Jump to content

@FirewallAPI.dll 2 rules and many suspicious ones- remote access?


Mazgad89
 Share

Recommended Posts

I had a Malware infection where I had many processes take up loads of RAM and I didn't have permissions to delete them so I installed fresh windows. I feel they are still there as the system is behaving in a similar way to the start of the previous infection. Please help!

Am I imagining it?

Malwarebytes says there no infections.

mbscan.txt

Link to post
Share on other sites

1 hour ago, AdvancedSetup said:

Windows does not look like it's setup correctly and that may be part of your issue.

What is the Manufacture name of the computer?

What is the model number?

Is it a Laptop or a Desktop?

 

It's a Huawei Matebook X pro 2019 laptop. So it's really tough for me to explain my issue but i'll try. Before formatting the computer starting running all those processes in the same suspicious way (duplicate processes, firewall rules, etc.) until one day the mic just completely stopped working and the official driver wouldn't fix it, suddenly a window pops up within the system saying it's Windows help and they noticed I was facing an issue and asked for permission to scan the device. After that all System folders changed the browsers kept redirecting to a local URL and Reset the device. It seems to be happening again. I'm seeing weird URL redirects or tunnels when going to Apple id com or googl com and so on. There's are weird files on the system like Mosetup in windows log and I don't have permission to alter it in any way. uninstalling chrome only hides it and when attempting to download it again on a disguised update file downloads. Edge can't be touched from Settings and there's an Edge Update application showing in the list of apps that I can't remove or even view the location of. System permission prompts are now from an app called Windows Operator instead of explorer. 

Link to post
Share on other sites

  • Root Admin

Well, I'm not sure this is going to help or not but give it a try please.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

Thank you for your reply and I apologize for the hurried e-mail earlier, I'm aware now that mosetup is a normal folder but rest of what I said was true. I'm just not very tech savvy but I've been using windows long enough to detect something being suspicious. I also had ad emails appear in my mail inbox they were all similar to authentic emails but with a slight change like and "e" being added to the address and I think the browser had permission to reply to them because my sent folder showed the replies (see attached photos). I also attavhed a pic of the permission prompt I mentioned earlier.

I ran the tool as you instructed but it finished in a minute or two at most and after reinstalling chrome. it seems I have the url tunneling issue as well (this is the link it shows when searching for this Forum but I think your site is stopping them as it says terms denied once it loads up: https://www.google.com/search?q=malwarebytes+forum&oq=malwarebytes+forum&aqs=chrome.0.69i59j0j0i22i30l3j69i60l3.3338j0j7&sourceid=chrome&ie=UTF-8) I have attached the log file.

Fixlog.txt

IMG-0078.PNG

IMG-0077.PNG

IMG-0073.jpg

IMG-0075.PNG

IMG-0075 (1).PNG

IMG-0076.PNG

IMG-0079.PNG

Link to post
Share on other sites

  • 1 month later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.