
Microsoft Defender detects trojan on launch, then forgets



Hello!

My main issue is that whenever I restart my PC, the Microsoft Defender icon in my taskbar flashes red for a couple of seconds after starting up, and then goes back to green. After it disappears from Defender's screen, clicking on Protection History shows nothing, and it acts as if it never detected anything. I can't open Defender's log folder for some reason either. But if I open Defender up quickly enough, on the main page it shows:

Current Threats: Threats found. Start the recommended actions.
Trojan:MSIL/Redline.CBYZ!MTB
2024-08-26 7:54 PM (Active)
Action options: Block Threat, Allow on Device, See Details. Start Action.

Clicking 'Start Action' after choosing 'Block Threat' does absolutely nothing. The button just, well, presses. Opening 'See Details' gives me the file path, at least:
"Affected Items: amsi: \Device\HarddiskVolume3\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

This has been happening for at least a few days, no more than a week; at first I dismissed it because I didn't see any threat in any scans, but today I opened Defender immediately after a restart and saw the threat.

So, what I've tried so far: Microsoft Defender Quick Scan, Microsoft Defender Antivirus (offline scan), Malwarebytes Scan (log attached), a Malwarebytes full scan of C:\ with rootkits included, and I tried scanning the file path specifically with both scanners. I downloaded and ran AdwCleaner and FRST64 based off some other threads I tried out first, but neither of them spotted anything, at least to me (logs also attached). I haven't gotten a single positive on anything except for Defender at launch.

Some threads have said that this specific path could be a false positive, and while I'm hoping that's true, I really don't want to take any chances and especially not with something like Powershell or a Redline Trojan. I haven't noticed any of the other common symptoms from other threads like powershell opening for a split second on launch, nor anything else like a slower PC or high RAM/CPU usage, and I also haven't downloaded anything too suspicious in the past month. Unless this is something that lies in wait for a while, I don't think it appeared recently; my last possibly dangerous download was a textbook PDF a week ago. Also checked that, doesn't seem to be infected at all.

Any help you can offer will be greatly appreciated. Thank you!

IMG_1513.jpg

IMG_1514.jpg

Malwarebytes Scan Report 2024-08-27 002747.txt AdwCleaner[S00].txt Addition.txt FRST.txt

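A detection prefixed `amsi:` is Defender scanning script content that the named host process (here 32-bit PowerShell) handed to AMSI, and Defender records such events in its own threat store and operational event log even when the Protection History pane stays empty. The following is an added example, not from this thread, that pulls those records and lists the usual logon launch points for PowerShell; it assumes an elevated session on a standard Windows 10/11 install with the Defender PowerShell module present.

```powershell
# Added example, not from the thread. Run as Administrator on the affected PC.
# Assumed: the Defender PowerShell module and the Defender operational event
# log are present (standard on Windows 10/11).

# 1. Detections Defender still holds internally, whatever Protection History shows.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, ActionSuccess,
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-List

# 2. Map each ThreatID to its catalogue name (e.g. the Redline entry above).
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID

# 3. Event 1116 = malware detected, 1117 = action taken. The operational log
#    keeps them even when the Protection History pane is empty.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'amsi:' } |      # AMSI-sourced, as in this thread
    Select-Object TimeCreated, Id,
                  @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 4. Full text of the newest event: shows process, user, detection source and path.
Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Message

# 5. An AMSI hit on powershell.exe at logon means something is launching a script;
#    scheduled tasks and the Run keys are the first places to look.
Get-ScheduledTask |
    Where-Object { $_.Actions.Execute -match 'powershell' } |
    Select-Object TaskPath, TaskName,
                  @{ n = 'Arguments'; e = { $_.Actions.Arguments -join ' ' } }

foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match 'powershell' } |
        Select-Object @{ n = 'Key'; e = { $key } }, Name, Value
}
```

The event message from step 4 names the process and the detection source, which is what the Defender UI drops once the detection ages out of its main page.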

Hello @lone and welcome:

Please know that the valuable attachments are greatly appreciated but your helper can best analyze the computer when the following procedures are carefully executed in sequence:

Let us get the information to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

 

Let us go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then, sequentially follow each step in the order provided. Unless otherwise asked, please attach all logs.

 

Please make the following system changes: Please pay close attention to the instructions in all the following links.

  • If you have not done so already, Enable System Protection and create a NEW System Restore Point.
  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed.
  • Disable-Fast-Startup.
  • Show-Hidden-Folders-Files-Extensions.

Please run the following scans: Please pay close attention to the instructions in all the following links.

  1. Click the following link and run a Scan with AdwCleaner. Alternative AdwCleaner download.
  2. Click the following link and run a Scan with Malwarebytes. Alternative MB5 download. Please check for application and Update Package updates.
     RESTART the computer.
  3. Click the following link and run a Scan with Farbar Recovery Scan Tool.


 

Thank you.


  • Root Admin

Please uninstall ALL old versions of Java.

Then RESTART the computer and run the following AV scans.

[ 1 ]

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, so please do so.

  • The downloaded file will normally have a unique name such as: q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

 

[ 2 ]

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen choose if you want to send anonymous data and if you want to provide feedback or not, then click Continue
  • When prompted for scan type, click on the Full Scan button
  • Enable (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click the Start scan button.
  • Have patience. The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false positive, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for "periodic scanning".
  • Enable "Delete application data on closing". You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

 


For some reason, ESET starts up and runs a 'downloading modules' thing, but crashes immediately after. I think; I don't see it open anywhere in the taskbar or task manager. However, CureIt at least managed to find something, not sure if it's what was causing the issues. I'll restart and see if Windows Defender still does the thing and then try to run ESET again, but here's the log for CureIt.

cureit.log


Yeah, Windows Defender still sees the Trojan at powershell on startup, so that wasn't it. Still good it was caught, but ESET still doesn't seem to be working. I don't think the scan's working in background, is it? It just crashes after downloading module updates. Any idea why?

In any case I'll come back to this tomorrow hopefully, thanks a ton for all your help.


  • Root Admin

Yes, there are clean-up issues. It's past midnight for me. Please do the following and we'll pick up on it tomorrow.

 

Let's try a Microsoft scanner

 

 

Let's go ahead and run a couple of scans and get some updated logs from your system.

Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

[ 2 ]

Microsoft Safety Scanner

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours to complete.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the end result at the end of the run and what is saved in the log.
  • The scan may take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found and did.

 

 

 

Then RESTART the computer and get me NEW fresh logs and I'll assist you tomorrow.

 

 

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/


Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/


Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

 

Thanks

 

 

 

 

 

 


Well, that was a beefy eight-hour search. Didn't come up with anything, though. I've attached the MSERT logs, though they seem lacking in information to me. I've also added the two logs for FRST, the one for FSS, and the final one for SecurityCheck. None found anything, but the symptom is still ongoing; the last restart had it happen again for a couple of seconds. I also just noticed a large amount of huy_NATO.db files in appdata/roaming - is that normal?

Addition.txt FRST.txt FSS.txt msert.log SecurityCheck.txt


Well, now my laptop's crashing randomly, though that happens about once or twice a month for me anyways, and my Rainmeter's stopped functioning, though I think that was because one of the skins was quarantined and that somehow broke it all. However, I got a bit more paranoid, so I downloaded HitmanPro and got it to scan as well, but that one didn't find anything either. I also ran a few device health commands; scannow, DISM, chkdsk. None brought up anything too egregious and they didn't stop the threat from appearing at launch either. Is it possible this whole thing is actually a false positive? I'm just gonna run another full scan on Windows Defender, but I doubt it'll find anything the other nine scanners haven't. Hope these logs help, and again, thank you for your help.

HitmanPro_20240828_0216.log


  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
