sparta

CLOSED: Persistent malware undetected, but detected by VirusTotal & Hybrid Analysis; changes Windows password, denies access to programs


Hi, I have a persistent malware infection on Win10 x64 (latest updates till Aug 2018).
I have done a clean install several times (I have another drive as well that has data which was not formatted), but after working for some time the infection returns, usually after reboots or installing software or doing a Windows update, etc.

The following happens:

1) Avast antivirus does not detect anything but continuously uses around 10% CPU.
2) Installed Malwarebytes, but sometimes it works; other times malware protection and ransomware protection turn off on their own and do not turn back on.
3) Bitdefender antivirus does not detect anything.
4) Comodo antivirus also does not detect anything but uses 25% CPU.
5) Avira antivirus also does not detect anything.
If the computer goes to sleep or is restarted, then the computer's password gets changed by the malware; I have to reset it using the 3 secret questions (Win10 x64).
6) If Malwarebytes is able to work then OK; otherwise Task Manager or any other app says you don't have permissions, etc.

Also, SYSTEM tries to go to UDP port 137; copy of the Outpost firewall blocked-connections log:

    SYSTEM    OUT    UDP    131.253.61.86    137    
    SYSTEM    OUT    UDP    131.253.61.82    137    
    SYSTEM    OUT    UDP    131.253.61.64    137    
    SYSTEM    OUT    UDP    13.107.4.52    137    
    SYSTEM    OUT    UDP    104.27.128.190    137    
    SYSTEM    OUT    UDP    104.20.94.33    137    
    SYSTEM    OUT    UDP    74.125.24.188    137    

Hence I have now formatted the system and reinstalled Win10 x64 (I have another drive as well that has data which was not formatted) and installed Emsisoft Anti-Malware; it also does not detect anything.
Then I read your manual malware removal guide.
I ran Autoruns and found viruses detected by VirusTotal.

The VirusTotal entries show some files are infected, but those have been detected by one antivirus company only. I copied all these files to a folder, zipped them and ran an analysis on VirusTotal
https://www.virustotal.com/#/file/47b4b566e2de3e7f73a554073ba028a5b165f0918c8ec134aef9378aade196d9/details
and Hybrid Analysis as well
https://www.hybrid-analysis.com/sample/47b4b566e2de3e7f73a554073ba028a5b165f0918c8ec134aef9378aade196d9
, and they said infected.
I uploaded one of the files to hybridanalysis.com and ran it on Win7 x64; it also said infected.

When I turn off Emsisoft to check, the above-mentioned issues return.

What can I do now? How can I replace these infected files, or could you add this to your virus database and remove it somehow?
Or tell me the steps to get this resolved.

regards.

sparta

Infected files.zip
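On the UDP/137 lines in the post: port 137 is the NetBIOS Name Service (NBNS), and Windows itself sends NBNS queries from the SYSTEM process as part of name resolution, so outbound UDP/137 in a firewall log is not by itself evidence of infection. What a practitioner does want to know is whether NBNS is leaving the LAN at all, since it has no business on the internet and is normally blocked there. The following is an added example, not code from the post or from Outpost: it parses blocked-connection lines in the layout quoted above (assumed column order: process, direction, protocol, remote IP, remote port), separates LAN from internet destinations, and summarizes the /24 networks involved. The sample input is constructed from the seven lines in the post plus one private-address line for contrast.

```python
"""Classify blocked outbound NetBIOS Name Service (UDP/137) entries from an
Outpost-style firewall log. Added example, not part of the original thread."""
import ipaddress
from collections import Counter

NBNS_PORT = 137  # NetBIOS Name Service

# Constructed sample input: the seven blocked lines quoted in the post, plus
# one LAN destination (192.168.1.20) added for contrast. Assumed column
# layout: process, direction, protocol, remote IP, remote port.
SAMPLE_LOG = """\
SYSTEM    OUT    UDP    131.253.61.86    137
SYSTEM    OUT    UDP    131.253.61.82    137
SYSTEM    OUT    UDP    131.253.61.64    137
SYSTEM    OUT    UDP    13.107.4.52    137
SYSTEM    OUT    UDP    104.27.128.190    137
SYSTEM    OUT    UDP    104.20.94.33    137
SYSTEM    OUT    UDP    74.125.24.188    137
SYSTEM    OUT    UDP    192.168.1.20    137
"""


def parse_outpost_line(line):
    """Split one log line into (process, direction, proto, ip, port).
    Returns None for lines that do not have exactly five usable columns."""
    parts = line.split()
    if len(parts) != 5:
        return None
    proc, direction, proto, ip, port = parts
    try:
        return proc, direction.upper(), proto.upper(), ipaddress.ip_address(ip), int(port)
    except ValueError:
        return None


def classify_nbns(log_text):
    """Return every outbound UDP/137 entry, tagged 'lan' when the destination
    is a private or link-local address and 'internet' otherwise."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_outpost_line(line)
        if rec is None:
            continue
        proc, direction, proto, addr, port = rec
        if direction != "OUT" or proto != "UDP" or port != NBNS_PORT:
            continue
        scope = "lan" if (addr.is_private or addr.is_link_local) else "internet"
        findings.append({"process": proc, "ip": str(addr), "scope": scope})
    return findings


def summarize(findings):
    """Count NBNS destinations by scope and list the internet /24s seen,
    which is what you would feed into an egress rule review."""
    by_scope = Counter(f["scope"] for f in findings)
    nets = sorted({
        str(ipaddress.ip_network(f["ip"] + "/24", strict=False))
        for f in findings if f["scope"] == "internet"
    })
    return {"by_scope": dict(by_scope), "internet_nets": nets}


if __name__ == "__main__":
    found = classify_nbns(SAMPLE_LOG)
    for f in found:
        print(f"{f['process']:8s} -> {f['ip']:16s} [{f['scope']}]")
    print(summarize(found))
```

The takeaway from the summary is the split, not the individual addresses: any NBNS destination tagged `internet` should be blocked by an egress rule for UDP/137-139 (and TCP/445) to non-private ranges, and once that rule is in place the remaining question is only whether something on the host keeps trying.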


Hi Stapp, Namaste & thanks for replying.

I have some more details for you that I forgot last time.

Also, when the infection first started, the display driver was reported to be corrupt, etc., and now and then Intel display components asked for some permissions to ntoskrnl, etc.; Wi-Fi stopped working and the DNS service took a large CPU percentage, with only Bitdefender installed at that time. So I went to the Wi-Fi adapter and set a manual IP and DNS; then it worked. However, it used to work without that in the past.
As Avast was taking high CPU and not detecting anything, I renamed its folder (in safe mode) in Program Files but did not uninstall it.
I also ran the aswMBR.exe Avast rootkit tool earlier, but it gave a BSOD when trying to read the Xbox drivers (like xinputhid.sys, shown as a virus by virustotal.com (https://www.virustotal.com/#/file/682d1f32dd1bbeb031d5129ce40d9c77d3c6cf4fb5979f1918b2482af617b5be/detection) https://www.hybrid-analysis.com/sample/682d1f32dd1bbeb031d5129ce40d9c77d3c6cf4fb5979f1918b2482af617b5be) and showed for a split second that that file was locked, so I used Ubuntu to delete all the Xbox drivers, thinking they might be infected, and used Autoruns to remove them from loading in drivers and services (deleted Xbox drivers included as a zip). It still did not run fine and gives a BSOD in the end.

So I installed Malwarebytes, but it got disabled on its own on reboots.

So I installed Emsisoft, but it did not detect anything. However, the automatic password changes stopped and Malwarebytes also works every time now; I guess it cannot handle the malware without Emsisoft's support.
Also, I have many portable apps from portableapps.com, but some of them work and others do not at all; however, they can be seen in Task Manager. For those that work, Emsisoft says it looks like malware, and only when I tell it to trust it does it run. Is this normal? The portable apps are on a drive other than the system drive.
Also, if I disable Emsisoft Anti-Malware and Malwarebytes (as I did for the Emsisoft Emergency Kit scan and the FRST scan) and then restart Emsisoft, then SERVICES.EXE wants access to Emsisoft's EXEs according to Outpost firewall, and when access is granted the Emsisoft window opens but hangs with a busy cursor, and no other program opens either. So basically every window that is already open keeps working, but as soon as you try to do something, that program hangs as well, and I have to restart. And Malwarebytes did not even start.

I have now included the Emsisoft Emergency Kit scan and FRST reports as well. Do you have a rootkit scanner that can be run from USB, like an offline scan? Also, can Emsisoft be asked to report via UAC automatically if its services have been disabled?

Please let me know what can be done next.

regards.

Addition.txt

FRST.txt

xbox deleted files.zip

scan_180804-123439.txt

scan_180804-124604.txt

scan_180804-125225.txt


You have way too many AV apps installed. Uninstall Avast, BitDefender & Malwarebytes. You are asking for trouble with all that installed.

Outpost Firewall is discontinued and no longer supported.  You should not be using it.

Neither ZIP archive contains infected files.

Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in.

Start::
    HKLM\...\Policies\Explorer: [NoThumbnailCache] 1
    HKLM\...\Policies\Explorer: [DisableThumbnailCache] 1
    HKLM\...\Policies\Explorer: [NoInstrumentation] 1
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
    GroupPolicy: Restriction ? <==== ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
    U1 aswbdisk; no ImagePath
    S3 OSFMount; \??\C:\Program Files\OSFMount\x64\OSFMount.sys [X]
    2018-08-02 16:32 - 2018-08-02 16:32 - 000000769 ___SH C:\Windows\system32\gfe5de41b52e0479f.fby
    CustomCLSID: HKU\S-1-5-21-3248752295-1430501022-1583321965-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\mac\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3248752295-1430501022-1583321965-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\mac\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3248752295-1430501022-1583321965-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\mac\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
    ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
    ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll -> No File
    ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
    ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll -> No File
    ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll -> No File
    ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll -> No File
End::


Hi Kevin,
Thanks for replying.
I have removed the other antiviruses but kept Malwarebytes, though I disabled it when running the scan. Also, I have paid for Outpost, so I have not uninstalled it, as it is still the best firewall out of the ones I have tried that is compatible with most products; plus, for at least several years it has worked without issue. I have also disabled it when running the scan.
I have attached the log as required by you, after disabling Malwarebytes and Outpost.
Please let me know what to do now.

Fixlog.txt


Just because you paid for the software does not mean you should be using it any longer. The version on your computer was released on December 1, 2015. That is an eternity in the software lifecycle, especially since it has not been updated, is not in active development, and is totally inadequate in providing protection in today's threat environment. I have paid and licensed copies of MS Office 97, 2000, XP, 2007, 2010, and 2013, and Windows 3.1, 95, 98, 98SE, ME, 2000, XP, Vista, 7, 8/8.1. Just because I paid for them is not justification to use those programs any longer. Discontinued, unsupported software does not receive patches and is a malware magnet.

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


Hi,
Sorry for replying late; actually the system stopped working at all, so I used an old image backup to restore a clean Windows 10 image on the computer, and also formatted the other drives before doing so, but as has happened in the past, this time again the infection came back.

So when it was just working fine I ran Autoruns and saved the entries, then ran it again when it got infected on its own and saved the entries again. However, it is to be mentioned here that other EXEs were not opening at all, but autoruns.exe ran fine if run without admin privileges.

If you want, I can share the Autoruns before- and after-infection files, or the whole VMware machine (several GB).

I have made a VMware machine of the infected system which behaves in the same way. Malwarebytes did not install in normal mode: access denied to EXE, MSI, etc.
So I booted into safe mode, installed Malwarebytes and ran a scan, but nothing was found. I ran the updated Emsisoft Emergency Kit, but nothing was found.

Emsisoft log attached.
FRST log attached.

Let me know how to fix this.

Regards,
sparta

Addition.txt

FRST.txt

scan_180811-230445.txt


Your logs are not showing much in the way of malware.  There are a few things that should be addressed though.

Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in.

Start::
    AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hoo~1.dll => No File
    AppInit_DLLs-x32: c:\progra~1\agnitum\outpos~1\wl_hook.dll => No File
    GroupPolicy: Restriction ? <==== ATTENTION
    BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll => No File
    BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll => No File
    FF HKU\S-1-5-21-1086499768-1002506749-3283279360-1001\...\SeaMonkey\Extensions: [[email protected]] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi => not found
    2018-08-11 10:41 - 2018-08-11 10:41 - 000001024 _____ C:\Windows\SysWOW64\%TMP%
End::
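The `=> No File`, `-> No File`, `[X]` and `no ImagePath` markers in the two fix scripts above are FRST's way of flagging a load point whose target is gone: the registry still tells Windows to inject a DLL or start a driver that no longer exists (here the leftovers of Outpost's AppInit hook, IDM's Internet Explorer helper, Avast's shell extension and an OSFMount driver). Orphaned AppInit_DLLs entries deserve particular attention because anything listed there is loaded into every process that loads user32.dll, which is why the fix removes them rather than leaving them to fail quietly. The following is an added example, not part of the thread and not FRST's own code: it pulls those orphaned entries out of FRST log text and labels what each load point does. The sample lines are constructed from the two fix scripts in this thread plus two healthy lines in the same style for contrast.

```python
"""Extract orphaned load points (registered target file missing) from FRST
log text. Added example, not part of the original thread or of FRST."""
import re

# Constructed sample: six orphaned entries taken from the fix scripts in this
# thread, plus two healthy lines (ExampleSvc, ExampleTray) that must be kept.
SAMPLE_FRST = r"""
AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hoo~1.dll => No File
AppInit_DLLs-x32: c:\progra~1\agnitum\outpos~1\wl_hook.dll => No File
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll => No File
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll -> No File
S3 OSFMount; \??\C:\Program Files\OSFMount\x64\OSFMount.sys [X]
U1 aswbdisk; no ImagePath
R2 ExampleSvc; C:\Program Files\Example\svc.exe [123456 2018-08-01] (Example Ltd)
HKLM\...\Run: [ExampleTray] => C:\Program Files\Example\tray.exe [123456 2018-08-01] (Example Ltd)
"""

# The three ways FRST says "the registered target does not exist".
MISSING_RE = re.compile(
    r"\s(?:=>|->)\s*(?:No File|not found)\s*$"   # "=> No File", "-> No File", "=> not found"
    r"|\s\[X\]\s*$"                               # service/driver whose binary is missing
    r"|(?<=;)\s*no ImagePath\s*$"                 # service with no binary path at all
)
SERVICE_RE = re.compile(r"^([RSU]\d)\s+([^;]+);\s*(.*)$")  # "S3 OSFMount; <path>"
WINPATH_RE = re.compile(r"([A-Za-z]:\\.*)$")                # first drive-letter path in a segment

# What each load point means for the system (why an orphan is worth removing).
LOAD_POINT_NOTES = {
    "AppInit_DLLs": "DLL injected into every process that loads user32.dll",
    "BHO": "Internet Explorer browser helper object",
    "ContextMenuHandlers": "Explorer shell extension, loaded into explorer.exe",
    "ShellIconOverlayIdentifiers": "Explorer shell extension, loaded into explorer.exe",
    "CustomCLSID": "per-user COM server, loaded by whatever instantiates the CLSID",
    "service": "service or driver started by the Service Control Manager",
}


def _last_target(text):
    """Take the segment after the last '->' / '=>' and pull a drive-letter path out of it."""
    seg = re.split(r"\s(?:->|=>)\s", text)[-1]
    m = WINPATH_RE.search(seg)
    return m.group(1).strip() if m else None


def orphaned_load_points(frst_text):
    """Return one record per load point whose target FRST reports as missing."""
    out = []
    for raw in frst_text.splitlines():
        line = raw.strip()
        m = MISSING_RE.search(line)
        if not m:
            continue  # target present, or not a load-point line: nothing to act on
        marker = m.group(0).strip()
        body = line[:m.start()]
        svc = SERVICE_RE.match(body)
        if svc:
            state, name, rest = svc.groups()
            kind, entry = "service", f"{name} ({state})"
        else:
            key, _, rest = body.partition(": ")
            kind = re.sub(r"(-x32|\d+)$", "", key)  # ContextMenuHandlers1 -> ContextMenuHandlers
            entry = key
        out.append({
            "kind": kind,
            "entry": entry,
            "path": _last_target(rest),
            "marker": marker,
            "note": LOAD_POINT_NOTES.get(kind, "other load point"),
        })
    return out


if __name__ == "__main__":
    for rec in orphaned_load_points(SAMPLE_FRST):
        print(f"{rec['kind']:22s} {rec['entry']:20s} {rec['marker']:12s} {rec['path']}  # {rec['note']}")
```

Run against a real FRST.txt and Addition.txt pair, the output is the candidate list for a fix script; each line still needs a human decision, since an orphan can be a harmless uninstall leftover (as all of these were) or a load point whose payload has simply been moved.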


Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.
