
Spyware/Trojan infected after running this file downloaded from BitTorrent


2 replies to this topic

#1 testplayer

testplayer

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:58 AM

Posted 25 July 2016 - 07:29 PM

Hello,

 

I downloaded this file https://torrentz.eu/e33e613e5a98b2484087ead40f4c188747cdaaa0, which is huge. It looked OK, but I just couldn't find anything meaningful inside using the 7-Zip browser, which is weird. Anyway, I took the risk of running that file, and then I was infected.

 

By default, this file tried to extract the actual contents (yes, the real portable version of Acrobat DC that really works) to C:\Users\Administrator\AppData\Local\Temp\, but it also provided a prompt so I could extract the real contents to another folder, and I did that. However, after the extraction, I found that there was a "System.exe" file in %Temp% and this file was running! I was scared and realized that I was infected, so I launched Process Hacker and tried to kill this process. But once I did that, EVERY other process triggered another process, "WindowsDefender.exe", and my computer almost froze. After a while, the "System.exe" and all the ~80 "WindowsDefender.exe" processes created by other processes disappeared, but there was one "WindowsDefender.exe" left. This file was in C:\ProgramData\850395\WindowsDefender.exe. I tried to kill this process again, but again, every other process launched one instance of this "WindowsDefender.exe", and all of these disappeared after freezing for a while, but the original "WindowsDefender.exe" was still alive. I noticed there were some text files generated in C:\ProgramData\850395\, and these files contained what I had typed into Firefox's search bar and some other programs.

 

I noticed the severity of this problem, so I rebooted into another OS (I have a dual boot, Win8.1 Enterprise and Win8.1 Pro; the Enterprise one was infected), then I took ownership of C:\ProgramData\850395\ on the infected OS, deleted the WindowsDefender.exe and also cleared the %Temp% of the infected OS. Then I rebooted back into the original OS, and it looked fine, without suspicious processes. I then ran several scanning tools, including the actual Windows Defender, Spybot, TDSSKiller, and McAfee Stinger. All passed without finding any threats. However, this spyware seemed to have modified some things:

(1) The only shortcut file in C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ was modified and pointed to the deleted C:\ProgramData\850395\WindowsDefender.exe, but since I had already deleted this file before rebooting into the infected OS, this shortcut became empty, so I had to restore what I originally had.

 

(2) In Task Scheduler, C:\ProgramData\850395\WindowsDefender.exe was added as a task, and the trigger is whenever any user logs on. I have already deleted this task.

 

(3) Windows Firewall stopped working and could not be restarted. I had to give NT SERVICE\mpssvc Full Control permission on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess so that the firewall could be restarted. In Windows Firewall, I didn't find any new rules added by this spyware.

 

Now my computer looks fine. But I'm not 100% sure of that, especially since I don't know what the name of this spyware is and what else it modified in my OS. I have re-downloaded this spyware with uTorrent, extracted it with 7-Zip (although it showed a checksum error), and scanned it using several tools, but still couldn't find anything. Theoretically I could use Sandboxie to see what happens after double-clicking this Acrobat.DC.15.017.exe file, but I'm afraid I don't have that time. I only want to go back to the original state of my OS before I ran the Acrobat.DC.15.017.exe file, because I had disabled Windows System Restore.

 

Can anyone help me? Thanks a lot!


Edited by testplayer, 25 July 2016 - 09:28 PM.
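The three persistence points described in the post above (a rewritten Startup shortcut, a logon-triggered scheduled task, and a broken ACL on the firewall service's registry key) can be audited from an elevated PowerShell prompt on Windows 8.1 or later. The script below is an added example written for this page; it is not from the original thread or from any tool mentioned in it. Only the locations come from the post; the function names and the rule of flagging executables under ProgramData or Temp are this example's own assumptions.

```powershell
# Added audit script (not from the thread): checks the three persistence points
# the post describes. Run from an elevated PowerShell prompt on Windows 8.1+.
# The locations come from the post; the function names and the "flag anything
# under ProgramData or Temp" rule are assumptions made for this example.

function Test-TargetMissing([string]$Path) {
    # True when an executable referenced by a shortcut or task cannot be found.
    if ([string]::IsNullOrWhiteSpace($Path)) { return $true }
    if ($Path -notmatch '[\\/]') {
        # Bare executable name: resolved through PATH at run time.
        return ($null -eq (Get-Command $Path -ErrorAction SilentlyContinue))
    }
    return (-not (Test-Path -LiteralPath $Path))
}

function Test-UnexpectedLocation([string]$Path) {
    # Startup items and tasks rarely launch binaries from ProgramData or Temp;
    # the post's WindowsDefender.exe lived in C:\ProgramData\850395\.
    return ($Path -like "$env:ProgramData\*") -or ($Path -like "$env:TEMP\*")
}

function Get-StartupShortcutReport {
    # (1) Resolve every .lnk in the per-user and all-users Startup folders.
    $shell   = New-Object -ComObject WScript.Shell
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue |
            ForEach-Object {
                $target = $shell.CreateShortcut($_.FullName).TargetPath
                [pscustomobject]@{
                    Item       = $_.FullName
                    Target     = $target
                    Triggers   = 'Startup folder'
                    Suspicious = (Test-TargetMissing $target) -or (Test-UnexpectedLocation $target)
                }
            }
    }
}

function Get-ScheduledTaskReport {
    # (2) Report every task action whose executable is missing or lives in an
    # unexpected folder, with its trigger types (the post's task ran at every
    # user logon, which shows up here as MSFT_TaskLogonTrigger).
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip COM-handler actions
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            if ((Test-TargetMissing $exe) -or (Test-UnexpectedLocation $exe)) {
                [pscustomobject]@{
                    Item       = "$($task.TaskPath)$($task.TaskName)"
                    Target     = $exe
                    Triggers   = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', '
                    Suspicious = $true
                }
            }
        }
    }
}

function Test-FirewallServiceKeyAcl {
    # (3) The firewall service (mpssvc) needs Full Control on its SharedAccess
    # key; the post had to restore that permission by hand before the service
    # would start again.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $acl  = Get-Acl -Path $key
    $ok   = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT SERVICE\mpssvc' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full)
    }
    return [bool]$ok
}

# Run all three checks and print anything worth a second look.
$findings = @(Get-StartupShortcutReport) + @(Get-ScheduledTaskReport) |
    Where-Object { $_.Suspicious }
if ($findings) { $findings | Format-List } else { 'No suspicious Startup shortcuts or task actions found.' }
if (Test-FirewallServiceKeyAcl) {
    'NT SERVICE\mpssvc has Full Control on the SharedAccess key.'
} else {
    'WARNING: NT SERVICE\mpssvc lacks Full Control on the SharedAccess key; the firewall service may fail to start.'
}
```

The script only reports; it does not delete shortcuts, unregister tasks or change the ACL, so the findings can be compared against the FRST logs the next reply asks for before anything is removed. A Startup shortcut whose target no longer exists is exactly the state the poster found after deleting WindowsDefender.exe from the other OS.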



 


#2 buddy215

buddy215

  • BC Advisor
  • 12,902 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:11:58 AM

Posted 25 July 2016 - 08:07 PM

Welcome to BC....

 

Please disable the torrent link or delete it.

 

Suggest you start a new topic in the Malware Removal Forum by following the instructions below.

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.




#3 testplayer

testplayer
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:58 AM

Posted 25 July 2016 - 08:58 PM

The link to the new topic is http://www.bleepingcomputer.com/forums/t/621095/spywaretrojan-infected-after-running-this-file-downloaded-from-bittorrent/





