Jump to content

Is my laptop infected?


Verisah
 Share

Go to solution Solved by kevinf80,

Recommended Posts

Hello,

Would be grateful if someone could check whether my laptop is infected. I'm running Avast Premium with their Firewall on (Windows Defender is auto turned off), and Malwarebytes Free (though it's on Trial right now, I recently used the Support Tool to clean and reinstall).

Some months ago, I tried to scan with Malwarebytes but it got stuck on checking updates and internet was lagging a lot/freezing. I tried to update Avast as well but it freezed too and I had to force shutdown. I'm still not sure what happened there. I managed to download Microsoft Safety Scanner the next day and it found this:
***
Threat detected: VirTool:Win32/DefenderTamperingRestore
    regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware
        SigSeq: 0x0000055555C57273

Quick Scan Removal Results
----------------
Start 'remove' for regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware
Operation succeeded !

Results Summary:
----------------
Found VirTool:Win32/DefenderTamperingRestore and Removed!
***

But after some googling, I think that might have been a false positive. I also managed to scan with Malwarebytes and Avast(both normal and boot-time scans) and they found nothing. I've done more scans with other on-demand scanners as well, and still nothing but I'm still concerned.

The laptop seems to be working as usual except for some oddities. Like the "Windows Security" would come up blank at times, although that hasn't happened in a while since I created a standard user account (I had only one admin account before). And the laptop won't start properly sometimes, but I haven't had this problem if I shift-click on Shut down. Also, there's been some strange behaviour from the Avast Firewall. Even though I'm not connected to my wifi and with no programs open, there's a group of connections through the Avast software (AvastSvc.exe). The Network Connections list shows a lot of connections 127.0.01, remote 53 udp, 127.0.01, local port ranging ~40000-60000, 37.0 bytes. They close and then show up again continually.

I ran the Farbar Scan Tool offline, if I need to do that while online, please let me know. I bought this laptop in China, so the interface and part of the results is in Chinese language. I don't know how to get it to run in English. Also, since I re-installed Malwarebytes, the results is showing my operating system as Windows 8, though it's Windows 10..

There are some IPs that I removed from the FRST logs as I'm not sure if it's safe to show, I'll provide it in private. One of them seems strange to me. Btw I'm not tech savvy, so please bear with me. 
 

Addition.txt FRST.txt verisah-malwarebyteslogs.txt

Link to post
Share on other sites

Hello Verisah and welcome to Malwarebytes,

Top section of primary log (frst.txt) can you post the full log please. Also in same log the following entries appear to have entries removed, can you also include those please:

Tcpip\Parameters: [DhcpNameServer] ***removed***
Tcpip\..\Interfaces\{b4ce22f4-656d-4087-9ef1-d774da47eaad}: [DhcpNameServer] ***removed***
Tcpip\..\Interfaces\{d5ee2bed-2732-485c-a7b2-ecbb2c533c0a}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{d5ee2bed-2732-485c-a7b2-ecbb2c533c0a}: [DhcpNameServer] ***removed***

Thank you,

Kevin..

Link to post
Share on other sites

Hiya Verisah,

There is no Malware or Infection showing in logs from FRST. The log entries you quoted from Microsoft Safety Scanner is typical after a security program such as Avast has manipulated the registry to turn off Windows Defender.

The FRST log "addition.txt" is still showing Windows defender as disabled even though MSS log does show the reg key as restored. That will have happened after a reboot, Avast will have made the disable function again...

Did you read my PM regarding the IP address you were unsure of...? Do you require any further assistance...?

Thanks,

Kevin..

 

Link to post
Share on other sites

Thanks for the help kevinf80, it's much appreciated. I just want to make sure though, so it's for certain that my laptop is clean then?

I'm still confused why my internet got suddenly so laggy/freeze that day, do u have any idea what could have caused this? And I do still have some concerns about the 127.0.0.1 connections I mentioned.. I recently read a bit about DNS rebinding attacks and I'm kinda spooked. But maybe I should ask about this elsewhere? Since it's more about networking or so?

Link to post
Share on other sites

Hiya Verisah,

Regarding 127.0.0.1 IP address have a read at the following link, it is commonly used in the hosts file to stop software calling home...

https://www.lifewire.com/network-computer-special-ip-address-818385#:~:text=The IP address 127.0.0.1 is a special-purpose IPv4,other devices as a real IP address does.

