
Crypto miner and random files recreating itself


Ond
Solved by Ond


Hello, it started when I downloaded an executable file from the internet which, when opened, just popped up for a few seconds and then nothing further happened. The problem occurred after a while when my processor started running at 100%. But every time I turn on the task manager the processor suddenly starts running completely normally. I think the virus hides every time I turn on task manager so I can't even find out what it's running in the background. And I also noticed that it creates random files and folders, even in the registry. When I looked in the Windows Defender history, I tried to delete those files, but every time I delete them they are always created again. And one more thing I noticed: the virus creates exclusions for its files in Windows Defender. I am able to provide more information, but I really don't know where to start; it's really overwhelming. Thank you for any future help.


Okay, everything was successful but when I want to upload the file it says it's too big.


  • Administrators

The archive probably exceeds 100 MB. Please upload it to a file sharing service and drop me a message with a download link.


  • Administrators

Please install ESET and activate a trial version if you don't have a license. Run a full disk scan which should detect and remove Win64/Agent.BWG.gen trojan.


13 hours ago, Ond said:

And one more thing I noticed that the virus creates exclusions for its files in Windows Defender.

This is notable since malware has been doing this for some time. It appears Microsoft is powerless to fix it.

Edited by itman

I am currently scanning my computer with ESET. Several threats have already been found but every time after a few minutes this threat appears again and again. It's hiding in the Google Chrome folder under the name "updater.exe". Each time it re-creates itself.

[Attached screenshot: Snímek obrazovky (63).png]


  • Administrators

Provide also a Procmon boot log. After enabling boot logging and restarting the machine, stop logging only after the threat has been detected and save the log unfiltered. Before you upload the log, compress it.

Also it would help if you generated new logs with ELC then.

I suspect Virtual Desktop to be involved since d:\programy\virtual desktop streamer\virtualdesktop.injector32.dll is injected in dialer.exe which continually creates the detected file. While being a legit application, it's not very popular according to LiveGrid and might be vulnerable. The Procmon log should shed more light.


2 hours ago, Marcos said:

I suspect Virtual Desktop to be involved since d:\programy\virtual desktop streamer\virtualdesktop.injector32.dll is injected in dialer.exe which continually creates the detected file. While being a legit application, it's not very popular according to LiveGrid and might be vulnerable.

Appears to be a good assumption: https://threatinfo.net/certificates/Virtual%2BDesktop%2C%2BInc.


  • Solution
7 hours ago, Marcos said:

Provide also a Procmon boot log. After enabling boot logging and restarting the machine, stop logging only after the threat has been detected and save the log unfiltered. Before you upload the log, compress it.

Also it would help if you generated new logs with ESET Log Collector then.

I suspect Virtual Desktop to be involved since d:\programy\virtual desktop streamer\virtualdesktop.injector32.dll is injected in dialer.exe which continually creates the detected file. While being a legit application, it's not very popular according to LiveGrid and might be vulnerable. The Procmon log should shed more light.

I'm afraid I can't do that anymore. After I finished scanning with ESET, I restarted my computer and suddenly the same threat no longer showed up and the infected files were not downloaded again. The processor is also running just fine as normal. I also looked in the task manager and did not see the "dialer.exe" file running in the background anymore. So I don't know if everything is fine. Is there anything else I should do? Or should I still do the Procmon boot log?


Also, one more small thing I also noticed before was that the malware, or whatever type of thing that was, was downloading the infected files again and again using PowerShell.


11 hours ago, itman said:

This is notable since malware has been doing this for some time. It appears Microsoft is powerless to fix it.

Indeed. I completely agree. Microsoft did only detect it but didn't delete it.


  • Most Valued Members
5 hours ago, Ond said:

Also, one more small thing I also noticed before was that the malware, or whatever type of thing that was, was downloading the infected files again and again using PowerShell.

Try using this to prevent the script from running till you find the source of it:

https://www.thewindowsclub.com/how-to-turn-on-or-off-windows-powershell-script-execution

Look in System Scheduler, and look in Startup entries; these are the most usual places where a malware could keep reviving itself after being removed.

Edited by Nightowl
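The places this thread keeps coming back to (Defender exclusions the malware added, scheduled tasks and Run keys as revival points, an updater.exe under the Chrome folder, dialer.exe with an injected DLL, and the PowerShell execution policy) can be inventoried read-only in one pass. The script below is an added example written for this thread, not something posted by Ond, Marcos, Nightowl or ESET; it assumes an elevated PowerShell session on Windows 10/11 with the built-in Defender cmdlets, and the file and process names it looks for are taken from the thread, not from any detection signature.

```powershell
# Read-only triage of the persistence/evasion spots discussed in the thread.
# Assumptions: run as Administrator; Get-MpPreference and Get-ScheduledTask exist.
$report = [ordered]@{}

# 1. Defender exclusions: Ond saw the malware add its own. Anything here you
#    did not create yourself deserves a closer look.
$pref = Get-MpPreference
$report['DefenderExclusionPaths']      = @($pref.ExclusionPath)
$report['DefenderExclusionProcesses']  = @($pref.ExclusionProcess)
$report['DefenderExclusionExtensions'] = @($pref.ExclusionExtension)

# 2. Enabled scheduled tasks whose action runs from outside C:\Windows.
$report['TasksOutsideWindows'] = Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' } |
    ForEach-Object {
        $t = $_
        $t.Actions | Where-Object { $_.Execute } | ForEach-Object {
            [pscustomobject]@{ Task = $t.TaskPath + $t.TaskName; Execute = $_.Execute; Args = $_.Arguments }
        }
    } | Where-Object { $_.Execute -notmatch '^(%SystemRoot%|%windir%|C:\\Windows\\)' }

# 3. Run / RunOnce autostart entries in the machine and user hives.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$report['RunKeys'] = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

# 4. updater.exe under the Google/Chrome folders. Google's own updater also
#    ships a file of that name, so the Authenticode signer is what separates
#    the legitimate copy from a dropped one.
$chromeDirs = "$env:ProgramFiles\Google", "${env:ProgramFiles(x86)}\Google", "$env:LOCALAPPDATA\Google"
$report['UpdaterExe'] = foreach ($d in $chromeDirs) {
    if (Test-Path $d) {
        Get-ChildItem $d -Recurse -Filter 'updater.exe' -ErrorAction SilentlyContinue |
            Select-Object FullName, LastWriteTime,
                @{ n = 'Signer'; e = { (Get-AuthenticodeSignature $_.FullName).SignerCertificate.Subject } },
                @{ n = 'SigStatus'; e = { (Get-AuthenticodeSignature $_.FullName).Status } }
    }
}

# 5. dialer.exe is normally idle on a desktop; a running copy with its loaded
#    modules shows whether a third-party DLL (as Marcos found) is injected.
$report['DialerProcesses'] = Get-Process -Name dialer -ErrorAction SilentlyContinue |
    Select-Object Id, Path, @{ n = 'NonWindowsModules'; e = {
        ($_.Modules | Where-Object { $_.FileName -notmatch '^C:\\Windows\\' }).FileName } }

# 6. Current PowerShell execution policy per scope (Nightowl's suggestion).
$report['ExecutionPolicy'] = Get-ExecutionPolicy -List
$report | ConvertTo-Json -Depth 4
```

Everything is collected without modifying the system, so the output can be attached to a support thread alongside the Procmon and ESET Log Collector logs requested above.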
