Posts by lavt91 (Members; rank: New Member; content count: 12)
  1. Hi there. I ran the scan, and no additional results were found. If the infection came from the E drive, that must mean that the removable device I installed Windows from (which was made on the infected machine, unfortunately) must have been compromised. My guess is that during the remote connection, the .vbs payload was added to the bootable USB install. Attached is the file. Can I repeat these same steps (searching with Farbar) on other machines to ensure they are clean? Thanks again for all your help. Search.txt
  2. Yes! I will follow these steps and update progress tonight.
  3. Sorry, I meant: Is it possible the .vbs payload was lying dormant on this internal drive?
  4. Hi there. Thank you! During the reformat, I did not have an external drive, but I did have another internal drive (besides the SSD, which is where Windows was). Is it possible the .vbs payload was lying dormant on this external drive? If so, how would I go about searching for this file? Would it be hidden? That may also help identify the source of the infected file (aka whatever I downloaded, most likely).
  5. Hi there. Thank you again for your help. I have attached the Fixlog.txt file you requested. Upon restarting, those suspicious processes no longer started, so that's a good sign! 😃 Do you have any insights into what type of infection this is? Also, should this avoid the infection returning after a reformat? I'm still a bit puzzled as to how that happened. I appreciate your expertise! Thanks in advance. Fixlog.txt
  6. Thanks for your help. I actually read some other threads on here and ended up using Panda USB Vaccine, which worked fine. Here are the logs you requested. FRST.txt Addition.txt
  7. Tried one more thing just in case the program isn't able to run in Safe Mode. I followed this guide (https://www.bitdefender.com/consumer/support/answer/13426/) to completely disable my antivirus, and the result is the same unfortunately.
  8. I tried restarting in Safe Mode with Networking to redownload the file, hooked up with an ethernet cable, and got it again from the link provided above. I forgot to mention it before, but I am running it as administrator. I honestly have no idea - when I run it, nothing happens.
  9. Hmm...I did full Windows updates, made sure all .NET framework was installed, even tried running Flash_Disinfector.exe in safe mode. Also tried compatibility mode for XP/7. I can't get the software to run or even open! Any help would be appreciated.
  10. Hi there! Thank you very much for your clear instructions. I am running a flash drive off a brand new laptop with nothing on it. However, Flash_Disinfector.exe doesn't run. Nothing happens. The first time, I got a popup asking if the program installed correctly. Right now, I'm performing Windows updates (the machine is new so it's out of date) in hopes this fixes the problem. Do you have any suggestions or alternatives? Thanks again!
  11. Thank you for your quick reply! However, there are two concerns: 1) The machine is infected and cannot be connected to the network. I could put the tool on a USB drive, but then it would be risky bringing the log files back to another machine. 2) Same thing with the log files - how can I transfer .txt documents to a working computer while ensuring I'm not infecting it? EDIT: Well, I tried to post this but the forum marked it as "spam" so I'll add more info. Basically, I'm just super paranoid that this trojan/virus could spread to another drive when plugging it in. As of now, I have a brand new modem/router and the infected machine has never been on the network. Just trying to figure out a way I can do it without worsening the issue. I think I mentioned this in my original post, but whenever I restart the machine WITH the internet connected (even for a second), it launches a sketchy file in the background. When booting with no internet connection, I get a Windows popup saying the process failed to start.
  12. So basically, I got infected with the worst virus/trojan/malware I’ve ever seen in 20+ years of working on PCs. At this point, I’m really just looking for some insight and information as to what happened! On 6/15, I was playing a game and decided to pause and minimize the window to take a shower. Roughly 15 minutes later, I came back into the room to see my mouse moving across the screen. At first, I thought some sort of popup had appeared (like those old ones you used to see back in the day with a fake dialogue box). Upon looking closer, I realized that this was actually my cursor moving towards the “Save” button on Chrome trying to download a file. I immediately grabbed my mouse and moved the cursor, and for a brief moment there was a “struggle” of sorts. It felt like whoever was controlling my mouse tried to fight me for control for a second. I don’t really know what info is relevant and what isn’t, so I’m just going to describe everything. The window that was open was for “KO Player” - this is the file that was trying to be downloaded. From what I looked up, it appears to be an Android emulator. I decided to go through my download history, and I found a piece of software called “AnyDesk.” From what I understand this is a remote desktop access software, so I’m not entirely sure why they would need this if access had already been gained to my machine. I ended up finding traces of this in my appdata “Roaming” folder...more on that later. I really should have pulled the plug immediately, but I wasn’t thinking at the time. I decided to check my history, and I saw that the hacker had been searching my emails for anything to do with cryptocurrency or bitcoin: Because I had 2FA enabled on all my accounts, none of the hacker's attempts to change my passwords were successful. I ended up going to the task manager to see if there were any strange processes that shouldn’t be running. 
At this point, I found a process called “Windows Fing H” - it had also been set as a startup item with high impact. I killed the process, which I hope stopped the remote connection. I cannot find anything about this process. I was, however, able to trace the task manager process to the file’s location. The startup process was located here: C:\Users\ME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ It led to a .scr file called “Windows12.scr” - in addition, there’s a strange 4.0.3.t.dat file in there that I’m not really sure where it came from. Perhaps it has to do with .NET framework? More info on the file: Okay, so this is when it gets weird – I decided to just do a full reformat. So I did – completely wiped the SSD twice, including the recovery partitions, until it was just “unallocated space.” I should mention that I also had an internal HDD that I didn’t do anything to, and it was plugged in during the process. This is dumb of me, and I should’ve removed it first. Regardless, I wiped the machine, reinstalled Windows, so far so good. A few hours into it, my paranoia gets the better of me and I decide to start snooping. I check the Event Viewer and things are going crazy: Alright, so at this point I don’t have more screenshots because they’re on the infected machine. Not sure how to grab them off without infecting another machine without snapping a photo of the monitor itself. But here’s what happened next: Using the event viewer, I find an application that was installed shortly after the reformat. Somehow, 7Zip was put into the Temp folder (I had not installed 7Zip yet), and it extracted something called “PACKAGE.7z.” This contained a file called “Chrmoe Sevrice.exe” or something along those lines – clearly fishy. So I keep searching more, and I then find files in the roaming folder containing extractions from Chrome. They were text documents, each with a username and password for every domain that had been saved. 
Luckily I’ve used a third-party password manager for the last several years so the old passwords in Chrome were long gone – but still, a tool had been used to extract saved images and forms from Chrome. If I had used Chrome to save passwords, these people could’ve done some serious damage. This same process was repeated for my other profile in Chrome, which I primarily use for work. I’m not exactly sure if they were able to monitor the tool in real time, or if the goal is to go back to the machine later when unoccupied (using a remote connection) to retrieve the files containing passwords and logins. I’m not a virus expert, so I’m not really sure what’s possible these days. I should mention that this time I unplugged the internet right away. When restarting, Windows would error because it could not connect to a file called winup.js – I also remember seeing something like winit.js, and there was a .vbs file that was constantly trying to launch. This would only happen with the internet disconnected, so I’m guessing it has something to do with a remote connection. I also recall seeing galcod.scr at one point in this process, but I can’t recall if that was pre-format or post-format. So, what am I dealing with here? Is it most likely that the virus was dormant on my secondary HDD? Some of my tech buddies have also said my hardware may be compromised – I’ve heard everything from my network card’s MAC address being compromised to peripherals with upgradeable firmware being hacked (gaming monitor, mouse, etc). Regardless, the machine is now sitting unplugged in a closet. I reformatted (using DBAN) the other PC in my house to be sure nothing got transferred over the network, and the machine I’m on now is brand new. I also threw my old modem and router in the trash and bought a new unit just to be safe. Made sure to change every password, including the router login. 
I should also mention that during this time, neither Malwarebytes, HitmanPro, nor AdwCleaner detected anything – even when scanning the files I knew to be malicious. However, Windows Defender did pop up warning that the .js file was detected as “Trojan:JS/Foretype.A!ml”. All my machines now have Malwarebytes Premium as well as Bitdefender (paid) – so I’m definitely going to be cautious moving forward. As to how I got the infection, I’m guessing it’s because I stupidly downloaded a software torrent I shouldn’t have. I always buy my software, but sometimes I would download something first (like a game) to see if it would run on my machine before purchasing it on Steam. Regardless, I’ve learned my lesson, and I won’t be torrenting anything anymore. I have taken all the necessary precautions (changed every password, removed all authorized devices from my accounts, etc). I even printed new 2FA backup codes (voiding the old ones) in the rare case that the hacker was able to print out my old codes when they had access to my Google account. Any advice or feedback would be appreciated. Thanks!