Malware Infection - TeamViewer / AnyDesk - Temp Folder


Support -

I have a file, Intuit Quickbooks .exe (space intentional to match exact file naming) that persistently appears after deleting it multiple times in my AppData\Local\Temp folder. I highly suspect that this file is either malware or deployed from a malware payload elsewhere on the computer. All Malwarebytes system-wide scans report that there are no issues at all. Late at night, I have found AnyDesk and TeamViewer appearing suddenly on my computer for no reason without any intervention on my part. I have found the AnyDesk and TeamViewer portable applications within the same AppData\Local\Temp folder. Please confirm that the Intuit Quickbooks .exe is malware and advise on how to eliminate this threat from my computer. I've attached the suspect zipped file and a screenshot of related suspect files that appear in my AppData\Local\Temp folder, as well as the FRST/Addition/MBAM scan logs. Thank you for your help.

jcarrier

IntuitQuickBooks .zip ScanLogs.zip

Edited by AdvancedSetup
Corrected font issue

Hello @jcarrier and welcome:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop; please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.


  • Root Admin

Hello @jcarrier

I'm sorry but this computer appears to possibly be used for stealing software. We can work with you to clean the computer but that would entail us also deleting at least certain files and programs from your system.

Let me know if you're okay with that or not.

Why are you running Microsoft SQL Server on a Desktop computer? That is pretty rare for most people.

Thanks

 


Thanks, please clarify/elaborate on what you mean by "this computer appears to possibly be used for stealing software".  Also, I have SQL Server on premise (developer edition) because I am a SQL Server developer.  Please let me know specifically what programs/files will be removed to eradicate/eliminate the malware from my computer.  I am okay with that given that I know exactly what is going to be deleted.  Thank you for your help.  It's much appreciated.


  • Root Admin

127.0.0.1 lmlicenses.wip4.adobe.com
127.0.0.1 lm.licenses.adobe.com

Microsoft Office 2016 is using a crack and should be uninstalled and a legal licensed version used.

 

IntuitQuickBooks .exe appears to be either installed or run from the Temp folder, and that alone makes it invalid, as QuickBooks does not run from a Temp folder.

 

We would be cleaning the entire Temp folders, which potentially could affect SQL, but according to others should not really.

"SQL Server itself is not going to fall over if you start to purge files in C:\WINDOWS\TEMP. There is a faint risk that you have a CLR procedure, an extended stored procedure or similar that for some reason is dumping data for future use here. And for that matter it could be a regular stored procedure using xp_cmdshell. But not only is this unlikely, it would also be very bad practice."

 

It is running the Adobe AdobeCS6ServiceManager which I don't think can be licensed and used from Adobe anymore. I have a legal copy of CS6 Master Suite myself but Adobe no longer runs the license server for it.

 

You have custom policies to prevent executable files from running. We don't precision dissect policies and remove all during a clean up as policies are often used to infect not to prevent. You'd need to reapply said policies.

Examples of just some you have:

HKLM Group Policy restriction on software: %USERPROFILE%\AppData\Roaming\*\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %USERPROFILE%\AppData\Roaming\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %USERPROFILE%\AppData\Local\*\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\Temp\*\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %USERPROFILE%\AppData\Local\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\Temp\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <==== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <==== ATTENTION

 

The system runs AutoKMS, which is designed to steal both Windows itself and MS Office products.

 

This computer is just not safe to save or run personal data on. You can do as you wish but I'd never store any of my data on a system like this.

 

 

 

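A read-only triage script, added here as an example and not part of the thread or of Malwarebytes' own tooling, that checks the points the Root Admin raises above: executables in the user's Temp folder with their Authenticode status, autostart entries (Run keys, scheduled tasks) that point back into Temp, which is the usual reason a deleted file keeps reappearing, and hosts entries that redirect named hosts to 127.0.0.1. It assumes Windows PowerShell 5.1 or later and deletes nothing.

```powershell
# Added triage example: report, do not remediate. Nothing here deletes or changes files.
$temp = [System.IO.Path]::GetTempPath()   # normally %LOCALAPPDATA%\Temp for the current user

Write-Host "== Executables in $temp =="
Get-ChildItem -Path $temp -Recurse -File -Include *.exe,*.dll,*.scr -ErrorAction SilentlyContinue |
  ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
      Name      = $_.Name
      SizeKB    = [math]::Round($_.Length / 1KB)
      Modified  = $_.LastWriteTime
      Signature = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
      Signer    = $sig.SignerCertificate.Subject   # empty when the file is unsigned
      SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
    }
  } | Format-Table -AutoSize

# A file that is re-created after deletion is usually re-dropped by an autostart entry.
Write-Host "== Run/RunOnce entries whose command references a Temp path =="
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
  if (Test-Path $key) {
    (Get-ItemProperty -Path $key).PSObject.Properties |
      Where-Object { $_.Value -is [string] -and $_.Value -match '\\Temp\\' } |
      ForEach-Object { "{0}: {1} = {2}" -f $key, $_.Name, $_.Value }
  }
}

Write-Host "== Scheduled tasks whose action runs something from a Temp path =="
Get-ScheduledTask | ForEach-Object {
  $task = $_
  foreach ($a in $task.Actions) {
    # COM-handler actions have no Execute/Arguments; they simply do not match.
    if (($a.Execute + ' ' + $a.Arguments) -match '\\Temp\\') {
      "{0}{1}: {2} {3}" -f $task.TaskPath, $task.TaskName, $a.Execute, $a.Arguments
    }
  }
}

# License-server sinkholing like the two lines quoted in the post shows up here.
Write-Host "== hosts entries that send a named host to 127.0.0.1 =="
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
  Where-Object { $_ -match '^\s*127\.0\.0\.1\s+(?!localhost\b)\S+' }
```

Run it from an elevated prompt so the HKLM keys and all scheduled tasks are readable; unsigned binaries in Temp that are referenced by an autostart entry are the items to hand to the helper along with the FRST logs.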

I'm not sure I follow, is this malware removal or license monitoring? I'm concerned about the actual malware on my computer. Please identify that based on the logs previously provided. As for the Group Policy rules, I added those intentionally to prevent the IntuitQuickbooks .exe suspect file (or any other executable file for that matter) from running from a rogue location within the system itself. What is the actual malware specifically that you have identified on my computer? Thanks.


  • Root Admin

Microsoft Office itself could be malware when you steal it. It is no longer a trusted source from Microsoft.

I'm sorry. We're not here to discuss what you believe is malware or not. If you don't want us to clean the computer please seek assistance from another vendor.

 


  • Root Admin

I already told you what was running on the computer that should not be running. Remove it and fix the settings. Then scan the computer again.

 

Microsoft Safety Scanner

Please make sure you exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers; make sure all are fully exited out of, and messenger programs are exited and closed as well.
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the instructions for running the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence to any intermediate early flash messages on the screen display. The only things that count are the end results at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands, just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log, and it will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

 


  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
