Hijacked Internet connection - trojan? Help Please

[KenEgginton]

Over the last few weeks, my Windows 10 PC has been showing strange behaviour (the Desktop and Mail can take an age to start-up) and slow Internet access.  Zonealarm Firewall often pops-up when apps are started and randomly (even to ask permission for App like Store, Outlook to use explorer or connect to the Net). 

The PC has AVG installed.  I tried scanning with MBAM, SuperAntiSpyWare, AdwCleaner and Sophos to no avail - nothing detected (a couple of PUPs - AskJeeves).

SuperAntiSpyWare highlighted a number of processes running from AppData/Local/Temp/_MWI<random number> which is created on power-up.  One of the folders inside contains 'resources' that include images that look like copies of Desktop/Windows furniture/icons.  There are worrying .PYD files (with filenames like mx_windows_ and _yappi) and copies of .DLLs (like mfc90 and msvcm90).

I have spent some time reading other requests for help in this forum and see that some scan result files are often requested.  I have attached a threat scan report from MBAM (in safe mode) and FRST64 (not in safe mode) with the hope that someone can offer some help.

Cheers,

Ken

Mbam scan.txt

FRST.txt

Addition.txt

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry because we have a team of experts here help you!!

Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact a Moderator or Administrator to let them know.

 

First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details:

Spoiler

Malwarebytes can detect and remove most malware with no further actions required for free.

If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.

1. Open Malwarebytes for Windows
2. To the left, click Scan > Scan Types.
   
3. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.
   
4. Click Start Scan

Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool:

Spoiler

Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.

Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

1. Double-click to run it. When the tool opens click Yes to the disclaimer.
2. Press the Scan button.
   
3. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
4. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.

Finally, attach the Malwarebytes Threat Scan, FRST.txt and Additional.txt logs to your reply and Follow this topic to get notified when an expert has replied. Click "Reveal Hidden Contents" below for details.

Note: If you are unable to attach files, please copy and past the contents of the requested files in your Reply instead. 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

 

After posting your new post, make sure you click the Follow button near the top right of this page, and select the option "An email when new content is posted Change how the notification is sent" so that you're alerted by email when someone has replied to your post.

Please Note the Following:

• One of our expert helpers will give you one-on-one assistance when one becomes available.
• Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
• Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help
• If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.

Troubleshooting Tips

• FAQ - Malwarebytes won't run or failed to resolve my issues
• Groups authorized to help with Malware Removal for Windows logs

[KenEgginton]

It's been 5 days since my first request for help but I understand the demand this forum can create.

Having been looking around, I think the _yappi.pyd files I was concerned about are probably googledrive related and do not pose a threat but I've been keeping the machine in question powered-down just in case.

I also have a Windows 7 machine on my home network which is playing up in a similar way - browsers, video playback in a security-cam app (iSpy Connect) seem to be running very slowly - their behaviour makes me feel that the images/pages are being processed (decrypted??) before being displayed - I worry now about ransomware.

Cheers,

Ken

 

[AdvancedSetup]

Hi Ken @KenEgginton and

Very sorry for the delay. Since it's been a long time if you still need help let me get some new logs please.

 

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

• If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
• If you don't have Malwarebytes 3 installed yet please download it from here and install it.
• Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
• Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
• If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

• Right-click on the program and select Run as Administrator to start the tool.
• Accept the Terms of use.
• Wait until the database is updated.
• Click Scan.
• When finished, please click Clean.
• Your PC should reboot now if any items were found.
• After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens, click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here.
• Please attach the Additions.txt log to your reply as well.

 

Thanks

Ron

 

[KenEgginton]

Hi Ron, thanks for the response.

I am still concerned about this PC - I worry that I may be being fed spoofed web pages etc by a DNS exploited router/man-in-the-middle attack (perhaps courtesy of my security cameras or wmalware).  For example when I downloaded the latest FRST, it had the same creation date (26 Apr 2018) as the earlier one but had a later modification date (19 May rather than 26 Apr) and a different size (2,413,056 compared with the earlier  2,405,888) - and when I tried to run it Windows Defender jumped in and claimed it looked suspicious - so I ran the earlier version (which produced no such warning).  BTW, the router passes the F-Secure Router Checker test.

I usually run AVG Free anit-virus with ZoneAalrm firewall but a recent AVG update forced a trial upgrade to the full Internet Security product - this means that its Enhanced Firewall is running on top of ZoneAlarm's firewall.  Even before the AVG 'upgrade,' ZoneAlarm (set to max security) had been repeatedly popping up requests for internet access byy Office Hub Task Host and one or two other apps including Firefox, albeit just after an update but I would have thought The SmartDefense would have taken care of that, and trying to update Adobe Flash produced some really scary warnings and it trying to modify the machine and allowing apps to run wil-nilly - I tried to deny that and am now not sure whether the update completed.

Since my first contact,  the PC has updated to the 1803 version of Win 10 and one or two other AV scans have been run (no malware found).  Often the PC seems slow, start-up behaviour seems 'different' and occasionally, the screen flickers momentarily as though it was being 'recorded/replaced'.

 

Anyway, here are the files you requested:

Thanks,

ken

 

mbam report.txt

AdwCleaner[S01].txt

FRST.txt

Addition.txt

[AdvancedSetup]

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

Ron

 

[KenEgginton]

Thanks Ron,  Ihave not yet run the fixlist file as I'm still not sure about FRST64 itself.

It was not the OLDER version of the FRST64 that alarmed Windows Defender - it was the LATEST version.

Now  using a different PC & router (which could also be infected - I moved this PC (not the one you have the scans of) to a different router after I started to become suspicious and switch ADSL connections), I've just downloaded FRST64 again and submitted it to VirusTotal.  5 of the scanners report it as dangerous.  I will attach both the FRST64.exe and the VirusTotal report.

How do I know I can trust the new FRST64 itself?  Can I run the fixlist with the older version?

I think I need to download it on different PC/router combinations and compare  the filesize/timestamp - what do you think?

Ken

FRST64.zip

[AdvancedSetup]

I think the file is fine. You can run the fixlist with an older version though as long as it's not too old. If it's too old it won't run all the way

 

[KenEgginton]

Thanks Ron,

Sorry for the delay, I get limited time to work on this problem.

I ran the slightly older FRST64 and selected Fix.  The PC was not connected to the 'net at the time and so couldn't update but it ran ok to completion anyway.  Although as you will see from the Fixlog, the performance countersetting couldn't be rebuilt.

After reboot, Zonealarm popped up notifications asking whether I wanted to allow 'Office Hub Task Host' and 'Microsoft Outlook Communications' to connect to the 'net - so some issue remains.

Over the last few days I have seen photos & video tiles in the Google Photos app on my Android tablet go blank (and videos refuse to play).

I booted the PC using both Linux Mint 18.3 live CD and a Kaspersky Rescue Disk on USB drive - neither could accessthe hard-drive (Linux reported that the NTFS was in an unstable state and it refuse to mount).

On another PC (Win 7) a lot of files are reported by SuperAntiSpyware as to having no 'certificate' even though they apparently check out ok in VirusTotal.  One such file is PrintDisp.exe.  Many of the 'date accessed' attributes are set within seconds/minutes of each other and 'date created/modified' seem at odds with what they should be (modified?) Images in Google Photos on the website are often shown taken on the wrong dates.

Could it be that files (system & data) are being modified (or their Alternate Data Streams - SAS reports many unknown ADSs, esp for Dropbox files but that may be normal for DB ) in readiness for a Ransomware attack and demand?

I can't say yet whether I see any other improvements in behaviour - I don't know enough about theworkings of Windows to know whether I should see 'System Interrupts', 'Usedmode Font Driver Host', 'CTLoader' etc often taking high cpu places in the Task Manager.  It makes me feel system files are being hijacked.  Meanwhile AVG, SAS and MBAM report nothing to worry about - ho hum.

Over to you & Thanks for your time

Ken

Fixlog.txt

[AdvancedSetup]

Let me have you run a Kaspersky antivirus scan and see what it can find.

