Infected, but not infected!? (Logs)



#1 NoUserName312 (Members, 11 posts)

Posted 06 March 2017 - 05:18 PM

So recently I downloaded something and Avast started going crazy telling me it's a Trojan. I ignored it since the download seemed legit.

Anyway, after running the program I got curious and scanned it with VirusTotal and got a whopping 41/59. I already looked at the behaviour on VirusTotal but couldn't find anything of interest, also looked with Autoruns and Process Hacker in safe mode, and I also ran MalwareBytes and it seemed to not detect anything. I have also removed the .exe with Avast, but I'm afraid changes have already been made to services or the registry, so did I or didn't I ** up?

Virus Total Scan

As a result of a quick analysis, boope suggested posting some logs here, so here they are.


Edited by NoUserName312, 06 March 2017 - 05:45 PM.



#2 nasdaq (Malware Response Team, 39,568 posts, Montreal, QC, Canada)

Posted 07 March 2017 - 02:10 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled
Turn System Restore On for Drives in Windows 10
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
GroupPolicy: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR Extension: (Chrome Web Store Payments) - C:\Users\Kirian\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-02-11]
CHR Extension: (Chrome Media Router) - C:\Users\Kirian\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-26]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
S4 atillk64; \??\C:\Users\Kirian\Downloads\atiflash_274\atillk64.sys [X]
S3 HWiNFO32; \??\C:\Users\Kirian\AppData\Local\Temp\HWiNFO64A.SYS [X] <==== ATTENTION
Task: {B4027C81-D2F3-47B7-BE83-1E70CC4B2C59} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2016-12-06] ()
C:\Windows\AutoKMS

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

#3 NoUserName312 (Topic Starter, Members, 11 posts)

Posted 07 March 2017 - 03:00 PM

> Hello, Welcome to BleepingComputer.
> I'm nasdaq and will be helping you.
>
> If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
>
> ...
>
> Please post the Fixlog.txt and let me know what problem persists.


I have turned on System Restore and ran the fixlist with FRST.

But before I continue I would just like to ask some things and also point out others if you wouldn't mind of course.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File 
#These lines are totally fine since OneDrive had no use to me so I decided to remove it; I would guess these are the leftovers.
GroupPolicy: Restriction <======= ATTENTION 
#Is this messing with group policy, and if so is it disabling it? I have Windows Update configs made with this, so if you could give me any info about this I would be very grateful :)
GroupPolicyScripts: Restriction <======= ATTENTION 
#Again same thing as above
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION 
#I would guess this is just removing some IE perms, which again is fine since I don't use it at all
CHR Extension: (Chrome Web Store Payments) - C:\Users\Kirian\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-02-11]
CHR Extension: (Chrome Media Router) - C:\Users\Kirian\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-26]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx 
#I am not sure what these lines do, but if I had to guess they remove reg keys? All the Chrome extensions I had were trusted: Google Docs, 2 Steam Market plugins and uBlock Origin.
S4 atillk64; \??\C:\Users\Kirian\Downloads\atiflash_274\atillk64.sys [X] 
#This line removes the GPU ROM flashing driver from ATIFlash (trusted), which for diagnosing is fine, but I guess you already know that.
S3 HWiNFO32; \??\C:\Users\Kirian\AppData\Local\Temp\HWiNFO64A.SYS [X] <==== ATTENTION 
#This also removed a monitoring driver for HWInfo64 (trusted)
Task: {B4027C81-D2F3-47B7-BE83-1E70CC4B2C59} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2016-12-06] ()
C:\Windows\AutoKMS

End

Ok, taking my comments into consideration, do you think any of the removals were related to the trojan that I posted?

The original problem was that I didn't know if I had a problem; the VirusTotal analysis and boope only gave me enough info that the trojan was made as a remote access hack, so it's kind of hard knowing if the problem was solved or not since my computer is running speedy as usual.

Anyway the log is attached below.

P.S: I had System Restore disabled because Windows seems to defrag the SSD if it's enabled, or at least that's what I read here.


Edited by NoUserName312, 07 March 2017 - 03:09 PM.


#4 nasdaq (Malware Response Team, 39,568 posts, Montreal, QC, Canada)

Posted 08 March 2017 - 08:44 AM

Your article is dated 2014...

This is a recent article
https://www.tenforums.com/backup-restore/40697-system-restore-ssd.html

Don't Waste Time Optimizing Your SSD, Windows Knows What It's Doing
https://www.howtogeek.com/256859/dont-waste-time-optimizing-your-ssd-windows-knows-what-its-doing/

If you need additional advice I suggest you ask your questions to a Technician in the Internal Hardware forum.
This is not my forte.

https://www.bleepingcomputer.com/forums/f/7/internal-hardware/

===

I did not find any malware on your logs.
To be safe you should run this scan.

Sophos Virus Removal Tool

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.
  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.
Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Windows XP:
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please post the contents of the log in your next reply and note any errors encountered.
===

#5 NoUserName312 (Topic Starter, Members, 11 posts)

Posted 08 March 2017 - 11:15 AM

> Your article is dated 2014...
>
> This is a recent article
> https://www.tenforums.com/backup-restore/40697-system-restore-ssd.html
>
> Don't Waste Time Optimizing Your SSD, Windows Knows What It's Doing
> https://www.howtogeek.com/256859/dont-waste-time-optimizing-your-ssd-windows-knows-what-its-doing/
>
> If you need additional advice I suggest you ask your questions to a Technician in the Internal Hardware forum.
> This is not my forte.
>
> https://www.bleepingcomputer.com/forums/f/7/internal-hardware/
>
> ===
>
>   • If no threats were found, please confirm that result.
> ===

Ok, starting with the scan: there isn't a single threat detected by Sophos, and using Process Monitor in a VM doesn't seem to come up with many results either, which is making me more and more suspicious that in the end the setup.exe trojan might have been a false positive? I can send the setup.exe in a .zip file if that helps identify what we should be looking for.

Anyway, about the "#comments" that I made, I noticed that you didn't say anything about them so I guess you didn't see them, so I'm going straight to what I just need to know: did the fixlist by any means modify or disable group policy?

I have some configs with Windows Update that I would like to keep if possible.

Thanks for the help.



#6 nasdaq (Malware Response Team, 39,568 posts, Montreal, QC, Canada)

Posted 08 March 2017 - 11:56 AM



> I can send the setup.exe in a .zip file if that helps identify what we should be looking for.

Let's see what you were dealing with.

Send the file to VirusTotal for a check.
Follow the instructions on the site.
https://www.virustotal.com/

---

> Did the fixlist by any means modify or disable group policy?

It means that there are restrictions on these keys.

Remove them from the list before you save the fixlist.txt file.

GroupPolicy: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION


#7 NoUserName312 (Topic Starter, Members, 11 posts)

Posted 08 March 2017 - 12:07 PM

 

> I can send the setup.exe in a .zip file if that helps identify what we should be looking for.
>
> Let's see what you were dealing with.
>
> Send the file to VirusTotal for a check.
> Follow the instructions on the site.
> https://www.virustotal.com/
>
> ---
>
> Did the fixlist by any means modify or disable group policy?
>
> It means that there are restrictions on these keys.
>
> Remove them from the list before you save the fixlist.txt file.
>
> GroupPolicy: Restriction <======= ATTENTION
> GroupPolicyScripts: Restriction <======= ATTENTION
> HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION


Here's the VirusTotal Scan.

I'm currently running Process Monitor to check any parent and child process writes on the VM I mentioned; I will post the log here afterwards too.

Quick Edit: I have found so far that the setup creates these 3 DWORDs:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

ProxyBypass
IntranetName
UNCAsIntranet

Edited by NoUserName312, 08 March 2017 - 12:23 PM.


#8 nasdaq (Malware Response Team, 39,568 posts, Montreal, QC, Canada)

Posted 08 March 2017 - 02:02 PM

Clear your Zone map. Or open Regedit and look at all the ZoneMaps and delete what you have found.

Launch Notepad, and copy/paste all the instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.

Restart the computer normally.

Let me know if the problem persists.

p.s.
Export the Zonemap registry to be safe.

#9 NoUserName312 (Topic Starter, Members, 11 posts)

Posted 08 March 2017 - 06:03 PM

> Clear your Zone map. Or open Regedit and look at all the ZoneMaps and delete what you have found.
>
> p.s.
> Export the Zonemap registry to be safe.

I've run the zone map script and finally finished the log file for Process Monitor. I'm going to leave the registry changes made by setup.exe and child processes below, since I'm unable to upload the whole file directly as it's 8GB (around 22 million events I think?). Do you think it's better to upload the full log to another website, or just split it into small 9MB parts with 7zip and post across multiple posts? I also think there's a way to save as XML so I'm able to post directly in the post text instead of a file, so what should I do?

Again thank you very much for the help.


Edited by NoUserName312, 09 March 2017 - 03:11 PM.


#10 nasdaq (Malware Response Team, 39,568 posts, Montreal, QC, Canada)

Posted 09 March 2017 - 08:34 AM

There is nothing I can do with the attached .zip file.

What are the remaining problems that you are having?

#11 NoUserName312 (Topic Starter, Members, 11 posts)

Posted 09 March 2017 - 03:10 PM

> There is nothing I can do with the attached .zip file.
>
> What are the remaining problems that you are having?

I've looked around and there doesn't seem to be any suspicious file, but you can never be too careful.

I just now remembered: do you think that Avast, besides removing the infected file, also reverts the changes made by it, whether in the registry or in files?

Anyway, I finished looking quickly at the logs and there don't seem to be any harmful changes made by setup.exe on the VM. I looked mainly at the changes made in the registry, so I could be wrong; if you could give a quick opinion it would be very much appreciated. You can view the log using Process Monitor inside the .zip attached, or you can download Process Monitor directly from Microsoft here.

Edit: What do you think about the shell command requested by the program?

((null)) C:\95bc059434d87978c2bd3c37c3f895947ed0a787baab2d24f3fe6a317471b9c8/VERYSILENT /NORESTARTAPPLICATIONS /NOFORCECLOSEAPPLICATIONS /NOCLOSEAPPLICATIONS [(null)]

Edit 2: Found another thing, a remnant of possible infection: C:\Users\Kirian\AppData\Local\Microsoft Windows\spdc32.exe.config, so I would guess it creates a spdc32.exe?

It appears to be a Skeeya.A!rfn and a Dynamer!ac according to MSE. Also attached a log of setup.exe running, but this time only .txt.

Edit 3: Uploaded V2 of the log; it should focus more on setup.exe now, but it might have left out a few changes by processes created by it, so please check this first and check V1 for the "full picture".


Edited by NoUserName312, 09 March 2017 - 07:13 PM.
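Added example (not code from the thread or from Sysinternals): Python that triages a Process Monitor CSV export the way the posts above describe, following setup.exe and its child processes and keeping only their registry and file writes. The rows are constructed to mirror the thread's findings (the ZoneMap DWORDs, spdc32.exe.config under AppData) and use ProcMon's default CSV column names; PIDs and timestamps are made up.

```python
"""Triage a Process Monitor CSV export around one installer process and
its children: rebuild the process tree from "Process Create" rows, keep the
write-type operations, and tag the paths a defender should read first."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the shape of ProcMon's default CSV export (all
# fields quoted). Paths mirror the thread's findings; PIDs are made up.
SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:00:01.0000000","explorer.exe","1200","Process Create","C:\Users\Kirian\Downloads\setup.exe","SUCCESS","PID: 4100, Command line: setup.exe"
"12:00:01.1000000","setup.exe","4100","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"12:00:01.2000000","setup.exe","4100","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"12:00:01.3000000","setup.exe","4100","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"12:00:02.0000000","setup.exe","4100","Process Create","C:\Users\Kirian\AppData\Local\Microsoft Windows\spdc32.exe","SUCCESS","PID: 4200, Command line: spdc32.exe"
"12:00:02.5000000","spdc32.exe","4200","WriteFile","C:\Users\Kirian\AppData\Local\Microsoft Windows\spdc32.exe.config","SUCCESS","Offset: 0, Length: 512"
"12:00:02.6000000","spdc32.exe","4200","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ"
"12:00:03.0000000","chrome.exe","3000","RegSetValue","HKCU\Software\Google\Chrome\LastUsed","SUCCESS","Type: REG_SZ"
"""

# Operations that change the registry or the file system. CreateFile is
# left out on purpose: ProcMon logs it for reads too, so a fuller triage
# would have to inspect "Desired Access" in the Detail column.
WRITE_OPS = {
    "RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey",
    "WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile",
    "Process Create",
}
# ZoneMap decides which hosts land in the Local Intranet zone, so an
# installer touching it (the thread's three DWORDs) deserves a look.
ZONEMAP_RE = re.compile(r"\\Internet Settings\\ZoneMap\\", re.IGNORECASE)
DROPPED_RE = re.compile(r"\\AppData\\Local\\.*\.(exe|dll|config)$", re.IGNORECASE)
CHILD_PID_RE = re.compile(r"PID:\s*(\d+)")

def load_events(csv_text):
    """Parse the CSV text into one dict per row, keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text.strip())))

def process_tree(events, root_pid):
    """root_pid plus every descendant, walked via "Process Create" rows.
    ProcMon logs that row under the parent's PID and names the child PID
    in Detail, so the optional "Parent PID" column is not needed."""
    children = defaultdict(set)
    for ev in events:
        if ev["Operation"] == "Process Create":
            m = CHILD_PID_RE.search(ev["Detail"])
            if m:
                children[ev["PID"]].add(m.group(1))
    seen, todo = set(), [str(root_pid)]
    while todo:
        pid = todo.pop()
        if pid not in seen:
            seen.add(pid)
            todo.extend(children[pid])
    return seen

def tag_path(path):
    """Labels for the paths worth reading first; empty list otherwise."""
    tags = []
    if ZONEMAP_RE.search(path):
        tags.append("zonemap")
    if DROPPED_RE.search(path):
        tags.append("dropped-in-profile")
    return tags

def triage(csv_text, root_pid):
    """Write-type events by root_pid and its children, in log order, tagged."""
    events = load_events(csv_text)
    tree = process_tree(events, root_pid)
    return [
        {"time": ev["Time of Day"], "process": ev["Process Name"], "pid": ev["PID"],
         "op": ev["Operation"], "path": ev["Path"], "tags": tag_path(ev["Path"])}
        for ev in events
        if ev["PID"] in tree and ev["Operation"] in WRITE_OPS
    ]
```

On the sample, `triage(SAMPLE_CSV, "4100")` returns five events: the three ZoneMap writes by setup.exe, the creation of spdc32.exe and its write of spdc32.exe.config, while the unrelated chrome.exe write and the read-only RegQueryValue are dropped.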


#12 nasdaq (Malware Response Team, 39,568 posts, Montreal, QC, Canada)

Posted 10 March 2017 - 09:12 AM

  • Download Zoek and save it to your Desktop
  • Right click the icon, select Run as Administrator, and wait for the Program to appear on your Desktop (may take 15 seconds or so)
  • Verify Scan All Users is selected then click Run Script
  • Type xxx3xxx in the lower box to Perform only a Deep Scan then click OK
  • Wait patiently for the program to run
  • Do not use your computer while the scan is running
  • When completed a zoek-results.txt report will appear on your desktop. Copy and paste the contents in your reply
1 - Do a Quick Scan and Automatic Cleanup.
2 - Perform only a Quick Scan.
3 - Perform only a Deep Scan.
4 - Do a Deep Scan and Automatic Cleanup.

===================================================

Run these two cleaning tools.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.


============ EXTRA CLEANING ==========


Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

===

I have no advice for you as to what else to remove from the registry.
I would leave them alone if the injector Setup.exe is removed.

You can possibly get advice from the Windows 10 experts in this forum.
https://www.bleepingcomputer.com/forums/f/229/windows-10-support/

#13 NoUserName312 (Topic Starter, Members, 11 posts)

Posted 10 March 2017 - 06:26 PM

I have made a "major" breakthrough: I managed to isolate the virus that was inside the setup.exe by using innounp, and using TextScan on the "virus".exe I also managed to find the "maker" of the virus!

I'm still not sure what product, but I bet it's the Crypto Logger one; anyway, the company is this one if you wouldn't mind taking a look.

I will also post the log of TextScan as well as the .config that was beside the virus.


Edited by NoUserName312, 10 March 2017 - 06:27 PM.


#14 nasdaq (Malware Response Team, 39,568 posts, Montreal, QC, Canada)

Posted 11 March 2017 - 07:47 AM

Good work. You did well.

Honestly I cannot offer any additional help.

#15 NoUserName312 (Topic Starter, Members, 11 posts)

Posted 11 March 2017 - 09:39 AM

> Good work. You did well.
>
> Honestly I cannot offer any additional help.

Hey, don't worry about it, you have been a great help! I think that Avast probably deleted the full threat when it deleted the setup.exe, so maybe I was just being paranoid; still, I will investigate just a little bit more and will report any findings here.

Edit: Turns out LogicNP just makes the obfuscator used by the .exe to hide the code; just ran de4dot and am looking through the MSIL of the virus as I type this.


Edited by NoUserName312, 11 March 2017 - 01:28 PM.




