CrimsonSymphony Posted May 3, 2021 ID:1454754

This is a repost from this thread coming from a different board as suggested.

---

Hello, Malwarebytes forum! Would like to report the existence of malware, of files coming out of the following URL: https://planetlemoncraft.com/

The website Planet Lemoncraft has been known for a long time for providing alternate download links for modifications for the popular game Minecraft, which is hosted by themselves. Unfortunately for me, I was negligent in my vigilance this time and I downloaded one of the files from their server, called "Minecraft Forge", which is supposed to be an open source API for modders. Of course, the file that gets downloaded is not the actual "Minecraft Forge", as I soon discovered that the mod I'm looking for is hosted ONLY on the developers' official website ... but alas.

It directed me to a site whereupon I got a "personalized" .msi file that is supposed to install the program. By personalized, I mean that no two downloaded files are alike. For instance, the attached file is called "minecraftforge_38876.msi", while when I downloaded one, it was called "minecraftforge_xxxxx.msi", with 'x' being any random number. It is worth noting that the actual Minecraft Forge installer does not come in an .msi file, but a .jar executable.

I foolishly ran the file and went ahead with the installation. Upon completion, I got a shortcut in my Downloads folder called "MinecraftForge.lnk". Opening this takes me to a website whereupon another .msi is asked to be downloaded. This is the point at which I stopped (or I was foolish enough to download it as well), when I got suspicious and looked at the new .msi file's certificates, which is certified for a "GanyMobile SAS" (or something like that), which should make it clear that it was malware.

I immediately returned to my Downloads folder to purge all the files, but when I opened the folder, I saw that the original .msi file had deleted itself upon running. I confirmed this by downloading another file from the same link (ridiculous, I know), which provided another personalized file, and when running the installer it automatically deletes itself (of course I didn't run the installer fully this time, I only opened it once to confirm that it auto-deletes itself upon running).

Most troubling of all this is that Malwarebytes did not react to anything at all. I scanned the second downloaded file multiple times, as well as this one in the attachment, and I've gotten negative results. I even ran SpyHunter (suggested by a thread that suffered from this same issue) and found 0 results as well... I've had a manual look through %AppData%, Program Files, and Common Files, and couldn't find anything that seems out of place. Perhaps I was lucky that I didn't get one that's packed with trojans, or there's an undetected trojan/keylogger sitting in my computer that will f**k my PC up for my carelessness.

Please do have a look at the file attached as well as the downloadable .msi from the first link provided at the start of my post.

I am aware that I have posted this thread on the Newest Malware Threats board instead of the Newest IP or URL Threats. My current concern is with the status of my PC and whether it's currently susceptible to malicious activity or not, since I ran the suspected software. If I have indeed miscategorized the thread, then I apologize and I humbly request that this thread be moved to the other board instead of being deleted. Please do let me know how to proceed. Terribly anxious about the consequences of my error. I'm still hoping that it was a shortcut launcher and nothing worse...

Thank you!

-CrimsonSymphony

(Attachment details can be found on the next page)

The files attached are:
- FRST.txt
- Addition.txt
- minecraftforge_38876.rar - contains an .msi file similar to the one I downloaded
- minecraftforge.exe.rar - A .rar file containing the .lnk shortcut that was made upon the .msi file's completion (not 38876! do recall that the .msi auto-deletes upon running)
- Screenshots 01 to 08 - Screenshots to help illustrate the description above. I did not take screenshots of the .msi file as I did not want to run it a third time. However, screenshots uploaded by others (for similar files downloaded from the same website) can be found in the Reddit links below.

---

Please find results from the online virus scanners as suggested by the stickied thread of this board:
- VirusTotal - https://www.virustotal.com/gui/file/3da1a0b6a681f4d61cefd8f3a4806bf46336b053d19698e5eb86668dfb9663f8/detection
- Jotti - https://virusscan.jotti.org/en-US/filescanjob/ntknys4e8n
- VirSCAN - https://r.virscan.org/language/en/report/b75fc47a3b95ccb2fe212f25d6b0f498

---

A Reddit user u/Chengers had a look into this issue for a similar program (also for Minecraft) called Optifine, which is also "downloadable" from the deceiving URL mentioned earlier. He has written two in-depth posts about this which may come in useful for you guys:
- A dive into the fake Optifine variant "Planet Lemon Craft" and an analysis/write-up of what it actually does. - https://www.reddit.com/r/Optifine/comments/eo1hq5/a_dive_into_the_fake_optifine_variant_planet/
- Hello all, The "Lemon Optifine" fake optifine exe has changed what it installs. I have just logged it with procmon and I need community help to filter through the ~13000 lines of logs to possibly make a .bat cure. - https://www.reddit.com/r/Optifine/comments/fus7vb/hello_all_the_lemon_optifine_fake_optifine_exe/

Attachments: FRST.txt, Addition.txt, minecraftforge_38876.rar, minecraftforge.exe.rar
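A defender-side check for a download like the one described above, as an added example that is not part of this post or the forum's tooling: a small Python triage script that classifies an installer by its bytes rather than its extension (the genuine Minecraft Forge installer is a .jar, so a .msi with that name already fails the check), and builds the VirusTotal report URL for the file's SHA-256 in the same form the thread uses. The two sample files are constructed in memory as stand-ins; the hypothetical name forge-installer.jar and the magic-byte constants come from the public format specifications, not from the thread.

```python
import hashlib
import io
import zipfile

# Content signatures from the public format specs (not from the thread):
# a Windows Installer .msi is an OLE Compound File Binary container, while a
# .jar (the format the genuine Minecraft Forge installer ships as) is a ZIP.
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def classify_installer(data: bytes) -> str:
    """Classify an installer by its bytes: 'msi', 'jar', 'zip' or 'unknown'."""
    if data.startswith(OLE_CFB_MAGIC):
        return "msi"
    if data.startswith(ZIP_LOCAL_HEADER):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                names = archive.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        # A jar is a ZIP that carries a manifest under META-INF/.
        return "jar" if "META-INF/MANIFEST.MF" in names else "zip"
    return "unknown"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def virustotal_lookup_url(data: bytes) -> str:
    """VirusTotal report keyed by SHA-256, the URL form quoted in the thread."""
    return f"https://www.virustotal.com/gui/file/{sha256_hex(data)}/detection"


def triage(filename: str, data: bytes, expected_kind: str) -> dict:
    """Compare what the file claims to be (extension), what it is (content)
    and what the real publisher ships (expected_kind)."""
    kind = classify_installer(data)
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "file": filename,
        "sha256": sha256_hex(data),
        "content_kind": kind,
        "extension_matches_content": extension == kind,
        "matches_publisher_format": kind == expected_kind,
        "virustotal": virustotal_lookup_url(data),
    }


# Constructed stand-ins, NOT the real installers discussed in the thread.
def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        archive.writestr("net/example/Installer.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_msi() -> bytes:
    # Only the CFB header signature plus padding; enough for the magic check.
    return OLE_CFB_MAGIC + b"\x00" * 504


if __name__ == "__main__":
    samples = [("forge-installer.jar", build_sample_jar()),
               ("minecraftforge_38876.msi", build_sample_msi())]
    for name, blob in samples:
        # Forge is published as a .jar, so that is the expected kind for both.
        for key, value in triage(name, blob, expected_kind="jar").items():
            print(f"{key}: {value}")
        print()
```

For a real download, read the file's bytes from disk and pass them to triage(); the SHA-256 URL can then be checked against the scanner results already posted in this thread.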
kevinf80 Posted May 7, 2021 ID:1455402

Hello CrimsonSymphony and welcome to Malwarebytes,

Apologies for the late reply, if you still need help continue with the following:

If you do not have Malwarebytes installed do the following:
Download Malwarebytes version 4 from the following link: https://www.malwarebytes.com/mwb-download/thankyou/
Double click on the installer and follow the prompts.

When the install completes or Malwarebytes is already installed do the following:
Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings", from there select "Security" tab.
Scroll down to "Scan Options", ensure Scan for Rootkits and Scan within Archives are both on....
Close out the settings window, this will take you back to "DashBoard", select the Blue "Scan Now" tab......
When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
Click on the Detection History tab > from main interface.
Then click on "History" that will open to a historical list.
Double click on the Scan log which shows the Date and time of the scan just performed.
Click Export > From export you have two options:
- Copy to Clipboard - if selected right click to your reply and select "Paste", log will be pasted to your reply
- Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
Please use "Copy to Clipboard", then Right click to your reply > select "Paste" that will copy the log to your reply…

Next,

Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror
Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
Accept the EULA (I accept), then click on Scan
Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop. Ensure to get the correct version for your system.... https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
Right click on the Tool, select Run as Administrator, the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:
1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\msert.log
The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan"
Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"
If English is not your primary language Rename FRST to FRSTEnglish before running.... (right click on FRST, select "Rename")

Let me see those logs in your reply...

Thank you,

Kevin....
CrimsonSymphony Posted May 8, 2021 (Author) ID:1455536

Dear kevinf80,

Please find requested attachments and detailed replies to your instructions. Please note that I previously ran Microsoft's Safety Scanner first and before the other items on this list, as I was waiting for a reply on this thread. Thus, the results would be a few days old and may affect the details of the other instructions which I have followed today.

1. Malwarebytes (202105080446 Malwarebytes Premium 4.3.0 scan results.txt)
Ran as requested. Note that I have already run Malwarebytes several times previously on Monday when I first got suspicious. In both "before and after" the MSRT runs, the scan results always turned out as "Safe", which I have shaky faith in.

2. AdwCleaner by Malwarebytes (AdwCleaner[S00].txt)
Ran as requested.

3. MSRT (msert.log)
Did not run as requested. As mentioned earlier, I have already downloaded and run the program (on Tuesday) before your post. After 25 hours, the scan completed and yielded results. Please find screenshot results attached, in addition to the log file that you would've requested.

4. FRST (FRST.txt & Additions.txt)
Ran as requested.

Please do let me know if there's anything else to be done. Thank you.

Kind regards,
CrimsonSymphony

Attachments: 202105080446 Malwarebytes Premium 4.3.0 scan results.txt, AdwCleaner[S00].txt, msert.log, FRST.txt, Addition.txt
kevinf80 Posted May 8, 2021 ID:1455559

Hello CrimsonSymphony,

Thanks for those logs, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.
Note: If the tool warned you about an outdated version please download and run the updated version.
NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.
NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
- Recently opened files cache
- Flash Player cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- BITS transfer queue (qmgr*.dat files)
- Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.
If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
Double click the icon and select Run
Click Next
Select I accept the terms in this license agreement, then click Next twice
Click Install
Click Finish to launch the program
Once the virus database has been updated click Start Scanning
If any threats are found click Details, then View log file... (bottom left hand corner)
Copy and paste the results in your reply
Close the Notepad document, close the Threat Details screen, then click Start cleanup
Click Exit to close the program
If no threats were found please confirm that result....

The Virus Removal Tool scans the following areas of your computer:
- Memory, including system memory on 32-bit (x86) versions of Windows
- The Windows registry
- All local hard drives, fixed and removable
Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Let me see those logs in your reply...

Thank you,

Kevin..

Attachment: fixlist.txt
CrimsonSymphony Posted May 9, 2021 (Author) ID:1455620

Dear kevinf80,

Please find requested attachments and detailed replies to your instructions.

1. FRST (Fixlog.txt)
Ran as requested. Restarted at the end of the procedure.

2. Sophos Free Virus Removal Tool (SophosVirusRemovalTool.log & SophosVirusRemovalTool_cloud4.log... as well as SophosVirusRemovalTool (2).log & SophosVirusRemovalTool_cloud4 (2).log)
Ran as requested. The scan discovered 5 "viruses", but none related to my issue in the opening post. The attached "(2)" logs are the files after pressing "Start Cleanup".

From the looks of things, it seems like the msi installer (as attached in the opening post) failed to introduce any malware to my system, but it's really strange.

I would like to know this: Why should I use other malware scanning services instead of Malwarebytes alone? Is it because the different programs have different virus databases, thus a sketchy file might be "safe" in one, but detected as "malware" in another? It is kind of jarring how I'm suggested to use other software as a replacement to Malwarebytes, which I paid premium for...

Please do let me know if there's anything else to be done. Thank you.

Kind regards,
CrimsonSymphony

Attachments: Fixlog.txt, SophosVirusRemovalTool.log, SophosVirusRemovalTool_cloud4.log, SophosVirusRemovalTool (2).log, SophosVirusRemovalTool_cloud4 (2).log
kevinf80 Posted May 9, 2021 ID:1455676

Hello CrimsonSymphony,

I did check the two .rar files you attached earlier. The first was an installer; when unzipped I checked that one at VirusTotal, it came back as malicious: https://www.virustotal.com/gui/file/3da1a0b6a681f4d61cefd8f3a4806bf46336b053d19698e5eb86668dfb9663f8/detection

The second one was a shortcut to a URL; when unzipped and selected the URL opened to a website where genymotion-3.2.1.exe could be downloaded. I checked that exe at VirusTotal, it came back as clean: https://www.virustotal.com/gui/file/1de2d5ab9fd28460eaaefc8ceaf63d85f156d285b6be4dc89fb583ab0998e6c5/detection

Regarding security, for me Malwarebytes is the best tool available. Obviously a licence is required to enable realtime protection, have a read at the following two links for an understanding of Malwarebytes...
https://www.security.org/antivirus/malwarebytes/review/
https://www.malwarebytes.com/premium/

How does your PC currently respond, are there any remaining issues or concerns...?

Thank you,

Kevin..
CrimsonSymphony Posted May 9, 2021 (Author) ID:1455690

1 hour ago, kevinf80 said:
> Hello CrimsonSymphony, I did check the two .rar files you attached earlier. The first was an installer; when unzipped I checked that one at VirusTotal, it came back as malicious: https://www.virustotal.com/gui/file/3da1a0b6a681f4d61cefd8f3a4806bf46336b053d19698e5eb86668dfb9663f8/detection The second one was a shortcut to a URL; when unzipped and selected the URL opened to a website where genymotion-3.2.1.exe could be downloaded. I checked that exe at VirusTotal, it came back as clean: https://www.virustotal.com/gui/file/1de2d5ab9fd28460eaaefc8ceaf63d85f156d285b6be4dc89fb583ab0998e6c5/detection

Yeah, these are the results I got as mentioned in the OP. I'm just worried if there's any trace of them on my PC that could be used to stage further attacks. After following all the steps provided by you, there shouldn't be anything left, right? Even the positives that we found were mostly from different disks that are not related to these.

1 hour ago, kevinf80 said:
> Regarding security, for me Malwarebytes is the best tool available. Obviously a licence is required to enable realtime protection, have a read at the following two links for an understanding of Malwarebytes... https://www.security.org/antivirus/malwarebytes/review/ https://www.malwarebytes.com/premium/

Well I do have a license and a Premium account. I'm just astonished that these files just went under the radar, and that active protection did not do anything to halt installation. This is a concern that is shaking my faith in the software's strength sadly.

1 hour ago, kevinf80 said:
> How does your PC currently respond, are there any remaining issues or concerns...?

No suspicious activity going on. Still worried if there are any traces. Do you think there is anything else I can do short of a complete fresh reinstall? Or it's just adware and I shouldn't be panicking this much about it?

Do note that the file I installed is not the same as the one I attached, as the .msi file deleted itself immediately after running, thus my lingering fears.

I do have a thread in a different board about this file (and the entire website's malicious activities in general) that can be found at https://forums.malwarebytes.com/topic/273733-planet-lemoncraft-minecraftforge_38876msi/?pagecomment1454708=2

I was wondering if Malwarebytes would be able to have a look into this website and perhaps add it to their database as a host of malicious files and activities. If I could get some closure on this end, then that would be great.

CrimsonSymphony
kevinf80 Posted May 9, 2021 ID:1455761 (marked as Solution)

Ok, let's try another scan to double check your system...

Go here and click "ONE-TIME SCAN" under 'ESET Free Online Scanner'.
A new window will open, select "Save File", save that to your Desktop.
Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how
Right click on the saved file and select "Run as Administrator"
In the new Window accept the terms of service
In the new Window select "Enable detection of potentially unwanted applications" then expand "Advanced Settings"
In the new Window checkmark (tick) the entries as shown, make sure "Clean threats automatically" is not checkmarked. Now select "Scan"
In the new Window new virus database signatures will download, Do Not Select Stop
The Window will progress showing the scan in action....
In the new Window if no threats are found, select "Delete applications data on close" then select "Finish", no log is produced, confirm that in your reply...
If threats are found the following Window will open:
Click on "Select All" then "Save to Text file", name and save that file, attach to your reply.
Now select "Do not clean" and then close out....
Attach the text file to your reply....

Thank you,

Kevin..
CrimsonSymphony Posted May 10, 2021 (Author) ID:1455961

I followed your instructions, but I must say that your answer template is quite out of date. The options presented by the scanner are nowhere similar to the screenshots in your answer, but I eventually did figure it out. It might be an issue to those with a weaker understanding and grasp of tech.

Please find attached results of the scan. It is interesting though that ESET managed to deal with minecraftforge_38876.msi, but Malwarebytes failed to do anything with it. Seems like a change from one antivirus to another will have to be in order... but I digress.

23 hours ago, kevinf80 said:
> Now select "Do not clean" and then close out....

This option isn't available. Therefore, I haven't closed the window yet, and I have left it as shown in the screenshot below. I have already reviewed the 150 suspected files, and I wouldn't give a care if they were removed when pressing "Continue" as they are non-essential stuff, or really old basic-malware-filled shareware found on other disks' OS's salvaged from older PCs/laptops.

Please let me know if there's anything left to do. At this point, I think we covered almost every possible nook and cranny where the malware would hide itself in... but who am I to say that?

CrimsonSymphony

Attachment: ESET Online Scanner Results 202105101452.txt
kevinf80 Posted May 10, 2021 ID:1455983

Hiya CrimsonSymphony,

You are correct, I`ve not used ESET Online scanner for a while so the templates are quite dated. Have to update that one when I have time...

How is your PC responding now, any remaining issues or concerns....

Thank you,

Kevin..
CrimsonSymphony Posted May 10, 2021 (Author) ID:1456011

Hi kevinf80,

For now, I'm not facing any persistent issues nor do I have any concerns (besides a tiny sliver of paranoia). After all these steps, I believe it should be safe to say that my computer is clean now. I hope I'm not proven wrong lol

Thank you very much for your time and effort helping me clean up my PC!

Kind regards,
CrimsonSymphony

...

As a final request... I do have a thread in a different board about this file (and the entire website's malicious activities in general) that can be found at https://forums.malwarebytes.com/topic/273733-planet-lemoncraft-minecraftforge_38876msi/?pagecomment1454708=2

I was wondering if Malwarebytes would be able to have a look into this website and perhaps add it to their database as a host of malicious files and activities. If there could be some closure on this end, then that would be most beneficial, and will protect those who would end up downloading what is almost genuinely presented as legitimate software from such a deceitful website.

Thank you.
kevinf80 Posted May 10, 2021 ID:1456058

Hello CrimsonSymphony,

I`ll pass on your final request to the Admin guys, continue to clean up etc....

Uninstall the following program (unless you prefer to keep it): Sophos AV
http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/
Also delete this folder if still present: C:\ProgramData\Sophos

Next,

Right click on FRST here: C:\Users\Red October\Desktop\FRST.exe and rename uninstall.exe, when complete right click on uninstall.exe and select "Run as Administrator"
If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST to uninstall
That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2
Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point
Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

Consider the following:
Disable Remote Desktop: https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html
Disable Windows Telemetry: https://helpdeskgeek.com/windows-10/how-to-disable-windows-10-telemetry/
Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/
Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee
Will also work for Opera and Edge..
PatchMyPC, keep all your software up to date - https://patchmypc.com/home-updater#download

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....
Answers to Common Security Questions and best Practices
Do I need a Registry Cleaner?

Take care and surf safe

Kevin...
kevinf80 Posted May 11, 2021 ID:1456207

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you