DotNet MSIL / Injector.VGR

[parahesap 1]

A threat (MSIL / Injector.VGR) was found in a file that the DotNet application tried to access. I get this alert every 25 seconds. I scanned the system could not find any virus. What should I do?

 

[Marcos 5,074]

Please provide logs collected with ESET Log Collector to start off.

[itman 1,659]

Interesting posting for MSIL / Injector.VGR on Eset Russian language forum here: https://translate.google.com/translate?hl=en&sl=ru&u=http://forum.esetnod32.ru/forum6/topic16369/&prev=search&pto=aue .

It appears a bit of manual cleaning for removal of it is required. Also, do not use the script posted in this link since it was written specifically for the OP. However, I would check the below  locations for presence of the files listed;

%SystemDrive% \ USERS \ xxxxx \ APPDATA \ ROAMING \ MICROSOFT \ WINDOWS \ START MENU \ PROGRAMS \ STARTUP \ MICROSOFT NET_FRAMEWORK.BAT
%SystemDrive% \ USERS \ xxxxx \ APPDATA \ ROAMING \ MICROSOFT \ GOOGLE \ CHROMEEXTENSIONS \ ADS \ HONEYADS \ EXUPD.EXE

Edited May 22, 2021 by itman

[Marcos 5,074]

I'd also recommend running a disk scan with ESET SysRescue.

Neither MICROSOFT NET_FRAMEWORK.BAT nor EXUPD.EXE were found in logs, yet it's worth checking if exist.

[parahesap 1]

As an administrator, I scanned the entire system from top to bottom. I could not find a virus. I turned off .Net Framework in the open or close windows features menu. The problem is still the same. I am getting a "Threat Removed" warning in 25-30 seconds. it started to be annoying. When I click on the DotNet text, the My Computer menu opens. 

[Marcos 5,074]

Please scan the disk with ESET SysRescue. It's important to scan it after booting from a 100% clean medium.

You can also supply me with a Procmon boot log for perusal.

Last but not least, don't forget to enable the LiveGrid Feedback system  as I recommend you.

[itman 1,659]

Referring to the Eset Russian web site malware cleaning script used:

It appears a Microsoft signature, Trojan:Win32/Bomitag.D!ml, was also used to detect this malware and remove this malware. This would imply that Eset doesn't have a sig. for it.

Edited May 22, 2021 by itman

[itman 1,659]

Another interesting post here indicating this might be a Phoenix coin miner detection: https://www.reddit.com/r/minerstat/comments/n2fspg/minerstat_wont_run_without_allowing_through_a/ .

Are you coin mining on this device?

[parahesap 1]

I am not a miner. I'm so sorry the deep scan took a little long. Log file is attached.

 

ScanLog_2021-05-23_01-35.txt

[Marcos 5,074]

Did you create a SysRescue medium and ran a scan as suggested?

[parahesap 1]

4 hours ago, Marcos said:

Did you create a SysRescue medium and ran a scan as suggested?

I scanned deep from here Eset SysRescue

[itman 1,659]

13 hours ago, parahesap said:

I am not a miner.

With that confirmed, it may be that an attacker may be using your device to coin mine.

Referring to the Eset logs shown in the linked Eset Russian web site posting, they show that multiple coin miners had been found on the poster's device previously. You may want to start manually monitoring for unusual CPU activity on this device.

Edited May 23, 2021 by itman

[Marcos 5,074]

Please provide a Procmon boot log for perusal.

[parahesap 1]

10 minutes ago, itman said:

With that confirmed, it may be that an attacker may be using you device to coin mine.

Referring to the Eset logs shown in the linked Eset Russian web site posting, they show that multiple coin miners had been found on the poster's device previously. You may want to start manually monitoring for unusual CPU activity on this device.

Mining is happening with the graphics card? If so I can understand from the fan noise of my graphics card. My graphics card is working steady. 

 

Edited May 23, 2021 by parahesap

[parahesap 1]

17 minutes ago, Marcos said:

Please provide a Procmon boot log for perusal.

Which internet address should I upload this Bootlog file to? mediafire or zippyshare? That file 969 MB

[parahesap 1]

the file is too big 969 MB I upload here

https://www.mediafire.com/file/453gp7c9d3dhxmg/Bootlog.pml/file

[itman 1,659]

Are you familiar with Autoruns: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns ? If so, have you ran it to determine if any suspect Win startup items exist?

[parahesap 1]

5 dakika önce itman şunları söyledi:

Otomatik çalıştırmalar hakkında bilgi sahibi misiniz: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns ? Eğer öyleyse, şüpheli herhangi bir Win başlangıç öğesinin olup olmadığını öğrenmek için çalıştırdınız mı?

I have attached the log file.

MASAÜSTÜ-4TQL8LV.rar

Edited May 23, 2021 by parahesap

[itman 1,659]

16 minutes ago, parahesap said:

I have attached the log file.

Note that only Eset moderators can access forum attachments.

For starters, what you are looking for are entries flagged by VirusTotal. You can ignore the 1/71 or like low detections since those are usually false positive detection's.

-EDIT- Also make sure you run the right Autoruns version. For 64 bit OS, run autoruns64.exe.

Edited May 23, 2021 by itman

[parahesap 1]

22 minutes ago, itman said:

Note that only Eset moderators can access forum attachments.

For starters, what you are looking for are entries flagged by VirusTotal. You can ignore the 1/71 or like low detections since those are usually false positive detection's.

-EDIT- Also make sure you run the right Autoruns version. For 64 bit OS, run autoruns64.exe.

I'm not familiar with these jobs. 64 bit Log here you can check this?

 

https://www.mediafire.com/file/nhj8nz96kqjj6xy/Logfile.rar/file

[Nightowl 202]

Try to raise the settings to be more aggressive

Set your HIPS to Smart Mode , Watch your network monitor for suspicious communications (from ESET) , try to set the real time detections to aggressive also , and are you scanning the computer with deep scan settings?

You can change the firewall to interactive mode which will ask you for every connection attempt which can help you pinpoint sometimes if it's connecting to somewhere weird, but also might confuse you with many requests

See maybe also taskmanager if it can show you some weird process that is utilizing much CPU/GPU usage.

Also try to enable detection of unsafe/unwanted applications if not enabled and set their settings to be aggressive.

Try some secondary scanner and see if it catches anything, Hitman Pro might be useful as it uses multiple engines for detection and doesn't have to be installed , or you can make a scan with Windows Defender , but try Hitman first

Edited May 23, 2021 by Nightowl

[itman 1,659]

28 minutes ago, parahesap said:

I'm not familiar with these jobs. 64 bit Log here you can check this?

 

https://www.mediafire.com/file/nhj8nz96kqjj6xy/Logfile.rar/file

This is a Process Monitor log.

Autoruns saved log files use a .arn suffix.

[Marcos 5,074]

Please provide me with the content of the c:\users\admin\appdata\roaming\microsoft\hashcalc\md5 folder (do not delete anything yet, only rename file extensions if you want to see if the detection stops). Don't post the download link here but send it in a personal message.

As for the Procmon boot log, did you stop logging after the threat has been detected after the reboot? I assume you stopped logging immediately before the detection occurred.

[parahesap 1]

I sent the MD5 folder as a private message. 

I followed the steps here about Procmon. 

https://support.eset.com/en/kb6308-using-process-monitor-to-create-log-files

[Marcos 5,074]

We've nailed it down. A legit tool was backdoored and loads a malicious dll with zero detection at VT which loads the following encrypted payload:

I expect the detection to be available momentarily via streamed/pico updates.

Also please confirm that you have enabled the LiveGrid Feedback system for maximum protection.