Ond, posted March 24: Hello, it started when I downloaded an executable file from the internet which, when opened, just popped up for a few seconds and then nothing further happened. The problem occurred after a while, when my processor started running at 100%. But every time I turn on the Task Manager the processor suddenly starts running completely normally. I think the virus hides every time I turn on Task Manager, so I can't even find out what it's running in the background. I also noticed that it creates random files and folders, even in the registry. When I looked in the Windows Defender history, I tried to delete those files, but every time I delete them they are created again. One more thing I noticed: the virus creates exclusions for its files in Windows Defender. I am able to provide more information, but I really don't know where to start; it's really overwhelming. Thank you for any future help.
Marcos (Administrator), posted March 25: For a start please provide logs collected with ESET Log Collector.
Ond (author), posted March 25: Okay, everything was successful, but when I want to upload the file it says it's too big.
Marcos (Administrator), posted March 25: The archive probably exceeds 100 MB. Please upload it to a file sharing service and drop me a message with a download link.
Ond (author), posted March 25: Here's the link: https://wormhole.app/eQzXY#nyCq850bGvDqb_TvULT4Yw
Marcos (Administrator), posted March 25: Please install ESET and activate a trial version if you don't have a license. Run a full disk scan, which should detect and remove the Win64/Agent.BWG.gen trojan.
itman, posted March 25 (edited March 25 by itman), quoting Ond (13 hours ago): "And one more thing I noticed that the virus creates exclusions for its files in Windows Defender." This is notable, since malware has been doing this for some time. It appears Microsoft is powerless to fix it.
Ond (author), posted March 25: I am currently scanning my computer with ESET. Several threats have already been found, but every time, after a few minutes, this threat appears again and again. It's hiding in the Google Chrome folder under the name "updater.exe". Each time it re-creates itself.
Marcos (Administrator), posted March 25: Please provide fresh ELC logs.
Ond (author), posted March 25, quoting Marcos (2 minutes ago): "Please provide fresh ESET Log Collector logs." Can I do it while scanning?
Ond (author), posted March 25, quoting Marcos (27 minutes ago): "Please provide fresh ESET Log Collector logs." Okay, here are the new logs: https://wormhole.app/KxJvO#zV8vyJmbdtVhI-Y0aDjBYA
Marcos (Administrator), posted March 25: Provide also a Procmon boot log. After enabling boot logging and restarting the machine, stop logging only after the threat has been detected and save the log unfiltered. Before you upload the log, compress it. It would also help if you generated new logs with ELC then. I suspect Virtual Desktop to be involved, since d:\programy\virtual desktop streamer\virtualdesktop.injector32.dll is injected in dialer.exe, which continually creates the detected file. While being a legit application, it's not very popular according to LiveGrid and might be vulnerable. The Procmon log should shed more light.
itman, posted March 25, quoting Marcos (2 hours ago): "I suspect Virtual Desktop to be involved since d:\programy\virtual desktop streamer\virtualdesktop.injector32.dll is injected in dialer.exe which continually creates the detected file. While being a legit application, it's not very popular according to LiveGrid and might be vulnerable." Appears to be a good assumption: https://threatinfo.net/certificates/Virtual%2BDesktop%2C%2BInc.
Ond (author), posted March 26, marked as solution, quoting Marcos (7 hours ago): "Provide also a Procmon boot log. After enabling boot logging and restarting the machine, stop logging only after the threat has been detected and save the log unfiltered. Before you upload the log, compress it. Also it would help if you generated new logs with ESET Log Collector then. I suspect Virtual Desktop to be involved since d:\programy\virtual desktop streamer\virtualdesktop.injector32.dll is injected in dialer.exe which continually creates the detected file. While being a legit application, it's not very popular according to LiveGrid and might be vulnerable. The Procmon log should shed more light." I'm afraid I can't do that anymore. After I finished scanning with ESET, I restarted my computer, and suddenly the same threat no longer showed up and the infected files were not downloaded again. The processor is also running just fine, as normal. I also looked in the Task Manager and did not see the "dialer.exe" file running in the background anymore. So I don't know if everything is fine. Is there anything else I should do? Or should I still do the Procmon boot log?
Ond (author), posted March 26: Also, one more small thing I noticed before was that the malware, or whatever it was, was downloading the infected files again and again using PowerShell.
Ond (author), posted March 26, quoting itman (11 hours ago): "This is notable since malware has been doing this for sometime. It appears Microsoft is powerless to fix it." Indeed. I completely agree. Microsoft did only detect it but didn't delete it.
Nightowl (Most Valued Member), posted March 26 (edited March 26 by Nightowl), quoting Ond (5 hours ago): "Also one more small thing i also noticed before was that the malware or whatever type of that was downloading the infected files again and again using PowerShell." Try using this to prevent the script from running until you find the source of it: https://www.thewindowsclub.com/how-to-turn-on-or-off-windows-powershell-script-execution Look in System Scheduler, and look in Startup entries; these are the most usual places where malware could keep reviving itself after being removed.
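The thread touches three places a defender would check on a box like this: the Defender exclusions the malware added for itself, scheduled tasks that re-launch PowerShell downloaders, and Run/RunOnce startup entries. The read-only triage script below is an added example, not something posted in the thread or shipped by ESET; it assumes an elevated PowerShell prompt on a Windows host where the Defender and ScheduledTasks modules are present, and the process names updater/dialer are taken from the posts above.

```powershell
# Added triage script (not from the thread). Read-only: it lists, it does not remove.
# Assumes: elevated PowerShell, Defender module (Get-MpPreference) and
# ScheduledTasks module (Get-ScheduledTask) available.

# 1. Defender exclusions. The poster saw the malware adding its own, so every
#    entry here should be one an administrator can account for.
$pref = Get-MpPreference
'--- Defender exclusions ---'
$pref.ExclusionPath      | ForEach-Object { "Path:      $_" }
$pref.ExclusionProcess   | ForEach-Object { "Process:   $_" }
$pref.ExclusionExtension | ForEach-Object { "Extension: $_" }

# 2. Scheduled tasks whose actions invoke PowerShell or reference the dropped
#    file name; the payload in the thread was re-fetched via PowerShell.
'--- Scheduled tasks worth reviewing ---'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'powershell|pwsh|-enc|downloadstring|invoke-webrequest|updater\.exe') {
            [pscustomobject]@{ Task = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
        }
    }
}

# 3. Run / RunOnce autostart entries for the machine and the current user.
'--- Run / RunOnce entries ---'
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key | ForEach-Object {
            $_.PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS' } |   # skip PSPath etc.
                ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
        }
    }
}

# 4. Running processes with the names seen in the thread, with their on-disk
#    image paths, so the real location can be confirmed before quarantining.
'--- Processes named updater.exe / dialer.exe ---'
Get-Process -Name updater, dialer -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path
```

Anything listed that you cannot tie to software you installed is what to hand to the scanner or to the forum along with the ELC and Procmon logs requested above.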