Wifi anomalies on wireshark and Autoruns red processes

[Immanuel]

Hi there, I'm analyzing the same problem I've written you about...I've firstly get clear that even disabling 5G modem wifi, the second SSID with a "2" on it but named the same as mine, it won't disappear. This is the Autoruns .txt: 

https://file.io/Ne37iE3amP7Q

 

This is the wireshark report: https://file.io/2VtWaoGJTMz5

I've realized I can send certified emails only connecting myself to the "same SSID name" 2...this is surely made by criminals in Italy

Edited November 9, 2023 by AdvancedSetup
Corrected font issue

[Immanuel]

HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Sat Dec 7 10:15:08 2019
_wow64cpu File not found: C:\WINDOWS\Syswow64\wow64cpu.dll
_wowarmhw File not found: C:\WINDOWS\system32\wowarmhw.dll
_wowarmhw File not found: C:\WINDOWS\Syswow64\wowarmhw.dll
_xtajit File not found: C:\WINDOWS\system32\xtajit.dll
_xtajit File not found: C:\WINDOWS\Syswow64\xtajit.dll
wow64 File not found: C:\WINDOWS\Syswow64\wow64.dll
wow64win File not found: C:\WINDOWS\Syswow64\wow64win.dll

Windows Update Health is red and disabled from Autoruns non 64:
uhssvc Microsoft Update Health Service: Maintains Update Health (Not Verified) Microsoft Corporation C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Mon Sep 25 21:43:54 2023
red and enabled:
WMPNetworkSvc Windows Media Player Network Sharing Service: Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play (Not Verified) Microsoft Corporation C:\Program Files\Windows Media Player\wmpnetwk.exe Wed Oct 11 13:10:58 2023

red and enabled:
\Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler Performs periodic Windows Update maintenance tasks. (Not Verified) Microsoft Corporation C:\Program Files\RUXIM\PLUGscheduler.exe Fri Sep 15 20:37:12 2023

red and enabled:
\Microsoft\Windows\Windows Media Sharing\UpdateLibrary This task updates the cached list of folders and the security permissions on any new files in a user’s shared media library. (Not Verified) Microsoft Corporation C:\Program Files\Windows Media Player\wmpnscfg.exe Fri Dec 6 22:15:00 2019

disabled again net tcp port sharing for safety 

Edited November 9, 2023 by AdvancedSetup
Corrected font issue

[AdvancedSetup]

Can you please do the following?

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
• NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete

After the restart please do the following

• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

[Immanuel]

mbst-grab-results.zip

[Immanuel]

I'm going to reinstall Malwarebytes anyway

[AdvancedSetup]

You have Kaspersky installed and it may be blocking too much

The logs do not indicate that the computer is infected.

Please disable Kaspersky and run the following

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

• Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
• The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

 

[Immanuel]

Ok, but what can you say about this?
\Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler Performs periodic Windows Update maintenance tasks. (Not Verified) Microsoft Corporation C:\Program Files\RUXIM\PLUGscheduler.exe Fri Sep 15 20:37:12 2023

[Immanuel]

Oh no I was sure to have show all folders enabled but it wasn't...I'm gonna repeat the full scan. Can you explain how can this impact the scan? I'm curious...

[Immanuel]

msert.log

[Immanuel]

Malwarebytes complete scan didn't find anything. The problem is just the network.

[AdvancedSetup]

By showing the hidden extensions and folders helps us to help you if or when you need to get to specific folders when or if asked.

The plug may not be wanted. So many users install items like this on purpose though.. We'll take a closer look. Please run the following

 

 

Create an Autoruns Log:

• Please download Sysinternals Autoruns from here:   https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
• Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
• Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard.
• Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options... 
• Then place a check mark on the following items Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images
• Then click the Rescan button. Agree to the VirusTotal EULA
• Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
• Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder
• Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.

 

 

 

Thank you

 

 

[Immanuel]

DESKTOP-DL2BG03vv.zip

[AdvancedSetup]

This was not run correctly. Many if not most of the VirusTotal columns are blank.

You need to wait a LONG time until ALL entries for the VT column have been completed.

 

[AdvancedSetup]

DISABLE Kaspersky Real-Time protection when running this.

