
Hidden Virus in Event Viewer, possible botnet


d9d9


Well, these are all just freshly installed programs from christitus's tool from the clean install video. The Edge thing is probably what was used to disable Microsoft Edge, as I just did what he did; same goes for OneDrive, it's light modifications. But I can uninstall these programs to make it easier if you'd like.

 


All these 3rd-party programs are clean, I can assure you of that; they're typical things you see on most machines. The tweaks, though, just came from the video you sent me that I used with his PowerShell tool. Not sure why it'd have anything to do with the hijacked machine.


  • Root Admin

You started out saying that you had an infection that returns even when you reinstall Windows. That is why I said you should do it a better way.

Okay let's forget about all that for now and move forward.

Please run the following so we can verify whether anything bad is found.

 

 

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner; please do so.

  • The downloaded file will normally have a unique name such as: q7a9tr4p.exe
  • Close all open applications, locate the downloaded file and double-click it to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click Scanning objects, which should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on the bottom right, Start scanning
  • Once the scan has completed there will be a link named Open report; click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web at the top of your user profile folder
  • Please attach that log to your next reply

 

 

 


Pretty sure it has a driver it's using to do this, perhaps through the MBR, but it shouldn't still be happening because I had formatted every single drive, I can promise you that. I will be repeating that process tomorrow, but from a USB on a laptop so it's a clean ISO.

 
  1. ufadraow.sys
     

IMG_6181.jpg


  • Root Admin

If you've followed the clean install directions there would not be an MBR. You'd have a GPT partitioned drive.

 

Not sure what's up with the URL to download the Dr Web scanner. I too am having issues accessing the Dr Web link.

Please try the following scanner instead

 

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Press the Windows Key and R Key together; the "Run" box should open.

Drag and drop KVRT.exe into the Run box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.

Add -dontencrypt (note the space between KVRT.exe and -dontencrypt).

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addendum to the run command is very important: when the scan does eventually complete, the resulting report is normally encrypted; with the extra switch it is saved as a readable file.

Reports are saved in C:\KVRT2020_Data\Reports and look similar to this: report_20210123_113021.klr
Right-click directly on that report, select > Open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open; tick all confirmation boxes, then select "Accept".

In the new window select "Change Parameters".

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options; if "Cure" is offered, leave it as is. For any other options change to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed...
 
Thank you
 
 

 

 


  • Root Admin

The fixboot would be available but NOT needed. If you need it during a fresh install, you already have a problem that no one I've ever seen has had.

Perhaps you may want to consider taking the computer into a local computer repair shop and having them assist you?

 

 


On 9/20/2023 at 4:20 PM, AdvancedSetup said:

The fixboot would be available but NOT needed. If you need it during a fresh install, you already have a problem that no one I've ever seen has had.

Perhaps you may want to consider taking the computer into a local computer repair shop and having them assist you?

 

 

I've decided to just leave it as is on a new Windows install with a new Windows key. As I'm able to play my games and do everything I want, I'll deal with it.


For now, I'll leave this HitmanPro EWS scan I did. Mind you, some could be false positives, but I believe whatever it is replaces your Windows files with older/modified Windows files that allowed themselves access. I still don't know how to clean the Boot (X:) thing (I know it's a normal Windows/PC thing, but it's probably hijacked with their own files), so I still suspect it uses an exploit within that.

 

HitmanPro_EWS.log


  • Root Admin

Boot (X:) should have been the USB disk that did the install. You cannot and should not try to run any FIX against that drive.

Please run the following.

Microsoft Safety Scanner

Please make sure you exit out of any other program you might have open, so that the sole task is to run the following scan.
That goes especially for web browsers: make sure all are fully exited, and that messenger programs are exited and closed as well.
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links and the instructions for running the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence to any intermediate early flash messages on the screen. The only thing that counts is the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands; just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log and will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

 


  • Root Admin

The NetSetup.LOG is normal. Part of the Microsoft Azure join domain. Just ignore it.

 

Please run the following. I'll check back on you again tomorrow, thanks.

 

Sophos Scan & Clean

Download Sophos Free Virus Removal Tool and save it to your desktop. You will need to send them an email to obtain the download link, please do so.
NOTE: The instructions below may be a little different now as Sophos appears to have made some minor changes to their scanner.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please close all other open applications and Do Not use your PC whilst the scan is in progress... This scan is very thorough so it may take several hours to complete, please be patient...

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your next reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result...

The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Please attach that log on your next reply

Thank you
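The posts above ask for four scanner logs at fixed locations (Dr.Web's cureit.log in the Doctor Web folder of the user profile, the KVRT .klr report under C:\KVRT2020_Data\Reports, MSERT.log under C:\Windows\debug, and the Sophos logs under C:\ProgramData), and the KVRT report is only readable when the tool was started with -dontencrypt. As an added example, not part of the thread and not code from Malwarebytes or any of the scanner vendors, the Python below gathers those logs from the paths quoted in the posts into one folder and flags a KVRT report that does not look like readable text. The drive root is a parameter so the same code runs against a constructed directory tree; `demo()` builds such a tree, and the 95% printable-byte threshold is my own assumption.

```python
"""Collect the scanner logs requested in this thread into one folder.

Added example: not from the thread and not from any scanner vendor. It
assumes the log locations quoted in the posts above; `root` is a parameter
so the code can be exercised against a constructed directory tree.
"""
from pathlib import Path
import shutil
import tempfile

# Glob patterns relative to the drive root, taken from the posts above.
LOG_PATTERNS = {
    "drweb":  "Users/*/Doctor Web/cureit.log",
    "kvrt":   "KVRT2020_Data/Reports/report_*.klr",
    "msert":  "Windows/debug/msert.log",
    "sophos": "ProgramData/Sophos/Sophos Virus Removal Tool/Logs/*.log",
}


def is_plain_text(path: Path, sample: int = 512) -> bool:
    """True if the file's first bytes look like readable text.

    A KVRT report written without -dontencrypt is not readable; this check
    flags that case so the user knows to rerun with the switch. NUL bytes are
    dropped first so a UTF-16 report (ASCII text with NUL padding) still passes.
    The 95% threshold is an assumption, not a vendor rule.
    """
    data = path.read_bytes()[:sample].replace(b"\x00", b"")
    if not data:
        return True
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) > 0.95


def collect_logs(root, dest) -> dict:
    """Copy every matching log under `root` into `dest`.

    Returns {scanner: [(copied file name, readable?), ...]}, newest file
    first, and omits scanners whose log was not found at all.
    """
    root, dest = Path(root), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    found = {}
    for scanner, pattern in LOG_PATTERNS.items():
        matches = sorted(root.glob(pattern),
                         key=lambda p: (p.stat().st_mtime, p.name), reverse=True)
        entries = []
        for src in matches:
            target = dest / f"{scanner}_{src.name}"   # prefix keeps names unique
            shutil.copy2(src, target)
            entries.append((target.name, is_plain_text(src)))
        if entries:
            found[scanner] = entries
    return found


def demo() -> dict:
    """Build a constructed tree (one readable and one unreadable KVRT report,
    plus an MSERT log; the contents are made up here) and collect from it."""
    root = Path(tempfile.mkdtemp(prefix="scanlogs_"))
    reports = root / "KVRT2020_Data" / "Reports"
    reports.mkdir(parents=True)
    # Stands in for an encrypted report: every byte value, nothing text-like.
    (reports / "report_20210122_090000.klr").write_bytes(bytes(range(256)) * 2)
    (reports / "report_20210123_113021.klr").write_text("Scan finished. No threats found.\r\n")
    (root / "Windows" / "debug").mkdir(parents=True)
    (root / "Windows" / "debug" / "msert.log").write_text("Results: no infection found\r\n")
    return collect_logs(root, root / "collected")


if __name__ == "__main__":
    for scanner, entries in demo().items():
        for name, readable in entries:
            note = "" if readable else "  <- not readable text; rerun KVRT with -dontencrypt"
            print(f"{scanner:7} {name}{note}")
```

Pointing `collect_logs` at the real drive (`collect_logs("C:/", "C:/Users/<you>/Desktop/scanlogs")`) gathers whatever the scanners left behind; a KVRT entry reported as not readable means the scan was started without the switch and the report will not open in Notepad.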

 


11 hours ago, AdvancedSetup said:

The NetSetup.LOG is normal. Part of the Microsoft Azure join domain. Just ignore it.

 

Please run the following. I'll check back on you again tomorrow, thanks.

 


Hello, Sophos found nothing, but I'd like to inform you that HitmanPro.Alert has been mitigating the virus. As it's looking for whatever app it can find to keep running, Discord was one of the victims; I found in Startup it had 24 processes under it, such as reg.exe and other such exes that I did not screenshot at the time. Since then I've disabled all startup programs, and just now, as I've had Discord open for maybe an hour or two, HMPA caught a ROP, Drive-by Compromise - ID: T1189, Tactic: Initial Access.

I would like to believe it uses some sort of kernel-level mechanism, through my motherboard's drivers or some such.
I'll be copying and pasting the log below:

Mitigation   ROP
Timestamp    2023-09-22T17:29:53

Platform     10.0.22621/x64 v947 06_9e
PID          10504
WoW          x86
Feature      007D0A3617BF01B6
Application  C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe
Created      2023-09-20T18:45:14
Description  Discord 1.0

Callee Type  AllocateVirtualMemory
             0x3D0C4000 (241664 bytes)

Branch Trace                      Opcode  To                              
-------------------------------- -------- --------------------------------
SleepEx +0xc6                        RET  GetQueuedCompletionStatus +0x15 ^0124
0x74F7C856 KernelBase.dll                 0x75069B65 KernelBase.dll       

WaitForSingleObject +0x13          ~ RET* 0x0113B580 Discord.exe ^001F    
0x74FA11E3 KernelBase.dll                                                 
            6a05                     PUSH         0x5
            68b00f7b07               PUSH         DWORD 0x77b0fb0
            e8d4692303               CALL         0x4371f60
            8b4df4                   MOV          ECX, [EBP-0xc]
            31e9                     XOR          ECX, EBP
            e8c3321c03               CALL         0x42fe859
            b001                     MOV          AL, 0x1
            83c41c                   ADD          ESP, 0x1c
            5e                       POP          ESI
            5f                       POP          EDI
            5d                       POP          EBP
            c3                       RET         
                                 (ABF87D29E9B59CDE)


WaitForSingleObjectEx +0xb6        ~ RET  WaitForSingleObject +0x12 ^0010 
0x74FA12A6 KernelBase.dll                 0x74FA11E2 KernelBase.dll       

WaitForSingleObjectEx +0xda          RET  WaitForSingleObjectEx +0xa5 ^0024
0x74FA12CA KernelBase.dll                 0x74FA1295 KernelBase.dll       

NtWaitForSingleObject +0xc         ~ RET  WaitForSingleObjectEx +0x88 ^0016
0x7713619C ntdll.dll                      0x74FA1278 KernelBase.dll       

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  74FA0BF0 KernelBase.dll           VirtualAlloc +0x40

2  0409E858 Discord.exe             
            85c0                     TEST         EAX, EAX
            0f95c0                   SETNZ        AL
            5e                       POP          ESI
            5d                       POP          EBP
            c3                       RET         

3  040FCFD5 Discord.exe             
4  03B50E93 Discord.exe             
5  03B24801 Discord.exe             
6  04B2FAFE Discord.exe             
7  03AD5BD4 Discord.exe             
8  03B05D28 Discord.exe             
9  03CE8296 Discord.exe             
10 0163A191 Discord.exe             

Loaded Modules (43)
-----------------------------------------------------------------------------
00B00000-090BC000 Discord.exe (Discord Inc.), 
                  version: 1.0.9018
770C0000-7726F000 ntdll.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
76A50000-76B40000 KERNEL32.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
73DA0000-73EBC000 hmpalert.dll (SurfRight B.V.), 
                  version: 3.8.22.947
74E60000-750D3000 KERNELBASE.dll (Microsoft Corporation), 
                  version: 10.0.22621.2283 (WinBuild.160101.0800)
74DC0000-74E5C000 OLEAUT32.dll (Microsoft Corporation), 
                  version: 10.0.22621.1992 (WinBuild.160101.0800)
755B0000-75629000 msvcp_win.dll (Microsoft Corporation), 
                  version: 10.0.22621.608 (WinBuild.160101.0800)
750E0000-751F2000 ucrtbase.dll (Microsoft Corporation), 
                  version: 10.0.22621.608 (WinBuild.160101.0800)
752C0000-7553C000 combase.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
762E0000-7639A000 RPCRT4.dll (Microsoft Corporation), 
                  version: 10.0.22621.1992 (WinBuild.160101.0800)
76B50000-76BAF000 WS2_32.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
75660000-75763000 CRYPT32.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
6C940000-6CD75000 ffmpeg.dll (), 
                  version: 
6C5F0000-6C93C000 UIAutomationCore.DLL (Microsoft Corporation), 
                  version: 7.2.22621.2070 (WinBuild.160101.0800)
6C410000-6C5E2000 dbghelp.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
73220000-73226000 MSIMG32.dll (Microsoft Corporation), 
                  version: 10.0.22621.608 (WinBuild.160101.0800)
75630000-75653000 GDI32.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
760C0000-760DA000 win32u.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
76870000-76951000 gdi32full.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
76CC0000-76E68000 USER32.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
73250000-73281000 WINMM.dll (Microsoft Corporation), 
                  version: 10.0.22621.1635 (WinBuild.160101.0800)
74110000-74134000 IPHLPAPI.DLL (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
744B0000-744B8000 VERSION.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
75ED0000-75F94000 msvcrt.dll (Microsoft Corporation), 
                  version: 7.0.22621.608 (WinBuild.160101.0800)
744C0000-744E4000 USERENV.dll (Microsoft Corporation), 
                  version: 10.0.22621.1928 (WinBuild.160101.0800)
6F650000-6F868000 DWrite.dll (Microsoft Corporation), 
                  version: 10.0.22621.1635 (WinBuild.160101.0800)
6CF10000-6CF88000 WINSPOOL.DRV (Microsoft Corporation), 
                  version: 10.0.22621.1778 (WinBuild.160101.0800)
76FE0000-770A1000 shcore.dll (Microsoft Corporation), 
                  version: 10.0.22621.2070 (WinBuild.160101.0800)
6DE70000-6DE7A000 Secur32.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
74140000-7421C000 WINHTTP.dll (Microsoft Corporation), 
                  version: 10.0.22621.1635 (WinBuild.160101.0800)
767E0000-76864000 sechost.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
740D0000-740E7000 dhcpcsvc.DLL (Microsoft Corporation), 
                  version: 10.0.22621.1344 (WinBuild.160101.0800)
740A0000-740C6000 SSPICLI.DLL (Microsoft Corporation), 
                  version: 10.0.22621.2070 (WinBuild.160101.0800)
760E0000-76105000 IMM32.DLL (Microsoft Corporation), 
                  version: 10.0.22621.1344 (WinBuild.160101.0800)
75540000-755A2000 bcryptPrimitives.dll (Microsoft Corporation), 
                  version: 10.0.22621.1928 (WinBuild.160101.0800)
76110000-7618D000 ADVAPI32.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
744F0000-744FB000 CRYPTBASE.DLL (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
6DD90000-6DDD5000 powrprof.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
6DD80000-6DD8E000 UMPDC.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
74220000-7429F000 uxtheme.dll (Microsoft Corporation), 
                  version: 10.0.22621.2283 (WinBuild.160101.0800)
73FA0000-73FF1000 mswsock.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
75770000-75DFF000 SHELL32.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
74490000-744A3000 kernel.appcore.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)

Process Trace
1  C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [10504]
   "C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe" --type=renderer --user-data-dir="C:\Users\prere\AppData\Roaming\discord" --standard-schemes --secure-schemes=disclip --bypasscsp-schemes --cors-schemes --fetch-schemes=disclip --service-worker
2  C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]

Dropped Files
1  C:\USERS\PRERE\APPDATA\ROAMING\DISCORD\SENTRY\SCOPE_V2.JSON
     Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
2  C:\Users\prere\AppData\Roaming\discord\Local Storage\leveldb\000073.log
     Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
3  C:\Users\prere\AppData\Roaming\discord\Local Storage\leveldb\000074.ldb
     Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
4  C:\Users\prere\AppData\Roaming\discord\Local Storage\leveldb\000075.ldb
     Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
5  C:\Users\prere\AppData\Local\Temp\scoped_dir11120_1882702941\66393d9ab8472e274405461a927298e2.png
     Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
6  C:\Users\prere\AppData\Local\Temp\19b66270-2a70-4e39-9e44-480b5381e85d.tmp
     Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]

Thumbprints
53de85142f2df8bc3250d3a8c67a36358427a94aabc2fade0587caa2bb52cebf
 

2nd log it picked up:

 

Mitigation   ROP
Timestamp    2023-09-22T17:29:51

Platform     10.0.22621/x64 v947 06_9e
PID          12200
WoW          x86
Feature      007D0A3617BF01B6
Application  C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe
Created      2023-09-20T18:45:14
Description  Discord 1.0

Callee Type  AllocateVirtualMemory
             0x1B184000 (241664 bytes)

Branch Trace                      Opcode  To                              
-------------------------------- -------- --------------------------------
PeekMessageW +0x1da                  RET* 0x01048CB4 Discord.exe ^0284    
0x76CEBFFA user32.dll                                                     
            8b3b                     MOV          EDI, [EBX]
            8b7308                   MOV          ESI, [EBX+0x8]
            89f9                     MOV          ECX, EDI
            6a04                     PUSH         0x4
            6a0c                     PUSH         0xc
            e8ecb8a302               CALL         0x3a845b0
            8d480c                   LEA          ECX, [EAX+0xc]
            894f04                   MOV          [EDI+0x4], ECX
            8930                     MOV          [EAX], ESI
            c740046d000000           MOV          DWORD [EAX+0x4], 0x6d
            eb40                     JMP          0x1048d15
                                 (B286BCFEBFD86A66)


MsgWaitForMultipleObjectsEx +0x54   ~ RET* 0x01048D05 Discord.exe ^00C8    
0x76CE22D4 user32.dll                                                     
            028d480c894f             ADD          CL, [EBP+0x4f890c48]
            0489                     ADD          AL, 0x89
            30c7                     XOR          BH, AL
            40                       INC          EAX
            0469                     ADD          AL, 0x69
            0000                     ADD          [EAX], AL
            008b4d0c8948             ADD          [EBX+0x48890c4d], CL
            08e9                     OR           CL, CH
            03fc                     ADD          EDI, ESP
                                 (FCF60F8AEADBABD9)


NtUserMsgWaitForMultipleObjectsEx +0xc   ~ RET  MsgWaitForMultipleObjectsEx +0x51 ^012C
0x760C5CBC win32u.dll                     0x76CE22D1 user32.dll           

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  74FA0BF0 KernelBase.dll           VirtualAlloc +0x40

2  0409E858 Discord.exe             
            85c0                     TEST         EAX, EAX
            0f95c0                   SETNZ        AL
            5e                       POP          ESI
            5d                       POP          EBP
            c3                       RET         

3  040FCFD5 Discord.exe             
4  03B50E28 Discord.exe             
5  0156C9D6 Discord.exe             
6  0153DC53 Discord.exe             
7  0153B491 Discord.exe             
8  01538BE5 Discord.exe             
9  015410D8 Discord.exe             
10 015492E8 Discord.exe             

Loaded Modules (123)
-----------------------------------------------------------------------------
00B00000-090BC000 Discord.exe (Discord Inc.), 
                  version: 1.0.9018
770C0000-7726F000 ntdll.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
76A50000-76B40000 KERNEL32.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
73DA0000-73EBC000 hmpalert.dll (SurfRight B.V.), 
                  version: 3.8.22.947
74E60000-750D3000 KERNELBASE.dll (Microsoft Corporation), 
                  version: 10.0.22621.2283 (WinBuild.160101.0800)
74DC0000-74E5C000 OLEAUT32.dll (Microsoft Corporation), 
                  version: 10.0.22621.1992 (WinBuild.160101.0800)
755B0000-75629000 msvcp_win.dll (Microsoft Corporation), 
                  version: 10.0.22621.608 (WinBuild.160101.0800)
750E0000-751F2000 ucrtbase.dll (Microsoft Corporation), 
                  version: 10.0.22621.608 (WinBuild.160101.0800)
752C0000-7553C000 combase.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
762E0000-7639A000 RPCRT4.dll (Microsoft Corporation), 
                  version: 10.0.22621.1992 (WinBuild.160101.0800)
76B50000-76BAF000 WS2_32.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
75660000-75763000 CRYPT32.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
6C940000-6CD75000 ffmpeg.dll (), 
                  version: 
6C5F0000-6C93C000 UIAutomationCore.DLL (Microsoft Corporation), 
                  version: 7.2.22621.2070 (WinBuild.160101.0800)
6C410000-6C5E2000 dbghelp.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
73220000-73226000 MSIMG32.dll (Microsoft Corporation), 
                  version: 10.0.22621.608 (WinBuild.160101.0800)
75630000-75653000 GDI32.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
760C0000-760DA000 win32u.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
76870000-76951000 gdi32full.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
76CC0000-76E68000 USER32.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
73250000-73281000 WINMM.dll (Microsoft Corporation), 
                  version: 10.0.22621.1635 (WinBuild.160101.0800)
74110000-74134000 IPHLPAPI.DLL (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
744B0000-744B8000 VERSION.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
75ED0000-75F94000 msvcrt.dll (Microsoft Corporation), 
                  version: 7.0.22621.608 (WinBuild.160101.0800)
744C0000-744E4000 USERENV.dll (Microsoft Corporation), 
                  version: 10.0.22621.1928 (WinBuild.160101.0800)
6F650000-6F868000 DWrite.dll (Microsoft Corporation), 
                  version: 10.0.22621.1635 (WinBuild.160101.0800)
6CF10000-6CF88000 WINSPOOL.DRV (Microsoft Corporation), 
                  version: 10.0.22621.1778 (WinBuild.160101.0800)
76FE0000-770A1000 shcore.dll (Microsoft Corporation), 
                  version: 10.0.22621.2070 (WinBuild.160101.0800)
6DE70000-6DE7A000 Secur32.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
74140000-7421C000 WINHTTP.dll (Microsoft Corporation), 
                  version: 10.0.22621.1635 (WinBuild.160101.0800)
767E0000-76864000 sechost.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
740D0000-740E7000 dhcpcsvc.DLL (Microsoft Corporation), 
                  version: 10.0.22621.1344 (WinBuild.160101.0800)
740A0000-740C6000 SSPICLI.DLL (Microsoft Corporation), 
                  version: 10.0.22621.2070 (WinBuild.160101.0800)
760E0000-76105000 IMM32.DLL (Microsoft Corporation), 
                  version: 10.0.22621.1344 (WinBuild.160101.0800)
75540000-755A2000 bcryptPrimitives.dll (Microsoft Corporation), 
                  version: 10.0.22621.1928 (WinBuild.160101.0800)
76110000-7618D000 ADVAPI32.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
744F0000-744FB000 CRYPTBASE.DLL (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
6DD90000-6DDD5000 powrprof.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
6DD80000-6DD8E000 UMPDC.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
74220000-7429F000 uxtheme.dll (Microsoft Corporation), 
                  version: 10.0.22621.2283 (WinBuild.160101.0800)
73FA0000-73FF1000 mswsock.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
75770000-75DFF000 SHELL32.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
74490000-744A3000 kernel.appcore.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
68B40000-69A5E000 discord_voice.node (), 
                  version: 
76190000-762DF000 ole32.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
76BD0000-76C1B000 SHLWAPI.dll (Microsoft Corporation), 
                  version: 10.0.22621.1635 (WinBuild.160101.0800)
6CD80000-6CE4A000 dxgi.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
6A880000-6AAB8000 d3d11.dll (Microsoft Corporation), 
                  version: 10.0.22621.2070 (WinBuild.160101.0800)
68AF0000-68B33000 qwave.dll (Microsoft Corporation), 
                  version: 10.0.22621.608 (WinBuild.160101.0800)
68A20000-68AE6000 OPENH264-2.2.0-WIN32.DLL (Cisco Systems Inc.), 
                  version: 2.2.0.2201
68500000-68A1A000 mediapipe.dll (), 
                  version: 
74380000-7439A000 bcrypt.dll (Microsoft Corporation), 
                  version: 10.0.22621.1992 (WinBuild.160101.0800)
6DAB0000-6DAB9000 AVRT.dll (Microsoft Corporation), 
                  version: 10.0.22621.608 (WinBuild.160101.0800)
6DC30000-6DC39000 msdmo.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
742A0000-742C4000 dwmapi.dll (Microsoft Corporation), 
                  version: 10.0.22621.1635 (WinBuild.160101.0800)
6B820000-6B82C000 TRAFFIC.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
684F0000-684FF000 WMICLNT.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
76960000-769E2000 clbcatq.dll (Microsoft Corporation), 
                  version: 2001.12.10941.16384 (WinBuild.160101.080
684D0000-684EC000 devenum.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
73C00000-73C3D000 CFGMGR32.dll (Microsoft Corporation), 
                  version: 10.0.22621.1344 (WinBuild.160101.0800)
763A0000-767DD000 setupapi.dll (Microsoft Corporation), 
                  version: 10.0.22621.1778 (WinBuild.160101.0800)
6CF90000-6CFB9000 ntmarta.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
68430000-684C7000 Windows.Devices.Enumeration.dll (Microsoft Corporation), 
                  version: 10.0.22621.2070 (WinBuild.160101.0800)
73CD0000-73D97000 PROPSYS.dll (Microsoft Corporation), 
                  version: 7.0.22621.2215 (WinBuild.160101.0800)
683A0000-6842C000 StructuredQuery.dll (Microsoft Corporation), 
                  version: 7.0.22621.2070 (WinBuild.160101.0800)
74500000-7451D000 profapi.dll (Microsoft Corporation), 
                  version: 10.0.22621.1928 (WinBuild.160101.0800)
68360000-68396000 MSWB7.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
68340000-6835C000 DevDispItemProvider.dll (Microsoft Corporation), 
                  version: 10.0.22621.1778 (WinBuild.160101.0800)
73290000-732B4000 DEVOBJ.dll (Microsoft Corporation), 
                  version: 10.0.22621.1344 (WinBuild.160101.0800)
769F0000-76A49000 WINTRUST.dll (Microsoft Corporation), 
                  version: 10.0.22621.2070 (WinBuild.160101.0800)
74480000-7448E000 MSASN1.dll (Microsoft Corporation), 
                  version: 10.0.22621.819 (WinBuild.160101.0800)
6DB30000-6DBAC000 MMDevApi.dll (Microsoft Corporation), 
                  version: 10.0.22621.2070 (WinBuild.160101.0800)
68300000-6833B000 mfwmaaec.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
6B710000-6B818000 mfperfhelper.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
6D7C0000-6D94A000 AUDIOSES.DLL (Microsoft Corporation), 
                  version: 10.0.22621.2070 (WinBuild.160101.0800)
682F0000-68300000 resourcepolicyclient.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
6D670000-6D77A000 Windows.UI.dll (Microsoft Corporation), 
                  version: 10.0.22621.2070 (WinBuild.160101.0800)
682D0000-682E6000 notificationstate.node (), 
                  version: 
682B0000-682CB000 notificationstate.node (), 
                  version: 
681F0000-682B0000 discord_utils.node (Microsoft Corporation), 
                  version: 10.0.22621.2070 (WinBuild.160101.0800)
73240000-7324B000 HID.DLL (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
681C0000-681E9000 dbgcore.DLL (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
68150000-681BA000 discord_erlpack.node (Microsoft Corporation), 
                  version: 7.0.22621.2070 (WinBuild.160101.0800)
67D30000-67DF8000 discord_game_utils.node (Microsoft Corporation), 
                  version: 10.0.22621.1928 (WinBuild.160101.0800)
64070000-641DD000 gdiplus.dll (Microsoft Corporation), 
                  version: 10.0.22621.1778 (WinBuild.160101.0800)
62B90000-6406A000 discord_krisp.node (), 
                  version: 
743D0000-743E5000 CRYPTSP.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
743A0000-743D0000 rsaenh.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
75FA0000-75FBB000 imagehlp.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
74350000-74371000 gpapi.dll (Microsoft Corporation), 
                  version: 10.0.22621.1344 (WinBuild.160101.0800)
74320000-74347000 cryptnet.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
73F90000-73F9A000 WINNSI.DLL (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
76BB0000-76BB7000 NSI.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
627F0000-62B8C000 discord_cloudsync.node (), 
                  version: 
62760000-627EC000 discord_overlay2.node (), 
                  version: 
6DC20000-6DC2E000 wbemprox.dll (Microsoft Corporation), 
                  version: 10.0.22621.2070 (WinBuild.160101.0800)
6DBB0000-6DC17000 wbemcomn.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
6DB10000-6DB21000 wbemsvc.dll (Microsoft Corporation), 
                  version: 10.0.22621.2070 (WinBuild.160101.0800)
6D9E0000-6DAAC000 fastprox.dll (Microsoft Corporation), 
                  version: 10.0.22621.1635 (WinBuild.160101.0800)
6D9C0000-6D9D5000 amsi.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
6D950000-6D9BC000 MpOav.dll (Microsoft Corporation), 
                  version: 4.18.23080.2006 (04d8e871ffe7ba6b2204046
62590000-6261D000 discord_media.node (), 
                  version: 
732C0000-732EE000 dxcore.dll (Microsoft Corporation), 
                  version: 10.0.22621.1778 (WinBuild.160101.0800)
6BD10000-6BD4C000 directxdatabasehelper.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
740F0000-74106000 dhcpcsvc6.DLL (Microsoft Corporation), 
                  version: 10.0.22621.1344 (WinBuild.160101.0800)
73ED0000-73F89000 DNSAPI.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
72E90000-72EA2000 napinsp.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
6F630000-6F646000 pnrpnsp.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
73210000-7321E000 winrnr.dll (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
6F610000-6F621000 wshbth.dll (Microsoft Corporation), 
                  version: 10.0.22621.1778 (WinBuild.160101.0800)
743F0000-74408000 nlansp_c.dll (Microsoft Corporation), 
                  version: 10.0.22621.2070 (WinBuild.160101.0800)
62530000-62590000 discord_modules.node (), 
                  version: 
61D20000-62525000 discord_dispatch.node (), 
                  version: 
76B40000-76B46000 PSAPI.DLL (Microsoft Corporation), 
                  version: 10.0.22621.1 (WinBuild.160101.0800)
68070000-6814E000 AppXDeploymentClient.dll (Microsoft Corporation), 
                  version: 10.0.22621.1928 (WinBuild.160101.0800)
67FB0000-68070000 Windows.ApplicationModel.dll (Microsoft Corporation), 
                  version: 10.0.22621.2070 (WinBuild.160101.0800)
74520000-745E7000 wintypes.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
745F0000-74CD3000 windows.storage.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
73C40000-73CC1000 Windows.FileExplorer.Common.dll (Microsoft Corporation), 
                  version: 10.0.22621.2215 (WinBuild.160101.0800)
67FA0000-67FB0000 mssprxy.dll (Microsoft Corporation), 
                  version: 7.0.22621.2070 (WinBuild.160101.0800)
73B70000-73BA0000 windows.staterepositoryclient.dll (Microsoft Corporation), 
                  version: 10.0.22621.1928 (WinBuild.160101.0800)
67F10000-67F28000 quiethours.node (), 
                  version: 
61950000-61B2A000 cld.node (), 
                  version: 

Process Trace
1  C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [12200]
   "C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe" --type=renderer --user-data-dir="C:\Users\prere\AppData\Roaming\discord" --standard-schemes --secure-schemes=disclip --bypasscsp-schemes --cors-schemes --fetch-schemes=disclip --service-worker
2  C:\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]

Dropped Files
1  C:\Users\prere\AppData\Roaming\discord\Code Cache\js\index-dir\the-real-index~RF2813088.TMP
     Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
2  C:\USERS\PRERE\APPDATA\ROAMING\DISCORD\SENTRY\SCOPE_V2.JSON
     Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
3  C:\Users\prere\AppData\Roaming\discord\Local Storage\leveldb\000073.log
     Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
4  C:\Users\prere\AppData\Roaming\discord\Local Storage\leveldb\000074.ldb
     Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
5  C:\Users\prere\AppData\Roaming\discord\Local Storage\leveldb\000075.ldb
     Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]
6  C:\Users\prere\AppData\Local\Temp\scoped_dir11120_1882702941\66393d9ab8472e274405461a927298e2.png
     Dropped by \Device\HarddiskVolume7\Users\prere\AppData\Local\Discord\app-1.0.9018\Discord.exe [11120]

Thumbprints
d41c6aebcc41428e6707e70acaa264954b5a990ace3ef82fa6d692d4f93c8ce7
 

Edited by d9d9
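The module listing above shows only the publisher and version strings each loaded file carries, and several of the Discord `*.node` add-ons carry none. That alone does not decide whether the alert is real: the question a responder asks is whether each module the process loaded is Authenticode-signed by the expected publisher and whether its hash matches the file on disk. The PowerShell below is an added example, not part of the original post and not HitmanPro's own tooling. It assumes the application directory shown in the Process Trace, assumes the `Thumbprints` value is a SHA-256 file hash (the report does not say which file it belongs to, so the script reports any match rather than presuming one), and uses `Discord` as the expected signer name, which you should replace with the publisher's actual certificate subject.

```powershell
# Added example (not from the original post or from HitmanPro): triage the modules a
# HitmanPro.Alert report lists for a process by checking Authenticode signatures and
# SHA-256 hashes on disk. Assumptions: the app directory from the Process Trace above,
# the "Thumbprints" line is a SHA-256 file hash, and the expected signer contains "Discord".
$AppDir         = (Resolve-Path "$env:LOCALAPPDATA\Discord\app-1.0.9018").Path
$Reported       = 'd41c6aebcc41428e6707e70acaa264954b5a990ace3ef82fa6d692d4f93c8ce7'  # "Thumbprints" line
$ExpectedSigner = 'Discord'   # assumption: adjust to the certificate subject the vendor actually uses

# Native add-ons (*.node) are PE DLLs loaded by Electron, so the same signature
# check applies to them as to .dll and .exe files. System DLLs in the listing
# (ntdll, KERNEL32, ...) live under %SystemRoot% and are not covered here.
$files = Get-ChildItem -Path $AppDir -Recurse -Include *.dll, *.node, *.exe -File

$results = foreach ($f in $files) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{
        File    = $f.FullName.Substring($AppDir.Length + 1)
        Status  = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256  = $hash
        Matches = ($hash -eq $Reported)  # does this file's hash equal the reported thumbprint?
    }
}

# 1. Files that are unsigned, tampered (HashMismatch) or signed by an unexpected
#    publisher are the ones worth a second look; everything else is vendor-shipped code.
"--- Not validly signed by $ExpectedSigner ---"
$results | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notlike "*$ExpectedSigner*" } |
    Sort-Object Status, File | Format-Table File, Status, Signer -AutoSize

# 2. Which file on disk, if any, the reported thumbprint corresponds to.
"--- Files matching the reported thumbprint ---"
$results | Where-Object Matches | Format-Table File, SHA256 -AutoSize

# 3. Summary: how many modules were checked and how many passed.
$valid = @($results | Where-Object { $_.Status -eq 'Valid' }).Count
"Checked $($results.Count) files under $AppDir; $valid carry a valid Authenticode signature."
```

A module whose signature is `Valid` and chains to the vendor has not been modified on disk, which is the point a forum helper would want settled before worrying about the alert itself; an unsigned or `HashMismatch` file in the application directory is what you would upload for a second opinion. Run it from the affected user's account so `$env:LOCALAPPDATA` resolves to the same path the report shows.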

  • Root Admin

Not sure what to tell you except to follow the directions 100%, with no deviation (ensure you validate the HASH for all media), and you should not have any infection. I have built Windows doing a clean install hundreds of times, and I've also helped people just like you do a clean install, and no one has an infection once the directions are followed as specified. If you continue to have an issue then, as recommended, please take the computer to a qualified professional computer repair store.

DO NOT use a Microsoft Account. Use a Local Account.

 

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587

Also, please review the following topic

Bypass Microsoft Online Account Creation during installation of Windows 11
https://forums.malwarebytes.com/topic/296613-bypass-microsoft-online-account-creation-during-installation-of-windows-11/

 



I've tried all that already, and erased every hard drive. Can you tell me if the HMPA log is a false positive ROP or not?

Because I'm telling you it has to be coming from another hijacked computer on my network, or someone on my network. 


  • Root Admin

I have no idea what Hitman Pro does. I do not work for them or use their product. You can check on their forums.

 

If you own your own router and are not renting it from your Internet Service Provider, please ensure that you have the user manual for your router, then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

Depending on one's preferences and the router's capabilities, please consider the following.

  • Disable acceptance of ICMP pings.
  • Change the default router password, using a strong password.
  • Use a strong WiFi password with WPA2 using AES encryption, or enable WPA3 if it is an option.
  • Disable Remote Management.
  • Create separate WiFi networks for groups of devices with similar purposes, to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network.
    Example: keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the router firmware up to date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set firewall rules to BLOCK TCP and UDP ports 135-139, 445, 1234, 3389, 5555 and 9034.
  • Document the passwords created and store them in a safe but accessible location.

 

 

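The port block in the list above is a router-side rule, and the thread gives no way to check it from the PC. The PowerShell below is an added example, not part of the original post: it goes one step further than the list by applying the same inbound blocks on the Windows host firewall as defence in depth behind the router, then reads the rules back and shows what is currently listening on those ports so you know which services the block touches. It assumes the machine does not need to serve SMB, RPC or RDP to the LAN (if it does, scope the rule with `-RemoteAddress` instead of blocking outright) and must be run from an elevated PowerShell session.

```powershell
# Added example (not from the original post): mirror the recommended router port
# blocks on the Windows host firewall, verify them, and list current listeners.
# Assumption: this PC does not need to offer SMB/RPC/RDP to the LAN. Run elevated.
$Ports = @('135-139', '445', '1234', '3389', '5555', '9034')   # list from the post above
$Name  = 'Block inbound - forum hardening list'

foreach ($proto in 'TCP', 'UDP') {
    $display = "$Name ($proto)"
    # Idempotent: replace an existing rule of the same name instead of stacking duplicates.
    Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $display -Direction Inbound -Protocol $proto `
        -LocalPort $Ports -Action Block -Profile Any -Enabled True | Out-Null
}

# Verify what was stored. The port filter is a separate object from the rule, so join them.
"--- Host firewall rules ---"
Get-NetFirewallRule -DisplayName "$Name*" | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Action   = $_.Action
        Enabled  = $_.Enabled
        Protocol = $pf.Protocol
        Ports    = ($pf.LocalPort -join ',')
    }
} | Format-Table -AutoSize

# What is actually listening on those ports right now (135-139 RPC/NetBIOS, 445 SMB,
# 3389 RDP), so the effect of the block is known before anything else breaks.
$expanded = @(135..139) + @(445, 1234, 3389, 5555, 9034)
"--- TCP listeners on blocked ports ---"
Get-NetTCPConnection -State Listen | Where-Object { $expanded -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object LocalPort | Format-Table -AutoSize
"--- UDP endpoints on blocked ports ---"
Get-NetUDPEndpoint | Where-Object { $expanded -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess | Sort-Object LocalPort | Format-Table -AutoSize
```

Blocking inbound 445 and 135-139 on the host stops other machines on the LAN from reaching this PC's file shares and RPC endpoints; that is the intent here, since the poster suspects another machine on the network. Outbound traffic and the router's own rules are unaffected, so the router reset and firmware update in the list above are still needed.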

This topic is now closed to further replies.