
Computer infected-website redirects-possible VM attack


PatH


All of my devices are compromised. I've downloaded Malwarebytes and Hitman. Not sure I got a complete install. Full scans complete in just minutes and find nothing. My litmus test is https://www.microsoft.com/en-us/software-download/windows10ISO. My Chromebook can access this website but my Windows machines cannot. I have a Dell Inspiron 3650, which is the machine I'm working with right now (because it's easy to remove the hard drive). So I've connected the drive to another PC (as an external drive) and completely cleaned it and reformatted it. Put it back in the Dell. Booted to an install CD and reinstalled Windows 10. The web redirects continue, and the machine is glitchy when I take steps to remediate the problem. The screen fonts get large and the mouse jumps around. I installed a new modem and router fresh out of the box and tried again. Scrubbed the drive and reinstalled Windows. Still getting website redirects. I see a lot of Hyper-V in the WINSXS directory. I have never used or installed a virtual machine. Any help would be appreciated.


  • Root Admin

Hello and welcome, @PatH


My screen name is AdvancedSetup and I will assist you with your system issues.

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim.
  • Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections.
  • If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.

To begin, please do the following so that we may take a closer look at your installation for troubleshooting. This is a report only.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you


  • Root Admin

Thank you for the logs @PatH

Something prevented downloading of the Farbar tool and thus its scan logs.

Please run the following and I'll check back on you again sometime tomorrow

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you


  • Root Admin

ATTENTION: System Restore is disabled (Total:930.52 GB) (Free:905.33 GB) (97%)

Please enable System Protection and create a NEW Restore Point

How to Turn On or Off System Protection for Drives in Windows 10
https://www.tenforums.com/tutorials/4533-turn-off-system-protection-drives-windows-10-a.html

How to Create a System Restore Point in Windows 10
https://www.tenforums.com/tutorials/4571-create-system-restore-point-windows-10-a.html

Please run the following fix

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program: FRST64.exe

Save the attached file FIXLIST.TXT to this folder: C:\pat\malwarebytes\

NOTE: It's important that both files, FRST64.exe and fixlist.txt, are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

  1. NOTE: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks


  • Root Admin

Thank you for the log @PatH

That was a good run. The script cleaned up items and also found and repaired some issues

Windows Resource Protection found corrupt files and successfully repaired them.

Please do the following

[ 1 ]

Your current DNS Servers:  192.168.50.1

Please consider changing your default DNS server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

Pick just one of these 4 providers. And be aware that you need to modify 1 time for IPv4 & a 2nd pass for IPv6

  • Google Public DNS: IPv4 8.8.8.8 and 8.8.4.4; IPv6 2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4 1.1.1.1 and 1.0.0.1; IPv6 2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4 208.67.222.222 and 208.67.220.220; IPv6 2620:119:35::35 and 2620:119:53::53
  • DNS.WATCH: IPv4 84.200.69.80 and 84.200.70.40; IPv6 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

[ 2 ]

Please run the following after changing your DNS settings

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", then reply YES to allow it to run and go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

[ 3 ]

Then run the following scan from Microsoft

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers; make sure all are fully exited, and messenger programs are exited and closed as well.

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the end results at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

Thank you

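As an added illustration of the DNS change in step [ 1 ] above (example code written for this page, not from the thread or from Malwarebytes), the following PowerShell applies one provider, Cloudflare from the list, to the adapter that carries the default route, covers both IPv4 and IPv6 in one command, and then resolves a public hostname through the new resolver and flags any answer that falls in a private address range, which is one cheap tell of a tampered resolver path. The adapter selection, the choice of www.microsoft.com as the test name and the private-range check are assumptions of the example; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: switch the active adapter to one public
# DNS provider (Cloudflare, from the post's list) and sanity-check resolution.
# Run from an elevated PowerShell prompt. Adapter choice and test hostname are
# assumptions of this example.

$Ipv4Servers = @('1.1.1.1', '1.0.0.1')
$Ipv6Servers = @('2606:4700:4700::1111', '2606:4700:4700::1001')
$TestHost    = 'www.microsoft.com'

# The adapter carrying the IPv4 default route is the one actually used for
# Internet traffic, so that is the one whose resolver settings matter.
$defaultRoute = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction Stop |
                Sort-Object RouteMetric, InterfaceMetric |
                Select-Object -First 1
$ifIndex = $defaultRoute.InterfaceIndex
$adapter = Get-NetAdapter -InterfaceIndex $ifIndex

Write-Host "Adapter: $($adapter.Name) ($($adapter.InterfaceDescription))"
Write-Host 'Resolver settings before the change:'
Get-DnsClientServerAddress -InterfaceIndex $ifIndex |
    Format-Table InterfaceAlias, AddressFamily, ServerAddresses -AutoSize

# A single call with both IPv4 and IPv6 addresses sets both families; this is
# the command-line equivalent of the two GUI passes the post describes.
Set-DnsClientServerAddress -InterfaceIndex $ifIndex `
    -ServerAddresses ($Ipv4Servers + $Ipv6Servers)

# Drop cached answers that came from the previous resolver.
Clear-DnsClientCache

Write-Host 'Resolver settings after the change:'
Get-DnsClientServerAddress -InterfaceIndex $ifIndex |
    Format-Table InterfaceAlias, AddressFamily, ServerAddresses -AutoSize

# Ask the new resolver directly and flag anything odd: a public site that
# resolves to a private (RFC 1918) address points at a tampered resolver path.
$privateV4 = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
$answers = Resolve-DnsName -Name $TestHost -Type A -Server $Ipv4Servers[0] -ErrorAction Stop |
           Where-Object { $_.QueryType -eq 'A' }

foreach ($a in $answers) {
    $flag = if ($a.IPAddress -match $privateV4) { 'PRIVATE ADDRESS - investigate' } else { 'ok' }
    Write-Host ("{0,-40} {1,-16} {2}" -f $a.Name, $a.IPAddress, $flag)
}
if (-not $answers) {
    Write-Warning "No A records returned for $TestHost via $($Ipv4Servers[0])."
}
```

Querying the resolver explicitly with -Server sidesteps whatever the router hands out over DHCP, so the answer reflects the provider you just configured rather than the path the redirects have been travelling.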

Here is the msert.log. It did not take long to run as there are no files on the computer. It was a fairly fresh install. I've made the DNS changes and rebooted. I was impressed at how comprehensive the fix log was. At the beginning I said the Microsoft site was my litmus test. I've tested that and still cannot get to that webpage. I want to be sure that my installation media is pristine. Decided to try to create installation media for Windows 10 from the Microsoft site (even though it seems I am still restricted). Please see the attached jpg. I attached one USB for the media creation, but as you can see TWO USBs appeared. Drive letter D is my USB. Drive letter F is something else. Diskpart shows D as a removable 14 GB drive, which is mine. Drive letter F is labeled UEFI_NTFS, type Removable, file system FAT, size 1024 KB, and contains an EFI directory with 4 boot*.efi files. A few months ago on another infected machine (laptop with i5 processor) I was going to reinstall Office from CD but walked away. When I came back hours later I could see that there was another CD drive listed in addition to mine. When I mapped to it I could see that the media was the Office install but it was a different version than what I intended to install. These are the things that make me suspicious that I may be in a VM bubble without real access to the hardware. What do you think?

20230831_080828.jpg

msert.log


  • Root Admin

When you say VM (Virtual Machine) - what exactly do you mean? Are you using Microsoft Hyper-V or VMware Workstation or ??

You may want to also possibly do a factory reset on your router if you're concerned about something like that.

If you own your own router and are not renting it from your Internet Service Provider

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2 using AES encryption or Enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network.
    Example: Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the Router Firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set Firewall rules to BLOCK: TCP and UDP ports 135 ~ 139, 445, 1234, 3389, 5555 and 9034
  • Document passwords created and store them in a safe but accessible location.

For doing a CLEAN install of Windows you would validate the HASH of the file downloaded for the ISO

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587

Also, please review the following topic

Bypass Microsoft Online Account Creation during installation of Windows 11
https://forums.malwarebytes.com/topic/296613-bypass-microsoft-online-account-creation-during-installation-of-windows-11/


Recovery options in Windows
https://support.microsoft.com/en-us/windows/recovery-options-in-windows-31ce2444-7de3-818c-d626-e3b5a3024da5#WindowsVersion=Windows_11

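An added PowerShell example of the hash check mentioned above (this is example code for the page, not code from the thread or from Malwarebytes): it computes the SHA-256 of a downloaded ISO with Get-FileHash and compares it, after normalising the pasted string, with the value Microsoft publishes for that exact edition, language and build. The file path and the published hash are placeholders you replace, and the function name Test-IsoHash is this example's own.

```powershell
# Added example, not from the thread: verify a downloaded Windows ISO against
# the SHA-256 Microsoft publishes for it before building installation media.
# Both values below are placeholders to replace with your own download path
# and the hash copied from Microsoft's download page for that exact ISO.
$IsoPath         = 'C:\path\to\downloaded\Windows.iso'   # placeholder
$PublishedSha256 = '<PASTE-PUBLISHED-SHA256-HERE>'        # placeholder

function Test-IsoHash {
    # Returns an object with the expected and actual digest and a Match flag.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "ISO not found: $Path"
    }

    # Published hashes are sometimes copied with spaces or dashes; normalise
    # and insist on exactly 64 hex digits so a truncated paste is caught.
    $expected = ($ExpectedSha256 -replace '[\s-]', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        throw "Expected value is not a 64-hex-digit SHA-256: '$ExpectedSha256'"
    }

    # Hashing a multi-gigabyte ISO takes a while; Get-FileHash streams the file.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToUpperInvariant()

    [pscustomobject]@{
        Path     = $Path
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -ceq $expected)
    }
}

$result = Test-IsoHash -Path $IsoPath -ExpectedSha256 $PublishedSha256
$result | Format-List

if ($result.Match) {
    Write-Host 'Hash matches the published value; the ISO can be used to build media.'
} else {
    Write-Warning 'Hash mismatch: discard this ISO and download it again before building media.'
}
```

The comparison only means something if the expected value comes from Microsoft's own page for that download and not from the file's source, which is why the script refuses anything that is not a full 64-digit digest rather than silently comparing against a truncated paste.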

What do I mean by VM (Virtual Machine)? I do not use Hyper-V or any other VM. I have about five machines that I'm working with; all seem to be hijacked. On one machine a while back systeminfo reported that a VM was detected. Whatever VM was detected, it wasn't installed by me. I've also seen some system and WMI events that reference a virtual machine and complain that the remote machine cannot be reached. There have been other things pop up that are suspicious but I don't want to put them in a public forum. BTW I got a voice mail from "tech support". If it was from you or someone on your team please put a note in this topic and I will return the call to the number I saved.

I've considered that my router was compromised so I replaced it a couple of weeks ago. I tried to make it as secure as possible. Thank you so much for the data on port blocking. Great information. I'll try to get those changes configured tonight.


  • Root Admin

Windows does support Hyper-V which is a virtual machine. Having or seeing WMI entries about a virtual machine, depending on what they are, could be very normal and valid.

Please run the following

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply


Attached is the Doctor Web log. No infected objects were detected.

This morning I reset my router to factory default and set it up and configured using the suggestions in your earlier post. Passwords are complex, ports you listed are blocked.

In the interim the Dell Inspiron 3650 was doing some auto Windows and driver updates. When I looked at Windows Update and history I saw nothing unusual. When I look in the WinSxS and SysWOW64 directories I see lots of new directories with today's date (too many to count).

cureit.log


  • Root Admin

Yes, nothing found. That's good @PatH

Please open an elevated admin command prompt. Then copy and paste the following into the command window and press the Enter key. Post back the results, please.

curl -v --sslv3 https://www.microsoft.com/en-us/software-download/windows10ISO


I have tried this URL from Firefox, Chrome and Edge with the same result.

https://www.microsoft.com/en-us/software-download/windows10iso immediately reverts to https://www.microsoft.com/en-us/software-download/windows10 which takes me to a page that looks official but there is no option to download the ISO, and there is no hash displayed for any verification. I can download the Media Creation Tool but the actual Windows 10 download to media occurs over the web, so I stopped the process before the download could begin.

Curl sslv3.txt


This is interesting. Found in the SMBClient event log this morning: event 31018, which reports the following:

The AllowInsecureGuestAuth registry value is not configured with default settings.

Default Registry Value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"AllowInsecureGuestAuth"=dword:0
Configured Registry Value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"AllowInsecureGuestAuth"=dword:1

Guidance:
This event indicates that an administrator has enabled insecure guest logons. An insecure guest logon occurs when a server logs the user on as an unauthenticated guest, typically in response to an authentication failure. Guest logons do not support standard security features such as signing and encryption. As a result, allowing guest logons makes the client vulnerable to man-in-the-middle attacks that can expose sensitive data on the network. Windows disables insecure guest logons by default. Microsoft does not recommend enabling insecure guest logons.

I opened Control Panel to check on accounts. The only account visible to me is my own.  Administrator and Guest are not there.

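The event text above names the registry value involved. As an added PowerShell example (written for this page, not taken from the thread), the following reads that value from the service key quoted in the event and from the Group Policy location that overrides it, reports whether each matches the Windows default of 0, restores the default in the service key when it does not, and lists recent 31018 events so the change can be correlated with when it was first noticed. The function names are this example's own; the policy path and the Microsoft-Windows-SmbClient/Security log name are standard Windows locations that the thread itself does not mention.

```powershell
# Added example, not from the thread: audit the SMB client setting behind
# event 31018 and restore the Windows default (0 = insecure guest logons off).
# Run from an elevated PowerShell prompt.

# Service key quoted in the event, plus the Group Policy key that takes
# precedence over it when a policy value exists.
$ServicePath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$PolicyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
$ValueName   = 'AllowInsecureGuestAuth'

function Get-InsecureGuestAuthState {
    # One object per location: whether the value exists, what it is, and
    # whether that is the secure (default) state.
    foreach ($path in $ServicePath, $PolicyPath) {
        $item  = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.$ValueName } else { $null }
        [pscustomobject]@{
            Location = $path
            Present  = ($null -ne $item)
            Value    = $value
            Secure   = ($null -eq $value) -or ($value -eq 0)
        }
    }
}

function Restore-InsecureGuestAuthDefault {
    # Writes the default into the service key. A non-default policy value
    # cannot be fixed here; it has to be changed in Group Policy, so warn.
    if (-not (Test-Path $ServicePath)) {
        New-Item -Path $ServicePath -Force | Out-Null
    }
    Set-ItemProperty -Path $ServicePath -Name $ValueName -Value 0 -Type DWord

    $policy = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $policy -and [int]$policy.$ValueName -ne 0) {
        Write-Warning "$PolicyPath\$ValueName is $($policy.$ValueName); a policy still enables insecure guest logons."
    }
}

function Get-Recent31018 {
    # The events the post quotes live in the SMB client security channel.
    param([int]$Days = 7)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SmbClient/Security'
        Id        = 31018
        StartTime = (Get-Date).AddDays(-$Days)
    } | Select-Object TimeCreated, Id, MachineName
}

$before = Get-InsecureGuestAuthState
Write-Host 'Current state:'
$before | Format-Table -AutoSize

if ($before | Where-Object { -not $_.Secure }) {
    Restore-InsecureGuestAuthDefault
    Write-Host 'State after restoring the default:'
    Get-InsecureGuestAuthState | Format-Table -AutoSize
}

Write-Host 'Recent 31018 events (when the non-default value was noticed):'
Get-Recent31018 | Format-Table -AutoSize
```

Checking both locations matters because the policy key wins when it is present: resetting only the service key on a machine where a policy sets the value to 1 would leave guest logons enabled and the event would keep firing.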

I've been careful not to install or make changes on this machine while we go through this process. I did install the Chrome and Firefox browsers to test the Windows ISO link. This machine has a new load of the Windows 10 OS; it was installed on Tuesday morning, August 29. No apps or personal data have been added to the computer. I've been monitoring logs but not making changes. I could not remember if I added RestrictRemoteSam to the registry so I checked it. I had not added it. I hope it is okay that I added it just a while ago. I've noticed when I open regedit that if I did not close all the hives the last time, it opens to where I left off. This is what was in view when I opened regedit; see the jpg attached. Again, I do not use a VM and have not installed any VM. I'm sending this because of the change to the guest account (see my last reply).

20230902_122808.jpg


  • Root Admin
17 hours ago, PatH said:

I have tried this URL from Firefox, Chrome and Edge with the same result.

https://www.microsoft.com/en-us/software-download/windows10iso immediately reverts to https://www.microsoft.com/en-us/software-download/windows10 which takes me to a page that looks official but there is no option to download the ISO, and there is no hash displayed for any verification. I can download the Media Creation Tool but the actual Windows 10 download to media occurs over the web, so I stopped the process before the download could begin.

That is 100% normal and what Microsoft does on purpose.

If you want to not be redirected you need to install a web browser extension to modify the user agent string so that the web browser thinks you're running Mac or Linux

I've used this one for Firefox

https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher/


  • Root Admin

Please get me a new, fresh set of logs from Farbar

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you


Thank you for suggesting the https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher/. One of my primary goals is to get a verifiable ISO and make new installation media that I can trust. Unfortunately, no matter what parameters I choose, the websites for "my user agent" always report Firefox 117 on Windows 10. I am hoping I can get this working soon.


This topic is now closed to further replies.