Wraith

Level 13
Verified
Malware Tester
I am normally a very careful user and don't download unknown things from the Internet. This morning when I started up my PC, it booted straight into minimal SAFE MODE and after a few moments restarted automatically in NORMAL MODE. Everything seemed to be fine except for the fact that ESET INTERNET SECURITY refused to start. I had to uninstall using the ESET Removal Tool and then install ESET IS again. I made sure to update it and run a full scan and it found this threat and deleted it.(LINK BELOW). I ran Norton Power Eraser and it detected a change in Powershell policy. I fixed that. Malwarebytes detected disabled security center and a fake trojan. I removed the trojan. But even after all this I still feel that my PC is not fully clean since Farbar found two disabled limited user accounts with funny names. I don't know how the malware got there but I will be extremely grateful if someone could help me out with this.

Here is the VT link for the malwares which infected my PC
VirusTotal
 

Attachments

  • FRST.txt (152.3 KB)
  • Addition.txt (18.8 KB)
  • MBAM.txt (1.4 KB)
  • NPE.JPG (41.1 KB)

Wraith

Level 13
Verified
Malware Tester
It resembles the coin miner that uses the scheduled task. Do you have the task named StartupCheckLibrary in the Application Experience section?
You are spot on. As far as I remember, a scheduled task was created, and maybe that's the reason why the PC rebooted in safe mode: to delete some ESET files, and then the PC rebooted in Normal mode. Maybe if I had OSArmor and WinPatrol, I would have been notified.
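As an added example (not from the thread, and not part of ESET, FRST or any other tool named here), a PowerShell triage script that checks the two things discussed above: the StartupCheckLibrary task under Application Experience, and local accounts that nobody remembers creating. It assumes Windows 10/11 with PowerShell 5.1 or later and an elevated prompt; the evidence folder name and the "review" heuristic are my assumptions. It only lists and exports, so it is safe to run before any fix.

```powershell
# Added triage script (not from the thread). Assumes Windows 10/11, PowerShell 5.1+,
# run from an elevated prompt. It lists and exports only; it deletes nothing.
$SuspectTask = 'StartupCheckLibrary'                          # task name asked about above
$TaskFolder  = '\Microsoft\Windows\Application Experience\'
$Evidence    = Join-Path $env:USERPROFILE 'Desktop\triage'    # assumed output folder
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

Write-Host "== Scheduled tasks in $TaskFolder =="
foreach ($t in Get-ScheduledTask -TaskPath $TaskFolder -ErrorAction SilentlyContinue) {
    # Show what each task actually runs; a dropper usually points at an odd path or a script
    $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
    $mark = if ($t.TaskName -eq $SuspectTask) { '<== name from thread' } else { '' }
    '{0,-30} {1,-9} {2} {3}' -f $t.TaskName, $t.State, $actions, $mark
    if ($t.TaskName -eq $SuspectTask) {
        # Keep the task definition as evidence before a cleanup tool removes it
        Export-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath |
            Set-Content -Path (Join-Path $Evidence "$($t.TaskName).xml")
    }
}

Write-Host "`n== Local accounts (built-in RIDs 500/501/503/504 are expected) =="
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
foreach ($u in Get-LocalUser) {
    $builtIn = $u.SID.Value -match '-(500|501|503|504)$'   # Administrator, Guest, DefaultAccount, WDAGUtilityAccount
    $isAdmin = $admins -contains "$env:COMPUTERNAME\$($u.Name)"
    # Heuristic: a non-built-in account that is disabled and has never logged on is what the
    # "disabled limited user accounts with funny names" in the FRST log look like
    $note = if (-not $builtIn -and -not $u.Enabled -and -not $u.LastLogon) { '<== review' } else { '' }
    '{0,-22} enabled={1,-5} admin={2,-5} lastLogon={3} {4}' -f $u.Name, $u.Enabled, $isAdmin, $u.LastLogon, $note
}

Write-Host "`n== Defender policy key (the one FRST marks ATTENTION when a restriction is set) =="
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue |
    Format-List *
```

Compare the exported task XML and the flagged accounts against what the Fixlog later reports removed, so you know the fix covered everything the scan found.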
 

Wraith

Level 13
Verified
Malware Tester
Hey! User account creation is something deep-driven, and a scheduled task may be a rootkit, I guess.
Automatic reboot / safe mode is a definite rootkit signal, since it is driver-driven and a scheduled task.
Try the free rootkit scanners from Avast and NPE, both in normal and safe mode.

Most AVs out there are useless against rootkits, since they hide and replicate via .sys (driver) files.
I already ran a scan with Norton Power Eraser. I also ran a scan with Malwarebytes with detection of rootkits enabled. ESET does have a module called Anti-Stealth that is supposed to protect from rootkits, but I don't know how effective it is.
 

Wraith

Level 13
Verified
Malware Tester
I only see this in your logs. Wait for the specialist's answer. Regards.

Code:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
U2 diagtrack; no ImagePath
U2 dusmsvc; no ImagePath
ContextMenuHandlers4: [Offline Files] -> {474C98EE-CF3D-41f5-80E3-4AAB0AB04301} =>  -> No File
ContextMenuHandlers6: [Offline Files] -> {474C98EE-CF3D-41f5-80E3-4AAB0AB04301} =>  -> No File

:unsure:
I'm sorry but I don't understand these logs. Do the above entries show any sign that the PC is still infected?
 

TwinHeadedEagle

Level 41
Verified
Yes, those users are really suspicious. See if you can delete them.


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of the Windows Security Warning - Open File.)
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
  • When it finishes, FRST will generate a log on the Desktop called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt (840 bytes)