Exchange 2013 infected by Backdoor:MSIL/Chopper & other variants


65 replies to this topic

#31 kpatel45
  • Topic Starter
  • Members
  • 35 posts
Posted 14 January 2024 - 12:15 PM

Hi again,

I have analysed the two ASPX files (err1.aspx and err4.aspx) in the C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources folder on VirusTotal. The links to the results are below:

https://www.virustotal.com/gui/file/89d47efd1d065e0a368ba392b786911d47b294c558729a0f556e21e9e34757c3

https://www.virustotal.com/gui/file/89d47efd1d065e0a368ba392b786911d47b294c558729a0f556e21e9e34757c3



#32 Oh My!
    Adware and Spyware and Malware
  • Malware Response Instructor
  • 57,028 posts
  • Gender:Male
  • Location:California

Posted 14 January 2024 - 05:31 PM

Thank you. We are getting closer.

Please do this.

===================================================

Farbar Recovery Scan Tool Fix

--------------------
  • Right click on the FRST64 icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
  • There is no need to paste the information anywhere, FRST64 will do it for you
Start::
Folder: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp
Folder: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog

Gary 

Lord, to whom shall we go? You have the words of eternal life. We have come to believe and to know that you are the Holy One of God.

John 6:68-69

#33 kpatel45
  • Topic Starter
  • Members
  • 35 posts

Posted 15 January 2024 - 12:55 AM

Results as requested:

Fix result of Farbar Recovery Scan Tool (x64) Version: 22-12-2023
Ran by ex-super_user (15-01-2024 09:54:00) Run:7
Running from C:\Users\ex-super_user\Desktop
Loaded Profiles: goc1 & ex-super_user
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start::
Folder: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp
Folder: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa
End::
*****************


========================= Folder: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp ========================

2019-05-29 01:02 - 2019-05-29 01:02 - 000000091 ____A [6AF21640B51FE0187091B8E842D08F3A] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\global.asax
2021-03-08 19:49 - 2021-03-08 21:09 - 000004070 ____A [151A3B53A6EAFCEA1B61A6AE244A6D23] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\web.config
2014-01-16 18:08 - 2019-05-29 01:02 - 000003858 ____A [A8AB96CD432B291AB2E21DBD1A5858EF] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\web.config.bak
2021-03-08 18:31 - 2021-03-08 18:34 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth
2019-05-29 01:02 - 2019-05-29 01:02 - 000002387 ____A [C422B197294456C66E95684C54971425] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\TimeoutLogout.aspx

====== End of Folder: ======


========================= Folder: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa ========================

2019-05-29 01:02 - 2019-05-29 01:02 - 000000091 ____A [6AF21640B51FE0187091B8E842D08F3A] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\global.asax
2021-03-08 19:49 - 2022-04-11 14:29 - 000006672 ____A [9CBA3586BC0B78E64721B7FCEA0B49AE] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\web.config
2014-01-16 18:08 - 2019-05-29 01:02 - 000006365 ____A [6284CB10B95EE01AA35E83B78AEA1BDB] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\web.config.bak
2014-01-16 13:48 - 2024-01-11 09:18 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
2019-05-29 01:02 - 2019-05-29 01:02 - 000007716 ____A [B6B0F9840DE40C22AC40D7A280AA197E] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx
2019-05-29 01:02 - 2019-05-29 01:02 - 000007200 ____A [10A28A8F008A75D350CACEE22696E8FB] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\ExpiredPassword.aspx
2019-05-29 01:02 - 2019-05-29 01:02 - 000000110 ____A [49A9DB9F86C1A322C32E9FDC0AF8403E] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\getidtoken.htm
2019-05-29 01:02 - 2019-05-29 01:02 - 000005254 ____A [04094AB25586D3451EF25B4A6CF1167D] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logoff.aspx
2019-02-05 10:12 - 2023-03-23 14:10 - 000016108 ____A [99F6D0A35A8E91618F737BEDC27DEAA5] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx
2021-03-08 21:23 - 2020-02-09 23:22 - 000016822 ____A [797B804C2F6282C4C39021819AAE7345] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon_captcha_12Apr22.aspx
2023-02-22 13:49 - 2023-02-22 14:10 - 000016121 ____A [BE5003DE7B3341DB43D927983F19280B] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon_captcha22feb2023.aspx
2015-08-27 22:05 - 2015-08-27 22:05 - 000015766 ____A [983F085A62CC27A1F66BEEB9BCB785EB] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon_origin.aspx
2019-05-29 01:02 - 2019-05-29 01:02 - 000015766 ____A [983F085A62CC27A1F66BEEB9BCB785EB] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon08032021.aspx
2019-05-29 01:02 - 2019-05-29 01:02 - 000001897 ____A [E32582526C6D44DE688A1846BA0525B6] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookCN.aspx
2020-02-09 17:59 - 2020-02-09 18:39 - 000000653 ____A [E2DAB1CC6D91C0E2C44A160DD79A951A] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\recaptcha.aspx
2019-05-29 01:02 - 2019-05-29 01:02 - 000000332 ____A [B7C5431B19812E5BC14D5FBF65A5C290] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx.bak
2019-05-29 01:02 - 2019-05-29 01:02 - 000004475 ____A [8F7F55B223F978A43E2C3F1EE860C402] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\signout.aspx
2019-05-29 01:02 - 2019-05-29 01:02 - 000004694 ____A [01FD325E91A479A7B0B50FF2F916FBE4] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\SvmFeedback.aspx
2021-03-08 18:31 - 2021-03-08 18:31 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497
2021-03-08 18:31 - 2021-03-08 18:31 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\scripts
2021-03-08 18:31 - 2021-03-08 18:34 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\scripts\premium
2019-05-29 01:02 - 2019-05-29 01:02 - 000002596 ____A [58A31CA3106DDF119E28188E7F8E80CD] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\scripts\premium\fexppw.js
2019-05-29 01:02 - 2023-03-23 14:12 - 000015398 ____A [F39978440FCFBBAF75ECA60F649C53E8] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\scripts\premium\flogon.js
2021-03-08 18:31 - 2021-03-08 18:31 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes
2021-03-08 18:31 - 2021-03-08 18:34 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources
2019-05-29 01:02 - 2019-05-29 01:02 - 000005955 ____A [672577101F5BBA594D548B01D463F155] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\bg_gradient.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000001434 ____A [700528C06D9BA83EEBB320059F27443F] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\bg_gradient_login.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000003838 ____A [56831F25A392B1DCA81C041E45AE5A6B] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\errorFE.css
2019-05-29 01:02 - 2019-05-29 01:02 - 000007886 ____A [759FADE9033AA298629E4B000DCD6DDE] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\favicon.ico
2019-05-29 01:02 - 2019-05-29 01:02 - 000001150 ____A [F1502CFDF7B39E4C37402642297AF045] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\favicon_office.ico
2019-05-29 01:02 - 2019-05-29 01:02 - 000001196 ____A [714166E5D2FA559EE64403D971754EAE] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\icon_settings.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000001294 ____A [89C1C330BF27F9E61F4F4FA8D88996A9] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\icp.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000009311 ____A [E0A2C263C6745F251720FE0876D140C4] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgnbotl.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000000276 ____A [704330B6D293CE2D32780739218696B9] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgnbotm.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000002392 ____A [43B7C46B32691AA778C5E49D139DB8F5] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgnbotr.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000000061 ____A [873C522598FB6DA9F70D5DDE7CCF6213] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgnexlogo.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000000290 ____A [BAF34665612F4D59F7CFC06EA82DA21D] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgnleft.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000000306 ____A [391603F1FAEE60DB855BD11650DBBF72] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgnright.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000004455 ____A [6AE33A65D15F6BB5113E066FCA7FA73A] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgntopl.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000000058 ____A [0615717B3645A8573F07347CDB74D69F] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgntopm.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000000581 ____A [031BED6F568FBDDDDF550A97400B273F] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgntopr.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000009661 ____A [057E29BFB65CA8E942E8988CA4A8A0CD] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\logon.css
2019-05-29 01:02 - 2019-05-29 01:02 - 000012337 ____A [BEEDA67B5036A5D57A729880214D4BCB] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\office365_cn.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000002503 ____A [FB4DF93A98B7AF6880C126A8318A60A8] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\olk_logo_white.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000004549 ____A [B0EDD9662E316D053763EE8DAB80031A] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\olk_logo_white_cropped.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000003595 ____A [B92016C97A84CEB7F12FDF0E7276215E] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\olk_logo_white_small.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000005856 ____A [4E5D0AABB0CB1CB62FD75C72119FB6DD] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\owa_text_blue.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000010438 ____A [C9DC9654A2D203B8AA31F2A62B6B0FCB] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\owafont.css
2019-05-29 01:02 - 2019-05-29 01:02 - 000012486 ____A [D8ED69CA045C7771E85B7FFF3C9C87EF] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\owafont_ja.css
2019-05-29 01:02 - 2019-05-29 01:02 - 000012174 ____A [D52C9846FB9FAF43D4D98E21E703A66E] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\owafont_ko.css
2019-05-29 01:02 - 2019-05-29 01:02 - 000010557 ____A [C4FE731B43ACE93A895A3AC0744D3AE3] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\owafont_vi.css
2019-05-29 01:02 - 2019-05-29 01:02 - 000011760 ____A [9E7F9E67269AD7417140E671EF4DAD46] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\owafont_zh_chs.css
2019-05-29 01:02 - 2019-05-29 01:02 - 000012193 ____A [BC2CB9133F91126A31653A952ED1B51B] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\owafont_zh_cht.css
2019-05-29 01:02 - 2019-05-29 01:02 - 000026797 ____A [BFACE2B57777F49242BDE085A0B01712] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\SegoeUI-Regular.eot
2019-05-29 01:02 - 2019-05-29 01:02 - 000056760 ____A [8AF990B6AD3BA192C2DD6A193890BF5F] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\SegoeUI-Regular.ttf
2019-05-29 01:02 - 2019-05-29 01:02 - 000024345 ____A [918C4675C95F397A9FF09291A3C6FAC7] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\SegoeUI-SemiBold.eot
2019-05-29 01:02 - 2019-05-29 01:02 - 000048952 ____A [06FEF2219439F2317755635025452398] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\SegoeUI-SemiBold.ttf
2019-05-29 01:02 - 2019-05-29 01:02 - 000022084 ____A [3EB79218C6DD5AD08A606910B04D947B] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\SegoeUI-SemiLight.eot
2019-05-29 01:02 - 2019-05-29 01:02 - 000041560 ____A [6C26C24AABE31040657665B1E0D9505C] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\SegoeUI-SemiLight.ttf
2019-05-29 01:02 - 2019-05-29 01:02 - 000001441 ____A [2FC55AC36211FB6B5A051281CC4898AD] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\Sign_in_arrow.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000000604 ____A [C1A468B897CB21E8310636D6D9754C8E] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\Sign_in_arrow_rtl.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000000761 ____A [858574E345D9E320480D3F952A5706BB] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\warn.png
2014-01-16 13:48 - 2014-11-26 14:19 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.775
2014-01-16 13:48 - 2014-11-26 14:19 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.775\themes
2014-01-16 13:48 - 2014-11-26 14:13 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.775\themes\resources
2014-10-17 04:57 - 2014-07-07 13:56 - 000137385 ____A [E23658493BB1BF81AA98540F9D74385F] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.775\themes\resources\bg.png
2014-10-17 04:57 - 2014-05-28 16:13 - 000960620 ____A [8B8E2A852C4B0C350C32D31EC9941292] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.775\themes\resources\pics.jpg
2014-11-26 14:23 - 2015-12-05 02:14 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.995
2014-11-26 14:23 - 2014-11-26 14:23 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.995\scripts
2014-11-26 14:23 - 2015-12-05 02:05 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.995\scripts\premium
2014-12-09 11:02 - 2014-12-09 11:00 - 000002606 ____A [7F2F0992C90DB54773EFFAA0A64AAD5D] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.995\scripts\premium\fexppw - Copy.js
2019-03-30 21:23 - 2021-03-08 18:34 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current
2021-03-08 18:34 - 2021-03-08 18:34 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts
2021-03-08 18:34 - 2021-03-08 18:34 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium
2019-05-29 01:02 - 2019-05-29 01:02 - 000002596 ____A [58A31CA3106DDF119E28188E7F8E80CD] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium\fexppw.js
2019-05-29 01:02 - 2019-05-29 01:02 - 000014961 ____A [FF9F12054063949B0E3A933D7F5F7EC2] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium\flogon.js
2019-03-30 21:23 - 2019-03-30 21:23 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes
2019-03-30 21:23 - 2024-01-15 09:52 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources
2019-05-29 01:02 - 2019-05-29 01:02 - 000005955 ____A [672577101F5BBA594D548B01D463F155] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\bg_gradient.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000001434 ____A [700528C06D9BA83EEBB320059F27443F] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\bg_gradient_login.png
2020-03-05 11:28 - 2019-02-05 10:12 - 000000097 ____A [BE678EEB1EA08F62B1F458FD9170F0CA] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\err1.aspx
2020-03-05 11:17 - 2019-02-05 10:12 - 000000097 ____A [BE678EEB1EA08F62B1F458FD9170F0CA] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\err4.aspx
2019-05-29 01:02 - 2019-05-29 01:02 - 000003838 ____A [56831F25A392B1DCA81C041E45AE5A6B] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\errorFE.css
2019-05-29 01:02 - 2019-05-29 01:02 - 000007886 ____A [759FADE9033AA298629E4B000DCD6DDE] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\favicon.ico
2019-05-29 01:02 - 2019-05-29 01:02 - 000001150 ____A [F1502CFDF7B39E4C37402642297AF045] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\favicon_office.ico
2019-05-29 01:02 - 2019-05-29 01:02 - 000001196 ____A [714166E5D2FA559EE64403D971754EAE] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\icon_settings.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000001294 ____A [89C1C330BF27F9E61F4F4FA8D88996A9] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\icp.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000009311 ____A [E0A2C263C6745F251720FE0876D140C4] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgnbotl.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000000276 ____A [704330B6D293CE2D32780739218696B9] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgnbotm.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000002392 ____A [43B7C46B32691AA778C5E49D139DB8F5] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgnbotr.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000000061 ____A [873C522598FB6DA9F70D5DDE7CCF6213] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgnexlogo.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000000290 ____A [BAF34665612F4D59F7CFC06EA82DA21D] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgnleft.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000000306 ____A [391603F1FAEE60DB855BD11650DBBF72] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgnright.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000004455 ____A [6AE33A65D15F6BB5113E066FCA7FA73A] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgntopl.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000000058 ____A [0615717B3645A8573F07347CDB74D69F] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgntopm.gif
2019-05-29 01:02 - 2019-05-29 01:02 - 000000581 ____A [031BED6F568FBDDDDF550A97400B273F] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgntopr.gif
2023-02-22 13:52 - 2019-05-29 01:02 - 000009661 ____A [057E29BFB65CA8E942E8988CA4A8A0CD] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\logon.css
2019-05-29 01:02 - 2023-02-22 13:53 - 000009711 ____A [9D2AA2D69C0080B27D6E0A7BD185F651] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\logon_captcha.css
2019-05-29 01:02 - 2019-05-29 01:02 - 000012337 ____A [BEEDA67B5036A5D57A729880214D4BCB] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\office365_cn.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000002503 ____A [FB4DF93A98B7AF6880C126A8318A60A8] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\olk_logo_white.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000004549 ____A [B0EDD9662E316D053763EE8DAB80031A] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\olk_logo_white_cropped.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000003595 ____A [B92016C97A84CEB7F12FDF0E7276215E] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\olk_logo_white_small.png
2023-03-23 14:10 - 2024-01-05 09:04 - 029457936 ____A [5E91F158C17D3B818B753A93A8BA3026] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owa_logo.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000005856 ____A [4E5D0AABB0CB1CB62FD75C72119FB6DD] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owa_text_blue.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000010438 ____A [C9DC9654A2D203B8AA31F2A62B6B0FCB] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont.css
2019-05-29 01:02 - 2019-05-29 01:02 - 000012486 ____A [D8ED69CA045C7771E85B7FFF3C9C87EF] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont_ja.css
2019-05-29 01:02 - 2019-05-29 01:02 - 000012174 ____A [D52C9846FB9FAF43D4D98E21E703A66E] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont_ko.css
2019-05-29 01:02 - 2019-05-29 01:02 - 000010557 ____A [C4FE731B43ACE93A895A3AC0744D3AE3] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont_vi.css
2019-05-29 01:02 - 2019-05-29 01:02 - 000011760 ____A [9E7F9E67269AD7417140E671EF4DAD46] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont_zh_chs.css
2019-05-29 01:02 - 2019-05-29 01:02 - 000012193 ____A [BC2CB9133F91126A31653A952ED1B51B] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont_zh_cht.css
2019-05-29 01:02 - 2019-05-29 01:02 - 000026797 ____A [BFACE2B57777F49242BDE085A0B01712] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\SegoeUI-Regular.eot
2019-05-29 01:02 - 2019-05-29 01:02 - 000056760 ____A [8AF990B6AD3BA192C2DD6A193890BF5F] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\SegoeUI-Regular.ttf
2019-05-29 01:02 - 2019-05-29 01:02 - 000024345 ____A [918C4675C95F397A9FF09291A3C6FAC7] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\SegoeUI-SemiBold.eot
2019-05-29 01:02 - 2019-05-29 01:02 - 000048952 ____A [06FEF2219439F2317755635025452398] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\SegoeUI-SemiBold.ttf
2019-05-29 01:02 - 2019-05-29 01:02 - 000022084 ____A [3EB79218C6DD5AD08A606910B04D947B] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\SegoeUI-SemiLight.eot
2019-05-29 01:02 - 2019-05-29 01:02 - 000041560 ____A [6C26C24AABE31040657665B1E0D9505C] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\SegoeUI-SemiLight.ttf
2019-05-29 01:02 - 2019-05-29 01:02 - 000001441 ____A [2FC55AC36211FB6B5A051281CC4898AD] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\Sign_in_arrow.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000000604 ____A [C1A468B897CB21E8310636D6D9754C8E] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\Sign_in_arrow_rtl.png
2019-05-29 01:02 - 2019-05-29 01:02 - 000000761 ____A [858574E345D9E320480D3F952A5706BB] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\warn.png
2020-03-05 11:09 - 2020-03-09 10:43 - 000000000 ____D [00000000000000000000000000000000] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\Bin
2020-03-05 11:14 - 2019-02-05 10:12 - 000054272 ____A [173AE8266C754FC182FE6A8A8114A699] (Microsoft Corporation) [File not signed] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\Bin\Microsoft.Exchange.Clients.Event.dll
2020-03-09 10:43 - 2019-02-05 10:12 - 000000000 ____A [D41D8CD98F00B204E9800998ECF8427E] () <==== ATTENTION [zero byte File/Folder] C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\Bin\Microsoft.Exchange.Common.dll

====== End of Folder: ======


==== End of Fixlog 09:54:11 ====



#34 Oh My!
    Adware and Spyware and Malware
  • Malware Response Instructor
  • 57,028 posts
  • Gender:Male
  • Location:California

Posted 15 January 2024 - 09:45 AM

Thank you for the information and continued patience.

Yes, those 2 files are on my radar already. What I find a bit troublesome is the date/time stamp on the files. I would have thought the date would be closer to present day but it isn't. This infection can infiltrate several areas of the computer and malicious files are created with various names. In order to take a surgical approach and minimize unforeseen consequences on a Server I am being very cautious and as careful as I can be.

We need to run one more thing and then I think I can provide a Fixlist for you.

Please do this.

===================================================

Farbar Recovery Scan Tool SearchAll

--------------------
  • Right click on FRST and select Run as administrator
  • Copy/paste the following in the Search: box
SearchAll: err1.aspx;err4.aspx
  • Click Search Files button
  • When completed click OK and a Search.txt document will open on your desktop
  • Copy and paste the contents of the report in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Search.txt

Gary 

Lord, to whom shall we go? You have the words of eternal life. We have come to believe and to know that you are the Holy One of God.

John 6:68-69
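The Fixlog above is read by eye in this thread; as an added example, not code from this thread or from FRST, the following Python script parses FRST "Folder:" listing lines and flags the kinds of entries discussed here: a server-side script sitting in the static themes\resources folder, the zero-byte and unsigned DLLs, and files whose modification time is earlier than their creation time (the date oddity Gary remarks on). The sample log lines are constructed in the FRST line format with placeholder hashes, and the check names are my own.

```python
"""Triage helper for FRST "Folder:" listing lines (added example, not FRST's own code).

Each FRST folder line has the shape
  <created> - <modified> - <size> <attrs> [<md5>] (<publisher>) [notes] <path>
The checks below flag entries a responder would look at twice in an Exchange
front-end tree; they are heuristics for review, not a verdict.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{9}) (?P<attrs>[_A-Z]{5}) "
    r"\[(?P<md5>[0-9A-Fa-f]{32})\] ?"
    r"(?P<notes>.*?)"                 # "(publisher) [File not signed] <==== ATTENTION ..." etc.
    r"(?P<path>[A-Za-z]:\\.*)$"
)

# Extensions IIS/ASP.NET executes server-side; none belong in a themes\resources
# folder, which should only hold images, fonts and CSS.
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp", ".cshtml")
STATIC_DIR = "\\themes\\resources\\"

OWA = r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa"
RES = OWA + r"\auth\Current\themes\resources"

# Constructed sample in the FRST format. The 1111.../2222.../3333... hashes are
# placeholders, not real indicators; D41D8CD9... is simply the MD5 of an empty file.
SAMPLE_LOG = "\n".join([
    "2019-03-30 21:23 - 2024-01-15 09:52 - 000000000 ____D [00000000000000000000000000000000] " + RES,
    "2019-05-29 01:02 - 2019-05-29 01:02 - 000009661 ____A [11111111111111111111111111111111] () " + RES + r"\logon.css",
    "2020-03-05 11:28 - 2019-02-05 10:12 - 000000097 ____A [22222222222222222222222222222222] () " + RES + r"\err1.aspx",
    "2020-03-05 11:14 - 2019-02-05 10:12 - 000054272 ____A [33333333333333333333333333333333] (Microsoft Corporation) [File not signed] " + OWA + r"\Bin\Microsoft.Exchange.Clients.Event.dll",
    "2020-03-09 10:43 - 2019-02-05 10:12 - 000000000 ____A [D41D8CD98F00B204E9800998ECF8427E] () <==== ATTENTION [zero byte File/Folder] " + OWA + r"\Bin\Microsoft.Exchange.Common.dll",
])


def parse_line(line: str):
    """Return a dict for one FRST folder line, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["created"] = datetime.strptime(entry["created"], "%Y-%m-%d %H:%M")
    entry["modified"] = datetime.strptime(entry["modified"], "%Y-%m-%d %H:%M")
    entry["size"] = int(entry["size"])
    entry["is_dir"] = "D" in entry["attrs"]
    return entry


def flag_entry(entry) -> list:
    """Return the reasons this entry deserves a second look (empty list if none)."""
    flags = []
    if entry["is_dir"]:
        return flags
    path = entry["path"].lower()
    if path.endswith(SCRIPT_EXTS) and STATIC_DIR in path:
        flags.append("server-side script inside a static resources folder")
    if entry["size"] == 0:
        flags.append("zero-byte file")
    if path.endswith(".dll") and "[File not signed]" in entry["notes"]:
        flags.append("unsigned DLL")
    if entry["modified"] < entry["created"]:
        flags.append("modification time earlier than creation time")
    return flags


def scan(log_text: str) -> dict:
    """Map each flagged path to its list of flags; unflagged entries are omitted."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        flags = flag_entry(entry)
        if flags:
            findings[entry["path"]] = flags
    return findings


if __name__ == "__main__":
    for path, flags in scan(SAMPLE_LOG).items():
        print(path)
        for flag in flags:
            print("    -", flag)
```

Feed it the full Fixlog text instead of SAMPLE_LOG to get the same flags over a real listing; anything it prints still needs a human to decide whether the file is legitimate.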

#35 kpatel45
  • Topic Starter
  • Members
  • 35 posts

Posted 17 January 2024 - 01:38 AM

Hi Gary,

Sorry for the delay in replying. We were hit by a storm and the office was closed. Please find the results below:

Farbar Recovery Scan Tool (x64) Version: 22-12-2023
Ran by ex-super_user (17-01-2024 10:26:13)
Running from C:\Users\ex-super_user\Desktop
Boot Mode: Normal

================== Search Files: "SearchAll: err1.aspx;err4.aspx" =============

File:
========
C:\Users\ex-super_user\AppData\Roaming\Microsoft\Windows\Recent\err1.aspx.lnk
[2024-01-14 21:08][2024-01-14 21:08] 000001927 _____ () F9D85B7CE7ED889FF9F9177B2189826C [File not signed]

C:\Users\ex-super_user\AppData\Roaming\Microsoft\Windows\Recent\err4.aspx.lnk
[2024-01-14 21:08][2024-01-14 21:08] 000001927 _____ () C7CEA7AD5FD4C4D1A10043EE02535B10 [File not signed]

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\err1.aspx
[2020-03-05 11:28][2019-02-05 10:12] 000000097 _____ () BE678EEB1EA08F62B1F458FD9170F0CA [File not signed]

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\err4.aspx
[2020-03-05 11:17][2019-02-05 10:12] 000000097 _____ () BE678EEB1EA08F62B1F458FD9170F0CA [File not signed]


folder:
========

Registry:
========

===================== Search result for "err1.aspx" ==========


===================== Search result for "err4.aspx" ==========


====== End of Search ======
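
The search above places both files in the OWA themes\resources folder, and the FRST output records their size, hash and timestamps. The next question a responder asks is who requested those pages and when. The following PowerShell is an added example, not part of this thread or of FRST; it parses IIS W3C logs by their #Fields: header and pulls every request whose URI ends in one of the two names. The log root (default C:\inetpub\logs\LogFiles) and the sample log lines, including the client IPs and times, are constructed assumptions for illustration.

```powershell
# Added example (not part of this thread): parse IIS W3C logs and pull every
# request for the .aspx files the FRST search located, then summarise by client.
# Assumptions: IIS logs live under the default C:\inetpub\logs\LogFiles (the
# Exchange front-end site is usually W3SVC1) and carry a #Fields: header.
# The sample log lines below are constructed; the IPs and times are invented.

$Names   = @('err1.aspx', 'err4.aspx')
$LogRoot = 'C:\inetpub\logs\LogFiles'

function ConvertFrom-IisW3C {
    # Turns W3C extended log lines into objects using the #Fields: header,
    # because the field order differs between servers and IIS versions.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $row[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
        }
        [pscustomobject]$row
    }
}

function Find-WebShellHits {
    # Matches the file name at the end of cs-uri-stem, case-insensitively,
    # so a copy dropped under a different folder is still caught.
    param([string[]]$Lines, [string[]]$FileNames)
    $alt = ($FileNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
    ConvertFrom-IisW3C -Lines $Lines |
        Where-Object { $_.'cs-uri-stem' -match "(?i)(^|/)($alt)$" } |
        Select-Object date, time, 'c-ip', 'cs-method', 'cs-uri-stem', 'cs-uri-query', 'sc-status', 'cs(User-Agent)'
}

# Constructed sample in the shape of a real IIS log (IIS writes UTC times and
# replaces spaces in the User-Agent with '+').
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-10 03:14:07 10.0.0.5 POST /owa/auth/Current/themes/resources/err1.aspx - 443 - 198.51.100.23 python-requests/2.31 - 200 0 0 41
2024-01-10 03:14:09 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
2024-01-10 03:15:30 10.0.0.5 POST /owa/auth/Current/themes/resources/err4.aspx - 443 - 198.51.100.23 python-requests/2.31 - 200 0 0 38
'@ -split "`r?`n"

$hits = Find-WebShellHits -Lines $sample -FileNames $Names
$hits | Format-Table -AutoSize
$hits | Group-Object 'c-ip' | Select-Object Name, Count      # who drove the pages, and how often

# Against the live server, every site and every rotated day:
# $live = Get-ChildItem $LogRoot -Recurse -Filter '*.log' | ForEach-Object { Get-Content $_.FullName }
# Find-WebShellHits -Lines $live -FileNames $Names | Export-Csv .\webshell-hits.csv -NoTypeInformation
```

POST requests with a non-browser User-Agent to a page that lives in a static-resource folder are the pattern to look for; the client IPs and first-seen time bound the intrusion window. IIS logs in UTC, so convert before comparing with the FRST timestamps, and keep in mind that the Exchange HttpProxy logs under the install path's Logging folder record the same front-end requests if the IIS logs have already rotated away.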



#36 Oh My! (Malware Response Instructor)

Posted 17 January 2024 - 09:49 AM

Thank you.

I think we are ready to apply a Fix.

We are going to try to gain access to the files by stopping 2 Services. Hopefully that will work but since I can't test it I am not sure.

Please do this.

===================================================

Farbar Recovery Scan Tool Fix

--------------------
  • Click Start, type cmd, then select Run as administrator
  • Type Net Stop IISAdmin then hit Enter and confirm action if asked
  • Confirm it was successful
  • Type Net Stop w3svc and hit Enter
  • Confirm it was successful or the service was not running (may be stopped by IISAdmin command)
  • If you are unable to complete the above stop and let me know
  • Right click on the FRST64 icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
  • There is no need to paste the information anywhere, FRST64 will do it for you
Start::
CloseProcesses:
C:\Users\ex-super_user\AppData\Roaming\Microsoft\Windows\Recent\err1.aspx.lnk
C:\Users\ex-super_user\AppData\Roaming\Microsoft\Windows\Recent\err4.aspx.lnk
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\err1.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\err4.aspx
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog

Gary 


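The procedure above stops the web services so that the FRST fix can move files a worker process would otherwise hold open. As an added example, not the thread's own procedure, the PowerShell below does the same triage and removal in one script: it lists every .aspx under the OWA themes\resources folder (a static-content folder that should hold no server pages), records size, MD5, SHA256 and both timestamps so they can be compared with the FRST search output, and only then stops the IIS worker processes and moves the chosen files into a quarantine folder. Assumptions: it runs elevated on the Exchange server, $env:ExchangeInstallPath is set (Exchange setup defines it; the path seen in this thread is the fallback), the quarantine folder C:\Quarantine is on the same volume, and the content regex is a heuristic of my own, not a signature.

```powershell
# Added example, not the thread's own procedure: triage every .aspx under the
# OWA themes\resources folder, record hashes and timestamps, then quarantine
# with the IIS worker processes stopped so nothing holds the files open.
# Assumptions: elevated session, $env:ExchangeInstallPath set (fallback is the
# path from the thread), quarantine folder on the same volume as the files.

$ExInstall   = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath } else { 'C:\Program Files\Microsoft\Exchange Server\V15\' }
$ResourceDir = Join-Path $ExInstall 'FrontEnd\HttpProxy\owa\auth\Current\themes\resources'
$Quarantine  = 'C:\Quarantine'     # assumed location
# Heuristic only: constructs common in one-line ASPX shells. A hit means
# "read it"; a miss in this folder still leaves the file suspect.
$WebShellRx  = '(?i)eval\s*\(|Request\.(Item|Form|QueryString|Params)|Assembly\.Load|Process\.Start|cmd\.exe|powershell'

function Get-AspxTriage {
    param([string]$Dir)
    Get-ChildItem -Path $Dir -Recurse -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path      = $_.FullName
                Bytes     = $_.Length
                Created   = $_.CreationTimeUtc      # FRST shows two timestamps; record both, either is easy to forge
                Modified  = $_.LastWriteTimeUtc
                MD5       = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash    # FRST reports MD5
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash # for VirusTotal and IOC sharing
                ShellLike = [bool]($text -match $WebShellRx)
            }
        }
}

function Invoke-Quarantine {
    param([string[]]$Paths, [string]$Dest)
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    $log = Join-Path $Dest 'quarantine.log'
    # WAS owns the w3wp.exe worker processes and W3SVC depends on it; stopping
    # WAS (and with it W3SVC) guarantees no worker still has the file open.
    # IISAdmin is only the legacy metabase compatibility service.
    Stop-Service -Name WAS -Force
    try {
        foreach ($p in $Paths) {
            if (-not (Test-Path -Path $p)) { continue }
            $stamp  = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
            $target = Join-Path $Dest ('{0}_{1}.quarantined' -f $stamp, (Split-Path -Path $p -Leaf))
            Move-Item -Path $p -Destination $target          # same volume: timestamps survive the move
            "$(Get-Date -Format o) moved $p -> $target" | Add-Content -Path $log
        }
    } finally {
        Start-Service -Name W3SVC                            # starts WAS as a dependency
    }
}

$triage = Get-AspxTriage -Dir $ResourceDir
$triage | Format-List
# Review the listing first, then quarantine what you have decided is hostile:
# Invoke-Quarantine -Paths ($triage | Where-Object ShellLike).Path -Dest $Quarantine
```

Moving rather than deleting keeps the file for later analysis, and the hash recorded before the move is what you submit to VirusTotal or share as an indicator. Run the triage on every Exchange server in the organisation, not only the one that raised the alert, since the same drop is usually repeated across front ends.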
#37 kpatel45 (Topic Starter)

Posted 19 January 2024 - 11:57 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 22-12-2023
Ran by ex-super_user (19-01-2024 20:34:31) Run:8
Running from C:\Users\ex-super_user\Desktop
Loaded Profiles: goc1 & ex-super_user
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start::
CloseProcesses:
C:\Users\ex-super_user\AppData\Roaming\Microsoft\Windows\Recent\err1.aspx.lnk
C:\Users\ex-super_user\AppData\Roaming\Microsoft\Windows\Recent\err4.aspx.lnk
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\err1.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\err4.aspx
End::
*****************

Processes closed successfully.
C:\Users\ex-super_user\AppData\Roaming\Microsoft\Windows\Recent\err1.aspx.lnk => moved successfully
C:\Users\ex-super_user\AppData\Roaming\Microsoft\Windows\Recent\err4.aspx.lnk => moved successfully
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\err1.aspx => moved successfully
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\err4.aspx => moved successfully


The system needed a reboot.

==== End of Fixlog 20:34:57 ====



#38 Oh My! (Malware Response Instructor)

Posted 19 January 2024 - 02:58 PM

Very good.

Let me know if detections continue.
Gary 


#39 kpatel45 (Topic Starter)

Posted 24 January 2024 - 12:32 AM

Microsoft Safety Scanner v1.403, (build 1.403.2501.0)
Started On Mon Jan 22 09:20:28 2024

Engine: 1.1.23110.2
Signatures: 1.403.2501.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode

Full Scan Results:
------------------
Threat Detected: Backdoor:Win32/Rollingaim.A!dha, for cleaning, the system needs to be restarted.
  Action: Remove, Result: 0x00000000
    file://C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa_oma\2af6b05a\6793747e\assembly\dl3\edc30a5e\0073cdbc_19bdd401\Microsoft.Exchange.Clients.Event.DLL
        SigSeq: 0x0001187857DE8A8B
    file://C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa_calendar\50586abb\43fe3563\assembly\dl3\71c14e76\0073cdbc_19bdd401\Microsoft.Exchange.Clients.Event.DLL
        SigSeq: 0x0001187857DE8A8B
    file://C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa\8e05b027\e164d61b\assembly\dl3\085cc50c\0073cdbc_19bdd401\Microsoft.Exchange.Clients.Event.DLL
        SigSeq: 0x0001187857DE8A8B
    file://C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\Bin\Microsoft.Exchange.Clients.Event.dll
        SigSeq: 0x0001187857DE8A8B

Results Summary:
----------------
Found Backdoor:Win32/Rollingaim.A!dha, for cleaning, the system needs to be restarted.
Microsoft Safety Scanner Finished On Mon Jan 22 15:17:05 2024


Return code: 10 (0xa)
Failed to submit MAPS report: 0x80072EE2



#40 Oh My! (Malware Response Instructor)

Posted 24 January 2024 - 12:12 PM

Thank you.

I believe this is a False Positive detection but I am conferring with one of my colleagues to get a second opinion.
Gary 


#41 Oh My! (Malware Response Instructor)

Posted 24 January 2024 - 05:14 PM

I have consulted with my colleague and he confirms this is a false positive. A very good explanation of the MSS process by Rob Koch can be found here. Of particular note is the MAPS portion of the process, a critical step in the ultimate determination whether or not a file is malicious/suspicious.

 

Failed to submit MAPS report: 0x80072EE2

In a nutshell, MSS flagged these legitimate files as suspect but because your system failed to submit the MAPS report to the server for final determination (and clearance resulting in no detections) the entries remained in the report.

 

I would recommend using other scanning software instead of MSS as this is a longstanding concern about the process and results. At the very least, if you use MSS and a detection is noted you should seek confirmation from another scanning program.

 

Let me know if you have any questions.
 


Edited by Oh My!, 24 January 2024 - 05:15 PM.

Gary 


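The post above explains the MAPS step that was missing from the scan. The two checks a practitioner would run locally to confirm the verdict on Microsoft.Exchange.Clients.Event.dll are given below as an added example, not part of this thread or of the Safety Scanner: first, whether the copy Exchange loads from FrontEnd\HttpProxy\owa\Bin carries a valid Authenticode signature chaining to Microsoft; second, whether the three copies under "Temporary ASP.NET Files" (ASP.NET shadow-copies a site's bin assemblies there when it compiles it) are byte-identical to that original. An unsigned or HashMismatch Bin copy, or a shadow copy that differs from it, would be a real finding; signed and identical copies support the false-positive reading. The script assumes $env:ExchangeInstallPath is set, with the path seen in this thread as fallback.

```powershell
# Added example, not from the thread: independent checks on the binary that
# Safety Scanner flagged. Assumes $env:ExchangeInstallPath (set by Exchange
# setup), falling back to the install path shown earlier in this thread.

$ExInstall  = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath } else { 'C:\Program Files\Microsoft\Exchange Server\V15\' }
$BinDll     = Join-Path $ExInstall 'FrontEnd\HttpProxy\owa\Bin\Microsoft.Exchange.Clients.Event.dll'
$ShadowRoot = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files'

function Test-MicrosoftSigned {
    # Status is Valid only if the signature verifies AND the chain reaches a
    # trusted root; HashMismatch means the file was modified after signing.
    param([string]$Path)
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = $subject
        IsMicrosoft = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')
    }
}

function Compare-ShadowCopies {
    # Every shadow copy of the DLL must hash the same as the Bin original.
    param([string]$Reference, [string]$Root)
    $refHash = (Get-FileHash -Path $Reference -Algorithm SHA256).Hash
    $leaf    = Split-Path -Path $Reference -Leaf
    Get-ChildItem -Path $Root -Recurse -Filter $leaf -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                Path       = $_.FullName
                MatchesBin = ($h -eq $refHash)
                SHA256     = $h
            }
        }
}

Test-MicrosoftSigned -Path $BinDll | Format-List
Compare-ShadowCopies -Reference $BinDll -Root $ShadowRoot | Format-Table -AutoSize
```

Exchange ships its assemblies Authenticode-signed, so NotSigned or HashMismatch on the Bin copy is itself a finding regardless of what any scanner says. The SHA256 from the first check is also what you would look up on VirusTotal, which gives a second opinion without depending on the MAPS submission that failed in the scan above.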
#42 kpatel45 (Topic Starter)

Posted 25 January 2024 - 11:47 PM

Hi Gary,

Thanks for the explanation, clarification and assistance. I have used Symantec Endpoint Protection (SEP) Suite to scan. However, by default the app excludes the Exchange installation folders from scanning. I did get a notification from SEP about a file in the Windows\Temp folder. It detected a file, Sourcedoc1, as a virus but was unable to take any action, with the error "Access Denied". I tried to manually access the file and got the same issue. I manually changed the permissions on the parent folder, inherited by child objects. Only then could I access the file and delete it. However, more folders were then created, each containing the same file and no access permissions. I am attaching a log file and a few screenshots as reference.

Filename:           sourcedoc1
Risk:               Scr.Malcode!gen59
Action:             Deleted
Risk Type:          Heuristic Virus
Logged By:          Auto-Protect scan
Original Location:  C:\Windows\Temp\XCCache\f4c9d1b6-dca0-46ec-9b12-19fc5e9c9f1e\451a18cb90dd44bfbd5565b6139e8878\1F-68-2F-D5-C1-3A-03-62-21-53-0F-8D-01-5F-20-A1\
Computer:           C11-EX-SVR-MBX3
User:               SYSTEM
Status:             Deleted
Current Location:   Deleted
Primary Action:     Quarantine
Secondary Action:   Leave alone (log only)
Action Description: The file was deleted successfully.
Date and Time:      1/24/2024 10:28:21 AM

 

The same path is found on all four mailbox servers and the same kind of file being generated.




#43 Oh My! (Malware Response Instructor)

Posted 27 January 2024 - 05:40 PM

Please do this.

===================================================

Farbar Recovery Scan Tool Fix

--------------------
  • Right click on the FRST64 icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
  • There is no need to paste the information anywhere, FRST64 will do it for you
Start::
CloseProcesses:
C:\Windows\Temp\XCCache
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Farbar Recovery Scan Tool Search

--------------------
  • Launch FRST
  • Type the following in the Search: box
EQNEDT32.EXE
  • Click Search Files button
  • When completed click OK and a Search.txt document will open on your desktop
  • Copy and paste the contents of that document your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • Search.txt

Gary 


#44 kpatel45 (Topic Starter)

Posted 29 January 2024 - 01:25 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 22-12-2023
Ran by ex-super_user (29-01-2024 10:03:31) Run:9
Running from C:\Users\ex-super_user\Desktop
Loaded Profiles: ex-super_user & share-port_sysadmin4
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start::
CloseProcesses:
C:\Windows\Temp\XCCache
End::
*****************

Processes closed successfully.

"C:\Windows\Temp\XCCache" folder move:

C:\Windows\Temp\XCCache => moved successfully


The system needed a reboot.

==== End of Fixlog 10:04:23 ====

 

Farbar Recovery Scan Tool (x64) Version: 22-12-2023
Ran by ex-super_user (29-01-2024 10:19:03)
Running from C:\Users\ex-super_user\Desktop
Boot Mode: Normal

================== Search Files: "EQNEDT32.EXE" =============


====== End of Search ======



#45 Oh My! (Malware Response Instructor)

Posted 30 January 2024 - 08:52 AM

Thank you.

Can you tell me if the folders/files are still being created?
Gary 


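The question above, whether the folders are still being created, is best answered with data rather than by watching Explorer. The PowerShell below is an added example, not part of this thread: the first function lists whatever currently sits under C:\Windows\Temp\XCCache with its owner and access rules (the post above reported folders the administrator could not open, and "ACCESS DENIED" on the owner field reproduces that), and the second pulls Sysmon FileCreate events (event ID 11) for that path and groups them by the creating process image, which is what decides whether the writer is an Exchange component or something that does not belong. It assumes Sysmon is installed with a FileCreate rule that covers Windows\Temp; without it, the second half returns nothing and file-system auditing would be the substitute.

```powershell
# Added example, not from the thread: what is under XCCache now, and which
# process creates entries there. Assumption: Sysmon is installed with an
# event-11 (FileCreate) rule matching the path; otherwise the second
# function returns nothing.

$Watch = 'C:\Windows\Temp\XCCache'

function Get-XccacheState {
    # Owner and explicit access rules for every item; items the current
    # account cannot read are reported rather than silently skipped.
    param([string]$Root)
    if (-not (Test-Path -Path $Root)) { return @() }
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = $null
            try { $acl = Get-Acl -Path $_.FullName -ErrorAction Stop } catch { }
            $rules = if ($acl) { ($acl.Access | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; ' } else { $null }
            [pscustomobject]@{
                Path    = $_.FullName
                IsDir   = $_.PSIsContainer
                Created = $_.CreationTimeUtc
                Owner   = if ($acl) { $acl.Owner } else { 'ACCESS DENIED' }
                Access  = $rules
            }
        }
}

function Get-FileCreateEvents {
    # Sysmon event 11 carries Image, ProcessId and TargetFilename in EventData.
    param([string]$PathPrefix, [datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $get  = { param($n) ($data | Where-Object { $_.Name -eq $n }).'#text' }
        $target = & $get 'TargetFilename'
        if ($target -like "$PathPrefix*") {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Image     = & $get 'Image'
                ProcessId = & $get 'ProcessId'
                Target    = $target
            }
        }
    }
}

Get-XccacheState -Root $Watch | Format-Table -AutoSize
Get-FileCreateEvents -PathPrefix $Watch |
    Group-Object Image | Select-Object Name, Count | Sort-Object Count -Descending
```

Run it on each of the four mailbox servers mentioned above: if the same image on every server writes the folder, that image and its command line are what to examine next, and the owner reported on the created folders tells you which account it runs as.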


