
  • Root Admin

Please run the following to get fresh, updated logs

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 


10 hours ago, AdvancedSetup said:

How is the computer running today?

Are you still getting alerts about Discord?

 

The computer runs fine in general, although yes, I am still having the issue with Discord. I'll quickly summarize the issue with Discord, and how I've managed to make the issue go away temporarily just prior to us beginning this process.

1. Start up Discord
2. Log In (automatically or manually) to my account.
3. Discord is terminated and I get an RTP notification from Malwarebytes. (my latest one attached to this post)

As for how I've managed to make the problem subside prior:

1. Use Run to access \%appdata%\discord
2. Delete Cache
3. Start up application, and log in with a different account.
4. No alert, nor is the application terminated.

The instant I switch back to my actual account the problem resumes. So I can only imagine my account is loading something with an embedded payload into my cache (a ridiculously common thing on Discord, unfortunately). Somehow, something is attempting to run that embedded payload, and Malwarebytes is considering it threatening (potentially for good reason).

MWB_RTP 10_09_23.txt


58 minutes ago, AdvancedSetup said:

Why is it using PowerShell is the question.

Please fully uninstall Discord. Restart the computer

 

Then see if there are any other alerts and let me know

 

I've uninstalled the application entirely, including anything in AppData related to it specifically. I've also restarted the computer. There are no alerts at present, but I'll wait for your go-ahead prior to reinstalling it and trying again, just as I'm uncertain if that was what you wanted me to check.
 


  • Root Admin

It's late for me so I'll check back on you in the morning. Please run the following again now.

 

 

Let's go ahead and run a couple of scans and get some updated logs from your system.


Please make the following changes.

 

  • Temporarily disable your antivirus real-time protection or other security software first if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

 


Next, run these steps and post back the logs as an attachment when ready.


[ 1 ]

Malwarebytes for Windows

  • If you already have Malwarebytes installed then open Malwarebytes and click on the small gear icon, then click on the "Check for updates" button on the General tab.
  • After any updates, click the middle Scan button from the main page. It will automatically run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed, make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let us know in your next reply that the scanner would not run.

[ 2 ]

Malwarebytes AdwCleaner

  • Please download Malwarebytes AdwCleaner and save the file to your Desktop or Downloads folder.
  • Double-click to run the program - Malwarebytes AdwCleaner guide
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • DO NOT uninstall or remove the Preinstalled software if found. Uncheck any items listed as Preinstalled.
  • When finished, if items are found please click Quarantine to finish the cleaning process.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach that log to your next reply.
     
  • If No Detections are found, Click Skip Basic Repair

    WARNING: Do Not click the Run Basic Repair button unless instructed to by a Malwarebytes support agent or authorized helper


 

RESTART THE COMPUTER Before running Step 3

[ 3 ]

Gather MBST Logs

Please do the following so that we may take a closer look at your system for any possible infections.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

    WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper

 

Thank you

 


  • Root Admin

Let's wait another day without Discord, please.

The logs indicate that PowerShell is being called with parameters that would seem to allow input from another undisclosed call that isn't being shown.

 "blockedFileName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -",

 

Again, I have Discord installed and I'm not getting any alert as I'm sure thousands of other users also have Discord installed and not reporting this same block.

Your system seems to be doing something different here.

 

Restart the computer again tonight. Then get me a new fresh set of logs from Farbar

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

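An added example, not from this thread and not a Malwarebytes tool: the RTP block quoted above shows powershell.exe started with "-Command -". That trailing dash tells PowerShell to read the script body from standard input, so the script text never appears on the command line; only the process that launched PowerShell knows what it fed in. The PowerShell below classifies command lines like that one and, where process-creation auditing with command lines (Security event 4688), Sysmon (Event ID 1) or script block logging (Event 4104) is enabled, pulls the parent process and the script text from the event logs. The sample command lines are constructed; the first one is the string quoted from the RTP log.

```powershell
# Added example (not from the thread): triage PowerShell launches that read their
# script from stdin. Security 4688 carries the command line only when
# "Include command line in process creation events" is enabled, and the
# ParentProcessName field only on Windows 10 / Server 2016 and later. Run elevated.

function Test-SuspiciousPowerShellCommandLine {
    # Returns $null for a harmless line, or an object naming why it looks suspicious.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine)
    if ($CommandLine -notmatch '\b(powershell|pwsh)(\.exe)?\b') { return $null }   # -match is case-insensitive
    $reasons = @()
    if ($CommandLine -match '(^|\s)-c(ommand)?\s+-\s*$')                            { $reasons += 'script body read from stdin (-Command -)' }
    if ($CommandLine -match '(^|\s)-e(p|xecutionpolicy)?\s+(unrestricted|bypass)\b') { $reasons += 'execution policy weakened' }
    if ($CommandLine -match '(^|\s)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}')  { $reasons += 'base64-encoded command' }
    if ($CommandLine -match '(^|\s)-w(indowstyle)?\s+hidden\b')                     { $reasons += 'hidden window' }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{ CommandLine = $CommandLine; Reasons = ($reasons -join '; ') }
}

function Get-SuspiciousPowerShellLaunches {
    # Reads process-creation events from Security (4688) and Sysmon (1) and keeps the flagged ones.
    param([int]$MaxEvents = 2000)
    $events = @()
    try {
        $events += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction Stop |
            ForEach-Object {
                $d = ([xml]$_.ToXml()).Event.EventData.Data
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Source      = 'Security/4688'
                    CommandLine = ($d | Where-Object Name -eq 'CommandLine').'#text'
                    Parent      = ($d | Where-Object Name -eq 'ParentProcessName').'#text'
                }
            }
    } catch { Write-Verbose "Security 4688 not available: $($_.Exception.Message)" }
    try {
        $events += Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents -ErrorAction Stop |
            ForEach-Object {
                $d = ([xml]$_.ToXml()).Event.EventData.Data
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Source      = 'Sysmon/1'
                    CommandLine = ($d | Where-Object Name -eq 'CommandLine').'#text'
                    Parent      = ($d | Where-Object Name -eq 'ParentCommandLine').'#text'
                }
            }
    } catch { Write-Verbose "Sysmon log not available: $($_.Exception.Message)" }
    foreach ($e in $events) {
        $hit = Test-SuspiciousPowerShellCommandLine -CommandLine ([string]$e.CommandLine)
        if ($hit) {
            [pscustomobject]@{ Time = $e.Time; Source = $e.Source; Parent = $e.Parent; Reasons = $hit.Reasons; CommandLine = $e.CommandLine }
        }
    }
}

function Get-RecentScriptBlocks {
    # Script block logging (Event 4104) records the script text even when it arrived on stdin.
    param([datetime]$Since = (Get-Date).AddHours(-24), [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time = $_.TimeCreated
                Path = ($d | Where-Object Name -eq 'Path').'#text'
                Text = ($d | Where-Object Name -eq 'ScriptBlockText').'#text'
            }
        }
}

# Constructed sample command lines (not real log data); the first is the one the RTP log quotes.
$samples = @(
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -',
    'powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',
    'powershell.exe -NoProfile -Command Get-Process',
    'C:\Windows\explorer.exe'
)
$samples | ForEach-Object { Test-SuspiciousPowerShellCommandLine $_ } | Format-List

# Live checks: which process launched PowerShell this way, and what did it send?
Get-SuspiciousPowerShellLaunches -MaxEvents 5000 | Sort-Object Time -Descending | Format-Table Time, Source, Parent, Reasons -AutoSize
Get-RecentScriptBlocks | Sort-Object Time -Descending | Select-Object -First 20 | Format-List
```

The classifier only looks at the arguments, so a plain "-Command Get-Process" is not flagged; the stdin form, a weakened execution policy, an encoded command and a hidden window each add a reason. If neither 4688 command lines nor Sysmon are enabled, the Parent column is empty and the only remaining trace of the stdin script is the 4104 script block log, which is why enabling script block logging before reinstalling Discord is the cheapest way to see what the parent process is feeding in.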

  • Root Admin

Please run our MBST tool again and get updated logs

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you

 


  • Root Admin

Please do the following steps

 

[ 1 ]

Please make the following change in Malwarebytes if you're using the Premium or Trial version

  • Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the Security tab.
  • Then turn off "Always register Malwarebytes in the Windows Security Center"
  • Restart the computer


 

It is highly unlikely that you need to set up exclusions for Windows Defender; however, if you experience any issues, please see the following article and set up exclusions between Malwarebytes and Windows Defender.

 

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

 

Then visit the following links on how to setup exclusions in Windows Defender

How to Add or Remove Exclusions for Microsoft Defender Antivirus in Windows 10
https://www.tenforums.com/tutorials/5924-add-remove-microsoft-defender-antivirus-exclusions-windows-10-a.html

Add or Remove Exclusions for Microsoft Defender Antivirus in Windows 11
https://www.elevenforum.com/t/add-or-remove-exclusions-for-microsoft-defender-antivirus-in-windows-11.8797/

 

We are not aware of any currently known issues between Windows Defender and Malwarebytes Premium

 

 

[ 2 ]

What is this file? A Google search doesn't really show it.  Please upload to https://virustotal.com and have them scan it. Then post back the URL link to that scan.

C:\Users\manun\Desktop\ewo58t1k.exe

 

[ 3 ]

Are you loading AnyDesk on every restart of the computer on purpose? If not I would remove that from Startup

HKLM\...\StartupApproved\StartupFolder: => "AnyDesk.lnk"

 

[ 4 ]

You're loading Folding@home, which is okay if you wish to do so, but please be aware that it consumes the computer's resources pretty much at all times.

HKU\S-1-5-21-918943675-1635264159-2181677596-1001\...\StartupApproved\StartupFolder: => "Folding@home.lnk"

 

[ 5 ]

The same with this file. What is it for? It loads always. Please upload it to https://virustotal.com and have it scanned as well and post back the URL link to that scan

HKU\S-1-5-21-918943675-1635264159-2181677596-1001\...\StartupApproved\StartupFolder: => "walltaker-windows-amd64.exe - Shortcut.lnk"

 

[ 6 ]

Please validate which drive this is and back up any data on it. It's quite possible that it's starting to fail. It is not normal to see these alerts in the Windows Event Logs.

System errors:
=============
Error: (10/10/2023 07:57:01 PM) (Source: disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk1\DR1, has a bad block.

 

From an elevated admin command prompt you can run DISKPART and then the command LIST DISK and it should tell you which drive is Disk 1

 

[ 7 ]

This looks to be some type of automated logon for a Domain - DWSNET OÜ

HKLM\...\Run: [DWAgentMon] => C:\Program Files\DWAgent\native\dwaglnc.exe [187384 2022-04-29] (DWSNET OÜ -> )

If you're no longer on a Domain or this is not a business work computer you may want to consider removing that

 

[ 8 ]

Do you recognize all of these files and want them starting every time the computer starts?

 

Startup: C:\Users\manun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Peace.lnk [2023-07-07]
ShortcutTarget: Peace.lnk -> C:\Program Files\EqualizerAPO\config\Peace.exe (Peter Eduard Verbeek -> )
Startup: C:\Users\manun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spookieware.exe [2023-06-06] () [File not signed]
Startup: C:\Users\manun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\walltaker-windows-amd64.exe - Shortcut.lnk [2022-03-21]
ShortcutTarget: walltaker-windows-amd64.exe - Shortcut.lnk -> F:\Downloads\walltaker-windows-amd64.exe\walltaker\walltaker-windows-amd64.exe () [File not signed]

 

[ 9 ]

You have the Farbar (FRST) program located here:   C:\Users\manun\AppData\Local\Temp\mwb6BEE.tmp\FRSTEnglish.exe

Please copy that to your Downloads folder or your Desktop and let me know when you have it copied there.

 

 

 

Thanks

 

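An added example (not from this thread and not part of FRST or any Malwarebytes tool) for item [6] above: the event names the disk as \Device\Harddisk1\DR1, and \Device\HarddiskN is the kernel name behind \\.\PhysicalDriveN, the same N that DISKPART's LIST DISK and Get-Disk report. The PowerShell below pulls the disk driver's recent error events, extracts that number, and resolves it to the model, serial number, drive letters and reliability counters so the right drive gets backed up. It assumes Windows 8 / Server 2012 or later (the Storage module) and an elevated prompt; the Storage cmdlets used are documented Microsoft cmdlets, nothing here is specific to the poster's machine.

```powershell
# Added example (not from the thread): map "\Device\HarddiskN\DRn" from
# Source: disk events to a physical disk. Run from an elevated PowerShell.

function Get-DiskErrorEvents {
    # System-log events from the "disk" driver (bad block = 7, paging error = 51, retried IO = 153).
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'disk'; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $n = if ($_.Message -match '\\Device\\Harddisk(\d+)\\DR\d+') { [int]$Matches[1] } else { $null }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Id         = $_.Id
                DiskNumber = $n
                Message    = ($_.Message -replace '\s+', ' ').Trim()
            }
        }
}

function Resolve-PhysicalDisk {
    # Identify the disk behind a Harddisk/PhysicalDrive number.
    param([Parameter(Mandatory)][int]$DiskNumber)
    $d  = Get-Disk -Number $DiskNumber -ErrorAction Stop
    $pd = Get-PhysicalDisk | Where-Object DeviceId -eq ([string]$DiskNumber)
    $rc = $pd | Get-StorageReliabilityCounter -ErrorAction SilentlyContinue
    $letters = Get-Partition -DiskNumber $DiskNumber -ErrorAction SilentlyContinue |
        Where-Object DriveLetter | ForEach-Object { "$($_.DriveLetter):" }
    [pscustomobject]@{
        Number               = $d.Number
        Model                = $d.FriendlyName
        Serial               = $d.SerialNumber
        BusType              = $d.BusType
        SizeGB               = [math]::Round($d.Size / 1GB, 1)
        MediaType            = $pd.MediaType
        Health               = $pd.HealthStatus
        ReadErrorsUncorrected = $rc.ReadErrorsUncorrected
        Wear                 = $rc.Wear
        Volumes              = ($letters -join ' ')
    }
}

# Usage: list the disk errors, then identify every disk number they name.
Get-DiskErrorEvents | Sort-Object Time -Descending | Format-Table Time, Id, DiskNumber, Message -AutoSize
Get-DiskErrorEvents | Where-Object DiskNumber -ne $null |
    Select-Object -ExpandProperty DiskNumber -Unique |
    ForEach-Object { Resolve-PhysicalDisk -DiskNumber $_ } | Format-List
```

The DRn suffix changes when removable devices are plugged and unplugged, so only the Harddisk number is used for the mapping. HealthStatus and the reliability counters come from the drive's own reporting and are not available on every USB bridge; a blank value there is not a clean bill of health, the bad-block events already are the warning.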

In their respective steps,

1. Turned off registering, restarted, and added the Malwarebytes program folder to exclusions.

2. This is the .exe that was generated with a random string for the Dr.Web scan done earlier; as such I have opted to skip the VirusTotal scan for this step.

3. AnyDesk does appear to have a background process that runs with startup, but the application loading on startup had been disabled prior to this entire process via Task Manager. Still, to simplify things I have deleted it from the Startup folder.

4. Similar to AnyDesk, despite the shortcut being present in the Startup folder, startup was disabled via Task Manager, and I have not run this program at all for no less than 2 years.

5. As for this file, it was an application I experimented with over a year ago; it would allow me to change the wallpaper of my PC by uploading any image to a respective link. Since then, it has been disabled on startup via Task Manager, and has not run since. Here is the respective VirusTotal scan: https://www.virustotal.com/gui/file/dd8137714c3c65a19070caab15ac9c844e0f845234609baae88dbf330e716475/detection

6. For this hard drive, it is definitely an aging HDD I've had for a bit; thankful for the warning concerning its condition. I'll be addressing it sooner than later.

7. It was temporarily on a domain, yes. I have opted to remove it entirely in this case.

8. I recognize the files, and only one of them is running on startup (Peace, which is a rather well-known audio equalizer); the others were previously disabled in Task Manager and haven't been run at all on this computer for a period of months to years. I still opted to delete those from the Startup folder for simplicity's sake.

9. I believe this file is located where it is because of its inclusion in the Malwarebytes Support Tool. I do already have a version of FRSTEnglish.exe located in my Downloads, but decided to copy this one, as you said, to the desktop.

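An added example, not from this thread and not part of FRST or any Malwarebytes tool, for items [3], [4], [5] and [8] above and the replies to them. FRST's "StartupApproved\StartupFolder" lines are the registry flags Task Manager writes when a Startup entry is switched to Disabled, which is what the replies rely on. The PowerShell below lists Startup folder and Run key entries for the current user and the machine, resolves .lnk targets, checks whether the target still exists and whether it is Authenticode-signed (FRST's "[File not signed]"), and decodes that flag. Assumption, labelled in the code: the flag is a 12-byte REG_BINARY whose first byte is 0x03 when disabled and 0x02 or 0x06 when enabled; this is from observed values, not Microsoft documentation.

```powershell
# Added example (not from the thread): audit Startup folder and Run key entries
# together with the Explorer\StartupApproved flag Task Manager maintains.

function ConvertFrom-StartupApprovedFlag {
    # Assumption: first byte 0x03 = disabled in Task Manager, 0x02 / 0x06 = enabled.
    param([byte[]]$Value)
    if ($null -eq $Value -or $Value.Length -eq 0) { return 'enabled (no flag recorded)' }
    switch ($Value[0]) {
        3               { 'disabled in Task Manager' }
        { $_ -in 2, 6 } { 'enabled' }
        default         { 'unknown (0x{0:X2})' -f $Value[0] }
    }
}

function Get-StartupFolderAudit {
    $shell = New-Object -ComObject WScript.Shell      # resolves .lnk targets
    $sets = @(
        @{ Scope = 'User';     Folder = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup";
           Approved = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder' },
        @{ Scope = 'AllUsers'; Folder = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp";
           Approved = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder' }
    )
    foreach ($s in $sets) {
        if (-not (Test-Path -LiteralPath $s.Folder)) { continue }
        $flags = Get-ItemProperty -Path $s.Approved -ErrorAction SilentlyContinue
        foreach ($item in Get-ChildItem -LiteralPath $s.Folder -File -Force | Where-Object Name -ne 'desktop.ini') {
            $target = if ($item.Extension -eq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
            $flag   = if ($flags) { $flags.PSObject.Properties[$item.Name].Value } else { $null }
            $exists = [bool]$target -and (Test-Path -LiteralPath $target)
            [pscustomobject]@{
                Scope     = $s.Scope
                Entry     = $item.Name
                Target    = $target
                State     = ConvertFrom-StartupApprovedFlag $flag
                Exists    = $exists
                Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $target).Status } else { 'n/a' }
            }
        }
    }
}

function Get-RunKeyAudit {
    $sets = @(
        @{ Scope = 'Machine'; Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';
           Approved = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run' },
        @{ Scope = 'User';    Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';
           Approved = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run' }
    )
    foreach ($s in $sets) {
        $values = Get-ItemProperty -Path $s.Key -ErrorAction SilentlyContinue
        $flags  = Get-ItemProperty -Path $s.Approved -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        # Get-ItemProperty adds PS* metadata properties; skip those.
        foreach ($p in $values.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }) {
            $flag = if ($flags) { $flags.PSObject.Properties[$p.Name].Value } else { $null }
            [pscustomobject]@{ Scope = $s.Scope; Entry = $p.Name; Command = $p.Value; State = (ConvertFrom-StartupApprovedFlag $flag) }
        }
    }
}

Get-StartupFolderAudit | Format-Table -AutoSize
Get-RunKeyAudit        | Format-Table -AutoSize
```

A disabled flag only stops Explorer from launching the entry at logon; the file itself stays where it is, which is why deleting stale entries, as the replies did, is the cleaner fix. An entry whose target no longer exists (the walltaker shortcut points at F:\Downloads) is harmless but worth removing so future logs are shorter.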

  • Root Admin

I see you have - F:\Downloads\FRST64.exe which is good as well.

The logs indicate that Discord is installed. Please uninstall it as we discussed.

 

 

 

 

Please run the following fix - I'll check back on you tomorrow.

 

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program: FRST64.exe

Save the attached file: FIXLIST.TXT to this folder F:\Downloads\

NOTE: It's important that both files, FRST64.exe and fixlist.txt, are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete.

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

  1. NOTE: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


Attached is the Fixlog. As for Discord, I did uninstall it when requested and still haven't reinstalled it. The only thing I could imagine it picking up was an .exe file Discord had in a separate place specifically for startup. Got rid of that too when I found it, but uninstalling through app management in Settings clearly missed that file. Not sure if there's any other you might mean.

Fixlog.txt


  • Root Admin

From the log

Windows Resource Protection found corrupt files and successfully repaired them.

 

The logs indicate that Windows Defender has invalid restrictions set. Let me have you run the following again

 

 

The Farbar (FRST) program is located here in your downloads folder:  F:\Downloads

Please follow the process below to perform a fix in Safe Mode

 

Start in Safe mode:

  • Press the Windows icon on the keyboard together with the letter I, to get into the Settings.
  • Choose Update and Security.
  • From the menu at the left, choose Recovery.
  • Under the title Advanced startup at the right, choose Restart now.
  • From the window that will appear choose Troubleshoot and then Advanced options.
  • Choose Startup Settings and then Restart.
  • Press number 5, for choosing Safe mode with networking.
  • You will know that you are in Safe mode, if the background is black and Safe mode is written at the four corners of the screen.


After that:

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.

 

Start::
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction
GroupPolicy: Restriction
End::

 

  • Right-click on FRSTEnglish in your Downloads folder, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in your Downloads folder or where you have the Farbar program located.
  • Attach that log in your next reply.
 
Thank you
 
 
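An added example, not from this thread and not part of FRST or any Malwarebytes tool: the fix above removes "Restriction" entries under the Windows Defender and WindowsUpdate policy keys and the local Group Policy store. The PowerShell below reads the registry values commonly used to switch Defender and Windows Update off through policy, lists the local Group Policy files, and asks Defender itself what state it is in, so the same check can be repeated after the reboot to confirm the restrictions have not come back. Assumptions: the value names are the documented Defender/Windows Update policy names, not a list taken from FRST; FRST's own criteria for "GroupPolicy: Restriction" are not stated on this page, so the Registry.pol check is the author's approximation. Run from an elevated prompt.

```powershell
# Added example (not from the thread): re-check Defender / Windows Update policy
# restrictions and local Group Policy after an FRST "Restriction" fix.
# On a stand-alone home PC the HKLM\SOFTWARE\Policies\... keys normally do not exist at all.

function Get-DefenderPolicyState {
    $checks = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
           Names = @('DisableAntiSpyware', 'DisableAntiVirus') },
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
           Names = @('DisableAntiSpyware', 'DisableAntiVirus', 'DisableRoutinelyTakingAction') },
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
           Names = @('DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableOnAccessProtection', 'DisableIOAVProtection') },
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
           Names = @('DisableWindowsUpdateAccess', 'DoNotConnectToWindowsUpdateInternetLocations', 'WUServer') },
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
           Names = @('NoAutoUpdate', 'UseWUServer') }
    )
    foreach ($c in $checks) {
        $keyExists = Test-Path -Path $c.Key
        $props = if ($keyExists) { Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue } else { $null }
        foreach ($n in $c.Names) {
            $v = if ($props) { $props.$n } else { $null }
            [pscustomobject]@{ Key = $c.Key; KeyExists = $keyExists; Name = $n; Set = ($null -ne $v); Value = $v }
        }
    }
}

function Get-LocalGroupPolicyFiles {
    # Assumption: local GPO state lives in these paths; a non-empty Registry.pol
    # means local policy is pushing registry settings on every policy refresh.
    $paths = "$env:SystemRoot\System32\GroupPolicy\Machine\Registry.pol",
             "$env:SystemRoot\System32\GroupPolicy\User\Registry.pol",
             "$env:SystemRoot\System32\GroupPolicyUsers"
    foreach ($p in $paths) {
        $exists = Test-Path -LiteralPath $p
        [pscustomobject]@{
            Path      = $p
            Exists    = $exists
            SizeBytes = if ($exists -and (Test-Path -LiteralPath $p -PathType Leaf)) { (Get-Item -LiteralPath $p).Length } else { $null }
        }
    }
}

function Get-DefenderRuntimeState {
    # What Defender reports about itself, independent of the registry.
    try {
        Get-MpComputerStatus -ErrorAction Stop |
            Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, BehaviorMonitorEnabled, AntivirusSignatureLastUpdated
    } catch { Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)" }
}

Get-DefenderPolicyState | Where-Object Set | Format-Table Key, Name, Value -AutoSize
Get-LocalGroupPolicyFiles | Format-Table -AutoSize
Get-DefenderRuntimeState | Format-List
```

A clean result is an empty first table (no policy values set) and AntivirusEnabled / RealTimeProtectionEnabled reporting True, unless another registered antivirus such as Malwarebytes Premium has legitimately taken over real-time protection. If a value reappears after a reboot, something on the machine is re-writing policy, and the process-creation and script block logs from the earlier example are the place to look for it.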

 

3 hours ago, AdvancedSetup said:

Great. The restrictions have not returned

How is the computer running now?

Are there still any other signs of infection at this time?

 

There are no other apparent signs of infection, and the computer runs fine. However, both of these were true prior to this process.

The only sign of any form of infection was the one file detected by Dr.Web, which you suspected was an FP, and I'm inclined to agree it likely was just a necessary piece to do with the domain from a long while ago.

On 10/7/2023 at 9:34 PM, pleasedonttakemytokens said:

The threat detected and acted on by the program is C:\Program Files\DWAgent\native\dwaggdi.dll

I suspect there are only two ways for me to go about solving the (potential) PowerShell payload process exploit, as detected by MWB RTP.

Especially seeing as it is an issue that seems to relate more to my specific discord account rather than the discord installation itself, or the system. The reason I have come to believe that is that I, prior to this process, tried solving the issue by logging into the Windows client for discord with a fresh discord account, and managed to avoid the problem entirely.

The two (potential) solutions in my mind

1. Attempt to get more information on the potential exploit itself via another diagnostic tool that is able to at least display the attempt and failure of the process (via reinstalling discord, logging in, and letting RTP stop the attempt) even if not the nature of it, be it one present in windows already or one that you recommend.

2. Work with Discord support themselves on a solution that more directly involves me taking action on my account itself (which can be done safely both via my mobile and browser clients), or action on their end.

If you suspect the former wouldn't give us anything useful information-wise, I think the next step is the latter solution, and I would be very willing to report any solution found here, if nothing else to prevent potential future headaches.


  • Root Admin

 

Can you please do the following?

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
  • NOTE: Please have patience as it can take a while to remove and reinstall. Once the install has completed please RESTART THE COMPUTER

After the restart please do the following

  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 


  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

