Jump to content

Trojan removal again, Keeps coming back after restart Phorpiex E


Recommended Posts

The other day I created a post on the malwarebytes forum about a trojan that keeps coming back after removed. (Link below) After the removal everything was back to normal, however just today I saw Malwarebytes had detected the same trojan again in the same location. Another thing I noticed was in task manager the cuda usage of my graphics card was at 100%, this happens everytime this malware is detected. Please help 

 

Thanks Jackmin

Edited by AdvancedSetup
corrected font issue
Link to post
Share on other sites

  • Root Admin

Hello @Jackmin

Let me get some fresh new logs please.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

It's very late for me so I'll review further and provide assistance in the morning.

For now please go to Control Panel, Programs, Programs and Features and uninstall all versions of Java.

Once we're done working on cleaning the computer, if you really need Java we can reinstall it but for now please uninstall it and reboot.

Thanks

 

Link to post
Share on other sites

Hello @Jackmin   until Advancedsetup returns, would you kindly do 3 things.

1.    

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

2.  Provide a copy or 2 of the one or 2 most recent SCAN reports from Malwarebytes for Windows.

locate the Scan run report;  export out a copy;  & then attach in with your  reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

🙂

[   3   ]

One other inquiry meant to see about odd sub-folders.  This is a query only.  It does not make any changes.

  • On the Windows taskbar , on the Windows search box, type in
cmd.exe

and then look at the entire list of choices, and click on Run as Administrator.

 

  • Once the Command prompt window is up, copy > paste the line in the code-box below into the command-window.
dir c:\programdata\mmah*.* /s /q

tap ENTER-key to run that.

 

  • When that completes, place your mouse-pointer on the top bar of the command-window

& do a RIGHT-click & choose  "Select all"
& then choose " COPY "

then into the next Reply box on this topic, right-click on the white box and choose PASTE
You may then close the command window

Edited by Maurice Naggar
added command query
Link to post
Share on other sites

  • Root Admin

This is from 2015 - are you still using it?

R2 NoIPDUCService4; F:\DUC\No-IP\ducservice.exe [12288 2015-07-21] () [File not signed]

Your ProtonVPN Service also seems old for VPN

 

You have the following folders and tasks that were launching Java commands. Did you set them up on purpose? What do they do? Pretty odd to have the RSHD attributes set on a folder.

 

2021-07-12 13:57 - 2021-07-12 13:57 - 000003604 _____ C:\Windows\system32\Tasks\642da6cc71f97a2663019c78ce40c705
2021-07-12 13:57 - 2021-07-12 13:57 - 000000000 _RSHD C:\ProgramData\642da6cc71f97a2663019c78ce40c705
2021-07-12 13:52 - 2021-07-12 13:52 - 000003604 _____ C:\Windows\system32\Tasks\abf198171d3f2109e37d6eb048b69264
2021-07-12 13:52 - 2021-07-12 13:52 - 000000000 _RSHD C:\ProgramData\abf198171d3f2109e37d6eb048b69264
2021-07-12 13:47 - 2021-07-12 13:47 - 000003604 _____ C:\Windows\system32\Tasks\1f0a77b609234e043e9c1002fd677479
2021-07-12 13:47 - 2021-07-12 13:47 - 000003604 _____ C:\Windows\system32\Tasks\0ed2cd8bc3478f984b8da72b43aea9af
2021-07-12 13:47 - 2021-07-12 13:47 - 000000000 _RSHD C:\ProgramData\1f0a77b609234e043e9c1002fd677479
2021-07-12 13:47 - 2021-07-12 13:47 - 000000000 _RSHD C:\ProgramData\0ed2cd8bc3478f984b8da72b43aea9af

 

