
remote access Trojan maybe w32tm


This topic is locked.
8 replies to this topic

#1 Knat


Posted 30 July 2018 - 05:12 AM

Hi, I have been trying to work out the cause of my computer's issues, and I found a debugging folder with some suspicious entries. Looking in a nearby folder with a possibly suspicious date, I found a reference to a W32Time.exe file, which does exist as described here:

https://www.bleepingcomputer.com/startups/w32time.exe-14818.html

 

Farbar Recovery Scan Tool (x64) Version: 21.07.2018
Ran by (me) (30-07-2018 02:31:10)
Running from C:\Users\--\Desktop
Boot Mode: Normal
 
================== Search Files: "w32tm.exe" =============
 
C:\Windows\WinSxS\x86_microsoft-windows-time-tool_31bf3856ad364e35_10.0.17134.1_none_766b0c29ecbb6eba\w32tm.exe
[2018-04-11 16:35][2018-04-11 16:35] 000078848 _____ (Microsoft Corporation) EAB71892185FE28F429BF45B42B8594A [File is digitally signed]
 
C:\Windows\WinSxS\amd64_microsoft-windows-time-tool_31bf3856ad364e35_10.0.17134.1_none_d289a7ada518dff0\w32tm.exe
[2018-04-11 16:34][2018-04-11 16:34] 000088576 _____ (Microsoft Corporation) 71540E4248A944A8A60E80063D423608 [File is digitally signed]
 
C:\Windows\SysWOW64\w32tm.exe
[2018-04-11 16:35][2018-04-11 16:35] 000078848 _____ (Microsoft Corporation) EAB71892185FE28F429BF45B42B8594A [File is digitally signed]
 
C:\Windows\System32\w32tm.exe
[2018-04-11 16:34][2018-04-11 16:34] 000088576 _____ (Microsoft Corporation) 71540E4248A944A8A60E80063D423608 [File is digitally signed]
 
 
====== End of Search ======
 
I have been trying to do a clean install, but I cannot create the installation media on my PC. I tried one made on someone else's computer, and even after attempting to complete this, I still had a random unknown cellular connection making a hotspot (I use DSL and have tried using the creation tool over WiFi, over Ethernet, and with no connection, with the same result), and my Windows 10 PC is still enrolled in a workgroup, which should not be possible (I can see this via Belarc Advisor; my PC just seems to be syncing while having sync turned off).
 
It uses a Desktop App Installer and adds firewall rules (I tend to uninstall the app installer with PowerShell and add a firewall rules manager to prevent this, but it only sometimes works). 
 
I additionally have WAN Miniports for VPN located on the Microsoft RRAS Root Enumerator, which seems odd. I have disabled them, but that doesn't make the workgroup go away or Windows Media Creation tool work. 
 
I periodically see error messages that this or that failed because Windows couldn't find something. 
 
My machine tries to use IPv6 even when I have only IPv4, and it spams UDP. Sometimes it spams DNS, too.
 
Edited by Knat, 30 July 2018 - 05:26 AM.
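As an added illustration (not part of the original post, and not FRST's own code), here is a small parser for the FRST "Search Files" block quoted above that checks what the log already shows: each live w32tm.exe copy is digitally signed and its MD5 matches the signed WinSxS component of the same architecture (System32 pairs with amd64_, SysWOW64 with x86_). The sample input is the four entries from the post; the mapping of live directories to component architectures is an assumption that holds for a 64-bit Windows install.

```python
import re

# Constructed sample: the four FRST "Search Files" entries quoted in the post above.
FRST_SEARCH = r"""
C:\Windows\WinSxS\x86_microsoft-windows-time-tool_31bf3856ad364e35_10.0.17134.1_none_766b0c29ecbb6eba\w32tm.exe
[2018-04-11 16:35][2018-04-11 16:35] 000078848 _____ (Microsoft Corporation) EAB71892185FE28F429BF45B42B8594A [File is digitally signed]
C:\Windows\WinSxS\amd64_microsoft-windows-time-tool_31bf3856ad364e35_10.0.17134.1_none_d289a7ada518dff0\w32tm.exe
[2018-04-11 16:34][2018-04-11 16:34] 000088576 _____ (Microsoft Corporation) 71540E4248A944A8A60E80063D423608 [File is digitally signed]
C:\Windows\SysWOW64\w32tm.exe
[2018-04-11 16:35][2018-04-11 16:35] 000078848 _____ (Microsoft Corporation) EAB71892185FE28F429BF45B42B8594A [File is digitally signed]
C:\Windows\System32\w32tm.exe
[2018-04-11 16:34][2018-04-11 16:34] 000088576 _____ (Microsoft Corporation) 71540E4248A944A8A60E80063D423608 [File is digitally signed]
"""

# FRST detail line: [created][modified] size attributes (company) MD5 [File is digitally signed]
DETAIL = re.compile(r"\[[^\]]+\]\[[^\]]+\]\s+\d+\s+\S+\s+\([^)]*\)\s+(?P<md5>[0-9A-F]{32})"
                    r"(?P<signed>\s+\[File is digitally signed\])?")
# WinSxS dirs are prefixed by architecture; on 64-bit Windows System32/SysWOW64 files are hard links into them.
WINSXS_ARCH = re.compile(r"\\WinSxS\\(amd64|x86)_", re.IGNORECASE)
LIVE_DIR_ARCH = {"system32": "amd64", "syswow64": "x86"}  # assumption: 64-bit install

def parse_frst_search(text):
    """Parse FRST 'Search Files' output into dicts with path, md5 and signed."""
    entries, path = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = DETAIL.match(line)
        if m and path:  # a detail line always follows its path line
            entries.append({"path": path, "md5": m["md5"], "signed": m["signed"] is not None})
            path = None
        else:
            path = line
    return entries

def check_against_component_store(entries):
    """Verdict per live copy: 'consistent' only if signed and its MD5 matches a signed WinSxS copy of the same arch."""
    store = {}
    for e in entries:
        m = WINSXS_ARCH.search(e["path"])
        if m and e["signed"]:
            store.setdefault(m[1].lower(), set()).add(e["md5"])
    verdicts = {}
    for e in (e for e in entries if not WINSXS_ARCH.search(e["path"])):
        arch = LIVE_DIR_ARCH.get(e["path"].rsplit("\\", 2)[-2].lower())
        if not e["signed"]:
            verdicts[e["path"]] = "unsigned"
        elif e["md5"] in store.get(arch, ()):
            verdicts[e["path"]] = "consistent"
        else:
            verdicts[e["path"]] = "no matching component-store copy"
    return verdicts
```

A "consistent" verdict for both live copies says the on-disk w32tm.exe binaries are Microsoft's, which is what the log above shows; it does not speak to the network symptoms described, which a file search cannot diagnose.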




#2 HelpBot


Posted 04 August 2018 - 05:15 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/681422 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Knat


Posted 05 August 2018 - 02:52 AM

1) already
2) will do later if needed
3) not sold with a CD/DVD
4) ok to hold off a bit; I might have found someone else to help. Might need more help later; I will update with a new log or a close request sometime next week, unless delayed.

Edited by Knat, 05 August 2018 - 02:59 AM.


#4 Knat


Posted 05 August 2018 - 02:58 AM

Also, Avira says my email was used to make some accounts some places I never heard of. :/

#5 Oh My!


Posted 07 August 2018 - 08:44 AM

Greetings Knat and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, please keep in mind most of us at BleepingComputer volunteer our assistance for your benefit in your time of need. Please try to match our commitment to you with your patience toward us.
  • It is important to not run any tools or take any steps other than those I will provide for you.
  • Please perform all steps in the order they are listed. If things are not clear or you experience problems be sure to stop and let me know.
  • Please copy and paste all logs into your post unless otherwise requested.
  • When your computer is clean I will let you know, provide instructions to remove tools and reports, and offer you information about how you can combat future infections.
  • If you do not reply to your topic after 5 days I will assume it has been abandoned and I will close it.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and let me know.

Thank you for your patience thus far.

If you still desire assistance please run a new FRST scan and copy/paste the contents of both reports in your reply, using multiple posts if necessary.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 Oh My!


Posted 10 August 2018 - 08:32 AM

Greetings,

===================================================

Do You Still Need Help?

It has been 3 days since my last post.
  • Do you still need help with this?
  • If you have not replied within 48 hours I will assume you have abandoned the Topic and it will be closed.

Gary
 

#7 Knat


Posted 12 August 2018 - 04:06 AM

Hi Gary, thanks so much for the reply. I think I need to find someone who can do hardware or firmware fixes, so it's ok to close the thread. Thanks regardless, and happy weekend.

#8 Oh My!


Posted 12 August 2018 - 08:30 AM

Thanks for letting me know.
Gary
 

#9 Oh My!


Posted 12 August 2018 - 08:30 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 



