Jump to content

Trojan hiding in system32


Go to solution Solved by Maurice Naggar,

Recommended Posts

Hi. I will guide you. Did you notice whether the threat was removed ?

Yes this can be quite serious. First step, first scan follows. The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

 

This link is for the 64-bit version of MSERT.exe . Be sure you save the file first

https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Launch MSERT.exe

Accept the agreement terms of Microsoft

Select CUSTOM scan

Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

 

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.

Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.

We only rely on the end result that is on the log-report-file.

This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log

Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

 

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

 

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Link to post
Share on other sites


---------------------------------------------------------------------------------------
Microsoft Safety Scanner v1.385, (build 1.385.1805.0)
Started On Sat Apr  1 22:19:48 2023

Engine: 1.1.20100.6
Signatures: 1.385.1805.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Sat Apr  1 23:20:29 2023


Return code: 0 (0x0)

  • Like 1
Link to post
Share on other sites

Hi. So first of all, do NOT use 

signal rgb

 

I would like a report set for review. This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop to your reply..

Link to post
Share on other sites

Thanks for the report file. I am urging you to not play any games while this case is in-progress. 

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.
Link to post
Share on other sites

Please have much patience. I am reviewing your reports. By the way, this forum is not meant to be a always on chat mechanism. I will reply to you with the next suggestions. Plus, know that signalrgb has a recent logged history of crashing. Meaning it abnormally ends. In techno-geek terms, it "crashes".

Link to post
Share on other sites

I am not seeing indicators of a malware infection. But the Windows system does report aborts of SignalRgb.exe

=== Event log errors: ===
Application errors:
==================
Error: (03/30/2023 09:31:45 PM) (Source: Application Error) (EventID: 1000) (User: IBO_PC)
Description: Faulting application name: SignalRgb.exe, version: 2.2.29.0, time stamp: 0x63ebd744
Faulting module name: Qt5Core.dll, version: 5.15.11.0, time stamp: 0x6332aa78
Exception code: 0xc0000409
Fault offset: 0x0000000000020668
Faulting process id: 0x0x26bc
Faulting application start time: 0x0x1d9633db619848a
Faulting application path: C:\Users\ibrah\AppData\Local\VortxEngine\app-2.2.29\Signal-x64\SignalRgb.exe
Faulting module path: C:\Users\ibrah\AppData\Local\VortxEngine\app-2.2.29\Signal-x64\Qt5Core.dll

I also noticed some very oddly named files that start with "exclamation mark" followed by a number of "spaces" in their file-names. and they are located on the downloads folder. I would have security reservations if their source of origin was a dodgy or dangerous or unknown source.
C:\Users\ibrah\Downloads\!    §8Darkfault §7[16x].zip
C:\Users\ibrah\Downloads\!   §fsnow§9fault §f[16x].zip
C:\Users\ibrah\Downloads\!         §5Atlas §4 16x §7[§0Black §8& §fWhite§7].zip
C:\Users\ibrah\Downloads\!   §1§f§lDeemons 30K - 16x [Black & White].zip
C:\Users\ibrah\Downloads\!     §8Ranked§7[§f32x§7]§f - Black & White.zip
C:\Users\ibrah\Downloads\!           §8black§7berry [ 32x ].zip

The resident antivirus protection on this machine is AVG. If there are issues with AVG antivirus or with its alerts, you ought to check with the AVG Support.
This next run is in the nature of Windows computer housekeeping.

Please run the following custom script. Read all of this before you start. Please Close all open work.

Farbar program :  is FRSTENGLISH.exe which is already present 

Please download the attached fixlist.txt file and save it to C:\Users\ibrah\Downloads

Fixlist.txt< - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will reset the Winsock. It will attempt to clear all Cache and history on web browsers. Depending on the speed of your computer this fix may take 50-55 minutes or more.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

Link to post
Share on other sites

The run is good. As a next step, I suggest the following:

This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool.

This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review
Link to post
Share on other sites

Hello @ibo020

Now a different scan with another security scanner. 

This with Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\ibrah\DESKTOP\KVRT.exe will now show in the run box.

user posted image

add
-dontencrypt

Note the space between KVRT.exe and -dontencrypt

C:\Users\ibrah\DESKTOP\KVRT.exe -dontencrypt 

should now show in the Run box.

user posted image

That addendum to the run command is very important.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window "may" open, IF SO then select "More Info"

user posted image

A new Window will open, select "Run anyway"

user posted image

A EULA window will open, tick both confirmation boxes then select "Accept"

user posted image

In the new window select "Change Parameters"

user posted image

 
  • In the new window ensure the following boxes are ticked:
    • System memory
    • Startup objects
    • Boot sectors
    • System drive
  • Then select "OK" and „Start scan“.

The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else..

  • completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
  • Usually, your system needs a reboot to finish the removal process.
  • Logfiles can be found on your systemdrive (usually C: ), similar like this:

Reports are saved here C:\KVRT_data\Reports and look similar to this report_20230406_103000.klr

  • Right click direct onto those reports, select > open with > Notepad.
  • Save the files and attach them with your next reply
Link to post
Share on other sites

Hello @ibo020. Please use File Explorer, go to folder C:\KVRT_data\
then go see the sub-folder Reports
Attach the file(s) that are there in a Reply.

NEXT:

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.
Disregard the title subject of the topic.Run the MBAR tool as listed here 

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • when done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.
Link to post
Share on other sites

Hello. We have run a custom-script-fix plus several scans. Advise me, How is the situation at this point ?
 

Temporarily disable Microsoft SmartScreen to download the next software below 

I would recommend getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here

and save the tool on the desktop.

                   If Windows's  SmartScreen block that with a message-window, then
                         Click on the MORE INFO spot and over-ride that and allow it to proceed.

                             This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

When all done, you may go back to turn ON the EDGE Smartscreen protection.

Link to post
Share on other sites

Got it. Will have remarks on that report later. Looking back on this thread, there is 1 tool I asked to run for which you did not do. Let us do it now.

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.
Disregard the title subject of the topic.Run the MBAR tool as listed here 

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • when done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.