yamaci17 Posted September 23, 2022 ID:1535037 Share Posted September 23, 2022 Hello, I'm on new Windows 22H2 build. I was trying to install Call of duty MW open beta and after installation began this happened; I'm not sure if the incident is linked to Battle.net or installation. I tried uninstalling the game and launcher and reinstalled in hopes of reproducing the block, but it never happened again. I also shared report so I would be glad if you can help me regarding if this is something I should worry about or not. Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/23/22 Protection Event Time: 4:19 PM Log File: 542b68ce-3b42-11ed-a369-2cf05d79a0f8.json -Software Information- Version: 4.5.14.210 Components Version: 1.0.1767 Update Package Version: 1.0.60360 License: Premium -System Information- OS: Windows 11 (Build 22621.521) CPU: x64 File System: NTFS User: System -Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Malware.Exploit.Agent.Generic, C:\Windows\system32\rundll32.exe C:\Windows\system32\rundll32.exe Shell32.dll,Control_RunDLL input.dll,,{C07337D3-DB2C-4D0B-9A93-B722A6C106E2}{HOTKEYS}, Blocked, 0, 392684, 0.0.0, , -Exploit Data- Affected Application: Windows Control Panel Protection Layer: Application Behavior Protection Protection Technique: Exploit Office loading points abuse blocked File Name: C:\Windows\system32\rundll32.exe C:\Windows\system32\rundll32.exe Shell32.dll,Control_RunDLL input.dll,,{C07337D3-DB2C-4D0B-9A93-B722A6C106E2}{HOTKEYS} URL: (end) Link to post Share on other sites More sharing options...
1PW Posted September 23, 2022 ID:1535118 Share Posted September 23, 2022 Hello @yamaci17 and : Thank you for the screenshot & exploit notification. While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run one or more of its following procedural steps, please carefully follow the instructions within the following: I'm infected - What do I do now? Remember, please be certain to attach (not Copy and Paste) the three (3) resulting report files in your next reply to this topic. Thank you. Link to post Share on other sites More sharing options...
yamaci17 Posted September 23, 2022 Author ID:1535144 Share Posted September 23, 2022 Well, I got spooked and nuked all my hard drives. After nuking the drives, and installing the Windows + Malwarebytes and once activated, I also pulled the plug of the internet. Used PC around 2-3 hrs, doing practically nothing and trying to reproduce the issue. Finally, randomly when I tried to deactivate license for Mbytes it got popped again. It happens when Windows randomly (I dont still know the exact trigger) displays a notification about input switch shortcuts. Once that happens and you click on "customize", the Mbytes blocks it. I will leave the logs. Hope I'm not infected by a super nasty persistent virus that tries to hack its way into my system even when I'm offline and after a full format. At this point I've become overly paranoid. . I just hope these logs are useful and you can tell me that my system is clean or not. Or else I will have to change my modem or something because at this point I'm clueless as to why this happens. I've posted a thread scan report, the export of the detection, FRST thingy, and its addition. Addition.txt FRST.txt detection.txt threat scan report.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted September 25, 2022 Root Admin ID:1535311 Share Posted September 25, 2022 Hello @yamaci17 My screen name is AdvancedSetup and I will assist you with your system issues. Let's keep these principles as we proceed. Make sure to read the entire post below first. Please follow all steps in the provided order and post back all requested logs Please attach all log files to your post, unless otherwise requested Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed. Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed. Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system. Before we start, please make sure that you have an external backup, not connected to this system, of all private data. Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing. Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed. Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours. If your system is running Discord, please be sure to Exit it while this case is ongoing. Did you manually create this entry on purpose for a shortcut or service? TextInputManagementService https://winaero.com/text-services-input-languages-shortcut-windows-10/ Please save the following attached file FIXLIST.TXT to the same location as the Farbar program. Then run the Farbar program with Admin rights and click on the FIX button. This will try to disable one task and zip up a file for me to review. The zip file should be on your desktop with date and time .zip There will also be a FIXLOG.TXT file when the fix has been completed. Please attach that log and the zip file on your next reply. NOTE: The computer will be restarted so please make sure you save and close all applications before running this fix. fixlist.txt Thanks 1 Link to post Share on other sites More sharing options...
