ticusnemernicus Posted September 18, 2023 ID:1589714
I suspect I have been hacked on a different machine and it has now jumped to this one too. I have messed around with some pirated games on my other PC and my PC has been acting a bit strange lately ... I could see some CMD window appearing for a fraction of a second, spikes in temperature, unusual fan ramp-up and, most importantly, the last thing that happened was an update called "May 24, 2023 - Windows configuration Update" that somehow crippled my internet access, while the same update seems to have worked fine on this machine. I will have to make a separate topic for my other machine, as the internet connection was crippled via an update and I need to do a fresh install on that one ... Sadly I currently don't have the means to do a secure erase on the SSDs that are installed in that machine. I am currently hospitalised and I only have access to a bootable USB to reinstall Windows on it ... I am actually curious how it will behave on a clean boot. I suspect that it has jumped via USB stick to this computer.
Now, with this machine I am most likely just being paranoid, but since it is my backup machine and I don't know much about security, it would be great if someone could have a look at my scans. Below you can see a screenshot of my PC connecting to two IPs belonging to Level 3 Communications / Lumen, and I am unsure if they are official data centres or just an ISP. The rest are the scan results from FRST and AdwCleaner. If anyone could have a look at those, that would be much appreciated. I have so much stress with the hospital that being hacked is the last thing I want, hehe.
Attachments: Addition.txt, FRST.txt, Shortcut.txt, AdwCleaner[C00].txt, AdwCleaner[C01].txt
ticusnemernicus (Author) Posted September 19, 2023 ID:1589845
I have also captured some traffic with Wireshark.
Attachment: Wireshark.zip
1PW Posted September 19, 2023 ID:1589856
Hello @ticusnemernicus:
While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:
Download the Malwarebytes Support Tool.
In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
Run the MBST Support Tool.
In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
In the Advanced Options, click only Gather Logs. A status diagram displays that the tool is Getting logs from your computer.
WARNING: Do NOT click Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper.
A zip file named mbst-grab-results.zip will be saved to the Public desktop; please attach that file in your next reply to this topic. Please do NOT copy and paste.
For the short time between when you post the diagnostic logs and when your helper weighs in, please take no further self-directed remedial actions that would invalidate the diagnostic logs you will have posted.
Thank you.
ticusnemernicus (Author) Posted September 19, 2023 ID:1589862
I thought that you might be asking for one, so I went ahead and did a scan. Here are the results:
Attachment: mbst-grab-results.zip
1PW Posted September 19, 2023 ID:1589866
Hello @ticusnemernicus:
The archive was incomplete. Please restart the laptop, generate a new report archive and attach it as before. Thank you.
ticusnemernicus (Author) Posted September 19, 2023 ID:1589869
Hi again @1PW, please see the following. Not sure if it is worth mentioning, but if I click Choose Files, the archive is not visible (I have another zip file on the desktop and that one is visible). I was only able to upload it by dragging it.
Attachment: mbst-grab-results.zip
1PW Posted September 19, 2023 ID:1589875
Hello @ticusnemernicus:
Thank you for the additional effort. Alas, the newest archive is also incomplete, so we will let your helper sort things out. Please refrain from making any changes to that laptop before your helper weighs in. Thank you again.
ticusnemernicus (Author) Posted September 19, 2023 ID:1589876
No problem! This only adds to the paranoia 😅. It feels like this malware is running its own operating system and anything I do scan-wise just won't be accurate. I know how it sounds ... but I have a very good spirit of observation and this is highly unusual. I am running Windows 98 ... I know its behaviour inside out, and ever since I got this thing I am noticing things that never occurred before. This malware, I suspect it to be a very clever payload, most likely mining malware. It gives me the feeling that it runs only when you're unable to notice (playing a game, watching YouTube, etc.) and it then hides when you try to see what's running. If I open my Task Manager there is an avalanche of processes and services that pop in and out before I can see what they are.
On the scans that I have provided you with, which are from my backup machine, it feels like the malware is not fully deployed yet. On my other machine, though, I feel it being crippled more and more by the day. I will have to open a separate topic for what I suspect to be the source of the malware, as I was trying to roll back to a different WiFi driver. The hospital network (which is a very secure one) seems to have refused access for this machine. I am now stuck with it without an internet connection. I still have a USB drive with an ISO, but it is the same ISO that the machine (HP) I am enquiring about now is running. I should be able to set those up and analyse later this evening.
Thank you for your help!
1PW Posted September 19, 2023 ID:1589905
@AdvancedSetup @Maurice Naggar @MKDB
ticusnemernicus (Author) Posted September 19, 2023 ID:1589978
Hello again @1PW, I think that I have managed to get a full log. I did a reinstall of Malwarebytes and ran the support tool again. It is significantly bigger in size, so I would assume this is the correct log. Thank you for your patience!
Attachment: mbst-grab-results.zip
AdvancedSetup (Root Admin) Posted September 20, 2023 ID:1590149 (marked as Solution)
Hello @ticusnemernicus. My screen name is AdvancedSetup and I will assist you with your system issues. Let's keep these principles as we proceed. Make sure to read the entire post below first.
Please follow all steps in the provided order and post back all requested logs.
Please attach all log files to your post, unless otherwise requested.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system. Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
Cracked, hacked, or pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
Please be patient and stick with me until I give you the "all clear". We don't want to waste your time; please don't waste ours.
If your system is running Discord, please be sure to exit it while this case is ongoing.
The logs do not indicate any obvious infection.
Please go ahead though and run the following, and we'll scan and see if we can find anything.
Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop. (Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021.)
Download: Kaspersky Virus Removal Tool https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe
How to run a scan with Kaspersky Virus Removal Tool 2020: https://support.kaspersky.com/15674
How to run Kaspersky Virus Removal Tool 2020 in the advanced mode: https://support.kaspersky.com/15680
How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan: https://support.kaspersky.com/15681
Select the Windows key and R key together; the "Run" box should open.
Drag and drop KVRT.exe into the Run box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.
Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt. C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.
Reports are saved here: C:\KVRT2020_Data\Reports and look similar to this: report_20210123_113021.klr. Right-click directly on that report, select > Open with > Notepad. Save that file and attach it to your reply.
To start the scan select OK in the "Run" box.
An EULA window will open; tick all confirmation boxes, then select "Accept".
In the new window select "Change Parameters".
In the new window ensure all selection boxes are ticked, then select "OK".
The scan should now start...
When complete, if entries are found there will be options; if "Cure" is offered leave as is. For any other options change to "Delete", then select "Continue".
When complete, or if nothing was found, select "Close".
Attach the report information as previously instructed...
Thank you
ticusnemernicus (Author) Posted September 20, 2023 ID:1590155
Hello @AdvancedSetup and thank you for your help and patience! Just to make things clear, this is a backup machine that I am running the scans on - let's call it Machine 2 or HP Laptop. I suspect I might have gotten this one infected too, and since it is the more important of the two I have decided to start a thread with this one. The sign of malware on this one is just one really, which is the connection via svchoste.exe to some unknown IPs in the U.S. This machine doesn't have a dedicated GPU, so I think that even if I were to get a coin miner, it's not doing much on this one, but better safe than sorry. With this one I thought from the beginning it is a 50/50 chance for it to be infected. The other one though ... I am more certain by the day.
To follow up with a quick question in regards to your assistance: I wasn't feeling very well yesterday, so I haven't really done much in regards to my other laptop - let's call that one Machine 1 or Lenovo laptop (which I believe to be the source of infection), but I did notice some very interesting temperature fluctuations (while AFK), and ever since the internet connection is unavailable I get stutters when playing a game. Not only that, but I have managed to reach a temperature record on my CPU: 100.5 Celsius. I should have Machine 1 reset at some point today. I will try a reset at first in the hope that the malware will persist and we will find it. Do you want me to create a different topic for that one or should we continue here? If you want us to continue here, please let me know if you want me to follow the same steps as I am following for this one: malware scan with the MB tool, Kaspersky scan. This one, at least in my opinion, has a 90% chance that there is something going on with it. Thank you in advance and I hope you can understand my situation! Oh, and trust me, the lesson is learned in regards to pirated software.
Just the stress and thought that there might be something creeping on my laptop is scary enough to make me not want to download any similar software on my machines. Good news so far on Machine 2 - HP: the scanner did not find anything. Please find attached the requested log:
Attachment: report_2023.09.20_08.50.22.klr.txt
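The one symptom reported on the HP laptop is svchost connecting to unfamiliar IPs. Before treating that as an infection, a defender would attribute the connection to the specific Windows service hosted in that svchost process and confirm the host binary is the genuine one. The script below is an added example written for this thread, not something the helper or Malwarebytes provided; the function name is my own, and it assumes an elevated PowerShell session on Windows 10/11.

```powershell
# Added example (not from the thread): for every established TCP connection owned by an
# svchost.exe process, list the services that process hosts, the remote endpoint with its
# reverse DNS name, and whether the hosting binary is the Microsoft-signed one in System32.
# Run from an elevated PowerShell session; Get-Process -Path needs admin for system processes.
function Get-SvchostRemoteConnection {
    [CmdletBinding()]
    param(
        # Loopback, link-local and RFC 1918 addresses are skipped unless this switch is set.
        [switch]$IncludeLocal
    )

    $localPattern = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.|::1$|fe80:)'
    $genuinePath  = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $svchostPids  = @(Get-Process -Name svchost -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty Id)

    Get-NetTCPConnection -State Established |
        Where-Object { $svchostPids -contains $_.OwningProcess } |
        Where-Object { $IncludeLocal -or ($_.RemoteAddress -notmatch $localPattern) } |
        ForEach-Object {
            $ownerPid = $_.OwningProcess
            $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue

            # svchost.exe hosts several services per process (grouped by the -k argument),
            # so report all of them; the connection belongs to one of these.
            $services = Get-CimInstance Win32_Service -Filter "ProcessId = $ownerPid" |
                Select-Object -ExpandProperty Name

            # Genuine host process: lives in System32 and carries a valid Microsoft signature.
            # A look-alike copied elsewhere (or tampered with) fails one of these two checks.
            $path    = $proc.Path
            $inSys32 = [bool]($path -and ($path -ieq $genuinePath))
            $sigText = 'unknown'
            if ($path) {
                $sig     = Get-AuthenticodeSignature -FilePath $path
                $sigText = "$($sig.Status) / $($sig.SignerCertificate.Subject)"
            }

            # Reverse DNS often names the owner of a CDN or cloud range (e.g. a Lumen block).
            $rdns = '(no PTR)'
            try { $rdns = [System.Net.Dns]::GetHostEntry($_.RemoteAddress).HostName } catch { }

            [PSCustomObject]@{
                PID           = $ownerPid
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                ReverseDNS    = $rdns
                Services      = ($services -join ', ')
                ImagePath     = $path
                InSystem32    = $inSys32
                Signature     = $sigText
            }
        }
}

Get-SvchostRemoteConnection | Sort-Object RemoteAddress | Format-Table -AutoSize
```

A row whose Services column names a known Windows component (for example Windows Update or Delivery Optimization) with InSystem32 true and a Valid Microsoft signature is expected behaviour; a row that fails either check is what to hand to the helper along with the connection details.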
AdvancedSetup (Root Admin) Posted September 20, 2023 ID:1590292
Once you've reset the other computer please run the following on it. You can run the same for both computers, but let me know for sure which is which, as it can easily get confusing quickly.
Let's go ahead and run a couple of scans and get some updated logs from your system. Please make the following changes.
Temporarily disable your antivirus real-time protection or other security software first if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
Disable Fast Startup. Show hidden folders, files and extensions.
Next, run these steps and post back the logs as an attachment when ready.
[ 1 ] Malwarebytes for Windows
If you already have Malwarebytes installed, then open Malwarebytes and click on the small gear icon, then click on the "Check for updates" button on the General tab. After any updates, click the middle Scan button from the main page. It will automatically run a Threat Scan.
If you don't have Malwarebytes installed yet, please download it from here and install it. Once installed, open Malwarebytes and select Scan and let it run.
Once the scan is completed, make sure you have it quarantine any detections it finds.
If no detections were found, click on the Save results drop-down, then the Export to TXT button, and save the file as a text file to your desktop or another location you can find, and attach that log on your next reply.
If there were detections, then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a text file to your desktop or another location you can find, and attach that log on your next reply.
If the computer restarted to quarantine, you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a text file to your desktop or another location you can find, and attach that log on your next reply.
If Malwarebytes won't run, then please skip to the next step and let us know in your next reply that the scanner would not run.
[ 2 ] Malwarebytes AdwCleaner
Please download Malwarebytes AdwCleaner and save the file to your Desktop or Downloads folder.
Double-click to run the program (see the Malwarebytes AdwCleaner guide).
Accept the End User License Agreement.
Wait until the database is updated.
Click Scan Now.
DO NOT uninstall or remove the Preinstalled software if found. Uncheck any items listed as Preinstalled.
When finished, if items are found please click Quarantine to finish the cleaning process. Your PC should reboot now if any items were found. After reboot, a log file will be opened. Attach that log to your next reply.
If no detections are found, click Skip Basic Repair.
WARNING: Do NOT click the Run Basic Repair button unless instructed to by a Malwarebytes support agent or authorized helper.
RESTART THE COMPUTER before running Step 3.
[ 3 ] Gather MBST Logs
Please do the following so that we may take a closer look at your system for any possible infections.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.
Download the Malwarebytes Support Tool.
In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
In the User Account Control pop-up window, click Yes to continue the installation.
Run the MBST Support Tool.
In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
In the Advanced Options, click Gather Logs. A status diagram displays that the tool is Getting logs from your machine.
A zip file named mbst-grab-results.zip will be saved to the Public desktop; please upload that file on your next reply.
WARNING: Do NOT click Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper.
Thank you
ticusnemernicus (Author) Posted September 21, 2023 ID:1590475
Hello, the progress was slow and painful. The internet connection is limited to 300 kb/s. After a full reset, I realised that Windows doesn't come with a generic WiFi driver for my laptop, so the reset was useless. The positive outcome, though, is that it led me to installing Windows again with a full format of my main drive. I kept the other drive untouched, as I was most certain there was something wrong with my Lenovo laptop and wanted to test the capabilities of the still undetected malware, whether it can piggyback on other hard drives or firmware. I can safely say that whatever it was, it wasn't so advanced. Why do I refer to it as being part of the past? Well, because it seems to be gone now (touch wood). So far, after installing Windows, checking for corruption and updating drivers, my machine runs great again. I am watching the temperature monitor and my GPU stabilises with a maximum of .2 difference if I am not moving the mouse or opening new windows. My CPU usage is back to normal too. I saw the mighty 1% usage today, which is a great sign. Before the reinstall it was sitting at 3% most of the time, even when idling. My fans don't seem to ramp up the same way they did before.
And lastly, and also very important ... I have discovered what caused the network issue (this is a secure network that times out every few hours and asks you to log in again). It was Malwarebytes itself. On a clean install it defaults to being the main antivirus because of the free trial thing. Whatever changes it causes to the antivirus settings or firewall is what prevents the login page from popping up (I tried all possible addresses that would bring it up and nothing). While I believe that the nasty is now gone from my machine, I have to ask, since I am unable to use Malwarebytes ... would you happen to know what kind of changes it makes to Windows components / firewall? Maybe I can manually revert the changes and get away with installing Malwarebytes on it?
The WiFi card on the Lenovo laptop is a Mediatek MT7921 WiFi 6. The backup machine doesn't seem affected in any way, but it is also running an older WiFi 4 card.
ticusnemernicus (Author) Posted September 21, 2023 ID:1590477
And the logs from the backup machine (HP):
Attachment: mbst-grab-results.zip
AdvancedSetup (Root Admin) Posted September 21, 2023 ID:1590507
When you say the backup machine, do you mean the one you just reinstalled Windows on?
ticusnemernicus (Author) Posted September 21, 2023 ID:1590511
They both have a pretty fresh install. But no, the one I just installed today is a Lenovo Legion and is my main machine, which I believed was infected. I wanted the backup checked as I have plugged a USB stick into both of them.
AdvancedSetup (Root Admin) Posted September 21, 2023 ID:1590515
I don't see an obvious infection, but Microsoft Teams keeps faulting in the Event Logs. If you're not using Microsoft Teams I'd recommend you uninstall it. If you do use it, then try to manually uninstall and reinstall it. Then perhaps run an AV scan on it to make sure.
Please run the following ESET Online Scanner and perform a Full Scan.
Click the following link to save the installer for ESET Online Scanner: https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
It will start a download of "esetonlinescanner.exe". Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double-click it to get started.
When presented with the initial ESET screen, click on "Get Started".
Read and accept the Terms of Use.
On the "Before we start..." screen choose whether you want to send anonymous data and whether you want to provide feedback or not, then click Continue.
When prompted for scan type, click on the Full Scan button.
Enable (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click the Start scan button.
Have patience. The entire process may take a few hours or more.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
Click the blue "Save scan log" to save the log and give it a name and location you remember.
If something was removed and you know it is a false positive, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
Press Continue when all done.
You should click to turn off the offer for "periodic scanning".
Enable "Delete application data on closing". You do not need to submit feedback unless you want to. Simply ignore and close the program.
Note: If you do need to do a file restore from ESET, please follow the directions below.
[KB2915] Restore files quarantined by the ESET Online Scanner version 3: https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner
Please attach the ESET scan log you saved at the end to your next reply.
ticusnemernicus (Author) Posted September 23, 2023 ID:1590910
Hello. Sorry for taking so long, but after running the ESET tool I had the WiFi issue on the laptop... I was unable to get the login page to show up... Sometimes I managed to reset it via ipconfig /flushdns, but other times it just didn't work; that's why the reset again. I had to do a reset of this PC ... and it has been a bit weird after the reset ... After booting, all components of Windows Security were disabled, and this morning I found the PC with the pop-up: Memory integrity disabled. I am starting to believe that there might be something on this backup machine (HP Laptop) and that something might be a rootkit... I have managed to get a log for ESET, but I am not sure how accurate that will be, considering one driver did not load: ethdriver.sys, which is apparently responsible for rootkit detection (as per an ESET moderator). I am now trying to see if I manage to load the driver by disabling Microsoft Security, and I am currently downloading a rescue disk image (Kaspersky) to see if I have any luck with that... I ran another FRST scan as well. You can see the errors there. I will run the Malwarebytes tool soon and attach the logs again. Sorry for the hassle, but things are not so smooth apparently.
Attachments: asdf.txt, Addition.txt, FRST.txt
ticusnemernicus (Author) Posted September 23, 2023 ID:1590928
I just ran TDSSKiller from Kaspersky and had to do a system restore. I was stuck in a boot loop.
AdvancedSetup (Root Admin) Posted September 23, 2023 ID:1590936
Quoting ticusnemernicus (1 hour ago): "I just ran TDSSKiller from Kaspersky and had to do a system restore. I was stuck in a boot loop."
Did it actually find and clean something? If you run the scanner but don't actually fix anything, it should not lock up.
AdvancedSetup (Root Admin) Posted September 23, 2023 ID:1590938
The Kaspersky full scan also has pretty much everything that TDSSKiller has, and I provided it above already.
ticusnemernicus (Author) Posted September 23, 2023 ID:1590941
No. At least not on the first scan. That is the weird thing about it ... It notified me that there is a driver that must be loaded in order for the tool to run correctly. I was a bit skeptical, as the driver had a name made of 8 digits. Initially I said no to the prompt, ran a scan, found nothing, and then ran another with that driver loaded. My computer rebooted in order to load the driver and then it entered the boot loop. It was going into recovery saying the system did not load properly, and I tried to just skip it / restart and nothing worked apart from using a restore point that I had created earlier (this seems to be a good way of maintaining the WiFi up and running). So if you ask me, this tool didn't run properly either, since it was missing a driver, and after loading the driver I got the BSOD.
AdvancedSetup (Root Admin) Posted September 23, 2023 ID:1590943
Yeah, the tool (not sure where you got a copy of the program) has not been updated in a while. Kaspersky appears to have taken down the utility a while ago. Use of their main KAV scanner is now the tool to use. It should have all the functionality of TDSSKiller within it.
ticusnemernicus (Author) Posted September 23, 2023 ID:1590945
That might explain the BSOD. I am still going to do a check with some live disks, and if nothing is found then I believe that this laptop is safe and clear. In relation to the other laptop, it still behaves normally, but the WiFi issue just doesn't give me a break. It was all done with updates and everything yesterday, and before I managed to run anything on it, it decided to lose connection again. I need a small break from this, so please keep the thread open even if I haven't replied for the next few days. I will try again, and if I manage to get a restore point working after all the updates are done, I should be able to get all the tools and run all the scans.
Thank you 🫡