Computer attempts to login as Guest to each networked PC


  • This topic is locked
31 replies to this topic

#1 BASystems


Posted 20 June 2018 - 04:47 PM

Please help me trace down this worrisome issue.  I have a couple of computers on this network that seem to be attempting to log in to each other network PC as guest every 3 hours or so.  The Guest accounts are all disabled, but we are still getting alerts about the failed logins.  This computer is not used much, so I have a good candidate for any scanning or fixing you recommend.

Thanks,

BA

Attached File: Addition.txt (24.87KB)
Attached File: FRST.txt (49.54KB)





#2 Jo*


Posted 20 June 2018 - 05:15 PM

Welcome to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification, if you have any questions.
  • Stay with this topic until you get the all clean post.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


Step 1: Please download Security Analysis by Rocket Grannie from here
  • Save it to your Desktop.
  • Close your security software to avoid potential conflicts.
  • Double click RGSA.exe
  • Click OK on the copyright-disclaimer
  • When finished, a Notepad window will open with the results of the scan.
  • The log named SALog.txt can also be found on the Desktop or in the same folder from where the tool is run if installed elsewhere.
  • Please copy and paste the contents of that log in this topic.
  • Note: If you get a Warning from Windows about running the program, click on More info and then click Run Anyway to run it even though Windows says it might put your PC at risk.

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double-click the downloaded file. Click OK on the self-extracting prompt.
  • MBAR will start. Click "Next" in the introduction screen to continue.
  • Click "Update" in the following screen to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 3: Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 BASystems


Posted 20 June 2018 - 05:45 PM

Here are the files you asked for.  MBAR did not find Malware.

Attached File: SALog.txt (967bytes)
Attached File: AdwCleanerS00.txt (1.71KB)



#4 Jo*


Posted 20 June 2018 - 06:01 PM

Hello,

Step 1: Run Malwarebytes Anti-Rootkit again: Double click mbar.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Scan your system for malware
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Then please go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 2: Double click on AdwCleaner.exe to run the tool again.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***


Step 3: How is the computer running now?



***


Step 4: Please download Zemana AntiMalware and save it to your Desktop.
- Start it...
- Without changing any options, press Scan to begin.
After the short scan is finished, if threats are detected press Next to remove them.

Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.

- Open Zemana AntiMalware again.
- Click on icon and double click the latest report.
- Now click File > Save As and choose your Desktop before pressing Save.
The only thing left is to attach the saved report in your next message.


Step 5: FRST / FRST64: run it again.
  • Right-click FRST / FRST64 then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Put a check into the box next to Addition.txt. Then press the Scan button.
  • When finished, it will produce logs called FRST.txt and Addition.txt in the same directory the tool was run from.
  • Please copy and paste both logs in your next reply.

Edited by Jo*, 20 June 2018 - 06:02 PM.



#5 Jo*


Posted 25 June 2018 - 05:18 PM


Hi,

it has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems and still need help.

Note: Thread will be closed if no response within 3 days.



#6 BASystems


Posted 25 June 2018 - 06:14 PM

The computer has been shut down and I can't access it remotely.  I will update you soon.



#7 BASystems


Posted 27 June 2018 - 02:44 PM

Sorry for the delay.  I was attempting to keep up with the assigned tasks remotely but I inadvertently shut down the computer instead of restarting.

The MBAR scan did not find Malware.

Adwcleaner was run and allowed to Clean.
Attached File: AdwCleanerC01.txt (1.75KB)

Zemana scan was clean.
Attached File: 2018.06.27-15.28.46-i0-t92-d0.txt (815bytes)

Frst logs attached.
Attached File: FRST.txt (51.01KB)
Attached File: Addition.txt (25.38KB)

As an update, I now have an additional computer that is attempting to log in to each computer as guest approximately every 3 hours.

Please advise.



#8 Jo*


Posted 28 June 2018 - 02:04 AM

Copy FRST / FRST64.exe to your desktop!

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt



Start::
CreateRestorePoint:
CloseProcesses:
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Engine\21.5.0.19\IPS\IPSBHO.DLL => No File
Toolbar: HKU\S-1-5-21-210943464-601019782-2743124420-1236 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
R2 trufos; C:\Windows\System32\DRIVERS\trufos.sys [438840 2018-05-24] (BitDefender S.R.L.)
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
S3 NAVENG; \??\C:\Program Files\Symantec.cloud\EndpointProtectionAgent\NortonData\22.9.3.13\Definitions\SDSDefs\20170204.002\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\Program Files\Symantec.cloud\EndpointProtectionAgent\NortonData\22.9.3.13\Definitions\SDSDefs\20170204.002\NAVEX15.SYS [X]
CustomCLSID: HKU\S-1-5-21-210943464-601019782-2743124420-1236_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\Seth\AppData\Local\Citrix\GoToMeeting\4190\G2MOutlookAddin64.dll => No File
End::

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST / FRST64 again as Administrator like we did before but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.

How is the computer running now?



#9 BASystems


Posted 29 June 2018 - 10:15 AM

I've run the scan as requested.
Attached File: Fixlog.txt (2.78KB)

Unfortunately, I am still seeing this system attempt to log in to each other networked computer about every 3 hours.

Please advise.



#10 Jo*


Posted 29 June 2018 - 10:41 AM

Are you able to run this PC from the Recovery Environment as well?

---

We now will run ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Then enable your anti virus program(s).



#11 BASystems


Posted 29 June 2018 - 11:13 AM

I am unsure what you mean by Recovery Environment.  I was able to run Combofix.
Attached File: ComboFix.txt (22.34KB)

Thanks again for your help!



#12 Jo*


Posted 29 June 2018 - 11:25 AM

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt

Start::
VirusTotal: C:\Windows\System32\DRIVERS\trufos.sys
End::

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST / FRST64 again as Administrator like we did before but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.

---

If the problem after the Combofix scan still exists, we could be forced to use Recovery Environment.

In that case I would need 2 or 3 days for research and preparing that.

This is RE:


Boot in the Recovery Environment
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press on Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.

Edited by Jo*, 29 June 2018 - 01:36 PM.



#13 BASystems


Posted 03 July 2018 - 09:47 AM

Sorry for the delay, here is the log:
Attached File: Fixlog.txt (641bytes)



#14 Jo*


Posted 03 July 2018 - 10:02 AM

Log on to all your Windows user accounts now - without restarting!

FRST / FRST64: run it again.
  • Right-click FRST / FRST64 then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Put a check into the box next to Addition.txt. Then press the Scan button.
  • When finished, it will produce logs called FRST.txt and Addition.txt in the same directory the tool was run from.
  • Please copy and paste both logs in your next reply.
-----

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants. Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process. Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



#15 BASystems


Posted 03 July 2018 - 10:07 AM

So you want me to run FRST and TDSSKiller as each user profile?  They are not needed, so I can delete all but the active user.





