
Wacatac b!ml infection



Things to note:

- The computer was not restarted after I sent you the message. There is a possibility of a false positive, if that is ever possible with PowerShell windows.

- Last time Firefox didn't have a problem downloading Farbar. This time it stopped downloading it, claiming that it is "usually not downloaded". I bypassed the message and forced Firefox to download.

Addition.txt AdwCleaner[C00].txt FRST.txt MBScan13071129.txt



  • Root Admin

It's very late for me, so we'll have to take this up more tomorrow. For now please run the following AV scan and see if it finds anything.

We'll probably need to enable Auditing to track this down.

 

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the Windows Key and R Key together; the "Run" box should open.


Drag and Drop KVRT.exe into the Run Box.


C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.


Add -dontencrypt (note the space between KVRT.exe and -dontencrypt).

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
 


That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

An EULA window will open; tick all confirmation boxes, then select "Accept".


In the new window select "Change Parameters"


In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...


When complete, if entries are found there will be options; if "Cure" is offered leave as is. For any other options change to "Delete", then select "Continue".


When complete, or if nothing was found, select "Close".


Attach the report information as previously instructed...
 
Thank you
 
 

 

 


There ya go.

Things to note. Ran an extra MB scan with no detections.

Restarted computer. Did not see the PowerShell window. Yesterday, when I noticed it, it was a lot faster than the two old ones, and getting a glimpse of PowerShell windows is a bit hard considering that they run even when I am on the login screen.

Screen "Turn off" function still disabled after restart.

Addition.txt FRST.txt


  • Root Admin

The log isn't showing signs of running it. Let's go ahead though and use a couple of other checks.

 

You will need to send an email to Sophos to get the link to download, please do that.

Sophos Scan & Clean

Download Sophos Free Virus Removal Tool and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please close all other open applications and Do Not use your PC whilst the scan is in progress... This scan is very thorough so it may take several hours to complete, please be patient...


Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your next reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result...

The Virus Removal Tool scans the following areas of your computer:

  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable

Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Please attach that log on your next reply

 

 

 

NEXT --->

 

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here:   https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  • Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
  • Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard.
  • Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options... 
  • Then place a check mark on the following items: Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images.
  • Then click the Rescan button. Agree to the VirusTotal EULA
  • Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.

 

 


 

Thank you

 

 


Ran Sophos Scan and Clean x64. Took 10 minutes. Didn't find anything. Started frantically looking for a problem within the instructions only to discover that I did do it correctly?

Ran Autoruns. Took less than 30 seconds with the extra Virustotal options. Added a rar file instead of a zip. Probably doesn't matter.

SophosScanAndClean_20220714_0630.log DESKTOP-QDGKCNF.rar


  • Root Admin

Autoruns was not completed. Though it says it's ready, it's not ready. Once it submits a hash it then has to wait a while to resync. You basically need to look in all the columns and scroll down them to ensure that all the VirusTotal entries have completed.

 

Here is an example in the Drivers section where not all of the VirusTotal entries were completed yet.

 



  • Root Admin

Please do the following

STEP 1

Make a new folder at the top of your C: drive named Transcripts
So it will be:  C:\Transcripts

 

STEP 2

Click on START and type in GPEDIT  and you should see something like this. Run it.


 

STEP 3

Then drill down to the following path

Computer Configuration --> Administrative Templates --> Windows Components --> Windows PowerShell

 

STEP 4

We'll set the following policies:


  • Turn on Module Logging

Click on the Show... button


Enter an asterisk * into the table and press the Enter key, then click the OK button.


 

  • Turn on PowerShell Script Block Logging

Click on the "Log script block invocation start / stop events:" checkbox.


 

  • Turn on PowerShell Transcription

Type in the name of the folder we created in STEP 1:

C:\Transcripts

Place a checkmark in the "Include invocation headers:" box.


 

Restart the computer

Watch the C:\Transcripts folder for entries being created

This should probably be enough to help us track this down. If not, then we'll look at enabling further Auditing.

 

 

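The four STEPs above set three Group Policy items by hand. As an added example (not code from the thread or from Malwarebytes), the script below applies the same three policies through their registry-backed policy keys and then reads them back, which is a quick way to confirm nothing was missed; the folder path and the expected values are the ones the steps above ask for.

```powershell
# Added example (not from the thread): applies the same three PowerShell logging
# policies the four GPEDIT steps above set, through their registry-backed policy keys,
# then reads them back. Run from an elevated PowerShell prompt.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\Transcripts'   # the folder created in STEP 1

function Enable-PowerShellAuditPolicies {
    New-Item -Path $transcriptDir -ItemType Directory -Force | Out-Null

    # Turn on Module Logging, with "*" in the module table so every module is covered
    $mod = Join-Path $base 'ModuleLogging'
    New-Item -Path $mod -Force | Out-Null
    New-Item -Path (Join-Path $mod 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $mod -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $mod 'ModuleNames') -Name '*' -Value '*' -Type String

    # Turn on PowerShell Script Block Logging plus the invocation start/stop events
    $sbl = Join-Path $base 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockInvocationLogging -Value 1 -Type DWord

    # Turn on PowerShell Transcription into C:\Transcripts with invocation headers
    $tr = Join-Path $base 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value $transcriptDir -Type String
}

function Get-PowerShellAuditPolicyState {
    # One object per policy value, with OK = $true when it matches what STEP 4 asks for
    $checks = @(
        @{ Key = 'ModuleLogging';      Name = 'EnableModuleLogging';                Expect = 1 },
        @{ Key = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging';           Expect = 1 },
        @{ Key = 'ScriptBlockLogging'; Name = 'EnableScriptBlockInvocationLogging'; Expect = 1 },
        @{ Key = 'Transcription';      Name = 'EnableTranscripting';                Expect = 1 },
        @{ Key = 'Transcription';      Name = 'EnableInvocationHeader';             Expect = 1 },
        @{ Key = 'Transcription';      Name = 'OutputDirectory';                    Expect = $transcriptDir }
    )
    foreach ($c in $checks) {
        $path   = Join-Path $base $c.Key
        $actual = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{ Policy = "$($c.Key)\$($c.Name)"; Value = $actual; OK = ($actual -eq $c.Expect) }
    }
}

Enable-PowerShellAuditPolicies
Get-PowerShellAuditPolicyState | Format-Table -AutoSize
```

Any row that shows OK = False points at the policy that still needs attention in GPEDIT.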

Did everything you said and here's the result using magical Paint skills to put all the parameters and the folder in the same picture.

This time when the computer restarted, I got onto the desktop as quickly as possible. No powershell.

Silence.png


  • Root Admin

It creates logs that take space, but not all that much space considering the size of hard drives these days.

Click on Start and type in PowerShell, then click Run as Administrator.

Then paste in the following and hit the Enter key:

Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions" | Out-String -Width 4096

That should then be listed in the C:\Transcripts folder, showing that it ran.

 


Looked at the folder after the weekend and noticed one single PowerShell command running every time I either start the computer or start the computer for the first time that day. Here is one of the scripts written by "WORKGROUP\SYSTEM" with Host Application: powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';

Command start time: 20220717091013
**********************
PS>Write-Host 'Final result: 1';
Final result: 1
**********************
Command start time: 20220717091020
**********************
PS>$global:?
True
**********************
Windows PowerShell transcript end
End time: 20220717091020
**********************

Do you want all the files?


There ya go.

Things to note: I removed one program (DS3/SCPToolkit) that might be doing that. We'll see if that is the culprit, just by waiting. Then again, I don't recognize what that powershell command is. (The SCPToolkit is a program that enables the use of a PS-controller on Windows. It checks driver updates once per day.)

Addition.txt FRST.txt


  • Root Admin

Please go to Control Panel, Programs, Programs and Features and uninstall the following

CCleaner (computer experts no longer recommend this program)
Java 8 Update 331 (64-bit)
 

 

 

Let me have you run another round of clean up from the Fixlist as before. This should run a bit faster than the last one.

When the fix has been completed, post back the new FIXLOG.txt file as an attachment.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran Farbar from.
NOTE: It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


Removed Java.

Didn't remove CCleaner, but you might have done your part in it if I understood the fixlog correctly.

Everything went smoothly. The Windows shield icon was not in the lower right on startup, just like the last time, but Malwarebytes was still running. Firefox still remembered the accounts that had been used on this computer. There was a transcript generated at the same time when Farbar started to run (this is expected?).

But now, to the interesting part. Yesterday, I noticed two alarming transcripts within the powershell folder.

- One was in the morning, when I started the computer and the other one was when I closed the computer.

- Both were under my username.

- Both had "Host Application" set to "C:\WINDOWS\System32\sdiagnhost.exe -Embedding".

- Both started with

"PS>
# Caller validation to ensure we are calling from and actual script, and not from a malicious command line
function Test-Caller {"...

- Both seemed to ask for a location; both hide the computer name and a lot of other things.

Do you want me to post it here or send it to you with a private message? We might find the source of the possible problem through this, because it references file locations and such.

What would be more malicious than saying that a script you are running without the user's consent is not malicious? I actually laughed at that. :D

Fixlog.txt

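The two posts above (the SYSTEM "Final result: 1" transcripts, and the sdiagnhost.exe -Embedding ones) are both found by reading the header of each file in C:\Transcripts. As an added example that is not from the thread, the script below summarises that folder by user and host application and flags the non-interactive launches; the header field names are the standard ones Windows PowerShell writes at the top of every transcript, and the "NonInteractive" rule is a heuristic of my own.

```powershell
# Added example (not from the thread): summarise the transcripts that pile up under
# C:\Transcripts by who ran them and which host application started them, so runs like
# the SYSTEM "Final result: 1" one and the sdiagnhost.exe ones stand out. The header
# field names are the ones Windows PowerShell writes at the top of every transcript.
function Get-TranscriptSummary {
    param([string]$Root = 'C:\Transcripts')

    # Transcripts land in a per-day subfolder, hence -Recurse; only the header is needed
    Get-ChildItem -Path $Root -Filter '*.txt' -Recurse -File | ForEach-Object {
        $fields = @{}
        foreach ($line in (Get-Content -Path $_.FullName -TotalCount 25)) {
            if ($line -match '^(Start time|Username|RunAs User|Host Application|Process ID):\s*(.*)$') {
                $fields[$matches[1]] = $matches[2].Trim()
            }
        }
        $hostApp = $fields['Host Application']
        [pscustomobject]@{
            File            = $_.FullName
            StartTime       = $fields['Start time']
            Username        = $fields['Username']
            RunAsUser       = $fields['RunAs User']
            HostApplication = $hostApp
            ProcessId       = $fields['Process ID']
            # Heuristic only: a one-shot -Command/-EncodedCommand launch or a COM
            # "-Embedding" host is not someone typing at a console
            NonInteractive  = [bool]($hostApp -match '-Command|-EncodedCommand|-Embedding')
        }
    }
}

# Group on the two fields the thread keys on, so recurring launchers are obvious
Get-TranscriptSummary |
    Group-Object Username, HostApplication |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap

# Then list the non-interactive ones individually for follow-up
Get-TranscriptSummary | Where-Object NonInteractive | Select-Object StartTime, Username, HostApplication, File
```

The grouped table shows which launcher recurs at every boot, and the second listing gives the individual files to attach or to send on in a private message as requested.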

  • Root Admin

Please send to me in a Private Message the contents of those PowerShell entries. You can zip or rar them.

You had an old CheckPoint ZoneAlarm firewall service running, but I did not see any signs of it actually being installed, so I had the script remove it. I was hoping perhaps that was behind some of it. Looks like it was not.

I'm heading to get some rest. Will check back on you when I get up again.

 

Thank you

 

