Website blocked due to Trojan showing up every 2 seconds.

I am an MSP and have had a customer bring in two of their PCs for the exact same issue. Our client's computer is being attacked/pinged every couple of seconds and it will not stop. The exact Malwarebytes message we are getting is:

Domain: 100k0.ddns.net

Ip Address: 142.202.240.42

Port:6606

Type: Outbound

File: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Our shop has tried everything to get rid of this nuisance. We have run Malwarebytes, SUPERAntiSpyware, AdwCleaner, JRT, RogueKiller, Tweaking, FRST and also deleted the Framework 4.0 folder located in the Windows folder. The trojan, I assume, would not allow permissions to be switched from TrustedInstaller so that we could erase the 4.0 framework folder; we were not able to erase that folder until we moved the drive to another computer. Only then were we able to switch permissions from TrustedInstaller to user. Once that was done the notifications stopped for an hour or two, and we didn't notice a single notification while doing the rest of the clean-up on the computer. After the hour or two wait the notifications started back up again. The notifications still come in full force even when not connected to any internet either.

Our shop has been working on this for a couple of days now and we have read many forums trying to find solutions, but there are none. Any help you can provide will be immensely appreciated. We would like to find out the root of this problem so we can prevent it for clients in the future, and also of course a solution.

-Thank you

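The pattern in the notification above (a legitimate .NET Framework binary blocked every couple of seconds while reaching out to a dynamic-DNS host) is what a defender would want to pull out of a pile of block notifications automatically. The Python below is an added example, not code from the thread or from Malwarebytes: it parses records written in the notification's field names (the pipe-separated single-line layout, the timestamps and the dynamic-DNS suffix list are constructed assumptions) and flags a file, domain and port that recur at a tight cadence.

```python
import re, statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample, one record per line, using the field names of the
# Malwarebytes notification quoted in the thread; timestamps are invented.
SAMPLE_LOG = r"""
2021-08-31 16:44:45 | Domain: 100k0.ddns.net | Ip Address: 142.202.240.42 | Port: 6606 | Type: Outbound | File: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2021-08-31 16:44:47 | Domain: 100k0.ddns.net | Ip Address: 142.202.240.42 | Port: 6606 | Type: Outbound | File: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2021-08-31 16:44:49 | Domain: 100k0.ddns.net | Ip Address: 142.202.240.42 | Port: 6606 | Type: Outbound | File: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2021-08-31 16:50:02 | Domain: ads.example.invalid | Ip Address: 203.0.113.7 | Port: 443 | Type: Outbound | File: C:\Program Files\Browser\browser.exe
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| Domain: (?P<domain>\S+) \| Ip Address: (?P<ip>\S+)"
    r" \| Port: (?P<port>\d+) \| Type: (?P<type>\w+) \| File: (?P<file>.+)$")
# Illustrative dynamic-DNS suffixes (assumption, not taken from the thread).
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")
DOTNET_DIR = r"c:\windows\microsoft.net\framework"  # legitimate home of RegAsm.exe

def parse_records(text):
    """Return one dict per well-formed record; malformed lines are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records

def find_beacons(records, min_hits=3, max_interval=5.0):
    """Flag a .NET Framework binary blocked repeatedly, at a tight cadence,
    while reaching out to a dynamic-DNS host (outbound blocks only)."""
    groups = defaultdict(list)
    for r in records:
        if r["type"].lower() == "outbound":
            groups[(r["file"], r["domain"], r["port"])].append(r["ts"])
    findings = []
    for (path, domain, port), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        # Median gap between consecutive blocks; a small value means beaconing.
        interval = statistics.median(
            (b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
        if (path.lower().startswith(DOTNET_DIR)
                and domain.lower().endswith(DDNS_SUFFIXES) and interval <= max_interval):
            findings.append({"file": path, "domain": domain, "port": port,
                             "hits": len(stamps), "interval_s": interval})
    return findings
```

Because the block fires again and again from the same signed Microsoft binary, the finding points at whatever is injecting into or launching RegAsm.exe (a startup script or scheduled task, as the later replies check for), not at RegAsm.exe itself.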

  • Root Admin

Let me get a full set of logs, please. You'll need an Internet connection as it will also reach out and grab FRST and run it as part of the log gathering. @clickcomputers2018

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Let me also have you run the following:

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures and Check VirusTotal.com and Submit Unknown Images.
  • Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
  • When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder.
  • Attach the Autoruns.zip folder you just created to your next reply.

Thank you

Sorry for the wait. The laptop having this issue is now not letting me download the Malwarebytes Support Tool from any download link I've used. I'm not sure if it has anything to do with my .NET Framework 4.0, but I suspect so. Every time I use the download link, it downloads FRSTEnglish, but on any other computer it just downloads the normal Malwarebytes tool. I read that FRST is used for logs for forums, so there must be a reason. I've included the FRST logs and Autoruns logs as well as the .NET Framework repair tool logs and the Malwarebytes notification that I am getting repeatedly.

Autoruns logs.zip FRST LOGS.txt


  • Root Admin

Thanks for the logs @clickcomputers2018

Can you please run the Farbar FRST program again and make sure you place a check mark on the Addition.txt file?

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thanks


  • Root Admin

Please go to Control Panel, Programs, Programs and Features and uninstall the following:

Bonjour
Java 8 Update 131

Just an FYI - seeing this in the logs: Tweaking.com - Windows Repair. This is a shotgun approach to cleaning a computer that nothing else was able to fix, i.e. the computer really should have had the hard drive formatted and Windows reinstalled if you had to resort to using this tool.

Please uninstall those items while I continue to review your logs.

Thank you @clickcomputers2018


  • Root Admin

System errors:
=============
Error: (08/31/2021 04:44:45 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x800704c7: 2021-08 Cumulative Update for Windows 10 Version 2004 for x64-based Systems (KB5005033).

Please upload the following file to https://virustotal.com and have them scan it and post back the URL from the scan. The file is probably legit but I want to verify.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

SUPERAntiSpyware is also faulting on trying to update. That could be due to what is going on with the computer though, and there may not really be anything wrong with it.

I see it's had the policy set from years ago to try to control ransomware.

Please open the following file with Notepad and review its contents. This is a Visual Basic Script file that could be used for just about anything. I need to verify it's not doing anything bad.

Startup: C:\ProgramData\WindowsHost\\SystemSettings.vbs [2021-08-17] () [File not signed]

Please post back the contents here in a CODE box.

What is this task doing?

Task: {15BD9D0D-3205-4385-87BB-CB48500A0515} - System32\Tasks\Microsoft\Windows\WaaSMedic\MaintenanceWork => {72566E27-1ABB-4EB3-B4F0-EB431CB1CB32}

Something is locking all of the DLL files in the System32 and SysWOW64 folders, which is not normal. Is your company running any custom or special security software that might be blocking FRST and making it think those files are locked?


  • Root Admin

I'd like to have you run two different rootkit scanners on this system, please.

Please follow the directions from this link

Next, please run this one as well.

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.

PC Winvids - How to run Kaspersky TDSSKiller

If an infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.

Thank you


No, we don't run anything out of the ordinary besides just recently running Tweaking, which we do not usually ever use but which seemed like it could help correct the framework. We have thought of an OS reinstall of course. But we want to figure this out in case it happens again in the future, since our client had it happen on two of his computers. It's obvious he picked it up from somewhere. The customer has tons of freeware for DVD burning, solitaire, etc. So they most likely definitely got something nasty from that.

Another busy day; I will post the logs you requested tomorrow morning.

Thanks for everything so far
