Had a RAT on PC - Want to make sure it's gone.


This topic is locked
2 replies to this topic

#1 KSKAR

  • Members
  • 1 posts

Posted 18 March 2017 - 12:09 PM

Hi,

Yesterday I came back to my computer and noticed Chrome was open with my PayPal logged in. Before I left my computer, I did not have Chrome open/was not logged into my PayPal. I noticed I had 2 payments sent for $3,500 each to some random person. I called PayPal immediately and had them reverse the transactions and used a different computer to change all of my passwords. I added 2-factor authentication to my PayPal now, so something like this cannot happen again. I unplugged my computer from the internet, secure erased all my SSDs and reinstalled Windows. I just want to make sure I got rid of whatever was on my computer that let someone do that.

I've attached my Farbar logs below.

I ran RogueKiller last night AFTER reformatting and this PUM.Dns thing came up. Not sure if it is something to worry about or not, but I deleted it.

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7425950e-99ce-4236-b0f3-210cff4c85df} | DhcpNameServer : 72.44.127.5 72.44.127.4 216.234.97.3 8.8.8.8 ([-][-][United States][-])  -> Replaced ()

I ran it again today and now these two PUM.Dns things came up. I deleted them again as a precaution.

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 72.44.127.5 72.44.127.4 216.234.97.3 8.8.8.8 ([-][-][United States][-])  -> Replaced ()

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7425950e-99ce-4236-b0f3-210cff4c85df} | DhcpNameServer : 72.44.127.5 72.44.127.4 216.234.97.3 8.8.8.8 ([-][-][United States][-])  -> Replaced ()

Edited by KSKAR, 18 March 2017 - 12:12 PM.


#2 nasdaq

  • Malware Response Team
  • 39,578 posts
  • Location:Montreal, QC. Canada

Posted 19 March 2017 - 09:50 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Your logs are clean.

You can verify your IP addresses at Who.is; they look good to me.

https://who.is/

Check with your Internet Provider if you have any connection problems.
---

This may also be helpful.

How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html
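The DhcpNameServer values RogueKiller flagged in the first post are the resolvers the Windows DHCP client recorded from the network, and the reply above suggests checking those addresses. As an added example (not code from the thread, from RogueKiller or from BleepingComputer), this Python parses such PUM.Dns report lines and lists any resolver outside an assumed allowlist; the allowlist networks, the third sample line, its interface GUID and the 192.0.2.10 address are constructed for illustration.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Sample input: the two RogueKiller lines quoted in the post, plus one constructed line
# (made-up interface GUID, documentation address 192.0.2.10) standing in for an unexpected resolver.
SAMPLE_LOG = r"""
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 72.44.127.5 72.44.127.4 216.234.97.3 8.8.8.8 ([-][-][United States][-])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7425950e-99ce-4236-b0f3-210cff4c85df} | DhcpNameServer : 72.44.127.5 72.44.127.4 216.234.97.3 8.8.8.8 ([-][-][United States][-])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{00000000-1111-2222-3333-444444444444} | DhcpNameServer : 192.0.2.10 8.8.8.8 ([-][-][-][-])  -> Replaced ()
"""

# Assumed allowlist: the ISP-assigned resolvers seen in the post plus Google's 8.8.8.8.
# In practice, take this from the ISP's published resolvers or your own DHCP server configuration.
EXPECTED_RESOLVERS = [
    ip_network("72.44.127.0/24"),
    ip_network("216.234.97.3/32"),
    ip_network("8.8.8.8/32"),
]

# Line shape: [PUM.Dns] (X64) <registry key> | <value name> : <space-separated IPs> (<geo>) -> <action>
LINE_RE = re.compile(
    r"^\[PUM\.Dns\]\s+\((?P<arch>X64|X86)\)\s+"
    r"(?P<key>HKEY_[^|]+?)\s+\|\s+(?P<value>\w+)\s+:\s+(?P<data>[0-9. ]+?)\s+\("
)

@dataclass
class DnsFinding:
    key: str          # registry key holding the value
    value_name: str   # DhcpNameServer (DHCP-learned) or NameServer (static override)
    servers: list     # resolver addresses in listed order

def parse_pum_dns(log: str) -> list:
    """Parse RogueKiller PUM.Dns report lines into DnsFinding records."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            servers = [ip_address(s) for s in m.group("data").split()]
            findings.append(DnsFinding(m.group("key"), m.group("value"), servers))
    return findings

def unexpected_resolvers(findings: list, expected=EXPECTED_RESOLVERS) -> dict:
    """Return {registry key: [resolvers not covered by the allowlist]} for the keys worth reviewing."""
    suspicious = {}
    for f in findings:
        odd = [str(s) for s in f.servers if not any(s in net for net in expected)]
        if odd:
            suspicious[f.key] = odd
    return suspicious
```

A DHCP-learned resolver that is not on the allowlist points at the router or network, not at the PC, which is why the reply above asks about the ISP rather than the machine.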

#3 nasdaq

  • Malware Response Team
  • 39,578 posts
  • Location:Montreal, QC. Canada

Posted 25 March 2017 - 07:32 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
