
Possible Malware infection - help request [Solved]

Tags: malware, advapi, english-trainer.net

#1 Maffu (Member, 29 posts)

I appear to have a malware infection on my computer, but neither my antivirus (Avast) nor Malwarebytes will detect it.

My internet connection is 350 Mbps fibre, but feels nothing like it.

Additionally, and somewhat alarmingly, if I leave my PC idle for a short (but seemingly non-fixed/random) amount of time, a web page - english-trainer.net - opens of its own accord.

I had this behaviour appear several months ago when using Firefox, and a bit of Google-fu suggested that it may be an infected Firefox extension, so after unsuccessfully trying to find the culprit I switched to Chrome, and it stopped for a while - until I had to open Firefox again to access some info I had stored in there that I'd forgotten; then it started again in Chrome (I'm aware that I may be seeing a coincidence as a correlation here).

I had previously thought that this only happened when my browser was already open, but today, for the first time, it actually opened the browser itself.

I'm seeing odd things in my event logs referring to Advapi, and googling that shows that it may be malware.

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

I also noticed that on attempting to download FARBAR I was denied access to my Downloads folder and forced to use either my user folder or the desktop. Additionally, FARBAR could not update.

Can someone help me please?
 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 19-05-2021 (ATTENTION: ====> FRST version is 718 days old and could be outdated)

Scan results snipped

Edited by Maffu, 12 May 2023 - 01:59 AM.

#2 DR M (The Grecian Geek, Malware Removal, 4,218 posts)

Is this computer your personal computer or a company's computer?

There are a lot of items related to SAP BusinessObjects, which is a business suite used by companies.


#3 Maffu (Topic Starter, Member, 29 posts)

    Is this computer your personal computer or a company's computer?

    There are a lot of items related to SAP BusinessObjects, which is a business suite used by companies.

Hi @theGrecianGreek,

It's kind of both. It's my personal computer but I now work from home and connect remotely to my machine in the office.


#4 DR M (The Grecian Geek, Malware Removal, 4,218 posts)

OK. If the computer belongs to the company, then the IT staff is responsible for fixing it and we can't help here, if this is the case. If the computer belongs to you, then it's fine.

Let's try to download the FRST tool from a different source:

Download Farbar Recovery Scan Tool and save it to your desktop. --> IMPORTANT

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

If your antivirus software detects the tool as malicious, it's safe to allow FRST to run. It is a false-positive detection.

If English is not your primary language, right-click on FRST.exe/FRST64.exe and rename it to FRSTEnglish.exe/FRST64English.exe.

  • Double-click the FRST icon to run the tool. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.

(To attach the files, click on More Reply Options at the bottom right of the reply area, and then choose Attach File.)

Important note: Do not change anything in the logs. Otherwise, we can't provide any fix which can work.


#5 Maffu (Topic Starter, Member, 29 posts)

I assure you the PC is my personal machine.

I saved the FARBAR Recovery Scan Tool to, and ran it from, my desktop.

An icon appeared briefly in my taskbar notification area and then disappeared.

No files have been saved to my desktop and there is no file anywhere on my computer called frst*.txt or addition.txt except for those from earlier today that I attached to my first post.


#6 Maffu (Topic Starter, Member, 29 posts)

NB: still no files after 30 minutes, and no running processes that I can see for the .exe file.

Additionally, I can no longer post to this forum from Chrome and have had to use Firefox to post this reply.


#7 DR M (The Grecian Geek, Malware Removal, 4,218 posts)

 

    An icon appeared briefly in my taskbar notification area and then disappeared.

    No files have been saved to my desktop and there is no file anywhere on my computer called frst*.txt or addition.txt except for those from earlier today that I attached to my first post.

Just to clarify: what happened when you clicked on the Scan button?


#8 Maffu (Topic Starter, Member, 29 posts)

I didn't even get that far - I double-clicked the icon and, as I say, an icon appeared in my taskbar notification area briefly, then disappeared, as did the item on my desktop.

This also seemed to wipe out my permissions on the desktop, not allowing me to save anything else there. This happened to my Downloads folder too with the earlier download.

So basically I didn't even get that far.


#9 DR M (The Grecian Geek, Malware Removal, 4,218 posts)

Hi.

Disable Avast and try again.


#10 Maffu (Topic Starter, Member, 29 posts)

Hi Dr M,

That worked. Please see the attached files.

Attached Files


#11 DR M (The Grecian Geek, Malware Removal, 4,218 posts)

Thanks.

I'll be back to you in an hour or two.

Letting you know that my time is CEST + 1.


#12 DR M (The Grecian Geek, Malware Removal, 4,218 posts)

OK, here are my first comments/instructions, based on the logs:
 
1. P2P program

You have μTorrent installed on your computer. This is a P2P program. P2P programs form a direct conduit onto a computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented, and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file-sharing network by a badly configured program. If you don't uninstall it, your computer will probably get infected sooner or later. But it is your computer and of course your decision.

  • If you decide to keep it, DON'T use it during the cleaning procedure.
  • If you decide to uninstall it, uninstall it along with the unwanted programs in Step 2 below.

 

2. Java

There are very few reasons these days to continue having Java installed on your computer. However, if you do elect to keep Java, it needs to be updated to the latest version which you can find here: Java SE Runtime Environment 8 - Downloads. Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
 
For now, uninstall Java. You will install the latest version when we finish the cleaning procedure.
 
To do that:

  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following program on the list:
Java 8 Update 281
μTorrent *
  • Select the above program and click Uninstall.
  • Restart the computer.

 

3. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Start::
CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{321F46A6-D8F8-4C44-ADD0-AF926E3606A9}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{3E888169-3C1E-43AA-BB32-87F6E985A44E}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{4279CFB2-D26D-4340-86E7-E7C7AF79F081}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{66C7C6A4-92CB-4203-944E-4A3F4323F497}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{77953D65-F265-485F-B67D-A34DE8045BFC}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{90489ADC-89AF-4E4D-9ED1-BB6B32C31E65}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{922D9A3B-8481-460C-9B73-5710AEB8423D}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{9324F009-C35E-4D14-9D20-0CE8A2A3E330}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{981637F7-4585-4D55-B365-A5C5B82F4CEB}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{C4B4627E-9496-4AD1-AC60-EFD2EB437A79}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{C8120E54-622E-4452-9974-87AC65D79CB6}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{CAEF3289-33A4-4931-AEC5-A610BEAA6AB0}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{D26F8E90-55B7-4753-9D33-F32FF52FF920}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{DEF990D9-9913-4AF0-9B4B-8D9F294F122E}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{DEFF582C-FF7C-4D00-8AE5-0E9EBC978C7F}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{F6764025-F2CA-4914-95BC-0F2F52FD9946}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{FCF17890-E5E6-46CF-872C-75712AC0429B}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
HKLM\...\.scr: SageThumbsImage.scr => "%1" /S <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
DPF: HKLM {583C990C-2D38-410c-9A4A-0932D66A754F} hxxps://pulsesecure.net/dana-cached/sc/PulseSetupClient64.cab
DPF: HKLM-x32 {8E375A63-C616-46F1-AC77-59DF78F3A826} hxxps://pulsesecure.net/dana-cached/sc/PulseSetupClient.cab
Handler: AutorunsDisabled - {314111c7-a502-11d2-bbca-00c04f8ec294} -  No File
Handler: AutorunsDisabled - {D924BDC6-C83A-4BD5-90D0-095128A113D1} -  No File
FirewallRules: [TCP Query User{DE3CB516-D806-462C-920E-3E8017277430}C:\users\maffu\appdata\local\vidyoconnect\vidyoconnect.exe] => (Allow) C:\users\maffu\appdata\local\vidyoconnect\vidyoconnect.exe => No File
FirewallRules: [UDP Query User{BECAED13-B4C4-4F83-A13B-ECBAB0601FD9}C:\users\maffu\appdata\local\vidyoconnect\vidyoconnect.exe] => (Allow) C:\users\maffu\appdata\local\vidyoconnect\vidyoconnect.exe => No File
FirewallRules: [{21A6A617-274E-416E-A997-6FBA654F9CE4}] => (Allow) E:\Games\Steamer\steamapps\common\Kerbal Space Program\KSP_x64.exe => No File
FirewallRules: [{675589D1-FF6D-48BA-BB2F-AC069FFF2AD9}] => (Allow) E:\Games\Steamer\steamapps\common\Kerbal Space Program\KSP_x64.exe => No File
FirewallRules: [{348BB91E-DDEA-428C-B2FD-570CEDEDE5A3}] => (Allow) E:\Games\Steamer\steamapps\common\Yakuza Like a Dragon\runtime\media\startup.exe => No File
FirewallRules: [{1DF402D7-0E44-464F-8CB1-924685AC549B}] => (Allow) E:\Games\Steamer\steamapps\common\Yakuza Like a Dragon\runtime\media\startup.exe => No File
FirewallRules: [TCP Query User{4F402EEF-26B2-49EA-9786-FD886488711B}D:\games\epic\pathfinderkingmaker\kingmaker.exe] => (Allow) D:\games\epic\pathfinderkingmaker\kingmaker.exe => No File
FirewallRules: [UDP Query User{666A7E19-955F-4498-AAD1-9839728970F2}D:\games\epic\pathfinderkingmaker\kingmaker.exe] => (Allow) D:\games\epic\pathfinderkingmaker\kingmaker.exe => No File
FirewallRules: [{6BE6A838-5075-4C9E-B7E3-AB9744B44944}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe => No File
FirewallRules: [{05ABF53C-D11B-4019-B11D-F23A7452C819}] => (Allow) E:\Games\Steamer\steamapps\common\Dying Light\DevTools\DyingLightPlayer.exe => No File
FirewallRules: [{A42CE8BE-82F1-461B-9FCA-3FD372B64DEA}] => (Allow) E:\Games\Steamer\steamapps\common\Dying Light\DevTools\DyingLightPlayer.exe => No File
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKLM\Software\...\Authentication\Credential Providers: [AutorunsDisabled] -> 
HKLM\Software\...\Authentication\Credential Provider Filters: [AutorunsDisabled] -> 
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2022-11-06]
Startup: C:\Users\Maffu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2022-10-08]
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {11F110E5-3636-434C-9BF1-77CA3817F448} - System32\Tasks\GoogleUpdateTaskMachineUA{94E9F92D-0F3C-4D4E-AE18-BC433213574A} => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler (No File)
Task: {BB99C98B-459A-40AA-934C-B320E321A31E} - System32\Tasks\GoogleUpdateTaskMachineCore{7A02C385-8D26-41D7-806B-BC90EB10767C} => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c (No File)
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
S4 DFWSIDService; C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe [X]
S4 ElevationService; C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\Backup\ElevationService.exe [X]
S4 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S4 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S4 WsDrvInst; C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\Repair\DriverInstall.exe [X]
Hosts: 
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.

In your next reply please post:

  1. What did you decide about the Torrent client
  2. If the uninstalling procedure ran smoothly
  3. The fixlog.txt

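An added Python example, not code from the thread or from FRST itself, that triages the lines of a fixlist like the one in the post above: it buckets each entry (orphaned CLSIDs, firewall rules and services whose binaries are gone, Autoruns leftovers, policy restrictions) and pulls out the policy entries that weaken security controls, which are the items a responder should ask about first. The sample lines are copied from the fix above; the category names and hints are my own labels, not FRST terminology.

```python
import re
from collections import Counter

# Constructed sample: a subset of the fixlist posted in this thread.
SAMPLE_FIXLIST = r"""Start::
CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-2763654447-502089044-3427749853-1001_Classes\CLSID\{321F46A6-D8F8-4C44-ADD0-AF926E3606A9}\InprocServer32 -> C:\Users\Maffu\AppData\Local\VidyoConnect\VidyoNeoRDO64.dll => No File
HKLM\...\.scr: SageThumbsImage.scr => "%1" /S <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
Handler: AutorunsDisabled - {314111c7-a502-11d2-bbca-00c04f8ec294} -  No File
FirewallRules: [{21A6A617-274E-416E-A997-6FBA654F9CE4}] => (Allow) E:\Games\Steamer\steamapps\common\Kerbal Space Program\KSP_x64.exe => No File
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2022-11-06]
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {11F110E5-3636-434C-9BF1-77CA3817F448} - System32\Tasks\GoogleUpdateTaskMachineUA{94E9F92D-0F3C-4D4E-AE18-BC433213574A} => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler (No File)
S4 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
Hosts:
EmptyTemp:
End::
"""

# Defender-facing meaning of the policy-style restrictions FRST flags (my own wording).
RESTRICTION_HINTS = {
    r"\Windows Defender:": "built-in antivirus disabled via DisableAntiSpyware/DisableAntiVirus",
    r"\WindowsUpdate:": "Windows Update constrained by policy; patching may be blocked",
    r"\Policies\Mozilla\Firefox:": "Firefox enterprise policy key present; inspect for forced extensions or pages",
    r"\Policies\Google:": "Chrome enterprise policy key present; inspect for forced extensions or start pages",
}

# Ordered (predicate, category) rules; the first match wins.
RULES = [
    (lambda l: re.fullmatch(r"[A-Za-z]+:", l) is not None, "command"),          # CreateRestorePoint:, Hosts:, ...
    (lambda l: l.endswith("<==== ATTENTION") and " Restriction " in l, "policy_restriction"),
    (lambda l: l.endswith("<==== ATTENTION"), "attention"),
    (lambda l: l.startswith("CustomCLSID:") and l.endswith("=> No File"), "orphaned_clsid"),
    (lambda l: l.startswith("FirewallRules:") and l.endswith("=> No File"), "orphaned_firewall_rule"),
    (lambda l: l.startswith("Task:") and l.endswith("(No File)"), "orphaned_task"),
    (lambda l: re.match(r"[SRU]\d ", l) is not None and l.endswith("[X]"), "missing_service"),
    (lambda l: r"Internet Explorer\Main," in l and l.endswith("="), "ie_setting_reset"),
    (lambda l: "AutorunsDisabled" in l, "autoruns_disabled_leftover"),         # Sysinternals Autoruns leftovers
]

def classify(line):
    """Category for one fixlist line; None for blanks and the Start::/End:: markers."""
    line = line.rstrip()                       # FRST leaves a trailing space on emptied values
    if not line or line in ("Start::", "End::"):
        return None
    return next((cat for ok, cat in RULES if ok(line)), "other")

def triage(fixlist):
    """Count fixlist lines per category."""
    return Counter(c for c in map(classify, fixlist.splitlines()) if c)

def security_controls(fixlist):
    """(line, hint) for each restriction that weakens a security control."""
    out = []
    for line in fixlist.splitlines():
        if classify(line) == "policy_restriction":
            hint = next((h for k, h in RESTRICTION_HINTS.items() if k in line), "unrecognised policy key")
            out.append((line.rstrip(), hint))
    return out
```

Run `triage(SAMPLE_FIXLIST)` to see the per-category counts and `security_controls(SAMPLE_FIXLIST)` to list the entries that switched off Defender, constrained Windows Update and set browser policies, which is where questions about how they got set should start.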

#13
Maffu

Maffu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts

Hi Dr M,

Thanks for that.

1. I uninstalled uTorrent (I used Revo Uninstaller Pro)

2. The uninstall went without incident

3. I have attached the fixlog.txt

Attached Files


#14 DR M (The Grecian Geek, Malware Removal, 4,218 posts)

Thanks.

I assume you uninstalled Java as well, right?

Let's proceed to a bit more cleaning:


1. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.

  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

 

2. Run Malwarebytes (scan only)

  • Open Malwarebytes you have already installed.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.

If threats are not found, click View Report and proceed to the two last steps below.

If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.

  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

In your next reply, please post:

  • The AdwCleaner[S0*].txt
  • The Malwarebytes report

#15 Maffu (Topic Starter, Member, 29 posts)

Hi,

I did indeed uninstall Java in the previous step.

Here are the results of the scans.

Attached Files


Edited by Maffu, 08 May 2023 - 12:46 PM.
