#1
Did I get Hacked - drive-by?
Hi all,
I'm just asking myself if I got infected by a drive-by download.
What happened:
It happened yesterday, when I opened a page on a maybe (?) untrustworthy (?) website (streaming).
At almost that very moment a console (don't know if Batch or PowerShell) window opened, a few lines of code ran over the screen
(it was really only a few, not even a full "console window") and it got closed again before I could even click in it (I first tried to see what this window was doing).
Now I'm asking myself if I got a problem ...
* I didn't know if the site was OK.
* Was it just a coincidence?
* I didn't know what the window was doing.
What I did/checked:
* Windows 10 Pro (22H2 19045.3570) -> is up to date
* Mozilla Firefox -> is up to date
* Did a "Quick Scan" from Windows Security -> no threats found
* Did a "Full Scan" from Windows Security -> no threats found
* Visually scanned the Windows event log in the time frame (about 5 minutes)... but I don't know if/what I found (some of them appear multiple times with slightly different IDs):
Installation Started: Windows has started installing the following update: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.399.817.0)
A service was installed in the system.
Service Name: Universal Device Client Service
Service File Name: "%SystemRoot%\System32\drivers\Lenovo\udc\Service\UDClientService.exe"
Service Type: Benutzermodusdienst
Service Start Type: Automatisch starten
Service Account: LocalSystem
HostName=ConsoleHost
HostVersion=5.1.19041.3570
HostId=c3347a4e-097a-4a54-a1e9-xxxxxxxxxxxx
HostApplication=powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Infs = Get-Item -Path ($env:WinDir + '\inf\*.inf'); foreach ($Inf in $Infs) { $Data = Get-Content $Inf.FullName; if ($Data -match '\[defaultinstall.nt(amd64|arm|arm64|x86)\]') { $Res = 1; break; } } Write-Host 'Final result:', $Res;
EngineVersion=5.1.19041.3570
RunspaceId=d589f20f-7f05-49d5-9286-xxxxxxxxxxxx
HostName=ConsoleHost
HostVersion=5.1.19041.3570
HostId=aabce0e3-491d-42a6-92f4-xxxxxxxxxxxx
HostApplication=C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive get-computerinfo -Property OSName > C:\Windows\TEMP\154CA6D5-395C-41AB-BDF3-xxxxxxxxxxxx
EngineVersion=5.1.19041.3570
RunspaceId=d22d22e7-37a9-488a-b900-xxxxxxxxxxxx
HostName=ConsoleHost
HostVersion=5.1.19041.3570
HostId=c5959b2b-1034-406b-a4aa-xxxxxxxxxxxx
HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
EngineVersion=
RunspaceId=
HostName=ConsoleHost
HostVersion=5.1.19041.3570
HostId=12b9f201-5800-4686-8225-xxxxxxxxxxxx
HostApplication=C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -NoProfile -NonInteractive -WindowStyle Hidden -File C:\ProgramData\Lenovo\iMController\Plugins\LenovoUdcForImcPackage_\x64\Install.PS1
EngineVersion=5.1.19041.3570
RunspaceId=c6706785-50af-4212-b478-xxxxxxxxxxxx
What I plan next:
* Running an "Offline Scan" from Windows Security
* Saving data that is not covered by my data backup (unfortunately I do not have a system backup; I have to check how I would do a clean install)
* Think about running other on-demand scans (suggestions welcome)
* Decide if I do a clean install.
Any other suggestions?
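Added example for the event-log check described in the post (not the poster's code): a PowerShell triage script that pulls the Event ID 400 entries of the classic "Windows PowerShell" log for a time window (these are the events that carry the HostName=/HostApplication= lines quoted above), flags command-line options commonly abused by script-based malware, and, where a script was started with -File, reports that script's Authenticode signature status. The start time is an assumed placeholder.

```powershell
# Added triage example; not code from the original post.
# Lists PowerShell engine-start events (Event ID 400, "Engine state is changed
# from None to Available", in the classic "Windows PowerShell" log) inside a
# time window and flags command lines with options often abused by script-based
# malware. Run from an elevated PowerShell prompt.

# ASSUMPTION: replace with the time the console window was seen.
$Start = Get-Date '2023-10-12 14:00'
$End   = $Start.AddMinutes(5)

$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Windows PowerShell'
    Id        = 400
    StartTime = $Start
    EndTime   = $End
} -ErrorAction SilentlyContinue

# Patterns worth a second look. A match is a reason to inspect the file or
# script behind it, not proof of compromise (vendor updaters use some of them too).
$Patterns = @(
    '-ExecutionPolicy\s+bypass', '-WindowStyle\s+Hidden', '-EncodedCommand', '\s-e(nc)?\s',
    'Invoke-Expression', '\biex\b', 'DownloadString', 'Invoke-WebRequest', 'FromBase64String'
)

$Events | ForEach-Object {
    $E = $_
    # HostApplication= is one line inside the free-text event message.
    $HostApp = ($E.Message -split "`r?`n" |
        Where-Object { $_ -like 'HostApplication=*' }) -replace '^HostApplication=', ''
    $Hits = $Patterns | Where-Object { $HostApp -match $_ }

    # If a script file was run with -File, record its Authenticode status; an
    # unsigned script in a user-writable folder deserves a closer look.
    $Signer = ''
    if ($HostApp -match '-File\s+"?([^"\s]+\.ps1)"?') {
        $Path = $Matches[1]
        $Signer = if (Test-Path $Path) {
            $Sig = Get-AuthenticodeSignature -FilePath $Path
            "$($Sig.Status) $($Sig.SignerCertificate.Subject)"
        } else { 'file missing' }
    }

    [pscustomobject]@{
        Time    = $E.TimeCreated
        Flagged = [bool]$Hits
        Reason  = ($Hits -join ', ')
        Signer  = $Signer
        Command = $HostApp
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```

On the log quoted above this would flag the Install.PS1 entry for -ExecutionPolicy bypass and -WindowStyle Hidden; whether that is the vendor's own updater is what the Signer column and the file path under C:\ProgramData\Lenovo help decide.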