Jump to content

escalation privilege


Recommended Posts

Hello AISS and welcome to Malwarebytes,

Continue:

Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Clsoe out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

user posted image

Thank you,

Kevin....
Link to post
Share on other sites

RTP detection

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/11/21
Protection Event Time: 10:22 AM
Log File: b6a026e8-9a6c-11eb-8eb0-0c9d92141306.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1249
Update Package Version: 1.0.39289
License: Trial

-System Information-
OS: Windows 10 (Build 17763.1817)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent - Exploit payload process blocked, C:\Windows\system32\regsvr32.exe \s hnetcfg.dll, Blocked, 0, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: Power Shell
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\system32\regsvr32.exe \s hnetcfg.dll
URL: 



(end)

 

7C3EA81DF17C002F9259A570B987AC135CEF2B05E8704BAA83ABC1E67D0CCA44
{
   "applicationVersion" : "4.3.0.98",
   "chromeSyncResetQueryRequested" : false,
   "chromeSyncResetQueryResult" : false,
   "clientID" : "",
   "clientType" : "other",
   "componentsUpdatePackageVersion" : "1.0.1249",
   "coreDllFileVersion" : "0.0.0",
   "cpu" : "x64",
   "dbSDKUpdatePackageVersion" : "1.0.39289",
   "detectionDateTime" : "2021-04-11T02:22:17Z",
   "fileSystem" : "NTFS",
   "id" : "b6a026e8-9a6c-11eb-8eb0-0c9d92141306",
   "isUserAdmin" : true,
   "licenseState" : "trial",
   "linkagePhaseComplete" : false,
   "loggedOnUserName" : "System",
   "machineID" : "",
   "os" : "Windows 10 (Build 17763.1817)",
   "schemaVersion" : 18,
   "sourceDetails" : {
      "type" : "ae"
   },
   "threats" : [
      {
         "ddsSigFileVersion" : "",
         "linkedTraces" : [

         ],
         "mainTrace" : {
            "archiveMember" : "",
            "archiveMemberMD5" : "",
            "cleanAction" : "block",
            "cleanResult" : "successful",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2021-04-11T02:22:17Z",
            "exploitData" : {
               "appDisplayName" : "Power Shell",
               "blockedFileName" : "C:\\Windows\\system32\\regsvr32.exe \\s hnetcfg.dll",
               "documentFileName" : "",
               "layerText" : "Application Behavior Protection",
               "protectionTechnique" : "Exploit payload process blocked",
               "url" : ""
            },
            "generatedByPostCleanupAction" : false,
            "hubbleRequestErrorCode" : 0,
            "id" : "bc985084-9a6c-11eb-8ac6-0c9d92141306",
            "igExitCode" : "",
            "isPEFile" : false,
            "isPEFileValid" : false,
            "linkType" : "none",
            "objectMD5" : "",
            "objectPath" : "",
            "objectSha256" : "",
            "objectSize" : -1,
            "objectType" : "exploit",
            "resolvedPath" : ""
         },
         "ruleID" : 392684,
         "ruleString" : "",
         "rulesVersion" : "0.0.0",
         "srcEngineComponent" : "unknown",
         "srcEngineThreatNames" : [

         ],
         "threatID" : 0,
         "threatName" : "Malware.Exploit.Agent - Exploit payload process blocked"
      }
   ],
   "threatsDetected" : 1
}

 

Capture.JPG

Addition.txt FRST.txt

Link to post
Share on other sites

Here are instructions again....

Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Clsoe out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 

  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…



Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 

  • Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply
Link to post
Share on other sites

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.