 

Please download and run the following Kaspersky antivirus to remove any found threats

Kaspersky Virus Removal Tool

 

Let me know what it finds.

Thanks

Ron

 

[KenEgginton]

Sorry for the delay - scanning now. 

Haven't been using this PC (I've been working on my Win 7 machine that seems to not want to update Windows) - Might need help wityh that.  Scared myself silly when I spotted a Windows Credentials entry for 'virtualapp/didlogical' with a username '02zdjlqfggl' and it took me a while to learn that it's created by Windows Live apps (I hope).  I worry that I'm running in a virtual machine under control of malware.

Did try Kapsersky Resue Disk 10 before going into Windows and this time (post Fixlist) it DID mount hard-drive - but I stopped it as the database files were out-of-date - will try again later now that I have it connected to the 'net.

Will be back when the scan has finished.

Ken.

[KenEgginton]

Hi Ron,

After a complete Kaspersky Virus Removal Tool scan of the hard-drive tc, it reported just these three objects:

not-a-virus:NetTool.Win32.RemoteExec.a
File: C:\Users\Clive\Desktop\Utils - System\Guru3D DDU\DDU v16.0.0.1.exe
Legal software that can be used by criminals to damage your computer or personal data
    MD5:  21EF151DC6EFD4622B5A4A67FCB6C400
    SHA256:  7C86F0F3D62698455C349D9B03D880DC0BF12D20FD10A3228C84F4E3E80BAA0E
--------------------------------------------------------
not-a-virus:NetTool.Win32.RemoteExec.a
File: C:\Users\Clive\Desktop\Utils - System\Guru3D DDU\Display Driver Uninstaller.exe
Legal software that can be used by criminals to damage your computer or personal data
    MD5:  9400915176047D97782C045638491284
    SHA256:  64AB9B8173B7718FD63D7666E0FF549B1EC1615A560F2CA6A644BBF64409CB73
--------------------------------------------------------
not-a-virus:NetTool.Win32.RemoteExec.a
File: C:\Users\Clive\Desktop\Utils - System\Guru3D DDU\x64\paexec.exe
Legal software that can be used by criminals to damage your computer or personal data
    MD5:  22E9853298C96B1AB89D8F71C4E82302
    SHA256:  01A461AD68D11B5B5096F45EB54DF9BA62C5AF413FA9EB544EACB598373A26BC

I deleted them - along with the rest of the files they came with - they had been on the PC  since June 2016.

 

I am wondering if Google's 'backup & sync' was getting its knickers in a twist - I've disconnected the service and the PC seems quieter.

Your thoughts?

Ken

 

 

[AdvancedSetup]

Google Sync can be good, but if it gets bad data in it then it will propagate it right back onto an otherwise clean system. I know it makes things easy, but I don't use Chrome or Firefox sync myself. I manually keep up on passwords and bookmarks.

 

[KenEgginton]

Thanks Ron - initially I didn't recognize that the link to miekiemoes's post was related (it refers to detections that return, I'm seeing no detections) but I shall check it out as soon as I can.

In the meantime I have tried a number of scans including MBAM, Windows Defender Offline (pre-Windows)  and Kaspersky Rescue Disk 10 (Offline) - none of which detect any mlware acgtivity - and yet I still see 'unlikely' processes running in Task Manager and their exe files seem to have sizes and timestamps that do not correspond to reported values on sites like file.net.  This PC is one of several on my home network and there are a couple of mobile devices that use the same router too - I am scanning those as well, with no detections revealed yet.

Are there any other tools I might be able to use to detect a worm (or whatever) that modifies apps or verify that apps have indeed been compromised?

Ken

[AdvancedSetup]

Hi @KenEgginton

Let me get a new FRST set of logs and I'll review what's running. Very unlikely anything wrong if multiple programs are not finding anything.

You can also run our standalone anti-rootkit program

 

 

Let me have you run the following please. Make sure you temporarily disable your antivirus.

