xml verbose logging found in BD and MBytes, control and report settings appear to be statically set...



Sorry. Newb here.

Who can direct me to a start point for getting to the bottom of A) Suddenly, Administrator controls in Win10 have been reset in NT. B) Malwarebytes is not loading as first op when I log in after setting it as such. C) BD and MBytes seem to have xml verbose scripting in its folders that appear to turn off certain control selections for the dashboard, update, and scan selection properties.

 

Help.


  • Root Admin

Hello @l3arnin6Quick and welcome.

The computer doesn't necessarily look infected, but there are crashes and other issues going on according to the logs. We'll go ahead and scan for malware though to make sure the system is clean and then look and see if we can fix some of the issues.

Please temporarily disable your Bitdefender antivirus and run the following. When done, make sure you re-enable your Bitdefender.

 

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 02

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, the logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


Ok, here are the logs requested. Sophos reported nothing, created no log, and said nothing was found. The most suspicious thing I saw is the 04-20-2017 date in the FRST as the backup date. This Win 10 was a clean install on 01-27-2017, with BD installed originally in early Feb 2017. It makes no sense that the FRST date is so recent, but again, I'm no pro.

Looking forward to your response.

 

Addition.txt

AdwCleaner[C0].txt

AdwCleaner[S0].txt

FRST.txt

JRT.txt


  • Root Admin

Actually, the logs look pretty good. The system has fewer errors in the Event Logs than most I see. You might want to try doing a full disk check and temp file clean and see if that corrects any issues you're having. Settings changing in controls, as far as Administrative rights, etc., is not typical of any infection.

 

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double-click TFC.exe to run it on XP (for Vista and Windows 7, right-click and choose "Run as administrator") and once it opens, click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 


Please click on the "Search the web and Windows" box.

Then type in CMD.EXE and when it shows on the start menu, right-click and select "Run as administrator".

In the command prompt please type the following exactly.

CHKDSK  C:  /R

This will tell Windows to run a full disk check; however, you'll get the following, telling you it cannot run because the drive is in use.

Press the Y key to tell it to run on the next restart of the computer.

 

    Microsoft Windows [Version 10.0.10586]
    (c) 2015 Microsoft Corporation. All rights reserved.

    C:\WINDOWS\system32>CHKDSK C: /R
    The type of the file system is NTFS.
    Cannot lock current drive.

    Chkdsk cannot run because the volume is in use by another
    process.  Would you like to schedule this volume to be
    checked the next time the system restarts? (Y/N)

 

Then restart the computer and let it run.
Then find and copy the disk check entry from the Event Logs and paste back the results here.

How to Read Event Viewer Log for Chkdsk (Check Disk) in Windows 10

 

Then let me know how the computer is running and what specific issues, if any, you're having with Malwarebytes.

 

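The disk-check procedure above, as an added example that is not part of the original thread: it schedules the same full check from an elevated PowerShell prompt and, after the reboot, pulls the chkdsk report out of the Application log instead of scrolling through Event Viewer by hand. Assumptions not stated on the page: the boot-time result is written by provider Microsoft-Windows-Wininit as Event ID 1001, and an online chkdsk by provider Chkdsk; the helper names are mine.

```powershell
# Added example, not code from the original thread. Run from an elevated prompt.
# Assumption: boot-time chkdsk results land in the Application log under provider
# "Microsoft-Windows-Wininit" (Event ID 1001); an online run logs under "Chkdsk".

# Step 1: request a full check (/R implies /F) on the next restart.
# chkdsk cannot lock the system volume while Windows is running, so it asks
# whether to schedule the check; piping "Y" answers that prompt, as in the post.
function Schedule-FullDiskCheck {
    param([string]$Volume = 'C:')
    $chkdskOut = cmd.exe /c "echo Y | chkdsk $Volume /R" 2>&1
    # chkntfs reports whether the volume is now flagged for a check at boot.
    $status = cmd.exe /c "chkntfs $Volume" 2>&1
    [pscustomobject]@{
        Volume    = $Volume
        ChkdskOut = ($chkdskOut -join "`n")
        BootCheck = ($status -join "`n")
    }
}

# Step 2: after the reboot, read the chkdsk report back from the event log.
function Get-ChkdskReport {
    param([int]$Newest = 1)
    $filters = @(
        @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 1001 },  # assumption
        @{ LogName = 'Application'; ProviderName = 'Chkdsk' }                                # assumption
    )
    $events = foreach ($f in $filters) {
        # SilentlyContinue: Get-WinEvent throws when a filter matches nothing.
        Get-WinEvent -FilterHashtable $f -MaxEvents $Newest -ErrorAction SilentlyContinue
    }
    $events | Sort-Object TimeCreated -Descending | Select-Object -First $Newest |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Provider    = $_.ProviderName
                Id          = $_.Id
                Message     = $_.Message   # the full "Checking file system on C:" report
            }
        }
}

# Usage:
#   Schedule-FullDiskCheck -Volume 'C:'   # then Restart-Computer
#   Get-ChkdskReport | Format-List        # after the reboot; paste Message into the reply
```

The Message field of the Wininit 1001 event is the same text Event Viewer shows for the boot-time check, so it can be copied into a reply directly.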

  • Root Admin

As said, the logs look pretty good. Not many infections go around modifying current accounts. They typically use your own rights (normally Admin level) to attack the box, then install as services or drivers with full access to continue doing whatever it is they want to do.

These are the only accounts listed from the FRST program.

 

Administrator (S-1-5-21-130373187-614007382-1928682149-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-130373187-614007382-1928682149-503 - Limited - Disabled)
defaultuser0 (S-1-5-21-130373187-614007382-1928682149-1000 - Limited - Disabled) => C:\Users\defaultuser0
Guest (S-1-5-21-130373187-614007382-1928682149-501 - Limited - Disabled)
Matt Adkins (S-1-5-21-130373187-614007382-1928682149-1003 - Limited - Enabled) => C:\Users\Matt Adkins
My Portal (S-1-5-21-130373187-614007382-1928682149-1002 - Administrator - Enabled) => C:\Users\My Portal

I don't think there is any infection but I can potentially help you look at security settings if you can be a bit more specific as to what your concern is.

Thanks again

Ron

 

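The account list quoted above, reproduced as an added example (not from the original thread) so the poster can generate it themselves and see which entries are built-in. Facts assumed here that the page does not state: the relative IDs 500, 501 and 503 at the end of a SID are the built-in Administrator, Guest and DefaultAccount, which Windows 10 creates disabled, and defaultuser0 is the temporary account Windows setup (OOBE) uses and leaves disabled. The script uses CIM classes present on every Windows 10 build, because the Get-LocalUser cmdlet only arrived with PowerShell 5.1; the function names are mine.

```powershell
# Added example, not code from the original thread.
# Lists local accounts with SID, enabled state, Administrators membership and
# profile path, then flags the combinations that would actually be worth asking about.

function Get-LocalAccountReport {
    # Fixed RIDs for built-in accounts (well-known Windows values).
    $knownRids = @{
        '500' = 'built-in Administrator (disabled by default on Windows 10)'
        '501' = 'built-in Guest (disabled by default)'
        '503' = 'built-in DefaultAccount (system-managed, disabled)'
    }

    # Members of the local Administrators group via the Win32_GroupUser association.
    $adminMembers = Get-CimInstance -ClassName Win32_GroupUser |
        Where-Object { $_.GroupComponent.Name -eq 'Administrators' -and
                       $_.GroupComponent.Domain -eq $env:COMPUTERNAME } |
        ForEach-Object { $_.PartComponent.Name }

    # Profile folders, keyed by SID, so we can show the "=> C:\Users\..." part FRST prints.
    $profiles = @{}
    Get-CimInstance -ClassName Win32_UserProfile | ForEach-Object { $profiles[$_.SID] = $_.LocalPath }

    Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = TRUE' |
        ForEach-Object {
            $rid = ($_.SID -split '-')[-1]
            $origin = if ($knownRids.ContainsKey($rid)) { $knownRids[$rid] }
                      elseif ($_.Name -eq 'defaultuser0') { 'setup (OOBE) leftover, normally disabled' }
                      else { 'created after install (RID 1000 and up)' }
            [pscustomobject]@{
                Name    = $_.Name
                SID     = $_.SID
                Enabled = -not $_.Disabled
                IsAdmin = ($adminMembers -contains $_.Name)
                Origin  = $origin
                Profile = $profiles[$_.SID]
            }
        } | Sort-Object SID
}

# What would actually matter: an enabled admin account you did not create, or a
# built-in account that someone has re-enabled.
function Find-SuspiciousAccounts {
    param([string[]]$Expected)   # account names you know you created
    Get-LocalAccountReport | Where-Object {
        ($_.Enabled -and $_.IsAdmin -and ($Expected -notcontains $_.Name)) -or
        ($_.Enabled -and $_.Origin -like 'built-in*')
    }
}

# Usage (account name taken from the FRST output quoted above):
#   Get-LocalAccountReport | Format-Table -AutoSize
#   Find-SuspiciousAccounts -Expected 'My Portal'
```

Run against the list in the post, the second function returns nothing: the three built-in accounts and defaultuser0 are disabled, and the only enabled administrator is the account the poster created.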

Ok. Well, that sounds good.

My other concerns stem primarily from changes that occurred to account controls and rights, some certificate items, the MB dashboard and the inability to click boxes for specified locations when choosing the custom scan, MB items spread throughout folders (not necessarily all residing within the original install location; the same concerns as the last two apply to BD as well), and finding executable files in both MB and BD with what appears to be certain functions turned off within the scripting. I will do my best to provide examples below.

So, I created the bottom 3 accounts as listed in your mail when I set up the unit. The top 3 as listed, I have no idea what/who they are. I don't run/operate/have a "network" other than a wifi router. That makes these dependencies look suspicious to me, since I don't run, to my knowledge, a proxy or VPN setup.

[Screenshots: netw1.PNG]

[Screenshots: netw2.PNG]

Maybe it's normal, I don't know.

Below I've included running services, which may or may not be normal.

[Screenshots: serviceslist1.PNG through serviceslist7.PNG]

Which to me looks like a ton of services, but what do I know? Not much.

 

Lastly, here are the system events of the last 12 hours before sending this back: me leaving the computer around 3:30 as I triggered a shutdown, returning around 10:30 or so this evening and starting it up.

sysev12.txt

After the events is the security log from roughly the same time period.

seclog.txt

Which, I don't know what the empty name space entries are. I don't know what the NT authority rights changes are. All happening while I was searching through, looking for the things that looked like the suspicious events.

[Screenshot: Certs1.JPG]

Why is my cert for my computer listed as remote desktop? It doesn't make sense for it to be remote if I am logged into it and sitting in front of it. It should be verified, I would think, and not reside in the remote desktop folder. If I open it, it says I have the private key. But I don't want to move it to trusted if, say, I had a UTN user trust cert that was bunk with a pre-SHA1 cert (MC5 I think) that had let something in before I started using better security.

Hopefully that gives more detail. Maybe it's uber paranoia after a breach, or maybe it is something. Again, Newb.

Thank you.

 


  • Root Admin

Please download the following root certificates scanner. Remember where you save it. Then quit all browsers and double-click on RCC.exe to run the scanner.
Post back the results of the scanner.

You can also download Microsoft SigCheck to verify the certificates and signatures of files.
Here is an article on using the tool to check all the files in a specified folder.

Use Microsoft’s Sigcheck 2.0 to check all files in a folder on Virustotal  

Overall I don't believe there is an issue there, but these tools can help you to check that.

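The two checks this reply points at (root certificates and file signatures), as an added example that is not part of the original thread and does not reproduce RCC or SigCheck: it verifies Authenticode signatures on the executables under the Malwarebytes and Bitdefender install folders with the built-in Get-AuthenticodeSignature cmdlet, and lists the trusted roots in the machine store for comparison against a known-good list. The folder paths and function names are assumptions. One fact assumed that the page does not state, relevant to the poster's question about the Remote Desktop store: Windows generates a self-signed machine certificate for RDP and keeps it in that store, so its presence there is expected; the store that decides what the machine trusts is LocalMachine\Root.

```powershell
# Added example, not code from the original thread or from either vendor.
# Folder paths are assumptions; adjust to where the products are installed.

function Test-FolderSignatures {
    param([string[]]$Folders)
    foreach ($folder in $Folders) {
        if (-not (Test-Path -Path $folder)) { continue }
        Get-ChildItem -Path $folder -Recurse -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    File   = $_.FullName
                    Status = $sig.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash  # for a VirusTotal lookup
                }
            }
    }
}

# Anything other than Valid deserves a look. HashMismatch means the file was
# modified after it was signed, which is what a tampered vendor binary looks like;
# NotSigned on a file the vendor normally signs is the next thing to question.
function Find-UnsignedOrTampered {
    param([string[]]$Folders)
    Test-FolderSignatures -Folders $Folders | Where-Object { $_.Status -ne 'Valid' }
}

# Root store review. Lists current (unexpired) roots in the machine-wide trust
# store whose subject is not Microsoft's own, sorted newest first, so a root that
# appeared recently stands out when compared against the RCC output.
function Get-ThirdPartyRoots {
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -notmatch 'Microsoft' -and $_.NotAfter -gt (Get-Date) } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter |
        Sort-Object NotBefore -Descending
}

# Usage:
#   Find-UnsignedOrTampered -Folders "$env:ProgramFiles\Malwarebytes", "$env:ProgramFiles\Bitdefender"
#   Get-ThirdPartyRoots | Format-Table -AutoSize
```

Get-AuthenticodeSignature checks the embedded signature and the chain up to a trusted root, so the signature check and the root-store check depend on each other: a bogus root in LocalMachine\Root would make a maliciously re-signed binary report Valid, which is why both lists should be reviewed together.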
