Understanding just how compromised my PC is


I have just discovered that my PC has been compromised when I found that my AV had been disabled completely (BullGuard), after which I found that Defender had been removed and updates are stuck in a loop checking for the latest versions. I used Malwarebytes to scan and remove everything that is infected and then repaired Windows by refreshing from an ISO. I am not sure if that has fixed everything, and I would like to know what the virus(es) were doing to see if any of my personal data, i.e. passwords and bank info, are at risk. Any help you can give me in understanding the logs from the virus scan will be greatly appreciated.

The Logs are as follows:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/12/20
Scan Time: 9:24 AM
Log File: ca79535c-3c5b-11eb-ab89-f875a4f50478.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1130
Update Package Version: 1.0.34245
License: Trial

-System Information-
OS: Windows 10 (Build 18362.1139)
CPU: x64
File System: NTFS
User: LAPTOP-84M4JG3I\liami

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 309097
Threats Detected: 27
Threats Quarantined: 27
Time Elapsed: 1 min, 20 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 12
Backdoor.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\WDI\SrvHost, Quarantined, 887, 653659, , , , , , 
Backdoor.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{96784EDC-EA9D-4E98-B710-BEED7B0D7389}, Quarantined, 887, 653659, , , , , , 
Backdoor.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{96784EDC-EA9D-4E98-B710-BEED7B0D7389}, Quarantined, 887, 653659, , , , , , 
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\Windows Error Reporting\winrmsrv, Quarantined, 503, 780529, , , , , , 
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{10A082C1-2357-45E4-B34B-69F4F1241F61}, Quarantined, 503, 780529, , , , , , 
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{10A082C1-2357-45E4-B34B-69F4F1241F61}, Quarantined, 503, 780529, , , , , , 
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\Application Experience\StartupCheckLibrary, Quarantined, 503, 735770, , , , , , 
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{2C24D2BA-1EF6-403D-A9BD-7160D4AABBE9}, Quarantined, 503, 735770, , , , , , 
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{2C24D2BA-1EF6-403D-A9BD-7160D4AABBE9}, Quarantined, 503, 735770, , , , , , 
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{D6EB7721-CBAA-4AE1-A296-AEBA4F3EBDD7}, Quarantined, 503, 780231, , , , , , 
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{D6EB7721-CBAA-4AE1-A296-AEBA4F3EBDD7}, Quarantined, 503, 780231, , , , , , 
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\MICROSOFT\WINDOWS\WININET\Winlogui, Quarantined, 503, 780231, 1.0.34245, , ame, , , 

Registry Value: 4
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{10A082C1-2357-45E4-B34B-69F4F1241F61}|PATH, Quarantined, 503, 780528, 1.0.34245, , ame, , , 
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{2C24D2BA-1EF6-403D-A9BD-7160D4AABBE9}|PATH, Quarantined, 503, 782993, 1.0.34245, , ame, , , 
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{96784EDC-EA9D-4E98-B710-BEED7B0D7389}|PATH, Quarantined, 503, 784920, 1.0.34245, , ame, , , 
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{D6EB7721-CBAA-4AE1-A296-AEBA4F3EBDD7}|PATH, Quarantined, 503, 780232, 1.0.34245, , ame, , , 

Registry Data: 3
PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|ANTIVIRUSDISABLENOTIFY, Replaced, 14158, 293294, 1.0.34245, , ame, , , 
PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|FIREWALLDISABLENOTIFY, Replaced, 14158, 293295, 1.0.34245, , ame, , , 
PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UPDATESDISABLENOTIFY, Replaced, 14158, 293296, 1.0.34245, , ame, , , 

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 8
Backdoor.Agent, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\WDI\SrvHost, Quarantined, 887, 653659, , , , , 2D2065A8E06A248F3E18E945BFB33AFC, D52057FD28C0B95B67D8AC82FB89B1960E7692B01B9E308A2DDA8FE6C57D3A81
Backdoor.Agent, C:\WINDOWS\SYSTEM32\WINSCOMRSSRV.DLL, Quarantined, 887, 653659, 1.0.34245, , ame, , 919611928882E781ABAB300BF9227374, CBDD93BA08E87007665250C3253A1FE9AD38511E4A8A2E5305ADC0F36E43AB44
Trojan.Agent, C:\WINDOWS\SYSTEM32\TASKS\MICROSOFT\WINDOWS\WINDOWS ERROR REPORTING\WINRMSRV, Quarantined, 503, 780529, 1.0.34245, , ame, , 87544ECF215B9BAD38F6B6C126B36E70, DC87DDC347948A9E6356A8ADCEF47F2893C3DA4DDD333B318BA5F553B9736F2D
Trojan.Agent, C:\WINDOWS\SYSTEM32\TASKS\MICROSOFT\WINDOWS\APPLICATION EXPERIENCE\STARTUPCHECKLIBRARY, Quarantined, 503, 735770, 1.0.34245, , ame, , 5314D1656CD5A9710413BB0F5877DAF6, 937184B7B0231D1A4415486D2764795FA36209D28D886F65D1DD9DCD93B1E158
Trojan.Agent, C:\WINDOWS\SYSTEM32\TASKS\MICROSOFT\WINDOWS\WININET\WINLOGUI, Quarantined, 503, 780231, , , , , 432E45B4F8A5189CFB304771A16F2C4C, DE8616EC888B88E29A8C0ABBA72F996B2224F0C70E89C5D6B5B7673E924D01D0
Generic.Malware/Suspicious, C:\WINDOWS\SYSTEM32\WINRMSRV.EXE, Quarantined, 0, 392686, 1.0.34245, , shuriken, , 462EE20E8ABBBB559BD1C4F8BE87B123, 5B85CEB558BAADED794E4DB8B8279E2AC42405896B143A63F8A334E6C6BBA3FB
Generic.Malware/Suspicious, C:\WINDOWS\SYSTEM32\WSLOGON0OF.DAT, Quarantined, 0, 392686, 1.0.34245, , shuriken, , FB9F4EB58354E9D3D6B7F84F5D12B639, 91BFB82ED5C32979368EDDCD34861B631926D2352D16ADF189944C4BA8CCF4E1
Trojan.FakeMS.TskLnk, C:\WINDOWS\SYSTEM32\STARTUPCHECKLIBRARY.DLL, Quarantined, 4107, 676770, 1.0.34245, , ame, , 250532B95FBF3154FE571B65217D4B11, 8F8C635949FD4A315DC7C2D30FC9A6A18149621E72B9598ABF50D54A4BF116AC

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 

Thanks for any help you can give

Liam

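Reading the log: the Scan Details rows above have a fixed comma-separated layout, and most of the 27 detections are pieces of one persistence mechanism (scheduled tasks registered in the TaskCache hive, their task files under System32\Tasks, and binaries dropped into System32 for them to run), plus three Security Center values. The script below is an added example, not part of Liam's post and not Malwarebytes' own tooling; it parses those rows and groups them that way so "what was it doing" can at least be narrowed to "what did it persist, what did it run, and what did it switch off". It is fed a constructed subset of rows copied from the log above, and the names rule_id and sig_id for the two numeric columns are my assumptions (the other columns are recognisable from their contents).

```python
"""Parse the 'Scan Details' rows of a Malwarebytes scan log and group the
detections by scheduled task, task GUID, dropped binary and tampered setting.
Added example, not part of the forum post. The names rule_id and sig_id for
the two numeric columns are assumptions."""
import re

# Constructed subset of rows from the log above (not the full log; the
# per-section counts in the headers are ignored by the parser).
SAMPLE_LOG = r"""
Registry Key: 12
Backdoor.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\WDI\SrvHost, Quarantined, 887, 653659, , , , , ,
Backdoor.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{96784EDC-EA9D-4E98-B710-BEED7B0D7389}, Quarantined, 887, 653659, , , , , ,
Backdoor.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{96784EDC-EA9D-4E98-B710-BEED7B0D7389}, Quarantined, 887, 653659, , , , , ,
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\Windows Error Reporting\winrmsrv, Quarantined, 503, 780529, , , , , ,

Registry Value: 4
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{10A082C1-2357-45E4-B34B-69F4F1241F61}|PATH, Quarantined, 503, 780528, 1.0.34245, , ame, , ,

Registry Data: 3
PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|ANTIVIRUSDISABLENOTIFY, Replaced, 14158, 293294, 1.0.34245, , ame, , ,
PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|FIREWALLDISABLENOTIFY, Replaced, 14158, 293295, 1.0.34245, , ame, , ,

File: 8
Backdoor.Agent, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\WDI\SrvHost, Quarantined, 887, 653659, , , , , 2D2065A8E06A248F3E18E945BFB33AFC, D52057FD28C0B95B67D8AC82FB89B1960E7692B01B9E308A2DDA8FE6C57D3A81
Backdoor.Agent, C:\WINDOWS\SYSTEM32\WINSCOMRSSRV.DLL, Quarantined, 887, 653659, 1.0.34245, , ame, , 919611928882E781ABAB300BF9227374, CBDD93BA08E87007665250C3253A1FE9AD38511E4A8A2E5305ADC0F36E43AB44
Generic.Malware/Suspicious, C:\WINDOWS\SYSTEM32\WINRMSRV.EXE, Quarantined, 0, 392686, 1.0.34245, , shuriken, , 462EE20E8ABBBB559BD1C4F8BE87B123, 5B85CEB558BAADED794E4DB8B8279E2AC42405896B143A63F8A334E6C6BBA3FB
Trojan.FakeMS.TskLnk, C:\WINDOWS\SYSTEM32\STARTUPCHECKLIBRARY.DLL, Quarantined, 4107, 676770, 1.0.34245, , ame, , 250532B95FBF3154FE571B65217D4B11, 8F8C635949FD4A315DC7C2D30FC9A6A18149621E72B9598ABF50D54A4BF116AC
"""

FIELDS = ("detection", "object", "action", "rule_id", "sig_id",
          "db_version", "col7", "engine", "col9", "md5", "sha256")
DETAIL_SECTIONS = {"Process", "Module", "Registry Key", "Registry Value",
                   "Registry Data", "Data Stream", "Folder", "File",
                   "Physical Sector", "WMI"}
SECTION_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# Prefixes (compared case-insensitively) that mark scheduled-task artefacts
# and Security Center settings.
TREE_PREFIX = "\\schedule\\taskcache\\tree\\"
TASKCACHE = "\\schedule\\taskcache\\"
TASKS_DIR = "c:\\windows\\system32\\tasks\\"
SEC_CENTER = "hklm\\software\\microsoft\\security center|"


def parse_rows(log):
    """Return one dict per detection row, tagged with its Scan Details section."""
    section, rows = None, []
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        # Skip header lines, blanks and "(No malicious items detected)".
        if section not in DETAIL_SECTIONS or not line or line.startswith("("):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected column count in: {line!r}")
        row = dict(zip(FIELDS, parts))
        row["section"] = section
        rows.append(row)
    return rows


def summarize(rows):
    """Group rows into task names, task GUIDs, dropped binaries and tampered settings."""
    summary = {"tasks": set(), "task_guids": set(), "payloads": {},
               "security_center": set(), "other": []}
    for r in rows:
        obj, low = r["object"], r["object"].lower()
        if low.startswith(SEC_CENTER):
            # *DisableNotify values suppress the Security Center warnings that
            # antivirus, firewall or updates are off; Malwarebytes "Replaced" them.
            summary["security_center"].add(obj.split("|", 1)[1])
        elif TREE_PREFIX in low:
            # TaskCache\Tree\<name> is the task's path as shown in Task Scheduler.
            summary["tasks"].add(low.split(TREE_PREFIX, 1)[1])
        elif TASKCACHE in low:
            # TaskCache\Tasks\{GUID} holds the task body, \Logon\{GUID} its logon trigger.
            g = GUID_RE.search(obj)
            if g:
                summary["task_guids"].add(g.group(0).upper())
        elif low.startswith(TASKS_DIR):
            # The XML task file under System32\Tasks mirrors the Tree entry by name.
            summary["tasks"].add(low.split(TASKS_DIR, 1)[1])
        elif r["section"] == "File":
            summary["payloads"][obj] = (r["detection"], r["sha256"])
        else:
            summary["other"].append(obj)
    return summary


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_LOG))
    print("Scheduled tasks planted:", *sorted(s["tasks"]), sep="\n  ")
    print("Binaries to look up by hash:")
    for path, (name, sha256) in s["payloads"].items():
        print(f"  {path}  {name}  sha256={sha256}")
    print("Security Center values tampered with:", sorted(s["security_center"]))
```

Fed the full log instead of the subset, the grouping gives four task names under the WDI, Windows Error Reporting, Application Experience and WinInet folders (all genuine Microsoft task folders, which is why they blend in), four task GUIDs, four binaries in System32 with SHA-256 values that can be looked up, and the three Security Center *DisableNotify values that had been set so Windows would not warn that antivirus, firewall and updates were off. Two caveats the log itself supports: the Scan Options show Rootkits: Disabled, so that part of the system was not examined, and a scan log records what was detected and quarantined, not what the quarantined code did with data, so on its own it cannot answer the question about passwords and bank details.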

Hello, Liam.

My name is Maurice. I will be helping and guiding you, going forward on this case.
Please put away the Windows ISO and let's not use it anymore. That Windows version (the build from Spring 2019, build 1903) is out of support. I will guide you later to getting the Windows OS updated to a more current release version.

 

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.
Please only attach the report files, etc. that I ask for as we go along.

If you will be away for more than 4 consecutive days,  do try to let me know ahead of time, as much as possible.
 

I would appreciate getting additional, fuller details from this machine in order to help you forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs. It may take several minutes. Just let it run and take its time. You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool

    Once the file is downloaded, open your Downloads folder/location of the downloaded file.
    Double-click mb-support-1.80.848.exe to run the report.
    Once it starts, you will see a first screen with 2 buttons. Click the one on the left marked "I don't have an open support ticket".
    You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
    Place a checkmark next to Accept License Agreement and click Next.
    Now click the left-hand side pane "I do not have an open support ticket".
    You will be presented with a page stating, "Get Started!"
    Do NOT use the button "Start repair"! Look instead at the far-left options list in black.
    Click the Advanced tab on the left column.
    Click the Gather Logs button.
    A progress bar will appear and the program will proceed with getting logs from your computer. Please have patience; it takes several minutes to gather.
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK, then exit the tool.

Please attach the ZIP file in your next reply.

Please know that I help here as a volunteer and that I am not on 24 x 7.
Help on this forum is one to one.

Sincerely,

Maurice


Added NOTE: For a general description of "Backdoor.Agent" at the Malwarebytes Threat Center, see this page: https://blog.malwarebytes.com/detections/backdoor-agent/

As to "Trojan.Agent", see https://blog.malwarebytes.com/detections/trojan-agent/

I can't possibly know what may have been compromised off your computer.
 

The following is typical advice for someone who might be a victim of identity theft.
You are strongly advised to do the following:
1. Watch closely all bank, financial account and credit card statements.
2. For later, after we reach the point where I advise that the system is OK: then, on a clean computer, change ALL your online passwords, for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.
Be sure you use strong passwords.
https://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/

https://www.lastpass.com/password-generator
Do NOT change passwords or do any transactions while using this current computer until I give the all clear. Do not play online games. Do not do any online shopping.

 


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
