Jump to content

Computer compromised?


Go to solution Solved by AdvancedSetup,

Recommended Posts

I'll try to keep my story as short as possible.

March 17, someone tried to login my Facebook account. Later that day someone hacked into my brokerage account and caused some damage.

March 18, someone tried to move money from my bank account into my brokerage account. This was done through the brokerage account.

I found out about the Facebook login attempt immediately however I didn't find out my brokerage account got compromised because somehow all emails from that brokerage account were filtered to be marked as read and to be sent to the trash. I never did this, I don't think I could of "accidentally" done since it takes certain steps to do it. 

I checked my google activity log and it shows no suspicious activity. Only I have access to my computer and phone which has access to my Facebook, gmail and brokerage account. I reformatted my phone. I was going to reformat my laptop but I had done multiple scans and nothing came up. 

End of the day, I blame myself for not having a strong password and not having 2FA enabled. I should of known better, live and learn!

Below I've provided Malwarebytes log along with Farbar logs. If anything else is needed do let me know. 

 

Addition.txt FRST.txt Malwarebytes Full scan log.txt Malwarebytes Threat scan log.txt

Link to post
Share on other sites
  • Root Admin

Hello @porkclowns

I don't see any type of obvious infection on the computer but there are some Event Logs issues, including our program is crashing as well. We need to look at that and get that fixed.

Please run the following Google Chrome clean up.

 

 

 

Application errors:
==================
Error: (03/21/2021 02:33:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamtray.exe, version: 4.0.0.918, time stamp: 0x60418179
Faulting module name: Qt5Core.dll, version: 5.14.1.0, time stamp: 0x603971ce
Exception code: 0xc0000005
Fault offset: 0x0000000000219dc5
Faulting process id: 0x36c
Faulting application start time: 0x01d71e860644e042
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll
Report Id: e800fd30-623e-41ff-8c96-a08509e20e97
Faulting package full name:
Faulting package-relative application ID:

Error: (03/18/2021 11:34:38 PM) (Source: DbxSvc) (EventID: 281) (User: )
Description: CertFindCertificateInStore failed with: (-2146885628) Cannot find object or property.

Error: (03/18/2021 11:34:38 PM) (Source: DbxSvc) (EventID: 281) (User: )
Description: CertFindCertificateInStore failed with: (-2146885628) Cannot find object or property.

Error: (03/18/2021 11:13:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamtray.exe, version: 4.0.0.918, time stamp: 0x60418179
Faulting module name: Qt5Core.dll, version: 5.14.1.0, time stamp: 0x603971ce
Exception code: 0xc0000005
Fault offset: 0x0000000000219dc5
Faulting process id: 0x2548
Faulting application start time: 0x01d71c676afd0c13
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll
Report Id: 8740000c-4f5b-4152-931d-91fd3019ab26
Faulting package full name:
Faulting package-relative application ID:

Error: (03/18/2021 11:09:31 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {41742998-c94f-4817-86ae-ebe11e459d06}

Error: (03/18/2021 11:08:27 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {41742998-c94f-4817-86ae-ebe11e459d06}

Error: (03/18/2021 11:01:36 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {41742998-c94f-4817-86ae-ebe11e459d06}

Error: (03/18/2021 09:26:56 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.
]

 

 

System errors:
=============
Error: (03/21/2021 02:11:35 PM) (Source: ACPI) (EventID: 13) (User: )
Description: : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.

Error: (03/20/2021 01:14:40 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Intel(R) Capability Licensing Service TCP IP Interface service to connect.

Error: (03/20/2021 01:14:40 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Intel(R) TPM Provisioning Service service to connect.

Error: (03/20/2021 01:14:40 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Wondershare InstallAssist service failed to start due to the following error:
The system cannot find the file specified.

Error: (03/20/2021 12:33:37 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Intel(R) TPM Provisioning Service service to connect.

Error: (03/20/2021 12:33:37 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Intel(R) Capability Licensing Service TCP IP Interface service to connect.

Error: (03/20/2021 12:33:37 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Wondershare InstallAssist service failed to start due to the following error:
The system cannot find the file specified.

Error: (03/20/2021 12:33:36 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 6:06:44 PM on ‎3/‎19/‎2021 was unexpected.

 

Windows Defender did find some threats (and should have removed them already) - Let's go ahead though and do a generic clean up of the computer and then a secondary antivirus scan with ESET and then we'll see how the computer looks and go from there.

Did you setup this scheduled task? What does it do?

Task: {91FE2DFB-7E64-4F23-9062-DD5DFDCC2FD4} - System32\Tasks\Services\Diagnostic => C:\Users\Admin\AppData\Local\Disk\AutoIt3\AutoIt3_x64.exe -> "C:\Users\Admin\AppData\Local\Disk\AutoIt3\Settings.au3"

 

Nothing wrong with using it but you do have Chrome Remoting enabled. I'm not a fan of leaving such services up and running all the time. I prefer on-demand usage if possible.

