Solved Trojan.MSIL.Crypt.dowu

D

decay

New Member
Thread author
May 25, 2017
4
Hello citizens =) I've launched an infected file accidentally. I was like 99% sure that it's an infected one but my hand wasn't act by my will. Fu hand :<

So. I've had already launched task manager so I almost immediately found and terminated a one suspicious process.

It was a steamerrorreporter.exe located in %AppData%\Local\Temp

Then I downloaded, installed and run Malwarebytes, started scan (rootkits including).

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/16/17
Scan Time: 4:33 AM
Log File:
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.122
Update Package Version: 1.0.1947
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Decadance\Decay

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 299038
Threats Detected: 77
Threats Quarantined: 21
Time Elapsed: 4 min, 25 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
Trojan.Agent, C:\PROGRAMDATA\WinDefender.exe, Quarantined, [24], [224889],1.0.1947

Module: 1
Trojan.Agent, C:\PROGRAMDATA\WinDefender.exe, Quarantined, [24], [224889],1.0.1947

Registry Key: 20
PUP.Optional.AuslogicsBoostSpeed, HKLM\SOFTWARE\WOW6432NODE\AUSLOGICS\BoostSpeed, No Action By User, [1697], [341837],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\CLSID\{278029E0-2347-4254-A65E-204AC55E2508}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\CLSID\{278029E0-2347-4254-A65E-204AC55E2508}\InprocServer32, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\TYPELIB\{FE9301D5-9266-4A2F-8767-85482115CAB0}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\INTERFACE\{DCC049B0-CA04-4E58-B4C8-CE62AC6F5096}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{DCC049B0-CA04-4E58-B4C8-CE62AC6F5096}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{DCC049B0-CA04-4E58-B4C8-CE62AC6F5096}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{FE9301D5-9266-4A2F-8767-85482115CAB0}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{FE9301D5-9266-4A2F-8767-85482115CAB0}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\APPID\{278029E0-2347-4254-A65E-204AC55E2508}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{278029E0-2347-4254-A65E-204AC55E2508}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{278029E0-2347-4254-A65E-204AC55E2508}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\DISKDOCTORCHECKER.DISKCHECKER, No Action By User, [1954], [380634],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE, Quarantined, [676], [249729],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE, Quarantined, [676], [249729],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCONFIG.EXE, Quarantined, [676], [249460],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{56DB5FD1-9CD7-439D-8AC9-0305D3AB4EB5}, Quarantined, [1697], [383082],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{7216871F-869E-437C-B9BF-2A13F2DCE63F}_is1, Quarantined, [1697], [341838],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AUSLOGICS\BoostSpeed, Quarantined, [1697], [383076],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCONFIG.EXE, Quarantined, [676], [249460],1.0.1947

Registry Value: 7
PUM.Optional.LowRiskFileTypes, HKU\S-1-5-21-2757016799-914875450-2991146613-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS|LOWRISKFILETYPES, Quarantined, [15326], [251589],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\DISKDOCTORCHECKER.DISKCHECKER|, No Action By User, [1954], [380634],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE|DEBUGGER, Quarantined, [676], [249729],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE|DEBUGGER, Quarantined, [676], [249729],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCONFIG.EXE|DEBUGGER, Quarantined, [676], [249460],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{56DB5FD1-9CD7-439D-8AC9-0305D3AB4EB5}|PATH, Quarantined, [1697], [383082],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCONFIG.EXE|DEBUGGER, Quarantined, [676], [249460],1.0.1947

Registry Data: 3
PUM.Optional.DisableCMDPrompt, HKU\S-1-5-21-2757016799-914875450-2991146613-1000\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM|DISABLECMD, Replaced, [16390], [293304],1.0.1947
PUM.Optional.DisableTaskMgr, HKU\S-1-5-21-2757016799-914875450-2991146613-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DISABLETASKMGR, Replaced, [16401], [293320],1.0.1947
PUM.Optional.DisableRegistryTools, HKU\S-1-5-21-2757016799-914875450-2991146613-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DISABLEREGISTRYTOOLS, No Action By User, [16393], [293310],1.0.1947

Data Stream: 0
(No malicious items detected)

