1) Message boards : News : Windows malware reported
Message 114291 Posted 19 Jul 2024 by syu
Thank you @David Anderson for sharing the report. I came back to this forum because I identified a more malicious attack than the fake BOINC install, and that is the PowerShell execution (documented by Huntress) and forced proxy connection, which was not documented in the report. I found the update.js file in my Downloads folder; most likely I clicked it thinking it was a legitimate Chrome update. After deleting the BOINC files as outlined previously, the command window stopped popping up, but I still noticed substantial Internet data usage on my computer coming from my OS and some unusual browsing experiences, such as having to go through extensive human security checks via Cloudflare when accessing basic websites, or just not being able to access websites. I noticed that my Internet kept connecting to a manual proxy setup despite hundreds of attempts to turn that setting off in System Settings. I am not a computer engineer, so I thought maybe it was a default setting and didn't think much about it until yesterday, when I tried to log into my Bank of America account. My account got locked on my computer, and then I received a call from the security department at BofA saying that my computer has malware on it, so they had to reset my account and issued a new username and password which I can access via mobile banking but not my computer until the threat has been taken care of. That confirmed my proxy suspicions, and I dug in. Long story short, I downloaded GridinSoft Anti-Malware since Malwarebytes was unable to detect anything, and sure enough the malicious registry edits that override the proxy settings and a suspicious BCILauncher.exe launcher were flagged. Initially, deleting the proxy setting registry entries didn't work and they kept reappearing, so I turned off the Internet to block the connection, deleted the BCILauncher.exe registry entry first, then deleted the proxy registry entries, and they did not come back.

The persistent proxy settings haven't returned, but I'm still monitoring it. Here are the registry key paths to check for a proxy override:

BCILauncher key: Computer\HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\BCILauncher
Proxy Enable key: Computer\HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable, Value: "1" (this means the proxy is enabled)
Proxy Server key: Computer\HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer, Value: https=localhost:5311 (this sets localhost and the port number as the proxy server; the port can vary, I've seen it as a 5-digit value as well)

To identify when this program was downloaded, which helps with examining malicious files and folders that you did not install or download, open Task Scheduler on Windows and find a task that says "wfgmzebrocxts". Examine the action:

Action: Start a program
Details: conhost --headless powershell -ep bypass Azurewfgmzebrocxts

When you click Edit, you will see when the schedule was set to start; in my case it started on 5/9/24 and was set to run every 3 minutes. Delete this task after you inspect it. I easily found the update.js file in my Downloads folder, and sure enough it was downloaded on 5/9/24. If you do more digging, this is a known trojan virus. It's important to note that the BOINC files and scheduled task did not appear until around the end of June for me, so my theory is that those files were uploaded onto my computer at a later date, possibly using the proxy connection.
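A read-only triage script for the indicators described in this post, added here as an example (it is not the poster's or BOINC's code): it reads the ProxyEnable/ProxyServer and RunOnce values the post names and lists scheduled tasks whose action launches a headless PowerShell with the execution policy bypassed, reporting creation date and repeat interval so the infection can be dated. Assumptions: it runs in an elevated PowerShell on Windows 10/11 with the ScheduledTasks module, the post's HKU\DEFAULT is spelled HKEY_USERS\.DEFAULT as the registry does, and the current user's hive (HKCU) is added because per-user proxy settings live there.

```powershell
# Added example, not from the forum post or the BOINC project. Run from an
# elevated PowerShell. It only reports; nothing is deleted or changed.

# Hive named in the post (HKU\.DEFAULT) plus the current user's hive (HKCU,
# an assumption: per-user Internet Settings live there).
$hives = @('HKCU:', 'Registry::HKEY_USERS\.DEFAULT')
foreach ($hive in $hives) {
    $inet = Join-Path $hive 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    if ($p -and $p.ProxyEnable -eq 1) {
        Write-Warning "[$hive] ProxyEnable=1, ProxyServer='$($p.ProxyServer)'"
        # The post's hijack pointed the proxy at a loopback port (localhost:5311).
        if ($p.ProxyServer -match 'localhost|127\.0\.0\.1') {
            Write-Warning '  -> loopback proxy; matches the reported hijack pattern'
        }
    }
    # RunOnce entries, such as the BCILauncher value the post found.
    $runonce = Join-Path $hive 'Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $ro = Get-ItemProperty -Path $runonce -ErrorAction SilentlyContinue
    if ($ro) {
        $ro.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { Write-Warning "[$hive] RunOnce: $($_.Name) = $($_.Value)" }
    }
}

# Scheduled tasks whose action is a headless PowerShell with the execution
# policy bypassed, the shape of the post's 'wfgmzebrocxts' task. The creation
# date, repeat interval and last run time help date the infection.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'conhost.*--headless' -or
            $cmd -match 'powershell.*-e(p|xecutionpolicy)\s+bypass') {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Task     = $task.TaskPath + $task.TaskName
                Command  = $cmd
                Created  = $task.Date
                Interval = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
                LastRun  = $info.LastRunTime
            }
        }
    }
}
```

Pipe the task output to Format-List to read the full command lines; a Created date well before the BOINC folder appeared, as in the post, is the sign that the proxy stage preceded the BOINC stage.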
2) Message boards : News : Windows malware reported
Message 114241 Posted 9 Jul 2024 by syu
Correct, I did not install BOINC on my computer. Never heard about it till I had to investigate the cause of the command window popping up and closing.
3) Message boards : News : Windows malware reported
Message 114238 Posted 9 Jul 2024 by syu
Recently, my computer began experiencing disruptions characterized by a PowerShell window that intermittently popped up and closed rapidly. This was not only annoying but also interrupted my workflow by abruptly affecting active windows. Based on the help of this thread, I was able to delete the malware in this order:

1. I deleted the BOINC program in Task Manager first.
2. Proceeded to delete the task in Task Scheduler.
3. Deleted the files in the AppData/Roaming folder.

I waited 15 minutes to see if the program ran again, and I'm happy to report that it hasn't, so I think the malware has been handled. If not, I will update you here. Here is my account of the BOINC malware identification; hopefully it will help with investigating the source:

Identifying the Malware: I meticulously observed my Task Manager to identify the source during these pop-ups. I discovered that each appearance was associated with the execution of a BOINC application, which terminated just as quickly.

Evasion of Detection: To attempt a resolution, I installed and ran Malwarebytes, a reputable antivirus software, which unfortunately failed to detect any malicious activity. This suggests that the malware is capable of evading detection by standard antivirus tools.

Disguise Tactics: Further investigation revealed that the malware was disguised under innocuous file names like "Licensing Validator Updater," which camouflaged it among legitimate system processes. Given the novelty of this malware, a Google search wasn't enough to provide me with more detail. I also shared some of the file logs with ChatGPT to see if it understood what it was executing, and it was unable to detect any foul play and said something like: "Based on the content of the log you provided, it doesn't indicate that this is a virus. BOINC (Berkeley Open Infrastructure for Network Computing) is a legitimate platform that allows people to contribute their computer's unused processing power to scientific research projects. It's widely used for purposes such as disease research, climate change predictions, and astrophysics simulations."

The next question this led me to was how it even got installed on my computer. Investigating more log files in the folder, I noticed that although BOINC is a Berkeley project, it was referencing Rosetta and even had a http://rosettahome.cn/rosettahome/ URL in some of the files, which made it more suspicious. I uncovered a file named "daily_xfer_history.xml" in the malware's directory. This file recorded extensive data uploads and downloads, clearly outlining unauthorized network activity. For instance, on one day, the log showed an upload of over 1.1 million units and a download of 181,511 units. This is when I found this thread and started taking action to remove it.

Connection to JetBlue Inflight Internet: The creation date of the malware's folder coincided with the day I accessed JetBlue's free inflight Internet on 6/24/24 flying out of JFK, suggesting a potential point of infection. It was the start of my vacation, and I rarely used my computer for the week I was there. On the flight back home on JetBlue I noticed that my computer was considerably slower and attributed it to the WiFi, but it most likely could've been the malware executing tasks.

System Information: My system runs on Windows 11.
Copyright © 2025 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.