Ond, Posted March 24, 2023: Hello, it started when I downloaded an executable file from the internet which, when opened, just popped up for a few seconds, and then nothing further happened. The problem occurred after a while, when my processor started running at 100%. But every time I turn on Task Manager the processor suddenly starts running completely normally. I think the virus hides every time I turn on Task Manager, so I can't even find out what it's running in the background. And I also noticed that it creates random files and folders, even in the registry. When I looked in the Windows Defender history, I tried to delete those files, but every time I delete them they are always created again. And one more thing I noticed: the virus creates exclusions for its files in Windows Defender. I am able to provide more information, but I really don't know where to start; it's really overwhelming. Thank you for any future help.
Marcos (Administrators), Posted March 25, 2023: For a start please provide logs collected with ESET Log Collector.
Ond (Author), Posted March 25, 2023: Okay, everything was successful, but when I want to upload the file it says it's too big.
Marcos (Administrators), Posted March 25, 2023: The archive probably exceeds 100 MB. Please upload it to a file sharing service and drop me a message with a download link.
Ond (Author), Posted March 25, 2023: Here's the link: https://wormhole.app/eQzXY#nyCq850bGvDqb_TvULT4Yw
Marcos (Administrators), Posted March 25, 2023: Please install ESET and activate a trial version if you don't have a license. Run a full disk scan, which should detect and remove the Win64/Agent.BWG.gen trojan.
itman, Posted March 25, 2023 (edited): 13 hours ago, Ond said: "And one more thing I noticed that the virus creates exclusions for its files in Windows Defender." This is notable, since malware has been doing this for some time. It appears Microsoft is powerless to fix it. (Edited March 25, 2023 by itman)
Ond (Author), Posted March 25, 2023: I am currently scanning my computer with ESET. Several threats have already been found, but every time, after a few minutes, this threat appears again and again. It's hiding in the Google Chrome folder under the name "updater.exe". Each time it re-creates itself.
Marcos (Administrators), Posted March 25, 2023: Please provide fresh ELC logs.
Ond (Author), Posted March 25, 2023: 2 minutes ago, Marcos said: "Please provide fresh ESET Log Collector logs." Can I do it while scanning?
Ond (Author), Posted March 25, 2023: 27 minutes ago, Marcos said: "Please provide fresh ESET Log Collector logs." Okay, here are the new logs: https://wormhole.app/KxJvO#zV8vyJmbdtVhI-Y0aDjBYA
Marcos (Administrators), Posted March 25, 2023: Also provide a Procmon boot log. After enabling boot logging and restarting the machine, stop logging only after the threat has been detected and save the log unfiltered. Before you upload the log, compress it. It would also help if you generated new logs with ELC then. I suspect Virtual Desktop to be involved, since d:\programy\virtual desktop streamer\virtualdesktop.injector32.dll is injected in dialer.exe, which continually creates the detected file. While it is a legit application, it's not very popular according to LiveGrid and might be vulnerable. The Procmon log should shed more light.
itman, Posted March 25, 2023: 2 hours ago, Marcos said: "I suspect Virtual Desktop to be involved since d:\programy\virtual desktop streamer\virtualdesktop.injector32.dll is injected in dialer.exe which continually creates the detected file. While being a legit application, it's not very popular according to LiveGrid and might be vulnerable." Appears to be a good assumption: https://threatinfo.net/certificates/Virtual%2BDesktop%2C%2BInc.
Ond (Author, marked as Solution), Posted March 26, 2023: 7 hours ago, Marcos said: "Provide also a Procmon boot log. After enabling boot logging and restarting the machine, stop logging only after the threat has been detected and save the log unfiltered. Before you upload the log, compress it. Also it would help if you generated new logs with ESET Log Collector then. I suspect Virtual Desktop to be involved since d:\programy\virtual desktop streamer\virtualdesktop.injector32.dll is injected in dialer.exe which continually creates the detected file. While being a legit application, it's not very popular according to LiveGrid and might be vulnerable. The Procmon log should shed more light." I'm afraid I can't do that anymore. After I finished scanning with ESET, I restarted my computer, and suddenly the same threat no longer showed up and the infected files were not downloaded again. The processor is also running just fine, as normal. I also looked in Task Manager and did not see the "dialer.exe" file running in the background anymore. So I don't know if everything is fine. Is there anything else I should do? Or should I still do the Procmon boot log?
Ond (Author), Posted March 26, 2023: Also, one more small thing I noticed before was that the malware, or whatever type of thing it was, was downloading the infected files again and again using PowerShell.
Ond (Author), Posted March 26, 2023: 11 hours ago, itman said: "This is notable since malware has been doing this for sometime. It appears Microsoft is powerless to fix it." Indeed, I completely agree. Microsoft only detected it but didn't delete it.
Nightowl (Most Valued Members), Posted March 26, 2023 (edited): 5 hours ago, Ond said: "Also one more small thing i also noticed before was that the malware or whatever type of that was downloading the infected files again and again using PowerShell." Try using this to prevent the script from running until you find the source of it: https://www.thewindowsclub.com/how-to-turn-on-or-off-windows-powershell-script-execution Look in System Scheduler, and look in Startup entries; these are the most usual places where malware keeps reviving itself after being removed. (Edited March 26, 2023 by Nightowl)
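The checks suggested in this thread (Nightowl's advice to inspect scheduled tasks, startup entries and the PowerShell execution policy, and the earlier observation that the malware added its own Windows Defender exclusions) can be gathered in one read-only pass. The script below is an added example written for this thread; it is not code from the forum, from ESET, or from any poster. It assumes a Windows 10/11 machine with Microsoft Defender's PowerShell module (Get-MpPreference) available and is meant to be run from an elevated PowerShell prompt. It changes nothing; it only lists what is there so the output can be reviewed by hand or posted for help.

```powershell
# Added example for this thread (not from the forum or ESET): a read-only audit of
# the persistence and self-protection locations the thread discusses.
# Assumption: Windows 10/11 with Microsoft Defender installed; run elevated.

$report = [ordered]@{}

# 1. Defender exclusions. A legitimate machine usually has few, recognisable ones;
#    an exclusion covering a user-writable folder (browser, temp, profile paths)
#    deserves a close look, since the first post describes malware adding its own.
$mp = Get-MpPreference
$report['DefenderExclusions'] = [pscustomobject]@{
    Paths      = $mp.ExclusionPath
    Processes  = $mp.ExclusionProcess
    Extensions = $mp.ExclusionExtension
}

# 2. Enabled scheduled tasks whose executable lives outside the Windows and
#    Program Files directories. COM-handler actions have no Execute and are skipped.
$report['TasksOutsideSystemDirs'] = Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' } |
    ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $exe = ([string]$a.Execute).Trim('"')
            if ($exe -and $exe -notmatch '^(%SystemRoot%|%windir%|C:\\Windows|%ProgramFiles%|C:\\Program Files)') {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    Execute   = $exe
                    Arguments = $a.Arguments
                }
            }
        }
    }

# 3. Run / RunOnce keys for the machine and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$report['RunKeys'] = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PS* metadata properties; skip those.
            if ($p.Name -notmatch '^PS') {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# 4. Per-user and all-users Startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$report['StartupFolders'] = Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime

# 5. PowerShell execution policy per scope (Nightowl's suggestion). Microsoft
#    documents the policy as a safety feature, not a security boundary, so treat
#    a restrictive setting as a speed bump while the source is being located.
$report['ExecutionPolicy'] = Get-ExecutionPolicy -List

# 6. Running processes whose image lives inside the user profile, e.g. the
#    "updater.exe" under the Chrome folder mentioned in the thread. A per-user
#    install is not automatically bad; this is a list to review, not a verdict.
$report['ProcessesFromUserProfile'] = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like "$env:USERPROFILE\*" } |
    Select-Object Name, Id, Path

foreach ($section in $report.Keys) {
    "==== $section ===="
    $report[$section] | Format-Table -AutoSize | Out-String
}
```

Run it before and after a cleanup scan and compare the two outputs: an entry that reappears after removal (a task, a Run value, a Startup item or a Defender exclusion) points at whatever is recreating the file, which is the same information Marcos asked the Procmon boot log to capture.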