Believe I Installed Trojan/RAT


yerb

Hello, unwittingly I ran an .exe for a cracked game and it started opening powershell and cmd prompts, and opening my browser/closing it. I unplugged my ethernet and reinstalled windows via usb.

I believe it may still be on my computer and I may have infected my usb boot drive too, so I am looking for help.

 

Here is the virus total for the exe I ran, can someone make out what happened? (Check behaviors -> dropped files etc)

https://www.virustotal.com/gui/file/3b08d4a26c787252cf1a485ae91982e9afd5bee4324402737dcb519b68a1c224/behavior

 

I would really appreciate some knowledge on if my system / usb is infected and how to fix it as it seems out of my league right now.

Thanks in advance.

 


@yerb

Let's get the info to get the process started.

While you are waiting for the next qualified/approved malware removal expert helper to take on your case, even though you may have run the following Malwarebytes utility or its subsets, please carefully follow these instructions: Do not try any other cleaning of any kind after running the support tool. Use the computer as little as possible, or even better don’t use it at all except to check this topic and follow the instructions given.

Do these 2 steps so that ALL folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Next.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

 

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off. Be sure that line's radio-button selection is all the way to the Left. Thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes. Restart/reboot the computer.

 

Then do the following after restart.

WARNING: Do Not click the Repair System under Advanced unless requested by a Malwarebytes support agent or authorized helper

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.


30 minutes ago, yerb said:

but I really want to try another clean install.

You are welcome to do that. I suggest you do not log into any syncing, especially browsers.

Following the procedures below there are zero attacks currently known that can survive and remain present. The computer will be safe and secure at least until you start to install 3rd party software or drivers.

Make sure you verify the HASH of the downloaded, valid, Microsoft NON-modified ISO image.

 

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587

Also, please review the following topic

Bypass Microsoft Online Account Creation during installation of Windows 11

 

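The hash check recommended above, written out as an added PowerShell example (this is not code from the thread or from Malwarebytes). It assumes you have the SHA-256 value that Microsoft publishes on the download page for the ISO; the file path and hash shown in the usage comment are placeholders you replace with your own.

```powershell
# Added example: verify a downloaded Windows ISO against the SHA-256 value
# published on Microsoft's download page before booting from it.
# Both the path and the expected hash are placeholders (assumed values).
function Test-IsoHash {
    param(
        [Parameter(Mandatory)] [string] $IsoPath,        # full path to the downloaded .iso
        [Parameter(Mandatory)] [string] $ExpectedSha256  # hash copied from Microsoft's page
    )

    if (-not (Test-Path -LiteralPath $IsoPath)) {
        throw "ISO not found: $IsoPath"
    }

    # Normalise the pasted value: drop whitespace/dashes and ignore letter case.
    $expected = ($ExpectedSha256 -replace '[\s-]', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        throw "Expected value is not a 64-hex-digit SHA-256: '$ExpectedSha256'"
    }

    # Get-FileHash reads the whole image, so this takes a moment for a multi-GB ISO.
    $actual = (Get-FileHash -LiteralPath $IsoPath -Algorithm SHA256).Hash.ToUpperInvariant()

    [pscustomobject]@{
        Path     = $IsoPath
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -eq $expected)
    }
}

# Usage (replace both placeholders with your own values):
#   $r = Test-IsoHash -IsoPath "$HOME\Downloads\Win11.iso" -ExpectedSha256 "<hash from Microsoft's download page>"
#   $r | Format-List
#   if (-not $r.Match) { Write-Warning "Hash mismatch: do not write this image to the USB stick." }
```

A mismatch means the file you have is not the image Microsoft published (a corrupted download or a modified ISO), so download it again from Microsoft rather than using it; a match only tells you the image is unmodified, not that the machine you run the check on is trustworthy, which is why the thread suggests making the media on a known-clean computer.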

Thanks, I am not sure if you will be able to get back to me before I try, but should deleting all the partitions and a quick format while in the windows installer be enough?

This is what I did before, but it doesn't feel right. Malwarebytes being spammed closed (literally the X button being hit over and over) happened last time. I will see if it happens again.


Hi again, I had the same issue where Malwarebytes gets force closed, so I think I still have it.

Is there a possibility my network is compromised?

I used my laptop to make the usb, could my laptop be compromised now as well?

Could a helper please walk me through what to do? I did a clean install of windows, reset my router, MB still got spammed close.

@Maurice Naggar @Porthos @AdvancedSetup

I also have the website I got the Trojan from if that would help.


Okay, I am gonna get a USB from a neighbor and do one more reinstall tomorrow.

@Porthos In the meantime, please, would you mind addressing or even ‘shooting down’ my assumptions?

Mainly:

1) Should I consider my laptop and other computer compromised? (By using usb to create boot media)

2) Is it possible the Trojan can infect my network and could my network be reinfected by connecting a compromised computer to it?

This would really help me, I don’t know what to do / expect in this situation.


  • Root Admin

Thank you @yerb

It may be wise to isolate this computer from other computers. Once ready, we need to get new logs as requested previously.

 

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you

 


  • Root Admin

The link for the method to do the CLEAN install also replies to issues

https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587

 

This forum has some very intelligent techs that can also dig in deep for hardware and BSOD issues if needed.

https://www.sysnative.com/forums/

 


  • Root Admin

The logs indicate this is not a CLEAN install of Windows. How did you reset it?

 

Application errors:
==================
Error: (09/28/2023 07:57:50 AM) (Source: Application Error) (EventID: 1000) (User: NT AUTHORITY)
Description: Faulting application name: wmiprvse.exe, version: 10.0.22621.1, time stamp: 0x3b1bcc5b
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0x80131623
Fault offset: 0x00007ffdd1a2c32f
Faulting process id: 0x0x32fc
Faulting application start time: 0x0x1d9f21c264e7ffd
Faulting application path: C:\Windows\system32\wbem\wmiprvse.exe
Faulting module path: unknown
Report Id: e42836ca-3069-4b71-beb6-a07dab3f8a01
Faulting package full name:
Faulting package-relative application ID:

Error: (09/28/2023 07:57:50 AM) (Source: .NET Runtime) (EventID: 1025) (User: )
Description: Application: wmiprvse.exe
Framework Version: v4.0.30319
Description: The application requested process termination through System.Environment.FailFast(string message).
Message: Unexpected exception thrown from the provider:
 System.IO.FileLoadException:
File name: 'Microsoft.AppV.AppvClientComConsumer, Version=10.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'
   at Microsoft.AppV.AppvPublishingServerWMI.AppvPublishingServer.EnumeratePublishingServers()


Stack:
   at System.Environment.FailFast(System.String)
   at WmiNative.WbemProvider.WmiNative.IWbemServices.CreateInstanceEnumAsync(System.String, Int32, WmiNative.IWbemContext, WmiNative.IWbemObjectSink)

Error: (09/28/2023 07:57:49 AM) (Source: Microsoft Security Client) (EventID: 3002) (User: )
Description: Event-ID 3002

 

 


I guarantee it's clean, I wiped my 2 NVMe drives with Parted Magic (Linux secure erase tool).

Then I got a clean windows usb from my friends house.

Rebooted my router with no other devices connected and installed.

I ran ESET security, could it be that? Or do I still have a virus?


  • Root Admin

Yes, this log looks better. It is clean from the other junk.

It does appear to need some driver updates which you should get from the manufacturer of your motherboard.

BIOS: American Megatrends International, LLC. F7 07/10/2023
Motherboard: Gigabyte Technology Co., Ltd. B650M AORUS ELITE AX
Processor: AMD Ryzen 5 7600 6-Core Processor
Percentage of memory in use: 14%
Total physical RAM: 31895.2 MB
Available physical RAM: 27335.72 MB
Total Virtual: 37015.2 MB
Available Virtual: 31176.22 MB

 

 

Faulty Device Manager Devices

==================

Name: RZ616 Wi-Fi 6E 160MHz
Description: RZ616 Wi-Fi 6E 160MHz
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: MediaTek, Inc.
Service: mtkwlex
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Generic Bluetooth Adapter
Description: Generic Bluetooth Adapter
Class Guid: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
Manufacturer: GenericAdapter
Service: BTHUSB
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.

Name: USB Input Device
Description: USB Input Device
Class Guid: {745a17a0-74d3-11d0-b6fe-00a0c90f57da}
Manufacturer: (Standard system devices)
Service: HidUsb
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: USB Input Device
Description: USB Input Device
Class Guid: {745a17a0-74d3-11d0-b6fe-00a0c90f57da}
Manufacturer: (Standard system devices)
Service: HidUsb
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

 

 

 

Application errors:
==================
Error: (09/28/2023 09:19:36 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x803F7000
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=UserLogon;SessionId=2

Error: (09/28/2023 09:18:54 AM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating Windows Defender status to SECURITY_PRODUCT_STATE_ON.


System errors:
=============
Error: (09/28/2023 09:24:53 AM) (Source: BTHUSB) (EventID: 17) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (09/28/2023 09:24:45 AM) (Source: mtkwlex) (EventID: 5006) (User: )
Description: \Device\NDMP2RZ616 Wi-Fi 6E 160MHz

Error: (09/28/2023 09:23:55 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x8024200b: MediaTek, Inc. - Net - 3.3.0.496.

Error: (09/28/2023 09:19:31 AM) (Source: BTHUSB) (EventID: 17) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (09/28/2023 09:17:52 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The Printer Extensions and Notifications service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (09/28/2023 09:11:48 AM) (Source: BTHUSB) (EventID: 17) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (09/28/2023 09:10:35 AM) (Source: BTHUSB) (EventID: 17) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (09/28/2023 09:10:32 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The netprofm service terminated with the following error:
The device is not ready.

 

 

Other than that, the computer shows no signs of infection. Here is some advice to help keep it that way.

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 


  • 1 month later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you

 

 

This topic is now closed to further replies.