
Am I being paranoid?


Solved by AdvancedSetup


I suspect I have been hacked on a different machine and that it has now jumped to this one too. I have messed around with some pirated games on my other PC, and that PC has been acting a bit strange lately... I could see a CMD window appearing for a fraction of a second, spikes in temperature, unusual fan ramp-up and, most importantly, the last thing that happened was an update called "May 24, 2023 - Windows configuration Update" that somehow crippled my internet access, while the same update seems to have worked fine on this machine.

I will have to make a separate topic for my other machine, as the internet connection was crippled via an update and I need to do a fresh install on that one... Sadly I currently don't have the means to do a secure erase on the SSDs that are installed in that machine. I am currently hospitalised and only have access to a bootable USB to reinstall Windows on it... I am actually curious how it will behave on a clean boot.

I suspect that it has jumped to this computer via USB stick. With this machine I am most likely just being paranoid, but since it is my backup machine and I don't know much about security, it would be great if someone could have a look at my scans. Below you can see a screenshot of my PC connecting to two IPs belonging to Level 3 Communications / Lumen, and I am unsure whether those are official data centres or just an ISP. The rest are the scan results from FRST and AdwCleaner.

If anyone could have a look at those, that would be much appreciated. I have so much stress with the hospital that being hacked is the last thing I want, hehe.

Screenshot 2023-09-18 174137.png

Addition.txt FRST.txt Shortcut.txt AdwCleaner[C00].txt AdwCleaner[C01].txt

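The first post's only concrete observation is svchost.exe talking to two addresses in a Lumen/Level 3 range. Before worrying about who owns the IP, the useful question is which process, and for svchost.exe which hosted service, owns the connection. The following is an added example, not code from the thread or from Malwarebytes; it maps every established outbound TCP connection to its owning process, checks the binary's signature, and joins in the service list that tasklist /svc reports for shared svchost.exe hosts. The addresses in $Watch are constructed placeholders (TEST-NET-2); put the two from the screenshot there, or leave it empty to list everything. Run it from an elevated PowerShell on Windows 10/11.

```powershell
# Added example, not from the thread: attribute every established outbound TCP
# connection to the process that owns it and, for svchost.exe, to the service(s)
# that process hosts. Run from an elevated PowerShell on Windows 10/11.
# $Watch is a constructed placeholder: put the addresses from your screenshot
# in it, or leave it empty to list all connections.
$Watch = @()   # e.g. @('198.51.100.10', '198.51.100.11')

# tasklist /svc reports, per PID, which services a shared svchost.exe is hosting.
$svcByPid = @{}
foreach ($row in (tasklist /svc /fo csv | ConvertFrom-Csv)) {
    $svcByPid[[int]$row.PID] = $row.Services
}

Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0|fe80:)' } |
    Where-Object { $Watch.Count -eq 0 -or $Watch -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $path = $proc.Path                      # $null for protected system processes
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        [pscustomobject]@{
            Remote   = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            PID      = $_.OwningProcess
            Process  = $proc.ProcessName
            Path     = $path
            Signed   = $sig
            Services = $svcByPid[[int]$_.OwningProcess]
        }
    } | Sort-Object Remote | Format-Table -AutoSize -Wrap
```

What to look for: a genuine svchost.exe runs from C:\Windows\System32\svchost.exe with a Valid Microsoft signature and a non-empty Services column, and the service name (Windows Update, Delivery Optimization and BITS are the usual ones behind traffic to CDN and transit networks) tells you what the connection is for. A copy of svchost.exe running from any other path, or an svchost.exe that hosts no service at all, is what deserves a closer look. The listing is a snapshot of the moment it runs; a connection that only exists while a game is running will not appear in it.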

Hello @ticusnemernicus and welcome:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.  WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have posted.

Thank you.


No problem! This only adds to the paranoia 😅. It feels like this malware is running its own operating system and anything that I do scan-wise just won't be accurate. I know how it sounds... but I have a very good spirit of observation and this is highly unusual. I am running Windows 98... I know its behaviour inside out, and ever since I got this thing, I am noticing things that never occurred before.

This malware, I suspect, is a very clever payload, most likely mining malware.

It gives me the feeling that it runs only when you're unable to notice (playing a game, watching youtube, etc) and it then hides when you try to see what's running. 

If I open my task manager there is an avalanche of processes and services that pop in and out before I can see what they are. 

On the scans that I have provided you with, which are from my backup machine, it feels like the malware is not fully deployed yet. 

On my other machine though, I feel it being crippled more and more by the day. 

I will have to open a separate topic for what I suspect to be the source of the malware, as I was trying to roll back to a different WiFi driver. The hospital network (which is a very secure one) seems to have refused access for this machine. I am now stuck with it without an internet connection.

I still have a USB drive with an ISO, but it is the same ISO that the machine (HP) I am enquiring about now is running. I should be able to set those up and analyse later this evening.

Thank you for your help!

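Processes that "pop in and out before I can see what they are" in Task Manager, and a CMD window that flashes for a fraction of a second, are exactly the case where a live process list is useless and a record of process creations is what you want. The following is an added example, not code from the thread or from any of the tools it mentions: it turns on process-creation auditing with command-line capture (Security event 4688), then provides a function that pulls those events back out and flags launches from user-writable locations and script hosts whose parent is not Explorer. Leave auditing on through a gaming session or overnight, then run the function. Requires an elevated PowerShell; the Get-ProcessCreations name is mine.

```powershell
# Added example, not from the thread: capture processes that appear and vanish
# too quickly to read in Task Manager. Run from an elevated PowerShell.

# 1. Enable process-creation auditing and include the command line in each
#    4688 event (without the registry value the CommandLine field is empty).
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 2. Later, read the 4688 events back: every process started, its parent, and
#    the exact command line. (Function name is this example's own.)
function Get-ProcessCreations {
    param([datetime]$Since = (Get-Date).AddHours(-12))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $d.NewProcessName
                Parent  = $d.ParentProcessName
                Cmd     = $d.CommandLine
            }
        }
}

# 3. Triage. Anything launched from a user-writable directory, and any shell or
#    script host not started by Explorer (i.e. not by a user click), goes first.
$events = Get-ProcessCreations
$events |
    Where-Object {
        $_.Process -match '\\(Users|ProgramData|Temp|AppData)\\' -or
        ($_.Process -match '\\(cmd|powershell|wscript|cscript|mshta)\.exe$' -and
         $_.Parent -notmatch '\\explorer\.exe$')
    } | Format-Table Time, Parent, Process, Cmd -AutoSize -Wrap

# Most frequently launched images: a miner or loader restarted every few
# minutes stands out here even when each individual run lasts a second.
$events | Group-Object Process | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name
```

The parent/child relationship is the part Task Manager never shows you: cmd.exe started by explorer.exe is a user opening a prompt, cmd.exe started by a scheduled task, a game launcher or something in AppData is the thing to chase. Nothing is flagged automatically; the output is a list to review.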

  • Root Admin
  • Solution

Hello and welcome, @ticusnemernicus

My screen name is AdvancedSetup and I will assist you with your system issues.
Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim.
  • Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections.
  • If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.

 

The logs do not indicate any obvious infection. Please go ahead, though, and run the following and we'll scan and see if we can find anything.

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Press the Windows Key and R Key together; the "Run" box should open.

Drag and drop KVRT.exe into the Run box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.

Add -dontencrypt (note the space between KVRT.exe and -dontencrypt).

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.

That addendum to the run command is very important: when the scan eventually completes, the resultant report is normally encrypted; with the extra switch it is saved as a readable file.

Reports are saved in C:\KVRT2020_Data\Reports and look similar to report_20210123_113021.klr
Right-click directly on that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

An EULA window will open; tick all confirmation boxes, then select "Accept".

In the new window select "Change Parameters".

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options; if "Cure" is offered, leave it as is. For any other options change to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed...

Thank you

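The -dontencrypt switch is the step people most often miss, and the only symptom is a report that Notepad cannot read. The following is an added example, not part of the post and not Kaspersky's own tooling: it launches KVRT.exe from the Desktop with the switch, waits for the scan window to close, locates the newest .klr report in the folder the post names, checks that it actually came out as plain text, and drops a .txt copy on the Desktop ready to attach. It assumes KVRT.exe was saved to the Desktop and that reports are written to C:\KVRT2020_Data\Reports as the post states.

```powershell
# Added example, not from the post: run KVRT with -dontencrypt, then fetch the
# newest report as a readable .txt for attaching.
# Assumptions: KVRT.exe is on the Desktop; reports land in C:\KVRT2020_Data\Reports.
$kvrt    = Join-Path $env:USERPROFILE 'Desktop\KVRT.exe'
$reports = 'C:\KVRT2020_Data\Reports'

if (-not (Test-Path $kvrt)) { throw "KVRT.exe not found at $kvrt" }

# UAC prompts here; the scan itself is driven through KVRT's own window.
Start-Process -FilePath $kvrt -ArgumentList '-dontencrypt' -Verb RunAs -Wait

$latest = Get-ChildItem -Path $reports -Filter '*.klr' -ErrorAction Stop |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $latest) { throw "No .klr report found in $reports" }

# Confirm -dontencrypt took effect. Readable text (UTF-8 or UTF-16) is almost
# entirely printable bytes plus NULs; an encrypted report is not.
$fs  = [System.IO.File]::OpenRead($latest.FullName)
$buf = New-Object byte[] 512
$n   = $fs.Read($buf, 0, $buf.Length)
$fs.Close()
if ($n -gt 0) {
    $ok = @($buf[0..($n - 1)] | Where-Object {
        $_ -eq 0 -or $_ -in 9,10,13 -or ($_ -ge 32 -and $_ -le 126)
    }).Count
    if ($ok / $n -lt 0.8) {
        Write-Warning "$($latest.Name) does not look like plain text; rerun KVRT with -dontencrypt"
    }
}

$out = Join-Path $env:USERPROFILE ('Desktop\' + $latest.BaseName + '.klr.txt')
Copy-Item -Path $latest.FullName -Destination $out
"Readable copy saved to $out"
```

The byte check is deliberately loose (80% text-like bytes): it only has to tell a text report from an encrypted one, which is a difference of roughly 100% against 40%.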

Hello @AdvancedSetup and thank you for your help and patience! 

Just to make things clear, this is a backup machine that I am running the scans on; let's call it Machine 2 or the HP laptop. I suspect I might have gotten this one infected too, and since it is the more important of the two I have decided to start a thread with this one. The sign of malware on this one is really just one, which is the connection via svchoste.exe to some unknown IPs in the U.S. This machine doesn't have a dedicated GPU, so I think that even if I were to get a coin miner, it's not doing much on this one, but better safe than sorry. With this one I thought from the beginning it is a 50/50 chance for it to be infected. The other one though... I am more certain by the day.

To follow up with a quick question regarding your assistance. I wasn't feeling very well yesterday, so I haven't really done much with my other laptop; let's call that one Machine 1 or the Lenovo laptop (which I believe to be the source of the infection), but I did notice some very interesting temperature fluctuations (while AFK), and ever since the internet connection became unavailable I get stutters when playing a game. Not only that, but I have managed to reach a record temperature on my CPU: 100.5 Celsius.

I should have Machine 1 reset at some point today. I will try a reset at first in the hope that the malware will persist and we will find it. Do you want me to create a different topic for that one or should we continue here? If you want us to continue here, please let me know if you want me to follow the same steps as I am following for this one: Malware scan with MB tool, Kaspersky scan. This one, at least in my opinion, 90% chances that there is something going on with it.

Thank you in advance and I hope you can understand my situation! Oh, and trust me, the lesson is learned in regards to pirated software. Just the stress and the thought that there might be something creeping on my laptop is scary enough to make me not want to download any similar software on my machines.

Good news so far on Machine 2 - HP, the scanner did not find anything.

Please find attached requested log: 

 

report_2023.09.20_08.50.22.klr.txt


  • Root Admin

Once you've reset the other computer, please run the following on it. You can run the same on both computers, but let me know for sure which is which, as it can easily get confusing quickly.

 

 

Let's go ahead and run a couple of scans and get some updated logs from your system.


Please make the following changes.

 

  • Temporarily disable your antivirus real-time protection or other security software first if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download the software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable Fast Startup
  • Show hidden folders, files and extensions

 


Next, run these steps and post back the logs as an attachment when ready.


[ 1 ]

Malwarebytes for Windows

  • If you already have Malwarebytes installed then open Malwarebytes and click on the small gear icon, then click on the "Check for updates" button on the General tab.
  • After any updates, click the middle Scan button from the main page. It will automatically run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed, make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let us know in your next reply that the scanner would not run.

[ 2 ]

Malwarebytes AdwCleaner

  • Please download Malwarebytes AdwCleaner and save the file to your Desktop or Downloads folder.
  • Double-click to run the program - Malwarebytes AdwCleaner guide
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • DO NOT uninstall or remove the Preinstalled software if found. Uncheck any items listed as Preinstalled
  • When finished, if items are found please click Quarantine to finish the cleaning process.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach that log to your next reply.
     
  • If No Detections are found, Click Skip Basic Repair

    WARNING: Do Not click the Run Basic Repair button unless instructed to by a Malwarebytes support agent or authorized helper


 

RESTART THE COMPUTER Before running Step 3

[ 3 ]

Gather MBST Logs

Please do the following so that we may take a closer look at your system for any possible infections.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

    WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper

 

Thank you

 


Hello,

The progress was slow and painful. The internet connection is limited to 300 kb/s. After a full reset, I realised that Windows doesn't come with a generic WiFi driver for my laptop, so the reset was useless.

The positive outcome, though, is that it led me to installing Windows again with a full format of my main drive. I kept the other drive untouched, as I was almost certain there was something wrong with my Lenovo laptop and wanted to test the capabilities of the still-undetected malware, whether it can piggyback on other hard drives or firmware. I can safely say that whatever it was, it wasn't so advanced. Why do I refer to it as being part of the past? Well, because it seems to be gone now (touch wood).

So far after installing windows, checking for corruption, updating drivers my machine runs great again. I am watching the temperature monitor and my GPU stabilises with a maximum of .2 difference if I am not moving the mouse or opening new windows. 

My CPU usage is back to normal too. I saw the mighty 1% use today which is a great sign. Before reinstall was sitting at 3% most of the time, even if idling. 

My fans don't seem to ramp up the same way they did before. 

And lastly and also very important ... I have discovered what caused the network issue (this is a secure network that times out every few hours and it asks you to log in again).

It was Malwarebytes itself. On a clean install it defaults to being the main antivirus because of the free trial. Whatever changes it causes to the antivirus settings or firewall are what prevents the login page from popping up (I tried all possible addresses that would bring it up, and nothing).

While I believe that the nasty is now gone from my machine, I have to ask, since I am unable to use Malwarebytes... would you happen to know what kind of changes it makes to Windows components / firewall? Maybe I can manually revert the changes and get away with installing Malwarebytes on it?

The WiFi card on the Lenovo laptop is a MediaTek MT7921 WiFi 6.

The backup machine doesn't seem affected in any way, but it is also running an older WiFi 4 card.

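The captive-portal question in the post above is answerable by measurement rather than guesswork: Windows decides whether to show a login page based on the reply to its network-connectivity probe, and that reply can be affected by DNS, by firewall rules, and by which product is registered as the active antivirus. The following is an added example, not from the thread and not describing what Malwarebytes in particular does: it writes a snapshot of the registered Security Center providers, the firewall profile defaults and enabled outbound block rules, and the raw result of the connectivity probe to a text file. Run it on the clean install, again after installing the security product, and diff the two files; whatever changed is the thing to revert. It assumes a Windows 10/11 machine using the standard probe URL.

```powershell
# Added example, not from the thread: snapshot the things that decide whether a
# captive-portal login page appears, so two states can be compared with a diff.
# Assumes Windows 10/11 with the standard connectivity probe; not product-specific.
$OutFile = Join-Path $env:USERPROFILE ("Desktop\netstate-{0}.txt" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$lines = New-Object System.Collections.Generic.List[string]
function Add-Line([string]$Text) { $script:lines.Add($Text) }

# 1. Products registered with Security Center, and Defender's real-time state.
#    productState is a bit field; compare it between runs rather than decoding it.
Add-Line '== Security Center providers =='
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
    ForEach-Object { Add-Line ('{0}  productState=0x{1:X6}' -f $_.displayName, $_.productState) }
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
Add-Line ('Defender real-time protection: {0}' -f $mp.RealTimeProtectionEnabled)

# 2. Firewall profile defaults and every enabled outbound Block rule.
Add-Line '== Firewall profiles =='
Get-NetFirewallProfile | ForEach-Object {
    Add-Line ('{0}: enabled={1} in={2} out={3}' -f $_.Name, $_.Enabled, $_.DefaultInboundAction, $_.DefaultOutboundAction)
}
Add-Line '== Enabled outbound Block rules =='
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    ForEach-Object { Add-Line ('{0} [{1}]' -f $_.DisplayName, $_.Group) }

# 3. The probe Windows itself uses. On an open network it returns the text
#    "Microsoft Connect Test"; behind a captive portal the reply is a redirect
#    or the portal's own HTML, which is what triggers the login-page pop-up.
Add-Line '== Connectivity probe =='
$req = [System.Net.HttpWebRequest]::Create('http://www.msftconnecttest.com/connecttest.txt')
$req.AllowAutoRedirect = $false      # we want to see the redirect, not follow it
$req.Timeout = 10000
$resp = $null
try   { $resp = $req.GetResponse() }
catch [System.Net.WebException] { $resp = $_.Exception.Response }   # 4xx/5xx land here
if ($resp) {
    $body = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
    $snip = $body -replace '\s+', ' '
    if ($snip.Length -gt 80) { $snip = $snip.Substring(0, 80) }
    Add-Line ('HTTP {0}  Location={1}  body="{2}"' -f [int]$resp.StatusCode, $resp.Headers['Location'], $snip)
    $resp.Close()
} else {
    Add-Line 'probe failed: no HTTP response at all (DNS or connectivity problem)'
}
$dns = Resolve-DnsName www.msftconnecttest.com -Type A -ErrorAction SilentlyContinue
Add-Line ('Probe DNS: ' + ($dns.IPAddress -join ','))
$ncsi = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet' -ErrorAction SilentlyContinue
Add-Line ('NCSI active probing enabled: {0}' -f $ncsi.EnableActiveProbing)

$lines | Set-Content -Path $OutFile
"Wrote $OutFile"
```

Reading the result: a body of "Microsoft Connect Test" with HTTP 200 means Windows believes it is online and will never open the portal page, even if the portal is actually blocking you; an HTTP 302 with a Location header pointing at the portal is the healthy captive-portal case; no response at all points at DNS or an outbound block. ipconfig /flushdns helping intermittently, as a later post in this thread reports, is consistent with the probe's DNS answer being the variable part.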

  • Root Admin

I don't see an obvious infection, but Microsoft Teams keeps faulting in the Event Logs.

If you're not using Microsoft Teams I'd recommend you uninstall it. If you do use it then try to manually uninstall and reinstall

 

Then perhaps run an AV scan on it to make sure.

 

 

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen, choose whether you want to send anonymous data and whether you want to provide feedback, then click Continue
  • When prompted for scan type, Click on the Full Scan button
  • Enable  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false positive, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

 


Hello

Sorry for taking so long, but after running the ESET tool I had the WiFi issue on the laptop... I was unable to get the login page to show up... Sometimes I managed to reset it via ipconfig /flushdns, but other times it just didn't work; that's why the reset again.

I had to do a reset of this PC... and it has been a bit weird after the reset... After booting, all components of Windows Security were disabled, and this morning I found the PC with the pop-up "Memory integrity disabled". I am starting to believe that there might be something on this backup machine (HP laptop), and that something might be a rootkit...

I have managed to get a log from ESET, but I am not sure how accurate it will be, considering one driver did not load, ethdriver.sys, which is apparently responsible for rootkit detection (as per an ESET moderator).

I am now trying to see if I can manage to load the driver by disabling Microsoft Security, and I am currently downloading a rescue disk image (Kaspersky) to see if I have any luck with that...

I ran another FRST scan as well. You can see the errors there. I will run the Malwarebytes tool soon and attach the logs again. Sorry for the hassle, but things are not so smooth apparently.

 

asdf.txt Addition.txt FRST.txt


No. At least not on the first scan.

That is the weird thing about it... It notified me that there is a driver that must be loaded in order for the tool to run correctly. I was a bit skeptical, as the driver had a name made of 8 digits. Initially I said no to the prompt, ran a scan, found nothing, and then ran another with that driver loaded.

My computer rebooted in order to load the driver and then it entered the bootloop. It was going in recovery saying the system did not load properly and I have tried to just skip it / to restart and nothing worked apart from using a restore point that I have created earlier (seems to be a good way of maintaining the wifi up and running)

So if you ask me, this tool didn't run properly either since it was missing a driver and after loading the driver I got the BSOD

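Two things in the last two posts are checkable from a console rather than from pop-ups: the state of Windows Security and memory integrity (HVCI) after the reset, and the "8-digit driver" that the scanner wanted to load. The following is an added example, not from the thread and not from ESET, Kaspersky or Malwarebytes: it reports Defender's engine flags, whether HVCI is configured and actually running, and then inventories every running kernel driver with its signature status, signer and on-disk location, printing only the ones that are unsigned, missing on disk, outside %SystemRoot%, or named with digits only. The Get-DriverInventory name is mine. Run elevated.

```powershell
# Added example, not from the thread: check Windows Security / HVCI state and
# inventory running kernel drivers for anything unsigned or out of place.
# Run from an elevated PowerShell. Produces a review list, not a verdict.

# 1. Defender / Windows Security engine state
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $mp | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AMServiceEnabled,
                        BehaviorMonitorEnabled, IsTamperProtected, AntivirusSignatureLastUpdated |
        Format-List
} else { Write-Warning 'Get-MpComputerStatus failed: Defender service not reachable' }

# 2. Memory integrity. SecurityServicesRunning contains 2 when HVCI is active,
#    SecurityServicesConfigured contains 2 when it is switched on in settings.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
'HVCI configured : {0}' -f ($dg.SecurityServicesConfigured -contains 2)
'HVCI running    : {0}' -f ($dg.SecurityServicesRunning -contains 2)
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
'HVCI registry   : {0}' -f (Get-ItemProperty $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

# 3. Running kernel drivers: signature, signer, location. (Function name is mine.)
function Get-DriverInventory {
    Get-CimInstance Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        # PathName comes in \??\C:\..., \SystemRoot\... or system32\... forms; normalise.
        $p = $_.PathName -replace '^\\\?\?\\', '' `
                         -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                         -replace '^system32\\', "$env:SystemRoot\system32\"
        $sig = if ($p -and (Test-Path $p)) { Get-AuthenticodeSignature -FilePath $p } else { $null }
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $p
            Signature = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject -replace '^CN=([^,]+).*', '$1' } else { '' }
            InSystem  = [bool]($p -and $p -like "$env:SystemRoot\*")
            DigitName = [bool]($_.Name -match '^\d+$')
        }
    }
}

$drivers = Get-DriverInventory
'{0} running drivers, {1} with a Valid signature' -f $drivers.Count, @($drivers | Where-Object Signature -eq 'Valid').Count
$drivers | Where-Object { $_.Signature -ne 'Valid' -or -not $_.InSystem -or $_.DigitName } |
    Sort-Object Signature, Path | Format-Table Name, Signature, Signer, Path -AutoSize
```

Caveats that matter when reading the list: in-box Microsoft drivers are catalog-signed and report Valid with a Microsoft signer; legitimate anti-malware tools (including the rootkit scanners discussed in this thread) load their own drivers, often with generated names, so a digit-only name by itself proves nothing and the Signature and Path columns carry the weight. A driver that HVCI refuses to load is also the usual reason for the "Memory integrity disabled" notification, which is why the driver list and the HVCI flags are printed together.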

  • Root Admin

Yeah, the tool (not sure where you got a copy of the program) has not been updated in a while. Kaspersky appears to have taken down the utility a while ago.

Their main KAV scanner is now the tool to use. It should have all the functionality of TDSSKiller within it.

 

 


That might explain the BSOD. I am still going to do a check with some live disks, and if nothing is found then I believe that this laptop is safe and clear.

In relation to the other laptop, it still behaves normally but the wifi issue just doesn't give me a break. It was all done with updates and everything yesterday and before I managed to run anything on it, it decided to lose connection again. 

I need a small break from this so please keep the thread open even if I haven't replied for the next few days. 

I will try again, and If I manage to get a restore point working after all the updates are done, I should be able to get all the tools and run all the scans.

Thank you 🫡


This topic is now closed to further replies.