.NET Framework Trojan


Solved by SQx

Hello, 

I have downloaded some malicious files. Yesterday somebody tried to get into a few of my accounts; I took care of changing passwords ASAP.

Today I downloaded Malwarebytes and it keeps blocking a .NET Framework file. 

Ran a few scans with Malwarebytes, AdwCleaner and Farbar.

Let me explain everything through screenshots and logs.

Also, there's a process popping up in Task Manager now. It doesn't respond though.

Thanks!

Attachments: Malwarebytes.png, spravce.png, Addition.txt, FRST.txt

Link to post
Share on other sites

  • Solution

Hello,

Please do the following to run a FRST fix:

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
    Start::
    CreateRestorePoint:
    CloseProcesses:
    File: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    HKU\S-1-5-21-1025288014-908265551-3708859633-1001\...\Run: [finitoLaKomeda] => C:\Users\drewm\OneDrive\Pictures\MuhaBuntita\Cocksuchj.ex (No File)
    File: C:\Users\drewm\AppData\Roaming\7zip\bin\x64\win.exe
    Task: {34062064-B7B8-4AA9-8DB9-64D90063E53B} - System32\Tasks\d2luODA1 => C:\Users\drewm\AppData\Roaming\7zip\bin\x64\win.exe [788818944 2024-09-16] () [File not signed] <==== ATTENTION
    Task: {FF09D12F-2620-4C4F-8375-BE027ED6A7E3} - System32\Tasks\PhotoEditorTask_ODA1 => C:\Users\drewm\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODA1.exe [1050881536 2024-09-16] () [File not signed] -> C:\Users\drewm\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\conf.txt <==== ATTENTION
    2024-09-16 14:01 - 2024-09-16 14:01 - 000003808 _____ C:\WINDOWS\system32\Tasks\PhotoEditorTask_ODA1
    2024-09-16 14:01 - 2024-09-16 14:01 - 000003452 _____ C:\WINDOWS\system32\Tasks\d2luODA1
    2024-09-16 14:01 - 2024-09-16 14:01 - 000000000 ___HD C:\Users\drewm\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms
    2024-09-16 14:01 - 2024-09-16 14:01 - 000000000 ____D C:\Users\drewm\AppData\Roaming\7zip
    FirewallRules: [{C5A96376-D4F3-4437-9EF2-E07E4347BCFC}] => (Allow) C:\Users\drewm\AppData\Local\Temp\ACFL\ACSetup\ACSetup.exe => No File
    FirewallRules: [{7D4FC197-BFF7-4E66-9DDD-016472D8C542}] => (Allow) C:\Users\drewm\AppData\Local\Temp\ACFL\ACSetup\ACSetup.exe => No File
    End::
    
  • Right-click on FRST64 on your Desktop to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process the fix.
  • When finished, it will produce a log, fixlog.txt, on your Desktop.
  • Post the log in your next reply.

    Please let me know if this solved the issue.


    Please uninstall the following:
    Driver Booster 11 (HKLM-x32\...\Driver Booster_is1) (Version: 11.6.0 - IObit)
Edited by SQx
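As an added example that is not part of this thread or of FRST, the following Python script walks the Task and FirewallRules lines from the fixlist above and reports why each one warrants attention: unsigned binaries launched from AppData, scheduled task and folder names that are base64-encoded, executables padded to hundreds of megabytes, and allow rules for files that no longer exist. The sample lines are copied from the fixlist; the 100 MB threshold is an assumption.

```python
import base64
import binascii
import re

# Constructed sample: the Task and FirewallRules entries copied from the fixlist in this thread.
FRST_LINES = [
    r"Task: {34062064-B7B8-4AA9-8DB9-64D90063E53B} - System32\Tasks\d2luODA1 => C:\Users\drewm\AppData\Roaming\7zip\bin\x64\win.exe [788818944 2024-09-16] () [File not signed] <==== ATTENTION",
    r"Task: {FF09D12F-2620-4C4F-8375-BE027ED6A7E3} - System32\Tasks\PhotoEditorTask_ODA1 => C:\Users\drewm\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODA1.exe [1050881536 2024-09-16] () [File not signed] -> C:\Users\drewm\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\conf.txt <==== ATTENTION",
    r"FirewallRules: [{C5A96376-D4F3-4437-9EF2-E07E4347BCFC}] => (Allow) C:\Users\drewm\AppData\Local\Temp\ACFL\ACSetup\ACSetup.exe => No File",
]

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{4,}$")
WIN_PATH = re.compile(r"[A-Za-z]:\\\S+")
SIZE_DATE = re.compile(r"\[(\d+) \d{4}-\d{2}-\d{2}\]")
BIG_BINARY = 100 * 2**20  # assumed threshold: a launcher above 100 MB suggests size padding to evade scanners

def decode_b64_token(token):
    """Return the plaintext if token is base64 of printable ASCII (3+ chars), else None."""
    if not B64_TOKEN.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if len(text) >= 3 and text.isprintable() else None

def triage(line):
    """Return the sorted list of reasons an FRST Task/FirewallRules line deserves a closer look."""
    reasons = set()
    paths = WIN_PATH.findall(line)
    if "[File not signed]" in line:
        reasons.add("unsigned binary")
    if any(re.search(r"\\AppData\\(Local|Roaming)\\", p) for p in paths):
        reasons.add("runs from the user profile (AppData)")
    if (m := SIZE_DATE.search(line)) and int(m.group(1)) > BIG_BINARY:
        reasons.add(f"oversized binary ({int(m.group(1)) // 2**20} MB)")
    if line.startswith("FirewallRules:") and "(Allow)" in line and "No File" in line:
        reasons.add("allow rule for a binary that no longer exists")
    # The task name and every path component are tested for base64-encoded names.
    names = re.findall(r"System32\\Tasks\\(\S+)", line)
    for p in paths:
        names.extend(p.split("\\")[1:])
    for name in names:
        for token in re.split(r"[_.]", name):
            decoded = decode_b64_token(token)
            if decoded:
                reasons.add(f"base64 name {token!r} decodes to {decoded!r}")
    return sorted(reasons)
```

Running `triage` over each of the three lines shows that the task named d2luODA1 decodes to win805 and the AppData folder name decodes to a short comma-separated hex list, which is exactly the kind of naming a helper checks before asking for a FRST fix.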

Thanks for the quick reply. 

After the fix, Malwarebytes isn't blocking anything anymore.

Also, I found a suspicious folder in AppData\Local, called OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms

It had an .exe, .dll and a config inside. Deleted it right away. Ran it on a sandbox and I'm pretty positive it was a trojan.

Also, I ran a cmd scan for corrupted files with sfc command, found something and got it dealt with.

Attachment: Fixlog.txt


Great. Please stop using pirated software, otherwise our help will be useless. As I can see, the hosts file contains entries for Adobe products.

Please confirm that you have uninstalled the following software (PUP):
Driver Booster 11 (HKLM-x32\...\Driver Booster_is1) (Version: 11.6.0 - IObit)


1 minute ago, bbdrey said:

By the way, what is the MuhaBuntita folder with the .exe inside?

1) If you do not know the origin of the specified directory, please delete it.

2) Please run the following AV scanners and post back the logs when ready.

 

[ 1 ]

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, so please do so.

  • The downloaded file will normally have a unique name such as: q7a9tr4p.exe
  • Close all open applications, locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left, click Scanning objects, which should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on the bottom right, Start scanning
  • Once the scan has completed there will be a link named Open report; click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web at the top of your user profile folders
  • Please attach that log to your next reply

[ 2 ]

ESET Online Scanner

Please run the following and perform a Full Scan
 
Click the following link to save the installer for ESET Online Scanner
https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double-click it to get started.
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use.
  • On the "Before we start..." screen choose if you want to send anonymous data and if you want to provide feedback or not, then click Continue.
  • When prompted for scan type, click on the Full Scan button.
  • Enable (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click the Start scan button.
  • Have patience. The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false positive, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for "periodic scanning".
  • Enable "Delete application data on closing". You do not need to submit feedback unless you want to. Simply ignore and close the program.


 
Note: If you do need to do a File Restore from ESET, please follow the directions below:
[KB2915] Restore files quarantined by the ESET Online Scanner version 3
https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

Please attach the ESET scan log you saved at the end to your next reply.


Dr.Web found just the hosts file as suspicious, due to the Adobe entries.


C:\WINDOWS\system32\drivers\etc\hosts - probably infected with HOSTS:SUSPICIOUS.URL

 

46 minutes ago, bbdrey said:

Ran the folder I asked about on a sandbox, it was the trojan which caused .NET framework to run (the one I mentioned at the start)

Could you please upload the malware to virustotal.com and share the report link in the next post, if you still have this malicious file.

We removed all active malware, but copies of the malware could still be in the mentioned folder, so you can remove it.


Edited by SQx

Also, this archive could contain malicious code as well: HELPY-UNIVERSAL-main.zip, so please delete it too.


Date: 2024-09-16 13:37:22
Description: 
Antivirová ochrana v programu Microsoft Defender zjistil malware nebo jiný potenciálně nežádoucí software.
Další informace:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Malgent!MTB&threatid=2147836816&enterprise=0
Název: Trojan:Win32/Malgent!MTB
Závažnost: Vážné
Kategorie: Trojský kůň
Cesta: containerfile:_C:\Users\drewm\Downloads\HELPY-UNIVERSAL-main.zip; file:_C:\Users\drewm\Downloads\HELPY-UNIVERSAL-main.zip->HELPY-UNIVERSAL-main/UC Release.zip->UC Release/hotkey_class.exe; webfile:_C:\Users\drewm\Downloads\HELPY-UNIVERSAL-main.zip|https://codeload.github.com/Villageslayer/HELPY-UNIVERSAL/zip/refs/heads/main|pid:10592,ProcessStart:133709602388404531
Původ detekce: Internet
Typ detekce: Konkrétní
Zdroj detekce: Soubory ke stažení a přílohy
Uživatel: DESKTOP-CLIQQHL\drewm
Název procesu: Unknown
Verze bezpečnostních informací: AV: 1.417.735.0, AS: 1.417.735.0, NIS: 1.417.735.0
Verze modulu: AM: 1.1.24070.3, NIS: 1.1.24070.3


https://www.virustotal.com/gui/file/f6d5d82e4d8a0b479454a3ac3d9a29163e1b94636c584894641102f90bdb5921


Looks like I'm clean. Thanks a lot.

I deleted the virus, but I'll try to recover it and post it there.

Btw, the HELPY archive was deleted way before; it's weird that it got logged. Can't find any copy anywhere though.


Once again, thanks a lot for your help! Really appreciate it.


22 minutes ago, bbdrey said:

Btw, the HELPY archive was deleted way before, that's weird it got logged. Can't find any copy anywhere though.

Looks like a script for customizing and automating mouse actions. Checking if it's a false alarm.



  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

