
Infected or not, I don't know anymore.



Forgot to mention I ran Malwarebytes Prem. 3.1 and it shows no infection; Hitman Pro Alert and Avast show no problems either. But I've been getting weird errors, and just today, right off the bat, I got Error: ssl_error_bad_mac_read. And netstat shows the first listings, TCP/UDP, as 0.0.0.0.XXX. Is this anything worth concern?

 

Edited by HarassedandTired

  • Root Admin

Hello @HarassedandTired and welcome!

Could be nothing, could be a hardware failure. Let's go ahead and run some scans and see what we find.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

STEP 03

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 


I attached the Farbar files above. Do you want them again?

Attached the MWB text.

# AdwCleaner 7.0.2.1 - Logfile created on Thu Sep 14 20:14:53 2017
# Updated on 2017/29/08 by Malwarebytes
# Running on Windows 10 Pro (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

Deleted: C:\Users\Default\AppData\Local\Host App Service
Deleted: C:\Users\Default User\AppData\Local\Host App Service
Deleted: C:\Users\defaultuser0\AppData\Local\Host App Service


***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

No malicious registry entries deleted.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0

 

9-14-17 MWB_Prem.txt


  • Root Admin

Aside from some errors in the system Event Logs, I'm not seeing any real issues in the logs.

Application errors:
==================
Error: (09/14/2017 11:19:26 AM) (Source: Windows Backup) (EventID: 4104) (User: )
Description: The backup was not successful. The error is: The system cannot find the file specified. (0x80070002).

Error: (09/08/2017 09:10:53 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DTR-417)
Description: Activation of app Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (09/08/2017 09:10:53 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DTR-417)
Description: Activation of app Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (09/07/2017 10:08:58 AM) (Source: ESENT) (EventID: 454) (User: )
Description: services (880) Database recovery/restore failed with unexpected error -551.

Error: (09/07/2017 10:08:58 AM) (Source: ESENT) (EventID: 517) (User: )
Description: services (880) Database recovery failed with error -551 because it encountered references to a database, 'C:\WINDOWS\Security\Database\secedit.sdb', which does not match the current set of logs. The database engine will not permit recovery to complete for this instance until the mismatching database is re-instated. If the database is truly no longer available or no longer required, procedures for recovering from this error are available in the Microsoft Knowledge Base or by following the "more information" link at the bottom of this message.

Error: (09/07/2017 10:08:58 AM) (Source: ESENT) (EventID: 454) (User: )
Description: services (880) Database recovery/restore failed with unexpected error -551.

Error: (09/07/2017 10:08:58 AM) (Source: ESENT) (EventID: 517) (User: )
Description: services (880) Database recovery failed with error -551 because it encountered references to a database, 'C:\WINDOWS\Security\Database\secedit.sdb', which does not match the current set of logs. The database engine will not permit recovery to complete for this instance until the mismatching database is re-instated. If the database is truly no longer available or no longer required, procedures for recovering from this error are available in the Microsoft Knowledge Base or by following the "more information" link at the bottom of this message.

Error: (09/07/2017 07:49:17 AM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: The backup did not complete because of an error writing to the backup location E:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006).

Error: (09/01/2017 12:01:36 PM) (Source: Microsoft-Windows-Defrag) (EventID: 257) (User: )
Description: The volume LENOVO_PART was not optimized because an error was encountered: The disk was disconnected from the system. (0x89000011)

Error: (09/01/2017 12:01:34 PM) (Source: Microsoft-Windows-Defrag) (EventID: 257) (User: )
Description: The volume WinRE_DRV was not optimized because an error was encountered: The disk was disconnected from the system. (0x89000011)


System errors:
=============
Error: (09/08/2017 10:25:10 AM) (Source: DCOM) (EventID: 10016) (User: DTR-417)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID 
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user DTR-417\TAS SID (S-1-5-21-1433470868-4108002355-3127223310-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/08/2017 10:25:10 AM) (Source: DCOM) (EventID: 10016) (User: DTR-417)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID 
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user DTR-417\TAS SID (S-1-5-21-1433470868-4108002355-3127223310-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/08/2017 10:25:10 AM) (Source: DCOM) (EventID: 10016) (User: DTR-417)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID 
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user DTR-417\TAS SID (S-1-5-21-1433470868-4108002355-3127223310-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/08/2017 09:12:30 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CldFlt service failed to start due to the following error: 
The request is not supported.

Error: (09/08/2017 09:11:25 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Appinfo service.

Error: (09/08/2017 09:10:53 AM) (Source: DCOM) (EventID: 10010) (User: DTR-417)
Description: The server Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy!Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassId.WebAccountProvider did not register with DCOM within the required timeout.

Error: (09/08/2017 09:10:53 AM) (Source: DCOM) (EventID: 10010) (User: DTR-417)
Description: The server Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy!Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassId.WebAccountProvider did not register with DCOM within the required timeout.

Error: (09/07/2017 11:20:13 AM) (Source: DCOM) (EventID: 10016) (User: DTR-417)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID 
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user DTR-417\TAS SID (S-1-5-21-1433470868-4108002355-3127223310-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/07/2017 11:20:13 AM) (Source: DCOM) (EventID: 10016) (User: DTR-417)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID 
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user DTR-417\TAS SID (S-1-5-21-1433470868-4108002355-3127223310-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/07/2017 11:20:13 AM) (Source: DCOM) (EventID: 10016) (User: DTR-417)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID 
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user DTR-417\TAS SID (S-1-5-21-1433470868-4108002355-3127223310-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

 

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using the Reset FF Proxy Settings option, Firefox should be closed.

 

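A small triage script for an FRST error list like the one quoted above, added here as an example (it is not part of the thread and not a feature of FRST or Malwarebytes). It parses the `Error: (...) (Source: ...) (EventID: ...)` entries, joins FRST's multi-line descriptions, collapses verbatim repeats, counts by Source and EventID, and flags any pair outside a noise allowlist I built from the errors in this thread; the sample entries are constructed from the log above with abbreviated descriptions.

```python
import re
from collections import Counter

# Header line of one entry in FRST's "Application errors" / "System errors" lists.
HEADER = re.compile(r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<src>[^)]*)\) "
                    r"\(EventID: (?P<eid>\d+)\) \(User: (?P<user>[^)]*)\)$")

# (Source, EventID) pairs that are routine Windows noise. My own allowlist,
# built from the errors quoted in this thread; FRST itself has no such list.
KNOWN_NOISE = {("DCOM", 10016), ("DCOM", 10010), ("Windows Backup", 4103),
    ("Windows Backup", 4104), ("Microsoft-Windows-Defrag", 257), ("ESENT", 454),
    ("ESENT", 517), ("Service Control Manager", 7000), ("Service Control Manager", 7011),
    ("Microsoft-Windows-Immersive-Shell", 5973)}

# Constructed sample: two entries copied from the log above (descriptions
# abbreviated); the DCOM one is repeated verbatim in FRST's multi-line layout.
BACKUP = """Error: (09/14/2017 11:19:26 AM) (Source: Windows Backup) (EventID: 4104) (User: )
Description: The backup was not successful. (0x80070002).
"""
DCOM = """Error: (09/08/2017 10:25:10 AM) (Source: DCOM) (EventID: 10016) (User: DTR-417)
Description: Local Activation permission not granted for CLSID 
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID 
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user DTR-417\\TAS (Using LRPC).
"""
SAMPLE = BACKUP + "\n" + DCOM + "\n" + DCOM

def parse_frst_errors(text):
    """One dict per entry; Description lines are joined until a blank line."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"ts": m["ts"], "src": m["src"], "eid": int(m["eid"]), "desc": ""}
            entries.append(cur)
        elif cur is not None and line:
            line = re.sub(r"^Description:\s*", "", line)   # CLSID/APPID continuation lines
            cur["desc"] = (cur["desc"] + " " + line).strip()
        else:
            cur = None   # blank line ends the current entry
    return entries

def triage(entries):
    """Collapse exact repeats, count by (Source, EventID), list non-allowlisted pairs."""
    unique = {(e["ts"], e["src"], e["eid"], e["desc"]) for e in entries}
    counts = Counter((src, eid) for _, src, eid, _ in unique)
    return {"total": len(entries), "unique": len(unique), "counts": counts,
            "review": sorted(k for k in counts if k not in KNOWN_NOISE)}
```

Anything listed under `review` is what to read closely; the allowlisted pairs here are the backup, DCOM permission and ESENT recovery errors the admin dismissed above.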

Downloading now but a couple of questions.

Know this will sound ungrateful, so I apologize profusely in advance... but with the MiniToolBox and all that it covers, will this expose the PC more? Can it be used to open the windows wide and let all comers surf around the PC or network?

I have had such a difficult time trying to get "my friend" out of and off the network that I am concerned 1) this is all a waste of your time and my frustration, and 2) it will let them in more because all settings are/have been/will lock me out again.


  • Root Admin

It will reset some defaults, which in most cases is a good thing.

Another thing you may want to do is reset your router.

Please review the following website and read it before continuing and then do a Hard Reset back to Factory Defaults for your router.
This information is only for resetting the router DO NOT erase, install, or update the firmware, just reset your router to factory defaults.

Reset And Reboot

Hard reset or 30/30/30

 


Another dumb question or two, three...

Which defaults, and are they important for keeping the baddies out?

What state are you in, and do you work on PCs? I have one OLD PC completely trashed when they got (combo OLD + what was "installed") plus a laptop (they got to both). Would like to use them again but no reliable places round here. Unfortunately, when I went to ask the Black&Orange Squad about everything, I knew more than they did :o :(


  • Root Admin

The Windows 10 default network settings are pretty secure, much more so than any previous version of Windows. With both the router reset and Windows 10 set up and running its firewall, a remote attack is nearly impossible. Email and web browsing are the number one methods of entry, not remote attacks. Basically, it's easier to try to trick a user into running a file than it is to actually spend the time trying to remotely find an exploit to get in, especially when there is little chance of monetary gain.

If you boot the computers up still then we can probably fix them.

 


Well... they broke into my house after I bought a new PC & router and physically accessed the PC/router/gateway, then posted the PC name somewhere my husband and I could see it broadcast :( :'(

Really??? That would be awesome.

Ran MTB and will work on the router thing.

Any other advice to lock the PC & router down? Particular software? Already have Wi-Fi on the gateway & router turned off.

 

Edited by HarassedandTired

  • Root Admin

No, you're probably just fine, but if you had someone break into the home and steal your stuff that's not exactly the same thing as someone remotely attacking your computer.

Make sure that for ALL places you visit on the Web, etc., you've changed your passwords and that you're using strong passwords too. If they had full access to your computer then you may have had passwords somewhere on your computer that allowed them to access other sites too. Normally they would have full access to your email as well, since most email just opens on a computer and does not ask for a password. See the note about mail below though. You don't want to change passwords if someone has access to your old email.

You might want to consider quitting your current email and starting a new free one from Outlook or Gmail or even Mail.com or Hushmail - simply changing a password on your old mail account would possibly send them the information too in email thus invalidating the change.

Please go ahead and run the MiniToolbox and post back that log. Then look at doing the Router Reset and let me know how things are going.

 

Edited by AdvancedSetup

  • Root Admin

Volume is encrypted by BITLOCKER

As you're using disk encryption we're unable to load the driver.

We can try the Kaspersky Antivirus scanner and see if it finds anything. Use of encryption has its pros and cons.

 

Please download and run the following tool to remove any found threats:

Kaspersky Virus Removal Tool


This topic is now closed to further replies.