Worrier

I'm infected - What do I do now?


Good day Root Admin

 

My apologies for the delayed response. Please find attached the 2 scan reports from Farbar.

 

Thank you

Worrier

Addition.txt FRST.txt


Hello Worrier and welcome to Malwarebytes,

Have you tried to run the CHKDSK /r command..? I can see it listed in your FRST logs:

BootExecute: autocheck autochk /r \??\C:autocheck autochk *

Also there are several errors listed similar to the following:

Error: (05/06/2020 08:25:08 PM) (Source: Ntfs) (EventID: 55) (User: NT AUTHORITY)
Description: A corruption was discovered in the file system structure on volume C:.

Have you tried chkdsk and it failed to run at boot..?

Thanks,

Kevin..

 


Hello Kevinf80

I have tried the command chkdsk C: /f /r /x but no scan at boot. Also sfc /scannow failed to initiate with error.

Thanks

Worrier

 


Hello Worrier,

Run the following from an elevated command prompt, let me know the findings:

DISM /Online /Cleanup-Image /CheckHealth

Thanks,

Kevin...

 


Kevinf80

Thank you for the reply, and thank you for the assistance

Here is a copy of the command prompt output; I will also attach the log file...

C:\WINDOWS\system32>DISM /Online /Cleanup-Image /CheckHealth

Deployment Image Servicing and Management tool
Version: 10.0.17763.771

Image Version: 10.0.17763.1158


Error: 87

The cleanup-image option is unknown.
For more information, refer to the help by running DISM.exe /?.

The DISM log file can be found at C:\WINDOWS\Logs\DISM\dism.log

C:\WINDOWS\system32>

Ps. Are you aware that my downloads folder is corrupt?

Thanks

Worrier

dism.log


What is wrong with your downloads folder...?


When I try to open it the following error pops up: "Downloads is not accessible. The file or directory is corrupted or unreadable." I noticed it when trying to download from all browsers: Chrome, Edge and Internet Explorer...


From your keyboard select Windows key + R to launch the Run dialog, type or copy/paste Services.msc and press ENTER.

Scroll down the Services window to "Windows Modules Installer". What is the "Startup type"?

 


At least that setting is correct. Is there any data in the downloads folder that you need..?


There should be... although I can't see any of it at this stage... Attachments from e-mails etc. Now it won't download, with the error "Download failed", most probably due to the corrupt Downloads folder which is inaccessible...


You can copy/paste a new Downloads folder from the Default folder to your username folder; it should be accessible but will be new and therefore empty.. Is that what you want? If the normal one is corrupt I doubt you would ever get the data back...

There is another error in your logs that I'm trying to find information on, not having much luck, but not sure why it is being blocked...

Do this please:

Run FRST one more time:

Type the following in the edit box after "Search:".

scrobj.dll

Click Search Files button and post the log (Search.txt) it makes to your reply.


 



I do not mind replacing the Downloads folder. Would you mind elaborating on the process how to please? I will be offline now until tomorrow again. Thanking you in advance for your assistance thus far.

Worrier

FRST.txt Addition.txt Search.txt


Thanks for those logs Worrier, continue:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.
 
Next,
 

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"


fixlist.txt



Hello again Worrier,

Run this scan and post its findings please..

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select “Run as Administrator”; the tool will expand to the options Window.
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....
 
Thank you,
 
Kevin..


Good evening Kevinf80

I have run the Scan

The logs are attached, but I do not agree with the date and time. This scan completed at about 20:00 my time on 2020-05-08.

Rgds

Worrier

mrt.log


Hiya Worrier,

Couple of questions: is your computer personal, work, or school? The reason I ask is down to what seems to be very unusual. Windows protection is shown to be blocking a file that is a digitally signed system file; I have been scratching my head over this for a while:

Date: 2020-04-20 11:51:38.489
Description:
Windows blocked file \Device\HarddiskVolume2\Windows\SysWOW64\scrobj.dll which has been disallowed for protected processes.


There are several entries in the Addition.txt logs from FRST, that was the reason I asked you to do a search with FRST in reply #12. Usually if a system file is corrupt or infected we do a search for a replacement and change out the corrupt one...

The search turned up an enigma, a return I'd not seen before. After a bit of research, it could have been done to stop certain settings, scripts or changes from happening; usually an Administrator may do this to control a computer, hence I ask if this is a school or work computer..

Thanks,

Kevin...


Hi Kevin. Private pc. I read an article today that Kaspersky also inserts certain scripts (don't know if it's true though); will post the link if you need to read it.


Kevin. Here's the article copied and pasted. 

Update: The story was updated with Kaspersky Labs comments.

This is a story of how a “feature” that exists in all of Kaspersky Lab’s antivirus software for Windows since 2016, which was discovered by a German journalist earlier this year, led to a major security issue that let cybercriminals track millions of Kaspersky customers without their knowledge.



It all started when Ronald Eikenberg, a reporter at German computer magazine C’t, began testing antivirus software for the March issue of his publication. Several months later he made a strange discovery in the HTML source code of a website he was visiting and found that Kaspersky’s antivirus software was injecting some code (a Javascript script) into webpages.

“It looks as if Kaspersky was looking for a way to interact with websites without requiring the installation of a browser extension on the user’s system,” Eikenberg told me. “One of the purposes of the script is to evaluate Google search results displayed in the user’s browser. If a link is safe, the Kaspersky software will display a green shield behind it.”



From spying to possible cyberattacks

However, in order to be able to insert the script, the Kaspersky software is analyzing the user’s web traffic including SSL-encrypted connections, Eikenberg added. Which is for me a major security and privacy issue right there as Kaspersky has now the knowledge of all of the websites its customers are visiting, including inside secure corporate networks.

“Before that day, I had observed such behavior only from online banking Trojans which is malware built to manipulate bank websites, for example, to secretly change the recipient of a money transfer,” wrote Eikenberg. “So, what the heck was Kaspersky doing there?”

I’ve contacted Kaspersky’s U.S. office regarding Eikenberg’s data leak discovery as well as Eugene, the company’s CEO and co-founder, and I will update this report with their response (see below).



Furthermore, Eikenberg also found out that Kaspersky’s servers were injecting a unique identifier into the HTML source code of the visited Web page that not only identifies a particular user but also the computer used.

“Even the incognito mode did not offer any protection against the Kaspersky-infused tracking,” added Eikenberg. “At this point, it was clear that this was a serious security issue.”

Atherton Research Insights

Last month, Kaspersky issued a patch which gives the same identifier for all the users of a specific version of the Russian company’s antivirus software (Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security) which still allows a malicious hacker to know that an antivirus software is installed on the machine and whether the version has already been patched against the ID leak—which is still very valuable information for an attacker.

To prevent Kaspersky’s antivirus from inoculating the problematic Javascript script, which it does by default, we recommend manually unchecking it in the software settings, depending of course on how you feel about being spied upon.


Below is Kaspersky Labs’ response to our story:

Kaspersky has changed the process of checking web pages for malicious activity by removing the usage of unique identifiers for the GET requests. This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user’s personal information.

After our internal research, we have concluded that such scenarios of user’s privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process.

We’d like to thank Ronald Eikenberg for reporting this to us.


Very interesting, just proves that you just cannot trust anything or anyone... I asked if your PC was school or business because Administrators can adjust settings to stop private activity etc.. As it is personal, I need to know if the odd settings are malicious...

I've asked for advice at the private forum where FRST is hosted... will get back to you when I have an update.

I assume the sfc and chkdsk commands are still not working; did you copy the Downloads folder from the Default folder to your user folder..?


Hi Kevin. We do use this pc for school use, but my knowledge is way below that level as admin to even start to understand exactly what all this means...

To answer your last question: Nope. Not sure how to do it. If you can assist, I'll appreciate it.

Worrier


Does the school admin guy make any changes/alterations to your PC..?

For d/l folder:

Navigate to C:\Users\Wian open that folder, right click on "download" folder, select "Delete"

Navigate to C:\Users\default open that folder, right click on "download" folder, select "Copy"

Navigate to C:\Users\Wian do not open that folder, right click directly on Wian folder, select "Paste" fresh download folder should now be in place....
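As an added example (not code from the thread, from FRST or from Malwarebytes), the checks Kevin has walked Worrier through above (the Ntfs EventID 55 errors, the Windows Modules Installer startup type, DISM /CheckHealth, the blocked scrobj.dll and the unreadable Downloads folder) collected into one read-only PowerShell triage script, to be run from an elevated 64-bit PowerShell window. The event-log names, the CodeIntegrity log as the source of the "Windows blocked file" lines, and the C:\Users\Default\Downloads template path are assumptions about a default Windows 10 install; nothing here deletes, copies or repairs anything.

```powershell
# Added example, not from the thread. Read-only triage of the items discussed above;
# run from an elevated 64-bit PowerShell prompt. Log names and paths are assumptions.

function Get-NtfsCorruptionEvents {
    # EventID 55 is the "corruption was discovered in the file system structure" error quoted from FRST
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 55 } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Ntfs*' } |
        Select-Object TimeCreated, ProviderName, Message
}

function Get-ModulesInstallerStartType {
    # "Windows Modules Installer" is the TrustedInstaller service that SFC and DISM rely on
    (Get-Service -Name TrustedInstaller).StartType
}

function Test-ScrobjSignature {
    # scrobj.dll is the Windows Script Component runtime; both copies should be Microsoft-signed and Valid
    foreach ($dir in 'System32', 'SysWOW64') {
        $path = Join-Path $env:windir "$dir\scrobj.dll"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{ Path = $path; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
    }
}

function Get-CodeIntegrityBlocks {
    # The "Windows blocked file ... disallowed for protected processes" lines are assumed to come from this log
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Level = 2 } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*scrobj.dll*' } |
        Select-Object TimeCreated, Id, Message
}

function Test-DownloadsFolder {
    # A "corrupted or unreadable" folder throws on enumeration; also confirm the Default profile template exists
    $user = Join-Path $env:USERPROFILE 'Downloads'
    $err = $null
    try { $null = Get-ChildItem -LiteralPath $user -Force -ErrorAction Stop; $readable = $true }
    catch { $readable = $false; $err = $_.Exception.Message }
    [pscustomobject]@{ Path = $user; Readable = $readable; Error = $err
                       TemplateExists = Test-Path -LiteralPath (Join-Path $env:SystemDrive 'Users\Default\Downloads') }
}

function Invoke-DismCheckHealth {
    # Same command Kevin requested; error 87 in the thread means DISM never accepted the option, so report the exit code
    $out = & "$env:windir\System32\Dism.exe" /Online /Cleanup-Image /CheckHealth 2>&1
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($out | Out-String) }
}

Get-NtfsCorruptionEvents; Get-ModulesInstallerStartType; Test-ScrobjSignature
Get-CodeIntegrityBlocks; Test-DownloadsFolder; Invoke-DismCheckHealth
```

A scrobj.dll signature status other than Valid, or a TrustedInstaller start type of Disabled, is what would explain the failing SFC/DISM runs and the blocked-file entries the thread is puzzling over.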

 


Thanx for the info Kevin. No, the school admin should not have access, as we do homeschooling, and I never gave explicit permissions to them either. This "intrusion" had to have happened remotely. Will you please elaborate on your term "enigma"?

Thanx

Worrier


Nothing sinister with enigma, it just means something that is puzzling, in this case the "scrobj.dll" file and your problems with certain commands... I may be way off the mark, but have asked for advice at FRST's private forum....

 
