Dillsion1 Posted April 28 ID:1564897 Share Posted April 28 Good evening, everytime I boot up I get this blocked website report from (C:\Windows\SysWOW64\PING.EXE) Categorized as a Trojan with an outbound Connection and IP 193.239.84.194 with port 0. Attached are all Logs from MalwareBytes Scans, Adwcleaner.exe, and FRST64.exe (with addition.txt) 20230427Scan.txt Addition.txt AdwCleaner[C01].txt FRST.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted April 28 Root Admin ID:1564947 Share Posted April 28 Hello @Dillsion1 and We'll take a look and see what we can find. I do see you have an unbelievable amount of CustomCLSID: from Java Example of hundreds CustomCLSID: HKU\S-1-5-21-3388967864-4246774857-54345224-1001_Classes\CLSID\{CAFEEFAC-0018-0000-0370-ABCDEFFEDCBC}\InprocServer32 -> C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll (Oracle America, Inc. -> ) I assume or hope you're doing some type of Java programming Please note the following error Error: (04/27/2023 09:50:28 PM) (Source: MsiInstaller) (EventID: 11714) (User: NT AUTHORITY) Description: Product: Chrome Remote Desktop Host -- Error 1714. The older version of Chrome Remote Desktop Host cannot be removed. Contact your technical support group. System Error 1612. Error: (04/25/2023 11:02:24 PM) (Source: Application Error) (EventID: 1000) (User: NT AUTHORITY) Description: Faulting application name: remoting_host.exe, version: 103.0.5060.46, time stamp: 0x62a290ac Faulting module name: remoting_core.dll, version: 103.0.5060.46, time stamp: 0x62a290ac Exception code: 0x80000003 Fault offset: 0x0032a8ad Faulting process id: 0x0x1a9c Faulting application start time: 0x0x1d977fc49fdde57 Faulting application path: C:\Program Files (x86)\Google\Chrome Remote Desktop\103.0.5060.46\remoting_host.exe Faulting module path: C:\Program Files (x86)\Google\Chrome Remote Desktop\103.0.5060.46\remoting_core.dll Report Id: a4f03eac-ff70-4997-84e8-e9f57ec892b1 Faulting package full name: Faulting package-relative application ID: System errors:============= Error: (04/27/2023 10:24:21 PM) (Source: Service Control Manager) (EventID: 7009) (User: ) Description: A timeout was reached (45000 milliseconds) while waiting for the chromoting service to connect. Error: (04/27/2023 10:24:01 PM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: The IntelHaxm service failed to start due to the following error: A device attached to the system is not functioning. Error: (04/27/2023 10:24:01 PM) (Source: IntelHaxm) (EventID: 3) (User: ) Description: HAXM Failed to init VMX Error: (04/27/2023 10:24:01 PM) (Source: IntelHaxm) (EventID: 6) (User: ) Description: HAXM can't work on system without VT support Windows Defender: ================ Date: 2023-04-27 22:24:50 Description: C:\Users\Dills\AppData\Local\Medal\app-4.1916.0\Medal.exe has been blocked from modifying %userprofile%\Documents\Medal\ by Controlled Folder Access. Detection time: 2023-04-28T04:24:50.312Z Path: %userprofile%\Documents\Medal\ Process Name: C:\Users\Dills\AppData\Local\Medal\app-4.1916.0\Medal.exe Security intelligence Version: 1.387.2251.0 Engine Version: 1.1.20200.4 Product Version: 4.18.2303.8 Date: 2023-04-25 23:02:59 Description: C:\Users\Dills\AppData\Local\Medal\app-4.1916.0\Medal.exe has been blocked from modifying %userprofile%\Documents\Medal\ by Controlled Folder Access. Detection time: 2023-04-26T05:02:59.479Z Path: %userprofile%\Documents\Medal\ Process Name: C:\Users\Dills\AppData\Local\Medal\app-4.1916.0\Medal.exe Security intelligence Version: 1.387.2251.0 Engine Version: 1.1.20200.4 Product Version: 4.18.2303.8 Date: 2023-04-25 22:29:16 Description: C:\Users\Dills\AppData\Local\Medal\recorder-3.648.0\MedalEncoder.exe has been blocked from modifying %userprofile%\Documents\Medal\ by Controlled Folder Access. Detection time: 2023-04-26T04:29:16.442Z Path: %userprofile%\Documents\Medal\ Process Name: C:\Users\Dills\AppData\Local\Medal\recorder-3.648.0\MedalEncoder.exe Security intelligence Version: 1.387.2251.0 Engine Version: 1.1.20200.4 Product Version: 4.18.2303.8 Can we get the following report which will also give us the logs from Malwarebytes to see what it's finding. To begin, please do the following so that we may take a closer look at your installation for troubleshooting: NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system. Download the Malwarebytes Support Tool In your Downloads folder, open the mb-support-x.x.x.xxx.exe file In the User Account Control pop-up window, click Yes to continue the installation Run the MBST Support Tool In the left navigation pane of the Malwarebytes Support Tool, click Advanced In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply Thank you Link to post Share on other sites More sharing options...
Dillsion1 Posted April 28 Author ID:1564953 Share Posted April 28 Attached is the requested Zip from the Support tool I appreciate the speedy replies on this because I booted up today and it happened again. mbst-grab-results.zip Link to post Share on other sites More sharing options...
Dillsion1 Posted April 28 Author ID:1564955 Share Posted April 28 And no, I haven't touched and Java programming in months but I used to mess around with it. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted April 28 Root Admin ID:1564958 Share Posted April 28 So the block is an old block and the site is now down, so we'll remove the block. However, that does not answer why your computer is calling out to it in the first place. Here it is in our log "websiteData": { "blockType": 15, "ip": "193.239.84.194", "isInbound": false, "port": 0, "processPath": "C:\\Windows\\SysWOW64\\PING.EXE", "url": "" Please run the following Create an Autoruns Log: Please download Sysinternals Autoruns from here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it. Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard. Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options... Then place a check mark on the following items Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images Then click the Rescan button. Agree to the VirusTotal EULA Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns. Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply. Thank you Link to post Share on other sites More sharing options...
Dillsion1 Posted April 28 Author ID:1564961 Share Posted April 28 I just left for work but I will upload this when I return sometime around 6pm MST Just wanted to send so you don't wait around Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted April 28 Root Admin ID:1564962 Share Posted April 28 Thank you for the update. Have a good day @Dillsion1 Link to post Share on other sites More sharing options...
Dillsion1 Posted April 29 Author ID:1565019 Share Posted April 29 Attached is the Autoruns.zip you requested I appreciate the patience with me today! TYH93HV2MG.zip Link to post Share on other sites More sharing options...
Root Admin Solution AdvancedSetup Posted April 30 Root Admin Solution ID:1565134 Share Posted April 30 Please run the following fix @Dillsion1 NOTE: Please read all of the information below before running this fix. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply Farbar program: FRST64.exe Save the attached file: FIXLIST.TXT to this folder C:\Users\Dills\Downloads\ NOTE. It's important that both files, FRST64.exe, and fixlist.txt are in the same location or the fix will not work. Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it. Run the Farbar program with Admin rights and press the Fix button just once and wait. The fix may possibly take up to 60 minutes to complete If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply. NOTE: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed in most, but not all cases. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix. The following directories are emptied: Windows Temp Users Temp folders Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Discord cache Java cache Steam HTML cache Explorer thumbnail and icon cache BITS transfer queue (qmgr*.dat files) Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. fixlist.txt Thanks Link to post Share on other sites More sharing options...
Dillsion1 Posted April 30 Author ID:1565242 Share Posted April 30 Attached is the fixlog you requested, Thanks for taking the time! Fixlog.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 1 Root Admin ID:1565316 Share Posted May 1 Thank you @Dillsion1 that log looks pretty good overall. Are you still getting the PING alert? Link to post Share on other sites More sharing options...
Dillsion1 Posted May 2 Author ID:1565518 Share Posted May 2 I am no longer getting the ping alert, everything seems to be working as it should now! Thank you so much for your help, it was truly the most annoying thing as well as worrying. Have a wonderful rest of your day! Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 2 Root Admin ID:1565522 Share Posted May 2 Great, glad to hear all is better. Please run the following @Dillsion1 We're not quite done yet. SecurityCheck by glax24 I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications. Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe If Microsoft SmartScreen blocks the download, click through to save the file This tool is safe. Smartscreen is overly sensitive. If SmartScreen blocks the file from running click on More info and Run anyway Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt Thank you Link to post Share on other sites More sharing options...
Dillsion1 Posted May 4 Author ID:1565875 Share Posted May 4 Security check.txt attached! SecurityCheck.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 4 Root Admin ID:1565882 Share Posted May 4 Thank you. Please uninstall, update, or otherwise address the following as appropriate for your system. Notepad++ (64-bit x64) v.8.4.8 Warning! Download Update Node.js v.18.3.0 Warning! Download Update Python 3.9.13 (64-bit) v.3.9.13150.0 Warning! Download Update Discord v.1.0.9004 Warning! Download Update Telegram Desktop version 4.0.2 v.4.0.2 Warning! Download Update ---------------------------- [ UnwantedApps ] ----------------------------- Driver Easy 5.7.2 v.5.7.2 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering. Computer experts no longer recommend this program. ----------------------------- [ End of Log ] ------------------------------ Then restart the computer and check for Windows Updates and install any found Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted Tuesday at 11:23 PM Root Admin ID:1569909 Share Posted Tuesday at 11:23 PM Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread. Tips to help protect from infection Thanks Link to post Share on other sites More sharing options...
Recommended Posts