 

Please download Malwarebytes Anti-Rootkit from here
If needed there is a self help tutorial here: MBAR tutorial

• Unzip the contents to a folder in a convenient location.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
• Wait while the system shuts down and the cleanup process is performed.
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
• When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

 

[KenEgginton]

Thanks Ron for the guidance.

I ran FRST and the MBAR scanners.  The anti-rootkit utility didn't find anything and so therefore no cleanup was offered (and no second scan after reboot).

The logs are attached.

Thanks for your time,

Ken

FRST.txt

Addition.txt

mbar-log-2018-06-08 (19-47-30).txt

system-log.txt

[AdvancedSetup]

Let me have  you temporarily uninstall AVG antivirus and reboot.

Then save the following tool from AVG to your computer and run it too to finishing removing any leftover elements of AVG
 

https://files-download.avg.com/util/tools/AVG_Remover.exe

Then reboot again and let me know how the computer is running now.

 

[KenEgginton]

Thanks, I will try this as soon as I can but I'm not quite sure what sort of difference I an expect to see. Maybe I will have a look see whether the processes in task manager look 'right' and watch for other oddities.  As I explained initially, I fear that legitimate apps are being altered to get them to capture data for nefarious purposes.

Using Spybot S&D (or was it SuperAntiSpyware?), I see a lot of Alternate Data Streams attached to certain files on anothe PC (I haven't tried those appps on this PC yet) can Malwarebytes check for and/or removed ADSs (I thought I read somewhere that it can)?

Should I be ensuring that Windows Defender is enabled while AVG is uninstalled?

btw I was going to have to uninstall/reinstall AVG - they had forced a trial of their Internet Security package on me and it had expired yesterday - it seems to having a problem reverting to the free AV version and repeatedly asks for the PC to be rebooted.

Cheers,

Ken

 

 

 

[KenEgginton]

Hi Ron,

I have now uninstalled AVG and am relyhing on Windows Defender - the machine seems a whole lot more responsive and task manager isn't showing the Disk at 100% all the time.  It's difficult to say in the short time since just whether everything else looks better (updates are astill kicking-in I guess) but I shall monitor it over the next day or so.

Interestingly, when I first powered-up today (after trying to update AVG last night and it requiring many reboots) - I was met with a black screen after the log-in screen - no desktop at all other than a pop-up from MBAM to say it needed updating.  I had to reboot (via Ctrl-Alt-Del) to get going again.  I then uninstalled AVG).

I now remember that Zonealarm hadn't used to play nicely with AVG on my old Vista machine (I had to remove AVG and use ZoneAlarm's anti-virus) - maybe there is still an incompatibity?

Anyway, as I said I'll monitor the situation over the next few days and get back to you

One thing I did notice, is that after scanning my Win 7 machine with the latest Spybot S&D (2.7), it reported a lot of registry changes attributed to a user S-1-5-21.xxxx-xxxx-1004.  On the Win10 machine this is translated on folder properties>security tabs (for desktop icons) as 'HomeUsers'.  It worried me that this was a backdoor account but I think there has beeen a change in Homegroup services in the latest Win10 update (1803) and I'm wondering if that's the cause of these extra registry entries? 

Does it seem normal to you to have FOUR users in these security tabs (SYSTEM, My username, HomeUsers, Administrators) ALL with FULL permissions?

Cheers,

Ken

 

[AdvancedSetup]

Since you're using Windows 10, it has rather good built-in antivirus nowadays.

As for the user names, yes they look just fine and nothing shown out of the normal.

Let me know if there are any other signs of an infection or other issues.

Thanks

Ron

 

[KenEgginton]

Thanks Ron, 

The Win10 PC seems to be running ok without AVG but I guess I'm just waiting for the other shoe to drop.  I may try to install the ZoneAlarm AV in a week or so, just to be on the safe-side.  I still haven't attempted to reinstate Dropbox or Google Drive.

As I suggested earlier, I do have a number of other machines & mobile devices and I have seen little 'issues' with each of them.  These could be down to updates but they make me nervous.  Currently, I am keeping them isolated from the network & internet unless using them (and even then I switch between two different routers in case one of them has been hacked) - it's quite inconvenient.  I should think that it would be better for me to begin a new thread for each, as & when I can, am I right?