 

[Immanuel]

This is from Autoruns (not 64 or 64a)

DESKTOP-DL2BG03vvv.zip

Edited November 10, 2023 by Immanuel

[AdvancedSetup]

You can see here that the PLUG entry is from Microsoft

https://learn.microsoft.com/en-us/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004

 

AutoRuns color meanings

Green: Green color is generally used to identify a startup item which isn’t there according to the previous known scan.

Yellow: Yellow color is generally used to identify a start up item which no longer exists.

Pink/Red: Pink/Red is used to identify the start up item with no code signatures or the publisher information

 

 

 

If you own your own router and are not renting it from your Internet Service Provider

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

Depending on one's preferences and the Router's capabilities please consider the following.

• Disable acceptance of ICMP Pings
• Change the Default Router password using a Strong Password
• Use a Strong WiFi password on WPA2 using AES encryption or Enable WPA3 if it is an option.
• Disable Remote Management
• Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network.
  Example: Keep IoT devices on one network and mobile devices on another.
• Change the network name (SSID).  Do not use your; Name, Postal address or other personal information.  Make it unique or whimsical and known to your family/group.
• Is the Router Firmware up-to-date ?  Updating the firmware mitigates exploitable vulnerabilities.
• Specifically set Firewall rules to BLOCK;   TCP and UDP ports 135 ~ 139, 445, 1234, 3389, 5555 and 9034
• Document passwords created and store them in a safe but accessible location.

 

 

 

 

[Immanuel]

I've downloaded (before doing Autoruns) the missing dlls except for xtajit.dll...Now I see I can't delete them and sfc /scannow didn't find anything before and after edits. Is it ok? 

[AdvancedSetup]

Manually downloading and installing a DLL is HIGHLY frowned upon as that is NOT the normal delivery or install process.

What specific file are you wanting to remove and why?

Include the FULL path to the file

 

[Immanuel]

HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Sat Dec 7 10:15:08 2019
_wow64cpu File not found: C:\WINDOWS\Syswow64\wow64cpu.dll
_wowarmhw File not found: C:\WINDOWS\system32\wowarmhw.dll
_wowarmhw File not found: C:\WINDOWS\Syswow64\wowarmhw.dll
_xtajit File not found: C:\WINDOWS\system32\xtajit.dll
_xtajit File not found: C:\WINDOWS\Syswow64\xtajit.dll
wow64 File not found: C:\WINDOWS\Syswow64\wow64.dll
wow64win File not found: C:\WINDOWS\Syswow64\wow64win.dll

[AdvancedSetup]

Those are fine. Just leave them alone. What are you trying to do or achieve?

What issue are you having?

 

[Immanuel]

I was experiencing multiple reports of the modem security that says ping of death attacks, icmp redirect and port scan

Edited November 11, 2023 by Immanuel

[AdvancedSetup]

These thing are going to happen. There are always bots and people trying to find exploits

Please try resetting your router.

 

 

If you own your own router and are not renting it from your Internet Service Provider

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

Depending on one's preferences and the Router's capabilities please consider the following.

• Disable acceptance of ICMP Pings
• Change the Default Router password using a Strong Password
• Use a Strong WiFi password on WPA2 using AES encryption or Enable WPA3 if it is an option.
• Disable Remote Management
• Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network.
  Example: Keep IoT devices on one network and mobile devices on another.
• Change the network name (SSID).  Do not use your; Name, Postal address or other personal information.  Make it unique or whimsical and known to your family/group.
• Is the Router Firmware up-to-date ?  Updating the firmware mitigates exploitable vulnerabilities.
• Specifically set Firewall rules to BLOCK;   TCP and UDP ports 135 ~ 139, 445, 1234, 3389, 5555 and 9034
• Document passwords created and store them in a safe but accessible location.

 

 

[Immanuel]

I've found anomalies, virustotal checked in Autoruns

DESKTOP-DL2BG03today.txt

[Immanuel]

There was also a fourth user in Autoruns...IIS what is this? I've disabled remote desktop clipboard.

Edited November 12, 2023 by Immanuel

[Immanuel]

VirusTotal - File - af92673f0c25e1c5d8e2919b84bb52b67e1aaee360f4e9950701924d82b40fad

 

this is caused by hash corruptor in my network surely