sbonds
Members
Posts: 9
Reputation: 0 Neutral


  1. Yes, they are very aware of the issue, as noted when I mentioned it to them in their support chat:
  2. A partial workaround rather than completely disabling Malwarebytes is to shut off Web Protection. Set a reminder for yourself to check this again tomorrow. I bet this gets fixed quickly.
  3. Same issue here for an old freeware hex editor http://www.mh-nexus.de.
  4. An old version of PuTTY, in use for five years, has triggered Malware.AI.2854659608. This is unlikely to be malware, so it might make a good addition to your training set. The log is attached. The affected file has a SHA256 of B10922648F6AD71F3F20B9ACDFACF9AEFF706CAD6C52737CDC426307CCFA51D9.
     Attachment: 20210510 malwarebytes putty false positive.txt
  5. Version 2.3.0.0 of HxD gives the same false positive. Please ensure the fix goes beyond a simple binary whitelist.
  6. I have no remaining issues or concerns-- thanks for checking back. I'm a bit horrified at how easy a local privilege escalation is on a modern, fully patched version of Windows 10 though. :-)
  7. The PC Accelerator Pro popup on login for the "rbond" account is now gone. It looks like there may have been some earlier, less obvious malware on there as well. That has me more concerned since there shouldn't be any way for "rbond" to write to C:\Windows\System32 as a non-administrative account. Was that some known malware?
  8. Here are the log files requested.

     FRST Fixlog.txt

     Fix result of Farbar Recovery Scan Tool (x64) Version: 13-12-2017
     Ran by sbonds_adm (15-12-2017 18:20:22) Run:1
     Running from C:\Users\sbonds_adm\Downloads
     Loaded Profiles: sbonds_adm (Available Profiles: sbonds_adm & qzbkd & rbond & ksebo & tbond & inthi)
     Boot Mode: Normal
     ==============================================

     fixlist content:
     *****************
     Start
     CloseProcesses:
     CreateRestorePoint:
     C:\Users\rbond\AppData\Roaming\PCAccelerateP\PCAcceleratePro.exe
     HKU\S-1-5-21-4201553482-1877617574-1160474004-1003\...\Run: [PCAccelPro] => C:\Users\rbond\AppData\Roaming\PCAccelerateP\PCAcceleratePro.exe [7632192 2017-11-24] (PC Accelerate Sales Inc)
     C:\Users\rbond\AppData\Roaming\PCAccelerateP\PCAcceleratePro.exe
     C:\Users\rbond\AppData\Roaming\PCAccelerateP
     HKU\S-1-5-21-4201553482-1877617574-1160474004-1003\...\Run: [PUpdater] => C:\Users\rbond\AppData\Roaming\PUpdater\PUpdater.exe
     C:\Users\rbond\AppData\Roaming\PUpdater\PUpdater.exe
     C:\Users\rbond\AppData\Roaming\PUpdater
     GroupPolicy: Restriction <==== ATTENTION
     C:\Users\rbond\Downloads\Installer-Re-DL.exe
     C:\Users\rbond\AppData\Local\P.C.A.P
     C:\Users\rbond\AppData\Local\AYLN#Pr.Update
     2017-12-06 07:45 - 2017-01-31 21:32 - 000000000 ____D C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿq
     2017-12-06 07:45 - 2017-01-31 21:32 - 000000000 ____D C:\WINDOWS\system32\460fadc4947af53df76f2d..bin
     2017-12-06 07:45 - 2016-11-18 17:18 - 000000000 ____D C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿ8
     2017-12-06 07:45 - 2016-11-08 23:30 - 000000000 ____D C:\WINDOWS\system32\€‡±Ié
     2017-12-06 07:45 - 2016-11-08 16:47 - 000000000 ____D C:\WINDOWS\system32\€‡$‚†
     2017-12-06 07:45 - 2016-11-07 21:49 - 000000000 ____D C:\WINDOWS\system32\€‡ž
     2017-12-06 07:45 - 2016-11-06 19:24 - 000000000 ____D C:\WINDOWS\system32\€‡úºA
     2017-12-06 07:45 - 2016-11-06 19:24 - 000000000 ____D C:\WINDOWS\system32\€‡ÞJB
     2017-12-06 07:45 - 2016-11-05 19:35 - 000000000 ____D C:\WINDOWS\system32\€‡ØVG
     2017-12-06 07:45 - 2016-11-05 19:35 - 000000000 ____D C:\WINDOWS\system32\€‡º¨g
     2017-12-06 07:45 - 2016-11-04 19:26 - 000000000 ____D C:\WINDOWS\system32\€‡úŒ=
     2017-12-06 07:45 - 2016-11-04 16:19 - 000000000 ____D C:\WINDOWS\system32\€‡lp^
     2017-12-06 07:45 - 2016-11-04 13:36 - 000000000 ____D C:\WINDOWS\system32\€‡¡Ó3
     2017-12-06 07:45 - 2016-11-03 20:08 - 000000000 ____D C:\WINDOWS\system32\€‡MÑl
     2017-12-06 07:45 - 2016-11-03 20:08 - 000000000 ____D C:\WINDOWS\system32\€‡Ð˯
     2017-12-06 07:45 - 2016-11-03 18:19 - 000000000 ____D C:\WINDOWS\system32\€‡ãoÈ
     2017-12-06 07:45 - 2016-11-03 16:42 - 000000000 ____D C:\WINDOWS\system32\€‡Ãÿ‰
     2017-12-06 07:45 - 2016-11-03 15:56 - 000000000 ____D C:\WINDOWS\system32\€‡xÐ'
     2017-12-06 07:45 - 2016-11-03 15:01 - 000000000 ____D C:\WINDOWS\system32\€‡Cöú
     2017-12-06 07:45 - 2016-11-02 19:31 - 000000000 ____D C:\WINDOWS\system32\€‡ÏŠP
     2017-12-06 07:45 - 2016-11-02 18:59 - 000000000 ____D C:\WINDOWS\system32\€‡ï(G
     2017-12-06 07:45 - 2016-11-02 18:58 - 000000000 ____D C:\WINDOWS\system32\€‡ÑIÓ
     2017-12-06 07:45 - 2016-11-02 17:51 - 000000000 ____D C:\WINDOWS\system32\€‡7Ë
     2017-12-06 07:45 - 2016-11-02 13:50 - 000000000 ____D C:\WINDOWS\system32\€‡’À&
     2017-12-06 07:45 - 2016-11-02 13:49 - 000000000 ____D C:\WINDOWS\system32\€‡€÷d
     2017-12-06 07:45 - 2016-11-02 13:48 - 000000000 ____D C:\WINDOWS\system32\€‡A+o
     2017-12-06 07:45 - 2016-11-02 13:09 - 000000000 ____D C:\WINDOWS\system32\€‡Ãh‡
     2017-12-06 07:45 - 2016-11-02 13:07 - 000000000 ____D C:\WINDOWS\system32\€‡_Ìâ
     2017-12-06 07:45 - 2016-11-02 07:56 - 000000000 ____D C:\WINDOWS\system32\€‡œm’
     2017-12-06 07:45 - 2016-11-02 05:55 - 000000000 ____D C:\WINDOWS\system32\€‡ÖVï
     2017-12-06 07:45 - 2016-11-02 05:51 - 000000000 ____D C:\WINDOWS\system32\€‡gÓâ
     2017-12-06 07:45 - 2016-11-02 05:51 - 000000000 ____D C:\WINDOWS\system32\€‡Åþ¦
     2017-12-06 07:45 - 2016-11-02 00:00 - 000000000 ____D C:\WINDOWS\system32\€‡,X÷
     2017-12-06 07:45 - 2016-11-01 20:53 - 000000000 ____D C:\WINDOWS\system32\€‡üE-
     2017-12-06 07:45 - 2016-11-01 20:53 - 000000000 ____D C:\WINDOWS\system32\€‡d½¬
     2017-12-06 07:45 - 2016-11-01 20:47 - 000000000 ____D C:\WINDOWS\system32\€‡u,d
     2017-12-06 07:45 - 2016-11-01 20:47 - 000000000 ____D C:\WINDOWS\system32\€‡r¸J
     2017-12-06 07:45 - 2016-11-01 20:20 - 000000000 ____D C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿ
     2017-12-06 07:45 - 2016-11-01 20:20 - 000000000 ____D C:\WINDOWS\system32\00a364fd4a471f3b1ad96..bin
     2017-12-06 07:45 - 2016-11-01 20:01 - 000000000 ____D C:\WINDOWS\system32\€‡‰Ò
     2017-12-06 07:45 - 2016-11-01 19:47 - 000000000 ____D C:\WINDOWS\system32\€‡Ú)è
     Task: {FF69CE88-D388-455E-9A4A-A025D894577E} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
     2017-11-24 04:58 - 2017-11-24 04:58 - 000653312 _____ () C:\Users\rbond\AppData\Roaming\PCAccelerateP\BrowserUtils.dll
     2017-11-24 05:03 - 2017-11-24 05:03 - 000353088 _____ () C:\Users\rbond\AppData\Roaming\PCAccelerateP\Scanner.dll
     EmptyTemp:
     Hosts:
     CMD: ipconfig /flushDNS
     end
     *****************

     Processes closed successfully.
     Error: (0) Failed to create a restore point.
     C:\Users\rbond\AppData\Roaming\PCAccelerateP\PCAcceleratePro.exe => moved successfully
     HKU\S-1-5-21-4201553482-1877617574-1160474004-1003\Software\Microsoft\Windows\CurrentVersion\Run\\PCAccelPro => value not found.
     "C:\Users\rbond\AppData\Roaming\PCAccelerateP\PCAcceleratePro.exe" => not found.
     C:\Users\rbond\AppData\Roaming\PCAccelerateP => moved successfully
     HKU\S-1-5-21-4201553482-1877617574-1160474004-1003\Software\Microsoft\Windows\CurrentVersion\Run\\PUpdater => value not found.
     "C:\Users\rbond\AppData\Roaming\PUpdater\PUpdater.exe" => not found.
     C:\Users\rbond\AppData\Roaming\PUpdater => moved successfully
     C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
     C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
     C:\Users\rbond\Downloads\Installer-Re-DL.exe => moved successfully
     C:\Users\rbond\AppData\Local\P.C.A.P => moved successfully
     C:\Users\rbond\AppData\Local\AYLN#Pr.Update => moved successfully
     C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿq => moved successfully
     C:\WINDOWS\system32\460fadc4947af53df76f2d..bin => moved successfully
     C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿ8 => moved successfully
     C:\WINDOWS\system32\€‡±Ié => moved successfully
     C:\WINDOWS\system32\€‡$‚† => moved successfully
     C:\WINDOWS\system32\€‡ž => moved successfully
     C:\WINDOWS\system32\€‡úºA => moved successfully
     C:\WINDOWS\system32\€‡ÞJB => moved successfully
     C:\WINDOWS\system32\€‡ØVG => moved successfully
     C:\WINDOWS\system32\€‡º¨g => moved successfully
     C:\WINDOWS\system32\€‡úŒ= => moved successfully
     C:\WINDOWS\system32\€‡lp^ => moved successfully
     C:\WINDOWS\system32\€‡¡Ó3 => moved successfully
     C:\WINDOWS\system32\€‡MÑl => moved successfully
     C:\WINDOWS\system32\€‡Ð˯ => moved successfully
     C:\WINDOWS\system32\€‡ãoÈ => moved successfully
     C:\WINDOWS\system32\€‡Ãÿ‰ => moved successfully
     C:\WINDOWS\system32\€‡xÐ' => moved successfully
     C:\WINDOWS\system32\€‡Cöú => moved successfully
     C:\WINDOWS\system32\€‡ÏŠP => moved successfully
     C:\WINDOWS\system32\€‡ï(G => moved successfully
     C:\WINDOWS\system32\€‡ÑIÓ => moved successfully
     C:\WINDOWS\system32\€‡7Ë => moved successfully
     C:\WINDOWS\system32\€‡’À& => moved successfully
     C:\WINDOWS\system32\€‡€÷d => moved successfully
     C:\WINDOWS\system32\€‡A+o => moved successfully
     C:\WINDOWS\system32\€‡Ãh‡ => moved successfully
     C:\WINDOWS\system32\€‡_Ìâ => moved successfully
     C:\WINDOWS\system32\€‡œm’ => moved successfully
     C:\WINDOWS\system32\€‡ÖVï => moved successfully
     C:\WINDOWS\system32\€‡gÓâ => moved successfully
     C:\WINDOWS\system32\€‡Åþ¦ => moved successfully
     C:\WINDOWS\system32\€‡,X÷ => moved successfully
     C:\WINDOWS\system32\€‡üE- => moved successfully
     C:\WINDOWS\system32\€‡d½¬ => moved successfully
     C:\WINDOWS\system32\€‡u,d => moved successfully
     C:\WINDOWS\system32\€‡r¸J => moved successfully
     C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿ => moved successfully
     C:\WINDOWS\system32\00a364fd4a471f3b1ad96..bin => moved successfully
     C:\WINDOWS\system32\€‡‰Ò => moved successfully
     C:\WINDOWS\system32\€‡Ú)è => moved successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FF69CE88-D388-455E-9A4A-A025D894577E} => could not remove key. ErrorCode1: 0x00000002
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FF69CE88-D388-455E-9A4A-A025D894577E}" => removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => key not found
     "C:\Users\rbond\AppData\Roaming\PCAccelerateP\BrowserUtils.dll" => not found.
     "C:\Users\rbond\AppData\Roaming\PCAccelerateP\Scanner.dll" => not found.
     C:\Windows\System32\Drivers\etc\hosts => moved successfully
     Hosts restored successfully.

     ========= ipconfig /flushDNS =========

     Windows IP Configuration

     Successfully flushed the DNS Resolver Cache.

     ========= End of CMD: =========

     =========== EmptyTemp: ==========
     BITS transfer queue => 7888896 B
     DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 6409042 B
     Java, Flash, Steam htmlcache => 43190994 B
     Windows/system/drivers => 5303442 B
     Edge => 2448379 B
     Chrome => 97258029 B
     Firefox => 17484296 B
     Opera => 0 B
     Temp, IE cache, history, cookies, recent:
     Default => 6656 B
     Users => 0 B
     ProgramData => 0 B
     Public => 0 B
     systemprofile => 0 B
     systemprofile32 => 0 B
     LocalService => 180152 B
     NetworkService => 353134 B
     sbonds_adm => 64005132 B
     qzbkd => 46516 B
     rbond => 473491078 B
     ksebo => 65908 B
     tbond => 55719 B
     inthi => 16798 B
     RecycleBin => 42761429 B
     EmptyTemp: => 725.7 MB temporary data Removed.
     ================================

     The system needed a reboot.

     ==== End of Fixlog 18:21:02 ====

     Malwarebytes scan log (clean):

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 12/15/17
     Scan Time: 6:47 PM
     Log File: 70d65cda-e20b-11e7-b147-c8600014cc62.json
     Administrator: No

     -Software Information-
     Version: 3.3.1.2183
     Components Version: 1.0.262
     Update Package Version: 1.0.3499
     License: Trial

     -System Information-
     OS: Windows 10 (Build 16299.125)
     CPU: x64
     File System: NTFS
     User: DESKTOP-031LLE2\rbond

     -Scan Summary-
     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 415409
     Threats Detected: 0
     (No malicious items detected)
     Threats Quarantined: 0
     (No malicious items detected)
     Time Elapsed: 5 min, 43 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0
     (No malicious items detected)
     Module: 0
     (No malicious items detected)
     Registry Key: 0
     (No malicious items detected)
     Registry Value: 0
     (No malicious items detected)
     Registry Data: 0
     (No malicious items detected)
     Data Stream: 0
     (No malicious items detected)
     Folder: 0
     (No malicious items detected)
     File: 0
     (No malicious items detected)
     Physical Sector: 0
     (No malicious items detected)

     (end)

     AdwCleaner log shows all clear:

     # AdwCleaner 7.0.5.0 - Logfile created on Sat Dec 16 03:01:08 2017
     # Updated on 2017/29/11 by Malwarebytes
     # Database: 12-15-2017.1
     # Running on Windows 10 Pro (X64)
     # Mode: scan
     # Support: https://www.malwarebytes.com/support

     ***** [ Services ] *****
     No malicious services found.

     ***** [ Folders ] *****
     No malicious folders found.

     ***** [ Files ] *****
     No malicious files found.

     ***** [ DLL ] *****
     No malicious DLLs found.

     ***** [ WMI ] *****
     No malicious WMI found.

     ***** [ Shortcuts ] *****
     No malicious shortcuts found.

     ***** [ Tasks ] *****
     No malicious tasks found.

     ***** [ Registry ] *****
     No malicious registry entries found.

     ***** [ Firefox (and derivatives) ] *****
     No malicious Firefox entries.

     ***** [ Chromium (and derivatives) ] *****
     No malicious Chromium entries.

     *************************
     C:/AdwCleaner/AdwCleaner[S0].txt - [1046 B] - [2017/12/16 2:12:3]

     ########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt ##########

     Microsoft Malicious Software Removal Tool Log:

     ---------------------------------------------------------------------------------------
     Microsoft Windows Malicious Software Removal Tool v5.55, December 2017 (build 5.55.14421.1)
     Started On Fri Dec 15 18:13:01 2017

     Engine: 1.1.14405.2
     Signatures: 1.257.1160.0
     Run Mode: Interactive Graphical Mode

     Results Summary:
     ----------------
     No infection found.
     Successfully Submitted Heartbeat Report
     Microsoft Windows Malicious Software Removal Tool Finished On Fri Dec 15 18:18:12 2017

     Return code: 0 (0x0)

     Thanks for your help-- looks like your fixlist hit all the nasties that were left over. What was all the junk in C:\Windows\System32? That shouldn't have been possible for an unprivileged user ("rbond") to change, or was this malware using a local privilege escalation exploit?
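As an added example (not part of the forum post and not Farbar's own code), the script below triages FRST log lines of the two shapes visible in the Fixlog above: autorun entries (`HKU\...\Run: [Name] => path`) and the `created - modified - size attrs path` listing. It flags what the post is asking about: System32 entries whose names are non-printable or malformed, autoruns that point into a user profile (a location a non-admin account can write), and DLLs loaded from a profile. The sample lines are constructed (shortened copies of the log's entries plus one benign HKLM autorun); the flagging rules, and the assumption that FRST's first timestamp is the creation time and the second the modification time, are this example's own.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) log lines.

Added example: not part of the forum post and not Farbar's code. The
flagging rules are heuristics of this example, not FRST's own logic.
Assumption: in FRST listings the first timestamp is the creation time
and the second the last-modification time.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: shortened copies of Fixlog entries plus one benign
# HKLM autorun so a clean line is present too.
SAMPLE_LOG = r"""
HKU\S-1-5-21-4201553482-1877617574-1160474004-1003\...\Run: [PCAccelPro] => C:\Users\rbond\AppData\Roaming\PCAccelerateP\PCAcceleratePro.exe [7632192 2017-11-24] (PC Accelerate Sales Inc)
HKU\S-1-5-21-4201553482-1877617574-1160474004-1003\...\Run: [PUpdater] => C:\Users\rbond\AppData\Roaming\PUpdater\PUpdater.exe
HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe
2017-12-06 07:45 - 2017-01-31 21:32 - 000000000 ____D C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿq
2017-12-06 07:45 - 2017-01-31 21:32 - 000000000 ____D C:\WINDOWS\system32\460fadc4947af53df76f2d..bin
2017-12-06 07:45 - 2016-11-08 23:30 - 000000000 ____D C:\WINDOWS\system32\€‡±Ié
2017-12-01 09:00 - 2017-12-01 09:00 - 000000000 ____D C:\WINDOWS\system32\config
2017-11-24 04:58 - 2017-11-24 04:58 - 000653312 _____ () C:\Users\rbond\AppData\Roaming\PCAccelerateP\BrowserUtils.dll
"""

# "HKU\<SID>\...\Run: [Name] => path [size date] (Company)"; the trailing
# bracketed size/date and company are optional.
RUN_ENTRY = re.compile(
    r"^(?P<hive>HK\w+(?:\\[^\\]+)*?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => "
    r"(?P<path>.+?)(?: \[\d+ \d{4}-\d{2}-\d{2}\].*)?$"
)
# "created - modified - size attrs [(company)] path"
DIR_ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{9}) (?P<attrs>[_A-Z]{5}) (?:\([^)]*\) )?(?P<path>.+)$"
)
SYSTEM32 = re.compile(r"^[A-Za-z]:\\windows\\system32\\", re.IGNORECASE)
PROFILE = re.compile(r"^[A-Za-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str        # "autorun" or "entry"
    path: str
    reasons: List[str]


def odd_name(name: str) -> bool:
    """Heuristic: any character outside printable ASCII, or a doubled dot
    as in '...bin' names, never occurs in shipped System32 content."""
    return any(not (0x20 <= ord(c) <= 0x7E) for c in name) or ".." in name


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing is suspicious."""
    m = RUN_ENTRY.match(line)
    if m:
        reasons = []
        if PROFILE.match(m["path"]):
            reasons.append("autorun points into a user profile (writable without admin)")
        return Finding("autorun", m["path"], reasons) if reasons else None
    m = DIR_ENTRY.match(line)
    if not m:
        return None
    path = m["path"]
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if SYSTEM32.match(path) and odd_name(name):
        reasons.append("System32 entry with non-printable or malformed name")
    if m["modified"] < m["created"]:   # ISO timestamps compare as strings
        reasons.append("modified before created (copied with preserved timestamps, or timestomped)")
    if PROFILE.match(path) and path.lower().endswith(".dll"):
        reasons.append("DLL loaded from user profile")
    return Finding("entry", path, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every non-empty line and keep the hits."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            f = triage_line(line)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.path}")
        for r in f.reasons:
            print(f"         - {r}")
```

Feed it a real FRST.txt or Fixlog.txt by replacing `SAMPLE_LOG` with the file's contents; the "modified before created" flag is a prompt to look closer, not proof of anything, since copying a directory tree also produces it.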
  9. After completing the quarantine process successfully with Malwarebytes, on reboot PC Accelerate Pro has re-activated itself. I've reviewed the sticky topic and attached the relevant logs here. Note that the Farbar scan was run as a different user (sbonds_adm) than the one who is infected (rbond), but the sbonds_adm user is an admin account and rbond is not. The likely source of the malware is in C:\Users\rbond\Downloads\Installer-Re-DL.exe. This is what the poor guy gets for trying to install some Minecraft mods. Welcome to the Internet! :-( What's a good way to get rid of this junk short of restoring from yesterday's backup (or reloading Windows)?
     Attachments: FRST.txt, Addition.txt, 20171215 Malware from Minecraft Mods.txt