Hey Guys & Gals,

I installed some trusted software yesterday that I have had for years, and today every few minutes I get Malwarebytes popping up saying "exploit blocked".

I am getting lots of them; I scan with Malwarebytes on Threat Scan and it finds nothing.
Also the logs don't tell me what is causing it.

I have attached 2 exported logs as text files, as I have no clue.
Kaspersky also sees nothing.
The computer is only 2 weeks old and I am sure not to install bad software.

Can anyone lend a hand or clue me in as to what is causing this issue?

Thanks in advance

Gren

Exploit 2.txt

Exploit issue.txt


  • Root Admin

Hello @Grenpara and :welcome:

Well, not sure what caused it, but something is kicking off a PowerShell script, which is what keeps getting blocked. Let me have you run the following for me and we'll see about getting you cleaned up.

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed, open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.


RESTART THE COMPUTER before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.

Thanks

Ron

Hello Ron,

Thanks for the fast reply to my issue.

Attached are the files you asked for.
While doing them I got a popup from Malwarebytes saying a website was blocked because of a trojan.
I was only on the Malwarebytes site and the Farbar site.
Not sure what is up.

Thanks in advance

Fred

AdwCleaner[S02].txt

Malwarebytes Threat scan.txt

FRST.txt

Addition.txt


Sorry, let me add some info.

The Trojan warning was outbound, not inbound, and it was blocked.

Also, the software I installed was from Reallusion and Windows Store apps and a couple of others.

Thanks

Fred


Hey Ron,

Sorry for the multiple replies, but I have more info.

I think the PowerShell blocking is a false positive, though not 100% sure, and here's why.

I checked Windows Update and there were no updates today.
But in my antivirus I can see what ran each day, and I see something did run.
And around the same time as the first Malwarebytes message, a Windows update did happen, though not in the Windows Update section.

When I went to Add and Remove Programs in Windows 10 I did get an update or (2).
I find it strange it did not show up in the Windows Update section, but attached is a picture of the 2 items that ran.

[Image: Updates2.jpg]

As you can see they ran, and I think Microsoft products do access OneNote, or am I wrong?

Please let me know
Thanks in advance
Fred


  • Root Admin

Thanks Fred @Grenpara but I needed both new logs from FRST.

Please go ahead and restart the computer one more time. Delete your current FRST and Additions logs. Then run FRST again and get both new logs and attach. You should post back 2 new logs. FRST.TXT and ADDITION.TXT

Not sure how that PowerShell entry got there or if it is/was bad, but it's not normal. There are 5 hits on Google for it. Not good when there are hundreds of millions of Windows 10 computers out there.

Thank you again

Ron

Hey Ron,

My new computer is screwed up somehow and it must be a virus, though I don't know how.

During restart the computer booted, but Windows was acting nuts and opening and closing windows; I had no control at all.
I had to hard power down the system and tried for 20 minutes to get into it, and I finally did.

Here are the new logs you requested.

I got a weird message about a tablet driver or something and not sure what's up with that.

I am running a full scan with Malwarebytes again as well as Kaspersky.

I am then trying sfc /scannow.

Thanks in advance

Fred

Addition.txt

FRST.txt

Hello Ron,

Well, I am still on the PC trying to find out what is going on.

Ran Malwarebytes Threat Scan with the latest version and it came back clean. (Log attached)

Kaspersky is still running and I will let you know in this same message. (Log attached shows clean)

I opened Windows Event Log and there are errors listed.
At least one recent error is about Malwarebytes Self-Protection failing to run.
It was off when I installed Malwarebytes, but I turned it on after I got the original message about PowerShell.
I have disabled it again just in case.

The next errors are about the tablet error (WTabletServicePro).
That could be my fault, as yesterday I installed the latest Wacom tablet drivers for my tablet but have not connected it yet.
I uninstalled the driver to be safe until I am sure all is OK.

Also, before that, earlier today I downloaded your anti-rootkit software and ran it.
But it did not find anything.

There are also some other errors and warnings in the event log on the 7th.
I know some were my fault.
I installed a paid version of a program, but the company went under so I can't register it.
And I did not know if it could be used on Windows 10, so I ran it in Sandboxie and it did not like that.

Also Malwarebytes has a couple of events of a trojan website being blocked outbound from me.
That makes no sense, and I have also attached a log export of one so you can see it.
I googled that and it seems Malwarebytes picks that up often and has others stumped too.
If I even type the IP and hit enter, Mbam blocks it.

I ran a program called Fiddler 4 to see what is talking to the net and I see nothing strange at all.
Though I could be wrong, I know most of what is shown is safe.

Running SFC /scannow from an elevated command prompt now. (Found no violations)

Oh, and one other note: I did download a program I have only used once before, but an online scan showed it clean.
I even sent it to Kaspersky to check and they say it's clean, and Malwarebytes scanned it clean.
I got it since the program I use won't work; it has a trial period and I am using it to keep the program on trial.
I own the program I am using it on, but as said above I can no longer register it as the company went under.
The program I am using to keep the software on trial is https://www.nirsoft.net/utils/run_as_date.html
It forces a date into the software, and I will use it until I can find a decent home inventory software that will meet my home needs.

In the event log under System is a bunch of errors for today around the time of the big crash/loss of control.
Most say the following:
"- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
  <EventID Qualifiers="0">10016</EventID>
  <Version>0</Version>
  <Level>2</Level>
  <Task>0</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8080000000000000</Keywords>
  <TimeCreated SystemTime="2018-10-09T07:55:49.619453200Z" />
  <EventRecordID>6703</EventRecordID>
  <Correlation />
  <Execution ProcessID="1476" ThreadID="4844" />
  <Channel>System</Channel>
  <Computer>DESKTOP-G8AI09A</Computer>
  <Security UserID="S-1-5-19" />
  </System>
- <EventData>
  <Data Name="param1">application-specific</Data>
  <Data Name="param2">Local</Data>
  <Data Name="param3">Activation</Data>
  <Data Name="param4">{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}</Data>
  <Data Name="param5">{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}</Data>
  <Data Name="param6">NT AUTHORITY</Data>
  <Data Name="param7">LOCAL SERVICE</Data>
  <Data Name="param8">S-1-5-19</Data>
  <Data Name="param9">LocalHost (Using LRPC)</Data>
  <Data Name="param10">Unavailable</Data>
  <Data Name="param11">Unavailable</Data>
  </EventData>
  </Event>"

I checked PID 1476 and have attached a picture of it in Task Manager.
Not sure if that means anything.

[Image: PID1476.jpg]

Thanks in advance for the help.
And sorry for the long email.
Fred

KAspersky.txt

Malwarebytes threat scan after problem.txt

Trojan event Mbam.txt
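A small triage helper for the DCOM event quoted in the post above, added here as an illustration and not part of this thread or of any Malwarebytes tool: it strips the "- " markers Event Viewer adds when its XML view is copied, then pulls out the fields that matter for a 10016 event (the CLSID/AppID being activated, the account that was denied, and the process ID). The sample is an abridged copy of the event from the post; the `likely_noise` heuristic is an assumption of mine, not something stated in the thread.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Windows Event Log XML namespace

# Abridged copy of the DCOM event quoted in the post above, pasted the way
# Event Viewer's XML view shows it (note the "- " collapse markers).
SAMPLE = """- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-DistributedCOM" EventSourceName="DCOM" />
  <EventID Qualifiers="0">10016</EventID>
  <TimeCreated SystemTime="2018-10-09T07:55:49.619453200Z" />
  <Execution ProcessID="1476" ThreadID="4844" />
  <Security UserID="S-1-5-19" />
  </System>
- <EventData>
  <Data Name="param2">Local</Data>
  <Data Name="param3">Activation</Data>
  <Data Name="param4">{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}</Data>
  <Data Name="param5">{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}</Data>
  <Data Name="param6">NT AUTHORITY</Data>
  <Data Name="param7">LOCAL SERVICE</Data>
  <Data Name="param8">S-1-5-19</Data>
  </EventData>
  </Event>"""

def clean_event_viewer_xml(text: str) -> str:
    """Strip the '- ' node markers Event Viewer prepends in its XML view and
    any quotes wrapped around the paste, leaving well-formed XML."""
    lines = text.strip().strip('"').splitlines()
    return "\n".join(re.sub(r"^\s*-\s+", "", ln) for ln in lines)

def parse_dcom_10016(text: str) -> dict:
    """Pull out the fields that matter when triaging a DCOM 10016 event."""
    root = ET.fromstring(clean_event_viewer_xml(text))
    sysn = root.find("e:System", NS)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    info = {
        "event_id": int(sysn.findtext("e:EventID", namespaces=NS)),
        "time": sysn.find("e:TimeCreated", NS).get("SystemTime"),
        "pid": int(sysn.find("e:Execution", NS).get("ProcessID")),
        # In 10016, param4 is the COM class (CLSID), param5 its AppID, and
        # param2/param3 name the permission denied to the account param6\param7.
        "clsid": data.get("param4"),
        "appid": data.get("param5"),
        "account": f"{data.get('param6')}\\{data.get('param7')}",
        "sid": data.get("param8"),
        "denied": f"{data.get('param2')} {data.get('param3')}",
    }
    # Heuristic (my assumption): 10016 records a *denied* DCOM permission
    # check, not code run under that account; for the built-in service accounts
    # (LOCAL SERVICE S-1-5-19, NETWORK SERVICE S-1-5-20) it is the usual noise.
    info["likely_noise"] = info["event_id"] == 10016 and info["sid"] in ("S-1-5-19", "S-1-5-20")
    return info
```

The process ID in the event (1476 here) is the client that attempted the activation, so that is the process worth identifying in Task Manager, as the post does.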


16 hours ago, AdvancedSetup said:

Okay. I'll keep your post open a couple more days and if you run into any issues please let me know.

Thanks Fred

Ron

Help please,

I am losing control of the computer.

I am losing access to programs and even websites are being blocked.

Malwarebytes will no longer turn on with protection.

And I am unable to do much of anything.

This is a new computer and I installed only trusted items fresh from websites.

I was not able to access my computer again, and my drives are all doing funky things like non-stop access.

Even my CD drive opened and closed once.

Can't log into Windows properly; it simply refuses.

Even Firefox apps can't connect to their servers, like LastPass.

Need help please

Thanks in advance

Fred


Hello Ron,

Well, my computer might still be possessed, but I am on it now and it appears to be working again, for now.

I am not sure if it is malware on my system, as I had to do something when I got partial access again.
I had to use the Kaspersky Clean Remove tool to totally remove Kaspersky from the system.
I then reinstalled it, and I was then able to access websites again and my programs reappeared in the Start menu.

Kaspersky has no answer for this, as I spent time in chat with them.
I think in the near future Kaspersky will be removed from my system and I'll go with ESET.
USA, Canada and others all stopped allowing its use in government.

So right now how can I be sure there is no malware?
Malwarebytes Threat Scan shows as clean, and the Trend Micro free online scan showed as clean before I used Revo to get rid of any files left by it.

I don't know what other programs to use to scan for malware except Malwarebytes, and now that it is working again it shows clean.

Please let me know.
Thanks

Fred


  • Root Admin

Hi Fred,

If you're having trouble with other Antivirus you might want to read the following article and make up your own mind how you want to protect your system.

https://www.howtogeek.com/225385/what’s-the-best-antivirus-for-windows-10-is-windows-defender-good-enough/

If you do need further assistance please let me know.

Ron


Hey Ron.

Not antivirus either.

I can't access System Restore at all.

Computer is still acting weird and shutting off all kinds of files, and drives have started to do mass access. (Lots of activity, more than normal.)

Is there an advanced tool to verify Malwarebytes is working and has not been affected?

I am now sure there is something on the system.

I had to switch to MS Edge to contact the forum as Firefox was dead and I had to remove it.

Please help and advise.

Thanks in advance

Fred


  • Root Admin

Please at least temporarily uninstall Kaspersky antivirus. The built-in Windows Defender will take over as the default antivirus.

Then run a new FRST scan and make sure you place a checkmark in the Additions.txt check box and post back both new logs.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.
Hey Ron,

Thanks, will do that shortly.

I will let you know that whatever is happening is causing system corruption.
sfc /scannow has found problems and repaired them.

I will post logs as soon as I can.

Thanks in advance

Fred

Hey Ron,

OK, Kaspersky is gone; I did a restart and ran FRST as said.

Attached are the 2 files you asked for.

I would like to thank you again for all the help and time.

Sincerely
Fred

Addition.txt

FRST.txt


  • Root Admin

Please run the following fix. This will also run a Full Disk Check, which may possibly take a few hours to run. Let it run.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

The logs also show something wrong with VSS - Volume Shadow Copy service. Please download and run the following tool when you're done with the above, see whether it can locate and fix the issue, and let me know.

VssDiag: Volume Shadow Copy Service Diagnostics Freeware

http://backupchain.com/en/vssdiag/


Thanks, Ron

Hey Ron,

OK, I removed Kaspersky Secure Connection (did not know it didn't uninstall with Kaspersky).

I will run the other instructions as soon as I do a restart, as it needs to after KSC was removed.
I will then run VssDiag after that is done.

I have to take my mother to the doctor in the morning, so I will respond with the result as soon as I am back.
It's 2 am here, so I will start the process and let it run all night.

Thanks again for the help.
Fred

3 minutes ago, AdvancedSetup said:

Sounds good. It's about 12:20 am here. I'll check back on you again some time tomorrow.

Ron

 

Hey Ron,

Well, that did not take long at all.

So FRST ran, deleted lots of stuff, and then appears to have run chkdsk and then restarted.

I then ran VssDiag and it finds nothing.

I get the message "No relevant entries found. Please check manually on host or inside VMs"

Not sure what's up with that.

Thanks in advance
Fred

Talk later in the day.
