parahesap, posted May 21, 2021:
A threat (MSIL/Injector.VGR) was found in a file that the DotNet application tried to access. I get this alert every 25 seconds. I scanned the system and could not find any virus. What should I do?
Marcos (Administrators), posted May 22, 2021:
Please provide logs collected with ESET Log Collector to start off.
itman, posted May 22, 2021 (edited):
Interesting posting for MSIL/Injector.VGR on the Eset Russian-language forum here: https://translate.google.com/translate?hl=en&sl=ru&u=http://forum.esetnod32.ru/forum6/topic16369/&prev=search&pto=aue . It appears a bit of manual cleaning is required for removal of it. Also, do not use the script posted in this link since it was written specifically for the OP. However, I would check the below locations for the presence of the files listed:
%SystemDrive%\USERS\xxxxx\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\MICROSOFT NET_FRAMEWORK.BAT
%SystemDrive%\USERS\xxxxx\APPDATA\ROAMING\MICROSOFT\GOOGLE\CHROMEEXTENSIONS\ADS\HONEYADS\EXUPD.EXE
Marcos (Administrators), posted May 22, 2021:
I'd also recommend running a disk scan with ESET SysRescue. Neither MICROSOFT NET_FRAMEWORK.BAT nor EXUPD.EXE were found in the logs, yet it's worth checking if they exist.
parahesap (Author), posted May 22, 2021:
As an administrator, I scanned the entire system from top to bottom. I could not find a virus. I turned off .NET Framework in the "turn Windows features on or off" menu. The problem is still the same. I am getting a "Threat Removed" warning every 25-30 seconds. It started to be annoying. When I click on the DotNet text, the My Computer menu opens.
Marcos (Administrators), posted May 22, 2021:
Please scan the disk with ESET SysRescue. It's important to scan it after booting from a 100% clean medium. You can also supply me with a Procmon boot log for perusal. Last but not least, don't forget to enable the LiveGrid Feedback system as I recommended to you.
itman, posted May 22, 2021 (edited):
Referring to the Eset Russian web site malware cleaning script used: it appears a Microsoft signature, Trojan:Win32/Bomitag.D!ml, was also used to detect and remove this malware. This would imply that Eset doesn't have a sig. for it.
itman, posted May 22, 2021:
Another interesting post here indicating this might be a Phoenix coin miner detection: https://www.reddit.com/r/minerstat/comments/n2fspg/minerstat_wont_run_without_allowing_through_a/ . Are you coin mining on this device?
parahesap (Author), posted May 22, 2021:
I am not a miner. I'm so sorry, the deep scan took a little long. The log file is attached: ScanLog_2021-05-23_01-35.txt
Marcos (Administrators), posted May 23, 2021:
Did you create a SysRescue medium and run a scan as suggested?
parahesap (Author), posted May 23, 2021:
4 hours ago, Marcos said: "Did you create a SysRescue medium and run a scan as suggested?"
I scanned deep from here: Eset SysRescue
itman, posted May 23, 2021 (edited):
13 hours ago, parahesap said: "I am not a miner."
With that confirmed, it may be that an attacker is using your device to coin mine. Referring to the Eset logs shown in the linked Eset Russian web site posting, they show that multiple coin miners had been found on the poster's device previously. You may want to start manually monitoring for unusual CPU activity on this device.
Marcos (Administrators), posted May 23, 2021:
Please provide a Procmon boot log for perusal.
parahesap (Author), posted May 23, 2021 (edited):
10 minutes ago, itman said: "With that confirmed, it may be that an attacker is using your device to coin mine. Referring to the Eset logs shown in the linked Eset Russian web site posting, they show that multiple coin miners had been found on the poster's device previously. You may want to start manually monitoring for unusual CPU activity on this device."
Is the mining happening with the graphics card? If so, I can tell from the fan noise of my graphics card. My graphics card is working steadily.
parahesap (Author), posted May 23, 2021:
17 minutes ago, Marcos said: "Please provide a Procmon boot log for perusal."
Which internet address should I upload this boot log file to? mediafire or zippyshare? The file is 969 MB.
parahesap (Author), posted May 23, 2021:
The file is too big (969 MB). I uploaded it here: https://www.mediafire.com/file/453gp7c9d3dhxmg/Bootlog.pml/file
itman, posted May 23, 2021:
Are you familiar with Autoruns: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns ? If so, have you run it to determine if any suspect Win startup items exist?
parahesap (Author), posted May 23, 2021 (edited):
5 minutes ago, itman said: "Are you familiar with Autoruns: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns ? If so, have you run it to find out whether any suspicious Win startup items exist?"
I have attached the log file: MASAÜSTÜ-4TQL8LV.rar
itman, posted May 23, 2021 (edited):
16 minutes ago, parahesap said: "I have attached the log file."
Note that only Eset moderators can access forum attachments. For starters, what you are looking for are entries flagged by VirusTotal. You can ignore the 1/71 or like low detections since those are usually false positive detections.
-EDIT- Also make sure you run the right Autoruns version. For a 64-bit OS, run autoruns64.exe.
parahesap (Author), posted May 23, 2021:
22 minutes ago, itman said: "Note that only Eset moderators can access forum attachments. For starters, what you are looking for are entries flagged by VirusTotal. You can ignore the 1/71 or like low detections since those are usually false positive detections. -EDIT- Also make sure you run the right Autoruns version. For a 64-bit OS, run autoruns64.exe."
I'm not familiar with these jobs. 64-bit log here, can you check this? https://www.mediafire.com/file/nhj8nz96kqjj6xy/Logfile.rar/file
Nightowl (Most Valued Members), posted May 23, 2021 (edited):
Try to raise the settings to be more aggressive. Set your HIPS to Smart Mode, watch your network monitor for suspicious communications (from ESET), try to set the real-time detections to aggressive also, and are you scanning the computer with deep scan settings?
You can change the firewall to interactive mode, which will ask you for every connection attempt; this can sometimes help you pinpoint if it's connecting to somewhere weird, but it also might confuse you with many requests.
See maybe also Task Manager if it can show you some weird process that is utilizing much CPU/GPU usage.
Also try to enable detection of unsafe/unwanted applications if not enabled and set their settings to be aggressive.
Try some secondary scanner and see if it catches anything. Hitman Pro might be useful as it uses multiple engines for detection and doesn't have to be installed, or you can make a scan with Windows Defender, but try Hitman first.
itman, posted May 23, 2021:
28 minutes ago, parahesap said: "I'm not familiar with these jobs. 64-bit log here, can you check this? https://www.mediafire.com/file/nhj8nz96kqjj6xy/Logfile.rar/file"
This is a Process Monitor log. Autoruns saved log files use a .arn suffix.
Marcos (Administrators), posted May 23, 2021:
Please provide me with the content of the c:\users\admin\appdata\roaming\microsoft\hashcalc\md5 folder (do not delete anything yet; only rename file extensions if you want to see if the detection stops). Don't post the download link here but send it in a personal message. As for the Procmon boot log, did you stop logging after the threat was detected following the reboot? I assume you stopped logging immediately before the detection occurred.
parahesap (Author), posted May 23, 2021:
I sent the MD5 folder as a private message. I followed the steps here about Procmon: https://support.eset.com/en/kb6308-using-process-monitor-to-create-log-files
Marcos (Administrators), posted May 23, 2021:
We've nailed it down. A legit tool was backdoored and loads a malicious dll with zero detection at VT, which loads the following encrypted payload:
I expect the detection to be available momentarily via streamed/pico updates. Also please confirm that you have enabled the LiveGrid Feedback system for maximum protection.