coldone

Potential infection


Hi there, 

So I am having a rather strange problem with my computer: out of the blue, the Remote Access Connection Manager service, which is set to start manually, was set to Automatic. The time it happened I could have sworn I saw command windows popping up after logon. I didn't think anything of it at first, but Sandboxie notified me about compatibility issues with the Remote Access Connection Manager, which is how I realized it was running in the first place, and I disabled it instantly.

Aside from basically Twitch, YouTube and this site, I don't surf without Sandboxie, and I don't use any pirated software, so I am not sure what might have happened there.

Thanks in advance for every assistance.

Addition.txt

FRST.txt

mbytes.txt

Edited by coldone


Hi coldone :)

From what I can see, this service is used primarily to manage dial-up and VPN connections to other networks. I see that you have Kaspersky Secure Connection installed, so it could have modified the service startup settings in order to work properly.

https://support.kaspersky.com/13494


Hey, thanks for the quick response. This program comes with Kaspersky, which I installed a while ago, and I have never used it, so I thought I might have caught a RAT. On a quick test it also doesn't seem to require the service to work, so I am not really sure what happened there.


I reviewed your logs, and I don't see anything suspicious in them either. In that kind of situation, what we should do is a forensic investigation, which sadly is not something I've been trained to do, so there's not much I can do.


I wouldn't know sadly, since as I said, I'm not trained in that domain.

Quote

The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

https://en.wikipedia.org/wiki/Computer_forensics

This is basically what we want to do here: identify what enabled the service. It isn't possible with FRST logs, nor with any of the tools we use, as they are aimed at removing malware, not at helping us identify events that occurred on a system.


That reads a bit too in-depth for me to do as well, so I guess I am just going to hope it wasn't anything malicious.

Edited by coldone


From my experience with Windows, pretty much anything could have caused this. I've dealt with Windows long enough to know that sometimes things happen on the system for no apparent reason at all, and I just live with it now (unless they are really, really weird). It's possible that one of your programs enabled that service too.

Edit: You could always set it back to Manual and see if it gets enabled again?

Edited by Aura


Did you notice it right away? What were you doing when it enabled itself again?


I am relatively certain it requires a restart. I don't think I was doing anything in particular before that, aside from surfing a bit on Reddit and Twitch.

Edited by coldone


You could always set it back to Manual, restart your computer, and then start ProcMon right away to see if we can capture the moment it gets enabled, and whether it is enabled using cmd.exe, services.msc or something else.

Process Monitor - Capture

  • Download Process Monitor from the Sysinternals Suite, and extract the ProcessMonitor.zip file;
  • Right-click on Procmon.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Wait for the program to start capturing events (you'll see entries appear very fast);
  • Wait for the service to be set to Automatic startup;
  • Once done, click on the little magnifying lens button to stop the capture;
  • Click on the File menu, followed by Save..., and save the logfile (by default it'll be saved in the ProcessMonitor folder);
  • Right-click on the ProcMon trace file you saved (.pml file), select Send to and Compressed (zipped) folder;
  • Attach that .zip file in your next reply.

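The ProcMon capture above watches the change happen live. As an added example that is not part of the original thread (it is not code posted by Aura or coldone, nor anything from Sysinternals), the following PowerShell script does the same job from the command line: it reports the current start type of the service, pulls the Service Control Manager's event 7040 entries (which Windows writes to the System log every time a service start type changes, so you get the timestamp of the change), resets the service to Manual, and then puts an audit SACL on the service's registry key so that the next change produces Security event 4657, which names the process that wrote the value. The service name RasMan, the registry path, and the two event IDs are real Windows values; the choice of the Everyone principal for the audit rule is an assumption you can narrow. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original thread. Run elevated.
# Goal: find out when the RasMan (Remote Access Connection Manager) start type
# flipped from Manual to Automatic, and set up auditing to catch who does it next.

$svc = 'RasMan'
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"

# 1. Current start type. In the registry: 2 = Automatic, 3 = Manual, 4 = Disabled.
$startValue = (Get-ItemProperty -Path $key -Name Start).Start
$startType  = (Get-Service -Name $svc).StartType
"$svc registry Start = $startValue ($startType)"

# 2. Event 7040 in the System log records every start-type change made through
#    the Service Control Manager, with a timestamp (but not the calling process).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7040 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Remote Access Connection Manager*' } |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap

# 3. Put the service back to Manual (what the OP did by hand in services.msc).
Set-Service -Name $svc -StartupType Manual

# 4. Turn on registry object-access auditing and add a SACL entry on the service
#    key for successful SetValue operations. 'Everyone' is an assumption; any
#    principal that covers the likely writers (SYSTEM, Administrators) works.
auditpol /set /subcategory:"Registry" /success:enable | Out-Null
$acl  = Get-Acl -Path $key -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone', 'SetValue', 'None', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $key -AclObject $acl

# 5. After the next reboot (or whenever the change recurs), read the 4657 events.
#    Each one carries Object Name, Object Value Name (look for "Start") and
#    Process Name of the writer.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*\Services\$svc*" } |
    Select-Object TimeCreated, Message |
    Format-List
```

Two caveats a practitioner should keep in mind. First, if the 4657 event (or the ProcMon RegSetValue line) names services.exe as the writer, the change was made through the Service Control Manager API (sc config, services.msc, Set-Service, an installer), and the registry write is performed by the SCM on the caller's behalf; in that case use the 7040 timestamp to correlate with process-creation events in the same capture (ProcMon's Process Create events, or Security event 4688 if process-creation auditing is enabled) to find the program that made the request. Second, coldone reports that the change is already present by the time the desktop appears after a restart, so a ProcMon session started after logon will miss it; ProcMon's Options menu has Enable Boot Logging, which records from boot and saves the trace when ProcMon is next started.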

Well, aside from me having now reinstalled Windows after a sort of failed system restore while trying to figure out what might have changed in between, I am going to try, although I am not sure if it'll work, considering that the last time I checked, the change had already been made by the time I saw the desktop after the restart.

Quote

Well, aside from me having now reinstalled Windows after a sort of failed system restore while trying to figure out what might have changed in between

You just reinstalled Windows? Like, after making this thread?


A couple of hours before my last post. I figured I'd test out whether it would also happen when I restored my system from a week ago or so, and well, it did, but something went wrong and I wasn't able to use Office anymore at all; neither repair nor uninstall was working, which kinda sucks when you really need access to your work.

Edited by coldone


Ah, alright, I understand. Now, is that service's startup type still being changed from Manual to Automatic, or not?


At this point not yet, but last time it took a while as well, so I guess I'll just try to monitor the situation.


Alright. Still, I don't think that you are infected here. This service setting is probably being changed by one of your installed programs, but I don't know how to tell you which one.


Hi coldone,

Are you still with me?


Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance, please start your own topic in a new thread. Thanks!
