- Oct 25, 2018
Good questions, but let me observe the proper channels. To make sure your system is clean, or disinfect it if it is not, let's have you start with MT's help & support group for malware removal. Click here to get to the main page, and then click the first link on that page, which should be the mandatory preparation guide. There, you'll be prompted to run a couple of scanners and paste the results for people to look at. Once we can be sure you're all set, my personal recommendation is to go back into AG configuration and untick all those checkboxes in Alerts. You'd have to be above my pay grade for those alerts to be of any real use.

Thank you for the list. I will try to add some to user space; it is a learning process.
Observation: Attackers are using sc.exe to remotely turn on the BITS/bitsadmin.exe service. sc.exe triggers a lot of alerts; looking at the Microsoft docs, it explicitly says you can use sc.exe to manage Windows services remotely. AppGuard stops sc.exe from running; other security software with paranoid security settings lets it through, and it does make changes to services. The reason I see this as suspicious is that I have set the bitsadmin service to be disabled from the start, and I do not see why it would be turned on. Maybe I'm wrong and it's legit, but services that are disabled don't try to turn on again in my experience without user interaction.
Another observation: I'm observing multiple connections to C&C servers, to sites hosted on Google and Amazon infrastructure. Some were registered as much as 5 years ago. Some time out with display errors, but some hit old blogs with very little content, which is very suspicious. Why would a system idle process be listening to old blogs hosted on Google infrastructure?
Again, this is a big learning experience for myself. My setup was rock solid before, I thought so anyway, but I need to take it up a level.
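A way to check the concern raised above about a disabled BITS service being switched back on, as an added example that is not part of the thread: it reports the service's current start mode and lists Service Control Manager events recording a start-type change. It assumes a local Windows host, PowerShell 5.1 or later, and an elevated session for reading the System log; event ID 7040 is the SCM event for "start type of the X service was changed".

```powershell
# Added example (not from the thread). Assumes a Windows host, PowerShell 5.1+,
# and an elevated session. Event ID 7040 from the Service Control Manager records
# a service start-type change (e.g. "from disabled to demand start"); its message
# uses the service's display name, so we match on both short and display names.
param(
    [string]$ServiceName = 'BITS',   # service the poster had set to Disabled
    [int]$Days = 30                  # how far back to look in the System log
)

# 1. Current configuration as the service control manager sees it right now.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Warning "Service $ServiceName not found"; return }
[pscustomobject]@{
    Service   = $svc.Name
    StartMode = $svc.StartMode   # expect 'Disabled' if you disabled it yourself
    State     = $svc.State
    PathName  = $svc.PathName    # sanity check that the binary path was not altered
} | Format-List

# 2. Start-type change events for that service within the time window.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7040
    StartTime    = (Get-Date).AddDays(-$Days)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -like "*$ServiceName*" -or $_.Message -like "*$($svc.DisplayName)*"
    } |
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

A 7040 event shows that the change happened and when, but not which process or remote host requested it; pairing it with process-creation auditing (for sc.exe command lines) is what would confirm the scenario the post describes.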
Once you know your system is clean, you're more likely to win the lottery twice than get infected again, unless you disable AG and install a Trojan.