There is one new observation that makes me worry though - perhaps you could shed some light?

Yesterday, I ran Windows Update on three of the machines (a different Win10 and two Win7 machines) - now the two Win7 PCs did the same thing:  I had Task Manager open to monitor the Network (Ethernet) traffic during the download, the 224Mb update should have taken about 4 minutes at my connection speeds but the Task Manager showed downloading for only about 10% of the process (the % indicator still took about 4 mins but the downloading was apparently over in in about 20 seconds or so). The Win10 download seemed to go as expected.

I can think of two reasons:

1. Windows Update fetches a small file which then downloads the larger update - but in a way that doesn't register in Task Manager.  Could WU be downloading using a protocol that doesn't show up in TM?  I did think that maybe part of the update have already been downloaded but that makes a nonsense of the progress bar (unless that includes some installation time).  I just don't know enough about the mechanics of this.

2. Update is being spoofed - and I am not getting what I should be.  DNS hijacking or a fake WU utility could be at play.

Is there any way I can check that the update was genuine? (Examine a modified file for example?)  I can't find any information on how to do that.

I tried downloading a copy of the June Security update (KB4284826) manually (albeit on the same PC) directly from the Microsoft catalog and it took about 4 minutes as expected and when trying to run it, it reported that that update was already installed on the machine.  But does it really check or does it just look at the update history - which could be fake?

You can see, I am quite paranoid by now - but I keep reading of such attacks, so anything you can suggest will be appreciated.  I just don't know if my system is compromised at present.

Cheers,

Ken

 

 

 

 

 

[AdvancedSetup]

No, Microsoft checks what needs to be replaced. It will often list the bigger file download but then once it confirms other files are in place it won't download the bigger files and will only replace those that need updating. So from that point of view a bit of a red herring if you will trying to monitor and base an opinion that something is wrong. Serving less data makes it faster and easier for Microsoft, and you too.

The only connection point of view I can think of is/was the Google Chrome which can sync all devices. So if something bad was on one unit it will sync all the other units and put that bad stuff on them too. Sorry, I know I've said it before but I'm not a fan of sync technology for reasons like that. I'm old school and will manage all of that on my own.

 

[KenEgginton]

Thanks Ron,

Yes, I have come to the conclusion that syncing utilities might be more trouble than they're worth - a real gift for malware writers, they do half the job for them.  At the start of all tese problems, I removed my main Google account on my Android phone, now, having signed-in again, I can't get Google Play Store to recognize the phone has a connection to the Internet - I'm working through various help offered on various forums but it all takes time.

Yes again, I did notice something on one of the Microsoft web pages that suggested only missing elements of an update package will be downloaded - so that helps me to breathe easier - thank you.

I'll keep you informed about the Win10 machine as I use it a little more ove the next few days - I ran the June update earlier, after which I ran a MBAM scan - no problems so far.  I'm really battling with my older Win7 machine though (it mainly runs security camera software), as I said I updated it yesterday and today, it wanted to update a number of other apps (inc MBAM, Chrome and the Radeon driver) the machine went extremely slow and even after a few reboots, it feels laggy, particularly when connected to the Internet (which it's not most of the time at present) - I'm doing a MBAM scan right now and will see how it goes over the next day or so.

Cheers,

Ken

[AdvancedSetup]

Well, if you like you can post logs for the Windows 7 machine. I can take a look if anything obvious wrong with it and if possible fix. If nothing found I can help you to uninstall old, unwanted software and stop programs from loading each time the computer starts which can help it perform better. All computer operating systems get slower over time though. It's a natural process that cannot be completely undone without a fresh install of the operating system.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

[KenEgginton]

Thanks Ron, I will get to it as soon as I can.

I know systems get slower,  getting 'clogged-up' with time, but this was almost a complete standstill.  I suspect it was related to the updates installing - having said that, one of my security cameras needed rebooting and that sometimes causes weird hold-ups.

Cheers,

Ken