Jump to content

MB RTP detection blocking an exploit of cmd.exe


Go to solution Solved by AdvancedSetup,

Recommended Posts

I got two back to back alerts that MB quarantined, then blocked suspicious activity, but when I look at the log for those items it doesn't really say much about it. I've run a scan and it shows nothing detected, and I don't see anything in quarantine. I'd like to know if it was a real threat or just a false positive if that's possible. I think I have attached some of what you might want.

 

Thanks

Quarantined.txt blocked.txt MB scan report.txt

Link to post
Share on other sites

  • Root Admin

Hello @mike_bitwise

Let me get some other logs, please.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

  • Root Admin

So the first round of SFC returned the following.

Windows Resource Protection found corrupt files but was unable to fix some of them.

Then we ran DISM and did some repairs to the store

Then ran SFC a second time and this was the result this time

Windows Resource Protection found corrupt files and successfully repaired them.

 

Let's go ahead and run a Microsoft scan to see if it finds anything or not.

 

 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

Thank you @mike_bitwise

 

Link to post
Share on other sites

  • Root Admin

Thanks @mike_bitwise

That log from Microsoft looks good. The Tamper finding is quite normal. Basically, it just found an entry that was not set to default and so it put it back to the default setting.

Please run a new Malwarebytes scan and an AdwCleaner scan. Hopefully, both are now clean.

 

Let me know if the detections or blocks are still showing up or not.

 

Then go ahead and also run the following on the system.

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

image.png

image.png

image.png

 

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

Thanks for the log @mike_bitwise

Please uninstall, update, or otherwise address the following issues as appropriate for this system.

I would also highly recommend that you try to convince the customer to stop using Torrenting. There is an increased risk of being infected and if one of the Ransomware encryption attacks hit them they can potentially lose all data.

 

------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.737.17763.0 Warning! Download Update

------------------------------- [ HotFix ] --------------------------------
HotFix KB5004244 Warning! Download Update


--------------------------- [ OtherUtilities ] ----------------------------
Notepad++ (64-bit x64) v.8.1.4 Warning! Download Update

SumatraPDF v.3.1.2 Warning! Download Update

LibreOffice 7.1.3.2 v.7.1.3.2 Warning! Download Update

Python 3.8.3 (64-bit) v.3.8.3150.0 Warning! Download Update

FileZilla Client 3.46.3 v.3.46.3 Warning! Download Update

Microsoft Silverlight v.5.1.20513.0 Warning! This software is no longer supported.

 

------------------------------- [ Imaging ] -------------------------------
paint.net v.4.2.15 Warning! Download Update


-------------------------- [ IMAndCollaborate ] ---------------------------
Discord v.0.0.309 Warning! Download Update

 

--------------------------------- [ P2P ] ---------------------------------
qBittorrent 4.2.3 v.4.2.3 Warning! Download Update


-------------------------------- [ Media ] --------------------------------
VLC media player v.3.0.8 Warning! Download Update


--------------------------- [ AdobeProduction ] ---------------------------
Adobe AIR v.1.5.3.9120 Warning! Download Update

 

----------------------------- [ EmailClient ] -----------------------------
Mozilla Thunderbird 68.12.1 (x86 en-US) v.68.12.1 Warning! Download Update

 

---------------------------- [ UnwantedApps ] -----------------------------
Unity Web Player v.5.3.8p2 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.

 

 

Link to post
Share on other sites

  • Root Admin

Sorry, but knowing what caused it or where it came from at this point would probably be rather time consuming and difficult.

Most often things get in by exploits from systems not being up to date or email, or bad websites

I typically clean up and provide the customer with better options to try and remain safe in the future.

Please see the following

Cheers

 

Link to post
Share on other sites

  • Root Admin
  • Solution

If the source were always known there probably wouldn't be a need for antivirus. The majority of infections do their best to hide from detection. There are rootkits out there that have hidden from detection for long periods of time from all security software before anyone was able to find or detect them. That's why human intervention sometimes is better than just automation alone.

If one really wants to know where an infection originated from you need to stop what you're doing and image the system and proceed with Forensic analysis of the system. At that point you can then use that image to use tools to dissect and attempt to track down the actual ingress into the system. 
One can do that on there own but it is a very time consuming process and require a lot of knowledge. The cost to have something like that performed can easily cost over a thousand dollars even if the final result is they're unable to track it down as many infections also remove signs of their initial ingress onto the system.

Thank you again

 

 

Edited by AdvancedSetup
updated information
Link to post
Share on other sites

Fair enough. You've spent considerable time walking me through this and it seems ungrateful for me to keep drawing it out, so I won't. I don't have formal background in infosec or really any cybersecurity so I have to defer to you. I guess just a final thought was that my (apparently erroneous) belief was that if security software is blocking an action it would know what action it's blocking. that was why I was asking for more details about it, so that I might chase down the source. It seems I have a fundamental misunderstanding of how it works, so I'll seek to educate myself about it.

 

Again, I appreciate your help on this, have a good one.

Link to post
Share on other sites

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.