
DotNet MSIL / Injector.VGR



A threat (MSIL / Injector.VGR) was found in a file that the DotNet application tried to access. I get this alert every 25 seconds. I scanned the system and could not find any virus. What should I do?

 


Interesting posting for MSIL / Injector.VGR on Eset Russian language forum here: https://translate.google.com/translate?hl=en&sl=ru&u=http://forum.esetnod32.ru/forum6/topic16369/&prev=search&pto=aue

It appears a bit of manual cleaning for removal of it is required. Also, do not use the script posted in this link since it was written specifically for the OP. However, I would check the below locations for presence of the files listed:

%SystemDrive%\USERS\xxxxx\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\MICROSOFT NET_FRAMEWORK.BAT
%SystemDrive%\USERS\xxxxx\APPDATA\ROAMING\MICROSOFT\GOOGLE\CHROMEEXTENSIONS\ADS\HONEYADS\EXUPD.EXE

Edited by itman
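The location check suggested in the post above, as an added example that is not part of the original thread: a read-only PowerShell script that looks for the two listed files under every profile in %SystemDrive%\Users. The file paths are the ones from the post; the function name `Find-ListedFiles` and the reported fields are assumptions of this example.

```powershell
# Added example: read-only check for the two files named in the post above.
# The relative paths come from the post; the reported fields are this example's choice.
$relativePaths = @(
    'APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\MICROSOFT NET_FRAMEWORK.BAT',
    'APPDATA\ROAMING\MICROSOFT\GOOGLE\CHROMEEXTENSIONS\ADS\HONEYADS\EXUPD.EXE'
)

function Find-ListedFiles {
    param([string] $UsersRoot = (Join-Path $env:SystemDrive 'Users'))

    # -Force includes hidden profile directories; unreadable ones are skipped.
    $userDirs = Get-ChildItem -LiteralPath $UsersRoot -Directory -Force -ErrorAction SilentlyContinue
    foreach ($userDir in $userDirs) {
        foreach ($rel in $relativePaths) {
            $candidate = Join-Path $userDir.FullName $rel
            $exists = Test-Path -LiteralPath $candidate -PathType Leaf -ErrorAction SilentlyContinue
            if (-not $exists) { continue }

            $item = Get-Item -LiteralPath $candidate -Force
            $hash = Get-FileHash -LiteralPath $candidate -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path     = $item.FullName
                Created  = $item.CreationTime
                Modified = $item.LastWriteTime
                Size     = $item.Length
                SHA256   = $hash.Hash   # empty if the file could not be read
            }
        }
    }
}

$found = @(Find-ListedFiles)
if ($found.Count -eq 0) {
    'None of the listed files exist under any profile.'
} else {
    # Record the details before renaming or removing anything, so a sample can be submitted.
    $found | Format-List
}
```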

  • Administrators

I'd also recommend running a disk scan with ESET SysRescue.

Neither MICROSOFT NET_FRAMEWORK.BAT nor EXUPD.EXE was found in logs, yet it's worth checking if they exist.


As an administrator, I scanned the entire system from top to bottom. I could not find a virus. I turned off .Net Framework in the open or close windows features menu. The problem is still the same. I am getting a "Threat Removed" warning in 25-30 seconds. It started to be annoying. :) When I click on the DotNet text, the My Computer menu opens.


  • Administrators

Please scan the disk with ESET SysRescue. It's important to scan it after booting from a 100% clean medium.

You can also supply me with a Procmon boot log for perusal.

Last but not least, don't forget to enable the LiveGrid Feedback system as I recommend you.


Referring to the Eset Russian web site malware cleaning script used:

[Image: Eset_script.thumb.png]

It appears a Microsoft signature, Trojan:Win32/Bomitag.D!ml, was also used to detect this malware and remove this malware. This would imply that Eset doesn't have a sig. for it.

Edited by itman

  • Administrators

Did you create a SysRescue medium and run a scan as suggested?


4 hours ago, Marcos said:

Did you create a SysRescue medium and run a scan as suggested?

I scanned deep from here Eset SysRescue

13 hours ago, parahesap said:

I am not a miner.

With that confirmed, it may be that an attacker may be using your device to coin mine.

Referring to the Eset logs shown in the linked Eset Russian web site posting, they show that multiple coin miners had been found on the poster's device previously. You may want to start manually monitoring for unusual CPU activity on this device.

Edited by itman
10 minutes ago, itman said:

With that confirmed, it may be that an attacker may be using your device to coin mine.

Referring to the Eset logs shown in the linked Eset Russian web site posting, they show that multiple coin miners had been found on the poster's device previously. You may want to start manually monitoring for unusual CPU activity on this device.

Mining is happening with the graphics card? If so I can understand from the fan noise of my graphics card. My graphics card is working steady. 

 


Edited by parahesap

17 minutes ago, Marcos said:

Please provide a Procmon boot log for perusal.

Which internet address should I upload this Bootlog file to? mediafire or zippyshare? That file is 969 MB.

5 minutes ago, itman said:

Are you familiar with Autoruns: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns ? If so, have you run it to see if there are any suspicious Win startup items?

I have attached the log file.

MASAÜSTÜ-4TQL8LV.rar

Edited by parahesap
16 minutes ago, parahesap said:

I have attached the log file.

Note that only Eset moderators can access forum attachments.

For starters, what you are looking for are entries flagged by VirusTotal. You can ignore the 1/71 or like low detections since those are usually false positive detections.

-EDIT- Also make sure you run the right Autoruns version. For 64 bit OS, run autoruns64.exe.

Edited by itman

22 minutes ago, itman said:

Note that only Eset moderators can access forum attachments.

For starters, what you are looking for are entries flagged by VirusTotal. You can ignore the 1/71 or like low detections since those are usually false positive detections.

-EDIT- Also make sure you run the right Autoruns version. For 64 bit OS, run autoruns64.exe.

I'm not familiar with these jobs. 64 bit Log here you can check this?

 

https://www.mediafire.com/file/nhj8nz96kqjj6xy/Logfile.rar/file


  • Most Valued Members

Try to raise the settings to be more aggressive.

Set your HIPS to Smart Mode, watch your network monitor for suspicious communications (from ESET), try to set the real-time detections to aggressive also, and are you scanning the computer with deep scan settings?

You can change the firewall to interactive mode, which will ask you for every connection attempt, which can help you pinpoint sometimes if it's connecting to somewhere weird, but also might confuse you with many requests.

See maybe also Task Manager if it can show you some weird process that is utilizing much CPU/GPU usage.

Also try to enable detection of unsafe/unwanted applications if not enabled and set their settings to be aggressive.

Try some secondary scanner and see if it catches anything. Hitman Pro might be useful as it uses multiple engines for detection and doesn't have to be installed, or you can make a scan with Windows Defender, but try Hitman first.

Edited by Nightowl

  • Administrators

Please provide me with the content of the c:\users\admin\appdata\roaming\microsoft\hashcalc\md5 folder (do not delete anything yet, only rename file extensions if you want to see if the detection stops). Don't post the download link here but send it in a personal message.

As for the Procmon boot log, did you stop logging after the threat has been detected after the reboot? I assume you stopped logging immediately before the detection occurred.


  • Administrators

We've nailed it down. A legit tool was backdoored and loads a malicious dll with zero detection at VT which loads the following encrypted payload:

[Image: image.png]

I expect the detection to be available momentarily via streamed/pico updates.

Also please confirm that you have enabled the LiveGrid Feedback system for maximum protection.

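The Autoruns triage described earlier in the thread (look for entries flagged by VirusTotal, treat 1/71-style hits as usually false positives), as an added example that is not part of the original thread. Because the final post reports a malicious DLL with zero detections at VT, it also lists unverified entries in user-writable paths even when their count is 0. The function name, the CSV column names, the "n|total" ratio format and the sample rows are assumptions or constructed.

```powershell
# Added example: triage an Autoruns CSV export by VirusTotal ratio and signer state.
# Column names ("Entry", "Signer", "Image Path", "VT detection") and the "n|total"
# ratio format are assumptions about the export; adjust them to match your file.

# Constructed sample rows (not taken from the thread's log).
$sample = @'
"Entry","Signer","Image Path","VT detection"
"ExampleUpdater","(Verified) Example Corp","C:\Program Files\Example\updater.exe","0|71"
"ExampleHelper","(Verified) Example Corp","C:\Program Files\Example\helper.exe","1|71"
"ExampleTool","(Not verified) Example Soft","C:\Users\example\AppData\Roaming\Example\tool.exe","0|71"
"ExampleSvc","","C:\Users\example\AppData\Roaming\Example\svc.exe","23|71"
'@

function Get-AutorunsTriage {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [int] $LowHitCeiling = 1   # hit counts at or below this are treated as low detections
    )
    foreach ($row in $Rows) {
        $hits = $null
        if ($row.'VT detection' -match '^\s*(\d+)\s*[|/]\s*(\d+)\s*$') { $hits = [int]$Matches[1] }

        $verified     = $row.Signer -like '(Verified)*'
        $userWritable = $row.'Image Path' -match '\\(AppData|ProgramData|Temp)\\'

        $verdict = if ($null -ne $hits -and $hits -gt $LowHitCeiling) {
            'Investigate: flagged by VirusTotal'
        } elseif (-not $verified -and $userWritable) {
            'Review: unverified signer in user-writable path'
        } elseif ($null -eq $hits) {
            'Review: no VirusTotal result'
        } else {
            'Low priority'
        }

        [pscustomobject]@{
            Entry   = $row.Entry
            VT      = $row.'VT detection'
            Signer  = $row.Signer
            Path    = $row.'Image Path'
            Verdict = $verdict
        }
    }
}

Get-AutorunsTriage -Rows ($sample | ConvertFrom-Csv) |
    Where-Object Verdict -ne 'Low priority' |
    Format-Table -AutoSize -Wrap
# For a real export: Get-AutorunsTriage -Rows (Import-Csv -LiteralPath .\autoruns.csv)
```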

This topic is now closed to further replies.