Folder: 11
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\RescueHidden\BoostSpeed, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\IgnoredLists, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\RescueHidden, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Logs, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\PROGRAMDATA\Auslogics\BoostSpeed, No Action By User, [1697], [341833],1.0.1947
Trojan.StolenData, C:\USERS\DECAY\APPDATA\ROAMING\IMMINENT\LOGS, Quarantined, [1075], [250104],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\WINDOWS\SYSTEM32\TASKS\AUSLOGICS\BOOSTSPEED, Quarantined, [1697], [341836],1.0.1947

File: 34
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\IgnoredLists\SvcMgr_User.igl, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\IgnoredLists\TRE_User.igl, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Logs\BoostSpeedLogic.log, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Logs\InternetOptimizerStatistics.log, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Logs\TweakManagerStatistics.log, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003242014.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003307306.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003325217.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003332343.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003340691.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003346103.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003400159.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003415581.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003638295.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150307762.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150307843.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150307855.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150308262.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150308345.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150308358.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004218204.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004232426.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004457456.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004545084.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004610312.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004750443.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004810616.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515015129591.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\RescueHidden\BoostSpeed\170515150234855.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\StatDB.json, No Action By User, [1697], [341833],1.0.1947
Trojan.StolenData, C:\USERS\DECAY\APPDATA\ROAMING\IMMINENT\LOGS\16-05-2017, Quarantined, [1075], [250104],1.0.1947
Trojan.Agent, C:\PROGRAMDATA\WinDefender.exe, Removal Failed, [24], [224889],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, D:\SOFT\AUSLOGICSBOOSTSPEED\DISKDOCTORCHECKER.X64.DLL, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\Windows\System32\Tasks\Auslogics\BoostSpeed\Scan and Repair, Quarantined, [1697], [341836],1.0.1947

Physical Sector: 0
(No malicious items detected)


(end)

It found C:\PROGRAMDATA\WinDefender.exe that was launched, idk how I missed this one.

And we found %APPDATA%\ROAMING\IMMINENT directory =) Also I found BrTf1LX.exe in %temp%.

Also I found out that my task manager/msconfig/regedit and etc were disabled ))) Malwareytes fixed it so never mind.

What I did next: quarantined these files, did reboot, launched full scan again and... and found WinDefender.exe at the old place <: It wasn't run according to taskm but I was unable to delete it, so I decided that Malwarebytes blocked it (idk), so I went sleep.

The next day I quarantined and removed it. Then... Since I did know the exact time I started all of this I decided to find all fresh created/modified files.

So I started search via Total Commander. I found a windows task that launches WinDefender.exe, and checked when it the last time did a task.

It was 17:02, so I started another chaotic search through C:\

I found this
79b49622d342f7c859ae636bd39a021e.png

These folders looks suspicious to me because of their date, 11/05/2017. I did install Windows two days ago at 14/05, wtf!

I also did some google research and found this article TSPY_HEYE.C - Threat Encyclopedia - Trend Micro USA

Some familiar files there: BrTf1LX.exe (not .ink), Imminent\Geo.dat, Logs\...

And I did step #3 (removed msvideo thread from register.).

I tried to track its actions in VBOX environment but seems it has vbox/sandbox detection, so it does nothing <:

I'm afraid that there are some leftovers. I wait for any help. Thanks.

FRST.txt Addition.txt

malwr.com analysis report

Also I scanned with TDSSKiller and roguekiller
 
TwinHeadedEagle

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
This looks suspicious:

R2 wuauserv; C:\Windows\system32\wuaueng2.dll [2651136 2017-05-11] (Microsoft Corporation) [File not signed]

Can you scan it on VirusTotal?
 

Similar threads

R
  • Locked
Unable to remove 'search-great' browser hijacker; I feel like I tried everything - please help
Replies
3
Views
295
Windows Malware Removal Help & Support
Rman
R
hunainkonan
  • Locked
nslookup.exe high ram usage (windows 11)
Replies
4
Views
501
Windows Malware Removal Help & Support
nasdaq
nasdaq
suthey1
  • Locked
Google Chrome Extension Can't Be Removed
Replies
6
Views
725
Windows Malware Removal Help & Support
nasdaq
nasdaq

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top