Jump to content

Ran fake MSI afterburner as admin


VoiD_9
 Share

Recommended Posts

Hi,

I didn’t pay too much attention and accidentally ran a fake MSI Afterburner exe. Upon running it a couple of times nothing happened so I checked the website and discovered it was a wrong url. Also, the exe got deleted from my downloads folder. Windows security doesn’t show anything in protection history so I don’t know what happened to it. I’ve attached the logs needed. 
Please help me out, thanks.

Addition.txt FRST.txt MAl.txt

Link to post
Share on other sites

  • Root Admin

Hello  and  :welcome:     @VoiD_9

 

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.

 

Give me some time to review your current logs.

Here below is a link to what it looks like you were hit by

https://www.bleepingcomputer.com/news/security/fake-msi-afterburner-targets-windows-gamers-with-miners-info-stealers/

 

Link to post
Share on other sites

  • Root Admin

So it looks like Windows Defender saw it but not sure it was able to fully stop it as it has multiple entries.

 

Windows Defender:
================
Date: 2022-11-27 20:48:03
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Behavior:Win32/Wovdnut.B!sms&threatid=2147797724&enterprise=0
Name: Behavior:Win32/Wovdnut.B!sms
Severity: Severe
Category: Suspicious Behavior
Path: behavior:_process: C:\Users\Prit\Downloads\MSIAfterburner.exe, pid:18668:41453985114272; file:_C:\Users\Prit\Downloads\MSIAfterburner.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Security intelligence Version: AV: 1.379.1044.0, AS: 1.379.1044.0, NIS: 1.379.1044.0
Engine Version: AM: 1.1.19800.4, NIS: 1.1.19800.4

Date: 2022-11-27 20:48:03
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Behavior:Win32/Wovdnut.B!sms&threatid=2147797724&enterprise=0
Name: Behavior:Win32/Wovdnut.B!sms
Severity: Severe
Category: Suspicious Behavior
Path: behavior:_process: C:\Users\Prit\Downloads\MSIAfterburner.exe, pid:18668:41453985114272; file:_C:\Users\Prit\Downloads\MSIAfterburner.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Security intelligence Version: AV: 1.379.1044.0, AS: 1.379.1044.0, NIS: 1.379.1044.0
Engine Version: AM: 1.1.19800.4, NIS: 1.1.19800.4

Date: 2022-11-27 20:47:58
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Behavior:Win32/Wovdnut.B!sms&threatid=2147797724&enterprise=0
Name: Behavior:Win32/Wovdnut.B!sms
Severity: Severe
Category: Suspicious Behavior
Path: behavior:_process: C:\Users\Prit\Downloads\MSIAfterburner.exe, pid:18668:41453985114272; process:_pid:18668,ProcessStart:133140736656864931
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: Unknown
Process Name: C:\Users\Prit\Downloads\MSIAfterburner.exe
Security intelligence Version: AV: 1.379.1044.0, AS: 1.379.1044.0, NIS: 1.379.1044.0
Engine Version: AM: 1.1.19800.4, NIS: 1.1.19800.4

Date: 2022-11-27 20:47:57
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:

https://go.microsoft.com/fwlink/?linkid=37020&name=Behavior:Win32/Wovdnut.B!sms&threatid=2147797724&enterprise=0
Name: Behavior:Win32/Wovdnut.B!sms
Severity: Severe
Category: Suspicious Behavior
Path: behavior:_process: C:\Users\Prit\Downloads\MSIAfterburner.exe, pid:18668:41453985114272; process:_pid:18668,ProcessStart:133140736656864931
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: Unknown
Process Name: Unknown
Security intelligence Version: AV: 1.379.1044.0, AS: 1.379.1044.0, NIS: 1.379.1044.0
Engine Version: AM: 1.1.19800.4, NIS: 1.1.19800.4

 

I don't see signs in the log that it was infected with a miner, but we can run a generic clean up script as well as some other antivirus scans to double check.

Please run the following.

 

 

 

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

 

Link to post
Share on other sites

  • Root Admin

Yeah, I don't expect it to find anything, but no harm in checking.

Once that is done, post back the log and we'll use another AV scanner to double-check as well. @VoiD_9

 

 

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen chose if you want to send anonymous data and if you want to provide feedback or not, then click Continue
  • When prompted for scan type, Click on the Full Scan button
  • Enable  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false postive, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

 

Link to post
Share on other sites

Alright, attached is the log. Nothing was detected at the end of the scan. I’ll follow the steps to scan with the other AV. I’ll also give more info as to what I have already done. I have done the Malwarebyte full scan, the Kaspersky virus removal, MB full scan in safe mode, Microsoft safety scanner. None of them detected anything 

msert.log

Link to post
Share on other sites

  • Root Admin

Yes, I'm pretty sure it was stopped before it could install anything.

 

You can run the following generic clean up script to remove temp, junk, etc. and check system files.

 

 

Please run the following fix

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

  • Root Admin

It was a good run and did clean up a lot and was able to find and repair some issues. @VoiD_9

Windows Resource Protection found corrupt files and successfully repaired them.

It did clean up Google Chrome and MS Edge some but they've made changes so it does not clean as much as it used to.

Please follow the guide below to do a thorough cleaning of Google Chrome.

 

 

Then restart the computer and run the following

 

 

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

image.png

image.png

image.png

 

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

Thank you. @VoiD_9

Please uninstall, update, or otherwise address the following as appropriate for your system.

 

Discord v.1.0.9003 Warning! Download Update
Git v.2.36.0 Warning! Download Update
GitHub Desktop v.2.9.6 Warning! Download Update
Microsoft Teams v.1.5.00.2164 Warning! Download Update
Slack v.4.28.182 Warning! Download Update
Wireshark 3.6.8 64-bit v.3.6.8 Warning! Download Update
Zoom v.5.11.1 (6602) Warning! Download Update
iTunes v.12.11.3.17 Warning! Download Update ^Please use Apple Software Update tool.^


---------------------------- [ UnwantedApps ] -----------------------------
Bonjour v.3.1.0.1 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended.

 

Then once completed and you've restarted the computer, please check for and install any security updates for Windows from Microsoft.d

 

Let me know how the computer is running now and if there are any signs of an infection at this point.

 

Edited by AdvancedSetup
Updated information
Link to post
Share on other sites

Alright did all of the steps. I just didn't remove Bonjour as I believe it is a apple software which works with iTunes? 

Laptop seems to be running fine and I don't see any signs of infection. I was just worried about info stealing viruses but i guess, after all these scans, my laptop isn't infected after all. 

Link to post
Share on other sites

  • Root Admin
1 hour ago, VoiD_9 said:

Alright did all of the steps. I just didn't remove Bonjour as I believe it is a apple software which works with iTunes?

Bonjour is a network discovery tool. Yes it is from Apple and NO, it is not needed on Windows. In many cases it is the cause of networking issues.

I have and use iTunes as well as back up my wfies' iPhone without Bonjour. One of the few reasons you might need it would be to connect an Apple TV to your PC. Though I don't have one to test I'm pretty sure I could connect even without Bonjour.

It is a very noisy, chatty, broadcasting protocol. Windows will thank you for uninstalling it. Though you'll need to keep an eye on it as iTunes will try to reinstall it during updates.

 

I think the computer is good to go now.

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

Link to post
Share on other sites

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.