Infected with Trojan.VBS.TaskExecution



Recently I accidentally perma-deleted a folder on my PC that contained important files, and I have been making attempts to restore them by downloading various reputable programs like R-Studio, Recuva, ReclaiMe and so on.

Before I ever run anything on my machine I always make sure to run it through VirusTotal, whether or not I got it from a legitimate place, and everything came back clean.

My Malwarebytes ran its usual scan the next day and suddenly it had caught about 5 viruses: one named Trojan.VBS.TaskExecution and a sprinkle of Trojan.BitCoinStealer.

I did some research online, but Google didn't net me many results; however, I did find this thread in which the same virus is discussed (hopefully), and someone attached a link to a GitHub gist for removing the virus, which can be found here:

 

https://gist.github.com/infernoboy/cf114fda56ff3706478e0d1e6a1a1b27?permalink_comment_id=4140687#gistcomment-4140687

 

I tried following the steps, besides browsing the Task Scheduler, since it won't run in Safe Mode, which is how I am using my computer at the moment as I'm on the hunt for the malware, so I instead went to the folder:

C:\Windows\System32\Tasks\Microsoft\Windows\NetService\ to find any remains of the virus, but no such folder existed!

Instead, according to the Malwarebytes scan that I received, the malware was found here: C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\Management\Provisioning\

The steps mention there should be a .txt file in the folder C:\Windows\logs\, but mine does not have any.

The steps also mention that the virus modifies a system file named SyncAppvPublishingServer.vbs on your PC (it can be found in the System32 folder); however, the contents of the file are the same as the legitimate version, so nothing was really different.

So I suspect that I might have encountered a different virus, or a modified virus that has evolved to bypass the instructions given in the GitHub gist.

I ran DISM, but nothing was really found. I ran an SFC scan, and it did find some corrupted files! The files were:

C:\Windows\System32\drivers\BthA2dp.sys

C:\Windows\System32\drivers\BthHfEnum.sys

and C:\Windows\System32\drivers\bthmodem.sys, mostly.

 

Stuff in Startup in Task Manager looks fine too.

But seeing that this nasty virus has put itself in entries that try to restore it after each boot, I am sure it's doing some trickery to get back on its feet or remain undetected.

Should I do a fresh install, or do I have a chance of fighting against this thing?

 

I have attached Farbar and MB files, hope this helps! 

 

And Thank you!

Addition.txt FRST.txt MalwareBytes Scan.txt

Edited by AdvancedSetup
Disabled live hyperlink

P.S. I have still not had the chance to look into Task Scheduler to see what's going on inside, since it seems like it's a task-creation-oriented malware, judging from its title.

If anyone has an idea how to access information in the Task Scheduler in Safe Mode, it would be a delight!

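The Task Scheduler console depends on the Task Scheduler service, which the poster found unavailable in Safe Mode, but the task definitions themselves are plain XML files under C:\Windows\System32\Tasks, mirrored by the registry TaskCache, and both can be read offline. The following PowerShell is an added example, not part of the original thread or the linked gist: it parses every task definition on disk, flags the ones whose action launches a script host or runs from a user-writable path, and then cross-checks the registry tree against the files on disk. The indicator patterns are generic triage heuristics (an assumption on my part), not a signature for Trojan.VBS.TaskExecution.

```powershell
# Added example (not from the original thread or the linked gist).
# Reads scheduled-task definitions straight from disk and the registry,
# so it works in Safe Mode where the Task Scheduler console does not.
# Run from an elevated PowerShell prompt.

$taskRoot = "$env:SystemRoot\System32\Tasks"
$treeKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

# Generic indicators for script-based task persistence (assumption: these
# are heuristics for triage, not a signature for any particular family).
$indicators = 'wscript|cscript|\.vbs|\.js\b|powershell|pwsh|mshta|rundll32|regsvr32|' +
              '-enc|-w hidden|bypass|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\'

# Every file under the Tasks folder is one task definition in XML
# (no extension; the file is named after the task).
$tasks = Get-ChildItem -Path $taskRoot -Recurse -File -Force | ForEach-Object {
    try   { [xml]$xml = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction Stop }
    catch { return }                                   # unreadable or not XML

    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')

    # <Exec> actions carry the command line; join several if present.
    $cmd = ($xml.SelectNodes('//t:Actions/t:Exec', $ns) |
            ForEach-Object { "$($_.Command) $($_.Arguments)".Trim() }) -join ' ; '

    [pscustomobject]@{
        Task     = $_.FullName.Substring($taskRoot.Length)   # e.g. \Microsoft\Windows\...
        Author   = $xml.Task.RegistrationInfo.Author
        Modified = $_.LastWriteTime
        Command  = $cmd
        Flagged  = [bool]($cmd -match $indicators)
    }
}

"== Tasks whose action matches the indicators =="
$tasks | Where-Object Flagged | Sort-Object Modified -Descending |
    Format-Table Task, Author, Modified, Command -AutoSize -Wrap

# Cross-check: each registered task has a leaf key under TaskCache\Tree
# with an Id value. A registry entry with no file on disk (or a file with
# no registry entry) deserves a close look; removing one side to hide a
# task is a known evasion, and the mismatch is visible from Safe Mode.
$inRegistry = Get-ChildItem -Path $treeKey -Recurse |
    Where-Object { $_.GetValue('Id') } |
    ForEach-Object { $_.Name.Substring($_.Name.IndexOf('\Tree') + 5) }

"== Registry/disk mismatches (<= only in registry, => only on disk) =="
Compare-Object -ReferenceObject @($inRegistry) -DifferenceObject @($tasks.Task) |
    Format-Table InputObject, SideIndicator -AutoSize
```

A flagged task is not automatically malicious; several legitimate Microsoft tasks run PowerShell or rundll32, so read the Command column together with the Author and Modified columns and the folder the task lives in (the poster's detection sat under \Microsoft\Windows\Management\Provisioning\, which is why the NetService folder in the gist was empty).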

6 minutes ago, AdvancedSetup said:

 

Why is your Google Browser running from this location?
"C:\Users\Dan\AppData\Local\Google\Chrome SxS\Application\chrome.exe"

This is the normal location
"C:\Program Files\Google\Chrome\Application\chrome.exe"

 

I am using Canary, which might be why.

I might run some extra scans, and hopefully an offline one, before starting the computer up once more, once I figure out why Defender keeps crashing in Safe Mode.


  • Root Admin

Fresh, brand new install of Google Chrome on Windows 11 also installs to the same folder as it does on Windows 10

"C:\Program Files\Google\Chrome\Application\chrome.exe"

 

So, why are you running Google Chrome out of that folder?

 


1 minute ago, AdvancedSetup said:

So, why are you running Google Chrome out of that folder?


Not sure haha, I think it's always been like that with the Canary version I have running.


  • Root Admin

Just installed Canary on a clean Windows 11 workstation that has never had Google installed on it and it looks to be using that folder as you said.

 

"C:\Users\PC\AppData\Local\Google\Chrome SxS\Application\chrome.exe"

 

Do the recommended clean up and then restart the computer and get me new scan logs.

 

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software, see the note below on allowing the download.

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

[Screenshots in the original post: examples of Microsoft Edge blocking the download]


STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time.
  • Please attach the Addition.txt log to your reply as well.
  • On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

 

Thanks


8 minutes ago, AdvancedSetup said:

Please follow the directions from the following topic and let us know if that corrects the issue for you.

 

Thank you

 

Followed, I always had my sync turned off anyway haha

2 minutes ago, AdvancedSetup said:

Do the recommended clean up and then restart the computer and get me new scan logs.


Gotcha!

 

Addition.txt AdwCleaner[S00].txt MalwareBytes Scan.txt FRST.txt


  • Root Admin

Please run the following fix. When it has been completed post back the FIXLOG.txt file as an attachment.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


  • Root Admin

We'll look at Malwarebytes a bit later. For now, let me have you run the following

 

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here:   https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  • Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
  • Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard.
  • Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options... 
  • Then place a check mark on the following items Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images
  • Then click the Rescan button. Agree to the VirusTotal EULA
  • Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.


Thank you

 

 

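The GUI procedure above can also be done non-interactively with autorunsc.exe, the command-line build shipped in the same Autoruns.zip, which makes the result filterable. The following PowerShell is an added example, not from the original thread: it runs autorunsc with the same three options the steps ask for (signature verification, VirusTotal lookup, submission of unknown images), then lists only the entries that are unsigned, not verifiable, or flagged by VirusTotal. The extraction folder C:\Tools\Autoruns is an assumption; the column names are the headers autorunsc writes in CSV mode.

```powershell
# Added example (not from the original thread). Collects the same Autoruns
# data as the GUI steps above with the command-line autorunsc, then
# filters the CSV for the entries a reviewer would look at first.
# Assumption: Autoruns.zip was extracted to C:\Tools\Autoruns. Run elevated.

$autorunsc = 'C:\Tools\Autoruns\autorunsc64.exe'
$csv       = "$env:USERPROFILE\Desktop\$env:COMPUTERNAME-autoruns.csv"

# -a *  all entry categories    -c  CSV to stdout     -h  file hashes
# -s    verify code signatures  -vs query VirusTotal and submit unknowns
# -vt   accept VirusTotal terms (the three options the GUI steps tick)
$arguments = '-accepteula -nobanner -a * -c -h -s -vs -vt'

# Start-Process hands the file handle to the child as its stdout, so the
# bytes autorunsc writes land in the file unchanged.
Start-Process -FilePath $autorunsc -ArgumentList $arguments `
    -RedirectStandardOutput $csv -NoNewWindow -Wait

# Import-Csv detects the byte-order mark, so the tool's encoding does not matter.
$entries = Import-Csv -LiteralPath $csv

# "Signer" is prefixed "(Verified)" or "(Not verified)" when -s is used;
# "VT detection" reads "hits|engines" (e.g. 0|72) when -v is used.
$review = $entries | Where-Object {
    $_.Signer -notmatch '^\(Verified\)' -or
    ($_.'VT detection' -and $_.'VT detection' -notmatch '^0\|')
}

$review |
    Select-Object Time, 'Entry Location', Entry, 'Image Path', Signer, 'VT detection' |
    Format-Table -AutoSize -Wrap

"{0} of {1} autostart entries need a look" -f @($review).Count, @($entries).Count
```

The full CSV on the desktop is the artifact to attach; the filtered view is only for deciding what to read first. An unverified signer is common for legitimate third-party software, so treat it as a prompt to inspect the Image Path and Entry Location rather than as a verdict.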

On 6/20/2022 at 2:31 AM, AdvancedSetup said:

We'll look at Malwarebytes a bit later. For now, let me have you run the following

Create an Autoruns Log:


Thank you for the reply!

I, however, had to get things moving again sooner than I could allow myself, as I need my system back up for my employment and other things.

Between replies I was trying all I could to research and identify the virus better on my own, and while it's important to me to also know how I got my system contaminated in the first place (to avoid getting contaminated again if one of the files I've backed up is infected), I had to wipe my PC, as it seemed like the PowerShell virus kept restoring itself even during Safe Mode.

It seems like it's a banker Trojan, and the amount of damage it causes is extremely severe; even after attempts to get rid of it, which would probably mean digging deeper into the case, it would probably still leave the OS heavily altered, damaged or compromised, or with things that would affect the experience of using the OS overall.

I hated to do it, but I had to reformat my PC. I'm still on the offense against any of my backed-up data, however, since how and why I got infected in the first place went totally under the radar and was undetected by my built-in and third-party (Malwarebytes) AVs and the scans I've made through VirusTotal.

I don't think whatever I got is registered yet as a virus, at least not whatever payload I previously executed to get quietly infected in the first place.


  • Root Admin

They are Trojans in most cases. No harm understood. Doing a re-installation of Windows is a good thing.

Let me leave you some suggestions to help you keep the system better protected. Make sure you also have good backups to an external drive.

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 


8 hours ago, AdvancedSetup said:

They are Trojans in most cases. No harm understood. Doing a re-installation of Windows is a good thing.


 

Thank you for the advice! Good to know I have been following all the right procedures for safety!

I have scanned my backup with Malwarebytes, Kaspersky and Bitdefender; are there any more AVs I can use to scan for any pesky threats most commercial AVs can't?


40 minutes ago, AdvancedSetup said:

No, scanning flat files from storage is pretty much a waste of time. Malware needs to be in active regions of the computer so that it can be launched and run to be effective

Take care

 

Yeah, I know. I just wanted to know the source of the infection this time so I won't be launching it again, in case one of the things I backed up contained it.

Thank you though. 

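The poster's goal in the exchange above is to work out which backed-up file carried the original infection, which a flat antivirus scan of the backup will not answer for a sample no vendor has yet. The following PowerShell is an added example, not from the original thread: it inventories the file types in a backup that can carry active content, records each one's Authenticode status and SHA-256, and writes the unsigned or tampered items to a CSV so the hashes can be searched on VirusTotal without uploading anything. The backup path E:\Backup and the extension list are assumptions.

```powershell
# Added example (not from the original thread). Triage a backup for files
# that could have carried the original infection, instead of relying on a
# flat antivirus scan. Assumption: the backup is mounted at E:\Backup.
$backup = 'E:\Backup'
$report = "$env:USERPROFILE\Desktop\backup-triage.csv"

# Extensions that execute or lead to execution when opened (assumed list;
# extend it for whatever the backup actually contains).
$active = '\.(exe|dll|scr|com|msi|bat|cmd|ps1|vbs|vbe|js|jse|wsf|hta|lnk|jar|iso|img)$'

$items = Get-ChildItem -Path $backup -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $active } |
    ForEach-Object {
        # Get-AuthenticodeSignature is slow on large trees but answers the
        # question that matters: is this the vendor's binary, unchanged?
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Size      = $_.Length
            Modified  = $_.LastWriteTime
            Signature = $sig.Status                      # Valid / NotSigned / HashMismatch ...
            Signer    = $sig.SignerCertificate.Subject
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

# Anything not carrying a valid signature, newest first. HashMismatch on a
# file that claims a signature is the strongest single indicator here;
# NotSigned is normal for scripts, shortcuts and many small utilities.
$suspect = $items | Where-Object { $_.Signature -ne 'Valid' } | Sort-Object Modified -Descending
$suspect | Export-Csv -LiteralPath $report -NoTypeInformation

$suspect | Select-Object Modified, Signature, Path, SHA256 -First 25 | Format-Table -AutoSize -Wrap
"{0} of {1} active-content files lack a valid signature; full list in {2}" -f @($suspect).Count, @($items).Count, $report
```

The SHA256 column can be pasted into the VirusTotal search box, which reports on hashes already known to the service and reveals nothing about the file if it is unknown; that is usually the better first step for a private file than uploading it. Files whose Modified time falls just before the first Malwarebytes detection deserve the earliest look.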

  • Root Admin

Sophos Scan & Clean

You will need to send Sophos an email address to get a link to download the scanner, please do so

 

Download Sophos Free Virus Removal Tool and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please close all other open applications and Do Not use your PC whilst the scan is in progress... This scan is very thorough so it may take several hours to complete, please be patient...


Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your next reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result...

The Virus Removal Tool scans the following areas of your computer:

  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Please attach that log on your next reply

 

 

 

 

 

This is the Kaspersky one

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Press the Windows key and the R key together; the "Run" box should open.

Drag and drop KVRT.exe into the Run box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.

Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open; tick all confirmation boxes, then select "Accept".

In the new window select "Change Parameters".

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options; if "Cure" is offered leave as is. For any other options change to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed...
 
 
 
 

 

 


  • Root Admin

These are the instructions for Dr. Web, however, the instructions are very old so they may have changed the download process and the program interface. If so then you'd need to adjust as appropriate to download and run it.

 

 

Let me have you run the following Dr.Web antivirus scanner.


  1. Please visit the following website: https://free.drweb.com/
  2. Click on the green download free of charge link - Only for home
  3. In the next screen click the red x to close the offer for Android download if offered
  4. Then click the small green arrow to agree to the use of cookies
  5. Then click on the "Download Dr.Web CureIt!" link and download the installer
  6. Locate the file downloaded and double-click to run it and click to accept the User Account Control alert
  7. Click to agree to the DrWeb license and update, then click the Continue button
  8. Make sure you click on the "Select objects for scanning" link and select all items
  9. After you have selected all objects then click the "Start scanning" button
  10. Once the scan has completed there will be an option to either Cure or Ignore for each item detected
  11. If you're certain that an object is good and safe then uncheck the box next to the object in the list
  12. If the scan detects your "hosts" file uncheck it and click to ignore.
  13. Then click the Neutralize button
  14. Once completed click on the small "Open report" link and save that file to your desktop and attach on your next reply

Thank you


This topic is now closed to further replies.