Malware in Hidden Folder


Solved by Maurice Naggar


Hey all,

So I decided to do a random scan with Malwarebytes and to my surprise, I was infected with xmrig-cuda.dll and a malware which seems to package xmrig-cuda.dll along with some other files in it. The packaged malware was in a hidden folder in the AppData folder called Angel, which I uploaded to VirusTotal to confirm that it was indeed packaged. As a precaution, I also checked the other files in the same folder and two other files also came back as infected on VirusTotal. xmrig-cuda.dll was found in a folder called Battle.net which also has one more compromised file called serviced.tdi which I scanned as well.

addon file https://www.virustotal.com/gui/file/8d5612d7f9f16c4b8a657aaf52a7dd449ad4aea0549eb68eb6eaf3af436ba863/detection

service.exe https://www.virustotal.com/gui/file/a94fc02cb72f45fcf330f8193629dc43f749a8b07a5567c013eb2f0242c3afaa/detection

work file https://www.virustotal.com/gui/file/64b7451fa9b5ccd0aea8e64ae10046634b8c8ebce56029698a906e433254955f/detection

serviced.tdi https://www.virustotal.com/gui/file/e2afa20615ae287b5708864afa3182f48e86decaf49798fc9827763927240af8/detection


To speed up the process, I followed advice from other related threads about uploading logs first so here are my Malwarebytes, AdwCleaner, and FRST logs.


FRST.txt Addition.txt MWB.txt AdwCleaner[S07].txt


Hi,
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.
Please know that I help here as a volunteer and that I am not on 24 x 7.
Help on this forum is one to one.

Please only attach the report files, etc., that I ask for as we go along.

Thanks for the report.

Windows File Explorer needs to be set to show ALL folders, all system files, etc., including hidden files / folders.

Open Windows File Explorer.

Select View from its top menu bar > click Options (the icon at the far right side) > Change folder and search options (from the drop-down).

  • On the next multi-tab mini-window,
  • select the View tab and, in Advanced settings,
  • select Show hidden files, folders, and drives
  • and click OK.

[ 2 ]

The Malwarebytes for Windows version is a bit old. Let's have you get updated to the very latest.

The current release version is 4.2.3.96. All program upgrades are at no charge.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Now, click the tab marked GENERAL. Look for the button marked "Check for Updates" and click it. Be sure to follow all prompts. Let's be sure it is up-to-date.

That will hopefully ensure that the program has the very latest Component Update.

[ 3 ]

In Malwarebytes, we want to do a special scan.
Click the Settings (gear) icon at the top right of the Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab.

Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to get it ON if it does not show a blue color.

Then scroll down to the section Potentially Unwanted items. We need the next 2 lines (for PUP & for PUM) to be set to "Always (Recommended)".
You can make the change by clicking on the down-arrow selection list-control. We want all PUP & PUM to be marked for removal.

Next, click the small x on the Settings line to go to the main Malwarebytes window.

Next click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

(screenshot: MB4_scan_tick_ALL2.jpg)

Then click on Quarantine selected.

(screenshot: MB4_scan_all_Quarantine2.jpg)

Then, locate the Scan run report; export a copy; & then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


We will do more later.

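The hunt the original poster did by hand (finding a hidden folder under AppData, hashing its files and looking them up on VirusTotal) and the hidden-files check Maurice asks for above can be scripted. The following is an added example, not code from the thread, from Malwarebytes or from the forum: a read-only PowerShell script that reports whether Explorer is set to show hidden and system files, lists every hidden folder directly under the user's AppData, Roaming and Local trees, records each file's SHA-256 and Authenticode status, and matches the hashes against the four values from the VirusTotal links in the first post. The function names, the folder roots and the extension list are my choices, not anything the thread specifies.

```powershell
# Added example, not from the thread. Read-only audit of hidden folders under the
# current user's AppData trees: hashes each file, checks Authenticode status, and
# matches hashes against the four SHA-256 values from the thread's VirusTotal links.
# Windows PowerShell 5.1 or PowerShell 7 on Windows. Run as the affected user.

# SHA-256 values copied from the VirusTotal URLs in the first post (lowercase, as in the URLs).
$KnownBad = @{
    '8d5612d7f9f16c4b8a657aaf52a7dd449ad4aea0549eb68eb6eaf3af436ba863' = 'addon file (Angel folder)'
    'a94fc02cb72f45fcf330f8193629dc43f749a8b07a5567c013eb2f0242c3afaa' = 'service.exe (Angel folder)'
    '64b7451fa9b5ccd0aea8e64ae10046634b8c8ebce56029698a906e433254955f' = 'work file (Angel folder)'
    'e2afa20615ae287b5708864afa3182f48e86decaf49798fc9827763927240af8' = 'serviced.tdi (Battle.net folder)'
}

function Test-ExplorerShowsHiddenFiles {
    # Explorer's "Show hidden files, folders, and drives" toggle is the Hidden value
    # (1 = show, 2 = hide); ShowSuperHidden = 1 also shows protected system files.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $adv = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ShowsHiddenItems = ($adv.Hidden -eq 1)
        ShowsSystemFiles = ($adv.ShowSuperHidden -eq 1)
    }
}

function Get-HiddenAppDataFindings {
    param(
        # Roots chosen for this example: AppData itself plus its Roaming and Local trees.
        [string[]]$Roots = @("$env:USERPROFILE\AppData", $env:APPDATA, $env:LOCALAPPDATA),
        [string[]]$ExecutableExtensions = @('.exe', '.dll', '.sys', '.bat', '.cmd', '.ps1', '.vbs', '.js')
    )
    foreach ($root in $Roots) {
        # -Force makes Get-ChildItem return hidden and system items that Explorer may be hiding.
        $hiddenDirs = Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 }
        foreach ($dir in $hiddenDirs) {
            $files = Get-ChildItem -Path $dir.FullName -File -Recurse -Force -ErrorAction SilentlyContinue
            foreach ($file in $files) {
                $hashObj = Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                if (-not $hashObj) { continue }   # locked or unreadable file: skip rather than abort
                $hash = $hashObj.Hash.ToLower()
                $sig = Get-AuthenticodeSignature -FilePath $file.FullName -ErrorAction SilentlyContinue
                $sigStatus = 'Unknown'
                $signer = ''
                if ($sig) {
                    $sigStatus = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
                    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                }
                [pscustomobject]@{
                    HiddenFolder = $dir.FullName
                    File         = $file.Name
                    SizeKB       = [math]::Round($file.Length / 1KB, 1)
                    Executable   = ($ExecutableExtensions -contains $file.Extension.ToLower())
                    Signature    = $sigStatus
                    Signer       = $signer
                    SHA256       = $hash
                    KnownBad     = $KnownBad[$hash]   # $null unless it matches a thread hash
                }
            }
        }
    }
}

function Show-HiddenAppDataReport {
    $explorer = Test-ExplorerShowsHiddenFiles
    if (-not $explorer.ShowsHiddenItems) {
        Write-Warning 'Explorer is set to hide hidden items; this script uses -Force, but fix the View option too.'
    }
    $findings = @(Get-HiddenAppDataFindings)
    if ($findings.Count -eq 0) {
        Write-Host 'No files found inside hidden folders under AppData.'
        return
    }
    $findings | Sort-Object HiddenFolder, File |
        Format-Table HiddenFolder, File, SizeKB, Signature, KnownBad -AutoSize

    # Pattern the poster describes later in the thread: a validly signed EXE
    # (service.exe signed by Logitech) sitting in a hidden folder beside unsigned files.
    # A good signature on the EXE does not clear the folder, so flag the combination.
    $findings | Group-Object HiddenFolder | ForEach-Object {
        $signedExe     = @($_.Group | Where-Object { $_.Executable -and $_.File -like '*.exe' -and $_.Signature -eq 'Valid' })
        $unsignedOther = @($_.Group | Where-Object { $_.Signature -ne 'Valid' })
        if ($signedExe.Count -gt 0 -and $unsignedOther.Count -gt 0) {
            Write-Warning ("Signed EXE beside {0} unsigned file(s) in hidden folder: {1}" -f $unsignedOther.Count, $_.Name)
        }
    }
    $hits = @($findings | Where-Object { $_.KnownBad })
    if ($hits.Count -gt 0) {
        Write-Warning ("{0} file(s) match hashes from the thread's VirusTotal links." -f $hits.Count)
    }
}

Show-HiddenAppDataReport
```

Run it in an ordinary PowerShell window as the affected user; it changes nothing on disk. The SHA256 column is what you paste into VirusTotal, and the KnownBad column is only populated for the four hashes already discussed in this thread, so an empty column is not a clean bill of health: anything that turns up in a hidden folder still needs the scans Maurice describes.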

Hi Lawrence. Thanks for the report. On this next round, I would like to see you do a full scan of the C drive with the Microsoft Defender antivirus.

1. Do a new manual scan, a Full scan, with the Microsoft Defender Antivirus.
From the Windows Start menu, click Settings (gear icon) and then go to Update & Security.
Click Windows Security on the left.
Click Virus & Threat protection.
A. Scroll down and click on Check for Update (to check for the latest Microsoft Antivirus intelligence updates).
B. Scroll back up (return to Virus & Threat protection) and now click on "Scan Options".
C. Pick "Full Scan".
D. Have lots of patience. Let that proceed till it finishes. When done, jot down what the result is.


Hey so after seeing that service.exe in the Angel folder is signed under Logitech, I uninstalled Logitech Gaming Software since it's not really required and manually deleted the Angel folder and Battle.net folder since I no longer use Battle.net. After a reboot, I performed another scan with Malwarebytes and AdwCleaner with the scan coming back negative for malware. I believe it was service.exe in the Angel folder that kept bringing back xmrig-cuda.dll after I quarantined xmrig-cuda.dll every time since xmrig-cuda.dll was packaged into the addon file which was located in the same folder as service.exe.

I will perform another scan sometime within one week and see if xmrig-cuda.dll ever comes back. If it comes back, I will report it here.

MWB.txt AdwCleaner[S08].txt


These 2 reports are fine. What I suggest is the following.

I would suggest that you do a scan with a scan tool from ESET to scan only the C drive.
Go to https://www.eset.com/us/home/online-scanner/

It will start a download of "esetonlinescanner_enu.exe".

Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double-click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.

When prompted for scan type, click on Custom scan (the choice on the far-right side).

We want just the C drive to be scanned.

In the display "Select custom scan targets", keep the top 3 lines ticked, plus the one for the C drive (which should be your Windows drive).

UN-tick the other drives (D, E, F, etc.).

Then click on the blue button "Save and continue".

Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.

Click the blue “Save scan log” to save the log. Look for it on the bottom left, in blue.

If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at bottom).
Press Continue when all done. You should click off the offer for “periodic scanning”.

The goal here is to see if there are suspicious or actual threats on the C drive. Please attach the scan-log with your next reply.


Hi. Thanks for the ESET Online Scanner report. That result, too, is excellent. Allow me to make another suggestion, for another scan.

TrendMicro HouseCall scan
https://www.trendmicro.com/en_us/forHome/products/housecall.html
First, download & save to your Downloads folder the appropriate HouseCallLauncher.

Once the download is complete, go to where the HouseCallLauncher is saved & double-click it to start it.
The program will check with TrendMicro & do an update run.

Next it will show the Disclosure window.
Click Next to proceed.

The end user license agreement is presented. Click the Accept radio button & click Next to proceed.

IF you wish a Full scan or a Custom scan, first click on the Settings;
then you can select which drives you want to include in the scan.
The default is a Quick scan.
Click Scan now when ready.

The scan progress will then be displayed. Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list showing the file & its location, the classification of the threat, the type, risk, and Action option.
If you see an item that you know is safe, you can click the Action, and select Ignore.
When all done & ready, click the Fix now button.

Let me know that result, and also, let me know how the overall situation is.

Sincerely.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

This topic is now closed to further replies.