Mwrrn

CLOSED Is there anything weird in these logs?


I saw some outgoing internet traffic while doing nothing, and earlier when I started the PC, File Explorer was open when I came to look at the PC, so I wasn't even at my PC when that folder was opened, though that happened before I was even connected to the PC, as I had just installed motherboard drivers before connecting to the internet. Also when I opened the Edge browser, it also opened another smaller window.


FRST.txt

Addition.txt

Shortcut.txt


Hello, I did a secure erase after that thread. Then I made new Farbar logs which I posted to BleepingComputer, and they found something weird in them. I know this is not BleepingComputer, but I would like to have a second eye evaluating what these findings are, as people at BleepingComputer may not be able to determine what these files were.


This thing needs to be investigated thoroughly, because I have been experiencing lots of weird stuff for months now. Even though I do secure erases and install new BIOS chips very often, eliminating BIOS viruses, I still experience weird things happening to me. Are these NSA/CIA tools being used? Anyway, there might be some very high level malware going on.


https://www.bleepingcomputer.com/forums/t/649128/i-saw-some-black-box-appearing-from-right-side-of-the-screen/



Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Task: {09E4FF00-2CA2-4AEA-A4DD-2BA948DD926C} - System32\Tasks\Microsoft\Windows\supdt\updtcln => C:\Program Files\supdt\updtcln.exe [2017-05-23] ()
Task: {E23B4FA1-408E-438C-B8B3-35F569D5134A} - System32\Tasks\Microsoft\Windows\supdt\updtdgn => C:\Program Files\supdt\updtdgn.exe [2017-05-23] ()
C:\Windows\System32\Tasks\Microsoft\Windows\supdt\updtcln
C:\Program Files\supdt

End

The results were


Fix result of Farbar Recovery Scan Tool (x64) Version: 12-06-2017
Ran by ODWDK (13-06-2017 22:06:43) Run:1
Running from C:\Users\ODWDK\Downloads
Loaded Profiles: ODWDK (Available Profiles: ODWDK)
Boot Mode: Normal
==============================================

fixlist content:
*****************

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Task: {09E4FF00-2CA2-4AEA-A4DD-2BA948DD926C} - System32\Tasks\Microsoft\Windows\supdt\updtcln => C:\Program Files\supdt\updtcln.exe [2017-05-23] ()
Task: {E23B4FA1-408E-438C-B8B3-35F569D5134A} - System32\Tasks\Microsoft\Windows\supdt\updtdgn => C:\Program Files\supdt\updtdgn.exe [2017-05-23] ()
C:\Windows\System32\Tasks\Microsoft\Windows\supdt\updtcln
C:\Program Files\supdt

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{09E4FF00-2CA2-4AEA-A4DD-2BA948DD926C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{09E4FF00-2CA2-4AEA-A4DD-2BA948DD926C} => key removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\supdt\updtcln => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\supdt\updtcln => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E23B4FA1-408E-438C-B8B3-35F569D5134A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E23B4FA1-408E-438C-B8B3-35F569D5134A} => key removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\supdt\updtdgn => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\supdt\updtdgn => key removed successfully
"C:\Windows\System32\Tasks\Microsoft\Windows\supdt\updtcln" => not found.
C:\Program Files\supdt => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 6053888 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 9619862 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 812332 B
Edge => 6819974 B
Chrome => 0 B
Firefox => 382010965 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 25300 B
NetworkService => 5882 B
ODWDK => 129485978 B

RecycleBin => 70848934 B
EmptyTemp: => 577.6 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 22:07:20 ====


Also I emphasize a lot that no virus scan ever finds anything, not even in this case when Farbar found something that cannot be found on Google at all. So in any case, we are dealing with a very high level security threat.


I'm not sure what those tasks belonged to, as no information on them is available. That is usually a sign that it could be malicious in nature.

If everything is running fine after running the fix from BC then you should be fine.


The point is that after drastic security measures, I still get these weird things going on, even after changing entire computers. I do take my security seriously, keep antiviruses updated and, as I say, secure erase and change BIOS chips very often. Something really fishy is going on. Whatever I can do to help you determine the threat that is going on, I am here to assist you. This very well could be one of those leaked CIA hacking tools in action. All antivirus and antimalware protections and scanners are futile in this; they don't ever find anything, not even in this case. You are part of an antimalware corporation; this is your arena.


Unless your BIOS is infected or faulty, you should not be changing out your BIOS EPROM. Firmware malware is extremely rare and is targeted, meaning that if your system BIOS was infected by malware you were deliberately targeted. Most of the CIA hacking tools are old and specifically exploit vulnerabilities in Windows XP. Windows 8.1 & 10 are surprisingly resilient operating systems. For the most part, they are immune to Windows XP exploits. That is not to say that there is a Windows XP exploit that is not valid for Windows 8.1 or 10. There is always the unknown.



Actually there were leaks recently discovering all sorts of backdoors in Windows 10.

Also, I checked the Addition.txt from the starting post in this thread, and I found those same files:

Task: {A8FEABF5-4217-4159-96E0-8707A14F4B0A} - System32\Tasks\Microsoft\Windows\supdt\updtcln => C:\Program Files\supdt\updtcln.exe [2017-05-23] ()
Task: {AB168470-E72B-43CF-BCF9-406BEB8BDE2A} - System32\Tasks\Microsoft\Windows\supdt\updtdgn => C:\Program Files\supdt\updtdgn.exe [2017-05-23] ()

So if these are malicious, it's very serious because they have survived SSD secure erase. No USB sticks or other external storage devices have been plugged into this PC, and nothing was backed up from the old OS install.
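A small triage helper for FRST "Task:" lines like the four quoted in this thread, added here as an example (not FRST's, the forum's, or any poster's code): it parses the lines from both logs, flags the properties a responder would want to verify (no publisher metadata in the executable, a task under the Microsoft\Windows tree that launches from outside C:\Windows) and shows that the two logs list the same task paths under different GUIDs, which means separate registrations rather than one registration that persisted. The flags are prompts to check the executable's Authenticode signature, not verdicts; later in this thread the flagged tasks are identified as part of a Windows update.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the four FRST "Task:" lines quoted in this thread.
ADDITION_TASKS = r"""
Task: {A8FEABF5-4217-4159-96E0-8707A14F4B0A} - System32\Tasks\Microsoft\Windows\supdt\updtcln => C:\Program Files\supdt\updtcln.exe [2017-05-23] ()
Task: {AB168470-E72B-43CF-BCF9-406BEB8BDE2A} - System32\Tasks\Microsoft\Windows\supdt\updtdgn => C:\Program Files\supdt\updtdgn.exe [2017-05-23] ()
"""
FIXLIST_TASKS = r"""
Task: {09E4FF00-2CA2-4AEA-A4DD-2BA948DD926C} - System32\Tasks\Microsoft\Windows\supdt\updtcln => C:\Program Files\supdt\updtcln.exe [2017-05-23] ()
Task: {E23B4FA1-408E-438C-B8B3-35F569D5134A} - System32\Tasks\Microsoft\Windows\supdt\updtdgn => C:\Program Files\supdt\updtdgn.exe [2017-05-23] ()
"""
# FRST task line: Task: {GUID} - <task path> => <executable> [date] (<publisher>)
TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-F-]+)\} - (?P<task>\S+) => (?P<exe>.+?) "
    r"\[(?P<date>[0-9-]+)\] \((?P<publisher>[^)]*)\)$"
)

@dataclass
class TaskEntry:
    guid: str
    task: str
    exe: str
    date: str
    publisher: str  # empty when FRST prints "()": no company metadata in the file

def parse_tasks(text: str) -> list[TaskEntry]:
    """Parse every FRST 'Task:' line in text; unrelated lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = TASK_RE.match(line.strip())
        if m:
            entries.append(TaskEntry(**m.groupdict()))
    return entries

def triage(entry: TaskEntry) -> list[str]:
    """Flags meaning 'verify this' (e.g. check the Authenticode signature), not 'malicious'."""
    flags = []
    if entry.publisher == "":
        flags.append("no publisher metadata")
    in_ms_tree = entry.task.lower().startswith(r"system32\tasks\microsoft\windows")
    if in_ms_tree and not entry.exe.lower().startswith(r"c:\windows"):
        flags.append(r"Microsoft task tree but executable outside C:\Windows")
    return flags

def compare_registrations(old_text: str, new_text: str) -> dict[str, tuple[str, str]]:
    """Task paths present in both logs but with different GUIDs: registered anew, not persisted."""
    old = {e.task: e.guid for e in parse_tasks(old_text)}
    new = {e.task: e.guid for e in parse_tasks(new_text)}
    return {t: (old[t], new[t]) for t in old if t in new and old[t] != new[t]}
```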


It is a Microsoft update for Windows 10 version 1507 and 1511. The MS article I linked to explains it all.


Those tasks are responsible for running the executables responsible for the new security enhancements for Windows 8.1 & 10.


If they are critical more than likely Windows added them right back.

Run a fresh scan with FRST and attach the new scan logs to your reply.


Windows did not restore those entries. Uninstall KB4022868. Restart the system. Run Windows Update.


I am more interested in what exactly those files did. If I was more vulnerable to attacks than normal, I will just erase the disk and start over.

Besides, I can't uninstall that update because it's not on the list of the updates anymore. I have the Creators Update version, installed on top of 1511. Which begs the question: why were those files still present there?


Windows Update said that there were critical updates needed and the system was out of date and at risk etc., with red text. I updated the system, scanned with some scanners and didn't find anything. But I am still VERY worried something attacked my system after it was broken when I deleted those files earlier. Could you do a thorough check of these three files to see if there is any indication of malicious actions?


Addition.txt

FRST.txt

Shortcut.txt


An interesting thing in those newest logs is that even after updating Windows the deleted files did not come back. Those updates that the updater urged me to get with red text were entirely different and meant for the 1701 build which I have been using all this time. I updated Windows to 1701 on top of 1511 using the Update Assistant.

Updates that I was asked to install were: KB4022725, KB4022730, KB4022405, KB4020821 and KB890830.


If you are on Win10 CU then you do not need KB4022868. The KB was only for Win10 v1507 and v1511. Creators Update is Win10 v1703.

This month's Patch Tuesday contained several bug fixes and fixed two vulnerabilities in Windows that are currently being exploited by cybercriminals.


So deleting those files did not harm my system; they were relics from when I had the 1511 version?

What about those latest logs, were they clean?

This topic is now closed to further replies.
