Malware threat (Unknown User in C:\ Files... Anti-theft not optimized)


OrionsBelt


Hello.
I fear my laptop has been infected.
Quite unsure of how deep in the system the malware has reached. But I suspect it may have managed to read many of the basic systems through access to my laptop's Microsoft account, and maybe even read my laptop's ESET licence.

Not sure if this should go in some other sub-forum. I apologize if I placed it wrong.
Main issue is malware threat, and system vulnerable because apparently I didn't understand how to configure Anti-theft with Windows and an active Microsoft account.

Trying to shorten the details of a long story:
ESET warns me of strange device using my wifi. (I've changed router name and wifi signal's name and password. Still haven't discovered how to block another device.)
I find a strange User in the files of my system. (I remove the strange user, supposedly.)
My phone starts showing small but very suspicious sudden issues. (My smartphone's main email is the same as my laptop's Microsoft account. Dumb. I realize now. I plan on changing that if I can.)
On my laptop, MyEset starts warning me my Anti-theft feature isn't optimized for Windows/Microsoft. (Why didn't it warn me before?) I don't; I'm not sure if it might make things worse. Yeah, probably another bad move.
Full deep scan with Eset Internet Security reveals 9 suspicious files. Unfortunately, I didn't see the note at the end of the detection details that advised me to wait for the scan to complete before taking an action. Another Eset window opened, during the scan, offering to erase the first 6 (I think), and I did. But once the scan ended, it didn't let me erase the last 3 suspicious files. And a later scan finds no detections. Which makes me fear the system has already accepted and integrated those 3 files.
I restart my laptop on Safe Mode, and scan with Eset SysInspector. And it finds many many suspicious files.
I completely disconnect my laptop from the internet.
MyEset registers strange logins from "my phone" in cities I've never been. (Bug? Or more serious?)

After much, I seem to have recovered control of my phone. But I'm not sure how much that will change once I reconnect my laptop, and it reconnects to my Microsoft account.

Now, I do have a month-old Windows system copy ("Copia de Seguridad de Windows", no idea what the technical name is in English) on an external USB drive, from before I activated Anti-theft. Not sure if I should just use that and skip restarting my laptop as it is now, or if it would just activate the Anti-theft feature as it is now, without optimization and leaving my Microsoft account exposed anyway.

I'll greatly appreciate any information and advice on my next options.
Especially regarding:
- any insight into the potential danger of the files detected and my general situation described;
- my options with managing the Anti-theft feature;
- how to check and make sure no one else has access to my laptop's ESET licence.

I know it's a lot. Thank you seriously in advance for any and all assistance.

SUSPICIOUS FILES DETECTED:

c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {C9C9C056-98EC-4026-BDE9-5C8C950250EC}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - una variante de EFI/CompuTrace.A aplicación potencialmente no segura - la selección de la acción queda pospuesta hasta que finalice la exploración
c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {881EC7F2-82EE-477C-A829-78518783EC1F}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - una variante de EFI/CompuTrace.A aplicación potencialmente no segura - la selección de la acción queda pospuesta hasta que finalice la exploración
c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {F6D787F3-D9C5-4E45-9C81-DA2D83628EE3}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - una variante de EFI/CompuTrace.A aplicación potencialmente no segura - la selección de la acción queda pospuesta hasta que finalice la exploración
 
C:\Windows\Firmware\SystemFirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {C9C9C056-98EC-4026-BDE9-5C8C950250EC}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - una variante de EFI/CompuTrace.A aplicación potencialmente no segura - la selección de la acción queda pospuesta hasta que finalice la exploración
C:\Windows\Firmware\SystemFirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {881EC7F2-82EE-477C-A829-78518783EC1F}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - una variante de EFI/CompuTrace.A aplicación potencialmente no segura - la selección de la acción queda pospuesta hasta que finalice la exploración
C:\Windows\Firmware\SystemFirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {F6D787F3-D9C5-4E45-9C81-DA2D83628EE3}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - una variante de EFI/CompuTrace.A aplicación potencialmente no segura - la selección de la acción queda pospuesta hasta que finalice la exploración
 
  --------------------  
 
FULL SCAN REGISTRY:
 
Registro
Registro de la exploración
Versión del motor de detección: 23983 (20210918)
Fecha: 18-09-2021 Hora: 12:46:51
Discos, carpetas y archivos explorados: Memoria operativa;Sectores de inicio/UEFI;Base de datos WMI;Registro del sistema;C:\Sectores de inicio/UEFI;C:\;D:\Sectores de inicio/UEFI;D:\
\Device\HarddiskVolume3\EFI\Microsoft\Boot\BCD - no se puede abrir [4]
\Device\HarddiskVolume3\EFI\Microsoft\Boot\BCD.LOG - no se puede abrir [4]
Memoria operativa = C:\Windows\explorer.exe - está correcto
Memoria operativa = C:\Windows\System32\dllhost.exe - está correcto
c:\windows\notepad.exe - no se puede abrir [4]
c:\windows\system32\notepad.exe - no se puede abrir [4]
c:\windows\syswow64\notepad.exe - no se puede abrir [4]
c:\windows\notepad.exe - no se puede abrir [4]
c:\windows\system32\notepad.exe - no se puede abrir [4]
c:\windows\syswow64\notepad.exe - no se puede abrir [4]
c:\windows\system32\windowspowershell\v1.0\powershell.exe - no se puede abrir [4]
...
c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {C9C9C056-98EC-4026-BDE9-5C8C950250EC}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - una variante de EFI/CompuTrace.A aplicación potencialmente no segura - eliminado
c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {881EC7F2-82EE-477C-A829-78518783EC1F}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - una variante de EFI/CompuTrace.A aplicación potencialmente no segura - eliminado
c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {F6D787F3-D9C5-4E45-9C81-DA2D83628EE3}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - una variante de EFI/CompuTrace.A aplicación potencialmente no segura - eliminado
C:\Windows\Firmware\SystemFirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {C9C9C056-98EC-4026-BDE9-5C8C950250EC}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - una variante de EFI/CompuTrace.A aplicación potencialmente no segura - eliminado
C:\Windows\Firmware\SystemFirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {881EC7F2-82EE-477C-A829-78518783EC1F}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - una variante de EFI/CompuTrace.A aplicación potencialmente no segura - eliminado
C:\Windows\Firmware\SystemFirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {F6D787F3-D9C5-4E45-9C81-DA2D83628EE3}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - una variante de EFI/CompuTrace.A aplicación potencialmente no segura - eliminado
C:\Windows\System32\DriverStore\FileRepository\capsule.inf_amd64_4fcb7dad6b5872d4\SystemFirmware.bin - no se puede abrir [4]
Cantidad de objetos explorados: 730210
Cantidad de detecciones: 9
Cantidad de objetos desinfectados: 6
Tiempo restante: 13:30:24 Tiempo total de exploración: 2613 seg (00:43:33)
 
Notas:
[4] El objeto no se puede abrir. Es posible que otra aplicación o sistema operativo lo estén usando.

Edited by Marcos
Log shortened

  • Administrators

I would say your computer is malware free if no threat is found. As for the UEFI Computrace detection, it's just a potentially unsafe application which resides in UEFI, so you can't do much about it. We recommend creating a detection exclusion for it:

https://support.eset.com/en/kb6567

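The distinction behind the answer above (a PUA verdict such as EFI/CompuTrace.A versus a real malware verdict, and an action that was applied versus one that was postponed) can be pulled straight out of the scan log. The following is an added Python example, not code from this thread or from ESET; it parses detection lines in the Spanish-locale log format posted above and checks that the footer counters agree with the lines. The sample log lines are constructed, and the string matching assumes the exact Spanish wording shown in the posted log.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the Spanish-locale ESET scan log quoted above
# (paths shortened; the UEFI object chain is abbreviated to a single application entry).
SAMPLE_LOG = r"""
Memoria operativa = C:\Windows\explorer.exe - está correcto
c:\windows\notepad.exe - no se puede abrir [4]
C:\Windows\Firmware\SystemFirmware.bin = UEFI = uefi:\\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - una variante de EFI/CompuTrace.A aplicación potencialmente no segura - eliminado
C:\Windows\Firmware\SystemFirmware.bin = UEFI = uefi:\\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - una variante de EFI/CompuTrace.A aplicación potencialmente no segura - la selección de la acción queda pospuesta hasta que finalice la exploración
Cantidad de detecciones: 2
Cantidad de objetos desinfectados: 1
"""

@dataclass
class Detection:
    location: str   # outermost object: a file path, or "Memoria operativa" for memory
    container: str  # innermost nested object, e.g. the UEFI application GUID entry
    name: str       # detection name, e.g. EFI/CompuTrace.A
    pua: bool       # "potencialmente no segura/no deseada": a PUA verdict, not malware
    cleaned: bool   # action "eliminado"; anything else means the action is still pending

def parse_line(line):
    """Return a Detection for a detection line, or None for clean / unopenable objects."""
    parts = line.rstrip().split(" - ")
    if len(parts) < 3:          # "está correcto" and "no se puede abrir [4]" have one " - "
        return None
    objects, verdict, action = parts[0].split(" = "), parts[1], parts[2]
    m = re.search(r"\b([A-Za-z0-9]+/[A-Za-z0-9_.-]+)", verdict)
    return Detection(objects[0], objects[-1], m.group(1) if m else verdict,
                     "potencialmente" in verdict, action == "eliminado")

def summarize(log_text):
    """Triage a whole log: what was found, what is still pending, and whether the
    footer counters agree with the detection lines (a sanity check on a shortened log)."""
    dets = [d for d in map(parse_line, log_text.splitlines()) if d]
    footer = {k: int(v) for k, v in
              re.findall(r"Cantidad de (detecciones|objetos desinfectados): (\d+)", log_text)}
    cleaned = sum(d.cleaned for d in dets)
    return {
        "detections": len(dets),
        "cleaned": cleaned,
        "pending": [d.name for d in dets if not d.cleaned],
        "non_pua": [d.name for d in dets if not d.pua],   # real malware verdicts, if any
        "footer_consistent": footer.get("detecciones") == len(dets)
                             and footer.get("objetos desinfectados") == cleaned,
    }
```

Run against the full log from the post, an empty `non_pua` list with only PUA names in `pending` is exactly the situation the administrator describes: nothing to disinfect, and a detection exclusion is the remaining step.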
