Potential infection

[coldone]

Hi there, 

so I am having that rather strange problem with my computer which is out of the blue the Remote access connection Manager service which is set to start manually was set to Automatically. The time it happened I could have sworn I have seen command windows popping up after the logon. I didn't directly think anything of it but sandboxie notified me about compatibility issues with the Remote access connection manager which is how I realized it was running in the first place and I just disabled it instantly.

Aside from basically twitch, youtube and well this site I don't surf without sandboxie and I don't use any pirated software so I am not sure what might happened there.

Thanks in advance for every assistance.

Addition.txt

FRST.txt

mbytes.txt

Edited November 8, 2017 by coldone

[Aura]

Hi coldone

From what I can see, this service is used primarily to manage dial-up and VPN connections to other networks. I see that you have Kaspersky Secure Connection installed, so it could have modified the service startup settings in order to work properly.

https://support.kaspersky.com/13494

[coldone]

Hey thanks for the quick response this program comes with Kaspersky which I installed a while ago and I have never used it so I thought I might have caught a rat. On a quick test it also doesn't seem to require the service to work so I am not really sure what happened there.

[Aura]

I reviewed your logs, and I don't see anything suspicious in them either. In that kind of situation, what we should do is a forensics investigation, not something I've been trained to do sadly, so there's not much I can do.

[coldone]

Mhh how would I go about that ?

[Aura]

I wouldn't know sadly, since as I said, I'm not trained in that domain.

Quote

The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

https://en.wikipedia.org/wiki/Computer_forensics

This is basically what we want to do here: identify what enabled the service. It isn't possible with FRST logs, nor with any of the tools we use as they are aimed at removing malware, not help us identify events that occured on a system.

[coldone]

That reads a bit too in-depth for me to do as well so I guess I am just gonna hope it wasn't anything malicious I suppose.

Edited November 8, 2017 by coldone

[Aura]

From my experience with Windows, pretty much anything could have caused this. I've dealt with Windows long enough to know that sometimes, things happens on the system for no apparent reason at all and I just live with it now (unless they are really, really weird). It's possible that one of your program enabled that service too.

Edit: You could always set it back to Manual and see if it gets enabled again?

Edited November 8, 2017 by Aura

[coldone]

Good idea restarted a couple times but it doesn't seem to happen at the moment.

[coldone]

Well ok now it finally enabled again.

[Aura]

Did you notice it right away? What were you doing when it enabled itself again?

[coldone]

I am relatively certain it requires a restart. I don't think I was doing anything in particular before that aside from surfing a bit on reddit and twitch.

Edited November 9, 2017 by coldone

[Aura]

You could always set it back to Manual, restart your computer, and then start ProcMon right away to see if we can capture the moment it gets enabled. IF it is enabled using cmd.exe, services.msc or else.

Process Monitor - Capture

• Download Process Monitor from Sysinternal Suite, and extract the ProcessMonitor.zip file;
• Right-click on Procmon.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
• Wait for the program to start capturing events (you'll see entries appears very fast);
• Wait for the service to be set to Automatic startup
• Once done, click on the little magnifying lense button to stop the capture;
  
• Click on the File menu, followed by Save... and save the logfile (by default it'll be saved in the ProcessMonitor folder);
• Right-click on the ProcMon trace file you saved (.pml file), select Send to and Compressed archive (.zip);
• Attach that .zip file in your next reply;
  

[coldone]

Well aside from me having now windows reinstalled after a sort of failed system restore trying to figure out what might have changed in between -  I am going to try although I am not sure if it'll work considering the last time I checked the change was already made when I just saw the desktop on restart.

[Aura]

Quote

Well aside from me having now windows reinstalled after a sort of failed system restore trying to figure out what might have changed in between

You just reinstalled Windows? Like, after making this thread?

[coldone]

Couple hours before my last post  - I figured I'd test out whether it would also happen when I restored my system from a week ago or something and well it did but something went wrong and I wasn't able to use office anymore at all and it was neither repair nor uninstall were working which kinda sucks when you really need access to your work.

Edited November 10, 2017 by coldone

[Aura]

Ah alright I understand. Now, is that service startup type still being changed from Manual to Automatic, or not?

[coldone]

At this point not yet but last time it took a while as well so I guess I'll just try to monitor the situation.

[Aura]

Alright. Still, I don't think that you are infected here. This service settings is probably being changed by one of your installed programs, but I don't know how to tell you which one.

[Aura]

Hi coldone,

Are you still with me?

[Aura]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!