Defender skips scanning an element because of exclusion or network settings


  • This topic is locked
12 replies to this topic

#1 sajagin (Members, 13 posts)

Posted 06 July 2018 - 08:35 AM

Hi guys,

Yesterday I got a trojan named O97M/DPlink.A on Win 10.

Windows Defender did not want to delete it at first. Then it did. After playing with a few removal tools, it seemed to finally be deleted.

Since then, after every Defender check, I receive the message: "Windows Defender Antivirus skipped an element because of exclusion or network settings."

There is nothing in the exclusions. Even though, yesterday I gave it a permit after Defender asked me.

Anyway, this isn't adding it to the exclusions.

I suspect that the trojan is still somewhere in there and is doing something, because for the last two years Defender has only been telling me that nothing was found after the scan.

I have attached a screenshot of the trojan and a *.log file from HijackThis.

Maybe someone who is an old hand at this can give a hand here.

Thanks a lot!

P.S. There were actually two trojans, which spread after launching an infected setup.exe. I've just added the second screenshot too. It was on a mounted *.iso file, as partition G:\

Attached Files


Edited by sajagin, 06 July 2018 - 02:52 PM.
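An added check, not part of sajagin's post or of anything nasdaq later asked for: the Defender message in the thread title is produced when a scan hits something covered by Defender's exclusion lists or by its network-scanning switches, and the Windows Security GUI only shows exclusions set through the GUI itself. The PowerShell below (assumed to be run in an elevated shell on Windows 10, where the built-in Defender module provides Get-MpPreference) dumps the preference-level exclusions, the exclusions defined by policy or directly in the registry, the two network-scanning switches, and the most recent detection (1116), remediation (1117) and configuration-change (5007) events from the Defender operational log. The registry paths are the ones Defender uses on Windows 10; reading the non-policy key is assumed to need elevation.

```powershell
# Added example, not from the thread: dump the Defender settings that decide whether an item is
# skipped "because of exclusion or network scanning settings". Windows 10, elevated PowerShell.

function Get-DefenderSkipSettings {
    $pref = Get-MpPreference
    $exclusions = [System.Collections.Generic.List[object]]::new()

    # Exclusions set through the GUI or Set-MpPreference; an empty list means nothing is excluded here.
    foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess', 'ExclusionIpAddress') {
        foreach ($value in @($pref.$kind)) {
            if ($value) { $exclusions.Add([pscustomobject]@{ Source = 'Preference'; Kind = $kind; Value = $value }) }
        }
    }

    # Exclusions pushed by policy, or written straight into the registry, never show up in the Security Center UI.
    # Assumption: the second (non-policy) key may only be readable from an elevated shell.
    $keys = [ordered]@{
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths' = 'Policy'
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'          = 'Registry'
    }
    foreach ($key in $keys.Keys) {
        if (Test-Path $key) {
            foreach ($name in (Get-Item $key).Property) {
                $exclusions.Add([pscustomobject]@{ Source = $keys[$key]; Kind = 'Path'; Value = $name })
            }
        }
    }

    [pscustomobject]@{
        Exclusions                  = $exclusions
        DisableScanningNetworkFiles = $pref.DisableScanningNetworkFiles
        DisableScanningMappedDrives = $pref.DisableScanningMappedNetworkDrivesForFullScan
    }
}

$settings = Get-DefenderSkipSettings

'== Exclusions =='
if ($settings.Exclusions.Count) { $settings.Exclusions | Format-Table -AutoSize } else { '(none)' }

'== Network scanning (True = files on network shares / mapped drives are skipped) =='
$settings | Select-Object DisableScanningNetworkFiles, DisableScanningMappedDrives | Format-List

# Recent Defender detections (1116), remediation actions (1117) and configuration changes (5007).
'== Recent Defender events =='
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117, 5007 } `
    -MaxEvents 25 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

If the exclusion table is empty and both network switches are False, the skipped item was not skipped because of anything this machine's configuration says, and the 1116/1117 events tell you what Defender actually saw and did on the dates the GUI claimed "nothing found".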



#2 nasdaq (Malware Response Team, 39,909 posts, Montreal, QC, Canada)

Posted 07 July 2018 - 08:07 AM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

HijackThis is no longer supported and is not ready for your operating system.
I suggest you remove it via Control Panel > Programs > Programs and Features.
Use the Farbar Recovery Scan Tool from now on to report problems.
<<<>>>

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Click "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Wait for further instructions.

#3 sajagin (Topic Starter)

Posted 07 July 2018 - 02:36 PM

Hello nasdaq, :)

Thank you for your reply and the kind welcome. I am happy to be a member of BleepingComputer.

To the point: I followed your instructions, but I couldn't manage to upload the two text files which were created by Farbar. On every try I received the message:

Error No file was selected for upload

I tried with both the basic and the advanced file uploader, and with both Firefox and Edge.

Should I post the text as plain text? Just in case, I uploaded them to Google Drive: Addition.txt and FRST.txt

By the way: Defender is going nuts. Today it showed me that there were 9 threats after the automated scan. I clicked on the message in the Win10 sidebar to take a look. Defender opened, and there was nothing! Everything clean. So! I did a new full scan with Defender, and guess what, because there was something suspicious during the scan, it told me about the new cloud feature and directed me to the MS page with information about the "Block at first sight" feature. I followed the instructions and enabled everything. After the scan there was nothing.

Thank you!

Kind regards,

Daniel


Edited by sajagin, 08 July 2018 - 09:41 AM.


#4 nasdaq

Posted 08 July 2018 - 08:15 AM

Hi,

I cannot get to Google to see the files.

Have you tried to click the Choose a File button?
Then navigate to the folder where the files are located.
Click the file (FRST.TXT).
Click Attach this file.

Repeat the instructions for the Addition.txt file.

Click Add reply.

You did it when you attached the Hijackthis.log.

#5 sajagin (Topic Starter)

Posted 08 July 2018 - 09:44 AM

Hi nasdaq,

It worked today with the basic uploader; yesterday, for some reason, it didn't want to. I also edited the G-Drive permissions for the two links (just in case).

I hope you can finally take a look at the logs :)

Greetings

Attached Files



#6 nasdaq

Posted 08 July 2018 - 01:43 PM

ATTENTION: System Restore is disabled
Turn System Restore On for Drives in Windows 10
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ACHTUNG
HKU\S-1-5-21-2120262504-1198491942-3011422282-1005\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
GroupPolicy\User: Beschränkung ? <==== ACHTUNG
HKLM\SYSTEM\CurrentControlSet\Services\45834546F9C1C770 <==== ACHTUNG (Rootkit!)

Task: {76562CEC-A0EA-4B52-8B48-BC551C278AF3} - System32\Tasks\AutoKMS => C:\WINDOWS\AutoKMS\AutoKMS.exe [2018-05-30] ()
Task: {95AF2D04-F0D5-45B3-86EC-1CE671FE6E14} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> Keine Datei <==== ACHTUNG
Task: {E76AA72B-7A33-46B3-AC0A-EEC3952AF81C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> Keine Datei <==== ACHTUNG
C:\WINDOWS\AutoKMS\AutoKMS.exe

Reboot:

End
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Malwarebytes Anti-Rootkit

Please download Anti-Rootkit BETA and save it to your Desktop. <check the version below....
  • Right-click on the icon and select Run as administrator to start the extraction of the program;
  • Click Yes to accept the security warning that may appear;
  • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
  • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
  • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
  • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back to the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
  • Please copy and paste the entire content of that log in your next reply.
If you have any problems running either one, come back and let me know.
===

Please let me know what problem persists with this computer.
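An added example, not part of nasdaq's instructions and not something FRST does for you: once the fix and the MBAR scan have run, the classes of finding the fixlist targeted can be re-checked from an elevated PowerShell so that a reappearance (a sign the removal did not hold) is caught without waiting for another FRST log. The assumptions are labelled in the code: the "Group Policy restriction on software" FRST reported against mrt.exe is taken to be a Software Restriction Policy path rule, which lives under Safer\CodeIdentifiers in HKLM for machine policy and HKCU for user policy; the service FRST tagged as a rootkit has a name that is a bare 16-character hex string, so every service with that shape is reported; AutoKMS is checked by the task name and file path that appear in the fixlist; and the two gwx tasks are used as the model for "task whose executable no longer exists".

```powershell
# Added example, not from the thread: re-check the indicator classes targeted by the FRST fixlist.
# Run from an elevated PowerShell on the cleaned machine.

function Find-FixlistLeftovers {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Software Restriction Policy path rules at level 0 (Disallowed), in machine and user policy.
    #    Assumption: this is where the restriction on mrt.exe was stored; a home PC normally has none.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $paths = "$hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"
        if (Test-Path $paths) {
            foreach ($rule in Get-ChildItem $paths) {
                $target = (Get-ItemProperty $rule.PSPath).ItemData
                $findings.Add("SRP disallow rule in $hive $target")
            }
        }
    }

    # 2. Services whose name is a bare 16-hex-character string, the shape of the service FRST
    #    flagged as a rootkit. Assumption: Windows components do not use such names.
    foreach ($svc in Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services) {
        if ($svc.PSChildName -match '^[0-9A-Fa-f]{16}$') {
            $image = (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
            $findings.Add("Hex-named service: $($svc.PSChildName) ImagePath=$image")
        }
    }

    # 3. AutoKMS (an activation crack that antivirus products flag as a hack tool): task and file.
    $task = Get-ScheduledTask -TaskName 'AutoKMS' -ErrorAction SilentlyContinue
    if ($task) { $findings.Add("Scheduled task present: $($task.TaskPath)$($task.TaskName) -> $($task.Actions.Execute)") }
    $exe = Join-Path $env:SystemRoot 'AutoKMS\AutoKMS.exe'
    if (Test-Path $exe) { $findings.Add("File present: $exe") }

    # 4. Scheduled tasks whose executable no longer exists (the two gwx tasks were such orphans).
    foreach ($t in Get-ScheduledTask -TaskPath '\Microsoft\Windows\Setup\gwx\' -ErrorAction SilentlyContinue) {
        foreach ($action in $t.Actions) {
            $cmd = $action.Execute
            if ($cmd) {
                $resolved = [Environment]::ExpandEnvironmentVariables($cmd.Trim('"'))
                if (-not (Test-Path $resolved) -and -not (Get-Command $resolved -ErrorAction SilentlyContinue)) {
                    $findings.Add("Orphaned task: $($t.TaskPath)$($t.TaskName) -> $cmd")
                }
            }
        }
    }

    return $findings
}

$left = Find-FixlistLeftovers
if ($left.Count) { $left } else { 'No leftover indicators from the fixlist found.' }
```

A non-empty result is a reason to post a fresh FRST log rather than to delete things by hand: as nasdaq says further down, a hand-written fixlist that removes the wrong service can leave the machine unbootable.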

#7 sajagin (Topic Starter)

Posted 08 July 2018 - 04:21 PM

Hi nasdaq,

There was a lot to do. But I did everything you described, even though I enabled System Restore and created the restore point after the FRST scan and fix.

I think there were a few baddies on the system (like macros, KMS stuff, rootkits as you wrote, and maybe others). I deleted everything that was detected and offered to be deleted.

I really hope that Windows is fine now. I have attached the two files below.

Thank you so much!

Lots of Blessings :)

Attached Files


Edited by sajagin, 08 July 2018 - 04:21 PM.


#8 nasdaq

Posted 09 July 2018 - 10:01 AM

Hi,

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===
===

#9 sajagin (Topic Starter)

Posted 11 July 2018 - 02:40 AM

> Hi,
>
> If all is well.
>
> To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
> http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
>
> https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
> Simple and easy ways to keep your computer safe and secure on the Internet.
> ===

Hi nasdaq, once again, thanks a lot. I can say that my computer is performing a bit faster and more smoothly now.

I will also take a look at the pages you shared and will be applying the good tips that BleepingComputer has suggested there.

Just want to ask: can I apply the FRST tool to any computer without the fix file that you created, just scanning and then fixing?

Regards,

Daniel :)

P.S. As I know BleepingComputer from Heise, here is some good information which I can suggest to be added to BleepingComputer's security tips. It is a topic about the Windows certificate system, and that more and more trojans install their own root CAs in Windows to sign their malicious programs or to manipulate web page calls. It says that such leftovers are often not discovered in the context of a cleanup and consequently not removed. They offer a tool from Microsoft, which I would like to test as well.


Edited by sajagin, 11 July 2018 - 04:14 AM.


#10 nasdaq

Posted 11 July 2018 - 07:40 AM

Hi,

> Just want to ask, if I can apply the FRST tool to any computer without the fix-file that you created, just scanning and then fixing?

You can scan all the computers you use.
But you need a fix file for the Fix button to execute.

I do not suggest you create a fix file, as it may damage the computer completely if the wrong file/service is removed.

===

Your good information link would need to be translated.
Our general instructions are for the general public.
There are many things we can add, but I like to keep it simple.

Thanks.

#11 sajagin (Topic Starter)

Posted 11 July 2018 - 11:53 AM

Nasdaq, may I ask you to help me with the FRST scan for my laptop too? It has Win 8.1, and I am using both PCs in a network. Maybe I can analyze afterwards what you have done and learn to do it by myself. I often meet people who have problems on their machines, and I would gladly use it to help myself and anybody else along the way.

If you don't have the time or interest, that is ok. Thanks a lot anyway!!

I have translated the topic below for you. Maybe you will find it useful. The link for the MS tool is already in English.

"Vermin undermine the Windows certificate system

More and more Trojans install their own root CAs in Windows to sign their malicious programs or to manipulate web page calls.

Certificates secure encrypted connections and, through digital signatures, identify the software of trusted developers. Certificates and signatures are considered valid if they are signed by a recognized certificate issuer. Criminals are increasingly taking on that role themselves by installing a suitable certificate on their victims' own systems.

A pest common on YouTube posed as a Coin Generator and Aimbot for the survival game Fortnite. In the background, it reads the gamer's web page requests and injects its own advertising there. In order to do this with encrypted HTTPS pages as well, it installs its own root CA and then inserts itself as a man in the middle into the connections (see: Man in the Middle Attack: Online gamblers in the sights of online criminals).

Miner or Ransomware

The malicious downloader Rakhni, analyzed by Kaspersky, installs either a crypto miner or a blackmail Trojan on its victim's system. Before that, however, it does a lot to pave the way for the actual malicious software. It first tests in different ways whether it is running in a virtual machine and whether analysis tools are running, and it deactivates antivirus software such as Windows Defender. And before it downloads further malicious programs, it also corrupts the Windows certificate system in a lasting way.

To do this, it installs a new root CA in the certificate store of the Windows system via an original command line tool that it brings along. The new certification authority is issued in the name of Microsoft or Adobe and may in future confirm the authenticity of digital signatures. The criminals make heavy use of it: all subsequent malware components are signed with it. Presumably, the authors hope to gain the trust of virus scanners this way or to get around special security policies.

Checking the Windows crypto infrastructure

These are not the first cases of malicious root CAs that vermin deliberately smuggle into the system. The Trojan Retefe, for example, installed an alleged Thawte certificate for online banking scams years ago. With the increasing use of TLS and digital signatures, more and more malware is now using such tricks. This is treacherous, especially given that such leftovers are often not discovered during a cleanup and are therefore not removed.

Checking the authenticity of the CA certificates installed on a Windows system is astonishingly difficult. And it is by no means enough to compare the certificates with a clean reference system, because Microsoft dynamically adds CAs as needed. Only with additional tools such as sigcheck from the Sysinternals suite can you compare the currently installed certificates with Microsoft's official directory of registered CAs."

 

Attached Files
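The article's closing advice, as an added example that is not part of the thread or of the Heise article: enumerate the trusted root stores and single out the two properties a planted CA usually has, namely that it sits in the per-user Root store (which malware can write to without administrator rights, so it is worth comparing against the machine stores) and that it was minted recently, and then hand the authoritative comparison to Sysinternals sigcheck, whose -tv and -tuv switches download Microsoft's certificate trust list and print only the machine-store and user-store roots that are not on it. Subjects that borrow a Microsoft or Adobe name, the pattern the article describes, appear in the Subject column for manual review. Assumptions: sigcheck64.exe is on PATH, and the 365-day window for "recent" is an arbitrary triage threshold, not an official value.

```powershell
# Added example, not from the thread: triage the root-CA stores for planted certificates, then verify
# against Microsoft's Certificate Trust List with Sysinternals sigcheck.

function Find-SuspiciousRootCerts {
    param([int]$RecentDays = 365)   # assumption: a triage threshold, not an official value

    # Everything the machine trusts, including the roots Windows adds on demand (AuthRoot).
    $machineRoots = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
                      Select-Object -ExpandProperty Thumbprint)
    $cutoff = (Get-Date).AddDays(-$RecentDays)

    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        foreach ($cert in Get-ChildItem $store) {
            $reasons = @()
            # A root in the per-user store that the machine store does not know: installed for this user only.
            if ($store -like '*CurrentUser*' -and $machineRoots -notcontains $cert.Thumbprint) {
                $reasons += 'user-only root'
            }
            # A freshly minted CA certificate: genuine roots are years old by the time Windows trusts them.
            if ($cert.NotBefore -gt $cutoff) {
                $reasons += "issued after $($cutoff.ToShortDateString())"
            }
            if ($reasons) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotBefore  = $cert.NotBefore
                    SelfSigned = ($cert.Subject -eq $cert.Issuer)
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

Find-SuspiciousRootCerts | Format-Table -AutoSize

# Authoritative check: sigcheck fetches Microsoft's trust list and prints only roots not chained to it.
# -tv = machine store, -tuv = current user's store. Assumption: sigcheck64.exe is on PATH.
if (Get-Command sigcheck64.exe -ErrorAction SilentlyContinue) {
    sigcheck64.exe -accepteula -tv
    sigcheck64.exe -accepteula -tuv
} else {
    'sigcheck64.exe not found; download it from Sysinternals to verify against the Microsoft CTL.'
}
```

Removing a flagged certificate is a matter of deleting it from the store it was found in (Remove-Item on the Cert:\ path, or certmgr.msc); the point of listing the thumbprint is that it can be matched against what sigcheck reports before anything is deleted.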



#12 nasdaq

Posted 11 July 2018 - 01:01 PM

Hi,

I can help you but we do not service 2 computers on the same topic.

Start a new topic for this computer.

Post your remarks and logs.

When done give me the URL in your next post.

I will expedite the matter.

#13 sajagin (Topic Starter)

Posted 13 July 2018 - 09:58 AM

> Hi,
>
> I can help you but we do not service 2 computers on the same topic.
>
> Start a new topic for this computer.
>
> Post your remarks and logs.
>
> When done give me the URL in your next post.
>
> I will expedite the matter.

Hi nasdaq,

Here comes the link: https://www.bleepingcomputer.com/forums/t/680587/malisious-software-possibly-slowing-down-pc/

Thank you!
