dsafk

Belief of Malware Infection

I've attached FW.zip to this reply. Unzip to your Desktop so you have FW.reg, right-click on that file and select "Merge", and agree to any alerts.

Reboot when complete. Any change?

FW.zip


Changes took successfully, then rebooted.

Was waiting to see if any notification would pop up, and it just did, saying the same thing: Windows Firewall has been turned off.


This is a very strange one; I don't see anything in the logs to show what is turning the FW off. All registry entries and commands look to be correct. Let's try a clean boot and see if that makes any difference.

Set Windows up for "Clean Boot" mode; full instructions here: https://support.microsoft.com/en-gb/kb/929135

Basically all non-MS services are disabled; see how your system runs in that mode.

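The checks kevinf80 is working through above (is the firewall actually enabled per profile, are the backing services up, do the registry entries agree, is anything in the logs showing what changed the setting, and which non-Microsoft services a clean boot would remove) can be gathered in one pass. The script below is an added example written for this page, not code from the thread or from Malwarebytes. It assumes Windows 10 with the built-in NetSecurity module and an elevated PowerShell session; the registry paths, service names and event ID 2003 are the standard Windows ones, and the "non-Microsoft signer" filter in step 5 is a heuristic for building the clean-boot candidate list.

```powershell
# Added triage script; not from the thread. Assumes Windows 10 with the built-in
# NetSecurity module and an elevated PowerShell session (needed to read the
# firewall operational log). Save as Get-FirewallState.ps1 and run it as admin.

# 1. The firewall's own view: one row per profile.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. The services behind it: MpsSvc (firewall), BFE (filtering engine), wscsvc (Security Center).
Get-Service -Name MpsSvc, BFE, wscsvc |
    Select-Object Name, Status, StartType |
    Format-Table -AutoSize

# 3. Registry: the local per-profile EnableFirewall value, and the Group Policy
#    key that overrides it when present (0 = off, 1 = on, <not set> = key absent).
$localBase  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$policyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    foreach ($base in $localBase, $policyBase) {
        $key   = "$base\$fwProfile"
        $value = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
        if ($null -eq $value) { $value = '<not set>' }
        '{0,-95} EnableFirewall = {1}' -f $key, $value
    }
}

# 4. Who changed a profile setting? Event 2003 in the firewall operational log is
#    written whenever a profile setting (including Enabled) changes, and its message
#    names the modifying user and application.
$fwLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
Get-WinEvent -FilterHashtable @{ LogName = $fwLog; Id = 2003; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap

# 5. Clean-boot candidates: running services whose executable is not Microsoft-signed.
#    Extracting the executable from PathName is a heuristic: quoted paths are handled,
#    unquoted paths containing spaces are not. Services hosted inside svchost.exe show
#    svchost's Microsoft signature, so non-MS service DLLs are not flagged by this step.
Get-CimInstance -ClassName Win32_Service -Filter "State='Running'" |
    ForEach-Object {
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' ')[0] }
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
        $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $_.Name
            Exe     = $exe
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            Status  = $sig.Status
        }
    } |
    Where-Object { $_.Signer -notmatch 'Microsoft' } |
    Format-Table -AutoSize
```

If step 1 reports Enabled = True on every profile while step 4 shows no 2003 events around the time of the pop-up, the firewall was never turned off and the notification is coming from Security Center's reporting path rather than from the firewall itself, which is the direction the thread eventually takes. A Group Policy EnableFirewall value of 0 under the Policies key, on the other hand, overrides whatever the Control Panel shows and would point at a policy or a script setting it.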

Ran across the Loki IoC scanner. Still running right now. I can stop the scan and move to clean boot or let the scan finish. What do you think?


Never heard of that scanner. Let it finish and see if it will produce a log.

6 minutes ago, kevinf80 said:

Never heard of that scanner. Let it finish and see if it will produce a log.

Okay. It uses YARA rules to detect weirdness on the system and produces a log of everything it found. Still running, might be a bit.


Be interesting to see the log it produces. Just been viewing their website to see what it does.


Nothing of note in that log. Have you tried the system in clean boot mode?


So clean boot makes no difference; revert back to normal boot. Instructions are in the same link as for clean boot.

What is/was the issue with your account?

Open an elevated command prompt, type or copy/paste the following at the prompt, then hit enter:

gpresult /user darkstar /h c:\gpo.html /f

gpo.html will be saved to the root of the C drive. Can you zip it and attach it to your next reply?


Couldn't see any underlying issues with the account.

Possibly because I had an old Microsoft account (.edu type) that I was using, which still had a Microsoft Office 365 subscription (1 yr). Switched that subscription to my new (non-.edu) account once the subscription ended, but forgot to remove that old .edu account from the account listing. At least that's the screen that popped up under Windows 10 settings, so that's my best guess. Went ahead and clicked remove on the old account. Probably didn't fix anything.

Verified password hasn't changed for those accounts and 2FA is still present on both.


Nothing of note in the group policy log. Try the following:

Type or copy/paste control panel into the search function, then hit enter.

In the Control Panel select System and Security, then Windows Firewall.

On the left pane, click the Restore defaults link, then select the Restore defaults button, then select Yes to confirm.

Reboot. Does the FW remain on?


Nope. Followed the instructions, reset the FW, then rebooted.

The FW "Turn on Windows Firewall" notification popped up a couple of minutes after boot.


Can you reboot again; when you get the alert to turn on the Firewall, leave it, do not turn it on.

Select the Windows key and R key, type or copy/paste services.msc into the text space, then hit enter.

In the Services window scroll to Windows Defender Firewall. What is its status?


Appears to be running even though the notification pops up.

(Screenshot of the Services window was attached here.)


To be clear, I didn't click the notification


Hiya dsafk,

That is definitely a strange one: the firewall is on, but a notification is asking you to start it. I know you can turn off notifications, but the dilemma would be, is it OK?

This is how to turn off the notification:

Open Control Panel

select System and Security

select Security and Maintenance

Open the Security drop down

Click: "Turn off messages about network firewall"

I'm not saying that is the correct fix; maybe it is a good idea to take this up with the Microsoft community for an answer. https://answers.microsoft.com/en-us

If you want to go that route, please let me know the outcome.

What are your thoughts?

Cheers,

Kevin

Yeah, definitely some weirdness going on. Might try running some of those binaries in the Loki log through VT as a last-ditch effort.

Could also just be a bug in Windows 10.

I'm gonna leave the notifications for the FW on to keep track of the time when "FW is being disabled". Also going to see what the Microsoft community has to offer as far as advice. Will shoot you a DM if anything comes of that, or if perhaps I end up finding something deeply rooted/obfuscated.

Really appreciate the time you put into this.

 

Share this post


Link to post
Share on other sites

Hiya dsafk,

Been going through your thread checking logs etc. and do note a couple of errors that may need correction to fix this glitch with Security Center alerts about the Firewall status:

    Error: (06/09/2020 10:34:51 AM) (Source: SecurityCenter) (EventID: 17) (User: )
    Description: Security Center failed to validate caller with error %1.

    Error: (06/08/2020 05:14:10 PM) (Source: SecurityCenter) (EventID: 17) (User: )
    Description: Security Center failed to validate caller with error %1.

Probably worth creating a restore point before the next step, instructions in following link if needed. https://www.windowscentral.com/how-use-system-restore-windows-10

I've attached wscsvc.zip to this reply; please download and unzip it so you have wscsvc.reg. Right-click on the reg file and select Merge, and agree to any alerts. Reboot when complete.

Let me know if that makes any difference.

Thank you,

Kevin

wscsvc.zip


Just applied the reg and rebooted.

No luck, still getting the notification.


The settings you quote for Malwarebytes and the Security Center delayed start are correct, so they should not make any difference. One thing to check is to see if Malwarebytes is registered with Windows Security Center. If that is correct, maybe it is worthwhile giving the 15 seconds delayed start a try and seeing if that makes any difference. I would not recommend leaving it that way though; many things can happen in 15 seconds with no protection.

Open Malwarebytes, select "Settings" (looks like a cog wheel), then select the "Security" tab. Scroll to see if that Security Center setting is correct. I saw in your PM about the MS community recommendation; bad eggs, methinks.

Ah well, back to the garden. Catch up later.

(Screenshot of the Malwarebytes Security Center setting was attached here.)

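Two of kevinf80's later posts turn on what Security Center (wscsvc) is doing rather than what the firewall is doing: the SecurityCenter event ID 17 errors quoted from the logs, and the question of whether Malwarebytes is registered with Windows Security Center. Both can be checked from PowerShell without clicking through the Malwarebytes UI. The script below is an added example written for this page, not code from the thread, Microsoft or Malwarebytes. It assumes Windows 10 and an elevated session; event ID 17 is the one the thread quotes, while the inclusion of event IDs 15 and 16 and the productState decoding in Convert-ProductState are assumptions, following the commonly used administrator convention rather than a documented API.

```powershell
# Added example; not from the thread. Assumes Windows 10 and an elevated session.

# Part A: Security Center's own view, from the System log. Event 17 under the
# 'SecurityCenter' source is the "failed to validate caller" error quoted in the
# thread. Events 15 and 16 (product status updated / unable to update) are an
# assumption added here because they show what state each product was reported in
# around the time of a notification; the thread's log excerpt did not include them.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'SecurityCenter'; Id = 15, 16, 17 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap

# Part B: which products are registered with Security Center and what state they
# report. Third-party AV, antispyware and firewall products register instances in
# the root/SecurityCenter2 WMI namespace; whether the built-in Windows Defender
# components also appear there varies by Windows build.
function Convert-ProductState {
    param([int]$State)
    # productState is a packed integer. This decoding follows the convention commonly
    # used by administrators, not a documented Microsoft API (assumption): the middle
    # byte is 0x10 when protection is on and 0x00 when off; the low byte is 0x00 when
    # the product reports its definitions as current.
    $hex = '{0:X6}' -f $State
    [pscustomobject]@{
        Enabled  = $hex.Substring(2, 2) -eq '10'
        UpToDate = $hex.Substring(4, 2) -eq '00'
        RawHex   = "0x$hex"
    }
}

'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct' |
    ForEach-Object {
        $class = $_
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                $s = Convert-ProductState -State $_.productState
                [pscustomobject]@{
                    Class    = $class
                    Product  = $_.displayName
                    Enabled  = $s.Enabled
                    UpToDate = $s.UpToDate
                    State    = $s.RawHex
                    Exe      = $_.pathToSignedProductExe
                }
            }
    } |
    Format-Table -AutoSize
```

If Part B lists Malwarebytes with Enabled = True, it is registered with Security Center and the "register with Windows Security Center" setting kevinf80 asks about is doing its job; if it is missing, or present but reporting Enabled = False shortly after boot, the timing of the Part A events relative to the Malwarebytes service start is the next thing to compare, since a product that registers late reports as "off" until it does. The "failed to validate caller" event 17 means wscsvc rejected a status update from a caller it could not verify, which is consistent with a product reporting before it is fully started rather than with the firewall being switched off.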