Persistent script/trojan (ttdinject.exe?)

Solved by AdvancedSetup

Hello All!

So this has been running me in circles for about 2 weeks. I first noticed the virus when my PC came to a crawl during gameplay. Observing the system at boot and then in safe mode with HWMonitor, I could see that my PC graphics was at 100% utilization. I narrowed it down to a program I had installed and removed it, and the problem seemed to actually go away. Upon reboot the problem came back as another app. It seems the malware is good at disguising itself as other software. Well, fast forward through a week of Malwarebytes and other software scan tools: it seems like everything was removed, but now what I get is constant popups about blocked websites.


Multiple scans come up clean. Did a registry search but couldn't find anything specific; checked out Task Scheduler and there seemed to be some oddities, all named "lkjlkjasdf" or some variant, which I removed, still with no change. Searching through logs I did see a particularly odd .exe in the system32 folder called "ttdinject.exe" and looked it up.

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Ttdinject.A&ThreatID=2147781124

I am unsure if this is actually the culprit. I found a website that called it a "Coin Miner Trojan", and their description certainly describes my initial issues.

 

Here are my logs:

scanreport2022-06-22.txt
FRST.txt, Addition.txt

  • Root Admin

Are you running this VBE file on startup on purpose?

Startup: C:\Users\antho\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatadif.vbe [2022-06-26] () [File not signed]
 

Please temporarily disable Avast real-time protection and run the following fix. Failure to disable Avast will cause this fix not to run.

https://helpdeskgeek.com/how-to/how-to-turn-off-or-disable-avast-temporarily/
Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks
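The opening post describes Task Scheduler entries with keyboard-mash names, and the reply above flags an unsigned .vbe in the user's Startup folder. The script below is an added triage example, not code from the thread, from FRST or from Malwarebytes: it lists Startup-folder scripts with their Authenticode status and scheduled tasks whose names look random, so the persistence mechanism can be recorded before anything is deleted. The random-name heuristic and its thresholds are my own assumption.

```powershell
# Added triage script (not from the thread, FRST or Malwarebytes): lists Startup-folder
# scripts with their Authenticode status, then scheduled tasks whose names look random.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder (where updatadif.vbe sat)
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$scriptExt = '.vbe', '.vbs', '.js', '.jse', '.wsf', '.bat', '.cmd', '.ps1', '.exe', '.lnk'

function Get-StartupFindings {
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File |
            Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Modified  = $_.LastWriteTime
                    Signature = $sig.Status   # NotSigned is what FRST reports as "[File not signed]"
                }
            }
    }
}

# Names like "lkjlkjasdf" are keyboard-mash strings: all lowercase, almost no vowels,
# long consonant runs. The thresholds are an assumption; tune them for your own machine.
function Test-RandomName {
    param([string]$Name)
    if ($Name -cnotmatch '^[a-z0-9]{6,}$') { return $false }   # -c: case-sensitive match
    $vowelRatio = ([regex]::Matches($Name, '[aeiou]')).Count / $Name.Length
    return ($vowelRatio -lt 0.2) -or ($Name -cmatch '[bcdfghjklmnpqrstvwxyz]{5,}')
}

function Get-SuspiciousTasks {
    Get-ScheduledTask | Where-Object { Test-RandomName $_.TaskName } | ForEach-Object {
        [pscustomobject]@{
            Task   = $_.TaskPath + $_.TaskName
            State  = $_.State
            # What the task launches is the lead worth keeping before the task is removed.
            Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}

Get-StartupFindings | Format-Table -AutoSize
Get-SuspiciousTasks | Format-Table -AutoSize
```

Run it from an elevated PowerShell so that tasks registered by other accounts are visible.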

Hello AdvancedSetup!

First, thank you for the quick response and assistance. I do NOT have any VBEs running at boot, and it is actually part of the same problem I noticed myself. When I delete the file it recreates itself with a different name. Overnight I let two things run, a full Malwarebytes scan plus Microsoft Safety Scanner.

Microsoft Scanner removed some items, but they didn't seem serious (just unsigned code). Here is the removal for Malwarebytes:

 

I had uninstalled Avast some time ago; not sure why there is anything running under their name. I followed up with the Avast uninstall tool; hopefully it's gone entirely now.

 

I then ran your fix; here is the log:

Fixlog.txt

 

Checked the Malwarebytes log and this is what I see (same issue):

  • Root Admin
  • Solution

Please uninstall the outdated versions of these programs:

Java(TM) SE Development Kit 17 (64-bit)
Java(TM) SE Development Kit 17.0.3.1 (64-bit)

 

Then run this updated FIXLIST as before and post back the new FIXLOG when it's done.

fixlist.txt

Thanks

  • Root Admin

$BarTender_Security$ (S-1-5-21-4084680586-3339615061-4144054259-1007 - Limited - Enabled)  I didn't notice the Bartender software I'm used to seeing. Are you sure you still use and need this account?

Guest (S-1-5-21-4084680586-3339615061-4144054259-501 - Limited - Enabled) This account should be disabled. It poses a risk being enabled.

  • Root Admin

You may want to consider uninstalling the following.

CCleaner (computer experts no longer recommend using this program)

 

Your DNS Servers: 192.168.0.1

Please consider changing your default DNS Server settings. Please choose one provider only.

DNS is what lets users connect to websites using domain names instead of IP addresses.

  • Google Public DNS: IPv4 8.8.8.8 and 8.8.4.4; IPv6 2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4 1.1.1.1 and 1.0.0.1; IPv6 2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4 208.67.222.222 and 208.67.220.220; IPv6 2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4 84.200.69.80 and 84.200.70.40; IPv6 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on changing DNS settings if needed.

Please follow the directions from the following topic and clean up your Google Chrome browser.

Once the items above have been completed, please restart the computer and run the following antivirus scanner to double-check and make sure it too does not find anything more.

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe".
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on Full scan.
  • Tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done. You should turn off the offer for "periodic scanning".

 

Note: If you do need to do a File Restore from ESET please follow the directions below.

[KB2915] Restore files quarantined by the ESET Online Scanner version 3
https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner
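As an added check (not code from the thread or from any of the tools it names), this script reports the state of the built-in Guest account raised in the earlier reply and compares each adapter's configured DNS servers with the providers listed above; the 'Ethernet' interface alias in the remediation comment is an assumed name.

```powershell
# Added audit script (not from the thread): Guest account state plus a DNS-server check
# against the public resolvers the thread lists. Run from an elevated PowerShell.
$knownResolvers = @(
    '8.8.8.8', '8.8.4.4', '2001:4860:4860::8888', '2001:4860:4860::8844',                      # Google
    '1.1.1.1', '1.0.0.1', '2606:4700:4700::1111', '2606:4700:4700::1001',                      # Cloudflare
    '208.67.222.222', '208.67.220.220', '2620:119:35::35', '2620:119:53::53',                  # OpenDNS
    '84.200.69.80', '84.200.70.40', '2001:1608:10:25::1c04:b12f', '2001:1608:10:25::9249:d69b' # DNSWATCH
)

function Get-GuestAccountState {
    # RID 501 is always the built-in Guest account, even when it has been renamed.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    [pscustomobject]@{ Account = $guest.Name; Enabled = $guest.Enabled; SID = $guest.SID.Value }
}

function Get-DnsFindings {
    Get-DnsClientServerAddress | Where-Object { $_.ServerAddresses.Count -gt 0 } | ForEach-Object {
        foreach ($server in $_.ServerAddresses) {
            # A private address such as 192.168.0.1 means the router resolves on the PC's
            # behalf; the thread recommends pointing directly at one public provider instead.
            [pscustomobject]@{
                Interface     = $_.InterfaceAlias
                Server        = $server
                KnownProvider = $knownResolvers -contains $server
            }
        }
    }
}

Get-GuestAccountState | Format-List
Get-DnsFindings | Format-Table -AutoSize

# Remediation, only once nothing is known to depend on the account or the adapter
# ('Ethernet' is an assumed alias; use the one Get-DnsFindings prints):
#   Disable-LocalUser -SID (Get-GuestAccountState).SID
#   Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 1.1.1.1, 1.0.0.1
```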

30 minutes ago, AdvancedSetup said:

$BarTender_Security$ (S-1-5-21-4084680586-3339615061-4144054259-1007 - Limited - Enabled)  I didn't notice the Bartender software I'm used to seeing. Are you sure you still use and need this account?

Guest (S-1-5-21-4084680586-3339615061-4144054259-501 - Limited - Enabled) This account should be disabled. It poses a risk being enabled

BarTender? I believe it's label software that I no longer have/use (leftover traces?).

Unfortunately, I need the guest acct active but I'll see about disabling it, very good advice. 

Ran a new scan and didn't find anything new, and ran ESET and it didn't find anything. I'll monitor my system for a few days and see if anything new pops up.

Thank you!

  • Root Admin

You're quite welcome @logicforward , glad to be of help.

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

  • 1 month later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you