
File with hlk extension in temp folder



Hello everyone, some minutes ago, while checking my temp folder to make sure everything was right, I found this folder with a single file in it that I had never seen, so I got scared. From what I see online this file is from a game called Warhammer, but I didn't even know this game existed, so that's not where it came from. I also read that there is a program on Windows called Hardware Lab Kit, and the acronym could lead to it, but from what I read it should read and produce hlkx files, not hlk. I attach a photo of the file (the name of the folder is readable in the path above the file) and the required logs. I don't really think it's malicious, seeing as Malwarebytes didn't report it and Windows Defender didn't report an attempt at modifying files, but I want to be sure or else I'll never get this paranoia out of my head.

Thank you

Screenshot (673).png

Addition.txt FRST.txt Malwarebytes_textlog.txt


Good morning, I might have figured out the issue. When I tried to delete the file it gave me this notification that the file was open in rdrleakdiag.exe and, when I researched the process, it turns out it's a Windows program. So everything should be OK, I think, but if somebody confirmed this to me when they have the time it would be wonderful. Also, when I shut down and restarted the PC, the folder, along with the file, was gone.

Thanks again,

Mattia

Screenshot (676).png


  • Root Admin

Hello @Matfra

The temp folder is used for all types of logs, installation, start-up, renaming, staging, etc., so the file and folder names there can and will change. Name alone is not always an indicator of good or bad.

Overall your logs look good. The only item of potential issue may be from this entry.

Date: 2021-08-17 11:12:38
Description:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe has been blocked by controlled folder access and cannot modify %system%\CatRoot.
Detection time: 2021-08-17T09:12:38.738Z
User: (unknown user)
Path: %system%\CatRoot
Process name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Security Intelligence Version: 1.345.677.0
Engine version: 1.1.18400.4
Product Version: 4.18.2107.4

If you were running PowerShell yourself then okay, but if it was running due to another unknown process that's not good.

Just to double-check let me have you run a 3rd party antivirus scanner.


Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for “periodic scanning”.


Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner


Thanks


Hello, yeah, I never run PowerShell, but every 7 days or so it always gets blocked from accessing the same folder, so I always thought it was Windows trying to do something, but I never gave it access nonetheless. What could it be if it's not normal? I never thought it was a problem. Now I'm running the scan and I'll soon post the results here.


  • Root Admin

Okay, well that is a no go. Let's find out why it's running. Please do the following for me.


Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures and Check VirusTotal.com and Submit Unknown Images
  • Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
  • When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder you just created to your next reply


Thanks


  • Root Admin

Well, it's up to you, but it's not normal for PowerShell to run on its own. It is a very powerful program that can do many good things but can also do many bad things in the hands of bad actors.

If you're not concerned we can stop here but I would suggest trying to determine why or what is calling and running it since it appears to be on a scheduled task.


Hello, no, I'm really concerned; it's not that I don't want to discover the cause of it, I just wanted to know if it's for sure a virus, seeing as I get very anxious about viruses for some reason that I too don't comprehend. So if you want, I would continue investigating why PowerShell is acting like this and get to the root of the problem. Also, the ESET scan should be done soon, so I'll post it here when it's done.

Thank you,

Mattia


  • Root Admin

The current logs do not show any signs of an infection, and neither Malwarebytes nor ESET antivirus is showing one either.

Please open an elevated admin command prompt. Click on Start / Search and type in CMD.EXE and when it shows on the menu right-click and select "Run as administrator" then copy/paste the following and press the Enter key.

It will open Notepad with all your tasks. Save the file and attach it and I'll take a look and see what I can find.

SCHTASKS /Query /fo table /v > 0 && notepad 0 | ECHO >NUL  & DEL 0

Thanks


If it could help, I want to add a little bit of behaviour that I observed, seeing as it was almost always regular: when I boot up the PC for the first time that day, after other programs do their usual routine, it opens up for a second and then Windows Defender blocks it. If I remember correctly it's usually preceded by another program that should be Windows-related too, but too much time has passed to be sure of what I'm saying. If I boot up the PC again the same day it doesn't show up, nor does it show up at times other than about 2-4 minutes after the boot-up of the machine. Hope this helps; I'm not an expert and don't really know what information can be useful or not.

Thanks again,

Mattia


Hello, if you mean that if I shut down and then turn it on again in the same day, no, it doesn't come back. It only does it once, the first time I turn it on that day, then nothing. What is a computer vendor? You mean Windows/Microsoft or the physical person that sold the PC?


  • Root Admin

Actually, I wonder if PowerShell will give us that answer.

Please click on Start / Search and type in PowerShell and when it shows on the menu right-click and select "Run as administrator" then copy/paste the following and press the Enter key and then show me the results please.

Get-MpThreatDetection 

Thanks

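Added example (not from the thread, and not from Malwarebytes, ESET or Microsoft): the two questions raised above, what Defender recorded when it blocked powershell.exe and which scheduled task could have launched it, can be answered together from an elevated PowerShell prompt. Defender writes Controlled Folder Access blocks to the Microsoft-Windows-Windows Defender/Operational event log as Event ID 1123 (1124 in audit mode), which is where the entry quoted earlier came from; Get-MpThreatDetection reports malware detections rather than Controlled Folder Access blocks. The script below pulls those events, enumerates scheduled tasks whose action launches powershell.exe, and flags any task whose last run time falls within a few minutes of a block. The five-minute window and the 'powershell' match pattern are assumptions chosen for this example.

```powershell
# Added example, not code from the original thread. Run from an elevated PowerShell prompt.
# 1) Collect Defender Controlled Folder Access events (1123 = blocked, 1124 = audited)
#    that name powershell.exe.
# 2) List scheduled tasks whose action launches powershell.exe.
# 3) Flag tasks whose last run is within $window of a CFA event.
# The 5-minute window and the 'powershell' pattern are assumptions for this example.

$log    = 'Microsoft-Windows-Windows Defender/Operational'
$window = [TimeSpan]::FromMinutes(5)

# 1) CFA events naming powershell.exe. Matching on the executable path (not on the
#    message wording) keeps this independent of the system's UI language.
$cfaEvents = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1123, 1124 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\powershell\.exe' } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Summary = ($_.Message -split "`r?`n")[0]   # first line: blocked process and target folder
        }
    }

# 2) Scheduled tasks that execute powershell.exe, directly or via their arguments,
#    with author, state, trigger types and last run time/result.
$psTasks = Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match 'powershell' }
    } | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task       = $_.TaskPath + $_.TaskName
            Author     = $_.Author
            State      = $_.State
            Command    = ($_.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | '
            Triggers   = ($_.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
            LastRun    = $info.LastRunTime    # 1899-12-30 means the task has never run
            LastResult = $info.LastTaskResult
        }
    }

# 3) Correlate: a task whose LastRunTime sits within $window of a CFA event is the
#    first suspect for what launched the blocked powershell.exe.
$hits = foreach ($e in $cfaEvents) {
    foreach ($t in $psTasks) {
        if ([math]::Abs(($e.Time - $t.LastRun).TotalSeconds) -le $window.TotalSeconds) {
            [pscustomobject]@{ EventTime = $e.Time; EventId = $e.Id; Task = $t.Task; Command = $t.Command }
        }
    }
}

"== Controlled Folder Access events involving powershell.exe =="
$cfaEvents | Sort-Object Time | Format-Table -AutoSize
"== Scheduled tasks that launch powershell.exe =="
$psTasks | Sort-Object LastRun -Descending | Format-Table -AutoSize
"== Tasks whose last run is within $($window.TotalMinutes) minutes of a CFA event =="
$hits | Format-Table -AutoSize
```

Two caveats when reading the output. Windows itself ships scheduled tasks under \Microsoft\Windows\ that launch powershell.exe, so the fact that PowerShell ran says little on its own; what matters is the task path, its author, and which script or command the arguments point at. And the Defender event identifies the blocked process, not its parent: if no task lines up with the event times, the next places to look are the Autoruns entries requested earlier and process-creation auditing (Security event 4688 with command-line logging, or Sysmon event 1), both of which record the parent process.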

  • Root Admin

Thank you for the ESET log. That helps to confirm that there are no signs of an infection. Now we just want to know why PowerShell is running.


The reply from the PowerShell command I gave you should be right there. Using your mouse you can highlight all of it and then normally hit the enter key to copy to the clipboard or possibly right-click and copy.

Then paste it back here. You can also take a screenshot if wanted.


Huh, that's strange, it does nothing when it runs, or to put it better: when I run it normally, there is a message that it can't complete the operation because a file can't be read or is missing. At the same time, Windows Defender blocks PowerShell and conhost from doing things. When I give them access and run the code again, nothing happens. I'm going to take screenshots right now. So, if I got what you said correctly, there is absolutely no chance that there is a virus on my PC, right?

Thank you,

Mattia
