AlexSmith

Posts posted by AlexSmith

  1. Not sure if this helps at all, but I had zero issues as well on IE 11, Edge, Chrome, and Firefox.

    This sounds similar to an issue I ran across many moons ago. Run the following command from an Administrator Level Command Prompt:

    regsvr32 "C:\Program Files (x86)\Internet Explorer\ieproxy.dll"

  2. 41 minutes ago, Jurionx said:

    @AdvancedSetup The malware injects itself at 0200 hrs my time, and I had Procmon running and saved the file, however, it's 69MB in size. Here's a Drive link for you to get the file.

    https://drive.google.com/file/d/0B93uw01hFu8yUG9odWZsTTdBa3c/view?usp=sharing

    BINGO!! This is exactly what was needed. The program that is launching nslookup AND creating the registry key is what appears to be a compromised/hijacked version of Install Shield at C:\Program Files (x86)\Common Files\InstallShield\updateservice\ISUSPM.exe. That also happens to be one of your Scheduled Tasks.

    [Screenshots attached: AutoProxyURLMalware001.PNG, AutoProxyURLMalware002.PNG, AutoProxyURLMalware003.PNG]

  3. Thanks for the additional details!! I agree with you and the ISP that this issue is isolated to the laptop itself.

    31 minutes ago, SDGreen said:

    I'm not sure, sorry, as it's my mother who uses the laptop. She is usually using Skype or watching TV shows when it happens. I've told her to make sure she's able to access websites through her browser when Skype disconnects so as to make sure it's not just Skype that's DCing. The connection icon in the bottom right taskbar just turns to disconnected and even though I have "Connect automatically" ticked, I usually have to manually reconnect when this happens.

    This tells me the issue is with the wireless adapter or the driver itself disconnecting the actual wireless network connection. To attack the driver side, I would make sure you have the latest driver directly from the manufacturer of the wireless adapter OR the manufacturer of the PC if the device manufacturer doesn't provide end user driver support.

    If you have tried the latest driver and are still experiencing issues then it could be something wrong with the adapter itself or the internal antennae leads. Best way to test for an adapter problem is to try using a USB wireless adapter if you have access to one. If not, you may want to contact a computer technician or take it in to a tech shop for service.

  4. Sorry to hear about your wireless connection issues. I know how frustrating that can be as I have encountered it personally in the past. Generally speaking, there can be a metric ton of root causes for this, most of which are usually related to networking hardware, drivers, or even local interference.

    With that being said, when this issue happens what exactly happens? Does the actual Wireless Connection claim to be disconnected or does web based traffic simply time-out? Do you get any specific error messages or error codes you can share? Is the laptop that is behaving nicely in the same area of your house when this issue occurs?

  5. How to Use Sysinternals Process Monitor (ProcMon) to Capture Stuff
    Process Monitor is a very powerful tool that monitors and records file operations, registry operations, and network activity that is occurring via any currently running process or thread. This is a great expert "detective" tool in helping uncover what may be causing an application to crash, fail at performing a common operation, or uncovering malware that is doing something evil. This tool can be overwhelming and usually requires an expert to fully utilize it and interpret the results.

    The directions below will cover how to create a ProcMon log that an expert can analyze. Make sure to stage everything ahead of time for the task you need to capture/record. This will reduce the size of the log file created and improve an expert's ability to analyze the log results.

    Prepare/stage everything needed to perform the task you need to record/capture. Close out any applications that are not needed to perform this task to reduce noise in the log file.

    1. Download Sysinternals ProcMon from here: http://live.sysinternals.com/Procmon.exe
    2. Run ProcMon.exe as Administrator and select Yes at the UAC prompt
    3. ProcMon will start Capturing/Recording immediately, so perform the task(s) and/or operations(s) you need to capture/record.
    4. Once complete, go to ProcMon and stop capturing by selecting the Magnifying Glass icon or by pressing CTRL+e (or File > Capture Events).
    5. Click on the Save icon (or File > Save) and click Ok. DO NOT CHANGE ANY OF THE DEFAULT SAVE OPTIONS.
    6. Upload the .PML file created. You may need to compress it in a Zip or 7z file to save space.

    For your specific situation, you would have Regedit ready to go, then delete that AutoConfigURL entry, then refresh RegEdit until it comes back. That's the task you want to record/capture.
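The same delete-and-wait capture, scripted so the timestamps line up with the ProcMon log. This is an added example, not part of the original post; it assumes Procmon.exe was saved to the $ProcMon path, uses the ProcMon command-line switches (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate) from the Sysinternals documentation, and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): wrap "delete AutoConfigURL and watch
# it come back" in a ProcMon capture so the .pml brackets whatever recreates it.
$ProcMon = 'C:\Tools\Procmon.exe'           # assumption: where Procmon.exe was saved
$Log     = 'C:\Tools\AutoConfigURL.pml'     # backing file ProcMon will write
$Key     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Value   = 'AutoConfigURL'
$Timeout = New-TimeSpan -Minutes 10         # how long to wait for the value to return

# Start ProcMon capturing straight to the backing file, no filter prompt, minimized.
Start-Process -FilePath $ProcMon -ArgumentList '/AcceptEula','/Quiet','/Minimized',"/BackingFile `"$Log`""
Start-Sleep -Seconds 5                      # give ProcMon time to load its driver

# Delete the value and record the time; any RegSetValue on it after this is the lead.
$before = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
if ($before) {
    "$(Get-Date -Format o)  removing $Value = $($before.$Value)"
    Remove-ItemProperty -Path $Key -Name $Value
} else {
    "$(Get-Date -Format o)  $Value not present, waiting for it to appear"
}

# Poll the key until the value reappears or the timeout expires.
$deadline = (Get-Date) + $Timeout
$found = $null
while ((Get-Date) -lt $deadline) {
    $found = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    if ($found) { break }
    Start-Sleep -Seconds 2
}
if ($found) { "$(Get-Date -Format o)  $Value came back as $($found.$Value)" }
else        { "$(Get-Date -Format o)  $Value did not return within $Timeout" }

# Stop ProcMon. Open $Log in ProcMon and filter on Operation = RegSetValue and
# Path ends with AutoConfigURL; the Process Name column names the writer.
Start-Process -FilePath $ProcMon -ArgumentList '/Terminate' -Wait
```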

  6. Darn. Something is obviously bringing this back. My guess is that it's coming back via something that looks legitimate, but isn't.

    When I want to track down what's recreating an object (e.g. registry setting, a particular file, etc.), I usually use Sysinternals ProcMon to record/capture me deleting it and it getting recreated. Then sifting through that log will help me find out what process re-created that object.

    If you want to take a stab at that, please do. If you need a second set of eyes on your ProcMon log, upload it.

  7. @Jurionx, can you perform the following?

    Creating a Sysinternals AutoRuns Data File (.ARN)
    Sysinternals AutoRuns is an advanced tool for managing startup items as well as manual malware/hijack identification and remediation. Think of it as MSConfig and certain parts of Task Manager on steroids. To get the most out of this tool, the current state of your PC needs to be exported then analyzed by a professional. The steps below will walk you through this process.

    1. Download Sysinternals AutoRuns from here: https://live.sysinternals.com/autoruns.exe
    2. Right click AutoRuns.exe and select "Run as Administrator". Click Yes at the UAC prompt.
    3. Allow Sysinternals AutoRuns to scan the system then click the Save icon in the toolbar (or go to File > Save or click Ctrl+s).
    4. Save the current scan as an ARN file (default setting)
    5. Post the ARN as an attachment on a follow up post.
  8. We will have to discuss this one. I like the idea of ctrl+z providing the same functionality as clicking that link, but that might not be the default or intended behavior. It makes technical sense why it works the way it does currently because fundamentally speaking, Undo is simply stepping backwards, not "removing formatting and remembering my choice".

  9. Most of these types of infections will use group policies, a registry.pol file, or a Scheduled Task that uses Command Prompt, PowerShell, or wscript to re-add itself. Sometimes it can also be a rootkit or a compromised application that may have been obtained from unofficial channels.

    You may want to utilize Sysinternals Autoruns to see if you find anything out of place from the Scheduled Tasks front.

    @TwinHeadedEagle and @AdvancedSetup, any thoughts?
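A quick triage of the persistence spots named above, as an added example that is not part of the original post: it lists scheduled tasks whose action launches a script interpreter or an executable outside the Windows and Program Files trees, and reports whether a local registry.pol exists. The interpreter list and the path pattern are assumptions; hits are leads for a second set of eyes, not verdicts.

```powershell
# Added example (not from the original post): flag scheduled tasks that use
# cmd/PowerShell/wscript or run from unusual locations, and check for registry.pol.
$Interpreters = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe'

$suspects = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $exe = $action.Execute
        if (-not $exe) { continue }                  # COM-handler actions have no Execute
        $exe  = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')
        $leaf = [IO.Path]::GetFileName($exe).ToLower()
        $reasons = @()
        if ($Interpreters -contains $leaf) { $reasons += "interpreter: $leaf" }
        # Assumption: legitimate task binaries live under Windows or Program Files.
        if ($exe -notmatch '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\') {
            $reasons += 'outside Windows/Program Files'
        }
        if ($reasons) {
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                State     = $task.State
                Execute   = $exe
                Arguments = $action.Arguments
                Why       = $reasons -join '; '
            }
        }
    }
}
$suspects | Format-Table -AutoSize -Wrap

# Local Group Policy registry.pol files are normal on a domain-managed PC; on a home
# machine their presence (and a recent write time) is worth a closer look.
foreach ($pol in "$env:SystemRoot\System32\GroupPolicy\Machine\registry.pol",
                 "$env:SystemRoot\System32\GroupPolicy\User\registry.pol") {
    if (Test-Path -LiteralPath $pol) {
        "registry.pol present: $pol (last written $((Get-Item -LiteralPath $pol).LastWriteTime))"
    }
}
```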

  10. 11 minutes ago, Tof_SLRCORP said:

    Hi,

    I'd rather use PowerShell :

    Add-AppxPackage -register "C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2.5.0_x64__8wekyb3d8bbwe\appxmanifest.xml" -DisableDevelopmentMode

    I'll try tomorrow

    That might not work since you are missing an actual file from that Appx package folder. You also run the risk of making things a little worse if the Add-AppxPackage still breaks UWP apps as it does in 10586.x.

  11. So far no one has been able to reproduce this when creating links. This would mean that it was an issue accidentally introduced by copying/pasting content that had the ExternalNoFollow attribute attached then editing of links in said content was done rather than creating new links.

    Marking this as closed for now.

  12. After some testing, I figured out a way to do this. Please run the following commands in order from an Administrator Level Command Prompt.

    takeown /f "c:\program files\windowsapps\Microsoft.WindowsFeedbackHub_1.2.5.0_x64__8wekyb3d8bbwe" /r
    icacls "c:\program files\windowsapps\Microsoft.WindowsFeedbackHub_1.2.5.0_x64__8wekyb3d8bbwe" /grant:r Everyone:f /t
    rd /s /q "c:\program files\windowsapps\Microsoft.WindowsFeedbackHub_1.2.5.0_x64__8wekyb3d8bbwe"
    robocopy "c:\windows\infusedapps\packages\Microsoft.WindowsFeedbackHub_1.2.5.0_x64__8wekyb3d8bbwe" "c:\program files\windowsapps\Microsoft.WindowsFeedbackHub_1.2.5.0_x64__8wekyb3d8bbwe" /e /b /copyall

  13. I did a little digging and that Windows App, Feedback Hub, is a default app that comes pre-staged with this build which in turn means a backup of the original version lives in c:\windows\infusedapps\packages\<PackageName>. The awesome thing about the InfusedApps folder is that it also includes the proper default permissions. This means you can use it to rebuild the broken permissions AND replace the missing file/files.

    In theory, you would execute the following command from an Administrator level Command Prompt window.

    robocopy "c:\windows\infusedapps\packages\Microsoft.WindowsFeedbackHub_1.2.5.0_x64__8wekyb3d8bbwe" "c:\program files\windowsapps\Microsoft.WindowsFeedbackHub_1.2.5.0_x64__8wekyb3d8bbwe" /e /b /copyall

    That should copy everything using the Backup Operator context and preserve the permissions.
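Before running the copy, it helps to see exactly which files the live package is missing and what robocopy would do. This is an added example, not the original post's commands: it diffs the InfusedApps backup against the WindowsApps folder and then dry-runs the robocopy with /L (list only), assuming the package folder name from the post and an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): diff backup vs live package, then
# list what robocopy /e /b /copyall would copy without changing anything.
$Pkg    = 'Microsoft.WindowsFeedbackHub_1.2.5.0_x64__8wekyb3d8bbwe'   # from the post
$Backup = "$env:SystemRoot\InfusedApps\Packages\$Pkg"
$Live   = "${env:ProgramFiles}\WindowsApps\$Pkg"

function Get-RelativeFiles([string]$Root) {
    # WindowsApps denies Explorer but lists from an elevated prompt (dir/gci work).
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction Stop |
        ForEach-Object { $_.FullName.Substring($Root.Length).TrimStart('\') }
}

$backupFiles = @(Get-RelativeFiles $Backup)
$liveFiles   = if (Test-Path -LiteralPath $Live) { @(Get-RelativeFiles $Live) } else { @() }

# Compare-Object rejects an empty -DifferenceObject, so handle "nothing live" up front.
$missing = if ($liveFiles.Count -eq 0) { $backupFiles } else {
    Compare-Object -ReferenceObject $backupFiles -DifferenceObject $liveFiles |
        Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject
}
"Files in backup but missing from live package: $(@($missing).Count)"
$missing

# Dry run: /L lists the operations only. Drop /L to perform the copy as in the post.
# Note robocopy's exit code is a bitmask (1 = files copied), not an error.
robocopy $Backup $Live /e /b /copyall /L
```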

  14. Just a word of caution, please be extra careful playing around in the WindowsApps folder or other related WinRT/Windows Store App folders as there are special unique permissions for each app package folder. Specifically, I would never touch the unique AppContainer SID permissions unless you want some broken Windows Apps.

    With that being said, I would not recommend following that video at all. It's completely wrong. TrustedInstaller is the proper default user of that folder and is there to keep things locked down and secure.

    If you need to view the contents of locked down areas like this, Command Prompt (dir) and PowerShell (gci) are your friends. If you need to copy files to secure folders like this, use RoboCopy to perform the operation as a Backup Operator.

    If you still feel the need to modify the permissions so you can use File Explorer, just make sure to set things back to what they were when you are all done.

  15. 2 hours ago, 1PW said:

    Hello Alex:

    That is why I thought I remembered that indent tag syntax.  I am in the process of checking multiple systems/backups and I will update this thread.

    Thank you.

    No problem at all. I also did some additional research and checking with multiple other forums that use BBCode. Every one of them so far shows that adding additional indents is performed by doing nested indent tags like in my sample code. So if IPS v3 did work differently, then that would be a customized syntax from what I can tell.

    In any event, let me know what you find out.
