porkclowns | Posted March 21, 2021 | ID:1446273

I'll try to keep my story as short as possible.

March 17, someone tried to log in to my Facebook account. Later that day someone hacked into my brokerage account and caused some damage. March 18, someone tried to move money from my bank account into my brokerage account. This was done through the brokerage account.

I found out about the Facebook login attempt immediately; however, I didn't find out my brokerage account got compromised because somehow all emails from that brokerage account were filtered to be marked as read and sent to the trash. I never did this, and I don't think I could have "accidentally" done it since it takes certain steps to do. I checked my Google activity log and it shows no suspicious activity.

Only I have access to my computer and phone, which have access to my Facebook, Gmail and brokerage accounts. I reformatted my phone. I was going to reformat my laptop but I had done multiple scans and nothing came up.

End of the day, I blame myself for not having a strong password and not having 2FA enabled. I should have known better, live and learn!

Below I've provided the Malwarebytes logs along with the Farbar logs. If anything else is needed do let me know.

Attachments: Addition.txt, FRST.txt, Malwarebytes Full scan log.txt, Malwarebytes Threat scan log.txt
AdvancedSetup (Root Admin) | Posted March 22, 2021 | ID:1446324

Hello @porkclowns

I don't see any type of obvious infection on the computer, but there are some Event Log issues, including our program crashing as well. We need to look at that and get that fixed. Please run the following Google Chrome clean up.

Application errors:
==================
Error: (03/21/2021 02:33:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamtray.exe, version: 4.0.0.918, time stamp: 0x60418179
Faulting module name: Qt5Core.dll, version: 5.14.1.0, time stamp: 0x603971ce
Exception code: 0xc0000005
Fault offset: 0x0000000000219dc5
Faulting process id: 0x36c
Faulting application start time: 0x01d71e860644e042
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll
Report Id: e800fd30-623e-41ff-8c96-a08509e20e97
Faulting package full name:
Faulting package-relative application ID:

Error: (03/18/2021 11:34:38 PM) (Source: DbxSvc) (EventID: 281) (User: )
Description: CertFindCertificateInStore failed with: (-2146885628) Cannot find object or property.

Error: (03/18/2021 11:34:38 PM) (Source: DbxSvc) (EventID: 281) (User: )
Description: CertFindCertificateInStore failed with: (-2146885628) Cannot find object or property.

Error: (03/18/2021 11:13:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamtray.exe, version: 4.0.0.918, time stamp: 0x60418179
Faulting module name: Qt5Core.dll, version: 5.14.1.0, time stamp: 0x603971ce
Exception code: 0xc0000005
Fault offset: 0x0000000000219dc5
Faulting process id: 0x2548
Faulting application start time: 0x01d71c676afd0c13
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll
Report Id: 8740000c-4f5b-4152-931d-91fd3019ab26
Faulting package full name:
Faulting package-relative application ID:

Error: (03/18/2021 11:09:31 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
. This is often caused by incorrect security settings in either the writer or requestor process.
Operation:
Gathering Writer Data
Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {41742998-c94f-4817-86ae-ebe11e459d06}

Error: (03/18/2021 11:08:27 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
. This is often caused by incorrect security settings in either the writer or requestor process.
Operation:
Gathering Writer Data
Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {41742998-c94f-4817-86ae-ebe11e459d06}

Error: (03/18/2021 11:01:36 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
. This is often caused by incorrect security settings in either the writer or requestor process.
Operation:
Gathering Writer Data
Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {41742998-c94f-4817-86ae-ebe11e459d06}

Error: (03/18/2021 09:26:56 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress. ]

System errors:
=============
Error: (03/21/2021 02:11:35 PM) (Source: ACPI) (EventID: 13) (User: )
Description: : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.

Error: (03/20/2021 01:14:40 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Intel(R) Capability Licensing Service TCP IP Interface service to connect.

Error: (03/20/2021 01:14:40 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Intel(R) TPM Provisioning Service service to connect.

Error: (03/20/2021 01:14:40 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Wondershare InstallAssist service failed to start due to the following error: The system cannot find the file specified.

Error: (03/20/2021 12:33:37 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Intel(R) TPM Provisioning Service service to connect.

Error: (03/20/2021 12:33:37 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Intel(R) Capability Licensing Service TCP IP Interface service to connect.

Error: (03/20/2021 12:33:37 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Wondershare InstallAssist service failed to start due to the following error: The system cannot find the file specified.

Error: (03/20/2021 12:33:36 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 6:06:44 PM on 3/19/2021 was unexpected.

Windows Defender did find some threats (and should have removed them already). Let's go ahead though and do a generic clean up of the computer and then a secondary antivirus scan with ESET, and then we'll see how the computer looks and go from there.

Did you set up this scheduled task? What does it do?

Task: {91FE2DFB-7E64-4F23-9062-DD5DFDCC2FD4} - System32\Tasks\Services\Diagnostic => C:\Users\Admin\AppData\Local\Disk\AutoIt3\AutoIt3_x64.exe -> "C:\Users\Admin\AppData\Local\Disk\AutoIt3\Settings.au3"

Nothing wrong with using it, but you do have Chrome Remoting enabled. I'm not a fan of leaving such services up and running all the time. I prefer on-demand usage if possible.

R2 chromoting; C:\Program Files (x86)\Google\Chrome Remote Desktop\89.0.4389.25\remoting_host.exe [72808 2021-01-27] (Google LLC -> Google LLC)

You also have TeamViewer running as a service:

R2 TeamViewer; O:\Program Files\TeamViewer\TeamViewer_Service.exe [12727576 2021-02-17] (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE: It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: This fix will also reset your entire network stack back to default settings, including resetting the Firewall back to defaults.

The following directories are emptied:
- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies, and History
- Recently opened files cache
- Flash Player cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- BITS transfer queue (qmgr*.dat files)
- Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

Attachment: fixlist.txt

Once that fix has completed please run the following ESET antivirus scan and post back the log.

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking. I would suggest a free scan with the ESET Online Scanner.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
It will start a download of "esetonlinescanner.exe". Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for scan type, click on Full scan.
Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
Click the blue "Save scan log" to save the log.
If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
Press Continue when all done.
You should click to off the offer for "periodic scanning".

Thank you
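The two findings AdvancedSetup singles out above (a scheduled task that launches an AutoIt interpreter from under AppData, and remote-access services left running as auto-start services) are the kind of thing a defender can pull out of an FRST log mechanically. The script below is an added example written for this thread; it is not part of the thread, of FRST, or of Malwarebytes. It parses FRST-style "Task:" and service lines, flags any task whose action executable sits under a user-writable profile path, and reports remote-access services by name. The three log lines it reuses are copied from the post above; the two benign sample lines, the user-writable path heuristic and the two-entry service-name list are constructed assumptions that you would extend for your own environment.

```python
"""Added example (not part of this thread or of the FRST tool): triage helper
that scans FRST-style log lines for the two persistence findings discussed
above, scheduled tasks running from user-writable directories and persistent
remote-access services."""
import re
from dataclasses import dataclass
from typing import List

# FRST task lines: Task: {GUID} - System32\Tasks\<name> => <exe> [-> "<args>"]
TASK_RE = re.compile(
    r'^Task: (?P<guid>\{[0-9A-Fa-f-]+\}) - (?P<name>System32\\Tasks\\\S+) => '
    r'(?P<exe>.+?)(?: -> (?P<args>.*))?$')
# FRST service lines: <R|S><start type> <name>; <exe> [<size> <date>] (<signer>)
# R = running, S = stopped; the digit is the start type (2 = automatic).
SERVICE_RE = re.compile(
    r'^(?P<state>[RS]\d) (?P<name>[^;]+); (?P<exe>.+?) '
    r'\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>[^)]*)\)$')
# Directories a standard user can write to without elevation. Assumption: a
# heuristic only; extend it for your environment.
USER_WRITABLE_RE = re.compile(r'\\(AppData|Temp|Users\\Public)\\', re.IGNORECASE)
# Service names to report. Assumption: only the two named in the thread.
REMOTE_ACCESS_SERVICES = {'chromoting', 'teamviewer'}

# Constructed sample input: the first three lines are copied from the post
# above; the last two are made-up benign entries for contrast.
SAMPLE_LOG = r"""
Task: {91FE2DFB-7E64-4F23-9062-DD5DFDCC2FD4} - System32\Tasks\Services\Diagnostic => C:\Users\Admin\AppData\Local\Disk\AutoIt3\AutoIt3_x64.exe -> "C:\Users\Admin\AppData\Local\Disk\AutoIt3\Settings.au3"
R2 chromoting; C:\Program Files (x86)\Google\Chrome Remote Desktop\89.0.4389.25\remoting_host.exe [72808 2021-01-27] (Google LLC -> Google LLC)
R2 TeamViewer; O:\Program Files\TeamViewer\TeamViewer_Service.exe [12727576 2021-02-17] (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\Example\Backup => C:\Program Files\Example\backup.exe
R2 Spooler; C:\Windows\System32\spoolsv.exe [800000 2021-01-01] (Microsoft Windows -> Microsoft Corporation)
"""


@dataclass
class Finding:
    kind: str    # 'task' or 'service'
    name: str
    exe: str
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious task or remote-access service."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        task = TASK_RE.match(line)
        if task:
            # A task whose binary lives where an unprivileged user (or
            # malware running as that user) can write it is worth a question.
            if USER_WRITABLE_RE.search(task.group('exe')):
                findings.append(Finding(
                    'task', task.group('name'), task.group('exe'),
                    'task action runs from a user-writable directory'))
            continue
        svc = SERVICE_RE.match(line)
        if svc and svc.group('name').lower() in REMOTE_ACCESS_SERVICES:
            state = 'running' if svc.group('state').startswith('R') else 'stopped'
            findings.append(Finding(
                'service', svc.group('name'), svc.group('exe'),
                f'remote-access service present ({state}, start type '
                f'{svc.group("state")[1]})'))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """Render findings as one entry each, for pasting into a reply."""
    return [f'[{f.kind}] {f.name}: {f.reason}\n    {f.exe}' for f in findings]


if __name__ == '__main__':
    for entry in report(triage(SAMPLE_LOG)):
        print(entry)
```

Run against a real Addition.txt or FRST.txt by passing the file contents to triage(). The output is a list of questions to ask, not verdicts: the AutoIt task here turned out to be something the poster half-remembered installing, and both services are legitimate products, so the value is in surfacing them for the owner to confirm or disable.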
porkclowns | Posted March 22, 2021 | ID:1446381

Hi @AdvancedSetup

I went ahead and disabled the services for Chrome Remote Desktop and TeamViewer. Regarding AutoIt3, I have a vague memory about this. I don't have it installed since it doesn't show in my installed applications. How could I remove the scheduled task?

The 4 files the ESET log found seem to be false findings from my understanding. If there are any other steps I need to take do let me know.

Thank you, Regards.

Attachments: Fixlog.txt, ESET log.txt
AdvancedSetup (Root Admin) | Posted March 22, 2021 | ID:1446436

I can write a script to remove the AutoIT task.

The ESET files could be a false positive. You'd need to upload them to https://virustotal.com and have them scanned to make sure.

[KB2915] Restore files quarantined by the ESET Online Scanner version 3
https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

Please restart the computer one more time. Then run the FRST program again and click on the SCAN button and post back both new log files.

Thank you @porkclowns
porkclowns | Posted March 22, 2021 | ID:1446482

> 4 hours ago, AdvancedSetup said:
> I can write a script to remove the AutoIT task.

That would be great if you could.

I've attached the files from the new scan.

Attachments: Addition.txt, FRST.txt
AdvancedSetup (Root Admin) | Posted March 23, 2021 | ID:1446518

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE: It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:
- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
- Recently opened files cache
- Flash Player cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- BITS transfer queue (qmgr*.dat files)
- Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

Attachment: fixlist.txt

Thanks
porkclowns | Posted March 23, 2021 | ID:1446548

I went ahead and did it. I also made sure everything was up to date, rebooted and ran FRST64 again.

Attachments: FRST.txt, Addition.txt, Fixlog.txt
AdvancedSetup (Root Admin) | Posted March 23, 2021 | ID:1446554

The following VSS error seems to return.

Application errors:
==================
Error: (03/22/2021 11:28:16 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine QueryFullProcessImageNameW. hr = 0x80070006, The handle is invalid.
.
Operation:
Executing Asynchronous Operation
Context:
Current State: DoSnapshotSet

The System errors look to remain as well. Let's hope the VSS fix can possibly correct some.

System errors:
=============
Error: (03/22/2021 11:33:36 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Intel(R) TPM Provisioning Service service to connect.

Error: (03/22/2021 11:33:36 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Intel(R) Capability Licensing Service TCP IP Interface service to connect.

Error: (03/22/2021 11:33:36 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Wondershare InstallAssist service failed to start due to the following error: The system cannot find the file specified.

Error: (03/22/2021 11:32:55 PM) (Source: DCOM) (EventID: 10010) (User: T500)
Description: The server {FD06603A-2BDF-4BB1-B7DF-5DC68F353601} did not register with DCOM within the required timeout.

Error: (03/22/2021 11:30:14 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Error: (03/22/2021 11:30:14 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.

Error: (03/22/2021 11:29:15 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Intel(R) TPM Provisioning Service service to connect.

Error: (03/22/2021 11:29:15 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Intel(R) Capability Licensing Service TCP IP Interface service to connect.

Please download and run the following Volume Shadow Copy Service repair tool from Macrium Reflect:

Macrium Reflect Volume Shadow Copy Service (VSS) Repair Tool
VSSfix 32bit - download
VSSfix 64bit - download

Once you've run the repair tool you need to restart your computer. Then check your Event Logs to see if the error was corrected. You can post new logs from FRST which will also show the Event Log entries.

Thank you
porkclowns | Posted March 23, 2021 | ID:1446705

Out of curiosity, what does this VSS error exactly mean/do to my computer?

Attachments: FRST.txt, Addition.txt
AdvancedSetup (Root Admin) | Posted March 23, 2021 | ID:1446721

VSS stands for Volume Shadow Copy service, which is a key element of Windows. Without it working well you can experience all kinds of problems on Windows.

Were you able to run the VSS tool? What did it say? Do you have logs for it?
AdvancedSetup (Root Admin) | Posted March 23, 2021 | ID:1446722

Please click on Start and type in "Check for updates". Then download any updates found and let Windows update itself please.
porkclowns | Posted March 23, 2021 | ID:1446726

> 34 minutes ago, AdvancedSetup said:
> Were you able to run the VSS tool? What did it say? Do you have logs for it?

After I click OK it runs for a few seconds, then it automatically closes; no txt file log is generated.

> 34 minutes ago, AdvancedSetup said:
> Please click on Start and type in "Check for updates". Then download any updates found and let Windows update itself please.

I've been doing this before and after each time I run FRST64. Should I install the optional update?
AdvancedSetup (Root Admin) | Posted March 24, 2021 | ID:1446755

Yes, please exit out of Malwarebytes and close all applications. Then install the Cumulative Update.
porkclowns | Posted March 24, 2021 | ID:1446948

Updated, rebooted and ran the scan again. By the looks of it, the error is still there. If it's not fixable, it's no problem. The main point is that my PC isn't infected.

Attachments: FRST.txt, Addition.txt
AdvancedSetup (Root Admin) | Posted March 24, 2021 | ID:1446949 | Marked as Solution

Please check for more updates from Microsoft. You're still on this version:

Windows 10 Home Version 2004 19041.870 (X64)

If possible you should try to get on this build: 20H2 19042.870

https://docs.microsoft.com/en-us/windows/release-health/release-information

Edited March 24, 2021 by AdvancedSetup: updated information
porkclowns | Posted March 25, 2021 | ID:1447183

Thank you for your assistance @AdvancedSetup. I appreciate the time and effort you put into helping me with my problem.
AdvancedSetup (Root Admin) | Posted March 25, 2021 | ID:1447188

Were you able to update to the latest version now? You can download and run the update manually if wanted:

https://www.microsoft.com/en-us/software-download/windows10
AdvancedSetup (Root Admin) | Posted April 5, 2021 | ID:1449233

Are you still with us @porkclowns? Do you still need further assistance? Please post a status update when you have a moment.

Thanks
AdvancedSetup (Root Admin) | Posted April 12, 2021 | ID:1450785

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks