Jump to content

Have an infection taking over ledger-live


Recommended Posts

Seems to have started when I Installed a new version of node.js, i was able to detect a few files with eset that caused node to stop working, then later malware bytes identified a few files as well.  I see there was a node script that installed msedgewebview2.exe  

 

Scans do not report anything at this time, I downloaded the file version of node and replaced all as it appears when i run node.msi it open, flashes a away and opend again, much like ledger opens then goes away and im left with an imposter asking for seed keys.

Link to post
Share on other sites

Hello @AFCChris and welcome back:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.  WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have posted.

Thank you.

Link to post
Share on other sites

  • Root Admin

Hello  and  :welcome:    @AFCChris

 

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim.
  • Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections.
  • If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.

 

Please give me a few moments to review your logs

 

Link to post
Share on other sites

  • Root Admin

Please follow the steps below @AFCChris

[ 1 ]

Your current DNS Servers:  192.168.1.1

Please consider changing your default DNS server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

Pick just one of these 4 providers. And be aware that you need to modify 1 time for IPv4 & a 2nd pass for IPv6

  • Google Public DNSIPv4   8.8.8.8 and 8.8.4.4   IPv6   2001:4860:4860::8888 and 2001:4860:4860::8844
  • CloudflareIPv4   1.1.1.1 and 1.0.0.1   IPv6   2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNSIPv4   208.67.222.222 and 208.67.220.220  IPv6  2620:119:35::35 and 2620:119:53::53
  • DNSWATCHIPv4   84.200.69.80 and 84.200.70.40   IPv6  2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b


The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

 

[ 2 ]

Please make the following change in Malwarebytes if you're using the Premium or Trial version

  • Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the Security tab.
  • Then turn off "Always register Malwarebytes in the Windows Security Center"
  • Restart the computer

 

It is highly unlikely that you need to setup exclusions for Windows Defender, however if you experience any issues, please see the following article and setup exclusions
between Malwarebytes and Windows Defender

 

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

 

Then visit the following links on how to setup exclusions in Windows Defender

How to Add or Remove Exclusions for Microsoft Defender Antivirus in Windows 10
https://www.tenforums.com/tutorials/5924-add-remove-microsoft-defender-antivirus-exclusions-windows-10-a.html

Add or Remove Exclusions for Microsoft Defender Antivirus in Windows 11
https://www.elevenforum.com/t/add-or-remove-exclusions-for-microsoft-defender-antivirus-in-windows-11.8797/

 

We are not aware of any currently known issues between Windows Defender and Malwarebytes Premium

 

[ 3 ]

Please copy the Farbar program to your DESKTOP - it will be easier to find in Safe Mode below

C:\Users\Chris\Downloads\FRSTEnglish.exe 

Please run the following from Safe Mode

Start in Safe mode:

  • Press the Windows icon on the keyboard together with the letter I, to get into the Settings.
  • Choose Update and Security.
  • From the menu at the left, choose Recovery.
  • Under the title Advanced startup at the right, choose Restart now.
  • From the window that will appear choose Troubleshoot and then Advanced options.
  • Choose Startup Settings and then Restart.
  • Press number 5, for choosing Safe mode with networking.
  • You will know that you are in Safe mode, if the background is black and Safe mode is written at the four corners of the screen.


After that:

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.

 

Start::
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction
End::

 

  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.
 
 
[ 4 ]
 
Then after the restart and you're back into Normal Mode run the following.
 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

image.png

image.png

image.png

 

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

Please uninstall, update, or otherwise address the following as appropriate for your system.

 

 

 

Then RESTART the computer and check for Windows Updates and install any found.

 

 

Link to post
Share on other sites

malwarebytes detected this after

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 8/29/23
Protection Event Time: 11:02 AM
Log File: 13ccdb5e-467d-11ee-87e6-088fc35f468e.json

-Software Information-
Version: 4.6.1.280
Components Version: 1.0.2117
Update Package Version: 1.0.74609
License: Premium

-System Information-
OS: Windows 11 (Build 22621.2215)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.PayloadFileBlock, C:\WINDOWS\system32\cmd.exe, Blocked, 601, 392684, 0.0.0, 5A6BE4D2519515241D0C133A26CF62C0, 423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload file blocked
File Name: C:\WINDOWS\system32\cmd.exe
URL: 

(end)

Link to post
Share on other sites

  • Root Admin

Thank you for the updates @AFCChris

Please run the following

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the  image.png  Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

image.png

add -dontencrypt   Note the space between KVRT.exe and -dontencrypt

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
 
image.png


That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"

image.png

In the new window select "Change Parameters"

image.png

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

user posted image

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

user posted image

When complete, or if nothing was found select "Close"

image.png

Attach the report information as previously instructed...
 
