Jump to content

Odd entry in the FRST logs


Recommended Posts

I had ran FRST on my system and was looking through the results, and saw this entry:

HKLM\SYSTEM\ControlSet001\Services\PCDSRVC{B3325DDC-86EB73E3-06040000}_0 => c:\program files\dell\supportassistagent\pcd\supportassist\pcdsrvc_x64.pkms [56672 2021-09-02] (PC-Doctor, Inc. -> PC-Doctor, Inc.) <==== ATTENTION (Rootkit!/Locked Service)

I am pretty sure that file is just some preinstalled software, and when I scanned it with VirusTotal, it showed as clean

VT: https://www.virustotal.com/gui/file/c0895bfad6e82c8ce9f7f17b4ac36671331331dbfb6e426df5328e987a5e2442

File:

Here are the old FRST reports:

 

On reboot, it seems to have disappeared:

 

MBAM with rootkit checking enabled only found Process Hacker & my hidden version of Process Explorer:

ADWCleaner:

Is this a bug? Do I need to share more data?

Edited by AdvancedSetup
Logs removed per request
Link to post
Share on other sites

  • Root Admin

This is not a valid file. It should be deleted

C:\USERS\AXBIN\DESKTOP\SVCHOST.EXE

 

The Farbar entry for PC-Doctor is a false positive I'm sure. Once we're done if we're still getting it then I will report it.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Edited by AdvancedSetup
Updated information
  • Thanks 1
Link to post
Share on other sites

The C:\USERS\AXBIN\DESKTOP\SVCHOST.EXE file is just Process Explorer: https://www.virustotal.com/gui/file/4864843de12dbc1fcc970bb300b12aeba482609cb82ee28f4463f5098fd98607

I just named it that way as to evade any malware which tries to detect/block it.

I am running the fix and will report back with the Fixlog.

Thank you

Edited by sp123
Remove the bold
Link to post
Share on other sites

I forgot to turn off any of my security software before running, but I didn't see any issues. (MBAM normally wouldn't complain, but COMODO would)

 

Please delete this comment after you download the fixlog, as it seems to contain some personal information.

Also, there is a folder where I store malware (I am learning malware analysis, don't worry, I never run it on my system and MBAM would probably block 90% anyway) which was excluded from Defender, and now it isn't excluded (so defender will delete all of it)

 

Edited by AdvancedSetup
Logs removed per request
Link to post
Share on other sites

  • Root Admin

You should not be protecting files running from a temp folder. If you want to use the tool I'd recommend you place it in its own Utility type folder

C:\Users\axbin\AppData\Local\Temp\par-617862696e\cache-exiftool-12.25\exiftool.exe.

ControlledFolderAccessAllowedApplications     : {C:\EEK\bin64\a2cmd.exe, C:\EEK\bin64\a2emergencykit.exe, C:\Program Files\KeePass Password Safe 2\KeePass.exe, C:\Users\axbin\AppData\Local\Temp\par-617862696e\cache-exiftool-12.25\exiftool.exe...}

 

Let me have you run the following, please.

 

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

Thank you

 

  • Like 1
Link to post
Share on other sites

I am starting the scan.

The file being allowed was part of an application called "ExifCleaner". I have removed the exclusion.

Any idea what the difference between the "Full Scan" and a custom scan of the C: drive is? I have run full scans in the past, but am wondering if maybe I should have done the custom scan instead.

Thank you!

Edited by sp123
Question
Link to post
Share on other sites

Well, I misread your post, and did a custom scan of the C: drive. It is hard to tell if the scan is close to being done as the progress bar seems broken, but if needed I can redo it as a Full Scan (I will probably have to wait and do it tomorrow though).

Sorry for the mistake

Link to post
Share on other sites

FRST logs

FRST.txtAddition.txt

Just looking through the logs, do you have any idea why that one Group Policy restriction keeps returning?

Also, please delete the FIXLOG after you download it, as it seems to contain some personal information I would rather not be available with anyone on this forum.

Thank you.

Edited by sp123
I'm just confused
Link to post
Share on other sites

  • Root Admin

Just a reminder that services should not be setup from any temp folder. You have what appears to be fixed folders in Temp which typically are random folders. Controlled Access is a great idea, but can also be problematic if you don't keep on top of it.

 

Windows Defender:
================
Date: 2022-06-08 14:32:43
Description:
Controlled Folder Access blocked C:\Windows\Temp\inv2655_tmp\HostMetadata\NVMEHostmetadata.exe from making changes to memory.
Detection time: 2022-06-08T18:32:43.195Z
Path: \Device\Harddisk0\DR0
Process Name: C:\Windows\Temp\inv2655_tmp\HostMetadata\NVMEHostmetadata.exe
Security intelligence Version: 1.367.1237.0
Engine Version: 1.1.19200.6
Product Version: 4.18.2203.5

Date: 2022-06-08 14:32:36
Description:
Controlled Folder Access blocked C:\Windows\Temp\inv2655_tmp\Executables\SSDUpdate.exe from making changes to memory.
Detection time: 2022-06-08T18:32:36.090Z
Path: \Device\Harddisk0\DR0
Process Name: C:\Windows\Temp\inv2655_tmp\Executables\SSDUpdate.exe
Security intelligence Version: 1.367.1237.0
Engine Version: 1.1.19200.6
Product Version: 4.18.2203.5

Date: 2022-06-08 12:07:05
Description:
Controlled Folder Access blocked C:\Windows\Temp\inv411C_tmp\HostMetadata\NVMEHostmetadata.exe from making changes to memory.
Detection time: 2022-06-08T16:07:05.162Z
Path: \Device\Harddisk0\DR0
Process Name: C:\Windows\Temp\inv411C_tmp\HostMetadata\NVMEHostmetadata.exe
Security intelligence Version: 1.367.1219.0
Engine Version: 1.1.19200.6
Product Version: 4.18.2203.5

 

 

It also looks like you might be having some sort of issue with your VMware?