R2 chromoting; C:\Program Files (x86)\Google\Chrome Remote Desktop\89.0.4389.25\remoting_host.exe [72808 2021-01-27] (Google LLC -> Google LLC)

You also have Team Viewer also running as a service

R2 TeamViewer; O:\Program Files\TeamViewer\TeamViewer_Service.exe [12727576 2021-02-17] (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)

 

 

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: This fix will also reset your entire network stack back to default settings including resetting the Firewall back to defaults

 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies, and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

 

Once that fix has completed please run the following ESET antivirus scan and post back the log

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Thank you

 

Link to post
Share on other sites

Hi @AdvancedSetup

I went ahead and disabled the services for Chrome Remote Desktop and TeamViewer.

Regarding AutoIt3, I have a vague memory about this. I don't have it installed since it doesn't show on my installed application. How could I remove the scheduled task?

The 4 files ESET log found seem to be false findings from my understanding. If there is any other steps I need to take do let me know.

Thank you,

Regards.

Fixlog.txt ESET log.txt

Link to post
Share on other sites
  • Root Admin

I can write a script to remove the AutoIT task.

The ESET files could be a false positive. You'd need to upload them to https://virustotal.com and have them scanned to make sure.

[KB2915] Restore files quarantined by the ESET Online Scanner version 3
https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please restart the computer one more time. Then run the FRST program again and click on the SCAN button and post back both new log files.

Thank you @porkclowns

 

Link to post
Share on other sites
  • Root Admin

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites
  • Root Admin

The following VSS error seems to return.

 

Application errors:
==================
Error: (03/22/2021 11:28:16 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine QueryFullProcessImageNameW.  hr = 0x80070006, The handle is invalid.
.


Operation:
   Executing Asynchronous Operation

Context:
   Current State: DoSnapshotSet

 

The System errors look to remain as well. Let's hope the VSS fix can possibly correct some.

System errors:
=============
Error: (03/22/2021 11:33:36 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Intel(R) TPM Provisioning Service service to connect.

Error: (03/22/2021 11:33:36 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Intel(R) Capability Licensing Service TCP IP Interface service to connect.

Error: (03/22/2021 11:33:36 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Wondershare InstallAssist service failed to start due to the following error:
The system cannot find the file specified.

Error: (03/22/2021 11:32:55 PM) (Source: DCOM) (EventID: 10010) (User: T500)
Description: The server {FD06603A-2BDF-4BB1-B7DF-5DC68F353601} did not register with DCOM within the required timeout.

Error: (03/22/2021 11:30:14 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Steam Client Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (03/22/2021 11:30:14 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.

Error: (03/22/2021 11:29:15 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Intel(R) TPM Provisioning Service service to connect.

Error: (03/22/2021 11:29:15 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Intel(R) Capability Licensing Service TCP IP Interface service to connect.

 

 

 

Please download and run the following  Volume Shadow Copy Service repair tool from Macrium Reflect

Macrium Reflect Volume Shadow Copy Service (VSS) Repair Tool


Once you've run the repair tool you need to restart your computer.
Then check your Event Logs to see if the error was corrected. You can post new logs from FRST which will also show the Event Log entries 

 

Thank you

 

Link to post
Share on other sites
  • Root Admin

VSS stands for Volume Shadow Copy service which is a key element of Windows. Without it working well you can experience all kinds of problems on Windows

Were you able to run the VSS tool? What did it say? Do you have logs for it?

 

Link to post
Share on other sites
34 minutes ago, AdvancedSetup said:

Were you able to run the VSS tool? What did it say? Do you have logs for it?

 

After I click OK it runs for a few seconds then it automatically closes, no txt file log is generated.

VSS.png.ae344f78d0a545bff7ec6ad09e9636aa.png

34 minutes ago, AdvancedSetup said:

Please click on Start and type in "Check for updates"

Then download any updates found and let Windows update itself please.

 

I've been doing this before and after each time I run FRST64. Should I install the optional update?

Optional.png.d70376d4e522045b51a0863afbcb76b3.png

Link to post
Share on other sites
  • Root Admin
  • Solution
Posted (edited)

Please check for more updates from Microsoft

You're still on this version:   Windows 10 Home Version 2004 19041.870 (X64)

If possible you should try to get on this builld: 20H2   19042.870

 

https://docs.microsoft.com/en-us/windows/release-health/release-information

 

image.png

 

Edited by AdvancedSetup
updated information
Link to post
Share on other sites
  • 2 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.