dadoda
Members
Posts: 16

Everything posted by dadoda

  1. In case anyone else who has gotten this infection stumbles upon this thread via Google: the problem was not fixed with the methods given here. I massively appreciate the staff taking the time to help, but with this infection a full format seems to be the way to go. The file turns up almost fully undetectable on VirusTotal. But if you check the VM results on VirusTotal, at least with the file that infected me, it makes more changes to the registry and to things like Excel and Microsoft Word than were fixed here. It also created a bunch of new files that look harmless, but it was impossible for me to delete them. Also, I installed a firewall that only allowed connections I manually approved, and some of those new files tried connecting to things. It looks like Malwarebytes was able to prevent the most dangerous, final payload, the RAT itself, from being installed, but there's no telling what the malware did before that and what managed to get through. For more info, Google "Remcos rat powershell attack". I can't be certain this was Remcos RAT in particular, but it definitely was a RAT that used the same attack method.
  2. I would also prefer to keep the logs just in case; if some weird things happen soon it might be interesting to have them. Is there also any way you could briefly describe to me what was done/undone? Or would that take too much of your time? I think it would be valuable and educational for me to know.
  3. One more question before I do that: a friend of mine recommended that I run Rkill and see if it terminated any suspicious processes. It gave me this back:

     Performing miscellaneous checks:
      * Windows Defender Disabled [HKLM\SOFTWARE\Microsoft\Windows Defender]
        "DisableAntiSpyware" = dword:00000001

     Checking for Windows services to stop:
      * No malware services found to stop.

     Checking for processes to terminate:
      * C:\ProgramData\Jackett\JackettService.exe (PID: 7860) [AU-HEUR]
      * C:\ProgramData\Jackett\JackettConsole.exe (PID: 11156) [AU-HEUR]
      * C:\Users\Danim\AppData\Local\Programs\restart-manager\Restart Manager.exe (PID: 22220) [UP-HEUR]
      * C:\Users\Danim\Downloads\FSS.exe (PID: 9628) [UP-HEUR]

     The one I marked red is unknown to me, and is the Windows Defender check suspicious?
  4. Also, in execution parents there is a file called viottobinder; it turns out that is a piece of software sold by the same people that sell Remcos RAT, so that would also make sense. Just installed the updates, will now restart and check Windows Update.
  5. It was also almost definitely this file, because it's the first time in years I have downloaded something not from an official developer. It was minutes after the installation of those files that Malwarebytes started blocking that connection, so it can't really be anything else. It seems like they just have very sophisticated defence evasion.
  6. I did some research and checked the behaviour, and it's not that the initial file is infected; it goes through many steps before getting the final payload. One of the comments on VirusTotal on the file mentioned it contained Remcos RAT. I googled a bit for that, and what happened was indeed what was described. It was described as a first file not being infected, but after that going through many steps via PowerShell to eventually get the RAT in the final step. Malwarebytes was constantly blocking a connection from PowerShell to a site, so it makes sense. Also check the relations, comments and behaviour tabs on VirusTotal and the VM results; there's more info there.
  7. https://www.virustotal.com/gui/file/4460dd8114b5609ea4e9644a659de0f5b188696d27dc8846d633628b3ade7c31/details https://www.virustotal.com/gui/file/4d1ef869c4bddeccc318939ea2651ce5a3fc2e369ba44a2e24cb9b102ef2be19/detection These are the 2 things I ran from the ISO file. They show up clean on the initial scan, but in relations and behaviour the malware shows up. Okay, will do!
  8. One other thing I noticed yesterday when removing the installed apps and sorting by install date was that Windows said OneDrive was installed on that day. I find that weird because it was installed a long time ago. Makes me wonder if the virus did something to it.
  9. SecurityCheck.txt Okay, here's the file! Would it also help if I gave you the VirusTotal scan of the thing that caused the infection or attempted infection?
  10. In the files it says Windows 10 Professional, but I'm running Windows 11. Is that normal? I might have bought 10 Pro and updated to 11, but I can't remember exactly.
  11. Hi, so I've been a fool by recklessly downloading cracked software I quickly needed. Soon after the installation, Malwarebytes kept blocking a Windows PowerShell connection to k6027.eu. I did some research and saw that previously people were recommended to run the Malwarebytes adware remover. I did that, and now it has stopped giving the pop-ups. But it was an ISO file and the "DVD station" is still active, and I'm wondering if it managed to do anything to my system even though the connection was blocked. I uninstalled the apps it installed too, but I'm not sure what to do now. Should I delete the ISO file, or should I keep it there for inspection by someone else?
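The Rkill hit in post 3 (Windows Defender reported disabled through `DisableAntiSpyware` under `HKLM\SOFTWARE\Microsoft\Windows Defender`) is the kind of change worth verifying by hand rather than trusting a single tool's heuristic line. The PowerShell below is an added example for readers of this thread; it is not code from the thread, from Rkill or from Malwarebytes. It reads the exact value Rkill reported, and additionally (my additions, not anything the thread mentions) the policy-side equivalents and the Defender real-time-monitoring value, then compares them with the live status and exclusion list from the built-in Defender cmdlets. Run it from an elevated PowerShell prompt on Windows 10/11.

```powershell
# Added example: check the Defender tamper indicator Rkill reported, plus related
# registry values and Defender's live state. Read-only; nothing is changed.

# The first entry is the value from the Rkill output in the thread. The others are
# additional, well-known Defender policy values I added for completeness.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                                Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                       Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                       Name = 'DisableAntiVirus' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection';  Name = 'DisableRealtimeMonitoring' }
)

foreach ($c in $checks) {
    # -ErrorAction SilentlyContinue: a missing key or value is the normal, healthy case.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($c.Name) -eq 1) {
        Write-Warning ("Defender disabled via {0}\{1} = 1" -f $c.Path, $c.Name)
    } else {
        Write-Output ("OK: {0}\{1} not set" -f $c.Path, $c.Name)
    }
}

# Live state as Defender itself reports it. Recent Windows builds may ignore the
# legacy DisableAntiSpyware value, so the registry alone can over- or under-report;
# always compare with this.
$status = Get-MpComputerStatus
$status |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected,
                  AntivirusSignatureLastUpdated |
    Format-List

# Exclusions are a common way for malware to keep a dropper or staging folder out
# of scans, so any entry here deserves a second look.
$pref = Get-MpPreference
if ($pref.ExclusionPath)    { Write-Warning 'Exclusion paths:';     $pref.ExclusionPath }
if ($pref.ExclusionProcess) { Write-Warning 'Excluded processes:';  $pref.ExclusionProcess }
if ($pref.ExclusionExtension) { Write-Warning 'Excluded extensions:'; $pref.ExclusionExtension }
```

If a value is set to 1 and you did not set it yourself, that is consistent with the tampering the thread describes. The script deliberately only reports; if you decide to revert, `Remove-ItemProperty` on the offending value and `Set-MpPreference -DisableRealtimeMonitoring $false` are the corresponding fixes, but as the final post in the thread notes, a registry fix alone does not tell you what else ran before the RAT stage was blocked.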