yamaci17 Posted September 25, 2022 Author ID:1535321 Share Posted September 25, 2022 (edited) "Did you manually create this entry on purpose for a shortcut or service?" I didn't, at least purposefully. I played around input / language settings to replicate the issue however, added and removed languages in the hopes of replicating it. I've ran the test as you asked, it prompt a disk check after restart. Here are the files you've requested. Is my UEFI / BIOS / MOBO is compromised? Even after complete nukes and full reinstalls, this still happens. Is something intercepting the install process and injects itself into the system from the BIOS side? If so will I have to change my entire mobo? I even tried reflashing a newer BIOS version, yet it still happened. I also have this "SecureBootEncodeUEFI" file that is not signed or approved by Microsoft (which I believe you removed something about it, and wanted a copy of). Even after full reinstals, the entries you deleted with Fixlist comes back, and same Alt+Shift exploit detection occurs. In every clean install the "SecureBootEncodeUEFI" also is there always, unsigned. Am I doomed? I can't move on with my life, I also have crucial PC-related jobs, I'm really in a pickle here :( 25.09.2022_10.45.03.zip Fixlog.txt Edited September 25, 2022 by yamaci17 Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted September 26, 2022 Root Admin ID:1535390 Share Posted September 26, 2022 The file "SecureBootEncodeUEFI" is not a threat according to VirusTotal https://www.virustotal.com/gui/file/d27a0554ea4b6de34c1bc4f6118730c945e834a425484b9039eda21fb7b4c63c/detection Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop. (Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021) Download: Kaspersky Virus Removal Tool How to run a scan with Kaspersky Virus Removal Tool 2020https://support.kaspersky.com/15674 How to run Kaspersky Virus Removal Tool 2020 in the advanced modehttps://support.kaspersky.com/15680 How to restore a file removed during Kaspersky Virus Removal Tool 2020 scanhttps://support.kaspersky.com/15681 Select the Windows Key and R Key together, the "Run" box should open. Drag and Drop KVRT.exe into the Run Box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box. add -dontencrypt Note the space between KVRT.exe and -dontencryptC:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box. That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file. Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply. To start the scan select OK in the "Run" box. A EULA window will open, tick all confirmation boxes then select "Accept" In the new window select "Change Parameters" In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start... When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue" When complete, or if nothing was found select "Close" Attach the report information as previously instructed... Thank you Link to post Share on other sites More sharing options...
yamaci17 Posted September 26, 2022 Author ID:1535402 Share Posted September 26, 2022 (edited) Thanks for help I added the log I also recorded the detection as it happens. It is %100 preproducible on Clean installs. It can report_2022.09.26_08.45.01.zip Edited September 26, 2022 by yamaci17 Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted September 26, 2022 Root Admin ID:1535516 Share Posted September 26, 2022 I'm pretty sure it's a False Positive Let me have someone from Research take a look Thanks @yamaci17 Link to post Share on other sites More sharing options...
yamaci17 Posted September 27, 2022 Author ID:1535590 Share Posted September 27, 2022 Thanks better safe than sorry Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted September 27, 2022 Root Admin ID:1535595 Share Posted September 27, 2022 Have not heard back from them, but that office was closed today due to the storm in Florida Hoping they're all safe and we hear back from them soon 1 2 Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted September 27, 2022 Root Admin ID:1535646 Share Posted September 27, 2022 Have not hear anything and I know that many have already evacuated the area. Sorry for the delay, but that team is the experts on this. We'll have to continue to wait and see what they say. Link to post Share on other sites More sharing options...
Staff Arthi Posted September 28, 2022 Staff ID:1535786 Share Posted September 28, 2022 Hi yamaci17, This is an FP. I can confirm that, Please turn off "Office loading points abuse protection". You can find it in Settings->Security-> Exploit Advanced settings -> Application Behavior tab. Thanks. 2 Link to post Share on other sites More sharing options...
yamaci17 Posted September 28, 2022 Author ID:1535787 Share Posted September 28, 2022 Thanks a lot, I appreciate it highly! 1 Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted September 28, 2022 Root Admin ID:1535800 Share Posted September 28, 2022 Unless there is something else, I'll go ahead and close your topic now @yamaci17 1 Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted September 28, 2022 Root Admin ID:1535804 Share Posted September 28, 2022 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following to help you better protect your computer and privacy Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts