
I'm infested with MSBUILD malware


Solved by Maurice Naggar


Hello. If what you suspect is true, this sounds like the STRRAT trojan. Did you recently get an email that made some "claim" or assertion about a ransom or some sort of threat?

Did you open any such email?

Also, when did this pest first show up? And do you have a backup of this system from before this event? I would hope you have a recent backup on offline storage.

 


I don't think so. I don't open emails from unknown sources.

I didn't clue in until recently but I've been shutting down PowerShells and MSBUILDs as well as changing browser proxy settings for a few weeks now.

I have backups of important material and can recreate anything else I need.
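A read-only PowerShell triage script, added here as an example and not part of the original thread or of any tool mentioned in it, that captures what the poster describes in a form a defender can keep and compare across reboots: the running MSBuild and PowerShell processes with their parent process and full command line, the per-user WinINet proxy settings the poster kept finding changed, and any scheduled task or Run key that would relaunch those binaries. The process names, registry paths and cmdlets are standard Windows ones; the function names and the choice of what to report are this example's own assumptions, and it requires an elevated session so every process's command line is readable.

```powershell
# Added example, not from the original thread or from any tool mentioned in it.
# Assumes Windows PowerShell 5.1 or later in an elevated session. It only reads and reports;
# it changes nothing, so the output can be attached to a help-thread reply as-is.

$watch = @('MSBuild.exe', 'powershell.exe', 'pwsh.exe')

# 1. Running instances of the watched binaries, with parent process and full command line.
#    MSBuild started by Visual Studio or a build tool is expected; MSBuild started by a
#    scripting host or a scheduled task, or pointed at a project file in a user-writable
#    folder such as %TEMP%, is the pattern worth a closer look.
function Get-WatchedProcess {
    $all = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    $all | Where-Object { $watch -contains $_.Name } | ForEach-Object {
        $parent = $byPid[[int]$_.ParentProcessId]
        [PSCustomObject]@{
            PID         = $_.ProcessId
            Name        = $_.Name
            Path        = $_.ExecutablePath
            ParentPID   = $_.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            CommandLine = $_.CommandLine
        }
    }
}

# 2. Per-user WinINet proxy settings (what the browser's proxy dialog shows). A proxy server
#    or PAC URL the user never configured, reappearing after being cleared, means something
#    on the machine is rewriting this key.
function Get-UserProxy {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Get-ItemProperty -Path $key | Select-Object ProxyEnable, ProxyServer, AutoConfigURL
}

# 3. Persistence that would relaunch the watched binaries: scheduled task actions and
#    per-user / machine-wide Run keys whose command mentions them.
function Get-WatchedPersistence {
    $pattern = 'msbuild|powershell|pwsh'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $pattern) {
                [PSCustomObject]@{ Kind = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
            }
        }
    }
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $runKeys) {
        if (Test-Path $k) {
            $item = Get-Item -Path $k
            foreach ($name in $item.GetValueNames()) {
                $val = [string]$item.GetValue($name)
                if ($val -match $pattern) {
                    [PSCustomObject]@{ Kind = 'RunKey'; Location = "$k\$name"; Command = $val }
                }
            }
        }
    }
}

"== Running MSBuild / PowerShell processes =="
Get-WatchedProcess | Format-List
"== Per-user proxy settings =="
Get-UserProxy | Format-List
"== Persistence referencing those binaries =="
Get-WatchedPersistence | Format-Table -AutoSize
```

Run it once before and once after each reboot and compare the three sections; a process or proxy value that comes back on its own points at the persistence mechanism the later FRST fix in this thread is meant to remove.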


IF you have a complete, recent system image / full backup, do consider doing a restore from that, as long as you are sure that that backup is from before the start of this trojan infection.

This infection is very serious and does involve the theft of passwords & potentially personal identifiers. After this event is squashed, you will need to change all your passwords to new, strong passwords ... but only on a clean machine.

This infection could have been due to drive-by browser use, or perhaps due to getting some sort of dodgy "freeware" of some kind, or other download.

Just let me know if you decide to restore from backup, or perhaps better yet, to do a clean rebuild of Windows, then new installs of your programs, and then get your personal files off the backup.


It would be helpful to get the 2 reports from FRST. Just so you know, it looks like you did not TICK all lines detected by Malwarebytes. I will guide you on that.

Please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

[ 2 ]

Now a fresh new scan with Malwarebytes for Windows.

  • In the Malwarebytes for Windows program, we want to do a special scan.
  • Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
  • Then click the Security tab.
  • Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈
  • Click it to get it ON if it does not show a blue color.
  • Next, click the small x on the Settings line to go to the main Malwarebytes window.
  • Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical.

>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<< 💢

Please double verify you have that TOP check-box tick-marked, and that then, all lines have a tick-mark.

Then click on the Quarantine button.

 

 

Then, locate the scan run report; export out a copy; & then attach it with your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

There will be much more to do after this. Please stick with me.

[ 3 ]
If possible, restart Windows into Safe mode. Then repeat the same scan just like #2 above with Malwarebytes for Windows.
I think you can do those 2 scans within something like 30 - 40 minutes.
When all done, restart the system into normal mode Windows.

NOTE: There will be much, much more to do.

Thanks for the Malwarebytes report.

NEXT

The custom script on this post is ONLY for this machine and NO other.

Please close / exit any open work files (if you have any ongoing at this point). Save any work. Exit out of other open apps that you yourself started in this session.

This procedure will involve a restart at the end of the run.

Save this script file named FIXLIST.txt to the Downloads folder:

Fixlist.txt

 

Using File Explorer, go to the Downloads folder.

  • RIGHT-click on FRST64.exe and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run.
  • If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool, click the More info line on that screen and click the Run anyway button on the next screen.

 

Click on FIX button.


 

You will see a green progress bar start.

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

 

The tool will complete its run after restart.

When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

There will be more to do after this, so please stick with me and, as much as possible, stay current with this thread.

I will get back to you as I have the opportunity. Kindly remember I am a volunteer here.


Alright. We still have other scans to do, to check the system.

By the way, the Windows System File Checker found some issues & made corrections.

.

This is a special tool to check your pc for viruses, trojans & other malware.

Download Sophos Free Virus Removal Tool and save it to your desktop.

  • If your security software alerts on this scan, either accept the alert or turn off your security to allow Sophos to run and complete.
  • Please do not use your PC whilst the scan is in progress. This scan is very thorough, so it may take several hours.

 

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result....

  • The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Let me know what Sophos reports.


Alright. We are done with the Sophos VRT tool. Now to uninstall it.

1. Press & hold the Windows key on the keyboard & then tap the R key to open the Run box window.
2. Type

appwiz.cpl

and tap Enter.
The Programs and Features window will appear. Locate on the list "Sophos Virus Removal".

Do a right-click on it.  Then choose Uninstall.   Let it proceed.

Exit Programs and Features.

.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to for running the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

 

Let me know the result of this. This is likely to run for many hours (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log and will be at:

C:\Windows\debug\msert.log

Please attach that log with your reply.


Good morning. That is an excellent report from MS Safety Scanner.

I would recommend getting a readout report as to update status of some key apps.

Download SecurityCheck by glax24 from here: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

and save the tool on the desktop.

  • If Windows's SmartScreen blocks that with a message window, then click on the MORE INFO spot, override that, and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.

  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run & go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.

You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


Solution

Yes, the pc is good to go. That said, be aware that you ought to review closely the following list and get these drivers / apps / programs updated. These are what SecurityCheck indicates are outdated & might pose a security risk exposure.

NVIDIA GeForce Experience 3.20.0.118 v.3.20.0.118 Warning! Download Update

Dropbox 20 GB v.0.9.0 Warning! Download Update

Microsoft Teams v.1.3.00.26064 Warning! Download Update

Zoom v.5.5.2 (12494.0204) Warning! Download Update

Spotify v.1.0.84.344.gfc674f6f Warning! Download Update

Adobe Creative Cloud v.5.0.0.354 Warning! Download Update

Mozilla Thunderbird 45.0 (x86 en-US) v.45.0 Warning! Download Update

Windows Live Essentials v.16.4.3528.0331 Warning! This software is no longer supported.


Music Manager Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it

Google Video Support Plugin v.19.12.1000.0 Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it
.
We can proceed with cleanup of the tools we used.

To remove the FRST64 tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe.
Then run that (double-click on it) to begin the cleanup process.

Delete MBAR.exe
Delete SecurityCheck.exe


Any other download file I had you download, you may delete. I wish you all the best. Stay safe.
You are very welcome. I am glad to have worked with you.

Sincerely.

Maurice