Thank you
 
 

 

 

Link to post
Share on other sites

  • Root Admin

That's good it found nothing but let's see what else is going on.

 

Let's go ahead and run a couple of scans and get some updated logs from your system.


Please make the following changes.

 

  • Temporarily disable your antivirus real-time protection or other security software first if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

 


Next, run these steps and post back the logs as an attachment when ready.


[ 1 ]

Malwarebytes for Windows

  • If you already have Malwarebytes installed then open Malwarebytes and click on the small gear icon, then click on the "Check for updates" button on the General tab.
  • After any updates, click the middle Scan button from the main page. It will automatically run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed, make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let us know in your next reply that the scanner would not run.

[ 2 ]

Malwarebytes AdwCleaner

  • Please download Malwarebytes AdwCleaner and save the file to your Desktop or Downloads folder.
  • Double-click to run the program - Malwarebytes AdwCleaner guide
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • DO NOT remove Preinstalled MFG vendor software 
  • When finished, if items are found please click Quarantine to finish the cleaning process.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach that log to your next reply.
     
  • If No Detections are found, Click Skip Basic Repair

    WARNING: Do Not click the Run Basic Repair button unless instructed to by a Malwarebytes support agent or authorized helper


 

RESTART THE COMPUTER Before running Step 3

[ 3 ]

Gather MBST Logs

Please do the following so that we may take a closer look at your system for any possible infections.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

    WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper

 

Thank you

 

Link to post
Share on other sites

  • Root Admin

I don't use NODE myself. Why I'm asking if these were run by you on purpose or not. Not sure how either Kaspersky or Malwarebytes would be triggered if the application was not in use.

 

Node allows developers to write JavaScript code that runs directly in a computer process itself instead of in a browser. Node can, therefore, be used to write server-side applications with access to the operating system, file system, and everything else required to build fully-functional applications.


Exploit.PayloadFileBlock, C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js, Quarantined, 0, 392684, 0.0.0, 4E2EB14252F20EBA055E03500AB8539E, 3CE7CBA6F5128DD5F54C98B6A5036B0F850496878CC2E21044B675FE3C594E3E
Exploit.PayloadFileBlock, C:\Program Files\nodejs\node.exe, Blocked, 601, 392684, 0.0.0, D56CCF901907269B965760858E6C2CD5, 3F6AC39CD107BA6CBD691CC34862CF9977B25ED1297C643D78C07D934BB4C19E
Exploit.PayloadFileBlock, C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js, Blocked, 601, 392684, 0.0.0, 4E2EB14252F20EBA055E03500AB8539E, 3CE7CBA6F5128DD5F54C98B6A5036B0F850496878CC2E21044B675FE3C594E3E

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload file blocked
File Name: C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js
URL:


Exploit.PayloadProcessBlock, C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe \c CALL C:\Program Files\nodejs\node.exe C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js prefix -g, Blocked, 701, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe \c CALL C:\Program Files\nodejs\node.exe C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js prefix -g
URL:

 

 

 

Link to post
Share on other sites

Yes I use node daily as I am a programmer, and if node is quarntined I can  not work.  I did re-install node from their official site, also downloaded the file only version after node triggerd a quarntine event before I contacted you.

 

The CMD one is very odd as I did not use it nor see a cmd window

Link to post
Share on other sites

  • Root Admin

Yeah, why I don't want to submit for review or have you make changes in Exploit protection to allow it as we don't know what it's doing.

Is it possible for you to research what those calls are actually trying to do and if there is possibly some trigger or scheduled task that might have kicked it off?

Is it possible to rip out the current NODE and put back the old one at least for testing?

 

Link to post
Share on other sites

I can re-install, i have the same files from the download last week.  I was suspicious with the MSI as when I would launch it, it would come up, flash off and back up again, almost like the ledger program was doing when its being replaced with another program.

I can re-copy the files over

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.