Posts posted by yamaci17

  1. I made a "Full scan" with C and D selected and all options selected. Results came clean, ADWCleaner also came clean. I'm sharing scan log + mbst log (I restarted pc as you instructed before doing this step)

    Do you believe my system is clean? Or could there be something else?

    fullscan.txt mbst-grab-results.zip

     

    I think Fcon file is not signed by Microsoft. That is most likely why it is throwing errors. But I wonder if it is not signed for others too or specific to me.

  2. I wanted to add, I forgot to update "database" in Mbar. Once I did, it did not detect any of the "trojans" listed above. Can I say they were false positives due to old database? Once I clicked update database, it updated to something from 2023 and results came clean. Just wanted to confirm. Then I reinstalled old MBAR with old database, and once again it found those exact 6 trojans. And once database updated, it came off clean again.

     

    What tipped me off was a file called "fcon.dll" appeared in "failed Audit" in event viewer;

     

    https://i.imgur.com/u3v3D5j.png

     

    https://www.virustotal.com/gui/file/263c192c3ccbee1973395d0f43632050dbb4231845d8d16b321923ac4f859f5f

     


     

    File itself I provided. This exact same error survives full reinstalls, which is the reason I'm angered and tipped off.

     

    "Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

    File Name:    \Device\HarddiskVolume3\Windows\System32\fcon.dll  "

    fcon.zip

  3. Hello, I've been seeing some weird behaviour on my PC, slowdowns and sluggishness and random restarts of Windows Defender and TPM info being laggy or not there and suddenly be there after checking it etc.

    I clean installed Windows and decided to run some scans, and Malwarebytes' Anti-Rootkit beta tool found some. I'd like some assistance regarding this. Thanks.

     

     

     

    1.png

  4. 4 hours ago, Porthos said:

    They know already. It is just a case of how many out of millions of customers will want/need to use the new feature.

     


    You're absolutely correct; but I'm glad Mbytes is aware of the situation and doing stuff to get it working. Sooner or later, this tech will be incorporated into more and more nextgen games. I don't know how many gamers use MBytes though; probably not so much.

  5. My The Witcher 3 crashed for some reason and suddenly Defender picked up some steam and blocked it as a threat. Mbytes is saying it is clean

     

    https://www.virustotal.com/gui/file/ad30328a3746d77eb24ef4dd447b4818e224ec3a96e71413d09c64efd5e3fea8/detection


     

    It is a legit copy of the game. I deleted the file and validated the game files and redownloaded file returns the exact same detection

     

    https://www.virustotal.com/gui/file/ad30328a3746d77eb24ef4dd447b4818e224ec3a96e71413d09c64efd5e3fea8

    CrashReporter.zip

  6. "Did you manually create this entry on purpose for a shortcut or service?"

    I didn't, at least purposefully. I played around with input / language settings to replicate the issue however, added and removed languages in the hopes of replicating it.

    I've run the test as you asked, it prompted a disk check after restart. Here are the files you've requested.

    Is my UEFI / BIOS / MOBO compromised? Even after complete nukes and full reinstalls, this still happens. Is something intercepting the install process and injecting itself into the system from the BIOS side? If so will I have to change my entire mobo? I even tried reflashing a newer BIOS version, yet it still happened. I also have this "SecureBootEncodeUEFI" file that is not signed or approved by Microsoft (which I believe you removed something about it, and wanted a copy of). Even after full reinstalls, the entries you deleted with Fixlist come back, and same Alt+Shift exploit detection occurs. In every clean install the "SecureBootEncodeUEFI" also is there always, unsigned.

    Am I doomed? I can't move on with my life, I also have crucial PC-related jobs, I'm really in a pickle here :(

     

     

    25.09.2022_10.45.03.zip Fixlog.txt

  7. Exact same thing happened to me. But I can't reliably reproduce the "customization" notification to pop up. Have you found a way to make it pop consistently? After a full format and 3 hrs of usage it popped randomly again. I wonder what kind of algorithms are in place that it gets triggered? It does not even get triggered when I use the shortcuts. It seems random. But in what respect?

     

  8. Well, I got spooked and nuked all my hard drives. After nuking the drives, and installing the Windows + Malwarebytes and once activated, I also pulled the plug of the internet. Used PC around 2-3 hrs, doing practically nothing and trying to reproduce the issue. Finally, randomly when I tried to deactivate license for Mbytes it got popped again. It happens when Windows randomly (I still don't know the exact trigger) displays a notification about input switch shortcuts. Once that happens and you click on "customize", the Mbytes blocks it.

