mike_bitwise Posted October 30, 2021 ID:1486205 Share Posted October 30, 2021 I got two back to back alerts that MB quarantined, then blocked suspicious activity, but when I look at the log for those items it doesn't really say much about it. I've run a scan and it shows nothing detected, and I don't see anything in quarantine. I'd like to know if it was a real threat or just a false positive if that's possible. I think I have attached some of what you might want. Thanks Quarantined.txt blocked.txt MB scan report.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 30, 2021 Root Admin ID:1486212 Share Posted October 30, 2021 Hello @mike_bitwise Let me get some other logs, please. Please download Farbar Recovery Scan Tool and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit Double-click to run it. When the tool opens click Yes to disclaimer. Press the Scan button. It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply. The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well. Thank you Link to post Share on other sites More sharing options...
mike_bitwise Posted October 30, 2021 Author ID:1486222 Share Posted October 30, 2021 (edited) Attached, thanks. Edit: sanitized some data and re-uploaded FRST.txt Addition.txt Edited October 31, 2021 by mike_bitwise Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 31, 2021 Root Admin ID:1486390 Share Posted October 31, 2021 Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work. Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply. Note: If the tool warned you about an outdated version please download and run the updated version. NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more. NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords. NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix. The following directories are emptied: Windows Temp Users Temp folders Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache BITS transfer queue (qmgr*.dat files) Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. fixlist.txt Thanks Link to post Share on other sites More sharing options...
mike_bitwise Posted November 1, 2021 Author ID:1486421 Share Posted November 1, 2021 Fixlog attached, thanks Fixlog.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 1, 2021 Root Admin ID:1486425 Share Posted November 1, 2021 So the first round of SFC returned the following. Windows Resource Protection found corrupt files but was unable to fix some of them. Then we ran DISM and did some repairs to the store Then ran SFC a second time and this was the result this time Windows Resource Protection found corrupt files and successfully repaired them. Let's go ahead and run a Microsoft scan to see if it finds anything or not. The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the tool are at this link at Microsoft https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Please let me know the results of this scan. The log is named MSERT.log the log will be at %SYSTEMROOT%\debug\msert.log which in most cases is C:\Windows\debug\msert.log Please attach that log with your next reply. Thank you @mike_bitwise Link to post Share on other sites More sharing options...
mike_bitwise Posted November 1, 2021 Author ID:1486434 Share Posted November 1, 2021 MSERT log attached, I'm probably heading off to bed for the evening but I appreciate your help so far. msert.log Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 1, 2021 Root Admin ID:1486438 Share Posted November 1, 2021 Thanks @mike_bitwise That log from Microsoft looks good. The Tamper finding is quite normal. Basically, it just found an entry that was not set to default and so it put it back to the default setting. Please run a new Malwarebytes scan and an AdwCleaner scan. Hopefully, both are now clean. Let me know if the detections or blocks are still showing up or not. Then go ahead and also run the following on the system. SecurityCheck by glax24 I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications. Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe If Microsoft SmartScreen blocks the download, click through to save the file This tool is safe. Smartscreen is overly sensitive. If SmartScreen blocks the file from running click on More info and Run anyway Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt Thank you Link to post Share on other sites More sharing options...
