Trojan: Win32/Fuery.B!cl , and Viruses and Bears, OH MY!


  • This topic is locked
6 replies to this topic

#1 mbienert

Posted 24 February 2017 - 03:39 AM

I am SO TIRED of someone else controlling my computers!!! Case in point, I literally just spent 45 minutes typing a post for the above Trojan and my post vanished! Gone! Deleted!
 
OK, so here is the shorter post of things I am sick and tired of that have plagued me for far too long:
 
  • Sketchy drivers installed, not legit. See attached Hit Man Pro report. This is a continual issue.
  • (Remote and other) Service settings set up and disabled by me, then changed back and re-enabled to run automatically
  • Same with Task Manager items
  • Same with Registry settings
  • Key Loggers and Camera installed on mine and my son's Mac NOTE: Installed on the same day by an IT individual working in Cyber Crime in DC sent here to "secure my home network and devices", who I later learned works for the "Dark Side" (I am currently in litigation and the opposing party has access to our email, home network, kids' pcs, iPads, phones, printers etc.)
  • Viruses set upon Networked Printers
  • Someone is checking my Outlook email every hour on the hour and more in both Los Angeles and a suburb of DC in northern Virginia at the same location in both using a myriad of IP addresses that I cannot trace
  • In Security Options settings according to Speccy, Accounts: Block Microsoft accounts and Devices: Allow undock without having to log on, Devices: Prevent users from installing printer drivers, and Network access: Let Everyone permissions apply to anonymous users to name only a few...
  • My mouse moves by itself at night when I am trying to work and am idle for a moment or two.
 
Can someone please help me secure my PC and home? I am starting to think that there really is no security or privacy anymore and they are just faded memories.
 
Most immediately I'd like to get rid of the sketchy drivers (See Hitman Pro Report) but also see what else is going on here.
 
I just did yet another clean install and am currently using Windows 10 Pro but have a license for Home. I have tried going back to Windows 8.1 and back to Windows 10 again. Every time I get my notebook dialed in and what I feel is secure, it starts all over again. I am on a perpetual treadmill of this repetitive cycle and I need to get off!
 
The specs for this notebook are attached to my profile. Any suggestions for settings, software, firewalls (on modem), DNS server ( I can't believe I don't have one and am pretty sure I used to) etc will definitely be appreciated.
 
Frustrated in OC,
MB

Attached Files
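The post above reports service start modes, Task Manager startup items and registry settings being changed back after the poster disabled them. The way to turn that from an impression into evidence is to snapshot the autostart surface and diff two snapshots taken at different times. The PowerShell script below is an added example, not code from the thread or from any tool the poster used; it assumes Windows 10 with PowerShell 5.1 or later, an elevated prompt for complete coverage, and a snapshot directory under the user profile that is a hypothetical location chosen for the example.

```powershell
# Added example (not from the thread). Snapshot the autostart surface that the
# poster reports reverting (service and driver start modes, Run/RunOnce registry
# entries, enabled scheduled tasks) and diff two snapshots, so "it got re-enabled"
# can be shown with a concrete before/after rather than guessed at.
# Assumes Windows 10, PowerShell 5.1+, run elevated. $SnapshotDir is a hypothetical
# path chosen for this example.

$SnapshotDir = Join-Path $env:USERPROFILE 'autostart-snapshots'

function Get-AutostartSnapshot {
    # Each entry is keyed by a stable identifier so two snapshots can be compared.
    $entries = @{}

    # 1. Start modes (Auto / Manual / Disabled) for user-mode services and kernel drivers.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $entries["service:$($svc.Name)"] = "$($svc.StartMode)|$($svc.PathName)"
    }
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $entries["driver:$($drv.Name)"] = "$($drv.StartMode)|$($drv.PathName)"
    }

    # 2. Classic autorun registry keys for the machine and the current user.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }   # registry provider metadata, not values
            $entries["run:$key\$($p.Name)"] = [string]$p.Value
        }
    }

    # 3. Scheduled tasks that are not disabled (Task Scheduler is a common persistence spot).
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $entries["task:$($task.TaskPath)$($task.TaskName)"] = $actions
    }

    return $entries
}

function Save-AutostartSnapshot {
    param([hashtable]$Snapshot)
    New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
    $file = Join-Path $SnapshotDir ("snapshot-{0:yyyyMMdd-HHmmss}.json" -f (Get-Date))
    $Snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $file -Encoding UTF8
    return $file
}

function Compare-AutostartSnapshot {
    param([hashtable]$Old, [hashtable]$New)
    # Report additions, removals and changed values. A service flipping from
    # Disabled back to Auto between two runs shows up as a CHANGED line.
    foreach ($k in ((@($Old.Keys) + @($New.Keys)) | Sort-Object -Unique)) {
        if (-not $Old.ContainsKey($k))     { "ADDED    $k = $($New[$k])" }
        elseif (-not $New.ContainsKey($k)) { "REMOVED  $k = $($Old[$k])" }
        elseif ($Old[$k] -ne $New[$k])     { "CHANGED  $k : '$($Old[$k])' -> '$($New[$k])'" }
    }
}

# Usage: take a snapshot now, diff it against the most recent earlier one (if any), then save it.
$current  = Get-AutostartSnapshot
$previous = Get-ChildItem -Path $SnapshotDir -Filter 'snapshot-*.json' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime | Select-Object -Last 1
if ($previous) {
    $old = @{}
    (Get-Content -Path $previous.FullName -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $old[$_.Name] = [string]$_.Value }
    Compare-AutostartSnapshot -Old $old -New $current
}
"Saved snapshot to $(Save-AutostartSnapshot -Snapshot $current)"
```

Run it once right after hardening the machine, then again whenever a setting seems to have reverted; the CHANGED lines name the exact service, key or task and both values, which is what a helper on a forum like this one needs to see. Windows Update and driver installs legitimately add or change entries, so the diff is a starting point for questions, not proof of tampering on its own.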




#2 CKing123


Posted 25 February 2017 - 01:26 PM

Hello mbienert and welcome to Bleeping Computer's Malware Response Forums

I am CKing123 and I will be assisting you with your malware issue. Before we begin, please read this:
  • The logs that you will post will take time for me to analyze, and so I will not post immediately, but I will reply within 24 hours, or at most 48 hours; I will let you know if it will take longer for me.
  • While you are being assisted, I ask that you do not seek assistance elsewhere while we work on this issue. This is so that we are on the same page about what happens on the system. If you are going to do any modifications on your own, please let me know.
  • If you are having any problem following the instructions, just ask!
  • I am still in training, so my posts will be delayed so that the instructor can approve them
  • Please understand that I am a volunteer, so I may get busy in real life, and that can further delay my responses
  • Backup your data! Malware removal can be tricky and can result in unpredictable behaviour including losing all your data!
Now, let's get started in removing the malware off your system (and into oblivion)
 
Allow me some time to review over the logs :)
 
-CKing

If I am helping you and I don't respond within 2 days, feel free to send me a PM

Sysnative Windows Update Senior Analyst 

Github | Keybase


#3 mbienert


Posted 26 February 2017 - 06:11 AM

OK, thank you.



#4 CKing123


Posted 26 February 2017 - 11:54 AM

Hi
 
I did not find any signs of malware at all in the logs. As for the HitmanPro logs, you have used the Early Warning Score scan. This scan type is usually intended for new malware samples that might not be detected and, rather than identifying malware, it tries to use the behavior of files. This means that a lot of normal files get detected, and HitmanPro leaves it up to the user to decide what to do with the information. Those drivers are indeed normal.
 
Let's take a look at this:

1. Time indicates that the file appeared recently on this computer.
2. The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
3. The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

1. The first one is because you reinstalled Windows a few days ago.
2 and 3. These files are system files (and hence protected by Windows File Protection), and that is why they are in the system32 folder.
 
As for drivers:

1. Starts automatically as a service during system bootup.
2. Program starts automatically without user intervention.
3. Time indicates that the file appeared recently on this computer.
4. The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
5. The file is a device driver. Device drivers run as trusted (highly privileged) code.
6. The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.

1 and 2. Drivers are what allow Windows to essentially "talk" to all the hardware in your computer. This is why they need to start early so Windows can start properly.
3. Again, this is because you reinstalled Windows recently
4. This is a driver, and drivers are located in C:\Windows\system32\drivers
5. Again, since drivers directly talk to hardware, they run as trusted code
6. Most of the drivers are installed by Windows itself so they are protected automatically
 
As for the other symptoms, could you elaborate on this:

• (Remote and other) Service settings set up and disabled by me, then changed back and re-enabled to run automatically
Which services did you disable?
• Same with Task Manager items
I only see that you disabled OnlineBackup. Did you disable any other startup tasks?
• Same with Registry settings
I am not sure what you mean here. Did you disable the startup entries in the registry?
• Key Loggers and Camera installed on mine and my son's Mac NOTE: Installed on the same day by an IT individual working in Cyber Crime in DC sent here to "secure my home network and devices", who I later learned works for the "Dark Side" (I am currently in litigation and the opposing party has access to our email, home network, kids' pcs, iPads, phones, printers etc.)
I did not see any signs of a keylogger running on this computer.
• Someone is checking my Outlook email every hour on the hour and more in both Los Angeles and a suburb of DC in northern Virginia at the same location in both using a myriad of IP addresses that I cannot trace
Could you elaborate? Are you finding the IP address of the Outlook server itself, or someone who tried to access your emails?

 
 
Thanks,
-CKing


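The reply above makes the key point about the HitmanPro Early Warning Score: every item it lists for a driver (starts at boot, lives in System32\drivers, runs as privileged code, protected by Windows File Protection) is true of every legitimate driver too, so the score alone cannot separate a normal driver from a planted one. What the score does not check is whether the file carries a valid Authenticode signature and who signed it. The PowerShell script below is an added example, not code from the thread, HitmanPro or the responder; it assumes Windows 8 or later, where Get-AuthenticodeSignature also resolves catalog-signed files (most inbox Windows drivers are signed via a catalog rather than an embedded signature), and an elevated prompt so that every file can be read.

```powershell
# Added example (not from the thread): for every .sys file in System32\drivers,
# check the one thing a behavioural score does not: whether the file carries a
# valid Authenticode signature, who signed it, and whether the kernel actually has
# it registered and running. Assumes Windows 8+ (catalog signatures are resolved
# by Get-AuthenticodeSignature there) and an elevated PowerShell session.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# Build a lookup from driver file name to the service control manager's view of it
# (start mode and running state), so an unsigned file that also starts at boot stands out.
$registered = @{}
foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
    if ($d.PathName) {
        # PathName may carry prefixes such as \??\ or \SystemRoot\; key on the file name only.
        $leaf = [System.IO.Path]::GetFileName($d.PathName)
        $registered[$leaf.ToLowerInvariant()] = $d
    }
}

$report = foreach ($file in Get-ChildItem -Path $driverDir -Filter '*.sys' -File) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $svc = $registered[$file.Name.ToLowerInvariant()]
    [pscustomobject]@{
        Driver    = $file.Name
        Created   = $file.CreationTime          # "appeared recently" after a reinstall is expected
        SigStatus = $sig.Status                 # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        StartMode = if ($svc) { $svc.StartMode } else { 'not registered' }
        State     = if ($svc) { $svc.State }     else { '' }
    }
}

# Anything not validly signed, or signed by someone other than Microsoft, deserves a
# second look. WHQL-signed third-party hardware drivers also carry a Microsoft signer
# (Microsoft Windows Hardware Compatibility Publisher), so genuine vendor drivers
# usually pass this filter; a fresh reinstall should leave the list nearly empty.
$suspect = $report | Where-Object {
    $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
}
$suspect | Sort-Object SigStatus, Driver | Format-Table Driver, SigStatus, Signer, StartMode, State -AutoSize

# Summary counts for the whole directory.
$report | Group-Object SigStatus | Select-Object Name, Count
```

A HashMismatch on a driver that should be Microsoft-signed means the bytes on disk no longer match the signed image, which is a much stronger signal than anything in the Early Warning Score; the built-in way to confirm and repair protected system files is `sfc /scannow` from an elevated prompt. A NotSigned result on a recently created file with StartMode Auto or Boot is the case worth posting the file name and signer details for, rather than the whole HitmanPro report.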


#5 CKing123


Posted 02 March 2017 - 01:15 PM

Hi
 
It has been a while since you last responded. Do you need help? If you are confused about something, just let me know :)
 
If you don't respond to this topic in 48 hours, this topic will be closed.
 
-CKing



#6 mbienert


Posted 02 March 2017 - 02:32 PM

Sorry, yes I need to reply. Back in a lil bit.

#7 Elise


Posted 01 April 2017 - 11:23 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft




