No Reply PC Infected with Persistent Malware Downloading Files Hourly

The author of this help request did not reply to the thread in at least 5 days. Therefore, we are going to assume that he does no longer need our help, and close this support request.
If you are the author and still need help, please send a Private Message to any staff member within the next five days. Be sure to include a link to your thread in your private message.
Status
Not open for further replies.

tanner_doriano

New Member
Thread author
Apr 8, 2024
2
Hello Malware Tips Community,

I'm in a bit of a bind and desperately need your expertise. Yesterday, around 6:30-7:00 PM (GMT +8), I mistakenly executed a file I downloaded from the Internet. Only after running it did I realize its malicious intent, evident from a suspicious pre-build event in the code. Here is the code in question:

Since then, my PC has been automatically downloading a .7z file to the "AppData/Local/Temp" folder every hour on the hour. This archive contains "aitstatic.exe", "ComSvcConfig.exe", and "MicrosoftCertificateServices.exe." Additionally, every time I start my computer, 2-3 command prompt windows briefly appear, and files named "Service.exe", "b.bat", and "b.vbs" are created in various public user folders (e.g., Public Downloads, Public Documents).

I've attempted to clean this infection with both Malwarebytes and Avast, but to no avail. The threat names reported by Avast vary, including IDP.HELU.SHADOW18, Script:SNH-gen [Trj], Win64:Malware-gen, and Win32:InjectorX-gen [Trj].

I am at my wit's end and worry about the safety of my personal data and the integrity of my system. Could anyone provide guidance on how to thoroughly remove this persistent malware? Any assistance or advice on tools and procedures to follow would be immensely appreciated.

Thank you in advance for your time and help.
 

icotonev

Moderator
Verified
Staff Member
Mar 9, 2017
532
Hello..! Welcome to MalwareTips..! :)

My name is icotonev and I'm here to help you remove malware ..! Before we begin, please note the following:
  • First, please keep in mind most of us at MalwareTips volunteer our assistance for your benefit in your time of need. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.
  • It is important to not run any tools or take any steps other than those I will provide for you. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.
  • Cracked or pirated programs are not only illegal, but also can make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, there is no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.
  • Please perform all steps in the order they are listed. If things are not clear or you experience problems be sure to stop and let me know.
  • Please attach all logs into your post unless otherwise requested.
  • When your computer is clean I will let you know, provide instructions to remove tools and reports, and offer you information about how you can combat future infections.
  • If you do not reply to your topic after 5 days I will assume it has been abandoned and I will close it.

Please follow the following instruction ..:

Download Farbar Recovery Scan Tool and save it to your desktop. --> IMPORTANT

If your antivirus software detects the tool as malicious, it’s safe to allow FRST to run. It is a false-positive detection.
If English is not your primary language, right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.
---------------------------------------------------

In your next reply, please include:
  • FRST.txt
  • Addition.txt
 

icotonev

Moderator
Verified
Staff Member
Mar 9, 2017
532
I have attached both the "FRST.txt" and "Addition.txt" logs from the Farbar Recovery Scan Tool as you instructed. Both logs are now ready for your review.


Thank you..! :)
Looking over your logs now, depending on how much I need to research, this may (or may not) take me some time.

During this time, I recommend..:

Please uninstall:

Code:
McAfee Security Scan Plus
WebAdvisor by McAfee

I do not advise you to use the 'on board' uninstaller that comes with Windows, since it has a tendency to leave a lot of orphans behind, that can cause problems.
Better to use the following tool, created by McAfee themselves, which does a much better job.



Clean the Windows Defender Quarantine folder...How to: Delete/Restore quarantined files:

 

icotonev

Moderator
Verified
Staff Member
Mar 9, 2017
532
Is this Proxy familiar to you..?

Code:
ProxyServer: [S-1-5-21-1892575819-2086180298-88142306-1014] => http=127.0.0.1:8365;https=127.0.0.1:8365

...also :

Uninstalling Adobe Flash Player:

Note:
Adobe Flash Player is no longer supported and is a security risk.
  • Download Adobe Flash Player Uninstaller and save it to your Desktop
  • Right click on the icon and select Run as administrator
  • Click Uninstall then Done to reboot your computer
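Added example, not from the thread or from FRST's own tooling: a small Python triage over FRST-style log lines that flags the three symptoms described in this thread, a proxy pointing at loopback like the ProxyServer entry above, files with the reported dropper names sitting in Public or Temp folders, and .7z archives in Temp created on the hour. The log lines are constructed in FRST's layout; a loopback proxy is only a lead to verify against installed software (web-filtering components of some security products also set one), not proof of infection by itself.

```python
import re
from ipaddress import ip_address
from pathlib import PureWindowsPath

# Names reported in the thread; matched on name AND location, never name alone.
REPORTED = {"service.exe", "b.bat", "b.vbs", "aitstatic.exe",
            "comsvcconfig.exe", "microsoftcertificateservices.exe"}
PROXY_RE = re.compile(r"^ProxyServer: \[(S-[\d-]+)\] => (.+)$")
# FRST file line: created - modified - size attrs path
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:(\d{2})) - \S+ \S+ - \d+ \S+ (.+)$")
# Constructed sample in FRST's layout (not the poster's actual logs).
SAMPLE_LOG = r"""
ProxyServer: [S-1-5-21-1892575819-2086180298-88142306-1014] => http=127.0.0.1:8365;https=127.0.0.1:8365
2024-04-08 07:00 - 2024-04-08 07:00 - 000000345 _____ C:\Users\Public\Downloads\b.bat
2024-04-08 07:00 - 2024-04-08 07:00 - 000812544 _____ C:\Users\Public\Documents\Service.exe
2024-04-08 09:00 - 2024-04-08 09:00 - 001204224 _____ C:\Users\user\AppData\Local\Temp\pkg.7z
2024-04-08 08:17 - 2024-04-08 08:17 - 000004096 _____ C:\Users\user\Documents\notes.txt
"""

def parse_proxy(line):
    # (sid, {scheme: "host:port"}) for an FRST ProxyServer line, else None.
    m = PROXY_RE.match(line)
    return (m.group(1), dict(e.split("=", 1) for e in m.group(2).split(";"))) if m else None

def proxy_is_local(proxies):
    # Loopback/private proxy: something on this machine sits in the traffic path.
    for hostport in proxies.values():
        try:
            ip = ip_address(hostport.rpartition(":")[0])
        except ValueError:  # hostname rather than an address
            continue
        if ip.is_loopback or ip.is_private:
            return True
    return False

def triage(log_text):
    # Collect findings that match the symptoms described in the thread.
    findings = []
    for line in log_text.splitlines():
        if (parsed := parse_proxy(line)) and proxy_is_local(parsed[1]):
            findings.append(f"local proxy for {parsed[0]}: {parsed[1]}")
        elif m := FILE_RE.match(line):
            created, minute, path = m.groups()
            p = PureWindowsPath(path)
            parts = {s.lower() for s in p.parts}
            if p.name.lower() in REPORTED and parts & {"public", "temp"}:
                findings.append(f"reported dropper: {path} (created {created})")
            elif "temp" in parts and p.suffix.lower() == ".7z" and minute == "00":
                findings.append(f"on-the-hour archive in Temp: {path} (created {created})")
    return findings
```

Run `triage(open("FRST.txt", encoding="utf-8").read())` against a real FRST.txt to get the same three classes of findings; anything it flags still needs to be checked against what is legitimately installed.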
 

icotonev

Moderator
Verified
Staff Member
Mar 9, 2017
532
Next ....:

Farbar Recovery Scan Tool - Fix

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.


Please download the attached file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.

  • Copy/paste the following in the Search: box
Code:
Searchall: McAfee Security Scan , McAfee , WebAdvisor

  • Click Search Files button
  • When completed click OK and a Search.txt document will open on your desktop
  • Attach the report in your reply. If the file is too large, zip and upload it here.

In your next reply, please include:
  • Fixlog.txt
  • Search report
 

Attachments

  • fixlist.txt
    16.2 KB · Views: 2

icotonev

Moderator
Verified
Staff Member
Mar 9, 2017
532
I am disappointed with the attitude..! :(

Due to lack of activity, this topic is now closed.
If you still need help, open a new topic, and wait for a new helper..!
 