Scan not detecting trojan that pops up as notifcation

[dfa]

Hi, 

 

I Appear to have the same issue as the closed topic above.  Malwarebytes is constantly alerting to 'Website blocked due to Trojan" with the following details:

Domain: stevenhead.ddns.net

IP Address 157.20.182.5

Port: 8898

Type: Outbound

File: C:|Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

 

Additionally, I'm also running Norton which is also warning of 'Threats Blocked' and a program acting abnormally, pointiing to the same file as indicated above (ie: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe).  Norton is reporting Threat Name "SONAR.SuspLaunch!g318"  

I appear unable to rename/update/delete/remove aspnet_compiler.exe, even under safe mode. 

 

Scan logs for Malwarebytes, AdwCleaner & FRST64 are attached.  Is anyone able to talk a relativly inexperienced user through a fix for this issue please?

 

Many many thanks in advance

 

Dave A

 

Malwarebytes Scan Report 2024-07-24 080818.txt AdwCleaner[S04].txt Addition.txt FRST.txt Norton Log.txt

[1PW]

Hello @dfa and :

Thank you for the attachment(s) you have already posted. However, please carefully follow the procedures below in the order given for the best data. Please do not forget Malwarebytes AdwCleaner in its proper order.

Although I will not be your malware removal helper, please carefully follow the steps in the order given:

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then, follow each step in the order provided. Unless otherwise asked, please attach all log files.

Please make the following system changes:  Please pay close attention to the instructions in all the following links.

1. If you have not done so already, Enable System Protection and create a NEW System Restore Point.
2. Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
3. Temporarily disable the overly sensitive Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed.
4. Disable-Fast-Startup. <<<<< Important.
5. Show-Hidden-Folders-Files-Extensions.

Please run the following scans:  Please Take your time and pay close attention to the instructions in all the following links.

1. Select the following link and run a Scan with Malwarebytes AdwCleaner with only the eight (8) requested options selected.  Report files: AdwCleaner[S00].txt and AdwCleaner[C00].txt   Please run the scan only once, correctly, to capture any and all error data. Alternate Download Source.
2. Select the following link and run a DEFAULT Scan with Malwarebytes 5 for Windows®. Report file: Malwarebytes Scan Report YYYY-MM-DD HHMMSS.txt
3. >>>> Restart the computer <<<<
4. Select the following link, and then rename FRST.exe or FRST64.exe to FRSTEnglish.exe and run a Scan with Farbar Recovery Scan Tool. Report files: FRST.txt and Addition.txt

Example image of where to click to attach the five (5) files when posting your reply to your topic:

The sooner you attach/send the five (5) log files, the sooner one of the Experts will weigh-in on your topic.

Thank you.

[AdvancedSetup]

Hello @dfa

Why are you running software from 2008 and 2015 ?  The motherboard shows to be from 2021 and running Windows 11

Very little reason to run any software that old normally.

HKLM\...\Run: [Cmaudio8788] => C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\cmicnfgp.dll,CMICtrlWnd [13463552 2015-08-11] (C-Media Corporation) [File not signed]
HKLM\...\Run: [Cmaudio8788GX] => C:\Windows\syswow64\HsMgr.exe [200704 2008-07-11] () [File not signed]
HKLM\...\Run: [Cmaudio8788GX64] => C:\Windows\system\HsMgr64.exe [282112 2008-07-11] () [File not signed]

R3 cmudaxp; C:\Windows\system32\drivers\cmudaxp.sys [2735616 2015-06-02] (C-MEDIA ELECTRONICS INC. -> C-Media Inc)

 

 

Please temporarily disable your Norton antivirus real-time protection and run the following fix.

 

 

Please run the following fix

 

NOTE: Please read all of the information below before running this fix.

• NOTICE: This script was written specifically for this user, for use on this particular machine.
• Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\dfa19\OneDrive\Desktop\New folder\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed.
               Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Discord cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• BITS transfer queue (qmgr*.dat files)
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

[dfa]

Following advice/instruction from 1PW PFA the requisite files

 

DFA

AdwCleaner[S00].txt FRST.txt Malwarebytes Scan Report 2024-07-24 181755.txt Addition.txt AdwCleaner[C00].txt

[AdvancedSetup]

Please follow my instructions above @dfa and when done, post back the FIXLOG.TXT file.

 

Also, let me know why you're running such old software on a fairly new computer

Thank you

 

[dfa]

Having problems replying via pc due to website spam catcher so trying via tablet. Fix appears to have worked, errors have ceased.Fixlog.txt

[dfa]

Many, many thanks.  Older software is due to an older Asus Xonar sounndcard

[AdvancedSetup]

Thank you for the log. I have removed the SPAM block so reply should be easier now.

Let me check the log and I'll be back in a moment

 

[AdvancedSetup]

Overall the fix ran well. It looks like there may be some type of path issue so we should get some new logs to review.

 

Please check on this folder. It looks like it was probably created by malware and can possibly be removed.  C:\Users\dfa19\dfa19-2024-07-21\

 

Please RESTART the computer and get me new fresh logs

 

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

Thanks

 

 

 

 

 

[dfa]

Will have to wait until tomorrow now.  Thanks for your help so far.  DFA

[dfa]

Hi there.  Sorry for the delay - unfortunatly work sometimes intereferes.  PFA the required files from the scans.  I've looked at C:\Users\dfa19\dfa19-2024-07-21\, which contains some batch files for running powershell.  I don't recall loading/downloading anything on that date and have so elected to delete the 4 files.

