TToaster

Possible infection.


Hi, 

Just for peace of mind, would somebody be able to check these logs for any malicious activity? I did have an infection a couple of months ago but have been using Malwarebytes since and it hasn't found anything recently. Noticed some really weird PowerShell scripts in Event Viewer being run remotely but I have no idea what they mean. Thanks.

MBlog.txt FRST.txt Addition.txt


Hi, @TToaster

My name is Maurice. I will be helping and guiding you, going forward on this case. Let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

Please only just attach all report files, etc. that I ask for as we go along.

Let's start with what follows.

[ 1 ]

Let's have you run the Microsoft Malicious Software Removal Tool (MS MSRT).

This tool is a limited one. It targets some specific "common" malicious threats. It is a tool run typically once a month when your Windows does a Windows Update check.

I would just like a one-time on-demand run.

Point your browser to this MS website link: https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx

Look to see it matches your language & your version of Windows in terms of 64-bit or 32-bit.

Download and save the tool. Then go to the folder where saved (should be the Downloads folder).

Double click the tool and allow it to Run. It should not take more than 12 - 15 minutes.


[ 2 ]

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the-tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Let me know the result of this.

The log is named MSERT.log.

The log will be at %SYSTEMROOT%\debug\msert.log which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply.

Kindly do have patience during all this.

[ 3 ]

Please download MiniToolBox, save it to your desktop and run it.

Reply YES when prompted by Windows to Allow the program to run.

Reply YES when prompted by the tool to proceed.

Checkmark the following check-boxes:

  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices

Click Go and post the result (MTB.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Please know I help here as a volunteer, and that I am not on 24 x 7.

Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy / paste into the main body.

Sincerely.


Also the second tool found one infected file during the scan. Will that be in the log? I didn't see any options to remove it post scan.


Hi Craig.

Thanks for the reports.

Quote

No infection found as part of the extended scan

Results Summary:
----------------
No infection found.
Microsoft Safety Scanner Finished On Sat Jan 11 22:47:29 2020

 

Quote

Microsoft Windows Malicious Software Removal Tool v5.78, December 2019 (build 5.78.16632.1)
Started On Sat Jan 11 22:53:08 2020

Results Summary:
----------------
No infection found.

 

I would suggest a free scan with the ESET Online Scanner.
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page. Click Scan Now.
It will start a download of "esetonlinescanner_enu.exe".
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes.

When prompted for scan type, click on Full scan.
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".

Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).

Press Continue when all done. You should click to off the offer for "periodic scanning".


Thanks. That is an excellent result. That is the 3rd security tool to report no malware.

At this point, let's make very sure that Malwarebytes for Windows has the latest component package.

Start Malwarebytes for Windows. Click the Settings (gear) icon at the top. Look on the General tab.

Click on the button "Check for Updates". Follow the prompts if advised and have patience.

Close the program when done.

Let us do one other scan / check.

Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64

  • Save the file first,
  • Close any running programs that you started on your own (if any).

Double-click RogueKillerx64.exe to run the program.

Follow the prompts. If a browser window opens, close the window.

In the HOME tab, click Start Scan.

Upon completion, a browser window may open. Close this window.

Important: Please do not have RogueKiller remove any detected items.

Click the HISTORY tab followed by Scan Reports.

Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.

Please attach the file in your next reply.


Hi Maurice,

I'm really sorry but I reinstalled Windows. I tried to toggle the two VPN options in Windows (allow over metered etc.) but they just kept turning back on. Looked up how to disable it via registry and couldn't see the VpnCostedNetworksettings string so I panicked.

I haven't connected the PC to the internet yet, but if I look in Computer Management / Shared Folders / Shares I see:

Admin - remote admin

C and D drives as default shares.

IPC - remote IPC

Admin, C, D and IPC have dollar signs in front.

I honestly don't know what to do or if it even means anything. As I write this I'm thinking maybe this is something the people I bought the PC from set in place. As in remote assistance if I ever needed support. I won't be able to get an answer from them until tomorrow.

Any advice you can offer is much appreciated.


Hello TToaster.

You report you reinstalled Windows.

You are always in control of what accounts are there on the operating system. You should keep your own administrator-level account, and also keep the Windows built-in administrator account.

Any other accounts you do not recognize you may remove.

NOTE: I hope we are not confusing user-login accounts vs shared folders/shares.

Run a new FRST64 report and you will be able to see at the top of the ADDITION text a list of all accounts.

1: Please download FRST64 from the link below and save it to your desktop:

"Download link for 64-Bit Version Windows"

Please wait and look toward the top or bottom of your browser for the option to Run or Save.
Click Save to save the file to the Downloads folder.

Run report with FRST64

Right-click on the FRST64 icon and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

Windows 8 or 10 users will be prompted about Windows SmartScreen protection - click the line "More info" on that screen and click the button "Run anyway" on the next screen.

Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & follow up & choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that the Addition option is checked - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press the Scan button and wait.

The tool will produce 2 logfiles on your desktop: FRST.txt, Addition.txt.
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

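As an added example (not from this thread, from Malwarebytes, or from FRST), the following PowerShell lists the local accounts that the FRST Addition.txt would show, and the SMB shares seen under Computer Management / Shared Folders / Shares, flagging the Windows default administrative shares (ADMIN$, IPC$ and the <drive>$ shares asked about above) so that anything non-default stands out. It assumes Windows 8/10 with PowerShell 5.1 (Get-LocalUser and Get-SmbShare) run from an elevated prompt.

```powershell
# Added example, not code from the thread or from any tool it mentions.
# Assumes Windows 8/10, PowerShell 5.1+, run as Administrator.

# Share names Windows creates by default: ADMIN$ ("Remote Admin"), IPC$ ("Remote IPC")
# and one <DriveLetter>$ ("Default share") per fixed drive, e.g. C$ and D$.
$DefaultShareNames = @('ADMIN$', 'IPC$')

function Test-DefaultAdminShare {
    param([Parameter(Mandatory)][string]$Name)
    # True for ADMIN$, IPC$ and single-letter drive shares such as C$ or D$.
    return ($DefaultShareNames -contains $Name.ToUpper()) -or ($Name -match '^[A-Za-z]\$$')
}

function Get-ShareReview {
    # Returns one object per share with a Default flag; Default = False means
    # someone created the share on purpose and it deserves a look.
    Get-SmbShare | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            Path        = $_.Path
            Default     = Test-DefaultAdminShare -Name $_.Name
            Description = $_.Description
        }
    } | Sort-Object Default, Name
}

function Get-AccountReview {
    # Local accounts, including the built-in Administrator and Guest that
    # Windows 10 ships with (normally disabled).
    Get-LocalUser | Select-Object Name, Enabled, LastLogon, Description
}

Write-Host '== Local user accounts =='
Get-AccountReview | Format-Table -AutoSize

Write-Host '== SMB shares (Default = True are Windows built-ins) =='
Get-ShareReview | Format-Table -AutoSize

Write-Host '== Non-default shares needing review =='
Get-ShareReview | Where-Object { -not $_.Default } | Format-Table -AutoSize
```

On a fresh install the last table is expected to be empty; the ADMIN$, C$, D$ and IPC$ entries all show Default = True.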

Thanks. I notice just your Windows account and the normal others that are standard on the Windows 10 O.S.

I do not see Malwarebytes for Windows installed here, nor much of anything else.

Also, be sure you do one Microsoft Windows Update (check for updates) to be sure it is all current with Microsoft Windows security updates.


I did install the Windows updates before I ran the scan but maybe didn't restart the system. I hadn't got round to installing Malwarebytes yet but I will as soon as I can.

Tbh I'm just making myself paranoid looking at things I don't fully understand. I'll keep on top of scanning with AV and make a new topic if anything shows up.

So unless there's anything else you'd like me to check I'm happy to close this post. Thanks for your time and patience.


Your PC should always have Malwarebytes for Windows Premium so that it has all real-time protections.

It is not enough to just have a security program installed. Each PC user needs to practice daily safe computer and internet use.

Best practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address (one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected (out of the blue) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with an antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd-party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection".

Stay safe. I am glad to have helped you.

Sincerely,

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks
