
Processexplorer/virustotal shows same trojan uploaded from killed processes



Process Explorer indicated a new entry under the Virus column yesterday. It was IPO. Once I killed that process, deleted the file, and reopened Process Explorer, it showed a new process. Some that I remember are officeclicktorun.exe, nvcontainer.exe, and now it shows MBAMservice.exe. Earlier it showed some that I can't quite remember, like jhi_service and IProsetMonitor.exe in system32, and then a Logitech G HUB service, which I uninstalled.

On VirusTotal, all those files showed the same thing when uploaded:

https://www.virustotal.com/gui/file/e399c390687589194d8aad385055f0cfa7d52ad9e837d8ff95008b8eb2b34e50/community

I think it's weird. I'm attaching the threat scan log and the two txt files from the Farbar scan tool.

processexplorer mbam service.png

Addition.txt FRST.txt threatscan.txt


Hi @atakvn.

My name is Maurice. I will guide you.

Please do not do things on your own.

Know that mbamservice is a process /service of Malwarebytes.

officeclicktorun.exe is by Microsoft Office.

nvcontainer.exe is a driver for Nvidia.

I am going to guide you. 

We will use known security tools to check system.

Do not do things on your own.

If you have questions, ask me first.

.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the instructions for running the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Select "Full" scan from the scan options.

Let me know the result of this.

The log is named MSERT.log and will be at:

C:\Windows\debug\msert.log

Please attach that log with your reply.

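As an added check (not from this thread, and not Malwarebytes' or Microsoft's own tooling), the PowerShell below hashes the on-disk image behind each process name mentioned in the first post and checks its Authenticode signature, comparing the SHA-256 against the hash in the VirusTotal link above. It assumes an elevated PowerShell session; the process-name list and the flagged hash are taken from the thread, and the function name Test-FlaggedProcessImage is my own.

```powershell
# Added example, not from the thread: verify the on-disk image behind each
# process name Process Explorer flagged, instead of trusting the Virus column.
# Assumes an elevated (Run as Administrator) PowerShell session so that the
# image paths of service processes such as MBAMService are readable.

# SHA-256 from the VirusTotal link in the first post.
$FlaggedSha256 = 'e399c390687589194d8aad385055f0cfa7d52ad9e837d8ff95008b8eb2b34e50'

# Process names mentioned in the thread (without .exe, as Get-Process expects).
$FlaggedNames = 'MBAMService', 'OfficeClickToRun', 'nvcontainer', 'sqlwriter'

function Test-FlaggedProcessImage {
    param([string[]]$Names, [string]$ReferenceHash)

    foreach ($name in $Names) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) { Write-Warning "$name is not running"; continue }

        foreach ($p in $procs) {
            $path = $p.Path
            if (-not $path) {
                Write-Warning "$name (PID $($p.Id)): image path not readable; run elevated"
                continue
            }
            # Hash the file actually backing the running process.
            $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash.ToLower()
            # Check the publisher signature on that same file.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = '(none)'
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

            [pscustomobject]@{
                Process   = $name
                PID       = $p.Id
                Path      = $path
                Sha256    = $hash
                SameAsVT  = ($hash -eq $ReferenceHash.ToLower())
                SigStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer    = $signer
            }
        }
    }
}

Test-FlaggedProcessImage -Names $FlaggedNames -ReferenceHash $FlaggedSha256 | Format-List
```

SameAsVT false together with SigStatus Valid from the expected vendor (Malwarebytes, Microsoft, NVIDIA) means the running file is not the one the VirusTotal report describes. NotSigned or HashMismatch on a file sitting in a vendor folder is the case worth handing to the scanners used in this thread.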

Thank you for the run & the report.

MS Safety Scanner removed a few different threats.

.

I would suggest a free scan with the ESET Online Scanner.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe".

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double-click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on Full scan.

Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine and let it be.

You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).

Press Continue when all done. You should click to turn off the offer for "periodic scanning".


Thanks @Maurice Naggar, I've attached the scan log. Still, when I open procexp64 and procexp, they show MBAMService.exe and sqlwriter.exe as a virus, and on VirusTotal they refer to the same Trojan/Generic.ASMalwS.1534BA6 as in the first post. Maybe it's not important, but the UI for ESET was a little different than you described. I didn't get an option for "Computer Scan" and wasn't prompted by Windows, so I just selected Full scan and let it run. Hope I did the right one.

eset_scan_log.txt


Thanks for the Eset scan log. You did well.

Note: MBAMService.exe is not a threat at all. It is a part of Malwarebytes for Windows.

Second & most important, I use known security scanners to look for threats.

.

I would like you to run another scanner.

If your security software alerts on this scan, either accept the alert or turn off your security software to allow Sophos to run and complete.

Please do not use your PC whilst the scan is in progress. This scan is very thorough so may take several hours.

  • Double-click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program

Once the virus database has been updated, click Start Scanning.

If any threats are found, click Details, then View log file... (bottom left hand corner).

Attach the results in your reply.

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program

If no threats were found, please confirm that result.

The Virus Removal Tool scans the following areas of your computer:

  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs


Maybe this isn't important, but when I try to open process explorer now, it asks me "Do you want to allow this app to make changes to your device?" but it never asked me that before. Does that mean those tools you linked me successfully removed some malware responsible for preventing the request for permission, or that the file is corrupted, or something else? It's a shared computer so I need to tell others if we need to remove documents from this computer and change accounts/emails/passwords or take any other action. Thanks again, sorry for triple replying!


What you quoted is a normal/standard prompt from Windows. This just means that the more normal security settings of Windows are back.

This prompt from Microsoft has always been poorly worded.

It is meant as a safety measure that really should say, "Hey, do you really want to allow this to proceed?"

.

Tell me, HOW is the system now?


The Sophos tool flagged as malware & removed steamclient64.dll on E & G drives.

They appear to have been on some game drives.

.

What follows is a custom script to run Windows System File Checker, to help with Microsoft Windows Update, & help Microsoft Defender.

The script Fixlist.txt needs to be saved to the same folder that contains FRST64.exe / you have yours saved somewhere on E drive under a sub-folder Desktop.

The custom script on this post is ONLY for this machine and NO other.

  • Please be sure to close any open work files, documents, any apps you started yourself before starting this.
  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

The system will be rebooted after the script has run.

  • Please save the (attached file named) FIXLIST.txt to the E:\Desktop folder

Fixlist.txt

  • Start Windows Explorer and then go to the E:\Desktop folder.
  • RIGHT-click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run.
  • If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.
  • On the FRST window, click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

The tool will complete its run after restart.

When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the Fixlog.txt with your next reply, at your next opportunity.

Do let me know how things are overall, after all this.


It completed very quickly; it just took 5 minutes. Is that normal? I downloaded it to E:\Desktop, which also had FRST64.exe. When I ran FRST64.exe I don't remember getting any prompts asking me to allow it. I clicked Fix once, and after a few minutes it said completed. It said it needed to restart after I clicked OK, and that the tool would not notify me after the PC restarts. I've attached Fixlog.txt. I don't know if I forgot to run as administrator. Tell me if I should run it again.

For some files, the log says, "cannot access the file because it is being used by another process."

As for how the system is now, I'm still seeing that first trojan being detected in Process Explorer, but the number of .exe's is fewer than before, and it's still only one .exe at a time. It makes me feel like something is jumping between processes. After removing a lot of malware, fewer processes are being flagged (IProsetMonitor and jhi_service are gone, and sqlwriter.exe hasn't been flagged yet even though it's still running), but there are still some that get flagged, like officeclicktorun, so does that mean the thing is still jumping around?

Anyway, I've attached the log file.
Fixlog.txt


The script run did complete. You did fine.

I would not be looking at Process Explorer trying to have it find malware. Not recommended.

As I noted before, I believe, I use known security antivirus tools to help identify malware.

We have run:

  • Sophos
  • ESET Online Scanner
  • Microsoft Safety Scanner

.

We can have you run a different security scanner.

Please download and run the following Kaspersky antivirus scanner to remove any found threats:

Kaspersky Virus Removal Tool

 

Let me know if it finds anything or not.


Hi. Kaspersky KVRT reports are saved here: C:\KVRT_data\Reports and look similar to this: report_20210605_103821.klr

Right-click directly on that report, select Open with > Notepad. Save that file and attach it to your reply.

And I would ask you: is there now any security application that reports a flagged executable program?

I would rather stick with known security apps instead of trying to make any judgement via the displays in Process Explorer.


Thanks, attached the file. Apart from the tools you linked, I don't have anything besides Malwarebytes to check my system. A few months ago I found userdata of someone that isn't me in my Steam folder, but I thought it was from installing some mods, and since Malwarebytes didn't find anything wrong I thought I should be okay. I'll stay away from worrying too much about things not based on known security tools, sorry if I seemed unreasonable. Please let me know if there's anything of note in the KVRT report and if there are more tools I can use.

report_2021.06.05_00.59.31.klr.enc1.txt


Hello. Unfortunately I could not read the content of that report.

This next report is just an inquiry on some key Windows services. Just for review.

Download Farbar's Service Scanner utility and save it to your Desktop.

Right-click on fss.exe and select Run As Administrator.

Answer Yes / OK when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run from.

Kindly attach FSS.txt to your reply.


Hi, Thanks.

The Microsoft Defender antivirus is now showing as manual (on-demand) start. If you wish, it can be set to automatic start so that it too monitors the system in real time.

There is one thing I suggest you do: check on the definitions state of Defender & ensure it is all the latest from Microsoft.

You could then also do a manual on-demand scan with Defender.

.

  • From the Windows Start menu, select Settings, then select Update and Security.
  • Next, look at the left-side menu & select Windows Security.
  • Next, in the Windows Security section, click on the grey button Open Windows Security.
  • Now, click on the shield Virus and threat protection.
  • On the next display, look at all the options. Look down the list and see "Check for Updates".
  • You can click on that to have the system check for updates for Windows Defender.

2 weeks later...

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
