Trojan SmokeLoader

[EdoardoMB]

Hi everyone and thanks in advance for any help I will receive.

Recently I have noticed the fan turning up when the pc was in idle, when opening task manager I would see the cpu between 60-99% for a split second and then see it drop to the normal 2-3%. I runned the quick scan (the one that you call Threat Scan I think) that had no result (report below), then I runned an advanced scan (the settings for this scan are attached below) that found a Trojan.SmokeLoader. Since the quarantine of this file the computer behavior has not changed so here I am.

I'm a computer noob but I think that the virus shut itself when I open the task manager, I did some test and the cpu act normal when the manager is running but if I close it for a moment the cpu will go up to at least 60%.

Since you have a pinned post about it I must confess that the virus probably come from a pirated game, I downloaded a bunch two years ago and another one the last month, I can't exclude that the virus have been there for over two years. I also don't know what to do with qBitTorrent, the pinned topic say to not uninstall anything but also to disable it, let me know.

report_quickScan_22_07_17_11.txt report_advancedScan_22_07_17_34.txt FRST.txt Addition.txt

[AdvancedSetup]

Hello @EdoardoMB and

Let's start by doing a bit of general clean up and see if that helps with your issues.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Flash Player cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• BITS transfer queue (qmgr*.dat files)
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

[EdoardoMB]

Thank you very much for the reply, I will get back to you tomorrow when I will be able to run the script.

[AdvancedSetup]

You're quite welcome. Post back the FIXLOG.txt when ready. I'll try to follow up over the weekend but if not then for sure on Monday

Cheers

 

[EdoardoMB]

Here is the fixlog

Fixlog.txt

[Maurice Naggar]

Hi EdoardoMB.   My name is Maurice.   I'm filling in for Advancedsetup for a bit.  Thanks for the Fixlog.  I would suggest the following as a next step.

I would suggest a free scan with the ESET Online Scanner.  This will be another check for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

• Save the file to your system, such as the Downloads folder, or else to the Desktop.

 

• Go to the saved file, and double click it to get it started.

 

• When presented with the initial ESET options, click on "Computer Scan".
• Next, when prompted by Windows, allow it to start by clicking Yes
• When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

• Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine &. Let it be.

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

• When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
• Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

Press Continue when all done. You should click to off the offer for “periodic scanning”.

Please make sure you attach the log report.

[EdoardoMB]

Hi Maurice, here is the log report, it look really short and not detailed so tell me if I got the wrong file. ESET has found nothing, is it because I quarantined the first file with MalwareBytes? In any case the cpu usage has not changed

report_eset.txt

[Maurice Naggar]

That is the right report.

Next steps.

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

.

[   2    ]

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

 

Let me know the result of this.    This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

C:\Windows\debug\msert.log

Please attach that log with your reply.

[Maurice Naggar]

For after you have completed the steps above & when you have quiet time.

First a comment about Task Manager's initial display.

You said 

Quote

 I have noticed the fan turning up when the pc was in idle, when opening task manager I would see the cpu between 60-99% for a split second and then see it drop to the normal 2-3%.

It is important to not view the first percentage of use displays as actual realistic numbers.  You need to wait at least for a minute or 2 minutes.

.

I do not see Avira Antivirus currently installed.   I would ask if you uninstalled it recently ?  yes or no.   Answer later.

.

As I said, when you are caught up, I need two reports from this machine.

[    1    ]

This is a different sort of report.  I want to check on the security status of some services.

 

Download   Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

• Internet Services
• Windows Firewall
• System Restore
• Security Center/Action Center
• Windows Update
• Windows Defender
• Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.   Please attach that file.    😁

 

[     2    ]

I would urge getting a readout report as to update status of some key apps.

Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

 

and save the tool on the desktop.

• If Windows's  SmartScreen block that with a message-window, then

Click on the MORE INFO spot and over-ride that and allow it to proceed.

This tool is safe.   Smartscreen is overly sensitive.

• Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
• Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.

You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

[EdoardoMB]

About Avira, I uninstalled it last week

[Maurice Naggar]

OK.   Just please finish the one Safety scan by MS  & get for me the 2 reports.  No need to rush.   I will look forward to 3 reports.

Cheers.

[EdoardoMB]

Here are the reports. I need to say that something could be wrong whit the MS Scan report, maybe its normal but before I went to bed it had already found one infected file, the scan starting time also is wrong.

msert.log FSS.txt SecurityCheck.txt

[TwinHeadedEagle]

Trojan.SmokeLoader detection was a false positive, you can restore this detection from quarantine
C:\PROGRAMDATA\FIREFLY STUDIOS\STRONGHOLD KINGDOMS\2.0.34.17\GECKOFX\XULRUNNER33\PLUGIN-HANG-UI.EXE

[EdoardoMB]

If you are sure then ok, but I'm running another Microsoft Safety Scanner full scan and as of now there are 14 detection. Sorry if I'm bothering you too much, I just want to be sure the computer is fine.

[Maurice Naggar]

Thank you Djordje.

@EdoardoMB   Has that Safery Scan finished ?

[EdoardoMB]

8 minutes ago, Maurice Naggar said:

Thank you Djordje.

@EdoardoMB   Has that Safery Scan finished ?

Not yet, 6 hours and still going.

[Maurice Naggar]

Please note that the first MS Safety Scanner reported "no" malware.

No infection found.
Microsoft Safety Scanner Finished On Tue Jul 27 09:48:43 2021

 

[EdoardoMB]

Yes I read the report, I was pointing out that while the scanning was in progress it said there was infected files while at the end the report was clean. I don't know if that is very common or not, I just wanted to let you know because maybe it could help.

[Maurice Naggar]

Discount any intermediate meesages.  It is the bottom line result that matters when it completes the run.  Sorry to say, but those intermediate messages are just wrong.  Its been pointed out by others before.

[EdoardoMB]

Understood, so in the end it was a false positive, very good news. Thank you very very much for your help Maurice, If you want I will follow up whit this last scan otherwise you can close the topic. And if you don't mind I have a last question about the Addition file from FRST.

[Maurice Naggar]

Hi.  Let me know what question you have regarding FRST.

The SecurityCheck tool has listed a few applications & drivers that need to be updated for the latest security releases.  Make time & take care of those.

NVIDIA GeForce Experience 3.20.5.70 v.3.20.5.70   Warning!  Download Update

Discord v.0.0.310   Warning!   Download Update

Zoom v.5.3.1 (52879.0927)   Warning!   Download Update

[EdoardoMB]

I will check the drivers, the safety scan is clean. About FRST, in the addition file there is this list of sites that are correctly listed as fake, the thing is I'm pretty sure I've only visited one of them and certainly not everyone. Why are they all they here? Are they here because I accidentally downloaded from one of them? Is it something I should worry about?

[Maurice Naggar]

Those are contents on this machine's Windows HOSTS file.  Cannot tell how the entries got there, except to guess that in one way or another it would involve a visit to a website and accepting a download.

In any event,  the custom script below will reset the HOSTS file to the normal one.

Please first Delete the old file named Fixlist.txt  on the Desktop.

Next download the attached fixlist.txt file and save it to the Desktop.

Fixlist.txt

NOTE. It's important that both files,  FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run  FRST64 and press the Fix button just once and wait.

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This custom script will set the HOSTS file to a normal one.  The standard one from Microsoft Windows.

 

The system will be rebooted after the fix has run.    Please attach the Fixlog.txt.   Let me know if you need other help.

Cheers.

[EdoardoMB]

Here is the fixlog 😁

Fixlog.txt

[Maurice Naggar]

The run is good.  The HOSTS file is reset.

Tell me, do you need other help ?