
AliExpress virus undetected by Malwarebytes Premium. Now what?


  • Root Admin

Is this Windows 8.1 Pro or just 8.1?

What are you doing when you notice it launch?

Will it launch if you're not even touching or running anything on the computer?

I was hoping to find an entry in Scheduled tasks that might be doing it but I'm not seeing anything that sticks out as a potential cause.

Link to post
Share on other sites

Windows 8.1...regular version.

Most of the "launches" have occurred when I am away from the computer.  The computer would be on, connected to the internet but no browser open and no other programs open.  When I return to the computer, the virus will have opened Firefox by itself and connected to the AliExpress website.  I say "most" because the latest launch happened while I was at the computer with Firefox already running.

Link to post
Share on other sites

  • Root Admin

First off, it's not a virus. It's more than likely simply from some application that has been installed at some point and may be called from a DLL or other process, which is why it's not shown in Scheduled Tasks.

The possible issue is the age of your computer, and since it's not the Pro version we're more limited in tools that still support it.

Let me see if I can do file auditing on a non-Pro version well enough to capture the web browser being called. I may not reply again until tomorrow, but will try to if I can get testing done today.

Thank you @yalakom

Link to post
Share on other sites
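Before going to kernel-level logging, it is worth checking the places Windows itself uses to start programs unattended, since the admin above has already looked at Scheduled Tasks by eye. The script below is an added example and not part of the original thread or of Malwarebytes' guidance. It assumes Windows 8.1 or later (for the ScheduledTasks module), a PowerShell window started as administrator, and the search pattern `firefox|aliexpress`; it lists every scheduled-task action, Run/RunOnce registry value and Startup-folder shortcut whose command matches, because an unsolicited browser launch with a fixed URL is very often a launcher registered in one of these spots.

```powershell
# Added example (not from the original thread). Assumes Windows 8.1 or later and an
# elevated PowerShell. Walks scheduled-task actions, Run/RunOnce keys and Startup-folder
# shortcuts and prints any whose command references Firefox or AliExpress.
$pattern = 'firefox|aliexpress'
$hits = @()

# 1. Scheduled tasks: inspect every action, not just the task name.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Exec actions expose Execute/Arguments; COM-handler actions expose ClassId.
        $cmd = "$($action.Execute) $($action.Arguments) $($action.ClassId)".Trim()
        if ($cmd -match $pattern) {
            $hits += [pscustomobject]@{
                Source = 'ScheduledTask'
                Name   = "$($task.TaskPath)$($task.TaskName)"
                State  = $task.State
                Detail = $cmd
            }
        }
    }
}

# 2. Run/RunOnce keys for the machine, the 32-bit view and the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSChildName etc.
        if ("$($prop.Value)" -match $pattern) {
            $hits += [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$($prop.Name)"; State = ''; Detail = $prop.Value }
        }
    }
}

# 3. Startup folders: resolve .lnk targets, because the shortcut name can be anything.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($file in (Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue)) {
    $target = $file.FullName
    if ($file.Extension -eq '.lnk') {
        $lnk = $shell.CreateShortcut($file.FullName)
        $target = "$($lnk.TargetPath) $($lnk.Arguments)"
    }
    if ("$($file.Name) $target" -match $pattern) {
        $hits += [pscustomobject]@{ Source = 'StartupFolder'; Name = $file.FullName; State = ''; Detail = $target }
    }
}

if ($hits.Count -eq 0) {
    Write-Output "No scheduled task, Run key or Startup shortcut references '$pattern'."
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

An empty result is consistent with what the admin found and does not clear the machine: a launcher can sit in a service, a browser extension, or a DLL loaded by an otherwise legitimate process, none of which show up here. That is the gap process-creation logging is meant to close.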

  • Root Admin

@yalakom

I think we're going to need to use SYSMON from Microsoft to try to locate what is calling this.

You can download SYSMON from Microsoft
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

This may possibly be a bit over your head, but you can download it too for possible reference.

The Windows Sysmon Logging Cheat Sheet - Jan 2020.pdf

https://www.malwarearchaeology.com/s/Windows-Sysmon-Logging-Cheat-Sheet_Jan_2020-g7sl.pdf


Please visit this site

https://github.com/olafhartong/sysmon-modular

Then download this file. You can right-click and Save-As from this link below too. Clicking the link will open the raw file.

https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml

Then I would personally create a new folder to place these items in so that they're in their own new folder such as C:\Monitor

Then you'll want to increase the size of your Security Event Log to probably about 512MB. If you need help with that, let me know.
The entry would be 512000

Once that is all set and all the files in place in C:\Monitor you'd start an elevated admin command prompt and run the following command.

CD C:\Monitor
sysmon.exe -c sysmonconfig.xml

Please give that a try or if you have questions, please ask

Thanks

Edited by AdvancedSetup
Updated information
Link to post
Share on other sites

Thanks!

I downloaded SYSMON.  It came as a .zip file, so I extracted the file into C:\Monitor as suggested.  I right-clicked and selected "save as" for the .xml file and placed it in C:\Monitor as well.  I set the Event Viewer log size to 512KB.  Finally, I copied and pasted the command prompt and this is what I got...see attachment.

I did NOT open the .exe file of SYSMON after extracting it.  Was I meant to do this before running the command?

Cheers,

Capture.PNG

Link to post
Share on other sites

I realised after the fact that the SYSMON .zip file extracted itself into its own SYSMON folder within the C:\Monitor folder. Thus, the SYSMON .exe files were separate from the .xml file.  So, I placed everything together in the Monitor folder and tried again.  This didn't work either...here's a screen shot of the end of the lengthy message in the Prompt window.  Not sure what I've done wrong...?

Capture.PNG

Link to post
Share on other sites

  • Root Admin

You're in the wrong folder @yalakom

Please try the following again from an elevated admin command prompt.

CD C:\Monitor
sysmon.exe -accepteula -c sysmonconfig.xml

Both of these files need to be in the C:\Monitor folder as well.

sysmon.exe
sysmonconfig.xml

I'm off work until Thursday, but will try to check back on you before then.

Thanks

Link to post
Share on other sites
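The two Sysmon posts above (download, config file, C:\Monitor, bigger event log, install command) are one procedure, so here it is end to end as a single added example; it is not the admin's own script and not part of the thread. It assumes an elevated PowerShell on Windows 8.1 (PowerShell 4.0 and .NET 4.5, which is why `Expand-Archive` is avoided), internet access, C:\Monitor as the working folder, the two download URLs the thread links to plus Microsoft's `Sysmon.zip` URL, and a helper named `Get-BrowserLaunches` that is this example's own. Two caveats a practitioner would want: `-i` installs Sysmon with a config, while `-c` (the switch in the first post) only updates the config of an already installed Sysmon and errors out on a fresh machine; and Sysmon writes to its own `Microsoft-Windows-Sysmon/Operational` channel rather than the Security log, so that is the log whose size matters.

```powershell
# Added example, not the original post's commands. Assumes elevated PowerShell on
# Windows 8.1 (PowerShell 4.0 / .NET 4.5), internet access, and C:\Monitor as the
# working folder. Get-BrowserLaunches is this example's own helper.
$dir = 'C:\Monitor'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Both download hosts require TLS 1.2, which PowerShell 4 on 8.1 does not enable by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

if (-not (Test-Path "$dir\Sysmon.exe")) {
    Invoke-WebRequest -Uri 'https://download.sysinternals.com/files/Sysmon.zip' -OutFile "$dir\Sysmon.zip"
    # Expand-Archive only exists from PowerShell 5, so use .NET; this drops Sysmon.exe,
    # Sysmon64.exe and Eula.txt straight into $dir, next to the config, as the later post asks.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    [IO.Compression.ZipFile]::ExtractToDirectory("$dir\Sysmon.zip", $dir)
}
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml' `
                  -OutFile "$dir\sysmonconfig.xml"

# Never install a kernel driver you did not verify: refuse anything not signed by Microsoft.
$sig = Get-AuthenticodeSignature -FilePath "$dir\Sysmon.exe"
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Sysmon.exe signature check failed: $($sig.Status)"
}

# -i installs the service and driver with this config. -c only updates the config of an
# already installed Sysmon, which is why it fails on a machine that has never had it.
& "$dir\Sysmon.exe" -accepteula -i "$dir\sysmonconfig.xml"

# Sysmon logs to its own channel, not the Security log; make that one 512 MB (value is bytes).
wevtutil sl Microsoft-Windows-Sysmon/Operational /ms:536870912

# Later, after the browser has opened itself again, ask the log who started firefox.exe.
# Event ID 1 (process creation) carries the parent image and command line. Firefox's own
# content processes are skipped because they are always parented by firefox.exe.
function Get-BrowserLaunches {
    param([string]$Process = 'firefox\.exe$', [string]$Url = 'aliexpress')
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]$d
        } |
        Where-Object { ($_.Image -match $Process -or $_.CommandLine -match $Url) -and $_.ParentImage -notmatch $Process } |
        Select-Object UtcTime, User, Image, CommandLine, ParentProcessId, ParentImage, ParentCommandLine
}

Get-BrowserLaunches | Format-List
```

Read the result from the parent side: `svchost.exe` with a Schedule service command line means a scheduled task after all, `explorer.exe` points at a shortcut or shell handler, and an unfamiliar parent is the process to pull apart next (its own Event ID 1 record shows what started it, and Event ID 7 shows the DLLs it loaded, which is the admin's DLL theory). If the install needs redoing, `Sysmon.exe -u` uninstalls it, matching the "uninstall and retry" step the admin mentions.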

  • Root Admin

Okay, I'm off work today and have things I need to get done at home.

I think we need to try an uninstall command and then retry the install. I may need to review the schema listed and see if it needs edits due to the age of your computer.

I'll check back with you either later tonight, or some time tomorrow.

Thank you for your patience as well

Cheers @yalakom

Link to post
Share on other sites

  • 1 month later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

Link to post
Share on other sites

This topic is now closed to further replies.