Possible Malware?


Got a virus a couple of days ago and had to reset Windows via USB to get rid of it. Now I'm worried that I didn't get rid of it, or that I have gotten a new virus, since I've been getting suspicious Event Viewer messages and my PC has been freezing up and acting weird.

E.g.

  • Weird Audit Policy changes
  • Weird HttpServices logs (one even mentioning RDP):
  • HttpServices: "Attempted to reserve URL http://+:80/Temporary_Listen_Addresses/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM"
  • Attempted to reserve URL http://+:47001/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
  • Attempted to reserve URL https://+:3392/rdp/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Creator Subject:
    Security ID:        LOCAL SERVICE
    Account Name:        LOCAL SERVICE
    Account Domain:        NT AUTHORITY

Process Information:
    New Process ID:        0x191c
    New Process Name:    C:\Windows\System32\conhost.exe
    Token Elevation Type:    TokenElevationTypeDefault (1)
    Creator Process Name:    C:\Windows\System32\appidcertstorecheck.exe
    Process Command Line:    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

 

&
 

    New Process ID:        0x1d88
    New Process Name:    C:\Windows\System32\rundll32.exe
    Token Elevation Type:    TokenElevationTypeLimited (3)
    Mandatory Label:        Mandatory Label\Medium Mandatory Level
    Creator Process ID:    0x51c
    Creator Process Name:    C:\Windows\System32\svchost.exe
    Process Command Line:    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

&

Process Information:
    New Process ID:        0x19a8
    New Process Name:    C:\Windows\System32\mmc.exe
    Token Elevation Type:    TokenElevationTypeFull (2)
    Mandatory Label:        Mandatory Label\High Mandatory Level
    Creator Process ID:    0x2a38
    Creator Process Name:    C:\Windows\explorer.exe
    Process Command Line:    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s


After scan: Malwarebytes did detect some weird registry key as a PUP, and my Firefox configs from arkenfox, so probably a false positive. AdwCleaner turned out clean, but I'm 99% sure that I have some kind of virus. My PC has never acted like this.

Malwarebytes Scan Report 2024-07-04 205413.txt FRST_04-07-2024 23.07.26.txt Addition_04-07-2024 23.07.26.txt AdwCleaner[S00].txt

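The 4688 process-creation entries and the HttpService "Attempted to reserve URL" messages quoted in the post above are easier to judge in bulk than one event at a time. The PowerShell below is an added example, not something posted in this thread and not part of any tool mentioned in it. It pulls recent 4688 events from the Security log with parent, child, elevation type and command line, stacks them by parent-child pair so that the rare pairs surface (routine pairs recur hundreds of times), and parses `netsh http show urlacl` into objects so the reservation list can be compared with a known-clean machine of the same Windows build. It assumes an elevated Windows PowerShell 5.1 or newer session and that command-line auditing is enabled (the quoted events show the Process Command Line field populated, so it is). Process Id 0x4 in the HttpService messages is the System process, so that field on its own says nothing about which service requested the reservation; the URL and the account that holds it are what to compare.

```powershell
# Added example, not from the thread. Run in an elevated Windows PowerShell (5.1+) session:
# the Security log is not readable by a standard user.

# Raw TokenElevationType values in the 4688 XML, mapped to the names Event Viewer shows.
$ElevationNames = @{
    '%%1936' = 'TokenElevationTypeDefault (1)'
    '%%1937' = 'TokenElevationTypeFull (2)'
    '%%1938' = 'TokenElevationTypeLimited (3)'
}

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="X">value</Data>... into a hashtable keyed by Name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-ProcessCreationEvents {
    # Security 4688 = "A new process has been created". CommandLine is only populated when
    # "Include command line in process creation events" is enabled.
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$MaxEvents = 5000
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Creator     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Parent      = $d['ParentProcessName']
                Child       = $d['NewProcessName']
                Elevation   = $ElevationNames[$d['TokenElevationType']]
                Label       = $d['MandatoryLabel']
                CommandLine = $d['CommandLine']
            }
        }
}

function Get-RareParentChildPairs {
    # Frequency analysis ("stacking"): routine parent -> child pairs recur constantly,
    # so pairs seen only a few times are the ones worth reading in full.
    param([int]$Threshold = 3)
    Get-ProcessCreationEvents |
        Group-Object Parent, Child |
        Where-Object { $_.Count -le $Threshold } |
        Sort-Object Count |
        ForEach-Object {
            [pscustomobject]@{
                Count       = $_.Count
                Parent      = $_.Group[0].Parent
                Child       = $_.Group[0].Child
                Elevation   = $_.Group[0].Elevation
                CommandLine = $_.Group[0].CommandLine
            }
        }
}

function Get-HttpUrlReservations {
    # HTTP.sys URL reservations, the same objects the HttpService log reports on.
    # netsh prints blocks of the form:
    #     Reserved URL            : http://+:47001/wsman/
    #         User: <account>
    #             Listen: Yes
    # Parsed into objects so the list can be diffed against a known-clean build.
    $entries = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in (netsh http show urlacl)) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ Url = $Matches[1]; User = $null; Listen = $null }
            $entries.Add($current)
        } elseif ($null -ne $current -and $line -match '^\s*User:\s*(.+)$') {
            $current.User = $Matches[1].Trim()
        } elseif ($null -ne $current -and $line -match '^\s*Listen:\s*(\S+)') {
            $current.Listen = $Matches[1]
        }
    }
    return $entries
}

# Usage:
Get-RareParentChildPairs | Format-Table -AutoSize -Wrap
Get-HttpUrlReservations | Sort-Object Url | Format-Table -AutoSize
```

The stacking step is deliberately dumb: it does not know which parent-child pairs are good or bad, it only tells you which ones are unusual on this machine, which is the shortlist worth checking against a clean install of the same build.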

Found a very suspicious file with Autoruns x64 (Not seen with x86 version): C:\Windows\system32\gatherNetworkInfo.vbs

Looks very sophisticated; I wouldn't be surprised if I have a rootkit or something, though I leave this evaluation to you guys since I'm not an expert in this matter. Thanks for your time.

VirusTotal scan: https://www.virustotal.com/gui/file/1c9337004cbd0e1e5c09bee609ee1991be3aa791c31f1c873e6d8f70c3c876d0/behavior


Welcome!

I'll be helping you with your computer.

Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.

Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary.

Let's begin... 

There are only orphaned entries in those logs. The gatherNetworkInfo.vbs is a legitimate Windows file. Let's perform a cleanup.

This Fix will empty the following folders:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns, please ask before running this fix.

The system will be rebooted after the fix has run.

FRST64 was saved as C:\Users\Daniel\Downloads\FRST64.exe

  • Download the enclosed file  Fixlist.txt
  • Save it in the same location FRST64 is saved. 
  • Start FRST (FRST64) with Administrator privileges
  • This time around Press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply.

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

1 hour ago, Madagascar said:

It has been known to VirusTotal vendors for years, is a product of Microsoft, and the one detection is a false positive. It is not malicious.

Edit:

C:\Windows\System32\gatherNetworkInfo.vbs


This free tool created by niemiro is a very good starting point for the diagnosis and repair of all Windows Update and System File Checker corruptions. We therefore need you to run this tool prior to collecting logfiles.

  • First download and run a copy of the tool from http://www.sysnative.com/niemiro/apps/SFCFix.exe.
  • Work through any on-screen prompts and then await completion (runtime can be upwards of 15 minutes depending on the options you selected during the on-screen prompts).
  • Once it has finished, if there are any unrepaired corruptions (the tool will notify you if it has succeeded in repairing all corruptions if they're simple in which case we're no longer needed) or unresolved problems with your computer, you need to post us the complete logfile which opens on exit. Simply copy (Ctrl-A, Ctrl-C) and paste (Ctrl-V) the entire logfile into your new reply (also known as a 'topic').

SFCFix version 3.0.2.1 by niemiro.
Start time: 2024-07-05 17:59:56.547
Microsoft Windows 10 Build 22631 - amd64
Not using a script file.


AutoAnalysis::
SUMMARY: No corruptions were detected.
AutoAnalysis:: directive completed successfully.


Successfully processed all directives.

Failed to generate a complete zip file. Upload aborted.


SFCFix version 3.0.2.1 by niemiro has completed.
Currently storing 0 datablocks.
Finish time: 2024-07-05 18:13:53.091
----------------------EOF-----------------------

system-log (mwb Anti-rootkit BETA).txt


Attach Malwarebytes Report:

  • Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.

 

View Reports and History in Malwarebytes for Windows v4
https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows

Malwarebytes for Windows v4 guide
https://support.malwarebytes.com/hc/en-us/articles/360038984693-Malwarebytes-for-Windows-v4-guide

 

View Scan and History reports in Desktop Security v5
https://support.malwarebytes.com/hc/en-us/articles/29233513949331-View-Scan-and-History-reports-in-Desktop-Security

Desktop Security guide v5
https://support.malwarebytes.com/hc/en-us/articles/28528342426131-Desktop-Security-guide

Attach the report.


@JSntgRvr Yes, I'm sorry, I didn't know this. Anyway, I have fully reset my PC via USB from the BIOS and I have now run sfc /scannow from an administrator cmd. It said it found a corrupted file and fixed it. The log file is attached below.


I'm having some of the same warnings/errors in Event Viewer that I had before the reset, though, and I do not know whether this is something I should fix or let be:

  • Event ID: 6155 LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard. (negoexts, kerberos, msv1_0, tspkg, pku2u, cloudap, wdigest, schannel, sfapm
  • Event ID: 219 The driver \Driver\WUDFRd failed to load for the device HID\VID_046D&PID_0AAA&MI_03&Col02\8&35c17930&0&0001.
  • Event ID: 27 The description for Event ID 27 from source e2fexpress cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. (Intel Ethernet Controller I225-V)
  • Event ID: 4101 Display driver nvlddmkm stopped responding and has successfully recovered.
  • Event ID: 5156 Windows Filtering has permitted a connection (via Application Name: \device\harddiskvolume3\windows\system32\svchost.exe, Destination Port: 5353, Destination Address: 224.0.0.251)

Event ID 5156 looks very suspicious to me, and it sends 3 of these logged events every second as long as the PC is powered on. On closer lookup I found two different svchost.exe files:

  • svchost1: C:\Windows\WinSxS\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.22621.1_none_17512554f90bee24
  • svchost2: C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.22621.1_none_21a5cfa72d6cb01f

The other legitimate svchost paths: %SystemRoot%\System32\svchost.exe and %SystemRoot%\SysWOW64\svchost.exe

Analysis with VirusTotal: svchost1 came up as clean, but svchost2 matched a critical Sigma rule: "Typical Dridex Process Pattern" & "Detects logon with 'Special groups' and 'Special Privileges'".

Also worth noting that yesterday, before resetting my PC, I booted into safe mode and quickly opened Sysinternals TCPView. I noted two very suspicious remote IPs/DNS servers, one pointing to China and the other one pointing to Germany, through port 80. I have these written down. I have never seen these on a regular boot; upon searching them on AbuseIPDB they were reported as C2 servers, bruteforcing ports, port scanning, etc.

CBS.log

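Two things in the post above lend themselves to a scripted check rather than a hunch: the extra svchost.exe copies and the constant stream of 5156 events. The PowerShell below is an added example, not code from this thread or from any of the tools used in it, and it assumes an elevated session. It lists every svchost.exe under the Windows directory with version, SHA-256 and Authenticode status, and it groups 5156 events by process, direction and destination. Two facts frame the output: WinSxS is the Windows component store, so amd64 and wow64 copies of svchost.exe there are expected, and System32\svchost.exe is normally a hard link to the amd64 WinSxS copy and should hash identically (the wow64 copy is the 32-bit build and will differ); and 224.0.0.251 port 5353 is the mDNS multicast group, while 5156 fires for every permitted flow once Filtering Platform Connection auditing is on, which is what produces several events per second. The grouping pushes that bulk to the top so that rare destinations stay visible underneath.

```powershell
# Added example, not from the thread. Run in an elevated Windows PowerShell (5.1+) session.

function Get-SvchostCopies {
    # Every svchost.exe under %SystemRoot% (System32, SysWOW64 and the WinSxS component
    # store) with hash and signature state. System32\svchost.exe is normally a hard link
    # to the amd64 WinSxS copy, so those two SHA-256 values should be identical.
    # Caveat: many Windows binaries are catalog-signed rather than carrying an embedded
    # signature, so a NotSigned status from Get-AuthenticodeSignature is not by itself
    # evidence of tampering; HashMismatch, or a hash that differs from the WinSxS copy, is.
    Get-ChildItem -Path $env:SystemRoot -Filter svchost.exe -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $_.VersionInfo.FileVersion
                SHA256  = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                Status  = $sig.Status
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

function Get-PermittedConnectionSummary {
    # Security 5156 = "The Windows Filtering Platform has permitted a connection".
    # The Application field is an NT device path (\device\harddiskvolumeN\...), not a
    # drive-letter path. Group by process/direction/destination so the repetitive
    # flows (e.g. svchost.exe -> 224.0.0.251:5353 mDNS) separate from rare ones.
    param([int]$MaxEvents = 5000)
    $dirNames = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($x in $xml.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
            [pscustomobject]@{
                Application = $d['Application']
                Direction   = $dirNames[$d['Direction']]
                Destination = "$($d['DestAddress']):$($d['DestPort'])"
                Protocol    = $d['Protocol']   # IP protocol number: 6 = TCP, 17 = UDP
            }
        } |
        Group-Object Application, Direction, Destination, Protocol |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count       = $_.Count
                Application = $_.Group[0].Application
                Direction   = $_.Group[0].Direction
                Destination = $_.Group[0].Destination
                Protocol    = $_.Group[0].Protocol
            }
        }
}

# Usage:
Get-SvchostCopies | Format-Table -AutoSize -Wrap
Get-PermittedConnectionSummary | Select-Object -First 25 | Format-Table -AutoSize
```

Reading the output: the top rows of the connection summary are the noise floor for this machine (multicast discovery, update traffic and the like); the rows with a count of one or two to an unfamiliar public address are the ones to resolve and look up. For the file list, identical hashes between System32 and the amd64 WinSxS entry plus a Microsoft signer is the expected state; anything else is worth raising in the thread.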

FRST64 was saved as C:\Users\Daniel\Downloads\FRST64.exe

  • Download the enclosed file  Fixlist.txt
  • Save it in the same location FRST64 is saved. 
  • Start FRST (FRST64) with Administrator privileges
  • This time around Press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply.

Restart the computer.

You seem to be having problems with Windows Activation.

Open the Command Prompt as an administrator. To do so, right-click Command Prompt and click Run as administrator.
You must be signed in to Windows with an administrative account in order to open the Command Prompt as an administrator.

First, to display your product key, type the following command and press Enter.

wmic path softwareLicensingService get OA3xOriginalProductKey

Then follow these steps to activate Windows and let me know the outcome.

Activate Windows 11 Tutorial | Windows 11 Forum (elevenforum.com)
