NetService malware, help needed.

Solved by Maurice Naggar

Hi. I will guide you. 

Malwarebytes for Windows has items that must be selected for removal. Do a special run with Malwarebytes for Windows, after an update run.

Start Malwarebytes. Click Settings ( gear ) icon. 

  • Click the Security Tab
  • Scroll down and let's be sure the line in SCAN OPTIONS for
  • "Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue color.
  • Now click on the GENERAL tab
  • Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

  • Next, the Malwarebytes scan.
  • Next click the blue button marked Scan.

When the scan phase is done, be really sure you review and have all detected line items check-marked on each line on the left. That too is very critical.

👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

Edited by Maurice Naggar
revised corrections

I'm doing as you said. But I think it will come out clean because it already found and quarantined them, as you could see in my attached file. It created stuff in Task Scheduler. But luckily Malwarebytes found it before I restarted the PC.

 

"First, by adding a scheduled task to regain any lost access, they achieve persistence on the target," Parkin told The Register. "Second, by hiding the scheduled task, they make it much more difficult to identify and remediate the threat."

That said, while the task itself is essentially hidden from view, it still has artifacts in the Windows Registry that can be identified and dealt with, he said. It can be time-consuming if done manually, and there are automated tools that can examine the registry to highlight or automatically remove suspicious entries.

The Microsoft analysts wrote that bad actors will use this evasion method to keep access to high-value targets while remaining undetected, and that this can be a problem for systems such as domain controllers and database servers that aren't frequently rebooted.


Microsoft published information about new malware on its security website on April 12, 2022. The malware, codenamed Tarrask, exploits a bug in the Windows task scheduling system to evade detection.

Tarrask is used by the Hafnium hacking group, which has targeted the telecommunications, internet service provider and data services industries in the past.

The group uses zero-day vulnerabilities for its attacks to penetrate computer systems. Once a system has been successfully attacked, a bug in Windows is used to hide the traces of the malware and make detection more difficult. Tarrask uses the bug to create scheduled tasks that are hidden to avoid detection and probably also for persistence.

The Windows Task Scheduler is used by the system and by applications to launch tasks, for example to check for updates or perform maintenance operations. Applications can add tasks to the Task Scheduler, provided they are run with sufficient rights to do so. Malware often uses tasks, according to Microsoft, to “maintain persistence in a Windows environment”.

Tasks can be analyzed by launching the Task Scheduler tool in Windows. Tarrask uses a bug to hide its task from the tool as well as from the “schtasks /query” command line option, which returns a list of the scheduled tasks that exist. To avoid detection, Tarrask removes the task’s security descriptor value from the Windows registry; this causes the task to disappear from Task Scheduler and from the command line tool. In other words: close inspection of all tasks using either tool will not reveal the malicious tasks.


I want to do this! Can you tell me how? I don't really understand what this text tells me. Can you guide me to log the task so I can see the log?

Malwarebytes is still doing a scan, I'll post the results when done.

 

Modify your audit policy to identify scheduled task actions by enabling “TaskOperational” logging in Microsoft-Windows-TaskScheduler/Operational. Apply the recommended Microsoft audit policy settings appropriate for your environment.

Enable and centralize the following Task Scheduler logs. Even though the tasks are “hidden”, these logs track key events related to them that could lead you to discover a well-hidden persistence mechanism.

  • Event ID 4698 in the Security.evtx log
  • The Microsoft-Windows-TaskScheduler/Operational.evtx log

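As an added example (not from this thread, Malwarebytes or Microsoft) that ties the two posts above together: it turns on the two logs the post names, then lists tasks that exist in the Task Scheduler registry cache but have lost their security descriptor (SD) value or do not show up through the Task Scheduler API, and finally prints the recent task-creation events. The TaskCache\Tree layout, the Tasks\{GUID} naming and the event property positions are assumptions from standard Windows 10/11, not something taken from the thread; run it in an elevated PowerShell.

```powershell
# Added example (not from the thread, Malwarebytes or Microsoft). Run as Administrator.
# Assumed: tasks live as leaf keys under TaskCache\Tree with Id, Index and SD values;
# Security event 4698 property 4 and Operational event 106 property 0 hold the task name.

# 1. Make sure the two logs the post names are actually being written.
#    Security event 4698 (task created) needs the "Other Object Access Events" subcategory.
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable | Out-Null
wevtutil set-log "Microsoft-Windows-TaskScheduler/Operational" /enabled:true

# 2. Registry view. A task whose SD value has been removed no longer shows in
#    Task Scheduler or "schtasks /query", but its key is still present here.
$tree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$fromRegistry = Get-ChildItem -Path $tree -Recurse |
    Where-Object { $_.SubKeyCount -eq 0 -and $_.GetValue('Id') } |   # leaf keys are tasks
    ForEach-Object {
        $full = $_.Name        # e.g. HKEY_LOCAL_MACHINE\...\TaskCache\Tree\Microsoft\Windows\...
        [pscustomobject]@{
            TaskPath = $full.Substring($full.IndexOf('\TaskCache\Tree\') + 15)  # "\Folder\Name"
            Id       = $_.GetValue('Id')
            HasSD    = $null -ne $_.GetValue('SD')
        }
    }

# 3. API view, expressed in the same "\Folder\Name" form so the two lists can be compared.
$fromApi = Get-ScheduledTask | ForEach-Object { $_.TaskPath + $_.TaskName }

# 4. Present in the registry but missing its SD, or absent from the API view: look closer.
$suspect = $fromRegistry | Where-Object { -not $_.HasSD -or $fromApi -notcontains $_.TaskPath }
"Tasks in registry: $($fromRegistry.Count); visible via API: $($fromApi.Count); suspect: $($suspect.Count)"
$suspect | Format-Table TaskPath, HasSD, Id -AutoSize

# 5. Recent task creations: Security 4698 (task created) and Operational 106 (task registered).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -MaxEvents 25 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'User'; e = { $_.Properties[1].Value } },
        @{ n = 'Task'; e = { $_.Properties[4].Value } } | Format-Table -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106 } -MaxEvents 25 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Task'; e = { $_.Properties[0].Value } },
        @{ n = 'User'; e = { $_.Properties[1].Value } } | Format-Table -AutoSize
```

Events created before the audit setting was switched on will not be in the Security log, so the registry comparison is the part that can still reveal a task that was hidden earlier.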

Good morning @venom 

When you get caught up, please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

Gotta have history and all logs from Malwarebytes for Windows. 

 [   2   ]

  • I would like a report set for review.   This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply. I need this report set so that I can review the overall state of this system.

Hi, I'll be back with those things you asked for. In the meantime I went to my other Windows and did a scan of this Windows and it found more things. When I use scan for rootkits my scanner slows down at about 400 thousand files. I had it on for more than 8 hours and it only went to 500 thousand from 400 thousand. If I disable the rootkit scan it only takes about 28 min to scan around 850 thousand + files. Why is it so slow? Look at my attached file.

new scan.txt


FYI, with the rootkit scan on, it invokes a more demanding load. I try to only use it when the occasion calls for it. I am going to look at your report. AND I also look forward to getting the ZIP report from the support tool. I really need that to get a fuller picture of what is going on.

Further comment: I hope you did not select a custom scan of the whole system!


9 minutes ago, Maurice Naggar said:

FYI, with the rootkit scan on, it invokes a more demanding load. I try to only use it when the occasion calls for it. I am going to look at your report. AND I also look forward to getting the ZIP report from the support tool. I really need that to get a fuller picture of what is going on.

Further comment: I hope you did not select a custom scan of the whole system!

No, I only did a custom scan for the C: drive.


5 minutes ago, Maurice Naggar said:

That last report shows scanning the P: drive. What is going on there? Are you in a business network? Or is this just a home-user type with maybe a home network?

Why is there a P:\WINDOWS?

I went into my other Windows. I use 2 Windows installations (not dual boot) and the P: drive is the Windows I use often, which is up to date with updates. I use my other Windows offline. But I went to the offline one, went online quickly to update Malwarebytes and then I scanned the P: drive, which is my main Windows.


14 minutes ago, Maurice Naggar said:

FYI, with the rootkit scan on, it invokes a more demanding load. I try to only use it when the occasion calls for it. I am going to look at your report. AND I also look forward to getting the ZIP report from the support tool. I really need that to get a fuller picture of what is going on.

Further comment: I hope you did not select a custom scan of the whole system!

When it slows down it uses no resources from my PC at all, but when it goes fast it uses almost 100% of my CPU. Then when it comes to about 400 thousand files scanned it slows down so much that only a single digit is counting, like this as an example: 200-201-202, but when it goes fast it's like this: 200-250-300 and so on, more like 10 digits per second. I mean it was scanning for 8 hours, only the C: drive, because it uses no resources and only 1 digit is moving when it scans.


Why is there a mention of a Z: drive being scanned on the scan of today? 2022-04-29T16:00:08Z

If there is a next time that I need a scan with Malwarebytes for Windows, I will ask that it either be just a standard scan, or else, just the C drive.

For now, I will be drilling through the reports and history, and will get back to you later this afternoon. Thanks.


I will guide you along on looking for potential malware. Let's keep these principles as we go along.

  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked, hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".

Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "Scan" button, be sure that Chrome & Edge, or any other web browser, are closed.

It will not take much time.

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

 

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start AdwCleaner. Then do a scan with AdwCleaner.

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

[ NEXT ]

Next, this will be a check with ESET Online Scanner for viruses, other malware, adware, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At the screen "Detections occurred and resolved" click on the blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

48 minutes ago, Maurice Naggar said:

Why is there a mention of a Z: drive being scanned on the scan of today? 2022-04-29T16:00:08Z

If there is a next time that I need a scan with Malwarebytes for Windows, I will ask that it either be just a standard scan, or else, just the C drive.

For now, I will be drilling through the reports and history, and will get back to you later this afternoon. Thanks.

The Z: drive is the other Windows when I'm in my P: drive Windows. When I'm in my other Windows (the offline one), my current C: drive (online Windows) becomes the P: drive; when I'm in this current Windows (the online one), the other Windows (the offline one) becomes the Z: drive.


I did scan with AdwCleaner, I'll provide the results, and with ESET Online it was all clean so I won't submit the log from ESET. I had that malware/virus that I started this topic about, but Malwarebytes deleted it as you saw; I have nothing else in my PC, I'm clean. But I have a question. What was that virus I had that put itself into Task Scheduler? Do you know how I could have gotten it? And how dangerous do you think it was, and have you seen this virus I had before?

AdwCleaner[S01].txt


The issue that you started this case on is classified as "Trojan.Agent". You can read what the Malwarebytes Research group says about Trojan.Agent.TskLnk (which most fits the issue) at this link
https://blog.malwarebytes.com/detections/trojan-agent-tsklnk/

The most common way for those to come in is typically through web browsers and what is downloaded. We often see these types when folks grab onto game hacks / game cracks, or other dodgy or questionable sources.
I do believe this system should be scanned by another trusted tool, from Microsoft.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the-tool instructions are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select  CUSTOM scan  & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

  • Once you see it has started, take a long, long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • Again, any on-screen display about a repeat 'infection' is not to be relied on. Ignore those.
  • We only rely on the end result that is in the log report file.

 

This is likely to run for many hours (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log

The log will be at

Windows\debug\msert.log

Please attach that log with your reply. We will do more later.


As I was re-reviewing this case, it seems that there are important reports that we did not get from this machine. Please make time to get these so that I can double check. It is for the security of your machine.

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Press the Scan button.


  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not, and you may need to select it manually.
  • Please attach both logs to your reply.

Yes, I have Norton also; I heard it's OK with Malwarebytes. I have also made exclusions in both programs so they don't fight. I found a really weird thing just now! The Microsoft Safety Scanner found 359 infected files, but when it finished it only found 2 things that it deleted. What happened to those 359 files?

msert.log


I was in shock when it said 359 files infected while scanning, and I thought how come Norton, ESET, Malwarebytes, and so on have missed so many infected files, but then when it finished those files were nowhere to be found. Is it a bug, or has someone or something quickly deleted/hidden those files so they would not be deleted or shown in the log for us to see?
