I think my computer is infected but am not exactly sure where or how to check.

About my system:

  • Malwarebytes pro installed
  • Windows Firewall and Defender disable briefly (they re-enable almost automatically) after first-boot logon
  • Nothing appearing to be suspicious is showing in registry run/runonce subkeys
  • I reinstalled Malwarebytes a few days ago purely because the post-scan report fonts were showing something like this: "scan report: example". Font sizes were the same, but the vertical position of every other word appeared to be slightly higher.
  • System processes appear to have regular PID #s (under 1000s)

Was hoping to get another set of eyes on this.

 

Thanks!


Hello dsafk and welcome to Malwarebytes,

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\WINDOWS\system32\fjopygkbxpdjpicd.tbl
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.
  • Repeat the above steps for the following files

C:\WINDOWS\system32\befholtgfvjmbuci.dat

Thanks,

Kevin..

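Added example, not part of the original thread or of Malwarebytes' own procedure: before uploading a suspect file to VirusTotal (which shares a copy of it with every vendor on the platform), record its hashes, size, timestamps and owner locally, then look up the SHA-256 first. If the hash is already known, the existing report answers the question without an upload. The two paths are the files named in the reply above; the VirusTotal report URL format is assumed from its public web interface.

```powershell
# Added example (not from the original thread). Run from an elevated
# PowerShell prompt so hidden/system files in System32 are readable.
$files = @(
    'C:\WINDOWS\system32\fjopygkbxpdjpicd.tbl',
    'C:\WINDOWS\system32\befholtgfvjmbuci.dat'
)

function Get-SuspectFileReport {
    param([Parameter(Mandatory)][string]$Path)

    # -Force so hidden and system files are returned as well
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop

    # Same three digests VirusTotal shows under "Basic Properties"
    $hashes = @{}
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $hashes[$alg] = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash.ToLower()
    }

    [pscustomobject]@{
        Path       = $item.FullName
        SizeBytes  = $item.Length
        CreatedUtc = $item.CreationTimeUtc
        WrittenUtc = $item.LastWriteTimeUtc
        Attributes = $item.Attributes
        Owner      = (Get-Acl -LiteralPath $Path).Owner
        MD5        = $hashes.MD5
        SHA1       = $hashes.SHA1
        SHA256     = $hashes.SHA256
        # Assumption: VirusTotal's file report is addressable by SHA-256
        VirusTotal = "https://www.virustotal.com/gui/file/$($hashes.SHA256)"
    }
}

foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) {
        Write-Warning "Not present: $f"
        continue
    }
    Get-SuspectFileReport -Path $f | Format-List
    # For a file this small (128 bytes in the thread) the bytes themselves
    # say more than a detection count: dump them.
    Format-Hex -LiteralPath $f
}
```

Compare the MD5 and SHA-256 printed here with the values in the VirusTotal report to confirm the scanned file is the one on disk. Keep in mind that a 0/60 result on a 128-byte file with no recognisable format is weak evidence either way: engines have almost nothing to match on, so the hex dump, the creation time and the owner (who wrote a random 16-letter filename into System32, and when) carry more weight than the detection count.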

kevinf80,

Thank you for the response. I was looking through the FRST log files while waiting for a response and had seen those earlier. I had already scanned them using VirusTotal with clean results. What also caught my attention are the listings under Chrome. I don't use Chrome and don't have it installed (I used to at one point but have since uninstalled it). The HKLM-x32 hive subkey caught my attention in particular:

CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj]

It had a subkey titled "Update URL" with the value "https://clients2.google.com/service/update2/crx".

 

I have re-uploaded/analyzed, and pasted results below:

fjopygkbxpdjpicd.tbl

Result: 0/60

Basic Properties:

MD5 f8548a30af4e30ff3f23b1d31db25cd8
SHA-1 595b3b63bf63a12f9b15c204f89aac44b02e6116
SHA-256 2b1015302ca50526b183b06dc2e07eaf8e85c362b1d947f3154c7e2880911deb
SSDEEP 3:vz8L53yPjLx1Le4VqazluA3JhU0TTXI28ps2+XSxTn:AlwjLfZluahU2XI24Gu
File type unknown
Magic data
File size 128.00 B (128 bytes)
F-PROT packer appended

befholtgfvjmbuci.dat

Result: 0/60

Basic Properties:
MD5 2595a9a32c5456cf2dcf7680030a7a85
SHA-1 5b40dd2dcc291b8913303a8603f437a097bcc9c7
SHA-256 92c6ccb8699547d4dfc80d703b8e11cf6726bd7d61a5959ab1a70f9f8c01056f
SSDEEP 3:CJLg6hWal6OUdTrA5+YSgGLhWcZmcyOCwyqbV9NX62+sn:K5hWuxURrR/gwhW7h2y2NXBP
File type unknown
Magic data
File size 128.00 B (128 bytes)
F-PROT packer appended

 

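Added example, not part of the original thread: the `CHR HKLM-x32\...\Chrome\Extension` lines FRST reports come from the registry keys Chrome consults for externally registered extensions. These keys are written by other software's installers, not by Chrome, so they can remain after Chrome is uninstalled. The script below lists every registered extension ID with its update URL and local CRX path (if any), and flags anything that does not update from the Chrome Web Store. The three registry paths are the standard locations and are assumed here; the Web Store update URL is the one quoted in the post above.

```powershell
# Added example (not from the original thread). Enumerates externally
# registered Chrome extensions and flags non-Web-Store sources.
$paths = @(
    'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions',   # what FRST labels HKLM-x32
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKCU:\SOFTWARE\Google\Chrome\Extensions'
)
# Update URL used by extensions hosted on the Chrome Web Store
$webStoreUpdate = 'https://clients2.google.com/service/update2/crx'

function Get-RegisteredChromeExtension {
    foreach ($p in $paths) {
        if (-not (Test-Path -Path $p)) { continue }
        Get-ChildItem -Path $p | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            $url   = $props.update_url
            $crx   = $props.path      # set only when a local .crx is registered

            $verdict = if ($crx) {
                'local CRX file: inspect it'
            } elseif ($url -ne $webStoreUpdate) {
                'non-Web-Store update URL: inspect it'
            } else {
                'Web Store hosted'
            }

            [pscustomobject]@{
                Hive      = $p
                Id        = $_.PSChildName      # the 32-letter extension ID
                UpdateUrl = $url
                Path      = $crx
                Verdict   = $verdict
            }
        }
    }
}

Get-RegisteredChromeExtension | Format-Table -AutoSize
```

A Web Store hosted ID can be identified by opening `https://chrome.google.com/webstore/detail/<id>` in any browser; what matters for triage is which installed product wrote the key, which is why the hive and a local CRX path are listed alongside the ID.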

Hello dsafk,

Continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Open Malwarebytes, select > "settings" > "security tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Single click on the target-sight icon above the scanner window.
  • In the new window select Report
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right-click in your reply and select "Paste"; the log will be pasted into your reply
    Export to Txt - if selected, you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply

     
  • Please use "Export to Txt" then attach the log to your reply...


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Let me see those logs in your reply...

Thank you.

Kevin.

fixlist.txt


System appears normal. Only thing left that concerned me was the firewall being turned off after first logon at boot. Will try to replicate, and post back here.


Just rebooted. A couple of minutes after login, the Windows Security "Windows Firewall is turned off" notification pops up. Is that normal?

FW_Disable_Notification.png


Hello dsafk,

That should not be happening. Select Windows key and R key together, that will open the "Run" function.  type or copy/paste services.msc into the text box then hit enter. Services window will open, scroll to Windows Defender Firewall. Are the settings correct...?

Firewall.JPG

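Added example, not part of the original thread or of Malwarebytes' procedure: the same service check from an elevated PowerShell prompt, plus the event queries that answer "what stopped it". It reads the firewall service (mpssvc) and its dependency BFE, the per-profile state, and then the Service Control Manager, firewall and security-audit events in a window around the notification. The notification time is assumed from the thread (8:05 PM local, the evening on which the 00:03Z events were logged); set it to the time of your own notification.

```powershell
# Added example (not from the original thread). Run from an elevated
# PowerShell prompt on the affected machine.
# Assumption: $notified is the local time the "Windows Firewall is turned off"
# notification appeared (8:05 PM on 2020-06-11 local, per the thread).
$notified = Get-Date '2020-06-11 20:05'
$window   = New-TimeSpan -Minutes 5
$from     = $notified - $window
$to       = $notified + $window

# 1. Service state and start type. Both should be Running / Automatic;
#    mpssvc (the firewall) cannot run without BFE (Base Filtering Engine).
Get-Service -Name mpssvc, bfe | Select-Object Name, Status, StartType

# 2. What the firewall itself reports per profile. Enabled should be True
#    for Domain, Private and Public.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 3. Service Control Manager (System log): 7036 = service entered the
#    running/stopped state, 7040 = start type changed, 7045 = new service
#    installed. Narrow the messages to firewall-related services.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036, 7040, 7045
    StartTime    = $from
    EndTime      = $to
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Firewall|Base Filtering Engine' } |
    Select-Object TimeCreated, Id, Message

# 4. The firewall's own operational log: 2003 = a profile setting changed.
#    The message names the profile, the new value and the
#    "Modifying Application", i.e. the process that turned the profile off.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id        = 2003
    StartTime = $from
    EndTime   = $to
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 5. Security log (audit subcategory "Other System Events", on by default):
#    5025 = the Windows Firewall service has been stopped, 5024 = started.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5024, 5025
    StartTime = $from
    EndTime   = $to
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 6. Group Policy (or a product writing policy keys) can force the firewall
#    off regardless of the Settings app. EnableFirewall = 0 here is a finding.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\*Profile' -ErrorAction SilentlyContinue |
    Select-Object PSChildName, EnableFirewall
```

Steps 3 to 5 distinguish the two ways the notification can be produced: a 7036 "stopped" for mpssvc (or BFE) means the service itself went down, and the neighbouring 7036/7045 entries show what else was starting at that moment; a 2003 with Enabled changing to No while the service stays running means a process changed the profile setting, and the Modifying Application field names it. Correlating by time in the Security channel, as the next post does by hand, only works if the clock offset is kept straight: the 00:03Z timestamps in the exported events are UTC, and the 8:03 PM the poster quotes is local.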

I've been looking at some of the logs from Event Viewer, trying to match up times just before the firewall was turned off. 8:05 PM (local) was when the notification was triggered.
Security (8:03 PM)

  Provider: Microsoft-Windows-Security-Auditing
  Guid: {54849625-5478-4994-a5ba-3e3b0328c30d}
  EventID: 5382
  Version: 0
  Level: 0
  Task: 13824
  Opcode: 0
  Keywords: 0x8020000000000000
  TimeCreated: 2020-06-12T00:03:52.3371325Z
  EventRecordID: 39571
  Execution: ProcessID 936, ThreadID 992
  Channel: Security
  Computer: DESKTOP-6UGLE9N
  EventData:
    SubjectUserSid S-1-5-18
    SubjectUserName DESKTOP-6UGLE9N$
    SubjectDomainName WORKGROUP
    SubjectLogonId 0x3e7
    SchemaFriendlyName NGC Local Accoount Logon Vault Resource Schema
    Schema {1d4350a3-330d-4af9-b3ff-a927a45998ac}
    Resource NGC Local Accoount Logon Vault Resource
    Identity 0105000000000005150000003A7249FFF666FF04A46C7734E9030000
    PackageSid
    Flags 0
    ReturnCode 1168
    ProcessCreationTime 2020-06-12T00:03:52.2973213Z
    ClientProcessId 14168
Application (8:04 PM - Intel Bluetooth)

  Provider: iBtSiva
  EventID: 3 (Qualifiers 0)
  Version: 0
  Level: 4
  Task: 0
  Opcode: 0
  Keywords: 0x80000000000000
  TimeCreated: 2020-06-12T00:04:24.1673249Z
  EventRecordID: 3798
  Execution: ProcessID 0, ThreadID 0
  Channel: Application
  Computer: DESKTOP-6UGLE9N
  EventData:
    iBtSiva
    Siva worker elapsed

System (This one maybe seems a little suspicious: it is right after winlogon is executed for my SID -1001 (entry source = Winlogon); there's another entry 1 ms later from source = Kernel-Power that has a PID of 3036, which seems way too high for boot processes.)

  Provider: Microsoft-Windows-Kernel-Power
  Guid: {331c3b3a-2005-44c2-ac5e-77220c37d6b4}
  EventID: 187
  Version: 0
  Level: 4
  Task: 243
  Opcode: 0
  Keywords: 0x8000400000000404
  TimeCreated: 2020-06-12T00:02:35.1176164Z
  EventRecordID: 242426
  Execution: ProcessID 3036, ThreadID 7112
  Channel: System
  Computer: DESKTOP-6UGLE9N
  Security: UserID S-1-5-18
  EventData:
    ApiCallerNameLength 53
    ApiCallerName \Device\HarddiskVolume4\Windows\System32\winlogon.exe
    SystemAction 3
    LightestSystemState 2

The surrounding processes have a PID of 4, which I understand to be normal for boot processes.

I'd have to recreate the process and watch in real time, but the setting for the firewall service appears not to change from Automatic. That leads me to believe the firewall was running and something stopped it.

 


Thanks for that information... try the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

 

fixlist.txt


Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

 

fixlist.txt