mike_bitwise Posted November 1, 2021 Author ID:1486439 Share Posted November 1, 2021 MB scan was clear, so was ADW. SecurityCheck log attached. SecurityCheck.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 1, 2021 Root Admin ID:1486499 Share Posted November 1, 2021 Thanks for the log @mike_bitwise Please uninstall, update, or otherwise address the following issues as appropriate for this system. I would also highly recommend that you try to convince the customer to stop using Torrenting. There is an increased risk of being infected and if one of the Ransomware encryption attacks hit them they can potentially lose all data. ------------------------------- [ Windows ] ------------------------------- Internet Explorer 11.737.17763.0 Warning! Download Update ------------------------------- [ HotFix ] -------------------------------- HotFix KB5004244 Warning! Download Update --------------------------- [ OtherUtilities ] ---------------------------- Notepad++ (64-bit x64) v.8.1.4 Warning! Download Update SumatraPDF v.3.1.2 Warning! Download Update LibreOffice 7.1.3.2 v.7.1.3.2 Warning! Download Update Python 3.8.3 (64-bit) v.3.8.3150.0 Warning! Download Update FileZilla Client 3.46.3 v.3.46.3 Warning! Download Update Microsoft Silverlight v.5.1.20513.0 Warning! This software is no longer supported. ------------------------------- [ Imaging ] ------------------------------- paint.net v.4.2.15 Warning! Download Update -------------------------- [ IMAndCollaborate ] --------------------------- Discord v.0.0.309 Warning! Download Update --------------------------------- [ P2P ] --------------------------------- qBittorrent 4.2.3 v.4.2.3 Warning! Download Update -------------------------------- [ Media ] -------------------------------- VLC media player v.3.0.8 Warning! Download Update --------------------------- [ AdobeProduction ] --------------------------- Adobe AIR v.1.5.3.9120 Warning! Download Update ----------------------------- [ EmailClient ] ----------------------------- Mozilla Thunderbird 68.12.1 (x86 en-US) v.68.12.1 Warning! Download Update ---------------------------- [ UnwantedApps ] ----------------------------- Unity Web Player v.5.3.8p2 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering. Link to post Share on other sites More sharing options...
mike_bitwise Posted November 1, 2021 Author ID:1486508 Share Posted November 1, 2021 Will do. I appreciate you going through all this, however I still need to determine the source or reason for the alert. I understand this might not be the appropriate area to discuss it, so I can mark this solved and repost elsewhere if you'd prefer. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 1, 2021 Root Admin ID:1486514 Share Posted November 1, 2021 Is the block still happening? Link to post Share on other sites More sharing options...
mike_bitwise Posted November 2, 2021 Author ID:1486595 Share Posted November 2, 2021 Nope, it only happened the one time before posting anything here. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 2, 2021 Root Admin ID:1486597 Share Posted November 2, 2021 Sorry, but knowing what caused it or where it came from at this point would probably be rather time consuming and difficult. Most often things get in by exploits from systems not being up to date or email, or bad websites I typically clean up and provide the customer with better options to try and remain safe in the future. Please see the following Cheers Link to post Share on other sites More sharing options...
mike_bitwise Posted November 2, 2021 Author ID:1486610 Share Posted November 2, 2021 Well that's a bummer. I won't beat a dead horse since there wasn't apparently any infection, but shouldn't MB logs from the block/quarantine alert say what the source is or the reason it's blocking something, or is it just blocking based on suspicious behavior? Link to post Share on other sites More sharing options...
Root Admin Solution AdvancedSetup Posted November 2, 2021 Root Admin Solution ID:1486683 Share Posted November 2, 2021 (edited) If the source were always known there probably wouldn't be a need for antivirus. The majority of infections do their best to hide from detection. There are rootkits out there that have hidden from detection for long periods of time from all security software before anyone was able to find or detect them. That's why human intervention sometimes is better than just automation alone. If one really wants to know where an infection originated from you need to stop what you're doing and image the system and proceed with Forensic analysis of the system. At that point you can then use that image to use tools to dissect and attempt to track down the actual ingress into the system. One can do that on there own but it is a very time consuming process and require a lot of knowledge. The cost to have something like that performed can easily cost over a thousand dollars even if the final result is they're unable to track it down as many infections also remove signs of their initial ingress onto the system. Thank you again Edited November 2, 2021 by AdvancedSetup updated information Link to post Share on other sites More sharing options...
mike_bitwise Posted November 2, 2021 Author ID:1486723 Share Posted November 2, 2021 Fair enough. You've spent considerable time walking me through this and it seems ungrateful for me to keep drawing it out, so I won't. I don't have formal background in infosec or really any cybersecurity so I have to defer to you. I guess just a final thought was that my (apparently erroneous) belief was that if security software is blocking an action it would know what action it's blocking. that was why I was asking for more details about it, so that I might chase down the source. It seems I have a fundamental misunderstanding of how it works, so I'll seek to educate myself about it. Again, I appreciate your help on this, have a good one. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 2, 2021 Root Admin ID:1486731 Share Posted November 2, 2021 In many cases it will tell you where it found it but not always. I do hear you though and agree it would be nice if it always told you where it came from. Cheers Take care and stay safe out there Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 2, 2021 Root Admin ID:1486740 Share Posted November 2, 2021 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following to help you better protect your computer and privacy Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts