pleasedonttakemytokens

Honorary Members, 25 posts
Everything posted by pleasedonttakemytokens

  1. There are no other apparent signs of infection, and the computer runs fine. However, both of these were true prior to this process. The only sign of any form of infection was the one file detected by Dr.Web, which you suspected an FP, and I'm inclined to agree it likely was just a necessary piece to do with the Domain from a long while ago. I suspect there are only two ways for me to go about solving the, as detected by MWB RTP, (potential) powershell payload process exploit, especially seeing as it is an issue that seems to relate more to my specific discord account rather than the discord installation itself, or the system. The reason I have come to believe that is that I, prior to this process, tried solving the issue by logging into the Windows client for discord with a fresh discord account, and managed to avoid the problem entirely. The two (potential) solutions in my mind:
     1. Attempt to get more information on the potential exploit itself via another diagnostic tool that is able to at least display the attempt and failure of the process (via reinstalling discord, logging in, and letting RTP stop the attempt), even if not the nature of it, be it one present in windows already or one that you recommend.
     2. Work with Discord support themselves on a solution that more directly involves me taking action on my account itself (which can be done safely both via my mobile and browser clients), or action on their end.
     If you suspect the former wouldn't give us anything useful information-wise, I think the next step is the latter solution, in which case I would be very willing to report any solution discovered here, if nothing else to prevent potential future headaches.
  2. Attached is the Fixlog. As for discord, I did uninstall it when requested, and still haven't reinstalled it. The only thing I could imagine it picking up was an .exe file discord had in a separate place specifically for start up. Got rid of that too when I found it, but uninstalling through app management in settings clearly missed that file; not sure if there's any other you might mean. Fixlog.txt
  3. In their respective steps:
     1. Turned off registering, restarted, and added the Malwarebytes program folder to exclusions.
     2. This is the .exe that was generated with a random string for the Dr.Web scan done earlier, as such I have opted to skip the VirusTotal scan for this step.
     3. AnyDesk does appear to have a background process that runs with startup, but the application loading on start up has been disabled prior to this entire process via Task Manager. Still, to simplify things I have deleted it from the start up folder.
     4. Similar to AnyDesk, despite the shortcut being present in the startup folder, startup was disabled via Task Manager, and I have not run this program at all for no less than 2 years.
     5. As for this file, it was an application I experimented with over a year ago; it would allow me to change the wallpaper of my PC by uploading any image to a respective link. Since then, it has been disabled on startup via Task Manager, and has not run since. Here is the respective VirusTotal scan: https://www.virustotal.com/gui/file/dd8137714c3c65a19070caab15ac9c844e0f845234609baae88dbf330e716475/detection
     6. For this hard drive, it is definitely an aging HDD I've had for a bit; thankful for the warning concerning its condition. I'll be addressing it sooner than later.
     7. It was temporarily on a domain, yes. I have opted to remove it entirely in this case.
     8. I recognize the files, and only one of them is running on startup (Peace, which is a rather well known Audio Equalizer); the others were previously disabled in Task Manager, and haven't been run at all on this computer for a period of months to years. I still opted to delete those from the startup folder for simplicity's sake.
     9. I believe this file is located where it is because of its inclusion in the Malwarebytes Support tool. I do already have a version of FRSTEnglish.exe located in my downloads but decided to copy this one to the desktop as you said.
  4. I've uninstalled the application entirely, including anything in appdata related to it specifically. I've also restarted the computer. There are no alerts at present, but I'll wait for your go-ahead prior to reinstalling it and trying again, just as I'm uncertain if that was what you wanted me to check.
  5. The computer runs fine in general, although yes, I am still having the issue with discord. I'll quickly summarize the issue with discord, and how I've managed to make the issue go away temporarily just prior to us beginning this process.
     1. Start up Discord.
     2. Log in (automatically or manually) to my account.
     3. Discord is terminated and I get an RTP notification from Malwarebytes (my latest one attached to this post).
     As for how I've managed to make the problem subside prior:
     1. Use Run to access \%appdata%\discord
     2. Delete Cache.
     3. Start up application, and log in with a different account.
     4. No alert, nor is the application terminated.
     The instant I switch back to my actual account the problem resumes. So I can only imagine my account is loading something with an embedded payload into my cache (a ridiculously common thing on discord unfortunately). Somehow, something is attempting to run that embedded payload, and malwarebytes is considering it threatening (potentially for good reason). MWB_RTP 10_09_23.txt
  6. I have uninstalled or updated all of the listed applications. Attached are the requested logs. MWBthreatscan10_9_2023.txt AdwCleaner[C01].txt mbst-grab-results.zip
  7. Or more specifically, I guess, would it be fine to reboot directly into safe mode while Dr.Web is asking me to reboot?
  8. Yes this is the same computer, and I am 100% sure they were updated, the logs are timestamped with the correct time of me doing the requested scan. Attached to my reply is the requested cureit log. cureit.log
  9. I thought the filename might have been triggering the spam filter, forgot to remove the first one. Both AdwCleaner files are the same log.
  10. Here are all the logs you requested. The scan functioned properly, the ADW worked but didn't ask me to reboot, I did restart the pc prior to the third step regardless. MWB Scan Result.txt AdwCleaner[C00].txt mbst-grab-results.zip AdwCleanerScan.txt
  11. Hello there, This issue occurs specifically whenever I access the discord application in windows on a particular discord account. I do not get detections either on other accounts, or when accessing that account through my browser or my phone, all of which also have Real Time Protection with the MWB chrome extension/MWB Android app installed. FRST attached if relevant. Thank you for your help.

      Malwarebytes
      www.malwarebytes.com

      -Log Details-
      Protection Event Date: 10/6/23
      Protection Event Time: 11:22 AM
      Log File: 56a45fcc-6475-11ee-8bd9-00ffd160be8b.json

      -Software Information-
      Version: 4.6.3.282
      Components Version: 1.0.2158
      Update Package Version: 1.0.75995
      License: Premium

      -System Information-
      OS: Windows 10 (Build 19045.3448)
      CPU: x64
      File System: NTFS
      User: System

      -Exploit Details-
      File: 0
      (No malicious items detected)

      Exploit: 1
      Exploit.PayloadProcessBlock, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -, Blocked, 701, 392684, 0.0.0, ,

      -Exploit Data-
      Affected Application: Discord
      Protection Layer: Application Behavior Protection
      Protection Technique: Exploit payload process blocked
      File Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      URL:

      (end)

      Addition.txt FRST.txt
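The Malwarebytes block quoted in post 11 records a chat client (Discord) launching powershell.exe with `-ExecutionPolicy Unrestricted -Command -`, i.e. the execution policy disabled and the script body fed over stdin by the parent process. The following is an added triage example, not code from the thread or from Malwarebytes: it parses the `-Exploit Data-` fields from a log fragment and explains why such a parent/command-line pair deserves attention. The `NO_SHELL_PARENTS` list and the sample log text are assumptions constructed for this example, and the encoded-command check goes slightly beyond the flags seen on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the "-Exploit Data-" block quoted in post 11.
SAMPLE_LOG = r"""-Exploit Data-
Affected Application: Discord
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
URL:
(end)"""

# Hypothetical list of applications that should never spawn PowerShell (chat clients, browsers).
NO_SHELL_PARENTS = {"discord", "chrome", "msedge", "firefox", "slack", "teams"}

@dataclass
class ExploitEvent:
    application: str
    technique: str
    command_line: str
    flags: list = field(default_factory=list)

def parse_exploit_data(text: str) -> ExploitEvent:
    """Pull the fields the triage needs out of a Malwarebytes exploit-log fragment."""
    def grab(key):
        m = re.search(rf"^{key}:\s*(.*)$", text, re.MULTILINE)
        return m.group(1).strip() if m else ""
    return ExploitEvent(grab("Affected Application"), grab("Protection Technique"), grab("File Name"))

def powershell_risk_flags(command_line: str) -> list:
    """Return the reasons a PowerShell command line looks like a loader rather than an admin script."""
    toks = command_line.lower().split()
    reasons = []
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t in ("-executionpolicy", "-ep") and nxt in ("unrestricted", "bypass"):
            reasons.append("execution policy disabled")
        if t in ("-command", "-c") and nxt == "-":
            reasons.append("script body read from stdin (supplied by the parent process)")
        if t in ("-encodedcommand", "-enc"):
            reasons.append("base64-encoded command hides the script text")
    return reasons

def triage(event: ExploitEvent) -> dict:
    """Combine parent-process context with command-line flags into a verdict."""
    event.flags = powershell_risk_flags(event.command_line)
    parent = event.application.lower()
    unexpected_parent = parent in NO_SHELL_PARENTS and "powershell.exe" in event.command_line.lower()
    verdict = "suspicious" if unexpected_parent or event.flags else "benign"
    return {"parent": event.application, "unexpected_parent": unexpected_parent,
            "flags": event.flags, "verdict": verdict}
```

Running `triage(parse_exploit_data(SAMPLE_LOG))` on the quoted event yields a "suspicious" verdict with both the disabled execution policy and the stdin-fed script flagged, which is the same behaviour the Application Behavior Protection layer blocked.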