Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Microsoft just killed the Windows 10 Beta Channel again

Featured Deal: Study ethical hacking in this comprehensive $40 course bundle deal

Latest Buyer's Guide: PureVPN review: How good is it in 2024?

The computer behaves suspiciously(maybe RaT or dropper i think)

Started by rubyheart , Nov 11 2024 02:05 PM

Prev

Next

Please log in to reply

42 replies to this topic

#16 rubyheart

Topic Starter

Members
28 posts
ONLINE

Local time:04:14 PM

Posted Yesterday, 12:24 PM

Frst not responding after I using this script

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#17 rubyheart

Topic Starter

Members
28 posts
ONLINE

Local time:04:14 PM

Posted Yesterday, 12:29 PM

Результаты исправления Farbar Recovery Scan Tool (x64) Версия: 14-11-2024
Запущено с помощью ltvn.adm (14-11-2024 20:22:09) Run:6
Запущено из C:\Users\ltvn.adm\Desktop\_Utilities
Загруженные профили: ltvn.adm
Режим загрузки: Normal
==============================================

fixlist содержимое:
*****************
Start::
CreateRestorePoint:
CloseProcesses:
2024-11-11 09:55 - 2024-11-11 12:48 - 001013552 _ C:\WINDOWS\SysWOW64\AppRulesStorage-wal
2024-11-11 09:55 - 2024-11-11 09:55 - 000032768 _ C:\WINDOWS\SysWOW64\DnsStorage-shm
2024-11-11 09:55 - 2024-11-11 09:55 - 000032768 _ C:\WINDOWS\SysWOW64\AppRulesStorage-shm
2024-11-11 09:55 - 2024-11-11 09:55 - 000000000 _ C:\WINDOWS\SysWOW64\DnsStorage-wal
2024-11-11 08:27 - 2024-06-29 10:02 - 000012288 _ C:\WINDOWS\SysWOW64\AppRulesStorage
Emptytemp:
End::
*****************

Точка восстановления была успешно создана.
Процессы успешно завершились.
"C:\WINDOWS\SysWOW64\AppRulesStorage-wal" => не найдено
"C:\WINDOWS\SysWOW64\DnsStorage-shm" => не найдено
"C:\WINDOWS\SysWOW64\AppRulesStorage-shm" => не найдено
"C:\WINDOWS\SysWOW64\DnsStorage-wal" => не найдено
C:\WINDOWS\SysWOW64\AppRulesStorage => успешно перемещены

=========== EmptyTemp: ==========

FlushDNS => завершено
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 8595751 B
Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 0 B
Windows/system/drivers => 33722 B
Edge => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 19954 B
NetworkService => 21134 B

Attached Files

Fixlog (1).txt 1.9KB 0 downloads

Back to top

#18 rubyheart

Topic Starter

Members
28 posts
ONLINE

Local time:04:14 PM

Posted Yesterday, 12:33 PM

Sorry, I jumped to conclusions, left it for 10 minutes. the script has completed, I am attaching the current log, you can ignore previous messages

Attached Files

Fixlog (2).txt 2.33KB 1 downloads

Back to top

#19 dennis_l

Malware Response Team
4,142 posts
OFFLINE

Gender:Male
Location:UK
Local time:01:14 PM

Posted Yesterday, 02:08 PM

Ok good.
Please now run a scan with AdwCleaner.
Please download AdwCleaner.

Close all open programs and browsers
Right click on the icon and select Run as administrator
Click Scan Now
When the scan has finished AdwCleaner shows you all detected PUPs and adware.
If any are found, select them and click Quarantine. (I would suggest that you do not select Pre-installed applications for now, or any other items you wish to keep.)
AdwCleaner prompts you to save and close your work before continuing. Click Continue.
After cleaning, you are prompted to restart your device. Click Restart now to complete the cleanup process.

Once your computer has restarted ...

