Extexport.exe 1 System Override


Eleanora Parrot

Aug 4, 2024, 5:44:31 PM
to atadiflu
I'm not sure if I'm seeing normal Windows activity occurring or if there is a possible RAT on my PC. I have not seen any explicitly malicious activity, but it seems like my PC has been tampered with, with multiple remote procedures running at all times. I have never actively used remote PC settings or any P2P utilities (that I know of). I do not understand why tons of svchost services like LanmanWorkstation, LanmanServer, or RasMan are always running. Additionally, I learned the other day that my system is vulnerable through the Intel Management Engine on my CPU, via the csme_version_detection_tool. Additionally, I think I have a memory leak from dwm.exe (which is also an exploitable bit of Windows). Can someone please help me understand what's going on with my system and if it's "normal"?

Many thanks for the reply and help. Good to know that so far things look fine. It is possible that the network related errors are what I'm seeing and not someone actually utilizing my network maliciously. It is odd that there are errors related to networking though, because I have not changed any network related settings besides choosing for the connection to be made "Public" instead of "Private". After performing the Adware scan, I selected the option to reset Winsock.


When looking at the performance monitor, I noticed that WPN is constantly connected to a static remote IP. When performing an IP search it shows the IP address belongs to an Azure server (which I believe is managed by Microsoft, so not necessarily malicious). However, there was an instance where a svchost service was connected to a Verizon FIOS server, which I thought was weird, but it could just have been related to the DNS cache or the fact that my ISP is Comcast. I found this connection via "netstat -ano -b -o 5" on the first update, but the second and subsequent updates did not show this connection anymore (unfortunately I was not able to save a log of the IP address and associated service).


NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.


Run FRST or FRST64 and press the Fix button just once and wait.

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.


NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.


NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.


NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The Fixlist has been completed successfully. Please see the attached logs. There are some odd characters that appear in the log, not sure if normal or something else. It seems like my PC is using a VM, Proxy, or hosting a server and connecting to remote servers/users on a VPN? I have not tried nor do I want to make any remote connections/host a server.


Not a problem, @AdvancedSetup. I will run whatever services are needed. I have successfully enabled Secure Boot. Attached is the log file for the FSS. I ran the scan twice and the first one showed that Windows Defender services were not running; however, the second one does not indicate that. Not sure if it's a timing thing, as I had just restarted the PC after choosing the Secure Boot option in the BIOS.


Been using the PC for the past few days with no overt issues. Network connections seem to be stable, and without remote services trying to connect to the internet. SearchApp and WpnService still connect to the internet, but I'm assuming that's a normal process.


I'm still seeing, what I think, are odd network connections. For instance the RpcSs service is calling odd servers like Cloudflare and StackPath CDN (see attached for IP), and I have processes reported as "Can not obtain ownership information" with a PID that I could not find in Details or Services of Task Manager and connecting to Limelight Networks IP address.


Occasionally I will hear the device disconnected sound without removing a device or driver, and no associated notification pops up in the taskbar. I don't know if all of this is normal and I'm just being paranoid, or if something is behaving improperly.


There is nothing wrong or abnormal with Windows reaching out to many sites on the Internet, because even images or ads or just about anything you can think of that might be on a website can call out to just about any site, and it will then be in your log.


Hi @AdvancedSetup, many thanks for your continued support. Please see the attached log. It shows clean, but I'm thinking whatever I have is avoiding these scans. I have a feeling that I have been infected by an Astaroth attack. My system will hang when trying to explore processes and networking (as if a background task is closing all remote/duplicate/hiding activity). When using the Process Explorer app there will be multiple of the same processes running (I know that part is relatively normal), but some duplicate services will quickly close (causing a slight hang) when I'm scrolling to look at them. I open Process Explorer as an Admin and the Admin rights get taken away shortly after (paths will not populate). There have also been times when I've had to grant myself Admin access as if another Admin is on the system (although this could be normal Windows protecting me from myself).


I was looking in my security settings and noticed that my exploit protection settings had been changed; I did not add these override settings for the programs (please see attached file). In further reading about the programs that have had the exploit protection turned off, it seems to be a very popular method by Astaroth attacks to utilize the ExtExport.exe program to hijack DLLs and embed itself into the system.


In looking at the event viewer for BITS associated with URLs (ID 59) there were multiple coming from an edgedl URL, not sure if normal. Also, there are many event logs that have been disabled. I downloaded the GlassWire app to monitor my network activity and noticed that Host Process for Windows Services was connecting to Lumen and Limelight servers (I don't believe non-hijacked windows would call these servers when otherwise connections are made to Microsoft servers). Is this all normal and I'm just super sensitive to the hangs/interrupts that Windows employs?


Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.

That goes especially for web browsers: make sure all are fully exited, and that messenger programs are exited and closed as well.

I'm fairly sure I've been infected by a RAT, and I have some questions: is there any way to see if this was installed by a family member on the same network with physical access to the computer? I dread to think it was my brother, but I'm fairly certain. Is this system still infected?


Please run the following steps and post back the logs as an attachment when ready.

Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.

Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.

If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

STEP 03

Please download the Farbar Recovery Scan Tool and save it to your desktop.



Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.


Thanks, I'll update with the logs when they're done. I've found these System overrides in my Windows Exploit Protection settings and I don't remember ever setting these; are they suspicious? Thanks so much for the help.

Having a good, solid backup of all your data on an external USB drive, and for very important data potentially a secondary USB drive, is the #1 thing you can do to ensure that even if hit by an infection you can recover.


Configure these settings using the Windows Security app on an individual device. Then, export the configuration as an XML file so you can deploy to other devices. Use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.


This article lists each of the mitigations available in exploit protection. It indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
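As an added example (not code posted in this thread, nor Microsoft's own sample), here is the PowerShell a defender can use to export the live exploit-protection configuration described above and list every per-app override, so an unexpected entry such as an ExtExport.exe block stands out before a known-good XML is reapplied; the export path is an assumed placeholder.

```powershell
# Added example, not from the thread: audit exploit-protection overrides on the local machine.
# Requires the built-in ProcessMitigations module (Windows 10 1709+ / Windows 11) and an
# elevated PowerShell session. $exportPath is a constructed placeholder, change it as needed.
$exportPath = Join-Path $env:USERPROFILE 'Desktop\ExploitProtection-current.xml'

# 1. Export the registry-backed configuration (system defaults plus per-app overrides) to XML.
Get-ProcessMitigation -RegistryConfigFilePath $exportPath

# 2. Parse the export and show each executable that carries its own override block,
#    together with the mitigation names it touches (DEP, ASLR, ImageLoad, Payload, ...).
[xml]$cfg = Get-Content -Path $exportPath
$overrides = $cfg.MitigationPolicy.AppConfig | ForEach-Object {
    [pscustomobject]@{
        Executable  = $_.Executable
        Mitigations = ($_.ChildNodes | ForEach-Object { $_.Name }) -join ', '
    }
} | Sort-Object Executable
$overrides | Format-Table -AutoSize

# 3. Inspect one entry in detail; the thread's screenshots concern ExtExport.exe, so use it here.
#    An override you never created for a rarely used binary is worth investigating, not ignoring.
if ($overrides.Executable -contains 'ExtExport.exe') {
    Get-ProcessMitigation -Name 'ExtExport.exe'
}

# 4. Remediation options (run deliberately, after reviewing the output above):
#    - Drop the per-app override for one executable:
#        Set-ProcessMitigation -Name 'ExtExport.exe' -Remove
#    - Reapply a known-good baseline exported earlier from a clean device, as step L108 describes:
#        Set-ProcessMitigation -PolicyFilePath 'C:\Path\To\known-good.xml'   # placeholder path
```

Keep the exported XML with the other logs you post: it records the state before any change, which is what a helper needs to judge whether an override was expected.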
