USB Drive Anti-Virus [ New V.3.0 Build 1001 ] KEYGEN


Nadia Grubb

Jul 14, 2024, 3:02:37 AM7/14/24
to emenabal

I put a USB drive in my computer a few days ago, and the computer started acting strangely. Adobe Illustrator not working properly, anti-virus programs not working properly, even FRST didn't load correctly until I re-downloaded it. I notice a lot of entries in my process list using Process Explorer and dozens of outbound connections using svchost and System. I had to boot in safe mode and run an old copy of FRST because I couldn't download a fresh copy without networking.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

I've gone into Process Explorer and found a bunch of very odd looking processes; further investigation in the properties shows a lot of these processes have things in common. They all have Administrator flagged for DENY. The owner is NT AUTHORITY\LogonSessionId_0_1053163. Most run from "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\", there are about 30-40 processes using svchost, and some operating system files are not signed. Looking at the TCP connections, there are a lot of SYSTEM connections with "TIME WAIT" going to a random IP hosted by Amazon or some other big provider.

The act of torrenting itself is not illegal. However, downloading and sharing unsanctioned copyrighted material is illegal, and there is always a chance of prosecution if caught by the authorities.
Torrenting non-copyrighted material is perfectly fine and is allowed. However, be aware that we have seen increased malware bundled with software downloads over P2P.

Recent Ransomware infections have been seen to encrypt user data so that no one can decrypt the data without the private key.
When sharing files, please keep in mind that you're increasing your system's attack surface area, which can increase the risk of infection.

....and more. I can usually see at least 10 or more of them at a time using netstat or simply looking at my firewall status. These are all on port 443 or 80, all in TIME WAIT status with SYSTEM as the PID. Other strange activity as well.

We need to see alerts, blocks from onboard security software, event log entries, obvious issues in Windows. We've now run a few different antivirus scanners and Windows is looking clean at this point.

These are connections that are made to PID 4 which is a process that runs in Windows 11. This has nothing to do with my router. The firewall is a software based firewall called Tinywall, which is how I am able to see where these connections are being made.

We recognize many customers are under pressure to deploy new Teams in anticipation of the upcoming June 30, 2024 deprecation of classic Teams. We have released this version "out of band" of our expected integration in the Azure marketplace images in order to expedite the adoption process. This version will be pre-installed in the Azure marketplace images on March 12th, 2024. We had to slip the date for the marketplace images. We will plan a new blog post when HF4 nears GA.

This hotfix release specifically enables compatibility and support for the new version of Microsoft Teams which became generally available on December 5th, 2023. Following our preview release of hotfix 3, we found some minor changes needed for the behavior when using profiles and ODFC or ODFC only. We have an outstanding bug for Windows Server 2019, and it continues to be one of our top priorities.

@Karl_Wester-Ebbinghaus FSLogix requires customers to use our latest version or in this case a "preview" version in order to provide support. We don't align versions of FSLogix with versions of Citrix. The articles below outline how we support FSLogix across versions.

We were eagerly looking forward to this but despite implementing everything exactly as indicated the new Teams client still won't function in our environment in conjunction with FSLogix. Perhaps the official hotfix 3 will nail it.

Also, has anyone looked at updating your GPO and literature? In particular, I think the ODFC Locked Retry Count and Locked Retry Interval are swapped according to what the Profile container settings are and log files indicate. Finally, the GPO verbiage says the CleanupInvalidSessions setting is Enabled by default. However, your webpage regarding the settings states it is Disabled by default.

As for the GPO(s), I'll have to double check based on your feedback. We did have some minor issues in our build pipeline and the ADMX files in the hotfix 3 zip file may not have the most recent changes. The docs at would be the most accurate place for how the settings work and their default settings.

@Jason_Parker Message sent!! Also I did go back and change to the GPO templates from the official hotfix 2 and sure enough settings are different and worded properly. I presume official HF3 will have that ironed out as well.

@Karl_Wester-Ebbinghaus Yes, I followed the exact details provided in all MS articles. We are using CVAD but I didn't even bother to get that far. I was directly logging into the VM's console and just trying to see if it would run.

Hi @Jason_Parker, I have sent a separate email, but also for the benefit of the community: for us this release doesn't work for new Teams (V 2.1) on a Windows Server 2019 RDSH. This is Citrix CVAD VDA 2305.

If we log in with a user which is within the FSLogix Profile Exclude List then Teams V2.1 does run and does log in. Similarly, if we disable the FSLogix Apps Services service, then the user will log in to Teams V2.1 OK. Obviously both of these logins are using a local profile and not the FSLogix Profile.

For us it was our AV, which is SentinelOne. As soon as we disable it everything works fine. As soon as we re-enable it everything breaks down. I don't think SentinelOne's behavior detection AI likes what FSLogix is doing in the User Profile.

@D2theZ Nice find. I've been troubleshooting issues with UWP applications like Nvidia Control Panel and the new Teams on our pre-production environment for about a week now. I knew FSLogix preview worked for the new Teams because I set up a separate Windows Server 2022 environment with FSLogix and the new Teams and it worked flawlessly.

When we first started using SentinelOne we tried disabling / removing it when troubleshooting a lot, since it was to blame for a lot of issues, but lately it was never the culprit... However, this time it is!!

So I just uninstalled SentinelOne on a test device of our pre-production environment and the issues are gone with all UWP apps tested. Now to find a way to fix this, without removing or disabling the antivirus :).

Hi @D2theZ

Thank you for the heads up on checking the A/V. That has in part helped. We are using Palo Alto Cortex XDR, and on first restart of the server (WinSrv 2019) and with Cortex XDR disabled, a user can log in correctly with SSO and use Teams V2.1; however, on subsequent occasions before the server is restarted, the current user or any other user is unable to run Teams.

It does appear there are interactions going on that the A/V software is involved in. We haven't as yet tried with Cortex XDR fully uninstalled, just disabled. It's worth noting that Cortex XDR has not indicated that it has blocked anything or detected any suspicious activity.


On the AV part, given the recommendations, one should exclude profile containers. Defender will have automated exclusions, but unfortunately other vendors don't make it that easy, even if they could just import recommendations from Microsoft and provide them as a settings package.

Attached files:
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER500E.tmp.dmp
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER5232.tmp.WERInternalMetadata.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER5291.tmp.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER5295.tmp.csv
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER52D4.tmp.txt

I'm also struggling with the New Teams issues and until now it's not solved. I also have a strange thing about the FSLogix version. After uninstalling FSLogix_Apps_2.9.8612.60056 and installing FSLogix_Apps_2.9.8716.30241 I have the following behaviour. In FrxTray, Driver Interface still says 2.9.8612.60056 for Service, Kernel and Kernel Virtualization Driver, but when doing a frx version on cmd, version 2.9.8716.30241 is listed. Also in the Registry, 2.9.8716.30241 is listed as InstalledVersion. So who is telling the truth? Any idea @Jason_Parker?