Task: {1F2AB2B0-BD05-4F8C-AAC4-B451133D37E0} - System32\Tasks\642da6cc71f97a2663019c78ce40c705 => javaw [Argument = -jar "C:\ProgramData\642da6cc71f97a2663019c78ce40c705\642da6cc71f97a2663019c78ce40c705.jar" 642da6cc71f97a2663019c78ce40c705] <==== ATTENTION
Task: {867C95EE-3D38-41DB-84A0-23D4FA2C5C1D} - System32\Tasks\1f0a77b609234e043e9c1002fd677479 => javaw [Argument = -jar "C:\ProgramData\1f0a77b609234e043e9c1002fd677479\1f0a77b609234e043e9c1002fd677479.jar" 1f0a77b609234e043e9c1002fd677479] <==== ATTENTION
Task: {A0C0CCCF-B79C-4261-84E0-454C8AB6BAAA} - System32\Tasks\0ed2cd8bc3478f984b8da72b43aea9af => javaw [Argument = -jar "C:\ProgramData\0ed2cd8bc3478f984b8da72b43aea9af\0ed2cd8bc3478f984b8da72b43aea9af.jar" 0ed2cd8bc3478f984b8da72b43aea9af] <==== ATTENTION
Task: {E09FEB79-B27C-47EB-981E-B1BD53F76239} - System32\Tasks\abf198171d3f2109e37d6eb048b69264 => javaw [Argument = -jar "C:\ProgramData\abf198171d3f2109e37d6eb048b69264\abf198171d3f2109e37d6eb048b69264.jar" abf198171d3f2109e37d6eb048b69264] <==== ATTENTION

 

Windows Defender should have removed these files. Are they still present on the system?

L:\Runtime Broker.exe
L:\Service Host.exe
C:\Users\Jackmin\Downloads\Ville.exe

 

 

 

Link to post
Share on other sites

@Maurice Naggar

Here are the contents of the folder and the logs of the Malwarebytes scan image.png.6aca9df5ea767a7d568b219cc2681d71.png

Microsoft Windows [Version 10.0.19042.1083]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Jackmin>dir c:\programdata\mmah*.* /s /q
 Volume in drive C has no label.
 Volume Serial Number is 32DA-9134

 Directory of c:\programdata

15/07/2021  09:45 am    <DIR>          BUILTIN\Administrators MMAHhpWyFn
               0 File(s)              0 bytes

     Total Files Listed:
               0 File(s)              0 bytes

               1 Dir(s)  91,046,752,256 bytes free

Log.txt

Link to post
Share on other sites

  • Root Admin

Thank you @Jackmin

Please save the attached FIXLIST.TXT file to the same folder location as the Farabar FRST program.

Then run FRST and click on the FIX button. It will run and create a zip file on your desktop with the Date and Time as the name .zip

Please attach that zip file on your next reply

fixlist.txt

Thanks

 

Link to post
Share on other sites

@AdvancedSetup

I did not add those tasks in task scheduler but I did notice them yesterday. Using process hacker I've observed that dllhost.exe was using around 5gb of dedicated memory and 100% of my cuda cores (crypto miner?). After terminating the process it seems like it has stopped, could this file be infected? Also after investigating in task scheduler I've noticed an unusual task which may be linked to the first infection as it is for a java file and is located in the same directory as the Malwarebytes scan. Another thing I've noted is a unusual .jar file which was in my temp folder, this happened to be created on the day the task was created. I am still using no-ip duc for a hosting a minecraft server and occasionally using proton vpn windows defender has removed those files.

image.thumb.png.b2be838115780bac0a0873cef55e687a.png

image.png.08654400fc36153ed3561eaa153edaf2.png

Edited by AdvancedSetup
corrected font issue
Link to post
Share on other sites

  • Root Admin

Once the fix below has been completed attach the FIXLOG.TXT file

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: This fix will reset the entire network stack including the firewall back to factory default settings

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

Thanks for your help,

Do you have any idea where this infection could have come from and will Malwarebytes still work after my trial ends? 

I am also quite curious on what the 3 files that Malwarebytes detected were do you have any idea? Anyways thanks for your help it seems like everything is back to normal

Thanks

Jackmin

Link to post
Share on other sites

  • Root Admin

This was a Java type infection. Where it came from is unknown but there are many sites that try to take advantage of users that use Java.

 

Let me have you run a 3rd party antivirus scanner to see if they can find anything else we might have missed.

 

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Link to post
Share on other sites

  • Root Admin

Thank you for the log.

Please download and run the following tool. Windows Defender and Smart Screen will complain, please tell them to keep and allow the download. Then run it and post back the log.

 

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current-security-update status of some applications.

  • Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • and save the tool on the desktop.
  • If Windows's  SmartScreen block that with a message-window, then
  • Click on the MORE INFO spot and over-ride that and allow it to proceed.
  • This tool is safe.   Smartscreen is overly sensitive.
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

Thank you

 

Edited by AdvancedSetup
updated information
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.