
Wacom tablet and cursor misbehaving after AdwCleaner scan



Hello,

After having factory reset and restarted my computer a few months prior to this query, I decided to reinstall adwcleaner and was met with this:


Right after deleting it from quarantine and restarting, I noticed that my tablet was misbehaving and I had lost control of my cursor as if someone were remotely controlling it. Even after unplugging the tablet, my cursor kept jerking or moving to the right. I don't know why this is, or why Google Chrome decided to show my saved passwords in incognito when it hadn't previously done this:

Keep in mind, I had experienced these issues prior during my previous issues with Lazzarus.rar, though I had forgotten to mention it as I was immensely distressed over my sole basket I had all my "eggs" (passwords and the like) spoiled by one virus, and I don't have the time to manually change each and every last password including for accounts I'm no longer on. My tablet's still plugged in - albeit nonresponsive - as of typing this, and I'm afraid that whatever trojan I erroneously opened and ran on this machine was tweaked to target drawing tablets as well, because I have no other explanation as to why my tablet is targeted. No faulty driver had ever misbehaved in such a manner (not that they work or anything), so that can't be it.

It seems to be more than a corrupted tablet registry because it was also capable of spontaneously producing mass lines of "test" repeated continuously in a single string whilst typing out of nowhere, but I can't find that specific screenshot. I have taken months to collect myself to properly articulate my issue, and I would like some assistance on the matter.

Tablet touch is on for no discernible reason, and I can't even open the settings to fix it. All of this over one adwcleaner scan.

From what I am able to deduce, there is a program, a registry key, an executable, or some other secret remote access trojan on my computer that not only evades detection by most conventional antivirus software, but is able to remotely access my drawing tablet as an interface to cause me frustration and agony.

 

Edited by BreadmanYan

  • Root Admin

Hello @BreadmanYan

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 


This seems a bit too targeted or deliberate to simply be the fault of an outdated driver, which I updated upon the third reset by the end of last June. Additionally, there shouldn't be any reason for such a driver to ever be detected by adware cleaning software, which I assume to be a result of Wacatac.32, which is what I likely wound up executing upon running lazzarus 7 months prior. That might be why I'm still having this issue despite three resets and numerous AV scans both with and without internet connection, but I'm not an expert so I can't say for certain.


  • Root Admin

Please, never empty the quarantine right away. Once an object has been quarantined it is no longer a threat. But if you empty the quarantine and it was a False Positive then you no longer have the object to restore. Please try to remember that and adjust behavior to keep the quarantine for at least a week or more.

 

[ 1 ]

 

You have multiple entries in the Event Logs for issues with VSS (Volume Shadow Copy) service. Below is just one example of many listed.

 

Error: (10/23/2023 05:33:22 AM) (Source: VSS) (EventID: 22) (User: )
Description: Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.
This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider.
The error returned from CoCreateInstance on class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} and Name SW_PROV is [0x80040154, Class not registered
].

 

Then you have the following errors logged. This could all possibly be intermittent or a one-time issue. Not sure without seeing the full set of Event Logs.

 

System errors:
=============
Error: (10/23/2023 02:48:28 AM) (Source: DCOM) (EventID: 10010) (User: BUNNPC-333)
Description: The server {8CFC164F-4BE5-4FDD-94E9-E2AF73ED4A19} did not register with DCOM within the required timeout.

Error: (10/23/2023 02:24:17 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Steam Client Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (10/23/2023 02:24:17 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The TabletServicePen service terminated unexpectedly.  It has done this 1 time(s).

Error: (10/23/2023 02:24:17 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel(R) Dynamic Application Loader Host Interface Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (10/23/2023 02:24:17 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel(R) Management Engine WMI Provider Registration service terminated unexpectedly.  It has done this 1 time(s).

Error: (10/23/2023 02:24:17 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The NVIDIA Display Container LS service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 6000 milliseconds: Restart the service.

Error: (10/23/2023 02:24:17 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Wacom Consumer Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (10/23/2023 02:02:15 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The NVIDIA Display Container LS service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 6000 milliseconds: Restart the service.

 

Please download and run the following tool with Admin rights to try to correct the VSS issues.

 

Please download and run the following Volume Shadow Copy Service (VSS) diagnostic tool from Acronis

Acronis VSS Doctor

Free tool for diagnosing and repairing Volume Shadow Copy Service issues. Download link on the bottom of the page.
Download - Acronis VSS Doctor

In many cases, it can correct the issues on its own. If not, then it will give details on what may be causing the issues. Please save the report in text format and post back that log on your next reply.

 

You can also try the tool from Macrium Reflect

Macrium Reflect Volume Shadow Copy Service (VSS) Repair Tool

 

 

[ 2 ]

Next, please do the following

 

Please make the following change in Malwarebytes if you're using the Premium or Trial version

  • Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the Security tab.
  • Then turn off "Always register Malwarebytes in the Windows Security Center"
  • Restart the computer


 

It is highly unlikely that you need to set up exclusions for Windows Defender; however, if you experience any issues, please see the following article and set up exclusions between Malwarebytes and Windows Defender

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

 

[ 3 ]

Next, please do the following

Your current DNS Servers:   192.168.12.1

Please consider changing your default DNS server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

Pick just one of these 4 providers. And be aware that you need to modify 1 time for IPv4 & a 2nd pass for IPv6

  • Google Public DNS: IPv4 8.8.8.8 and 8.8.4.4; IPv6 2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4 1.1.1.1 and 1.0.0.1; IPv6 2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4 208.67.222.222 and 208.67.220.220; IPv6 2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4 84.200.69.80 and 84.200.70.40; IPv6 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b


The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

RESTART THE COMPUTER NOW

 

[ 4 ]
Next, please do the following

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands, just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine and the speed of the hardware).

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

 

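Six of the service terminations in the log excerpt above share one timestamp, which is the first thing to check before reading anything targeted into any single one of them. The script below is an added example, not FRST's code or anything posted in this thread: it parses the FRST-style event format (the entries above, retyped here as constructed sample input), groups the Service Control Manager 7031/7034 terminations by second, and reports the VSS registration error alongside. All function names are my own.

```python
# Added example: triage an FRST-style Event Log excerpt (not FRST's code).
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: entries retyped from the post above, same format FRST prints.
SAMPLE_LOG = """
Error: (10/23/2023 05:33:22 AM) (Source: VSS) (EventID: 22) (User: )
Description: Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.
This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider.

Error: (10/23/2023 02:24:17 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Steam Client Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (10/23/2023 02:24:17 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The TabletServicePen service terminated unexpectedly.  It has done this 1 time(s).

Error: (10/23/2023 02:24:17 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel(R) Dynamic Application Loader Host Interface Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (10/23/2023 02:24:17 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The NVIDIA Display Container LS service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 6000 milliseconds: Restart the service.

Error: (10/23/2023 02:24:17 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Wacom Consumer Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (10/23/2023 02:02:15 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The NVIDIA Display Container LS service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 6000 milliseconds: Restart the service.
"""

# "Error: (date time) (Source: X) (EventID: N) (User: U)" header line as FRST writes it.
HEADER_RE = re.compile(
    r"^Error: \((?P<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\) "
    r"\(Source: (?P<source>[^)]+)\) \(EventID: (?P<event_id>\d+)\) \(User: (?P<user>[^)]*)\)$"
)
# Service Control Manager wording for an unexpected service exit.
TERMINATED_RE = re.compile(
    r"The (?P<service>.+?) service terminated unexpectedly\.\s+"
    r"It has done this (?P<count>\d+) time\(s\)\."
)
SCM_CRASH_IDS = {7031, 7034}  # 7034: service crashed; 7031: crashed, recovery action scheduled


def parse_events(text):
    """One dict per 'Error:' record; following lines join the description, a blank line ends it."""
    events, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER_RE.match(line)
        if header:
            current = {"time": datetime.strptime(header["time"], "%m/%d/%Y %I:%M:%S %p"),
                       "source": header["source"], "event_id": int(header["event_id"]),
                       "user": header["user"], "description": ""}
            events.append(current)
        elif line and current is not None:
            body = re.sub(r"^Description: ", "", line)
            current["description"] = f"{current['description']} {body}".strip()
        else:
            current = None
    return events


def service_crashes(events):
    """(time, service, count) for every SCM 7031/7034 'terminated unexpectedly' entry."""
    crashes = []
    for ev in events:
        if ev["source"] != "Service Control Manager" or ev["event_id"] not in SCM_CRASH_IDS:
            continue
        m = TERMINATED_RE.search(ev["description"])
        if m:
            crashes.append((ev["time"], m["service"], int(m["count"])))
    return crashes


def crash_clusters(events, min_services=2):
    """Services that died in the same second: {time: sorted names} for clusters of min_services+."""
    by_time = defaultdict(list)
    for when, service, _count in service_crashes(events):
        by_time[when].append(service)
    return {when: sorted(names) for when, names in by_time.items() if len(names) >= min_services}


def triage(text):
    """Findings a helper would report back: VSS errors, then services that died together."""
    events = parse_events(text)
    findings = [f"{ev['time']:%I:%M:%S %p} VSS event {ev['event_id']}: {ev['description']}"
                for ev in events if ev["source"] == "VSS"]
    for when, names in sorted(crash_clusters(events).items()):
        findings.append(f"{when:%I:%M:%S %p}: {len(names)} services terminated in the same second "
                        f"({', '.join(names)}); one shared cause (crash, hang, forced shutdown) "
                        "is more likely than something targeting each service")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The single 02:02:15 AM NVIDIA entry is deliberately left out of the cluster report: one service restarting on its own is noise, five in the same second is a pattern.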

3 hours ago, AdvancedSetup said:

Please, never empty the quarantine right away. Once an object has been quarantined it is no longer a threat. But if you empty the quarantine and it was a False Positive then you no longer have the object to restore. Please try to remember that and adjust behavior to keep the quarantine for at least a week or more.


Because T-Mobile is rather tedious and inconvenient to change DNS settings on the fly (needing an external router from what I've read, unlike Verizon where I can simply do this online), I've run an AcronisVSSDoctorReport scan and saved the file for the time being.

AcronisVSSDoctorReport_2023-10-23-16-11-05.txt


6 hours ago, AdvancedSetup said:

The DNS setting change is simply inside the OS, not at the Router level.

Instead of first asking you Router it will ask Windows where to look for the DNS and use that. If that fails then it will ask your router.

Did you perform the other tasks?

 

Sure have; rather concerning that ">>> Rootkit code in function Wow64Transition - standard blocking error: memory modification failed, active Rootkit counteraction is possible" shows up on AVZ Antiviral Toolkit, but it's nothing to worry about I hope.

Edited by BreadmanYan

  • Root Admin

Please go ahead and run the following scanners.

 

[ 1 ]

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

 

[ 2 ]

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the Windows Key and R Key together, the "Run" box should open.

Drag and Drop KVRT.exe into the Run Box.


C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.


Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"


In the new window select "Change Parameters"


In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...


When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"


When complete, or if nothing was found select "Close"


Attach the report information as previously instructed...
 
Thank you
 
 

 

 


  • Root Admin

Okay, neither one of those scanners found anything bad or suspicious.

Please run a scan with ESET - the settings may have changed a little but hopefully it's close.

 

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen choose if you want to send anonymous data and if you want to provide feedback or not, then click Continue
  • When prompted for scan type, Click on the Full Scan button
  • Enable (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false positive, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

 


  • Root Admin
3 hours ago, BreadmanYan said:

here's the Kaspersky log. 

Looks to be the ESET log - nothing found.

 

Are you still having any signs of infection? We've now run 3 different scanners and nothing much really found

 

Please run the following

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.
SecurityCheck is a utility for quickly checking for the presence of vulnerable applications

  • Temporarily disable Microsoft SmartScreen to download the software
  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • This tool is safe.   Smartscreen is overly sensitive. You can check the VirusTotal scan of the tool from here
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

Checked parameters:

  1. User Account Control (UAC).
  2. Service pack.
  3. IE version.
  4. Automatic OS update. Sets of critical KB patches when updating is disabled.
  5. Antivirus, firewall, other security utilities.
  6. Versions of Java, Oracle Virtualbox.
  7. Version of Adobe Flash Player, Adobe AIR.
  8. Versions of Adobe Reader, Acrobat Reader DC, Foxit Reader.
  9. Versions of media players (iTunes, AIMP, foobar2000).
  10. Versions of messengers (Skype, Pidgin).
  11. Versions of installed browsers (Chrome, Opera, Firefox, Yandex, SeaMonkey).
  12. Versions of mail programs (The Bat, Thunderbird).
  13. Checking running processes and security program services
  14. Searching for installed Adware programs and optimizer programs (More than 5000).

Thank you

 


As a matter of fact, there is - Discord is continually in a restarting loop, and I'm forced to Ctrl+R every five seconds just to get it to load, only for it to go into another loop. Whatever remote access program this is, it's smart enough to lie dormant when MWB is active. I also received a strange VOIP phone call yesterday morning, for some odd reason. 


Even stranger, it seems to have infected, or be hiding behind, ZDoom files. I can't for the life of me understand why, but I have a feeling those aren't exactly the root of the infection.

Malwarebytes Report.txt

Edit: Additional logs collected while scanning in safe mode, and a familiar screenshot:


The fact that the three quarantined files detected by MWB and Adwcleaner were labelled "heuristic" files is curious, considering that the AVZ scanner I used had an option to scan for heuristic files, yet invariably terminated before it could ever detect them.

Running a full system scan in safe mode is when the cursor begins to erratically click+drag and rearrange icons on my desktop while deliberately attempting to stop the scan. It's almost as if there's someone or something on the other end manipulating my cursor through my tablet software, but I can't say this for certain. 

AcronisVSSDoctorReport_2023-10-25-03-46-15.txt FRST.txt Addition.txt Malwarebytes Report.txt

Edited by BreadmanYan

@AdvancedSetup 

Everything I found last night was discovered with this option unchecked (screenshot not reproduced here).

Once I turned it back on, Discord stopped refreshing every two seconds, and now stays loaded and fully operational. If this were a regular virus or trojan that isn't hidden deep within the machine, it would've been detected, deleted, and that would've been the end of it. Back in April when I regained control of my discord account, I noticed one of my friends had mentioned "wacatac.B!ml" after they scanned the hacker's "Free Game", and what I've read up on it lines up roughly with what I've experienced, save for the tablet control. 


  • Root Admin

Heuristic is a machine language check - basically artificial intelligence style educated guess that the object in question is either bad or possibly is bad.

 

Please fully uninstall Discord for now.

Please uncheck Windows Security Center in Malwarebytes and allow both Windows Defender and Malwarebytes to both run in full protection and scanning mode.

Then after removing Discord and resetting Malwarebytes - Restart the computer.

Then get me a fresh set of Farbar logs.

 

FRST
ADDITION

 

Thanks

 

 


21 minutes ago, AdvancedSetup said:

Heuristic is a machine language check - basically artificial intelligence style educated guess that the object in question is either bad or possibly is bad.


Uninstalled Discord, and after uninstalling Remote Desktop Connection I'll perform both scans in normal mode, and perhaps safe mode if there's anything lurking. I'll be sure to post both sets of logs.

Should I have both scanners run simultaneously, or one after the other?

Edited by BreadmanYan
This topic is now closed to further replies.