If it doesn't open automatically, please start AdwCleaner.
Click on View Log File button (This log can also be found in the Log Files tab).
A Notepad file will open containing the results.
Click Skip Basic Repair (if the option appears)
Please post the contents of the file in your next reply.

-------------------------------------------------------------
The run a FULL scan with ESET Online Scanner as follows.

Download ESET Online Scanner from here and save it to your Desktop.
Right click the esetonlinescanner.exe file you downloaded and select Run as administrator.
Select your desired language from the drop-down menu and click Get started.
Click Yes if a User Account window appears.
In the Terms of use screen, click Accept if you agree to the Terms of use.
Click Get started in the welcome screen.
Select your preference for the Customer Experience Improvement Program and the Detection feedback system.Click Continue.
Click Computer scan, in the Welcome back screen.
Choose Full scan on the next screen.
Select Enable ESET to detect and quarantine potentially unwanted applications.Then click Start scan
Please note that this process can take several hours to complete.
At the end of the scan, the Found and resolved detections screen may be displayed. You can click View detailed results to view specific information. Click Continue.
On the following screen click Save scan log and save it to your Desktop as ESETScan.txt. Click Continue.
ESET Online Scanner will now ask if you wish to turn on the Periodic Scan feature.I suggest that you do not do this for now Click Continue
You are offered a 30 day trial of ESET Internet Security on the next screen. Click Continue
On the next screen, you can leave feedback about the program if you wish.
There is an option to delete the application's data on closing, but we can but we can do this later.
If you left feedback, click Submit and Close. If not, click Close.
Copy and paste the contents of the ESETScan.txt file in your next reply.

Back to top

#20 rubyheart

Topic Starter

Members
28 posts
ONLINE

Local time:04:14 PM

Posted Yesterday, 08:35 PM

# -------------------------------

# Malwarebytes AdwCleaner 8.4.2.0

# -------------------------------

# Build: 03-04-2024

# Database: 2024-10-23.4 (Cloud)

# Support: https://www.malwarebytes.com/support

#

# -------------------------------

# Mode: Scan

# -------------------------------

# Start: 11-15-2024

# Duration: 00:00:04

# OS: Windows 11 (Build 22631.4317)

# Scanned: 32086

# Detected: 0

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.

AdwCleaner[S00].txt - [1420 octets] - [08/08/2024 09:01:11]

AdwCleaner[C00].txt - [1610 octets] - [08/08/2024 09:01:29]

AdwCleaner[S01].txt - [1542 octets] - [08/08/2024 09:01:52]

AdwCleaner[C01].txt - [1732 octets] - [08/08/2024 09:01:57]

AdwCleaner_Debug.log - [16978 octets] - [08/08/2024 09:07:35]

AdwCleaner[S02].txt - [1726 octets] - [08/08/2024 09:07:47]

AdwCleaner[C02].txt - [2162 octets] - [08/08/2024 09:08:04]

AdwCleaner[S03].txt - [1848 octets] - [08/08/2024 09:08:39]

AdwCleaner[C03].txt - [2284 octets] - [08/08/2024 09:08:44]

AdwCleaner[S04].txt - [1971 octets] - [15/11/2024 04:33:57]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S05].txt ##########

Attached Files

AdwCleaner_Debug.log 18.92KB 0 downloads
AdwCleanerS05.txt 1.98KB 0 downloads
AdwCleanerS04.txt 1.92KB 0 downloads
AdwCleanerS03.txt 1.8KB 0 downloads

Edited by rubyheart, Yesterday, 08:38 PM.

Back to top

#21 rubyheart

Topic Starter

Members
28 posts
ONLINE

Local time:04:14 PM

Posted Yesterday, 08:40 PM

ESET NOT WORKING. After installing a module update, percentage goes to 4444% and application closes. How to attach a image?

Back to top

#22 rubyheart

Topic Starter

Members
28 posts
ONLINE

Local time:04:14 PM

Posted Yesterday, 08:44 PM

I can attach an error from the windows event log.

