TangoTen

CLOSED JS:Trojan.Cryxos.2619 (B)


Hi, I've double-clicked on an email attachment and it tried to open a page in my browser which said File Error in red capital letters.  I run Emsisoft and Malwarebytes Anti-Malware.  Malwarebytes came back clean, but Emsisoft returned the above trojan files hidden in the User Profile of my Mozilla Firefox browser, which is now quarantined in Emsisoft.  I use Windows 10 version 1909, Quad9 DNS.  I do not have Microsoft Office installed nor Acrobat Reader.  I use LibreOffice and all Microsoft Office documents are associated with LibreOffice. PDFs are only opened in the Chrome browser.  I have disconnected the laptop from my network and the internet.  Since then Emsisoft does not find anything else.  I don't know what this Trojan does and am very worried it has exfiltrated my files or opened a backdoor or downloaded other nasties.  Please show me how to determine the state of my laptop and network and whether I need to change my passwords etc...


Hi Stapp, I have tried to download the Farbar Recovery Scan Tool, but I get this message:

FRST64.exe

https://download.bleepingcomputer.com/dl/f42338792d8a4d46c54f39315d69a13c/5e305b72/windows/security/security-utilities/f/farbar-recovery-scan-tool/FRST64.exe

This file is not commonly downloaded and may be dangerous.
 
It only downloads this file called "Unconfirmed 738148.crdownload", which is only 2.5 Mb and which I can't open.
 
I have also downloaded Emsisoft Emergency Kit.  I haven't returned the Trojans back from my Emsisoft Quarantine. So the Emsisoft Emergency Kit found nothing.  I've attached the scan report from Emsisoft and the download file which I can't open.  
 
Please inform me if I need to return the Trojans from Quarantine and re-scan with Emsisoft Emergency Kit, and explain to me what I am doing wrong when trying to download Farbar Recovery Scan Tool. Thank you.
 
 

scan_200128-153126.txt


Hi Stapp,

I have tried to upload the "Unconfirmed 738148.crdownload" file to you but the upload fails.  I don't know why.  Help.

All the best

38 minutes ago, TangoTen said:

This file is not commonly downloaded and may be dangerous.

@TangoTen That warning is incorrect with regards to FRST.  You can tell Chrome to keep the file.  If you are not offered that option then you need to alter the download setting for Chrome.


FRST needs to be run from an account with administrative privileges, otherwise it will not function properly.

Please run FRST from an admin account and attach the new reports to your reply.


Hi Kevin,

I have attached the new reports run from my admin account.  My printer etc... are all disconnected from the network.  So I ran FRST.exe through the WiFi to the router and nothing else connected.

FRST.txt Addition.txt


Do the following:

 

Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

 

GroupPolicy: Restriction ? <==== ATTENTION
Task: {000BC7BA-E648-4FAC-988F-0A94FED38478} - \Microsoft\Windows\Setup\EOONotify -> No File <==== ATTENTION
Task: {04D9A4B7-0510-4B2D-917B-7457E5015C56} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {1F390734-6B2B-4CDA-B31E-375FE145FFC3} - \Games\UpdateCheck_S-1-5-21-4224017519-229722566-3410020428-1004 -> No File <==== ATTENTION
Task: {231F1743-A734-4739-A954-2E31F344BC9D} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {2B70B19B-D492-475B-B616-3BB8FE69134B} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
Task: {48D99643-C319-4963-BAD7-47C0B97AA3E5} - System32\Tasks\HPPSdr Restart Diagnose => C:\Users\Bruce\AppData\Local\Temp\7zS2184\HPDiagnosticCoreUI.exe <==== ATTENTION
Task: {498C74A7-EF67-4DB9-9483-4F4CEA4E6B21} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {5B5B5B7D-D26B-49B2-8791-445D18B9A711} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {5D707D18-0930-4FDB-A7A9-49A30EA869DC} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {5FC7D977-F82D-4516-9C75-B0A14925E401} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {613B92E1-6470-4922-AC41-B5DF25743DAE} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {621D5D6A-9911-4BD8-B032-4EA67D8D0BD1} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {7235214D-F3EF-4181-8D95-FF214E83EAD5} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {76C0CBAF-011E-4FB8-8B48-25EBE25657AD} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {7DA54035-3293-4E7F-9D27-C5A5E5EA5244} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {7E8FBE30-E0BD-40F9-B4DA-5AC5F621B8DE} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {96C84661-83E8-4DC6-BD68-74258DB09B6C} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {AB94CF6F-677F-4E22-8C30-7F91F4C731D2} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {B978DD93-83C5-4959-8AC7-1C0794AB07A0} - \ConfigFree Startup Programs -> No File <==== ATTENTION
Task: {C72CD31F-498E-4D60-8871-45FC23EAB102} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
Task: {D5CCF18A-ED75-4C9F-832D-B756C412FF0E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
URLSearchHook: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 -> DefaultScope {623DDCA9-52C8-4518-A331-434895817817} URL =
SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 -> {42E2D4FE-AA33-4C6A-9F56-CF8A0EA049FA} URL =
SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 -> {623DDCA9-52C8-4518-A331-434895817817} URL =
SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1003 -> {623DDCA9-52C8-4518-A331-434895817817} URL =
BHO: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> No File
BHO-x32: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} =>  -> No File
ContextMenuHandlers1_S-1-5-21-4224017519-229722566-3410020428-1001: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ContextMenuHandlers4_S-1-5-21-4224017519-229722566-3410020428-1001: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ContextMenuHandlers5_S-1-5-21-4224017519-229722566-3410020428-1001: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ContextMenuHandlers1_S-1-5-21-4224017519-229722566-3410020428-1003: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ContextMenuHandlers4_S-1-5-21-4224017519-229722566-3410020428-1003: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ContextMenuHandlers5_S-1-5-21-4224017519-229722566-3410020428-1003: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File

 

Close Notepad.

 

NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.

 

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

 

IMPORTANT: Save all of your work, as the next step may reboot your computer.

 

Run FRST and press the Fix button just once and wait.

 

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

 

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

 

NOTE: If the tool warns you about an outdated version please download and run the updated version.

 

Clear Firefox's browser cache.

 

Also, let me know how the machine is running now, and what remaining issues you've noticed.

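Every line in the fixlist above is an FRST report entry, and the reason most of them are safe to remove is visible in the line itself: the registered task, BHO, CLSID or shell extension points at a file that no longer exists ("No File"), so the entry is an orphan rather than an active component. The following script is an added example, not code from this thread or from the FRST authors; it parses entries in that format, flags orphaned entries, an empty search scope, a policy restriction, and the one task that still launches an executable from a Temp folder (which merits a look rather than automatic deletion). The sample input is a constructed subset of the fixlist posted above, and the classification rules are my own heuristics, not anything FRST itself applies.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

ATTENTION_MARK = "<==== ATTENTION"

# Drive-letter path up to the next whitespace, e.g. C:\Users\Bruce\...\psuser_64.dll
PATH_RE = re.compile(r"[A-Za-z]:\\\S+")

# Constructed sample: a subset of the FRST fixlist entries posted in this thread.
SAMPLE_ENTRIES = r"""
GroupPolicy: Restriction ? <==== ATTENTION
Task: {000BC7BA-E648-4FAC-988F-0A94FED38478} - \Microsoft\Windows\Setup\EOONotify -> No File <==== ATTENTION
Task: {48D99643-C319-4963-BAD7-47C0B97AA3E5} - System32\Tasks\HPPSdr Restart Diagnose => C:\Users\Bruce\AppData\Local\Temp\7zS2184\HPDiagnosticCoreUI.exe <==== ATTENTION
BHO: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 -> DefaultScope {623DDCA9-52C8-4518-A331-434895817817} URL =
"""


@dataclass
class Entry:
    kind: str              # FRST section tag before the first colon, e.g. "Task"
    body: str              # rest of the line with the ATTENTION marker stripped
    attention: bool        # FRST itself flagged the line with <==== ATTENTION
    orphaned: bool         # registered target no longer exists ("No File")
    target: Optional[str]  # drive-letter file path the entry points at, if any


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one FRST report line; returns None for blank or non-entry lines."""
    line = line.strip()
    if not line or ":" not in line:
        return None
    attention = ATTENTION_MARK in line
    body = line.replace(ATTENTION_MARK, "").strip()
    kind, rest = body.split(":", 1)      # only the first colon; "C:\" comes later
    rest = rest.strip()
    match = PATH_RE.search(rest)
    return Entry(
        kind=kind.strip(),
        body=rest,
        attention=attention,
        orphaned=rest.endswith("No File"),
        target=match.group(0) if match else None,
    )


def classify(entry: Entry) -> str:
    """Heuristic triage category (my own rules, not FRST's)."""
    if entry.kind == "GroupPolicy":
        return "policy-restriction"      # restriction not present on a default install
    if entry.orphaned:
        return "orphaned"                # target file is gone: safe cleanup
    if entry.body.endswith("URL ="):
        return "empty-search-scope"      # search scope with no URL: leftover config
    if entry.target and "\\Temp\\" in entry.target:
        return "review-temp-path"        # still-live task launching from a Temp folder
    return "other"


def summarize(text: str) -> Counter:
    """Count entries per triage category over a block of FRST lines."""
    counts: Counter = Counter()
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            counts[classify(entry)] += 1
    return counts


def missing_files(text: str) -> List[str]:
    """Sorted basenames of files that orphaned entries still reference."""
    names = set()
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None and entry.orphaned and entry.target:
            names.add(entry.target.rsplit("\\", 1)[-1])
    return sorted(names)


if __name__ == "__main__":
    for line in SAMPLE_ENTRIES.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            print(f"{classify(entry):20} {entry.kind:28} {entry.target or '-'}")
    print(dict(summarize(SAMPLE_ENTRIES)))
    print("missing files referenced:", missing_files(SAMPLE_ENTRIES))
```

Run against the full FRST.txt and Addition.txt rather than the sample, the same parser gives a quick picture of how much of a "lots of orphaned stuff" log is dead registry wiring versus entries that still resolve to a file on disk; only the latter group needs a hash check or a look at the binary before deciding what to do with it.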

Hi Kevin,

I have attached the fixlog.txt file below.

I haven't really used my laptop for anything over the last couple of days.  I've only switched it on to carry out the tasks you have asked me to carry out, so I haven't really noticed anything.  I'll switch it on tomorrow and see if I notice anything else and then I'll report back later in the day tomorrow.

What I am most worried about is whether anything was exfiltrated, or whether a backdoor was setup, and especially if you think I need to change all my passwords.  Please inform me, all the best.

Fixlog.txt


The file is most likely a JavaScript file that was downloaded to the browser cache when Firefox loaded it and tried to run it, probably an attempt to compromise your system when you opened the email attachment.  I didn't see any malware in the FRST logs, but there was a lot of orphaned stuff and policy restrictions that are not set by default, which is what I had FRST fix.

Quote

 

Hi Kevin,
 
Thank you for your support.  I have cleared the cache in Firefox for both the administrator user and the restricted user.    I have also used my laptop today and I am not aware of anything strange going on.
 
However, I have tried to delete the trojans which are stored in Emsisoft's Quarantine, but the DELETE and RESTORE buttons are greyed out and I can't find a way to get them to become responsive.  I have also looked at trying out the Network lockdown switch, but again if I hover over the OFF switch the cursor doesn't change shape into a hand and it won't switch on by clicking on it.  In fact apart from the SCAN facility virtually every button/switch on the Emsisoft Dashboard whether ON or OFF or Greyed out won't work.  Is this to prevent customers tampering with the selections or is there a problem?
 
Kind Regards
 
Ian

 

Ian,

Please do not respond to the email notification, as it is not connected with our forum software and we normally will not see your reply.  Emsisoft is most likely locked down with a password and has restrictions preventing someone without permissions from altering settings and deleting stuff that they are not allowed to delete.  Unless you know the admin password to EAM or are running it from an admin account, you will not have access to those options.


You are welcome.

 

Happy to be of assistance.  Is there anything else I can help you with?


Thread Closed

 

Reason: Resolved

 

PM either Kevin, or Arthur to have this thread reopened.

 

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system, other than the one they were written for, could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

 

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.

This topic is now closed to further replies.