ShiroNaomi Posted January 29, 2021 ID:1435245

For almost a year, I've had this headache. Something unknown infects my running programs, causing them to increase CPU usage (when UAC is disabled) and opening a randomly named executable (example: fwjeihtie.exe) in that same process. I decided to download Malwarebytes and see if it could help me. When I activated Malwarebytes, it blocked requests to pages from the injected processes. It helped me almost nothing, because it only repaired some settings that this powerful trojan changed in Windows settings.

This is the log (in Spanish):

-----------------------------------------------------------------------------------------
-Datos de sitio web-
Categoría: Troyano
Dominio: apadanapub.com
Dirección IP: 206.189.61.126
Puerto: 80
Tipo: Saliente
Archivo: C:\Users\Shiro\AppData\Programas\Portables\xmplay\xmplay.exe
-----------------------------------------------------------------------------------------
-Datos de sitio web-
Categoría: Troyano
Dominio: alsharqpaper.net
Dirección IP: 202.229.21.221
Puerto: 80
Tipo: Saliente
Archivo: C:\Users\Shiro\AppData\Programas\Portables\xmplay\xmplay.exe
-----------------------------------------------------------------------------------------

xmplay is just an audio or video file player, but it is easily injected by something I don't know, because of the simplicity of the program. Searching for "apadanapub.com" in Google, I found out that it is an ultra powerful trojan and that link is a request it makes every x seconds. That's why the Malwarebytes history is long.

Here is all the information about this trojan:
https://any.run/report/f43675215a8f73680ee87fdbf3cda2387491036ddd495ad159f9e9b6c39ec849/5ff336b3-fed1-45bb-9ba6-9bf640bcb033
https://app.any.run/tasks/9f80a04b-dc8c-4a22-8a27-b0e5b55737c3/

I tried to search for "pratnm.exe" with the file search program "Everything" and it did not find it. It doesn't show up in the "Process Hacker" processes either.

I am new to this forum and did not know where to post this topic. Please put an end to this plague.
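The Malwarebytes web-protection entries quoted in the post above have a regular key/value layout. As an added example (not code from the thread or from Malwarebytes), the Python below parses such entries and flags any process that has been blocked reaching several distinct flagged domains, which is the pattern of an injected host program beaconing rather than a single false positive. The sample log it contains is constructed to mirror the two entries above.

```python
import re
from collections import defaultdict

# Added example, not code from the thread. SAMPLE_LOG is constructed to mirror
# the Spanish-language Malwarebytes web-protection entries quoted in the post.
SAMPLE_LOG = """\
-------------------------------------------------------
-Datos de sitio web-
Categoría: Troyano
Dominio: apadanapub.com
Dirección IP: 206.189.61.126
Puerto: 80
Tipo: Saliente
Archivo: C:\\Users\\Shiro\\AppData\\Programas\\Portables\\xmplay\\xmplay.exe
-------------------------------------------------------
-Datos de sitio web-
Categoría: Troyano
Dominio: alsharqpaper.net
Dirección IP: 202.229.21.221
Puerto: 80
Tipo: Saliente
Archivo: C:\\Users\\Shiro\\AppData\\Programas\\Portables\\xmplay\\xmplay.exe
-------------------------------------------------------
"""

# Field labels as they appear in the Spanish log, mapped to neutral keys.
FIELD_MAP = {"Categoría": "category", "Dominio": "domain", "Dirección IP": "ip",
             "Puerto": "port", "Tipo": "direction", "Archivo": "file"}
SEPARATOR = re.compile(r"^-{5,}$")


def parse_blocks(text):
    """Split the log on separator lines; return one dict per block."""
    blocks, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if SEPARATOR.match(line):
            if current:
                blocks.append(current)
            current = {}
            continue
        # Lines without a colon (e.g. "-Datos de sitio web-") yield no known label.
        label, _, value = line.partition(":")
        key = FIELD_MAP.get(label.strip())
        if key:
            current[key] = value.strip()
    if current:
        blocks.append(current)
    return blocks


def summarise_by_process(blocks):
    """Map each process to the set of (domain, ip, port) it was blocked reaching."""
    summary = defaultdict(set)
    for b in blocks:
        if b.get("direction") == "Saliente" and "file" in b:
            summary[b["file"]].add((b["domain"], b["ip"], b["port"]))
    return dict(summary)


def suspicious_processes(summary, min_domains=2):
    """Processes blocked reaching several distinct flagged domains (beaconing pattern)."""
    return sorted(p for p, hits in summary.items()
                  if len({d for d, _, _ in hits}) >= min_domains)
```

Running `suspicious_processes(summarise_by_process(parse_blocks(SAMPLE_LOG)))` on the sample returns the xmplay.exe path, since the same benign player was blocked reaching two unrelated domains.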
ShiroNaomi Posted January 29, 2021 Author ID:1435247
kevinf80 Posted January 29, 2021 ID:1435249

Hello ShiroNaomi and welcome to Malwarebytes,

Continue with the following:

Open Malwarebytes, select the small cog wheel in the top right hand corner; that will open "Settings". From there select the "Security" tab. Scroll down to "Scan Options" and ensure Scan for Rootkits and Scan within Archives are both on. Close out the settings window, this will take you back to "Dashboard"; select the blue "Scan Now" tab. When the scan completes, quarantine any found entries.

To get the log from Malwarebytes do the following:
Click on the Detection History tab from the main interface. Then click on "History"; that will open to a historical list. Double click on the scan log which shows the date and time of the scan just performed. Click Export. From Export you have two options:
Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply.
Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply.
Please use "Text file (*.txt)", then name the file and save to a place of choice, recommend "Desktop", then attach to reply.

Next,

Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror.
Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users).
Accept the EULA (I accept), then click on Scan.
Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes.
Once the cleaning process is complete, AdwCleaner will ask to restart your computer; do it.
After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply.

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.
Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html
Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...
Before running FRST, right click directly on FRST, select "Rename", then add the word English so you have FRSTEnglish.
Be aware FRST must be run from an account with Administrator status...
Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
Make sure Addition.txt is checkmarked under "Optional scans".
Press the Scan button to run the tool....
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The tool will also make a log named (Addition.txt). Please attach that log to your reply.

Let me see those logs in your reply...

Thank you,

Kevin....
ShiroNaomi Posted January 29, 2021 Author ID:1435442

Hi Kevin,

I did all that, but it didn't work.

About AdwCleaner: I tried it 2 years ago and the program left my Windows unusable; I had to reinstall Windows 7. Now I've done it again, but I see it as unnecessary. It only detected the program I use to take screenshots.

Some logs are in Spanish, sorry for that.

Attachments: log 2.txt, Addition.txt, log 1.txt, FRST.txt, AdwCleaner_Debug.log, AdwCleaner[S00].txt
ShiroNaomi Posted January 29, 2021 Author ID:1435444

Oh, the captures were saved messily.

Log 1.txt was the first scan I did before making the post. Log 2.txt was the second scan with what you told me; before scanning, I updated the program and activated all exploit protections. It did not detect the trojan, only my usual programs.
ShiroNaomi Posted January 29, 2021 Author ID:1435447
kevinf80 Posted January 30, 2021 ID:1435459

Is this version of Windows legitimate..?
ShiroNaomi Posted January 30, 2021 Author ID:1435476

Yes
kevinf80 Posted January 30, 2021 ID:1435495

Well, you are certainly running a cracked version of Malwarebytes; that is totally unacceptable. You also have AutoKMS installed and active on your system. I`m well aware of the purpose of that software...

Create a Batch File and Run it:

Open Notepad. (Control Panel > Accessories > Notepad)
Copy/paste the following text into the empty Notepad text field.

Quote
@Echo off
Licensingdiag.exe -report %userprofile%\desktop\report.txt -log %userprofile%\desktop\repfiles.cab
del %userprofile%\desktop\look.bat

Click Notepad's File > Save As, and in the dialog that pops up:
Choose location as Desktop.
Type in filename as look.bat
Underneath the filename, choose Save as Type > All Files (*.*)
Click OK

Now go find the file look.bat you just saved on your desktop.
Right click on the file look.bat on your desktop, select "Run As Administrator" to run it. If it asks permission, give OK.

NOTE: Two files will be put on your desktop - report.txt and repfiles.cab

Attach the report.txt file to your reply.. You can ignore the repfiles.cab file for the moment, as it's only backup data.

Thank you....
ShiroNaomi Posted January 30, 2021 Author ID:1435578

9 hours ago, kevinf80 said:
Well, you are certainly running a cracked version of Malwarebytes; that is totally unacceptable.

Yes.. Sorry for that, I just want to destroy this trojan.

I ran it as administrator, and instead of prompting me for permission, it just ran. There I noticed that the trojan disabled my User Account Control (UAC) again.

9 hours ago, kevinf80 said:
@Echo off
Licensingdiag.exe -report %userprofile%\desktop\report.txt -log %userprofile%\desktop\repfiles.cab
del %userprofile%\desktop\look.bat

I ran it and it says:
"Licensingdiag.exe" is not recognized as an internal or external command, program or executable batch file.
The batch file was not found.

Note: I ran the bat in the cmd as admin to see the message.

My Windows is 7. So, I don't know if "Licensingdiag.exe" is for Win 10.
kevinf80 Posted January 30, 2021 ID:1435581

Are these settings known to you and trusted...

ProxyEnable: [S-1-5-21-1680972773-681890255-3162775664-1000] => Proxy está habilitado.
ProxyServer: [S-1-5-21-1680972773-681890255-3162775664-1000] => 127.0.0.1:8118
ManualProxies: 1127.0.0.1:8118
ShiroNaomi Posted January 30, 2021 Author ID:1435592

56 minutes ago, kevinf80 said:
Are these settings known to you and trusted...
ProxyEnable: [S-1-5-21-1680972773-681890255-3162775664-1000] => Proxy está habilitado.
ProxyServer: [S-1-5-21-1680972773-681890255-3162775664-1000] => 127.0.0.1:8118
ManualProxies: 1127.0.0.1:8118

Yes
https://www.privoxy.org/
kevinf80 Posted January 30, 2021 (Solution) ID:1435599

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.
Note: If the tool warned you about an outdated version please download and run the updated version.
NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.
NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now, as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The following directories are emptied:
Windows Temp
Users Temp folders
Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
Recently opened files cache
Flash Player cache
Java cache
Steam HTML cache
Explorer thumbnail and icon cache
BITS transfer queue (qmgr*.dat files)
Recycle Bin
Important: items are permanently deleted. They are not moved to quarantine.
If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run.

Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop. Ensure to get the correct version for your system: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
Right click on the tool, select Run as Administrator; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan.
Perform a scan and click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:
1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and press Enter:
notepad c:\windows\debug\msert.log
The log will include log details for each time MSRT has run; we only need the most recent log by date and time....

Post those logs when complete.

Attachment: fixlist.txt
ShiroNaomi Posted January 31, 2021 Author ID:1435715

This was the only thing that worked to destroy the trojan:

10 hours ago, kevinf80 said:
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

I am surprised that Malwarebytes could not detect this trojan. The Microsoft antimalware detected 337 infected files; it disinfected all of them and only deleted the ones it considered trojans, viruses, etc. It deleted WPE Pro, which is weird, because it's not a malicious program or anything. I had created a folder with all the executables with random names that the virus created or downloaded in the Videos folder.

I hope this will help in the development of the program to detect it in the future.

Thank you for your help.

Here I attach the logs: msert.log, Fixlog.txt
ShiroNaomi Posted January 31, 2021 Author ID:1435717

Recommendations for this great program: reduction of resource usage (CPU/RAM).

PS: Microsoft's antimalware consumes almost the entire CPU.

Screenshots:
kevinf80 Posted January 31, 2021 ID:1435729

Hello ShiroNaomi,

The infection on your system was a direct result of AutoKMS and KMSpico running on your system. Those programs are not malicious per se, hence Malwarebytes does not flag them. As they are primarily used to cheat licence activation on Microsoft operating systems and Microsoft Office, MSERT does flag and remove them. Malware writers are well aware that many people will use these illegal programs, so do load them with their malicious applications. To be honest I`m unsure why Malwarebytes does not flag that illegal software, but as I already stated the programs themselves are not malicious per se... Maybe a point worth raising with the Malwarebytes development team...

We need another scan with FRST to ensure there are no remnants of the infection remaining...

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select scan; when done post the new logs, "FRST.txt" and "Addition.txt". Rename FRST to FRSTEnglish before running.... (right click on FRST, select "Rename")

Thank you,

Kevin..
ShiroNaomi Posted January 31, 2021 Author ID:1435793

9 hours ago, kevinf80 said:
The infection on your system was a direct result of AutoKMS and KMSpico running on your system.

Not really. I have installed this activator on other computers and have had no problems with trojans or viruses. I think the problem was due to the fact that on some pages, when downloading a program, instead of downloading the program directly you download an .exe that downloads the program from the executable, so it can install unwanted things without you knowing it and infect your PC. In fact, 2 years ago I installed that for a client and to this day he doesn't have that problem. Nor does he have anti-malware or anti-virus.

The files that were disinfected by the Microsoft antimalware were left unusable, because when opened, they do not open. By restoring the file to a previous point, the Google Chrome executable could be opened, but the .exe was infected, so I had to run the Microsoft antimalware again. The restore files are infected, so I have to delete those restore points.

9 hours ago, kevinf80 said:
To be honest I`m unsure why Malwarebytes does not flag that illegal software

In fact, 3 years ago, several clients I have had have had trojans, viruses and malware of all kinds, and I installed Malwarebytes, as it was said to be the most powerful antimalware out there. I was surprised to find that it did not detect anything after a scan with everything enabled. The solution for them was the reinstallation of Windows.

So far, I installed and cracked it to see if it could destroy this trojan on my PC. I was disappointed that the program that detected my infected files and executables was Microsoft antimalware and not Malwarebytes. I hope this will help a lot in developing the security and file scanning of this program, so it should have a robust list of data with recent trojans, malware, etc.

Come to think of it, the web protection was blocking the requests the trojan made infecting programs, but what about the other things that it didn't detect of this level 5 trojan?

Thank you Kevin.

Attachment: Addition.txt
kevinf80 Posted January 31, 2021 ID:1435798

I see lots of infected systems here at Malwarebytes, other sites and personal callouts; one very common denominator is either AutoKMS or KMSpico. When that type of illegal software is installed it does not always come pre-loaded with an infection. However, as an open door is created in the Firewall and such software has the ability to either call out or accept inbound calls, malicious activity can be created anytime malware writers wish. It's a vicious circle that will continue as long as customers d/l such illegal software....

I also need to see the primary log from FRST "frst.txt". Logs are saved here: C:\FRST\Logs
ShiroNaomi Posted January 31, 2021 Author ID:1435814

26 minutes ago, kevinf80 said:
one very common denominator is either AutoKMS or KMSpico

Well, in my experience, it's not always.

Here I also attach the AutoPico files in case you want to check them.

Attachments: FRST_30-01-2021 00.03.54.txt, FRST_31-01-2021 18.07.32.txt, KMSpico.rar
kevinf80 Posted January 31, 2021 ID:1435821

Hiya ShiroNaomi,

Logs look ok, apart from the obvious that you mention...

Continue:

Right click on FRST here: C:\Users\Shiro\Desktop\Nueva carpeta\FRST.exe and rename to uninstall.exe. When complete, right click on uninstall.exe and select "Run as Administrator". If you do not see the .exe appended that is because file extensions are hidden; in that case just rename FRST to uninstall. That action will remove FRST and all created files and folders...

Next,

Consider the following:

Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/
Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee
PatchMyPC, keep all your software up to date - https://patchmypc.com/home-updater#download

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....
Answers to Common Security Questions and best Practices
Do I need a Registry Cleaner?

Take care and surf safe

Kevin...
ShiroNaomi Posted January 31, 2021 Author ID:1435826

8 minutes ago, kevinf80 said:
Consider the following:
Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/
Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee

The problem is that I use K-Meleon due to the resources of my PC, and it does not accept extensions of new versions of Firefox.
http://kmeleonbrowser.org

Thank you very much for your help.
kevinf80 Posted January 31, 2021 ID:1435829

You`re very welcome.....
kevinf80 Posted February 2, 2021 ID:1436184

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you