Имя сбойного приложения: ESETOnlineScanner.exe, версия: 10.34.8.0, метка времени: 0x65f09154

Имя сбойного модуля: ntdll.dll, версия: 10.0.22621.4317, метка времени: 0xe4ff17f1

Код исключения: 0xc0000008

Смещение ошибки: 0x000aaafa

Идентификатор сбойного процесса: 0x0x3EB0

Время запуска сбойного приложения: 0x0x1DB36FF391A5FC3

Путь сбойного приложения: C:\Users\ltvn.adm\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe

Путь сбойного модуля: C:\WINDOWS\SYSTEM32\ntdll.dll

Идентификатор отчета: d846edc2-0813-42af-82da-4424ad9f86b6

Полное имя сбойного пакета:

Код приложения, связанного со сбойным пакетом:

- System

- Provider

[ Name] Application Error [ Guid] {a0e9b465-b939-57d7-b27d-95d8e925ff57}

EventID 1000 Version 0 Level 2 Task 100 Opcode 0 Keywords 0x8000000000000000 - TimeCreated

[ SystemTime] 2024-11-15T01:42:01.1499841Z

EventRecordID 1872 Correlation - Execution

[ ProcessID] 2256 [ ThreadID] 15912

Channel Application Computer LTVN - Security

[ UserID] S-1-5-21-620569670-1499795328-534050024-1001

- EventData

AppName ESETOnlineScanner.exe AppVersion 10.34.8.0 AppTimeStamp 65f09154 ModuleName ntdll.dll ModuleVersion 10.0.22621.4317 ModuleTimeStamp e4ff17f1 ExceptionCode c0000008 FaultingOffset 000aaafa ProcessId 0x3eb0 ProcessCreationTime 0x1db36ff391a5fc3 AppPath C:\Users\ltvn.adm\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe ModulePath C:\WINDOWS\SYSTEM32\ntdll.dll IntegratorReportId d846edc2-0813-42af-82da-4424ad9f86b6 PackageFullName PackageRelativeAppId

Контейнер ошибки 1439270301223854834, тип 1

Имя события: APPCRASH

Отклик: Нет данных

Идентификатор CAB: 0

Сигнатура проблемы:

P1: ESETOnlineScanner.exe

P2: 10.34.8.0

P3: 65f09154

P4: ntdll.dll

P5: 10.0.22621.4317

P6: e4ff17f1

P7: c0000008

P8: 000aaafa

P9:

P10:

Вложенные файлы:

\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.0e03506c-c914-4c65-9541-cf96b93d86c6.tmp.mdmp

\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.9e4b0c5c-b536-4726-afef-06bb3a562944.tmp.WERInternalMetadata.xml

WPR_initiated_DiagTrackMiniLogger_OneTrace_User_Logger_20240808_1_EC_0_inject.etl

\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.0c759398-37f6-4fe5-b9b5-1ee278973690.tmp.etl

WPR_initiated_DiagTrackMiniLogger_WPR System Collector_inject.etl

\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.78f9e0c7-cf7f-4232-8c20-79bc456a4f34.tmp.etl

\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.405a1258-77f9-4d24-96f8-bd18d2e718ef.tmp.csv

\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.ace52065-2911-4609-92de-4a578b82826b.tmp.txt

\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.ca01b1d6-b507-48df-98f1-64234a9b4cf1.tmp.xml

Эти файлы можно найти здесь:

\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_ESETOnlineScanne_c4c77e18f537587c6c14fa706fe26f59c17b7e3_2bf716eb_d3540ac8-967d-41d6-8dbe-2fadbaccc342

Символ анализа:

