
Outbound Trojan Alerts



Hi all, 
 

I've been advised to post in here as in the last few days I've had a couple of pop ups from Malwarebytes telling me that a website has been blocked due to an outbound trojan (event logs attached). This has only happened when I've been on google images, and when I've subsequently scanned my computer with Malwarebytes, Adware Cleaner, and my antivirus program, each keeps coming back telling me there are no problems. I've run the FRST scan and attached the subsequent logs, along with a log of a Malwarebytes scan run today. I'm hoping someone can help me make sense of this.

 

Thanks in advance

FRST.txt Addition.txt Full scan.txt trojan report 2.txt trojan report.txt


  • Root Admin

Hello @QualityPie

The logs indicate you removed Comodo but it still has elements of the program installed. You have quite a few errors in the Event Logs as well.

Normally the Google Chrome clean up would probably correct this detection but perhaps your Avast is blocking part of the clean up.

I would suggest you temporarily uninstall Avast. Then reboot and run FRST again and get me both new logs again and I'll write up a cleanup script to see if we can fix some of the issues.

 

Application errors:
==================
Error: (04/08/2021 04:11:51 PM) (Source: Microsoft-Windows-Perflib) (EventID: 1023) (User: NT AUTHORITY)
Description: Windows cannot load the extensible counter DLL "C:\WINDOWS\system32\sysmain.dll" (Win32 error code 126).

Error: (04/07/2021 05:05:35 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: AUDIODG.EXE, version: 10.0.19041.804, time stamp: 0x985b4154
Faulting module name: RtkIntU642.dll, version: 11.0.6000.806, time stamp: 0x5f3b9dc6
Exception code: 0xc0000005
Fault offset: 0x000000000014c08e
Faulting process ID: 0x3d78
Faulting application start time: 0x01d72b3b17d2187e
Faulting application path: C:\WINDOWS\system32\AUDIODG.EXE
Faulting module path: C:\WINDOWS\System32\DriverStore\FileRepository\realtekintapo2.inf_amd64_64d7b2bc2fb3fd41\RtkIntU642.dll
Report ID: 0d9c4327-202b-40dc-854f-00cf3ce53616
Faulting package full name:
Faulting package-relative application ID:

Error: (04/07/2021 05:05:31 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SysInfoCap.exe, version: 1.30.2273.0, time stamp: 0x602eee5e
Faulting module name: combase.dll, version: 10.0.19041.844, time stamp: 0xdd615a1e
Exception code: 0xc0000005
Fault offset: 0x0000000000083fc5
Faulting process ID: 0x4a08
Faulting application start time: 0x01d72b3b92f0bbfe
Faulting application path: C:\WINDOWS\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_5451dfef9ec90792\x64\SysInfoCap.exe
Faulting module path: C:\WINDOWS\System32\combase.dll
Report ID: 00e63c1a-c3da-4551-820b-dabdeeb4743e
Faulting package full name:
Faulting package-relative application ID:

Error: (04/05/2021 06:08:59 PM) (Source: Microsoft-Windows-Perflib) (EventID: 1023) (User: NT AUTHORITY)
Description: Windows cannot load the extensible counter DLL "C:\WINDOWS\system32\sysmain.dll" (Win32 error code 126).

Error: (04/04/2021 09:19:23 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program RailWorks.exe version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 4bb4

Start Time: 01d7298fc603720e

Termination Time: 4294967295

Application Path: C:\Program Files (x86)\Steam\steamapps\common\RailWorks\RailWorks.exe

Report Id: ba1c87b5-f624-475b-b9fa-47ecb3a04eac

Faulting package full name:

Faulting package-relative application ID:

Hang type: Unknown

Error: (04/04/2021 03:50:33 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program explorer.exe version 10.0.19041.844 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 2754

Start Time: 01d7296193a7bcb1

Termination Time: 0

Application Path: C:\Windows\explorer.exe

Report Id: 10bb995c-eaf1-454f-9f84-b315966c1b87

Faulting package full name:

Faulting package-relative application ID:

Hang type: Cross-process

Error: (04/04/2021 02:05:22 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: RailWorks.exe, version: 0.0.0.0, time stamp: 0x6024f5cf
Faulting module name: OpenAL32.dll, version: 1.20.1.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x000247d9
Faulting process ID: 0x50dc
Faulting application start time: 0x01d728e7d82d261d
Faulting application path: C:\Program Files (x86)\Steam\steamapps\common\RailWorks\RailWorks.exe
Faulting module path: C:\Program Files (x86)\Steam\steamapps\common\RailWorks\OpenAL32.dll
Report ID: cdaf15f1-d8ec-496c-adb0-9b2e5b8e76cb
Faulting package full name:
Faulting package-relative application ID:

Error: (04/04/2021 01:05:28 AM) (Source: Microsoft-Windows-Perflib) (EventID: 1023) (User: NT AUTHORITY)
Description: Windows cannot load the extensible counter DLL "C:\WINDOWS\system32\sysmain.dll" (Win32 error code 126).


System errors:
=============

Error: (04/08/2021 05:21:46 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80073d02: 9NZKPSTSNW4P-Microsoft.XboxGamingOverlay.

Error: (04/08/2021 04:13:26 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The HP Comm Recovery service failed to start due to the following error:
The system cannot find the file specified.

Error: (04/08/2021 04:11:23 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 02:56:31 on 08/04/2021 was unexpected.

Error: (04/08/2021 04:07:30 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\WINDOWS\system32\IntelIHVRouter08.dll

Error: (04/08/2021 04:07:27 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\WINDOWS\system32\IntelIHVRouter08.dll

Error: (04/08/2021 04:07:26 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\WINDOWS\system32\IntelIHVRouter08.dll

Error: (04/08/2021 04:07:23 PM) (Source: Microsoft-Windows-NDIS) (EventID: 10317) (User: )
Description: Miniport Microsoft Wi-Fi Direct Virtual Adapter #4, {bac46afb-ee56-4d7a-934e-770a1c7c2bfa}, had event 74

Error: (04/08/2021 02:59:46 AM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\WINDOWS\system32\IntelIHVRouter08.dll

 

Thanks

 

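The FRST event-log block quoted above parses cleanly into records, which makes the repeats (the same counter DLL failing to load, the same WLAN module crashing) and the missing-file errors easy to pick out when triaging a thread like this. The Python below is an added example and is not code from the thread, from Malwarebytes or from the FRST project; it assumes only the plain-text layout shown above (one `Error: (...)` header per entry followed by `Key: value` lines) and runs on a constructed excerpt of those same entries.

```python
"""Parse the 'Application errors' / 'System errors' blocks FRST writes to Addition.txt (added example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

# Constructed excerpt in the Addition.txt layout (entries taken from the thread above).
SAMPLE_LOG = r"""Application errors:
==================
Error: (04/08/2021 04:11:51 PM) (Source: Microsoft-Windows-Perflib) (EventID: 1023) (User: NT AUTHORITY)
Description: Windows cannot load the extensible counter DLL "C:\WINDOWS\system32\sysmain.dll" (Win32 error code 126).

Error: (04/07/2021 05:05:35 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: AUDIODG.EXE, version: 10.0.19041.804, time stamp: 0x985b4154
Faulting module name: RtkIntU642.dll, version: 11.0.6000.806, time stamp: 0x5f3b9dc6

Error: (04/05/2021 06:08:59 PM) (Source: Microsoft-Windows-Perflib) (EventID: 1023) (User: NT AUTHORITY)
Description: Windows cannot load the extensible counter DLL "C:\WINDOWS\system32\sysmain.dll" (Win32 error code 126).

System errors:
=============

Error: (04/08/2021 04:13:26 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The HP Comm Recovery service failed to start due to the following error:
The system cannot find the file specified.

Error: (04/08/2021 04:07:30 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\WINDOWS\system32\IntelIHVRouter08.dll
"""

HEADER_RE = re.compile(r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]+)\) "
                       r"\(EventID: (?P<event_id>\d+)\) \(User: (?P<user>[^)]*)\)$")
SECTION_RE = re.compile(r"^(?P<name>Application|System) errors:$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z -]*): ?(?P<value>.*)$")


@dataclass
class FrstError:
    section: str
    timestamp: datetime
    source: str
    event_id: int
    user: str
    description: str = ""
    fields: dict[str, str] = field(default_factory=dict)


def parse_frst_errors(text: str) -> list[FrstError]:
    """One record per 'Error: (...)' header; 'Key: value' lines become fields, other lines extend the description."""
    errors: list[FrstError] = []
    section, current = "Unknown", None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := SECTION_RE.match(line):
            section, current = m.group("name"), None  # the ==== rule under the heading is then skipped
        elif m := HEADER_RE.match(line):
            current = FrstError(section, datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
                                m.group("source"), int(m.group("event_id")), m.group("user"))
            errors.append(current)
        elif current is None:
            continue
        elif (m := FIELD_RE.match(line)) and m.group("key") != "Description":
            current.fields[m.group("key")] = m.group("value").strip()
        elif m:
            current.description = m.group("value").strip()
        else:  # continuation line of a multi-line description (e.g. Service Control Manager entries)
            current.description = f"{current.description} {line}".strip()
    return errors


def repeated_errors(errors: list[FrstError], min_count: int = 2) -> dict[tuple, int]:
    """Identical (source, event id, description) seen min_count+ times: a recurring failure is the lead to chase first."""
    counts = Counter((e.source, e.event_id, e.description) for e in errors)
    return {key: n for key, n in counts.items() if n >= min_count}


def missing_file_errors(errors: list[FrstError]) -> list[FrstError]:
    """Entries naming a file Windows could not find (Win32 error 126 / 'cannot find the file'): the usual leftover of a partial uninstall."""
    return [e for e in errors
            if "error code 126" in e.description or "cannot find the file" in e.description]


def faulting_pair(err: FrstError) -> tuple[str, str] | None:
    """(application, module) for Application Error entries, from the 'Faulting application/module name: X, ...' lines."""
    if err.event_id != 1000:
        return None
    app = err.description.removeprefix("Faulting application name: ").split(",", 1)[0]
    mod = err.fields.get("Faulting module name", "").split(",", 1)[0]
    return app.strip(), mod.strip()


if __name__ == "__main__":
    parsed = parse_frst_errors(SAMPLE_LOG)
    print(f"{len(parsed)} entries; repeated: {repeated_errors(parsed)}")
    print("missing files:", [e.description for e in missing_file_errors(parsed)])
    print("crashes:", [faulting_pair(e) for e in parsed if faulting_pair(e)])
```

Run it as a script to print the summary, or call `parse_frst_errors()` on the full text of Addition.txt. Lines without a `Key: value` shape are folded into the previous description, which is how the two-line Service Control Manager entry stays one record; the `Faulting ... name: X, version: ...` lines are split on the first comma to recover the application and module names.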

  • Root Admin

Please go to Control Panel, Programs, Programs and Features and uninstall the following.

Internet Security Essentials
 

After the removal above, please run the following fix.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE: It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


Thank you for all your help! I did as you said. Is there anything else that I need to do?

Also, can I just ask for my own peace of mind, has this been caused by Comodo and the Internet Security Essentials program, or has this been caused by something malicious?

Thank you ever so much once again


Windows defender was all green when I initially checked it but while I waited for windows defender to update, the "App & Browser control" setting displayed a warning triangle. When I looked at it "reputation based protection" was turned off. Should I turn it back on now, or wait?

I ran the quick scan and it came back clean, no threats were found.


  • Root Admin

No, no problem. Don't need the Browser Guard (though I will say it is a good thing to have in today's world over overkill Ads)

Here is a link with information to help you better protect your computer data and privacy. I'd recommend you bookmark it and review as you have time. It does include Content blockers for your browser.

I'll go ahead then and close your topic and wish you well

Take care and stay safe out there

Cheers

 


  • Root Admin

I believe more than likely all it was, was probably some Ad or JavaScript dumped an entry into your cache that links to a known bad site. Then our real-time protection module detected it and triggered on it.

In the majority of cases a good cleaning of Google Chrome will correct the issue. Why it did not for you I'm not sure, but we did do a manual clean up of temp files and other entries.

 

Edited by AdvancedSetup
updated information

  • Root Admin

All is good. If you really want to double-check we can run another antivirus scan. Please exit out of Malwarebytes and temporarily disable Windows Defender - Real-Time protection and run this scan.

 

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, click on Full scan
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 


This topic is now closed to further replies.