    I will leave the logs. Hope I'm not infected by a super nasty persistent virus that tries to hack its way into my system even when I'm offline and after a full format. At this point I've become overly paranoid. I just hope these logs are useful and you can tell me that my system is clean or not. Or else I will have to change my modem or something because at this point I'm clueless as to why this happens.

     

    I've posted a threat scan report, the export of the detection, FRST thingy, and its addition.

     

     

    Addition.txt FRST.txt detection.txt threat scan report.txt

  9. Hello, I'm on new Windows 22H2 build. I was trying to install Call of Duty MW open beta and after installation began this happened;

     


    I'm not sure if the incident is linked to Battle.net or installation. I tried uninstalling the game and launcher and reinstalled in hopes of reproducing the block, but it never happened again.

    I also shared report so I would be glad if you can help me regarding if this is something I should worry about or not.

     

    Malwarebytes
    www.malwarebytes.com
    
    -Log Details-
    Protection Event Date: 9/23/22
    Protection Event Time: 4:19 PM
    Log File: 542b68ce-3b42-11ed-a369-2cf05d79a0f8.json
    
    -Software Information-
    Version: 4.5.14.210
    Components Version: 1.0.1767
    Update Package Version: 1.0.60360
    License: Premium
    
    -System Information-
    OS: Windows 11 (Build 22621.521)
    CPU: x64
    File System: NTFS
    User: System
    
    -Exploit Details-
    File: 0
    (No malicious items detected)
    
    Exploit: 1
    Malware.Exploit.Agent.Generic, C:\Windows\system32\rundll32.exe C:\Windows\system32\rundll32.exe Shell32.dll,Control_RunDLL input.dll,,{C07337D3-DB2C-4D0B-9A93-B722A6C106E2}{HOTKEYS}, Blocked, 0, 392684, 0.0.0, , 
    
    -Exploit Data-
    Affected Application: Windows Control Panel
    Protection Layer: Application Behavior Protection
    Protection Technique: Exploit Office loading points abuse blocked
    File Name: C:\Windows\system32\rundll32.exe C:\Windows\system32\rundll32.exe Shell32.dll,Control_RunDLL input.dll,,{C07337D3-DB2C-4D0B-9A93-B722A6C106E2}{HOTKEYS}
    URL: 
    
    
    
    (end)

     

  10. 4 hours ago, shankly1985 said:

    Had the same problem since June. After seeing this thread I disabled Malwarebytes protection and restarted the PC the update installed fine afterwards. 

    Something has changed between MW and Microsoft since June 

    Problems about MW and Windows 11 actually go beyond these updates. Forza Horizon 5 and many other Xbox Game Pass games sometimes fail to relaunch when I exit them. As soon as I turn off Malwarebytes, they launch just fine. Problem is even more complex than that however, since games themselves cannot be launched if the game installment folder is not placed in the allow list. Adding game folders to allow list does allow them to launch, but relaunch becomes very buggy afterwards, regardless. Sometimes they launch, sometimes they don't. In my case, I can replicate that the relaunch issue completely goes away if I uninstall Mbytes from my system. My suspect is to do with the game exe, directly. These game pass executables cannot even be read by Rivatuner, Steam or any other software. I guess malwarebytes locks the system when it tries to read the file, but read refuses to be read. It's just a wild guess however.

    Forza 5 and Halo Infinite also exhibit more stutters, especially when loading files from the drive. I did a couple tests and I can safely say that Mbytes causes huge slowdowns that cause low 1% lows and stutters while games stream assets despite folders being on asset list. I identified the issue actually, even though games are installed to a specific folder, a separate place where some files about the games are also stored additionally in deeper places within Windows installation. After I managed to add all those folders, experience became smooth again, with no apparent asset streaming stutters.

    I'm not completely putting the blame on MB however. Windows and its weird Xbox app system is weird and gets broken for no reason at all sometimes. I don't know the stuff will ever improve or not though.

    https://twitter.com/Dachsjaeger/status/1550078796862296064/photo/1

    However probably adding Mbytes on top of a buggy Xbox/game system probably makes stuff even more complex. I