 

Error: (06/08/2022 10:29:06 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmware-usbarbitrator64.exe, version: 20.5.0.0, time stamp: 0x61641e52
Faulting module name: vmware-usbarbitrator64.exe, version: 20.5.0.0, time stamp: 0x61641e52
Exception code: 0xc0000005
Fault offset: 0x0000000000036b34
Faulting process id: 0x1438
Faulting application start time: 0x01d87b440006baf0
Faulting application path: C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
Faulting module path: C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
Report Id: 1c24ecb0-fbca-4916-9aab-cc06166ea4d7
Faulting package full name:
Faulting package-relative application ID:

 

 

This is an odd entry for a scheduled task. Please verify you want and use

Task: {958B2F82-3167-4F72-A3BE-313A7090E36D} - System32\Tasks\Rem => notepad [Argument = C:\Users\axbin\Downloads\rem.txt]

 

It looks like you have driver for Emsisoft installed but I don't see any sign of you running the Emsisoft software.

R1 epp; c:\eek\bin64\epp.sys [155112 2021-03-03] (Microsoft Windows Hardware Compatibility Publisher -> Emsisoft Ltd)

 

Please run the updated FIXLIST as before and post back the FIXLOG when done.

fixlist.txt

Then run the following and have it check for any other program updates

Patch My PC Home Updater
https://patchmypc.com/home-updater

 

 

It looks like the  PC-Doctor, Inc.) <==== ATTENTION is no longer showing in the logs

 

  • Like 1
Link to post
Share on other sites

Fixlog:

Fixlog.txt

Quote

Just a reminder that services should not be setup from any temp folder. You have what appears to be fixed folders in Temp which typically are random folders. Controlled Access is a great idea, but can also be problematic if you don't keep on top of it.

I am not sure what that application listed in the log is, but I will look into it & why it needs to run from temp. I understand that Controlled Access can cause problems, but I like learning about computer internals, and I would rather spend time unbreaking things then have my files encrypted or just deleted.

Quote

It also looks like you might be having some sort of issue with your VMware?

I am not sure what that error is, but I think it may be related to the fact that VMware oddly decided to put my VMs in a folder which was synced with OneDrive, which complained about their size. I don't use it at all and just have one VM which I have been too lazy to move.

Quote

This is an odd entry for a scheduled task. Please verify you want and use

I made that myself. It is just a text file which opens with reminders.

Quote

It looks like you have driver for Emsisoft installed but I don't see any sign of you running the Emsisoft software.

That looks to be part of the Emsisoft Emergency Kit, which I use as a second-opinion scanner.

PatchMyPC found 4 apps. I updated two (C++ related) and VirutalBox I can't update as the latest version doesn't work.

Oddly, it shows VLC Media Player is out-of-date but it's updater says it is fine. Bug?

image.png.fe51fd88a1e3b86137e934acd010bfac.png

Edited by sp123
Clarify
Link to post
Share on other sites

  • Root Admin

Probably just a bug for the VLC  update

Yes, I know it's part of Emsisoft but I don't see the actual scanner installed. Just a left over driver.

Again, I'd be careful with Controlled Folder Access. I saw an instance a few months ago where a user blocked their security program from stopping a ransomware attack and they lost their data. Many of the attacks don't need the temp folder to do their work.

 

 

  • Like 1
Link to post
Share on other sites

Quote

Yes, I know it's part of Emsisoft but I don't see the actual scanner installed. Just a left over driver.

The scanner is installed, but for some reason it doesn't show in the installed programs

Quote

Again, I'd be careful with Controlled Folder Access. I saw an instance a few months ago where a user blocked their security program from stopping a ransomware attack and they lost their data. Many of the attacks don't need the temp folder to do their work.

Maybe I am misunderstanding you, but I don't see TEMP in the list of protected folders. Also, I am now allowing all the MBAM executables access. If you think that will still cause problems, I can just turn it off. Maybe if I registered MBAM with Windows it might be auto-allowed, but that would be pointless, as CFA is off anyway.

Link to post
Share on other sites

  • Root Admin

From the recent Event Log section of the logs you posted from Farbar

 

Date: 2022-06-08 12:07:05   (today)
Description:
Controlled Folder Access blocked C:\Windows\Temp\inv411C_tmp\HostMetadata\NVMEHostmetadata.exe from making changes to memory.
Detection time: 2022-06-08T16:07:05.162Z
Path: \Device\Harddisk0\DR0
Process Name: C:\Windows\Temp\inv411C_tmp\HostMetadata\NVMEHostmetadata.exe
Security intelligence Version: 1.367.1219.0
Engine Version: 1.1.19200.6
Product Version: 4.18.2203.5

 

Again, nothing wrong with running Controlled Folder Access - just want you to be aware is all. No issues or problems with using it.

 

At this point now that we've gone through cleaning up the system I'd like to go ahead and do a Clean removal and reinstall of Malwarebytes

 

Can you please do the following?

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
  • NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete

After the restart please do the following. RESTART THE COMPUTER then get me new logs.

  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

  • Like 1
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.