The other IP addresses that you had hidden and PM`d them to me are very much harmless and not really cause for concern. Two of them were IP Addresses that are used as default gateway to login to your router.

To manage your router, fill in 192.168.100.1 in your browser's address bar. After you successfully access the router management panel, you can adjust/change settings and protocols.

The other address IP 40.55.1.13 seems also to be harmless: https://www.virustotal.com/gui/ip-address/40.55.1.13/detection

If you do not want that IP address then you could easily remove from your PC via the registry, or I could move it with a fix via FRST.

If you are still concerned run the following:

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Thanks,

Kevin..

Link to post
Share on other sites

Hello, ty for the instructions.

So I installed Sophos and let it update. I then disconnected from the internet and started the scan. No threats were found. But the logs shows that it 'could not open' some system files I think, and some files in Avast, System Volume Information and Microsoft\WindowsApps folders. But I'm assuming that's normal..?

About the IP 40.55.1.13, it may seem harmless but I'm still puzzled. If I understand correctly, the DhcpNameServer is for DNS server but the IP doesn't seem to be one.. It says the organization is "Eli Lilly and Company", a pharmaceutical company according to Google? I'm not even familiar with the name and never heard of it before. I don't understand how this IP got into the registry in the first place, and if the way it got there itself is cause for concern.

I have removed the IP from the registry (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b4ce22f4-656d-4087-9ef1-d774da47eaad}) and left it blank. If I need to actually delete "{b4ce22f4-656d-4087-9ef1-d774da47eaad}" entirely from the registry, please let me know.

The 127.0.0.1 is still a headscratcher for me.. I have attached a screenshot of the connections. These connections happen even though not connected to internet. If I check the "Resolve names" option, the 53 show up as "Domain". One last thing, my Malwarebytes scan logs are showing my operating system as Windows 8 instead of Windows 10. Do I need to do something about it or can I simply ignore it?

avast-connections.png

Link to post
Share on other sites

Hiya Verisah,

Those 27.0.0.1 addresses you quote are Avast loopback listening ports and are quite harmless.

If you open an elevated command prompt, type or copy/paste netstat -aon then hit the enter key. You will see a full list of connections.... I`ve attached my own for you to look over....

The information you mention for Sophos AV scan is expected and normal outcome. Regarding Malwarebytes showing your system as Windows 8 and not 10 has me baffled, not sure why that happens. FRST identifies as Windows 10 Pro: Platform: Windows 10 Pro 版本 1903 18362.1139 (X64) 语言: Chinese (Simplified, China)

Maybe sommething to do with the translation.. 

As logs we have seen are clean, I do not see any reason for you to be concerned.. Let me know your thoughts..

Thank you,

Kevin

 

 

kevnetstat.txt

Link to post
Share on other sites

Yes, I'm confused about the Malwarebytes logs too. As I mentioned in my 1st post, I recently used the Support Tool to clean and re-install. And I'm fairly certain the OS showed up correctly before I did that.. But well, since it seems like a minor thing and Malwarebytes seems to be working fine, I'll just let it be and perhaps it'll fix itself somehow or if I try to re-install some other time.

So, I did the command prompt thingy and mine looks kinda similar to yours - except that yours shows some PID 4 but mine doesn't have any. But I guess there's nothing to it.

Alright, I think that's it. Although I mean to keep an eye on the registry and see if any suspicious IPs show up again just in case.

Again, thanks for your help kevinf80, much appreciated.

Link to post
Share on other sites

  • Solution

Hello Verisah,

Thanks for the information update, continue to clean up:

Uninstall the following program:

Sophos AV

http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Also delete this folder if still present: C:\ProgramData\Sophos

Next,

Right click on FRST here: D:\Downloads\Security\FRST64.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

I uninstalled Sophos successfully.

I renamed FRST to uninstall but Avast Shield popped up again when I ran it. I think it interrupted it because the exe and log files are still there after restart. Is it ok if I just delete the files or should I run the uninstall again?

Link to post
Share on other sites

So I ran it again, and after restart, the logs disappeared but the uninstall.exe was still there. I tried to delete it and it went to the Recycle Bin. I'm going to assume it's all good? If not, please let me know.

And thanks for the links, I'll take a look at them 👍

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.