PayloadProcessBlock: cmd.exe \c reg.exe Cryptography \v MachineGuid


Solved by Maurice Naggar


Hello,

I followed the instructions in pinned post, and have attached three things mentioned there. Along with that, I have also attached 4 detection*.txt files which shows the details about the detection that caused me to open this support thread.

Please let me know what other information I can provide.


Thanks!

detection4_2023_10_09.txt FRST.txt scan_report_2023_10_09.txt Addition.txt detection1_2023_10_09.txt detection2_2023_10_09.txt detection3_2023_10_09.txt


Hello @Mehul and welcome back:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.  WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have posted.

Thank you.

Edited by 1PW

Hello @Mehul. My name is Maurice. The exploit message you have seen may just be a false positive. But be sure to provide the ZIP from the support tool so it can be reviewed. It will have much fuller details. Go ahead and do the following.

Do these 2 steps so that ALL folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

This is a good point to emphasize not playing online games or games in general, while the case is on-going.
I would also emphasize to reduce the auto-started applications that start with Windows down to the absolute minimum. Which would basically be just security applications. Just do not mess with Microsoft Windows services.
Apply these principles now from the following How-to
How to perform a clean boot in Windows


As requested, please find mbst-grab-results.zip attached to this post. I have also enabled hidden files and folder along with disabling fast startup.

Unfortunately, due to my previous commitments, I will still need to continue playing one online game. Please let me know if this is going to be an issue during our troubleshooting.


Thanks,

Mehul

mbst-grab-results.zip


Thank you. If you yourself "tweaked" or "amped up" on your own any Application Behavior Protection setting within Malwarebytes....let me know. In the SECURITY tab of Malwarebytes, we need "Brute force protection" to be OFF.

Can you check if the "Penetration testing" toggle in the UI is ON ? If it is ON, please turn it OFF and Hit Apply

You can find it by going to Security->Exploit Protection->Advanced settings.  Press Restore Defaults. Press Apply button.



Both "Brute force protection" and "Penetration Testing" were already set to OFF.

I may have tweaked something in the past, but I can just reset it back to default if that helps. I don't think I need anything special at the moment.

I usually shut down the computer at the end of the day, but I forgot it is not the same as restart. I'll restart later tonight.

Thanks for your help!


Hello. IF this computer participates in a company or organization network or such, do let me know. I am assuming this is your home computer.
I assume you do not do any sort of special, unique software Virtualization.
There is one scheduled task that may well be what triggers the Exploit alarm by Malwarebytes.
The alarm may well be a false alarm. But since you likely do not need to have the task "Virtualization based Isolation master policy change", I am suggesting to run a custom script to remove that scheduled task.
Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

Please Close all open work before you actually do begin this run.

Farbar FRSTENGLISH program location: Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

<- < - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

Next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers,  This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

Edited by Maurice Naggar
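The helper above suspects a scheduled task is what launches the command line in the thread title (cmd.exe running reg.exe against the MachineGuid value) and wants more detail on it before deciding whether the alert is a false positive. The following read-only PowerShell triage script is an added example for readers in the same situation; it is not the helper's FRST fixlist and not part of the original thread. It assumes an elevated PowerShell prompt on Windows 10/11 with the built-in ScheduledTasks module, and the wildcard task name is taken from the name quoted in the post; the registry key path in the comments is the standard location of MachineGuid, not something the thread states.

```powershell
# Added example (not from the thread): find which scheduled task, if any, runs
# reg.exe against MachineGuid, and dump the details of a task by name.
# Everything here only reads task definitions; nothing is changed or deleted.
# MachineGuid lives under HKLM\SOFTWARE\Microsoft\Cryptography and is read by
# legitimate installers and telemetry agents as well as by malware, so the
# command line alone does not decide the question; the launching task does.

function Find-MachineGuidTasks {
    [CmdletBinding()]
    param(
        # Substrings to look for in each task action's executable plus arguments.
        [string[]]$Patterns = @('reg.exe', 'Cryptography', 'MachineGuid')
    )

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; COM-handler actions do not.
            if (-not $action.PSObject.Properties['Execute']) { continue }
            $cmdLine = "$($action.Execute) $($action.Arguments)"
            $hits = @($Patterns | Where-Object { $cmdLine -match [regex]::Escape($_) })
            if ($hits.Count -eq 0) { continue }

            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath     = $task.TaskPath
                TaskName     = $task.TaskName
                State        = $task.State
                Author       = $task.Author
                CommandLine  = $cmdLine
                LastRunTime  = $info.LastRunTime
                LastResult   = $info.LastTaskResult
                MatchedTerms = ($hits -join ',')
            }
        }
    }
}

function Get-TaskDetailByName {
    [CmdletBinding()]
    param(
        # Wildcard pattern for the task name, e.g. '*Virtualization based Isolation*'.
        [Parameter(Mandatory)][string]$NameLike
    )

    Get-ScheduledTask | Where-Object TaskName -like $NameLike | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            TaskPath    = $_.TaskPath
            TaskName    = $_.TaskName
            State       = $_.State
            Author      = $_.Author
            # Trigger class names (e.g. MSFT_TaskBootTrigger) show when the task fires,
            # which matters here because the alert appeared at boot with fast startup on.
            Triggers    = (($_.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ',')
            Actions     = (($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; ')
            LastRunTime = $info.LastRunTime
            LastResult  = $info.LastTaskResult
            # Full task XML, the same detail a helper would otherwise pull with FRST.
            Xml         = ($_ | Export-ScheduledTask)
        }
    }
}

# Usage: list candidate tasks first, then inspect the one named in the thread.
Find-MachineGuidTasks | Format-Table TaskPath, TaskName, State, CommandLine, LastRunTime -AutoSize
Get-TaskDetailByName -NameLike '*Virtualization based Isolation*' | Format-List
```

A task whose TaskPath sits under \Microsoft\Windows\ with a Microsoft author and a boot or logon trigger is the expected shape for an OS-owned job, which supports the false-positive reading; a task under the root path with a recently created definition and a command line matching the alert is the case to bring to the helper with the XML attached rather than delete on your own.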

The last time the alert popped up was when I started (with fastboot enabled at the time) my computer after it had been shut down the night before.

And yes, this is my personal computer, not work computer. I do have a few virtualization going on:

  1. VMWare workstation for regular VMs
  2. Docker Desktop for Windows containers for building apps
  3. Hyper-V enabled in order to run Windows Subsystem for Linux

And regarding "Virtualization based Isolation master policy change", I am assuming one of my virtualization tools enabled this? I don't remember manually changing any policies.

It looks like that policy is used for hardening Windows to provide additional security. So, I am a bit hesitant to run that script to disable it.

Do we absolutely have to disable it?😔


Hello. I have modified the run to not remove the mentioned task. It will instead get more detail about it and the scheduled tasks.

Please Close all open work before you actually do begin this run.

Farbar FRSTENGLISH program location: Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt <- < - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

Next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers,  This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

Edited by Maurice Naggar

Regret to hear that news. Please run this: Farbar MiniToolBox

  • Please download MiniToolBox and download it to your desktop
  • Close any browsers you may have open
  • Right click the icon and select Run as administrator
  • Make sure only the following options are checked:
      • Report IE Proxy Settings
      • Report FF Proxy Settings
      • List content of Hosts
      • List Devices - Only Problems
      • List last 10 Event Viewer log
      • List Installed Programs
      • List Devices
      • List Users, Partitions and Memory size.
      • List Minidump Files
  • Click Go and once the scan is completed a MTB.txt Notepad document will open on your desktop
  • Please SAVE the report-file.
  • Then attach that report with next reply.

This first part is some housekeeping. The old app named "Bonjour" is not needed.
1. Press & hold the Windows key on keyboard & then tap the R key to open the Run box-window.
2. Type

appwiz.cpl


and tap Enter.
The Programs and Features window will appear.   Locate on the list "Bonjour".

Do a right-click on it.  Then choose Uninstall.   Let it proceed.

Exit Programs and Features, when done.
Now do a Windows Restart.

The report did not shed light on the system-abort-crash (BSOD). But the STOP screen grab you had provided before seems to point to some sort of conflict or failure (perhaps) of a DirectX graphics subsystem driver.
It is likely a good idea to initiate and to have Windows run its CHKDSK utility.

First you will want to save all current edits ( if any) and Save your work files ( if any ). Exit your own open programs.
Open an elevated Command window i.e. run Command Prompt as an administrator .

On the Taskbar Search box, type in

cmd.exe


click the line for "run as administrator"


It is best to use the Windows Copy (CTRL+C) and paste (CTRL+V) for the whole line, as-is.
On that Command prompt, Copy & Paste this command

echo Y | chkdsk C: /F


Press the Enter key on keyboard. This says to accept a run of CHKDSK at the next time the system Reboots.
Once that is in place, do a Windows RESTART by using the Windows Start menu >>> Power >>> Restart.

Do not interfere with the CHKDSK as the system reboots and then begins the run of CHKDSK


I have removed "Bonjour" and also ran check disk. I noticed some left over artifacts from when I was testing Windows Defender ATP a little while back. I went ahead and ran the off boarding script to properly clean up that as well.

Should I try to run the fix again and pray it doesn't crash? Or did you want to get some more information on why it crashed first?

Due to currently configured settings, I also have a 2.65GB MEMORY.DMP file if that helps.



I pass on anything as regards the dump file. Go ahead and delete it. No, I do not desire to rerun any fix script.

I would like to get a special report.
Temporarily disable Microsoft SmartScreen to download the next software below 

Download SecurityCheck by glax24 from here

and save the tool on the desktop.

If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed.

This tool is safe. Smartscreen is overly sensitive.

Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


The SecurityCheck report has highlighted these applications that need your attention & follow-up.
KeePass Password Safe 2.47 v.2.47  Warning! Download Update

Git version 2.31.1 v.2.31.1  Warning! Download Update

Notepad++ (64-bit x64) v.7.9.5  Warning! Download Update

TeamViewer v.15.42.9  Warning! Download Update

VMware Workstation v.16.2.1  Warning! Download Update

WinSCP 5.19.4 v.5.19.4  Warning! Download Update

Python 3.9.2 (64-bit) v.3.9.2150.0  Warning! Download Update

Microsoft Visual Studio Code (User) v.1.62.2  Warning! Download Update

Wireshark 3.4.9 64-bit v.3.4.9  Warning! Download Update

7-Zip 19.00 (x64) v.19.00  Warning! Download Update
Uninstall old version and install new one.

GIMP 2.10.30 v.2.10.30  Warning! Download Update

Discord v.0.0.311  Warning! Download Update

WhatsApp (Outdated) v.2.2319.9  Warning! Download Update

Zoom v.5.10.4 (5035)  Warning! Download Update

ProtonVPN v.2.4.3  Warning! Download Update

Java 8 Update 321 (64-bit) v.8.0.3210.7  Warning! Download Update
Uninstall old version and install new one (jre-8u381-windows-x64.exe).

VLC media player v.3.0.12  Warning! Download Update

iTunes v.12.12.7.1  Warning! Download Update
^Please use Apple Software Update tool.^

HandBrake 1.5.1 v.1.5.1  Warning! Download Update

JDownloader 2 v.2.0  Warning! Suspected Adware! Not recommended.

When you get the chance, let me know: how is the situation at this time? Keep me advised.


  • 2 weeks later...
  • Solution

Temporarily disable Microsoft SmartScreen to download the next software below.

Let's go ahead and do some clean-up work and remove the tools and logs we've run.
Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_2-15.exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • You may attach that file to your next reply. (not compulsory)
  • Delete mb-support-1.9.2.982.exe
  • Delete mbst-grab-results.zip on the Desktop.

Your system is good-to-go.
Sincerely.


  • 1 month later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
