bbdrey Posted September 18 ID:1661674

Hello, I have downloaded some malicious files. Yesterday, somebody tried to get into a few of my accounts; I took care of changing passwords ASAP. Today I downloaded Malwarebytes and it keeps blocking a .NET Framework file. Ran a few scans with Malwarebytes, AdwCleaner and Farbar. Let me explain everything through screenshots and logs. Also, there's a process popping up in Task Manager now. It doesn't respond though. Thanks!

Attachments: Addition.txt, FRST.txt
SQx Posted September 18 (Solution) ID:1661693 (edited)

Hello,

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.

Start::
CreateRestorePoint:
CloseProcesses:
File: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
HKU\S-1-5-21-1025288014-908265551-3708859633-1001\...\Run: [finitoLaKomeda] => C:\Users\drewm\OneDrive\Pictures\MuhaBuntita\Cocksuchj.ex (No File)
File: C:\Users\drewm\AppData\Roaming\7zip\bin\x64\win.exe
Task: {34062064-B7B8-4AA9-8DB9-64D90063E53B} - System32\Tasks\d2luODA1 => C:\Users\drewm\AppData\Roaming\7zip\bin\x64\win.exe [788818944 2024-09-16] () [File not signed] <==== ATTENTION
Task: {FF09D12F-2620-4C4F-8375-BE027ED6A7E3} - System32\Tasks\PhotoEditorTask_ODA1 => C:\Users\drewm\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODA1.exe [1050881536 2024-09-16] () [File not signed] -> C:\Users\drewm\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\conf.txt <==== ATTENTION
2024-09-16 14:01 - 2024-09-16 14:01 - 000003808 _____ C:\WINDOWS\system32\Tasks\PhotoEditorTask_ODA1
2024-09-16 14:01 - 2024-09-16 14:01 - 000003452 _____ C:\WINDOWS\system32\Tasks\d2luODA1
2024-09-16 14:01 - 2024-09-16 14:01 - 000000000 ___HD C:\Users\drewm\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms
2024-09-16 14:01 - 2024-09-16 14:01 - 000000000 ____D C:\Users\drewm\AppData\Roaming\7zip
FirewallRules: [{C5A96376-D4F3-4437-9EF2-E07E4347BCFC}] => (Allow) C:\Users\drewm\AppData\Local\Temp\ACFL\ACSetup\ACSetup.exe => No File
FirewallRules: [{7D4FC197-BFF7-4E66-9DDD-016472D8C542}] => (Allow) C:\Users\drewm\AppData\Local\Temp\ACFL\ACSetup\ACSetup.exe => No File
End::

Right-click on FRST64 on your Desktop to run it as administrator. When the tool opens, click "Yes" to the disclaimer. Press the Fix button once and wait. FRST will process the fix. When finished, it will produce a log, fixlog.txt, on your Desktop. Post the log in your next reply. Please let me know if this solved the issue.

Please uninstall the following:
Driver Booster 11 (HKLM-x32\...\Driver Booster_is1) (Version: 11.6.0 - IObit)

Edited September 18 by SQx
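The FRST fix above removes entries from four places malware commonly uses to survive a reboot or stay reachable: a per-user Run key, two scheduled tasks that launch unsigned executables out of the user profile, and two firewall allow rules whose program no longer exists. The script below is an added example, not part of the thread and not FRST's own code; it is a read-only triage of those same locations (plus the hosts file, whose Adobe entries SQx points out further down) so a practitioner can see what a fix like this targets before running one. It assumes Windows 8 or later with PowerShell 5.1, an elevated prompt, and that it is run as the affected user (the FRST line's HKU\S-1-5-21-... key is that user's HKCU). It deletes nothing.

```powershell
# Added example, not from the forum thread or from FRST: a read-only triage of the
# locations the FRST fix above touched (Run keys, scheduled tasks, firewall rules)
# plus the hosts file. Assumptions: Windows 8+/PowerShell 5.1, run elevated, and the
# affected account is the one running it. It reports what a cleanup should target;
# it deletes nothing.

function Test-UserWritablePath {
    param([string]$Path)
    # The droppers in this thread autostarted from AppData\Roaming, AppData\Local and
    # OneDrive\Pictures. Unsigned autostart binaries in such paths deserve a second look.
    return $Path -match '\\Users\\[^\\]+\\(AppData|OneDrive|Downloads|Pictures|Documents)\\'
}

function Get-TargetFinding {
    param([string]$Kind, [string]$Name, [string]$Target)
    # Shared check: missing target (FRST's "(No File)") or unsigned in a user-writable
    # directory (FRST's "[File not signed] <==== ATTENTION").
    if ([string]::IsNullOrWhiteSpace($Target)) { return $null }
    $exe = [Environment]::ExpandEnvironmentVariables($Target.Trim('"'))
    if ($exe -notmatch '^[A-Za-z]:\\') { return $null }   # bare names resolved via PATH are out of scope
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        return [pscustomobject]@{ Kind = $Kind; Name = $Name; Target = $exe; Reason = 'target file missing' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid' -and (Test-UserWritablePath $exe)) {
        return [pscustomobject]@{ Kind = $Kind; Name = $Name; Target = $exe; Reason = "unsigned ($($sig.Status)) in user-writable path" }
    }
    return $null
}

function Get-ExecutableFromCommand {
    param([string]$Command)
    # A Run value is a whole command line; take the quoted program path or the first token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Get-RunKeyFindings {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $exe = Get-ExecutableFromCommand ([string]$regKey.GetValue($name))
            $finding = Get-TargetFinding -Kind 'Run' -Name "$key\$name" -Target $exe
            if ($finding) { $finding }
        }
    }
}

function Get-ScheduledTaskFindings {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $finding = Get-TargetFinding -Kind 'Task' -Name ($task.TaskPath + $task.TaskName) -Target $action.Execute
            if ($finding) { $finding }
        }
    }
}

function Get-OrphanedAllowRuleFindings {
    # Allow rules whose program is gone (FRST's "=> No File"): typically left behind by
    # something that ran from %TEMP%, like the two ACSetup.exe rules in the fix above.
    foreach ($filter in Get-NetFirewallApplicationFilter -All) {
        if ($filter.Program -notmatch '\\') { continue }   # skips 'Any' and 'System'
        $exe = [Environment]::ExpandEnvironmentVariables($filter.Program)
        if (Test-Path -LiteralPath $exe -PathType Leaf) { continue }
        $rule = $filter | Get-NetFirewallRule
        if ($rule.Action -eq 'Allow') {
            [pscustomobject]@{ Kind = 'FirewallRule'; Name = $rule.Name; Target = $exe; Reason = 'allow rule, program missing' }
        }
    }
}

function Get-HostsFindings {
    # A stock Windows hosts file holds only comments, so every active mapping was added by
    # something: cracked-software activation blocks (the Adobe entries mentioned later in
    # this thread) or redirects of security-vendor domains.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in Get-Content -LiteralPath $hostsPath) {
        $parts = (($line -replace '#.*$', '').Trim()) -split '\s+'
        if ($parts.Count -lt 2) { continue }
        foreach ($hostname in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Kind = 'Hosts'; Name = $hostname; Target = $parts[0]; Reason = 'active hosts mapping' }
        }
    }
}

$findings = @(Get-RunKeyFindings) + @(Get-ScheduledTaskFindings) +
            @(Get-OrphanedAllowRuleFindings) + @(Get-HostsFindings)
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize -Wrap }
```

The signature check is deliberately paired with the path check: plenty of legitimate software ships unsigned, but an unsigned binary that autostarts from a user-writable folder, as both win.exe and ODA1.exe did here, is the combination worth escalating. Missing targets are reported regardless of path, since an orphaned Run value or allow rule is evidence of something that has already been removed or moved.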
bbdrey Posted September 18 (Author) ID:1661700

Thanks for the quick reply. After the fix, Malwarebytes isn't blocking anything anymore. Also, I found a suspicious folder in AppData\Local, called OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms. It had an .exe, a .dll and a config inside. Deleted it right away. Ran it on a sandbox and I'm pretty positive it was a trojan. Also, I ran a cmd scan for corrupted files with the sfc command, found something and got it dealt with.

Attachment: Fixlog.txt
SQx Posted September 18 ID:1661703

Great. Please stop using pirated software, otherwise our help will be useless. As I can see, the hosts file contains entries for Adobe products. Please confirm that you have uninstalled the following software (PUP):
Driver Booster 11 (HKLM-x32\...\Driver Booster_is1) (Version: 11.6.0 - IObit)
bbdrey Posted September 18 (Author) ID:1661705

Yes, I uninstalled Driver Booster and anything related to it. By the way, what is the MuhaBuntita folder with the .exe inside? And also a file appeared in my Pictures folder, named 591A84D12FD1471FB12892B41EC81EB0.
SQx Posted September 18 ID:1661706

1 minute ago, bbdrey said: By the way, what is the MuhaBuntita folder with the .exe inside?

1) If you do not know the origin of the specified directory, please delete it.
2) Please run the following AV scanners and post back the logs when ready.

[ 1 ] Dr.Web CureIt!
Please download the Dr.Web CureIt! anti-virus utility: https://free.drweb.com/
You will need to send them an email to obtain a link to download the scanner; please do so.
The downloaded file will normally have a unique name such as: q7a9tr4p.exe
Close all open applications, locate the downloaded file and double-click to run it.
The program will take a moment to launch and bring up the License and Update screen.
Place a check mark to agree to the terms and then click on the Continue button.
Click the underlined link "Select objects for scanning".
On the top left, click "Scanning objects"; that should automatically check all objects.
Click the small wrench and make sure there is a check on "Automatically apply actions to threats".
Then click the large button on the bottom right, "Start scanning".
Once the scan has completed there will be a link named "Open report"; click that and a log named cureit.log should open in Notepad.
The log is saved in the folder named Doctor Web at the top of your user profile folders.
Please attach that log to your next reply.

[ 2 ] ESET Online Scanner
Please run the following and perform a Full Scan.
Click the following link to save the installer for ESET Online Scanner: https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
It will start a download of "esetonlinescanner.exe".
Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file and double-click it to get started.
When presented with the initial ESET screen, click on "Get Started".
Read and accept the Terms of use.
On the "Before we start..." screen, choose if you want to send anonymous data and if you want to provide feedback or not, then click Continue.
When prompted for scan type, click on the Full Scan button.
Enable (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click the Start scan button.
Have patience. The entire process may take a few hours or more.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
Click the blue "Save scan log" to save the log and give it a name and location you remember.
If something was removed and you know it is a false positive, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
Press Continue when all done.
You should click to turn off the offer for "periodic scanning".
Enable "Delete application data on closing". You do not need to submit feedback unless you want to. Simply ignore and close the program.
Note: If you do need to do a File Restore from ESET, please follow the directions below:
[KB2915] Restore files quarantined by the ESET Online Scanner version 3 https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner
Please attach the ESET scan log you saved at the end to your next reply.
bbdrey Posted September 18 (Author) ID:1661716

Ran the folder I asked about on a sandbox; it was the trojan which caused .NET Framework to run (the one I mentioned at the start). Weird thing is that none of these antiviruses found it malicious. BTW, ESET found nothing.

Attachment: cureit.log
SQx Posted September 18 ID:1661724 (edited)

Dr.Web found only the hosts file as suspicious, due to the Adobe entries:
C:\WINDOWS\system32\drivers\etc\hosts - probably infected with HOSTS:SUSPICIOUS.URL

46 minutes ago, bbdrey said: Ran the folder I asked about on a sandbox, it was the trojan which caused .NET framework to run (the one I mentioned at the start)

Could you please upload the malware to virustotal.com and share the report link in the next post, if you still have this malicious file? We removed all active malware; copies of the malware could be in the mentioned folder, so you can remove it.

Edited September 18 by SQx
SQx Posted September 18 ID:1661739

Also, this archive could contain malicious code as well: HELPY-UNIVERSAL-main.zip, so please delete it as well.

Date: 2024-09-16 13:37:22
Description: Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
More information: https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Malgent!MTB&threatid=2147836816&enterprise=0
Name: Trojan:Win32/Malgent!MTB
Severity: Severe
Category: Trojan
Path: containerfile:_C:\Users\drewm\Downloads\HELPY-UNIVERSAL-main.zip; file:_C:\Users\drewm\Downloads\HELPY-UNIVERSAL-main.zip->HELPY-UNIVERSAL-main/UC Release.zip->UC Release/hotkey_class.exe; webfile:_C:\Users\drewm\Downloads\HELPY-UNIVERSAL-main.zip|https://codeload.github.com/Villageslayer/HELPY-UNIVERSAL/zip/refs/heads/main|pid:10592,ProcessStart:133709602388404531
Detection origin: Internet
Detection type: Concrete
Detection source: Downloads and attachments
User: DESKTOP-CLIQQHL\drewm
Process name: Unknown
Security intelligence version: AV: 1.417.735.0, AS: 1.417.735.0, NIS: 1.417.735.0
Engine version: AM: 1.1.24070.3, NIS: 1.1.24070.3

https://www.virustotal.com/gui/file/f6d5d82e4d8a0b479454a3ac3d9a29163e1b94636c584894641102f90bdb5921
bbdrey Posted September 19 (Author) ID:1661940

Looks like I'm clean. Thanks a lot. I deleted the virus, but I'll try to recover it and post it there. Btw, the HELPY archive was deleted way before; it's weird that it got logged. Can't find any copy anywhere though. Once again, thanks a lot for your help! Really appreciate it.
SQx Posted September 19 ID:1661947

22 minutes ago, bbdrey said: Btw, the HELPY archive was deleted way before, that's weird it got logged. Can't find any copy anywhere though.

Looks like a script for customizing and automating mouse actions. Checking whether it's a false alarm.
SQx Posted September 19 ID:1661971

For visibility, requested to confirm the detection.
SQx Posted September 20 ID:1662156

I got confirmation that hotkey_class.exe is a false positive. Please run the following:
Scan with SecurityCheck by glax24: https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/
AdvancedSetup (Root Admin) Posted September 27 ID:1663542

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks