Jump to content

Malware.Exploit.Agent.Generic


yamaci17

Recommended Posts

Hello, I'm on new Windows 22H2 build. I was trying to install Call of duty MW open beta and after installation began this happened;

 

w.png.f73ad7183a4650f476e7d302c4ed7876.png

I'm not sure if the incident is linked to Battle.net or installation. I tried uninstalling the game and launcher and reinstalled in hopes of reproducing the block, but it never happened again.

I also shared report so I would be glad if you can help me regarding if this is something I should worry about or not.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 9/23/22
Protection Event Time: 4:19 PM
Log File: 542b68ce-3b42-11ed-a369-2cf05d79a0f8.json

-Software Information-
Version: 4.5.14.210
Components Version: 1.0.1767
Update Package Version: 1.0.60360
License: Premium

-System Information-
OS: Windows 11 (Build 22621.521)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, C:\Windows\system32\rundll32.exe C:\Windows\system32\rundll32.exe Shell32.dll,Control_RunDLL input.dll,,{C07337D3-DB2C-4D0B-9A93-B722A6C106E2}{HOTKEYS}, Blocked, 0, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: Windows Control Panel
Protection Layer: Application Behavior Protection
Protection Technique: Exploit Office loading points abuse blocked
File Name: C:\Windows\system32\rundll32.exe C:\Windows\system32\rundll32.exe Shell32.dll,Control_RunDLL input.dll,,{C07337D3-DB2C-4D0B-9A93-B722A6C106E2}{HOTKEYS}
URL: 



(end)

 

Link to post
Share on other sites

Hello @yamaci17 and :welcome::

Thank you for the screenshot & exploit notification.

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run one or more of its following procedural steps, please carefully follow the instructions within the following:

I'm infected - What do I do now?

Remember, please be certain to attach (not Copy and Paste) the three (3) resulting report files in your next reply to this topic.

Thank you.

Link to post
Share on other sites

Well, I got spooked and nuked all my hard drives. After nuking the drives, and installing the Windows  + Malwarebytes and once activated, I also pulled the plug of the internet. Used PC around 2-3 hrs, doing practically nothing and trying to reproduce the issue. Finally, randomly when I tried to deactivate license for Mbytes it got popped again. It happens when Windows randomly (I dont still know the exact trigger) displays a notification about input switch shortcuts. Once that happens and you click on "customize", the Mbytes blocks it.

I will leave the logs. Hope I'm not infected by a super nasty persistent virus that tries to hack its way into my system even when I'm offline and after a full format. At this point I've become overly paranoid. . I just hope these logs are useful and you can tell me that my system is clean or not. Or else I will have to change my modem or something because at this point I'm clueless as to why this happens.

 

I've posted a thread scan report, the export of the detection, FRST thingy, and its addition.

 

 

Addition.txt FRST.txt detection.txt threat scan report.txt

Link to post
Share on other sites

  • Root Admin

Hello  @yamaci17

 

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.

 

 

Did you manually create this entry on purpose for a shortcut or service?

TextInputManagementService

https://winaero.com/text-services-input-languages-shortcut-windows-10/

 

 

Please save the following attached file FIXLIST.TXT to the same location as the Farbar program.

Then run the Farbar program with Admin rights and click on the FIX button.

This will try to disable one task and zip up a file for me to review. The zip file should be on your desktop with date and time .zip

There will also be a FIXLOG.TXT file when the fix has been completed. Please attach that log and the zip file on your next reply.

NOTE: The computer will be restarted so please make sure you save and close all applications before running this fix.

fixlist.txt

Thanks

 

 

  • Thanks 1
Link to post
Share on other sites

"Did you manually create this entry on purpose for a shortcut or service?"

I didn't, at least purposefully. I played around input / language settings to replicate the issue however, added and removed languages in the hopes of replicating it. 

I've ran the test as you asked, it prompt a disk check after restart. Here are the files you've requested.

Is my UEFI / BIOS / MOBO is compromised? Even after complete nukes and full reinstalls, this still happens. Is something intercepting the install process and injects itself into the system from the BIOS side? If so will I have to change my entire mobo? I even tried reflashing a newer BIOS version, yet it still happened. I also have this "SecureBootEncodeUEFI" file that is not signed or approved by Microsoft (which I believe you removed something about it, and wanted a copy of). Even after full reinstals, the entries you deleted with Fixlist comes back, and same Alt+Shift exploit detection occurs. In every clean install the "SecureBootEncodeUEFI" also is there always, unsigned.

Am I doomed? I can't move on with my life, I also have crucial PC-related jobs, I'm really in a pickle here :(

 

 

25.09.2022_10.45.03.zip Fixlog.txt

Edited by yamaci17
Link to post
Share on other sites

  • Root Admin

The file "SecureBootEncodeUEFI" is not a threat according to VirusTotal

https://www.virustotal.com/gui/file/d27a0554ea4b6de34c1bc4f6118730c945e834a425484b9039eda21fb7b4c63c/detection

 

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the  image.png  Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

image.png

add -dontencrypt   Note the space between KVRT.exe and -dontencrypt

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
 
image.png


That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"

image.png

In the new window select "Change Parameters"

image.png

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

user posted image

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

user posted image

When complete, or if nothing was found select "Close"

image.png

Attach the report information as previously instructed...
 
Thank you
 
 

 

 

Link to post
Share on other sites

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.