Recommended Posts

Hello,

I'm not sure if I'm seeing normal Windows activity or if there is possibly a RAT on my PC. I have not seen any explicitly malicious activity, but it seems like my PC has been tampered with, with multiple remote procedures running at all times. I have never actively used remote PC settings or any P2P utilities (that I know of). I do not understand why tons of svchost services like LanmanWorkstation, LanmanServer, or RasMan are always running. Additionally, I learned the other day that my system is vulnerable via the Intel Management Engine on my CPU, according to the csme_version_detection_tool. Additionally, I think I have a memory leak from dwm.exe (which is also an exploitable bit of Windows). Can someone please help me understand what's going on with my system and if it's "normal"?

Addition.txt FRST.txt CSME-Version-Detection-Tool-DESKTOP-GT8FSOR-2022-02-03-17-19-20.log AdwCleaner[C00].txt AdwCleaner[S00].txt Scan result 2-4-22.txt


  • Root Admin

Hello @Ricked

The logs don't seem to indicate any obvious infection. There are several networking related errors in the system though.

Let's run a different AV scanner just to make sure.

 

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Tick (select) the option "Enable ESET to detect and quarantine potentially unwanted applications" and click the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • Ignore all prompts to get the ESET antivirus program (their standard product). You do not need to buy, download or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when done. Decline the offer for "periodic scanning".

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Thanks

 


Hello @AdvancedSetup

Many thanks for the reply and help. Good to know that so far things look fine. It is possible that the network related errors are what I'm seeing and not someone actually utilizing my network maliciously. It is odd that there are errors related to networking though, because I have not changed any network related settings besides choosing for the connection to be made "Public" instead of "Private". After performing the Adware scan, I selected the option to reset Winsock.

When looking at the performance monitor, I noticed that WPN is constantly connected to a static remote IP. When performing an IP search it shows the IP address belongs to an Azure server (which I believe is managed by Microsoft, so not necessarily malicious). However, there was an instance where a svchost service was connected to a Verizon FIOS server, which I thought was weird, but it could just have been related to DNS cache or the fact that my ISP is Comcast. I found this connection via "netstat -ano -b -o 5" on the first update, but the second and subsequent updates did not show this connection anymore (unfortunately I was not able to save a log of the IP address and associated service).

Anyway, here is the attached log of ESET. No threats were discovered.

ESET log.txt


  • Root Admin

Let's go ahead and do some generic clean up and checking of the system @Ricked

Please temporarily disable real-time antivirus and run the following fix.

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


Hello @AdvancedSetup

The Fixlist has been completed successfully. Please see the attached logs. There are some odd characters that appear in the log, not sure if normal or something else. It seems like my PC is using a VM, Proxy, or hosting a server and connecting to remote servers/users on a VPN? I have not tried nor do I want to make any remote connections/host a server.

Fixlog_result.txt


  • Root Admin

Thank you for the log @Ricked we're not done yet. Cleaning computers sometimes takes a while and multiple tools or script runs.

 

I would highly recommend enabling Secure Boot

Secure Boot Status: False 

How to enable or disable Secure Boot
https://maxedtech.com/how-to-enable-or-disable-secure-boot/

 

Please run the following for me.

Please download the following tool

Farbar Service Scanner and run it on the computer with the issue
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/

 

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click "Scan"

It will create a log (FSS.txt) in the same directory the tool is run.
Please attach the log to your next reply.

 


Not a problem, @AdvancedSetup. I will run whatever services are needed. I have successfully enabled Secure Boot. Attached is the log file for the FSS. I ran the scan twice; the first one showed that Windows Defender services were not running, but the second one does not indicate that. Not sure if it was a timing thing, as I had just restarted the PC after choosing the Secure Boot option in the BIOS.

FSS.txt FSS.txt


  • Root Admin

Yes, it could have just been a timing thing. @Ricked

Please run the following. I'm busy working on some network updates myself so I'll be back on later tonight.

 

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click SecurityCheck.exe, select "Run as administrator", and answer Yes to allow it to run.
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file and attach it to your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


Thank you

 

 


  • Root Admin

Yes, the WpnService is normal. Below is an example showing it is running on my system too. @Ricked

 

C:\>sc qc WpnService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WpnService
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs -p
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Push Notifications System Service
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem

C:\>sc queryex WpnService

SERVICE_NAME: WpnService
        TYPE               : 30  WIN32
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 5652
        FLAGS              :

 

Yes, SearchApp is part of Windows too

 

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  3. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  4. Install a content blocker for your browser. Malwarebytes Browser Guard (Free)
    Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/
    Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee 
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

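Added example, not from the original thread and not Malwarebytes' own code: the sc qc / sc queryex output above tells you which host process and account a service uses, but not which network connections that process owns, and that is what the netstat -b observations in this thread hinge on. The PowerShell below, for an elevated prompt on Windows 10/11 (assumed; it relies on the built-in Get-NetTCPConnection, Get-CimInstance and Get-AuthenticodeSignature cmdlets), lists every established outbound connection with its owning PID, the services hosted inside that PID when it is svchost.exe, and the signature status of the image, then pulls out the two cases worth a closer look.

```powershell
# Added example (not from the original thread). Attributes each established TCP
# connection to its owning process and, for svchost.exe hosts, to the service(s)
# running inside that PID, then checks the Authenticode signature of the image.
# Assumptions: Windows 10/11, the built-in NetTCPIP module (Get-NetTCPConnection),
# and an elevated PowerShell prompt so every PID's path and services resolve.

# PID -> names of services hosted in that process (ProcessId 0 = not running).
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    $id = [int]$_.ProcessId
    if (-not $svcByPid.ContainsKey($id)) { $svcByPid[$id] = @() }
    $svcByPid[$id] += $_.Name
}

# PID -> process name and image path, captured once so exited PIDs stand out.
$procByPid = @{}
Get-Process | ForEach-Object {
    $procByPid[$_.Id] = [pscustomobject]@{ Name = $_.ProcessName; Path = $_.Path }
}

# Signature status per image path, cached so each file is checked once.
$sigCache = @{}
function Get-SigStatus([string]$Path) {
    if (-not $Path) { return 'n/a' }
    if (-not $sigCache.ContainsKey($Path)) {
        $sigCache[$Path] = (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
    }
    return $sigCache[$Path]
}

# Established connections to anything other than the local host.
$rows = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
    ForEach-Object {
        $id = [int]$_.OwningProcess
        $p  = $procByPid[$id]
        [pscustomobject]@{
            Remote    = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            PID       = $id
            Process   = $(if ($p) { $p.Name } else { '<exited>' })
            Services  = $(if ($svcByPid.ContainsKey($id)) { $svcByPid[$id] -join ',' } else { '' })
            Signature = $(if ($p) { Get-SigStatus $p.Path } else { 'n/a' })
        }
    }

$rows | Sort-Object Process, Remote | Format-Table -AutoSize

# Worth a second look: a PID that exited before it could be resolved (the
# "Can not obtain ownership information" case in netstat -b) or an image whose
# signature is anything other than Valid.
$rows | Where-Object { $_.Process -eq '<exited>' -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

The point of the Services column is that "svchost.exe talking to a CDN" is not a finding on its own; the same PID hosting the Windows Update, BITS or Delivery Optimization service makes that expected, while an unsigned image, or a socket owned by a process that is gone by the time you look, is what to chase. Short-lived PIDs that vanish between two netstat refreshes, as described earlier in the thread, show up here as <exited> rather than silently disappearing.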

Many thanks again @AdvancedSetup for your help. It's much appreciated. Please see the attached log.

I'm still seeing, what I think, are odd network connections. For instance the RpcSs service is calling odd servers like Cloudflare and StackPath CDN (see attached for IP), and I have processes reported as "Can not obtain ownership information" with a PID that I could not find in Details or Services of Task Manager and connecting to Limelight Networks IP address.

Occasionally I will hear the device disconnected sound without removing a device or driver, and no associated notification pops up in the taskbar. I don't know if all of this is normal and I'm just being paranoid, or if something is behaving improperly.

RPCSS calling Cloudflare.PNG

kprm-20220209133521.txt


  • Root Admin

There is nothing wrong or abnormal with Windows reaching out to many sites on the Internet, because images, ads, or just about anything else on a website can call out to almost any other site, and it will then show up in your log.

We can run some other scans though if you like to help try to ease your mind on this.

As for the disconnect that can happen for various reasons too. I just had a very fast, minor power surge that took some drives offline for a brief second and they came right back.

 

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Press the Windows key and R key together; the "Run" box should open.

Drag and drop KVRT.exe into the Run box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.

Add -dontencrypt at the end. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.

That addition to the run command is important: when the scan eventually completes, the resulting report is normally encrypted; with the extra switch it is saved as a readable file.

Reports are saved in C:\KVRT2020_Data\Reports and look similar to report_20210123_113021.klr
Right-click directly on that report, select Open with > Notepad, save that file, and attach it to your reply.

To start the scan, select OK in the "Run" box.

An EULA window will open; tick all confirmation boxes, then select "Accept".

In the new window select "Change Parameters".

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start.

When complete, if entries are found there will be options; if "Cure" is offered, leave it as is. For any other options, change to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed.

Thank you

Hi @AdvancedSetup, many thanks for your continued support. Please see the attached log. It shows clean, but I'm thinking whatever I have is avoiding these scans. I have a feeling that I have been infected by an Astaroth attack. My system will hang when trying to explore processes and networking (as if a background task is closing all remote/duplicate/hiding activity). When using the Process Explorer App there will be multiple of the same processes running (I know that part is relatively normal), but some duplicate services will quickly close (causing a slight hang) when I'm scrolling to look at them. I open Process Explorer as an Admin and the Admin rights get taken away shortly after (paths will not populate). There have also been times when I've had to grant myself Admin access as if another Admin is on the system (although this could be normal windows protecting me from myself).

I was looking in my security settings and noticed that my exploit protection settings had been changed; I did not add these override settings for the programs (please see attached file). In further reading about the programs that have had the exploit protection turned off, it seems to be a very popular method by Astaroth attacks to utilize the ExtExport.exe program to hijack DLLs and embed itself into the system.

In looking at the event viewer for BITS associated with URLs (ID 59) there were multiple coming from an edgedl URL, not sure if normal. Also, there are many event logs that have been disabled. I downloaded the GlassWire app to monitor my network activity and noticed that Host Process for Windows Services was connecting to Lumen and Limelight servers (I don't believe non-hijacked windows would call these servers when otherwise connections are made to Microsoft servers). Is this all normal and I'm just super sensitive to the hangs/interrupts that Windows employs? 

Again, I thank you very much for your hard work, time, and patience while determining if my system/network is potentially compromised.

report_2022.02.15_10.53.06.klr.txt BITS ID 59 log.txt Exploit_Settings.txt


  • Root Admin

Please click on Start / Search and type in CMD.EXE and then start it with Admin rights. Then copy / paste the following and press the Enter key.

Then post back the results of the 0 file.

This is all one single, long line

echo > 0 & sc qc securityhealthservice >>0 & sc queryex securityhealthservice >> 0 & sc qc wdnissvc >> 0 & sc queryex wdnissvc>> 0 & sc qc windefend>> 0 & sc queryex windefend>> 0 & notepad 0 | ECHO >NUL  & DEL 0

 

 


  • Root Admin

Please click on Start / Search, type in PowerShell and run it with Admin rights. Then copy / paste the following into the window and press the Enter key.

Get-EventLog -LogName Application -Source MSIInstaller | Where-Object {$_.EventID -eq '1034'}

Then highlight the results with your mouse and press the Enter key; that copies them to the clipboard, and you can paste them back here.

 

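Added example, not from the original thread: the cmd one-liner and the PowerShell query above each answer one question by hand. The script below, for an elevated PowerShell prompt on Windows 10/11 with Microsoft Defender (assumed), bundles three of the checks this thread circles around: whether the Defender services (WinDefend, WdNisSvc, SecurityHealthService) still have their stock start mode and a binary location inside the Windows or Windows Defender directories, which images have Exploit Protection overrides or an IFEO Debugger value set, and whether the core event logs are enabled and have ever been cleared. The expected start modes are the defaults of a stock install and are assumptions, not values read from this machine.

```powershell
# Added example (not from the original thread). One elevated-PowerShell triage
# pass covering what the thread checks by hand: the Defender service
# configuration queried with sc qc / sc queryex, per-image Exploit Protection
# overrides (stored under Image File Execution Options), and the state of the
# core event logs, including whether any have been cleared.
# Assumptions: Windows 10/11 with Microsoft Defender; the expected start modes
# below describe a default install and are an assumption, not read from the box.

# 1. Defender-related services: expected start mode on a stock system.
$expected = @{
    WinDefend             = 'Auto'
    WdNisSvc              = 'Manual'
    SecurityHealthService = 'Manual'
}
$svcReport = foreach ($name in $expected.Keys) {
    $s = Get-CimInstance Win32_Service -Filter "Name='$name'"
    [pscustomobject]@{
        Service   = $name
        Present   = [bool]$s
        State     = $s.State
        StartMode = $s.StartMode
        Expected  = $expected[$name]
        # The image should live under \Windows\ or the Defender platform folder;
        # any other path needs an explanation.
        PathOk    = [bool]$s -and ($s.PathName -match '\\Windows\\|\\Windows Defender\\')
    }
}
$svcReport | Format-Table -AutoSize

# 2. Exploit Protection overrides and IFEO debuggers. The Windows Security UI
#    writes per-program mitigation settings to the IFEO key as the binary
#    MitigationOptions / MitigationAuditOptions values; a Debugger value in the
#    same key substitutes another executable whenever that image is launched.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$overrides = Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $v = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($v.MitigationOptions -or $v.MitigationAuditOptions -or $v.Debugger) {
        [pscustomobject]@{
            Image             = $_.PSChildName
            MitigationOptions = $(if ($v.MitigationOptions) { ($v.MitigationOptions | ForEach-Object { '{0:x2}' -f $_ }) -join '' } else { '' })
            Debugger          = $v.Debugger
        }
    }
}
$overrides | Format-Table -AutoSize

# 3. Core event logs: enabled, record count, last write. Many Analytic/Debug
#    channels are disabled by default, so look at these rather than counting
#    every disabled log on the machine.
$coreLogs = 'Security', 'System', 'Application',
            'Microsoft-Windows-Windows Defender/Operational',
            'Microsoft-Windows-PowerShell/Operational',
            'Microsoft-Windows-Bits-Client/Operational'
Get-WinEvent -ListLog $coreLogs -ErrorAction SilentlyContinue |
    Select-Object LogName, IsEnabled, RecordCount, LastWriteTime | Format-Table -AutoSize

# Log-cleared events: 1102 in Security (audit log cleared) and 104 in System
# (a log was cleared, written by the Eventlog provider). Compare their times
# with the 6005/6006 service start/stop pairs already pulled in this thread.
$cleared = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 20 -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 } -MaxEvents 20 -ErrorAction SilentlyContinue
)
$cleared | Select-Object TimeCreated, Id, LogName, Message | Format-Table -AutoSize -Wrap
```

Get-ProcessMitigation -RegistryConfigFilter reports the same per-image overrides in decoded form; the raw registry read is used here so that a Debugger value, which the Exploit Protection UI does not display, is caught in the same pass. A long list of disabled logs is not by itself a finding, since Windows ships most Analytic and Debug channels off; a disabled Security or Defender Operational log, or any 1102 or 104 event, is.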

Here are the results of the commands:

PS C:\Windows\system32> Get-EventLog -LogName Application -Source MSIInstaller | Where-Object {$_.EventID -eq '1034'}

   Index Time          EntryType   Source                 InstanceID Message
   ----- ----          ---------   ------                 ---------- -------
    2322 Dec 22 15:24  Information MsiInstaller                 1034 Windows Installer removed the product. Product ...
    2311 Dec 22 15:24  Information MsiInstaller                 1034 Windows Installer removed the product. Product ...

PS C:\Windows\system32> Get-WinEvent -FilterHashtable @{logname = 'System'; id = 1074, 6005, 6006, 6008} -MaxEvents 15 | Format-Table -AutoSize


   ProviderName: EventLog

TimeCreated            Id LevelDisplayName Message
-----------            -- ---------------- -------
2/16/2022 4:07:41 PM 6005 Information      The Event log service was started.
2/16/2022 4:07:20 PM 6006 Information      The Event log service was stopped.


   ProviderName: User32

TimeCreated            Id LevelDisplayName Message
-----------            -- ---------------- -------
2/16/2022 4:07:16 PM 1074 Information      The process C:\Windows\System32\RuntimeBroker.exe (DESKTOP-GT8FSOR) has initiated the restart of computer DESKTO...


   ProviderName: EventLog

TimeCreated             Id LevelDisplayName Message
-----------             -- ---------------- -------
2/16/2022 11:28:43 AM 6005 Information      The Event log service was started.
2/15/2022 6:11:25 PM  6006 Information      The Event log service was stopped.


   ProviderName: User32

TimeCreated            Id LevelDisplayName Message
-----------            -- ---------------- -------
2/15/2022 6:11:21 PM 1074 Information      The process C:\Windows\System32\RuntimeBroker.exe (DESKTOP-GT8FSOR) has initiated the power off of computer DESK...


   ProviderName: EventLog

TimeCreated             Id LevelDisplayName Message
-----------             -- ---------------- -------
2/15/2022 10:37:14 AM 6005 Information      The Event log service was started.
2/12/2022 5:07:09 PM  6006 Information      The Event log service was stopped.


   ProviderName: User32

TimeCreated            Id LevelDisplayName Message
-----------            -- ---------------- -------
2/12/2022 5:07:05 PM 1074 Information      The process C:\Windows\System32\RuntimeBroker.exe (DESKTOP-GT8FSOR) has initiated the power off of computer DESK...


   ProviderName: EventLog

TimeCreated             Id LevelDisplayName Message
-----------             -- ---------------- -------
2/12/2022 11:29:26 AM 6005 Information      The Event log service was started.
2/11/2022 4:34:31 PM  6006 Information      The Event log service was stopped.


   ProviderName: User32

TimeCreated            Id LevelDisplayName Message
-----------            -- ---------------- -------
2/11/2022 4:34:27 PM 1074 Information      The process C:\Windows\System32\RuntimeBroker.exe (DESKTOP-GT8FSOR) has initiated the power off of computer DESK...


   ProviderName: EventLog

TimeCreated            Id LevelDisplayName Message
-----------            -- ---------------- -------
2/11/2022 4:10:41 PM 6005 Information      The Event log service was started.
2/11/2022 4:10:18 PM 6006 Information      The Event log service was stopped.


   ProviderName: User32

TimeCreated            Id LevelDisplayName Message
-----------            -- ---------------- -------
2/11/2022 4:10:13 PM 1074 Information      The process C:\Windows\System32\RuntimeBroker.exe (DESKTOP-GT8FSOR) has initiated the restart of computer DESKTO...

 


  • Root Admin

Thank you, that all looks normal.

Please download and run the Sophos Scan and Clean tool.

You will need to answer a couple of questions and have them email you the link to download the file.

https://www.sophos.com/en-us/products/free-tools/virus-removal-tool

 



  • Root Admin

Well, that is that person's idea for making sales but I don't know of any trained experts that agree on using a program like that on Windows.

No real harm to the computer but not needed software either.

To ease your mind, let's go ahead and run one more scanner.

 

 

Microsoft Safety Scanner

Please make sure you exit any other program you might have open, so that the sole task is running the following scan.
That goes especially for web browsers: make sure all are fully closed, and that messenger programs are closed as well.
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long break; walk away. Do not read anything into intermediate messages that flash on the screen; the only thing that counts is the end result of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands, just do not use the computer during this scan.

This is likely to run for many hours, as previously mentioned (depending on the number of files on your machine and the speed of the hardware).

The log is named MSERT.log and is located at C:\Windows\debug\msert.log

Please attach that log with your next reply.

Thank you

 


  • Root Admin

Great, no infection found with that one as well.

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Wed Feb 16 19:40:55 2022

 

None of the scans we've run find any infection or anything to indicate there may be an infection. We've looked for signs of someone else possibly logging onto the system and nothing found.

 

The only other piece in the process you might consider is doing a Factory Reset of your router

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

 

 

 

 
