
This is a repost from this thread coming from a different board as suggested.

---

Hello, Malwarebytes forum!

Would like to report the existence of malware, of files coming out of the following URL: https://planetlemoncraft.com/

The website Planet Lemoncraft has been known for a long time for providing alternate download links for modifications for the popular game Minecraft, which they host themselves. Unfortunately for me, I was negligent in my vigilance this time and I downloaded one of the files from their server, called "Minecraft Forge", which is supposed to be an open source API for modders. Of course, the file that gets downloaded is not the actual "Minecraft Forge", as I soon discovered that the mod I'm looking for is hosted ONLY on the developers' official website... but alas.

It directed me to a site whereupon I got a "personalized" .msi file that is supposed to install the program. By personalized, I mean that no two downloaded files are alike. For instance, the attached file is called "minecraftforge_38876.msi", while when I downloaded one, it was called "minecraftforge_xxxxx.msi", with 'x' being any random number. It is worth noting that the actual Minecraft Forge installer does not come as an .msi file, but as a .jar executable. I foolishly ran the file and went ahead with the installation. Upon completion, I got a shortcut in my Downloads folder called "MinecraftForge.lnk". Opening this takes me to a website whereupon another .msi is asked to be downloaded. This is the point at which I stopped (or rather, I was foolish enough to download it as well), when I got suspicious and looked at the new .msi file's certificates, which is certified for a "GanyMobile SAS" (or something like that), which should make it clear that it was malware. I immediately returned to my Downloads folder to purge all the files, but when I opened the folder, I saw that the original .msi file had deleted itself upon running. I confirmed this by downloading another file from the same link (ridiculous, I know), which provided another personalized file, and when running the installer it automatically deletes itself (of course I didn't run the installer fully this time, I only opened it once to confirm that it auto-deletes itself upon running).

Most troubling of all this is that Malwarebytes did not react to anything at all. I scanned the second downloaded file multiple times, as well as this one in the attachment, and I've gotten negative results. I even ran SpyHunter (suggested by a thread that suffered from this same issue) and found 0 results as well...

I've had a manual look through %AppsData%, Program Files, and Common Files, and couldn't find anything that seems out of place. Perhaps I was lucky that I didn't get one that's packed with trojans, or there's an undetected trojan/keylogger sitting in my computer that will f**k my PC up for my carelessness. Please do have a look at the file attached as well as the downloadable .msi from the first link provided at the start of my post.

I am aware that I have posted this thread on the Newest Malware Threats board instead of the Newest IP or URL Threats. My current concern is with the status of my PC and whether it's currently susceptible to malicious activity or not, since I ran the suspected software. If I have indeed miscategorized the thread, then I apologize and I humbly request that this thread be moved to the other board instead of being deleted.

Please do let me know how to proceed. Terribly anxious about the consequences of my error. I'm still hoping that it was a shortcut launcher and nothing worse...

Thank you!

-CrimsonSymphony

(Attachments details can be found in the next page)


The files attached are:

FRST.txt

Addition.txt

minecraftforge_38876.rar - contains an .msi file similar to the one I downloaded

minecraftforge.exe.rar - A .rar file containing the .lnk shortcut that was made upon the .msi file's completion (not 38876! do recall that the .msi auto-deletes upon running)

Screenshots 01 to 08 - Screenshots to help illustrate the description above. I did not take screenshots of the .msi file as I did not want to run it a third time. However, screenshots uploaded by others (for similar files downloaded from the same website) can be found in the Reddit links below.

---

Please find results from the online virus scanners as suggested by the stickied thread of this board:

VirusTotal - https://www.virustotal.com/gui/file/3da1a0b6a681f4d61cefd8f3a4806bf46336b053d19698e5eb86668dfb9663f8/detection

Jotti - https://virusscan.jotti.org/en-US/filescanjob/ntknys4e8n

VirSCAN - https://r.virscan.org/language/en/report/b75fc47a3b95ccb2fe212f25d6b0f498

---

A Reddit user u/Chengers had a look into this issue for a similar program (also for Minecraft) called Optifine, which is also "downloadable" from the deceiving URL mentioned earlier. He has written two in-depth posts about this which may come in useful for you guys:

A dive into the fake Optifine variant "Planet Lemon Craft" and an analysis/write-up of what it actually does. - https://www.reddit.com/r/Optifine/comments/eo1hq5/a_dive_into_the_fake_optifine_variant_planet/

Hello all, The "Lemon Optifine" fake optifine exe has changed what it installs. I have just logged it with procmon and I need community help to filter through the ~13000 lines of logs to possibly make a .bat cure. - https://www.reddit.com/r/Optifine/comments/fus7vb/hello_all_the_lemon_optifine_fake_optifine_exe/


Hello CrimsonSymphony and welcome to Malwarebytes,

Apologies for the late reply, if you still need help continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes version 4 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts.

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select the small cog wheel in the top right hand corner; that will open "Settings", and from there select the "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Close out the settings window; this will take you back to the "Dashboard". Select the blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Detection History tab > from main interface.
  • Then click on "History"; that will open a historical list.
  • Double click on the Scan log which shows the date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save it to a place of choice, recommend "Desktop", then attach to reply
  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select Run as Administrator the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\msert.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

If English is not your primary language Rename FRST to FRSTEnglish before running.... (right click on FRST, select "Rename")


Let me see those logs in your reply...

Thank you,

Kevin....

Dear kevinf80,

Please find requested attachments and detailed replies to your instructions. Please note that I previously ran Microsoft's Safety Scanner first and before the other items on this list, as I was waiting for a reply on this thread. Thus, the results would be a few days old and may affect the details of the other instructions which I have followed today.

1. Malwarebytes (202105080446 Malwarebytes Premium 4.3.0 scan results.txt)

Ran as requested. Note that I have already run Malwarebytes several times previously on Monday when I first got suspicious. In both "before and after" the MSRT runs, the scan results always turned out as "Safe", which I have shaky faith in.

2. AdwCleaner by Malwarebytes (AdwCleaner[S00].txt)

Ran as requested.

3. MSRT (msert.log)

Did not run as requested. As mentioned earlier, I have already downloaded and run the program (on Tuesday) before your post. After 25 hours, the scan completed and yielded results. Please find screenshot results attached, in addition to the log file that you would've requested.

4. FRST (FRST.txt & Additions.txt)

Ran as requested.

 

Please do let me know if there's anything else to be done.

Thank you.

Kind regards,

CrimsonSymphony


Hello CrimsonSymphony,

Thanks for those logs, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Let me see those logs in your reply...

Thank you,

Kevin..


Dear kevinf80,

Please find requested attachments and detailed replies to your instructions.

1. FRST (Fixlog.txt)

Ran as requested. Restarted at the end of the procedure.

2. Sophos Free Virus Removal Tool (SophosVirusRemovalTool.log & SophosVirusRemovalTool_cloud4.log... as well as SophosVirusRemovalTool (2).log & SophosVirusRemovalTool_cloud4 (2).log)

Ran as requested. The scan discovered 5 "viruses", but none related to my issue in the opening post. The attached "(2)" logs are the files after pressing "Start Cleanup".

 

From the looks of things, it seems like the msi installer (as attached in the opening post) failed to introduce any malware to my system, but it's really strange.

I would like to know this: Why should I use other malware scanning services instead of Malwarebytes alone? Is it because different programs have different virus databases, so a sketchy file might be "safe" in one but detected as "malware" in another? It is kind of jarring that I'm suggested to use other software as a replacement for Malwarebytes, which I paid premium for...

 

Please do let me know if there's anything else to be done.

Thank you.

Kind regards,

CrimsonSymphony

 


Hello CrimsonSymphony,

I did check the two .rar files you attached earlier. The first was an installer; when unzipped I checked that one at VirusTotal, and it came back as malicious.

The second one was a shortcut to a URL; when unzipped and selected, the URL opened to a website where genymotion-3.2.1.exe could be downloaded. I checked that exe at VirusTotal, and it came back as clean.

Regarding security, for me Malwarebytes is the best tool available. Obviously a licence is required to enable realtime protection; have a read at the following two links for an understanding of Malwarebytes...

How does your PC currently respond, are there any remaining issues or concerns...?

Thank you,

Kevin..

1 hour ago, kevinf80 said:

Hello CrimsonSymphony,

I did check the two .rar files you attached earlier. The first was an installer; when unzipped I checked that one at VirusTotal, and it came back as malicious.

The second one was a shortcut to a URL; when unzipped and selected, the URL opened to a website where genymotion-3.2.1.exe could be downloaded. I checked that exe at VirusTotal, and it came back as clean.

Yeah, these are the results I got as mentioned in the OP. I'm just worried if there's any trace of them on my PC that could be used to stage further attacks. After following all the steps provided by you, there shouldn't be anything left, right? Even the positives that we found were mostly from different disks that are not related to these.

 

1 hour ago, kevinf80 said:

Regarding security, for me Malwarebytes is the best tool available. Obviously a licence is required to enable realtime protection; have a read at the following two links for an understanding of Malwarebytes...

Well I do have a license and a Premium account. I'm just astonished that these files just went under the radar, and that active protection did not do anything to halt installation.

This is a concern that is shaking my faith in the software's strength sadly.

 

1 hour ago, kevinf80 said:

How does your PC currently respond, are there any remaining issues or concerns...?

No suspicious activity going on. Still worried if there are any traces. Do you think there is anything else I can do short of a complete fresh reinstall? Or it's just adware and I shouldn't be panicking this much about it?

Do note that the file I installed is not the same as the one I attached, as the .msi file deleted itself immediately after running, thus my lingering fears.

 

I do have a thread in a different board about this file (and the entire website's malicious activities in general) that can be found at https://forums.malwarebytes.com/topic/273733-planet-lemoncraft-minecraftforge_38876msi/?pagecomment1454708=2

I was wondering if Malwarebytes would be able to have a look into this website and perhaps add it to their database as a host of malicious files and activities. If I could get some closure on this end, then that would be great.

 

CrimsonSymphony


  • Solution

Ok, let's try another scan to double check your system...

Go here and click "ONE-TIME SCAN" under "ESET Free Online Scanner".

A new window will open, select "Save File" and save that to your Desktop.

Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how

Right click on the saved file and select "Run as Administrator"

In the new Window accept the terms of service

In the new Window select "Enable detection of potentially unwanted applications" then expand "Advanced Settings"

In the new Window checkmark (tick) the entries as shown, make sure "Clean threats automatically" is not checkmarked. Now select "Scan"

In the new Window new virus database signatures will download, Do Not Select Stop

The Window will progress showing the scan in action....

In the new Window if no threats are found, select "Delete applications data on close" then select "Finish". No log is produced; confirm that in your reply...

If threats are found the following Window will open:

Click on "Select All" then "Save to Text file", name and save that file, attach to your reply.

Now select "Do not clean" and then close out....

Attach the text file to your reply....

Thank you,

Kevin..


I followed your instructions, but I must say that your answer template is quite out of date. The options presented by the scanner are nowhere similar to the screenshots in your answer, but I eventually did figure it out. It might be an issue to those with a weaker understanding and grasp of tech.

Please find attached results of the scan.

It is interesting though that ESET managed to deal with minecraftforge_38876.msi, but Malwarebytes failed to do anything with it. Seems like a change from one antivirus to another will have to be in order... but I digress.

23 hours ago, kevinf80 said:

Now select "Do not clean" and then close out....

This option isn't available. Therefore, I haven't closed the window yet, and I have left it as shown in the screenshot below. I have already reviewed the 150 suspected files, and I wouldn't give a care if they were removed when pressing "Continue" as they are non-essential stuff, or really old basic-malware-filled shareware found on other disks' OS's salvaged from older PCs/laptops.

Please let me know if there's anything left to do. At this point, I think we covered almost every possible nook and cranny where the malware would hide itself in... but who am I to say that?

CrimsonSymphony


Hi kevinf80,

For now, I'm not facing any persistent issues nor do I have any concerns (besides a tiny sliver of paranoia).

After all these steps, I believe it should be safe to say that my computer is clean now. I hope I'm not proven wrong lol

Thank you very much for your time and effort helping me clean up my PC!

Kind regards,

CrimsonSymphony

 

...

 

As a final request...

I do have a thread in a different board about this file (and the entire website's malicious activities in general) that can be found at https://forums.malwarebytes.com/topic/273733-planet-lemoncraft-minecraftforge_38876msi/?pagecomment1454708=2

I was wondering if Malwarebytes would be able to have a look into this website and perhaps add it to their database as a host of malicious files and activities. If there could be some closure on this end, then that would be most beneficial, and will protect those who would end up downloading what is almost genuinely presented as legitimate software from such a deceitful website.

Thank you.


Hello CrimsonSymphony,

I`ll pass on your final request to the Admin guys, continue to clean up etc....

Uninstall the following program (unless you prefer to keep it):

Sophos AV

http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Also delete this folder if still present: C:\ProgramData\Sophos

Next,

Right click on FRST here: C:\Users\Red October\Desktop\FRST.exe and rename it to uninstall.exe; when complete, right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST to uninstall

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

Consider the following:

Disable Remote Desktop: https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

Disable Windows Telemetry: https://helpdeskgeek.com/windows-10/how-to-disable-windows-10-telemetry/

Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/

Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee Will also work for Opera and Edge..

PatchMyPC, keep all your software up to date - https://patchmypc.com/home-updater#download

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 