Повторный поиск решения: 0

Идентификатор отчета: d846edc2-0813-42af-82da-4424ad9f86b6

Состояние отчета: 268435456

Хэшированный контейнер: c008eaf25114a8dd83f950b6a037a2f2

Идентификатор GUID CAB: 0

- System

- Provider

[ Name] Windows Error Reporting [ Guid] {0ead09bd-2157-539a-8d6d-c87f95b64d70}

EventID 1001 Version 0 Level 4 Task 0 Opcode 0 Keywords 0x8000000000000000 - TimeCreated

[ SystemTime] 2024-11-15T01:42:03.5013235Z

EventRecordID 1873 Correlation - Execution

[ ProcessID] 2256 [ ThreadID] 15912

Channel Application Computer LTVN - Security

[ UserID] S-1-5-21-620569670-1499795328-534050024-1001

- EventData

Bucket 1439270301223854834 BucketType 1 EventName APPCRASH Response Нет данных CabId 0 P1 ESETOnlineScanner.exe P2 10.34.8.0 P3 65f09154 P4 ntdll.dll P5 10.0.22621.4317 P6 e4ff17f1 P7 c0000008 P8 000aaafa P9 P10 AttachedFiles \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.0e03506c-c914-4c65-9541-cf96b93d86c6.tmp.mdmp \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.9e4b0c5c-b536-4726-afef-06bb3a562944.tmp.WERInternalMetadata.xml WPR_initiated_DiagTrackMiniLogger_OneTrace_User_Logger_20240808_1_EC_0_inject.etl \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.0c759398-37f6-4fe5-b9b5-1ee278973690.tmp.etl WPR_initiated_DiagTrackMiniLogger_WPR System Collector_inject.etl \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.78f9e0c7-cf7f-4232-8c20-79bc456a4f34.tmp.etl \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.405a1258-77f9-4d24-96f8-bd18d2e718ef.tmp.csv \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.ace52065-2911-4609-92de-4a578b82826b.tmp.txt \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.ca01b1d6-b507-48df-98f1-64234a9b4cf1.tmp.xml StorePath \\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_ESETOnlineScanne_c4c77e18f537587c6c14fa706fe26f59c17b7e3_2bf716eb_d3540ac8-967d-41d6-8dbe-2fadbaccc342 AnalysisSymbol Rechecking 0 ReportId d846edc2-0813-42af-82da-4424ad9f86b6 ReportStatus 268435456 HashedBucket c008eaf25114a8dd83f950b6a037a2f2 CabGuid 0

Back to top

#23 dennis_l

Malware Response Team
4,142 posts
OFFLINE

Gender:Male
Location:UK
Local time:01:14 PM

Posted Today, 03:47 AM

ESET can be temperamental sometimes.
Let's use an alternative scanner instead.
Please run a scan with Emsisoft Emergency Kit.

Download and save the installation file from here.
Double-click on the Emsisoft Emergency Kit setup file to start the installation process and then click on the Install button.
You may be presented with a User Account Control warning, asking you if you want to run this file. Click Yes to continue.
The downloaded package unpacks to “C:\EEK” by default and this folder now opens on your screen.
To start Emsisoft, double-click on the Start Emergency Kit Scanner icon in this folder.
You may get another User Account Control warning. Click Yes to continue.
Accept the Licence Agreement.
When you launch the program for the first time, Emsisoft Emergency Kit will automatically download updates. The Scan tab changes from orange to green when the update process is completed.
Leave the settings unchanged, which include detection of Potentially Unwanted Programs.
Now click on Malware Scan in the Scan button.
When the Emsisoft scan has finished, you will see a screen reporting details of any malicious files found on your computer.(Close the pop up inviting installation of Emsisoft protection)
Click Quarantine selected objects. (Note, this option is only shown if malicious objects were detected during the scan)
You may be asked to restart your computer.
When the threats have been quarantined, click the View Report button in the lower-right corner and the scan log will open in Notepad. The logs can also be accessed in the left hand menu bar.
Please save this log on your desktop and post the contents into your next reply.
When you close Emsisoft Emergency Kit it asks if you wish to sign up for a newsletter. This is optional, and does not affect the malware removal process.