 

Regards

DFA

FSS.txt SecurityCheck.txt FRST.txt

[AdvancedSetup]

Thank you for the logs @dfa

 

Please Uninstall, Update, or otherwise address the following as appropriate for your system.

 

• Adobe Creative Cloud v.6.0.0.571 Warning! Download Update
• NVIDIA GeForce Experience 3.28.0.412 v.3.28.0.412 Warning! Download Update
• qBittorrent 4.4.3.1 v.4.4.3.1 Warning! Download Update
• µTorrent v.3.5.5.46206 Warning! Ad-supported P2P-client.

Then RESTART the computer and check for Windows Updates and install any found. You have a missing Windows Defender update that a Windows update should install for you.

 

 

 

NOTE:

The act of torrenting itself is not illegal. However, downloading and sharing unsanctioned copyrighted material is illegal, and there is always a chance of prosecution if caught by the authorities.
Torrenting non-copyrighted material is perfectly fine and is allowed. However, be aware that we have seen increased malware bundled with software downloads over P2P.

Recent Ransomware infections have been seen to encrypt user data so that no one can decrypt the data without the private key.
When sharing files, please keep in mind that you're increasing your system's attack surface area, which can increase the risk of infection.

Scan all files before running them. https://www.virustotal.com

If you don't need or use the P2P software, you should uninstall it.

P2P File-Sharing: Know the Risks
https://www.bankinfosecurity.com/p2p-file-sharing-know-risks-a-737

 

Hidden risks in pirated software https://news.microsoft.com/apac/2019/01/08/hidden-risks-in-pirated-software/
Why You Shouldn't Use Pirated Software (But Why People Still Do) https://www.computer.org/publications/tech-news/trends/why-you-shouldnt-use-pirated-software

 

 

 

[AdvancedSetup]

Good day @dfa

How are things going today?

 

[dfa]

Busy yesterday and unable to spend time with the PC. 

Advice above followed and the torrent progs I was unaware of removed (thanks son!).  Updates completed and system has now been up for about 2 days with no issues evident. 

Many thanks for all your help with this issue.  I think I'm content to close this now.

Best regards

DFA

[dfa]

Maybe I spoke too soon above.  MWB is again reporting issues (but not Norton this time) similar to the one experienced last week. 

 

Original problem: 

Website Blocked Due To Trojan

Domain: stevenhead.ddns.net

IP Address 157.20.182.5

Port: 8898

Type: Outbound

File: C:|Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

 

New Problem:

Website Blocked Due To Trojan

Domain: stev3nhdad.ddns.net

IP Address 157.20.182.5

Port: 1665

Type: Outbound

File: C:|Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

 

Guess I could be back to square 1? :(

 

I've aagain attached files following scans by Malwarebytes, ADWCleaner & FRST

AdwCleaner[S00].txt FRST.txt Malwarebytes Scan Report 2024-07-29 191119.txt Addition.txt AdwCleaner[C00].txt

[dfa]

Additional File from MWBMalwarebytes Website Blocked Report 2024-07-29 190028.txtMalwarebytes Website Blocked Report 2024-07-29 190028.txt

[AdvancedSetup]

Please move the  Farbar program out of the OneDrive location  C:\Users\dfa19\OneDrive\Desktop\New folder\FRSTEnglish.exe

Copy or move it to C:\Users\dfa19\Downloads

You also have some duplicate FIXLIST.TXT files in your C:\Users\dfa19\Downloads  folder. Please delete all those text files. Then save the following file to your Downloads folder where you just copied the FRSTEnglish.exe file.

 

Please run the following fix

 

NOTE: Please read all of the information below before running this fix.

• NOTICE: This script was written specifically for this user, for use on this particular machine.
• Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   C:\Users\dfa19\Downloads\FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\dfa19\Downloads\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed.
               Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Discord cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• BITS transfer queue (qmgr*.dat files)
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Edited July 30 by AdvancedSetup
Updated information

[dfa]

Thanks forthe help again.  I've completed the above and attached the fixlog.  Very early days I know, but the error, which previosly appeared every 30 secs according to MWB detection history, seems to have calmed down again.    I suppose the question remaining is what the issue is and why it seems to have adapted itself between the 2 instances that it was present.  I suppose I'm really asking the question - is it likely to adapt again and return?

 

Again, thanks for your patience and time.

Fixlog.txt

[AdvancedSetup]

Thank you the log looks good. In this case it was a very specific fake task that was created. Before we left the old folder alone so perhaps it had something in it to bring it back?

This time we removed the bad task and removed the entire folder as well

Please go ahead and run a couple of other AV scans to help ensure nothing else is lingering.

 

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, please do so

• The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
• Close all open applications and locate the downloaded file and double-click to run it
• The program will take a moment to launch and bring up the License and Update screen
• Place a check mark to agree to the terms and then click on the Continue button
• Click the underlined link Select objects for scanning
• On the top left click the Scanning objects that should automatically check all objects
• Click the small wrench and make sure there is a check on Automatically apply actions to threats
• Then click the large button on bottom right Start scanning
• Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
• The log is saved in the folder named Doctor Web in the top of your user profile folders
• Please attach that log on your next reply

 

 

 

 

Let's go ahead and run a couple of scans and get some updated logs from your system.

Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

• Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed.
• Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
• Disable-Fast-Startup
• Show-Hidden-Folders-Files-Extensions

[ 2 ]

Microsoft Safety Scanner

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours to complete.

• Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run and saved in the log.
• The scan may take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware. )

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found and did.

 

Thank you

 

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks