Jump to content

Mawlwarebytes .exe Being Used By Malware?

MacLueh

By MacLueh
in Resolved Malware Removal Logs

 Share

Recommended Posts

MacLueh

MacLueh

Posted
Posted

I've been recently having issues with some malware and everytime I think everything is clean, I'm greeted by obvious signs that is it not.

One the i wonder about is Malwarebytes itself, could it be possible that there is malware posing as malwarebyted, in the attached screener you'll see three seperate process groups for Malwarbytes, though one does not have the logo just a default loga. On top of that, this was taken at a time when Malwarebytes wasn't doing a scan.

Any wisdom?

Screenshot (5).png

Link to post
Share on other sites
nasdaq

nasdaq

Posted
Posted

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Lets check further.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs  for my review.

Wait for further instructions

Link to post
Share on other sites
nasdaq

nasdaq

Posted
Posted

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this program in bold via the Control Panel > Programs > Programs and Features.
Lenovo App Explorer (HKU\S-1-5-21-4178065831-122527589-2538240857-1001\...\Host App Service) (Version: 0.273.2.779 - SweetLabs for Lenovo) <==== ATTENTION
===

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

p.s.

I only see one Malwarebutes process.
Malwarebytes version 3.5.1.2522 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.5.1.2522 - Malwarebytes)

Check the program listthe Control Panel > Programs > Programs and Features.

Do you see an other version listed?
Can you remove it.

How is the computer running now?

fixlist.txt

Link to post
Share on other sites
MacLueh

MacLueh

Posted
  • Author
Posted

 After running that program the first time earlier I tried to use DSMI.exe through powershell to check files, it went kind of crazy and the computer was freaking out so I restored it to a week ago, I have attached some other log files that made me thing, wth.

 

Thank you for your time, it is greatly appreciated.

Fixlog.txt

CO_scecomp.log

dismlog.txt

dismlog2.txt

Lenovo App Explorer-2018-09-17.log

look in.txt

new 8.txt

oct693F.txt

X_scesetup.log

Link to post
Share on other sites
MacLueh

MacLueh

Posted
  • Author
Posted

Is this anything to be concerned about? I do not use NT nor am I part of a WorkGroup

 

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Link to post
Share on other sites
MacLueh

MacLueh

Posted
  • Author
Posted
12 minutes ago, MacLueh said:

Is this anything to be concerned about? I do not use NT nor am I part of a WorkGroup

 

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

 

Link to post
Share on other sites
nasdaq

nasdaq

Posted
Posted

Hi,

===

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

fixlist.txt

Link to post
Share on other sites
MacLueh

MacLueh

Posted
  • Author
Posted

Here is the log, and a fresh batch of FRST, I think Chrome itself was fake, upon looking closer I noticed a lot of things in chrome were seriously off, like this site redirecting, then Google.com redirecting and my primary search being conduit dispite the lack of having a conduit bar or extension. Then when I opened task manager I noticed in the details when the admin thingy popped up asking for permission to allow Task Manager to open, was actually asking to open TaskManager/2.exe instead, then after uninstalling Chrome and trying to re-download it, the sites that were coming up in search to download form were not not the google.com/chrome but rather a mix of others.  I found a suggestion to use r-kill to kill processes and when I went to download it, there was a file switch and the file that downloaded wasn't rkill.exe. 

There are even more new hidden folders in every directory now than there was just yesterday a lot of weird stull, when I tried to re--install Chrome and the Administrator popup came up asking, I looked at the details and instead of asking to run the chrome installer it was asking to run some off the wall thing, I have included a picture of that on the screen. Some screenshots of the hidden folders and shortcuts appearing everywhere, last photo is what happened the first couple times I tried to submit

Is this malware intelligent?

IMG_0666.JPG

Screenshot (17).png

Screenshot (6).png

Addition.txt

Fixlog.txt

FRST.txt

Shortcut.txt

Screenshot (18).png

Link to post
Share on other sites
nasdaq

nasdaq

Posted
Posted

Hi,

Is ths from you?

Well MacLueh, I would have to say that you are insane to keep bothering this nice gentleman, he's not a wizard damnit, there is no magic wand that will save your brand new laptop from the evil highjacks that appear to be better designed than Windows...

Your logs are clean.

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.