
Computer possibly compromised


This topic is locked
23 replies to this topic

#1 Zassaliss (Members, 78 posts)

Posted 02 July 2017 - 07:24 AM

Odd behaviour that is difficult to explain, very little activity although accounts have been affected

Attached Files




#2 Jo* (Malware Response Team, 3,326 posts, Germany)

Posted 02 July 2017 - 07:45 AM

Welcome to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification, if you have any questions.
  • Stay with this topic until you get the all clean post.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


Step 1: Please download Security Analysis by Rocket Grannie from here
  • Save it to your Desktop.
  • Close your security software to avoid potential conflicts.
  • Double click RGSA.exe
  • Click OK on the copyright-disclaimer
  • When finished, a Notepad window will open with the results of the scan.
  • The log named SALog.txt can also be found on the Desktop or in the same folder from where the tool is run if installed elsewhere.
  • Please copy and paste the contents of that log in this topic.
  • Note:
If you get a Warning from Windows about running the program, click on More info and then click Run Anyway to run it even though Windows says it might put your PC at risk.
 

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 3: Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 Zassaliss (Topic Starter)

Posted 02 July 2017 - 08:58 AM

Malwarebytes Anti-Rootkit found nothing

Attached Files



#4 Jo*

Posted 02 July 2017 - 09:33 AM

Hello,

Step 1: Run Malwarebytes Anti-Rootkit again: Double click mbar.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Scan your system for malware
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Then please go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 2: Double click on AdwCleaner.exe to run the tool again.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***


Step 3: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shutdown your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


Step 4: How is the computer running now?


***




#5 Zassaliss (Topic Starter)

Posted 02 July 2017 - 11:30 AM

Malwarebytes Anti-Rootkit found nothing again

Attached Files



#6 Jo*

Posted 02 July 2017 - 12:21 PM

Run Zoek

Please temporarily disable your AV program.

Download zoek.exe to your Desktop:

Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications here.
  • on Windows Vista, 7, 8 and 10, right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    autoclean;
    emptyclsid;
    
  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.
Can you tell me how your computer is running now and if there are any remaining problems.


---

FRST / FRST64: run it again.
  • Right-click FRST / FRST64 then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Put a check into the boxes next to Addition.txt and Shortcut.txt. Then press the Scan button.
  • When finished, it will produce logs called FRST.txt, Shortcut.txt and Addition.txt in the same directory the tool was run from.
  • Please copy and paste both logs in your next reply.



#7 Zassaliss (Topic Starter)

Posted 02 July 2017 - 12:46 PM

Phone may be an issue as well; can you help with that?

Too early to tell, will keep this thread updated.

Attached Files



#8 Zassaliss (Topic Starter)

Posted 02 July 2017 - 12:59 PM

Still affected.



#9 Jo*

Posted 02 July 2017 - 01:44 PM

Cannot help you with your phone.

What problems do you have with your Windows computers?

If it is browser related: Do you have problems with every browser or only with a special one (which one)?



#10 Zassaliss (Topic Starter)

Posted 02 July 2017 - 10:09 PM

Haven't tried other browsers, only Chrome.

Scripts running when they shouldn't be.



#11 Jo*

Posted 03 July 2017 - 02:32 AM

Can you give me details about the running scripts? Name, popup or message you can see?

---

Hello,

***


Copy FRST / FRST64.exe to your desktop!

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt


Start
CreateRestorePoint:
CloseProcesses:
CHR Extension: (Flash Video Downloader) - C:\Users\Vincent\AppData\Local\Google\Chrome\User Data\Default\Extensions\aiimdkdngfcipjohbjenkahhlhccpdbc [2017-07-03]
CHR Extension: (Chrome Media Router) - C:\Users\Vincent\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-25]
End

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST / FRST64 again as Administrator like we did before but this time press the Fix button just once and wait.

The tool will make a log (Fixlog.txt); please post it in your reply.


How is the computer running now?

---

Download and run Chrome Software Cleaner


---

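The fixlist above removes two Chrome extensions identified only by their 32-character IDs. The script below is an added example, not part of this thread and not code from FRST, Zoek or any other tool named here: it inventories a Chrome profile's Extensions folder so each ID can be matched to a display name and permission set before a removal decision is made. It assumes Chrome's on-disk layout Extensions\<id>\<version>\manifest.json (the layout the fixlist paths reflect) and that a name written as __MSG_key__ is resolved through _locales/<default_locale>/messages.json. The profile it scans is a constructed sample built in a temporary directory; the display names for the two fixlist IDs are taken from the fixlist itself, while the manifests, versions, permissions and the third placeholder ID are made up for the demo.

```python
import json
import tempfile
from pathlib import Path

# Extension IDs named in the FRST fixlist above (values from the thread).
FIXLIST_IDS = {"aiimdkdngfcipjohbjenkahhlhccpdbc", "pkedcjkdefgpdelpbcmbmeomcjbeemfm"}

# Constructed sample data: (id, version, display name, uses __MSG_ localisation?,
# permissions). Names for the first two IDs come from the fixlist; the manifests,
# versions, permissions and the third (placeholder) ID are assumptions for this demo.
SAMPLE_EXTENSIONS = [
    ("aiimdkdngfcipjohbjenkahhlhccpdbc", "14.3.0", "Flash Video Downloader", True,
     ["tabs", "webRequest", "<all_urls>"]),
    ("pkedcjkdefgpdelpbcmbmeomcjbeemfm", "8019.1", "Chrome Media Router", False,
     ["tabs"]),
    ("abcdefghijklmnopabcdefghijklmnop", "1.0.0", "Placeholder Extension", False,
     ["storage"]),
]


def _resolve_localized(value, version_dir, manifest):
    """Resolve a '__MSG_key__' name via _locales/<default_locale>/messages.json.

    Many extensions store their display name this way, so reading 'name' from
    manifest.json alone would show only the placeholder.
    """
    if not (isinstance(value, str) and value.startswith("__MSG_") and value.endswith("__")):
        return value
    key = value[len("__MSG_"):-len("__")]
    locale = manifest.get("default_locale", "en")
    msg_file = version_dir / "_locales" / locale / "messages.json"
    try:
        messages = json.loads(msg_file.read_text(encoding="utf-8"))
        return messages[key]["message"]
    except (OSError, ValueError, KeyError, TypeError):
        return value  # keep the placeholder if the locale file is missing or malformed


def inventory_extensions(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and describe each one."""
    ext_root = Path(profile_dir) / "Extensions"
    results = []
    if not ext_root.is_dir():
        return results
    for ext_dir in sorted(ext_root.iterdir()):
        # Chrome extension IDs are 32 lower-case letters; skip anything else.
        if not ext_dir.is_dir() or len(ext_dir.name) != 32:
            continue
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                results.append({"id": ext_dir.name, "version": version_dir.name, "name": None,
                                "permissions": [], "broad_host_access": False,
                                "error": "unreadable manifest"})
                continue
            perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
            results.append({
                "id": ext_dir.name,
                "version": manifest.get("version", version_dir.name),
                "name": _resolve_localized(manifest.get("name"), version_dir, manifest),
                "permissions": perms,
                "broad_host_access": "<all_urls>" in perms,
                "error": None,
            })
    return results


def flag_for_review(inventory, ids_to_review):
    """Return inventory entries whose ID is on a review list (e.g. the fixlist IDs)."""
    return [entry for entry in inventory if entry["id"] in ids_to_review]


def build_sample_profile(root):
    """Write a constructed Chrome-profile layout so the demo runs offline."""
    root = Path(root)
    for ext_id, version, name, localized, perms in SAMPLE_EXTENSIONS:
        version_dir = root / "Extensions" / ext_id / f"{version}_0"
        version_dir.mkdir(parents=True)
        manifest = {"manifest_version": 2, "version": version, "permissions": perms,
                    "name": "__MSG_appName__" if localized else name}
        if localized:
            manifest["default_locale"] = "en"
            locale_dir = version_dir / "_locales" / "en"
            locale_dir.mkdir(parents=True)
            (locale_dir / "messages.json").write_text(
                json.dumps({"appName": {"message": name}}), encoding="utf-8")
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def demo():
    """Build the sample profile in a temp dir, inventory it and flag the fixlist IDs."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_sample_profile(Path(tmp) / "Default")
        inventory = inventory_extensions(profile)
        flagged = flag_for_review(inventory, FIXLIST_IDS)
        for e in inventory:
            print(f"{e['id']}  {e['version']:<8} {e['name']!s:<24} "
                  f"broad_host_access={e['broad_host_access']}")
        return inventory, flagged


if __name__ == "__main__":
    demo()
```

On a real machine, call inventory_extensions() with the profile directory that appears in the fixlist paths (the Default folder under Chrome's User Data) instead of the constructed sample; the broad_host_access flag simply marks extensions that request access to every site, which is the first thing worth checking when an unexplained script runs in the browser.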


#12 Zassaliss (Topic Starter)

Posted 03 July 2017 - 04:13 AM

Post with update when I notice something.

Attached Files


Edited by Zassaliss, 03 July 2017 - 04:13 AM.


#13 Jo*

Posted 03 July 2017 - 08:06 AM

Hello again,

Step 1: Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7/8/10 users need to right click and choose Run as Administrator
You only need to get one of them to run, not all of them. Do not reboot your computer after running rkill as the malware programs will start again.


---


Step 2: Malwarebytes' Anti-Malware
If this program is already installed: Skip the installation and run only the scan!
Download and install: Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
How to get logs: (Export log to save as txt)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.
(Copy to clipboard for pasting into forum replies or tickets)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

---


Step 3: Emsisoft Emergency Kit
  • Click here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8 users: Accept UAC warning if it is enabled).
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures.
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
  • Please Copy and Paste the contents of the scan log in your next reply.

***


Step 4: How is the computer running now?


***




#14 Zassaliss (Topic Starter)

Posted 04 July 2017 - 10:25 AM

Computer rebooted without bringing up the Malwarebytes log.

Emsisoft found nothing.



#15 Zassaliss (Topic Starter)

Posted 04 July 2017 - 10:26 AM

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 7/5/17
Scan Time: 1:12 AM
Log File: 
Administrator: Yes
 
-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2290
License: Free
 
-System Information-
OS: Windows 10 (Build 15063.447)
CPU: x64
File System: NTFS
User: DESKTOP-8RERDFJ\Vincent
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 368919
Threats Detected: 5
Threats Quarantined: 5
Time Elapsed: 1 min, 12 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 5
PUP.Optional.Plumbytes, C:\USERS\VINCENT\DOWNLOADS\ANTIMALWARESETUP.EXE, Quarantined, [9125], [123575],1.0.2290
PUP.Optional.MindSpark, C:\USERS\VINCENT\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\http_getformsonline.dl.myway.com_0.localstorage, Quarantined, [283], [240305],1.0.2290
PUP.Optional.MindSpark, C:\USERS\VINCENT\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\http_getformsonline.dl.myway.com_0.localstorage-journal, Quarantined, [283], [240305],1.0.2290
PUP.Optional.MindSpark, C:\USERS\VINCENT\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\http_getformsonline.dl.tb.ask.com_0.localstorage, Quarantined, [283], [240306],1.0.2290
PUP.Optional.MindSpark, C:\USERS\VINCENT\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\http_getformsonline.dl.tb.ask.com_0.localstorage-journal, Quarantined, [283], [240306],1.0.2290
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
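The log posted above follows the Malwarebytes 3 text export format: dash-delimited section headers, Key: Value lines, and one comma-separated line per detection under a category heading such as File:. The parser below is an added example, not code from the thread or from Malwarebytes; it extracts the sections and detections and then cross-checks the Threats Detected count in the summary against the number of detection lines actually present, which is the quickest way to notice a log that was pasted incomplete. The embedded sample is a constructed, shortened copy of the log above (three of its five detection lines, with the summary counts adjusted to match); the field names sig_id and det_id for the two bracketed numbers are assumptions, since the format does not label them.

```python
import re
from collections import Counter

# Constructed sample: a shortened copy of the Malwarebytes 3 log format posted
# above (three of the five detection lines, counts adjusted to match).
SAMPLE_LOG = r"""Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 7/5/17
Scan Time: 1:12 AM
Log File: 
Administrator: Yes
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 368919
Threats Detected: 3
Threats Quarantined: 3
Time Elapsed: 1 min, 12 sec
 
-Scan Details-
Process: 0
(No malicious items detected)
 
File: 3
PUP.Optional.Plumbytes, C:\USERS\VINCENT\DOWNLOADS\ANTIMALWARESETUP.EXE, Quarantined, [9125], [123575],1.0.2290
PUP.Optional.MindSpark, C:\USERS\VINCENT\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\http_getformsonline.dl.myway.com_0.localstorage, Quarantined, [283], [240305],1.0.2290
PUP.Optional.MindSpark, C:\USERS\VINCENT\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\http_getformsonline.dl.tb.ask.com_0.localstorage, Quarantined, [283], [240306],1.0.2290
 
Physical Sector: 0
(No malicious items detected)
 
(end)
"""

SECTION_RE = re.compile(r"^-(?P<name>[^-].*?)-$")
# "<threat>, <path>, <action>, [<sig id>], [<detection id>],<package version>"
# (the names sig_id / det_id for the bracketed numbers are an assumption)
DETECTION_RE = re.compile(
    r"^(?P<threat>[^,]+), (?P<path>.+?), (?P<action>[^,\[\]]+), "
    r"\[(?P<sig_id>\d+)\], \[(?P<det_id>\d+)\],(?P<package>\S+)$")


def parse_mbam_log(text):
    """Parse '-Section-' headers, 'Key: Value' lines and detection lines."""
    log = {"sections": {}, "detections": []}
    current = None   # section we are in
    category = None  # last 'File:', 'Registry Key:' ... heading inside Scan Details
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)" or line.startswith("(No malicious items"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            log["sections"].setdefault(current, {})
            category = None
            continue
        if current == "Scan Details":
            # Detection lines contain ':' (drive letters), so test them first.
            d = DETECTION_RE.match(line)
            if d:
                entry = d.groupdict()
                entry["category"] = category
                log["detections"].append(entry)
                continue
        if current is not None and ":" in line:
            key, _, value = line.partition(":")  # first colon only ("Scan Time: 1:12 AM")
            log["sections"][current][key.strip()] = value.strip()
            if current == "Scan Details":
                category = key.strip()
    return log


def summarize(log):
    """Cross-check the summary counts against the detection lines actually present."""
    summary = log["sections"].get("Scan Summary", {})
    reported = int(summary.get("Threats Detected", "0") or 0)
    detections = log["detections"]
    return {
        "reported": reported,
        "parsed": len(detections),
        "consistent": reported == len(detections),  # False => log truncated or edited
        "quarantined": sum(1 for d in detections if d["action"] == "Quarantined"),
        "by_threat": dict(Counter(d["threat"] for d in detections)),
        "by_category": dict(Counter(d["category"] for d in detections)),
    }


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for d in parsed["detections"]:
        print(f"{d['category']:<6} {d['threat']:<24} {d['action']:<12} {d['path']}")
    print(summarize(parsed))
```

Run against the full log above, by_threat shows one PUP.Optional.Plumbytes hit (a downloaded installer) and four PUP.Optional.MindSpark hits that are all Chrome Local Storage files, which matches the browser-only symptoms the topic starter reported; a consistent value of False is the signal to ask the poster for the complete log before drawing conclusions from it.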




