Weird issues after site redirection


Solved by kevinf80


Hello all, so I got redirected to a bad site 3 days ago.

I immediately ran Kaspersky, AdwCleaner and Malwarebytes but nothing came up. But VirusTotal said 2/70-something AVs had pinged the site as malicious, with Sophos flagging it as 'malware callhome, command and control'.

[screenshot of the VirusTotal result]

Recently I found that on YouTube typing would lag a lot, but nowhere else.

And today when on Reddit after waking my computer, I found I could no longer use the keyboard.

I restarted just now and the screen said it was repairing the C drive first. I let that happen, then upon logging in Kaspersky said it noted it could not launch at the previous login and had to send an error report, but it loaded up now.

Am I infected by something?

 


For Addition.txt, it generated some results in French, so I've translated the sections on Application (Program) Errors and System Errors below:

Application errors:
==================

Error: (04/24/2021 08:17:16 PM) (Source: Application Error) (EventID: 1000) (User:)
Description: Faulting application name: mbamtray.exe, version: 4.0.0.974, timestamp: 0x607861f0
Faulting module name: Qt5Core.dll, version: 5.14.1.0, timestamp: 0x603971ce
Exception code: 0xc0000005
Fault offset: 0x0000000000219dc5
Faulting process ID: 0x13a8
Faulting application start time: 0x01d739031a0198e3
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll
Report ID: 2c8c3ba0-895a-45b8-8e1b-235d86ff823c
Faulting package full name:
Faulting package-relative application ID:

Error: (04/24/2021 08:12:07 PM) (Source: OVRServiceLauncher) (EventID: 0) (User:) Description: Event-ID 0

Error: (04/24/2021 08:12:07 PM) (Source: FMAPOService) (EventID: 4) (User:) Description: Event-ID 4

Error: (04/24/2021 08:12:07 PM) (Source: FMAPOService) (EventID: 2) (User:) Description: Event-ID 2

Error: (04/24/2021 08:12:07 PM) (Source: FMAPOService) (EventID: 4) (User:) Description: Event-ID 4

Error: (04/24/2021 08:12:07 PM) (Source: FMAPOService) (EventID: 2) (User:) Description: Event-ID 2

Error: (04/24/2021 07:47:59 PM) (Source: Bonjour Service) (EventID: 100) (User:) Description: Client application bug: DNSServiceResolve (mobile._epoccam._tcp.local.) active for over two minutes. This places considerable burden on the network.

Error: (04/24/2021 04:50:14 PM) (Source: Bonjour Service) (EventID: 100) (User:) Description: Client application bug: DNSServiceResolve (mobile._epoccam._tcp.local.) active for over two minutes. This places considerable burden on the network.



 

System errors:
==================

Error: (04/24/2021 08:42:32 PM) (Source: DCOM) (EventID: 10010) (User: LAPTOP-B03RVFCV) Description: The server Microsoft.SkypeApp_15.68.96.0_x86__kzf8qxf38zg5c!App.AppXtwmqn4em5r5dpafgj4t4yyxgjfe0hr50.mca did not register with DCOM within the required timeout.

Error: (04/24/2021 08:15:06 PM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY) Description: A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

Error: (04/24/2021 08:14:35 PM) (Source: DCOM) (EventID: 10010) (User: LAPTOP-B03RVFCV) Description: The server Microsoft.SkypeApp_15.68.96.0_x86__kzf8qxf38zg5c!App.AppXtwmqn4em5r5dpafgj4t4yyxgjfe0hr50.mca did not register with DCOM within the required timeout.

Error: (04/24/2021 08:13:19 PM) (Source: BugCheck) (EventID: 1001) (User:) Description: The computer has rebooted from a bugcheck. The bugcheck was: 0x0000010e (0x0000000000000033, 0xffff800055890d60, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report ID: 23126147-bb89-40c1-90d0-d3c7729199bc.

Error: (04/24/2021 08:12:38 PM) (Source: DCOM) (EventID: 10010) (User: LAPTOP-B03RVFCV) Description: The server Microsoft.SkypeApp_15.68.96.0_x86__kzf8qxf38zg5c!App.AppXtwmqn4em5r5dpafgj4t4yyxgjfe0hr50.mca did not register with DCOM within the required timeout.

Error: (04/24/2021 08:12:05 PM) (Source: EventLog) (EventID: 6008) (User:) Description: The previous system shutdown at 8:02:29 PM on 04/04/2021 was unexpected.

Error: (04/24/2021 07:48:57 PM) (Source: DCOM) (EventID: 10010) (User: LAPTOP-B03RVFCV) Description: The server Microsoft.SkypeApp_15.68.96.0_x86__kzf8qxf38zg5c!App.AppXtwmqn4em5r5dpafgj4t4yyxgjfe0hr50.mca did not register with DCOM within the required timeout.

Error: (04/24/2021 07:25:04 AM) (Source: DCOM) (EventID: 10010) (User: LAPTOP-B03RVFCV) Description: The server Microsoft.SkypeApp_15.68.96.0_x86__kzf8qxf38zg5c!App.AppXtwmqn4em5r5dpafgj4t4yyxgjfe0hr50.mca did not register with DCOM within the required timeout.

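The Application Error (1000) and BugCheck (1001) entries above came out of FRST in French and had to be hand-translated. As an added example that is not part of the thread (and not FRST's or Malwarebytes' code), here is how to pull the same two event types straight from the live event log in PowerShell, reading the structured property payload rather than the localized Message so the fields are identical whatever display language Windows is set to. The property index positions follow the message templates for these two event IDs on Windows 10 and are an assumption to re-check on other builds; the "module outside the app folder" heuristic at the end is also mine, not something the thread proposes.

```powershell
# Added example, not code from the thread or from FRST. Run in an elevated
# PowerShell on Windows 10; Get-WinEvent and the event layouts are built in.
# Property index positions are taken from the 1000/1001 message templates and
# are an assumption to re-check on other OS builds.

$since = (Get-Date).AddDays(-7)   # look back one week; adjust as needed

# Application crashes: Source "Application Error", Event ID 1000. The Message is
# localized, but Properties[] carries the raw fields in a fixed order:
# 0 app name, 1 app version, 3 module name, 6 exception code,
# 10 app path, 11 module path (indices assumed from the message template).
$crashes = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $p       = $_.Properties
    $appPath = [string]$p[10].Value
    $modPath = [string]$p[11].Value
    $appDir  = if ($appPath) { Split-Path -Parent $appPath } else { '' }
    $modDir  = if ($modPath) { Split-Path -Parent $modPath } else { '' }
    [pscustomobject]@{
        Time          = $_.TimeCreated
        App           = $p[0].Value
        Module        = $p[3].Value
        Exception     = $p[6].Value          # 0xc0000005 = access violation
        AppPath       = $appPath
        ModulePath    = $modPath
        # Triage heuristic (assumption, not from the thread): a crash inside a DLL
        # loaded from somewhere other than the app's own folder or System32 is
        # worth a second look, e.g. for DLL side-loading. mbamtray.exe crashing
        # in its own Qt5Core.dll, as in the log above, does not trip it.
        ModuleOutside = ($modDir -and $appDir -and
                         $modDir -ne $appDir -and
                         $modDir -notlike "$env:SystemRoot\System32*")
    }
}

# Unexpected reboots: Source "BugCheck", Event ID 1001 in the System log.
# Template: "The computer has rebooted from a bugcheck. The bugcheck was: %1.
# A dump was saved in: %2. Report Id: %3."  (Provider name differs by build,
# hence the loose match on ProviderName.)
$bugchecks = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 1001; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'BugCheck|SystemErrorReporting' } |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            BugCheck = $_.Properties[0].Value   # e.g. 0x0000010e (...)
            Dump     = $_.Properties[1].Value   # e.g. C:\WINDOWS\MEMORY.DMP
            ReportId = $_.Properties[2].Value
        }
    }

"== Application crashes (since $since) =="
$crashes | Sort-Object Time -Descending |
    Format-Table Time, App, Module, Exception, ModuleOutside -AutoSize
"== Bugchecks (since $since) =="
$bugchecks | Sort-Object Time -Descending | Format-Table -AutoSize
```

For what it is worth when reading the log above: bugcheck code 0x0000010E is VIDEO_MEMORY_MANAGEMENT_INTERNAL, a graphics-driver stop, and an access violation in Malwarebytes' own tray process faulting inside its own Qt5Core.dll is a software crash rather than evidence of compromise on its own. What the script gives you beyond FRST's excerpt is the full history in a fixed, language-independent shape, and a column that highlights the one crash pattern that would deserve attention.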

Hello Tyrannosaur29 and welcome to Malwarebytes,

Continue:

Upload a File to VirusTotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\Users\lianh\AppData\Roaming\Adobe\Connect\connectdetector.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.

Thank you,

Kevin..

 

  • Solution

Hiya Tyrannosaur29,

FRST did flag that entry for attention, hence I asked you to upload it to VirusTotal. VT does not find anything wrong; did you install that program on 4th April...?

Quote

HKU\S-1-5-21-99231543-3213763393-2440185171-1001\...\Run: [ConnectDetector] => C:\Users\lianh\AppData\Roaming\Adobe\Connect\connectdetector.exe [640696 2021-04-04] (Adobe Inc. -> Adobe Systems Incorporated) <==== ATTENTION

I do not find any definite malware or infection in your logs...

Thanks,

Kevin..

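Both the VirusTotal request above and the flagged FRST line come down to the same question: what is this Run entry, and is the binary it launches what it claims to be. As an added example that is not part of the thread (and not FRST's or VirusTotal's code), the PowerShell below enumerates the per-user and machine-wide Run/RunOnce keys, resolves each command to its executable, and reports the SHA-256 and the Authenticode signer. The `HKU\S-1-5-21-...-1001` path in the FRST line is the logged-on user's hive, i.e. `HKCU` here; the "(Adobe Inc. -> Adobe Systems Incorporated)" tag FRST printed is the same signature check `Get-AuthenticodeSignature` performs. The hash lets you search VirusTotal by hash before deciding whether to upload anything. Key list and the "lives under AppData" heuristic are my assumptions, not FRST's rules.

```powershell
# Added example, not from the thread or from FRST/VirusTotal. Run in an
# elevated PowerShell so the HKLM keys and Program Files binaries are readable.

# Assumption: the usual autostart locations; FRST also covers many others.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Properties Get-ItemProperty adds that are not registry values.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-AutorunExe {
    # Pull the executable path out of a Run value such as
    #   "C:\Program Files\Foo\foo.exe" /silent
    #   C:\Users\x\AppData\Roaming\Foo\foo.exe --tray
    #   %LOCALAPPDATA%\Foo\foo.exe
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"')    { return $Matches[1] }   # quoted path
    if ($cmd -match '^(\S+?\.exe)')  { return $Matches[1] }   # unquoted, ends at .exe
    return ($cmd -split '\s+')[0]                              # best effort
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        $exe    = Resolve-AutorunExe -Command ([string]$p.Value)
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $exe } else { $null }
        [pscustomobject]@{
            Key       = $key
            Name      = $p.Name
            Exe       = $exe
            Exists    = $exists
            # Search VirusTotal for this hash first; upload only if it is unknown.
            Sha256    = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { '' }
            # Valid / NotSigned / HashMismatch / UnknownError ...
            SigStatus = if ($sig) { [string]$sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Heuristic (assumption): an autostart living in the user's writable
            # profile, like the connectdetector.exe entry FRST flagged, deserves
            # a closer look even when the signature is valid.
            InProfile = $exe -like "$env:USERPROFILE\AppData\*"
        }
    }
}

$report | Sort-Object InProfile, SigStatus -Descending |
    Format-Table Name, Exists, SigStatus, Signer, InProfile, Exe -AutoSize -Wrap
$report | Where-Object { -not $_.Exists -or $_.SigStatus -ne 'Valid' -or $_.InProfile } |
    Format-List Key, Name, Exe, Sha256, SigStatus, Signer
```

For the entry in this thread the expected outcome is a `Valid` status with an Adobe subject and `InProfile` true, which is exactly the combination Kevin resolved by asking when it was installed: the signature says who built it, the location says it is worth asking, and the install date closes the question.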

Hi Kevin,

Thank you. Yes, that program's a part of my college lecture recordings. It's likely I installed it around early April.

OK. I will continue on, and will post here if anything comes up again.

Thank you so much for your time and for helping me.

 

Cheers and have a good day!

 


Try one more scan for me...

Please download the correct portable version (32-bit or 64-bit) of RogueKiller for your system and save the file to your computer Desktop.
 
  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button.
  • When the scan is complete, click on Results button. NOTE: DO NOT delete any found entries. All listed entries will be carefully analyzed.
  • Then click on Report button.
  • Click Export button and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Copy and paste the entire contents of that log into your next reply.

Here's the RogueKiller log, as requested:


RogueKiller Anti-Malware V14.8.6.0 (x64) [Mar 24 2021] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.19042) 64 bits
Started in : Normal mode
User : lianh [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20210423_062556, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2021/04/25 07:05:21 (Duration : 00:06:46)

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

 


Hiya Tyrannosaur29,

Let's run your system as you normally do for 24 hours and see how it responds. If your PC is normal we can clean up; obviously if there are still issues happening we'll need to check further.... Let me know the outcome.

Thank you,

Kevin...


Hi Kevin,

In the last 24 hours I did see 2 things which were a bit weird.

The first was a watermark saying Please activate Windows 10 - go to Settings, which had already appeared once about a month ago. I went to settings and refreshed that and it went away.

The second thing was that I ran a Kaspersky Quick Scan just now, just after I disconnected my VPN and the Internet was offline, and it said 1 file/object was detected, but I couldn't find it anywhere in Quarantine. I ran a second scan minutes later, which apparently analysed fewer files, and it didn't find anything.

This is a bit strange. I think I will run a full system scan now on all the files.

[screenshot of the Kaspersky scan result and C:\ drive free space]


Hiya Tyrannosaur29,

Thanks for the update, let me know the outcome of the full scan with Kaspersky. The point you make regarding free space on the C:\ drive is definitely a problem and will cause issues with normal use of Windows....

The rule of thumb for free space to allow windows to run/work effectively and efficiently is 15% free space for a mechanical drive and 25% for a solid state drive.

Thank you,

Kevin..

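As an added example that is not part of the thread, the PowerShell below applies the rule of thumb Kevin gives (15% free for a mechanical drive, 25% for a solid-state drive) to every fixed volume with a drive letter. It maps each volume to its physical disk through the partition's disk number and reads the media type from `Get-PhysicalDisk`; the two thresholds are taken from the post and the fallback for an "Unspecified" media type is my assumption.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on Windows 10
# so Get-Partition/Get-PhysicalDisk can see every disk.

# Thresholds from Kevin's rule of thumb; 'Unspecified' media treated as SSD (assumption).
$thresholds       = @{ HDD = 15; SSD = 25 }
$defaultThreshold = 25

# DeviceId on a PhysicalDisk is a string matching the Disk/Partition DiskNumber.
$physical = Get-PhysicalDisk | Select-Object DeviceId, MediaType, FriendlyName

$report = Get-Volume |
    Where-Object { $_.DriveLetter -match '[A-Z]' -and $_.DriveType -eq 'Fixed' -and $_.Size -gt 0 } |
    ForEach-Object {
        $vol  = $_
        $part = Get-Partition -DriveLetter $vol.DriveLetter -ErrorAction SilentlyContinue | Select-Object -First 1
        $pd   = if ($part) { $physical | Where-Object { $_.DeviceId -eq [string]$part.DiskNumber } } else { $null }
        $media   = if ($pd) { [string]$pd.MediaType } else { 'Unknown' }
        $need    = if ($thresholds.ContainsKey($media)) { $thresholds[$media] } else { $defaultThreshold }
        $freePct = [math]::Round(100 * $vol.SizeRemaining / $vol.Size, 1)
        [pscustomobject]@{
            Drive   = "$($vol.DriveLetter):"
            Media   = $media
            Disk    = if ($pd) { $pd.FriendlyName } else { '' }
            SizeGB  = [math]::Round($vol.Size / 1GB, 1)
            FreeGB  = [math]::Round($vol.SizeRemaining / 1GB, 1)
            FreePct = $freePct
            NeedPct = $need
            Status  = if ($freePct -lt $need) { 'LOW - free up space' } else { 'OK' }
        }
    }

$report | Format-Table -AutoSize
```

A volume reported `LOW` is the one to clean up before trusting any further scan results: both the "repairing C drive" message and a security product that cannot start at logon are the kind of symptoms a nearly full system drive produces on its own.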
Hiya Tyrannosaur29,
 
Yes disk space is very important, you will have to create more room on your C:\ drive to enable even basic functions to work correctly... To clean up:
 
Uninstall the following program (unless you prefer to keep it):

RogueKiller

http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Also delete this folder if still present: C:\ProgramData\RogueKiller

Next,

Right-click on FRST here: C:\Users\lianh\Downloads\FRST.exe and rename it to uninstall.exe. When complete, right-click on uninstall.exe and select "Run as Administrator".

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST to uninstall

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

Consider the following:

Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/

Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee Link will also work for Opera and Edge..

PatchMyPC, keep all your software up to date - https://patchmypc.com/home-updater#download

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

This topic is now closed to further replies.