Jump to content

Search the Community

Showing results for tags 'certificates'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Announcements
    • Malwarebytes News
    • Beta Testing Program
  • Malware Removal Help
    • Windows Malware Removal Help & Support
    • Mac Malware Removal Help & Support
    • Mobile Malware Removal Help & Support
    • Malware Removal Self-Help Guides
  • Malwarebytes for Home Support
    • Malwarebytes 3 Support Forum
    • Malwarebytes for Mac Support Forum
    • Malwarebytes for Android Support Forum
    • Malwarebytes for iOS Support
    • False Positives
    • Comments and Suggestions
  • Malwarebytes for Business Support
    • Malwarebytes Endpoint Protection
    • Malwarebytes Incident Response (includes Breach Remediation)
    • Malwarebytes Endpoint Security
    • Malwarebytes Business Products Comments and Suggestions
  • Malwarebytes Tools and Other Products
    • Malwarebytes AdwCleaner
    • Malwarebytes Junkware Removal Tool Support
    • Malwarebytes Anti-Rootkit BETA Support
    • Malwarebytes Techbench USB (Legacy)
    • Malwarebytes Secure Backup discontinued
    • Other Tools
    • Malwarebytes Tools Comments and Suggestions
  • General Computer Help and Security Updates
    • BSOD, Crashes, Kernel Debugging
    • General Windows PC Help
  • Research Center
    • Newest Rogue-Ransomware Threats
    • Newest Malware Threats
    • Newest Mobile Threats
    • Newest IP or URL Threats
    • Newest Mac Threats
    • Report Scam Phone Numbers
  • General
    • General Chat
    • Forums Announcements & Feedback

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Location


Interests

Found 2 results

  1. My 1-year old Mac Air laptop was massively hacked on 3/28/19. I’ve figured out how it happened and it disguised itself as a source for published medical papers. It made its debut by shutting my laptop down and when I restarted it I couldn’t use google as my safari search engine despite it showing in system preferences. All searches were directed to Yahoo! and the sites there weren’t authentic. I couldn’t even get on Apple support. I believe the malware may have gotten in through my gmail as that account was seriously affected. The more I tried to figure out what was going on by going by searching system information the more I lost access to them. Eventually my entire interface changed - it looked more like a bad reproduction of the real interface. I called apple support and they connected with my screen. We downloaded a virus detector which showed nothing but I could tell it was still there because the margins on any site were too large I’m not at all a technical person but I was driven to figure this out. I used every system investigation I could and found out my network was being entirely redirected; commands were being blocked; data was being accessed and large and continuous data packets were being sent even though my computer wasn’t on or another time while I was completely off line. I found 2 mysterious “printers” and think those were involved in redirecting my network. Going into logs I could see a lot of commands the malware set up which were very disquieting. I saw instructions related to the camera and microphone, commands to circumvent the virus scanner, activating a control to get into computer while shut off and rerouting my network. I somehow found a malicious certificate and traced it to root systems. I called in our tech person and she downloaded Malwarebytes and ran every choice but it too showed nothing She wasn’t interested in the information I’d found and trusted that the virus scan was correct She rebooted our internet and we created all new names and passwords and it seemed like it worked for about 4 days but then it showed up again The malware changed so many things especially related to keychains and passwords were being rejected Finally I sent my laptop out and it was download on an external drive Had the whole operating system deleted and downloaded it again But I’m still really concerned I’m still vulnerable and I’ll admit I’ve become extremely paranoid Could the data reloaded from the backup contain malware? I’d appreciate any input on this This malware sounds very like one i saw on this blog but it seems more advanced by protecting itself from discovery especially by deep virus scanners I documented a lot of data I found including taking screenshots with my phone If anyone is interested in that or name of site where I made that fateful download let me know Side note: My iPhone was also affected likely through gmail. My photos were being accessed as well as contacts I got locked out, had it deleted but couldn’t reactivate because my gmail was disabled.
  2. What is WdfLoad? The Malwarebytes research team has determined that WdfLoad is a Trojan.Dropper. These trojans are designed to download other malware. The Scheduled Task How do I know if my computer is affected by WdfLoad? You may see an entry similar to this in your list of Scheduled Tasks: How did WdfLoad get on my computer? Trojans use different methods for distributing themselves. This particular one was bundled with other software. How do I remove WdfLoad? Our program Malwarebytes can detect and remove this trojan. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of WdfLoad? This PUP creates a randomly named scheduled task that is intended to download and run a cryptocurrency miner. It will also store antivirus software certificates in the "Untrusted" section. You can read here how to check for and, if necessary, remove Scheduled Tasks. If you receive the error Runtime Error 49:120 could not call proc this means the certificates have already been placed. In these cases you should download and run Malwarebytes Anti-Rootkit BETA. After using Malwarebytes Anti-Rootkit BETA, reboot the system and follow the instructions above to run Malwarebytes. Thjis should work now. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this trojan. As you can see below the full version of Malwarebytes would have protected you against the WdfLoad trojan. It would have warned you before the trojan could install itself, giving you a chance to stop it before it became too late. And we block the connections the second stage of the infection makes: Technical details for experts Possible signs in FRST logs: C:\Windows\System32\Tasks\Bix Cup 98 demo Task: {8D9FA929-30BD-49A0-952A-47B88E8F7079} - System32\Tasks\Bix Cup 98 demo => Rundll32.exe "C:\Program Files\Bix Cup 98 demo\Bix Cup 98 demo.dll",iNCHhtDzdDmt FirewallRules: [{1874C08B-5604-4F97-A8D1-746D88B73F02}] => (Allow) C:\Windows\system32\rundll32.exe Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Bix Cup 98 demo Adds the file 1290507146"="6/12/2017 4:11 PM, 60 bytes, A Adds the file Bix Cup 98 demo.dll"="6/1/2015 7:31 PM, 2128896 bytes, A In the existing folder C:\Users\{username}\Desktop (-)(FILE) webfriend2.exe"="6/9/2017 12:02 PM, 1309278 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Bix Cup 98 demo"="6/12/2017 4:13 PM, 16724 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\KHT] "(Default)"="REG_SZ", "" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/12/17 Scan Time: 4:23 PM Log File: mbamWdfLoad.txt Administrator: Yes -Software Information- Version: 3.1.2.1733 Components Version: 1.0.141 Update Package Version: 1.0.2137 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 334575 Threats Detected: 1 Threats Quarantined: 1 Time Elapsed: 1 min, 29 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 Trojan.Wdfload, C:\PROGRAM FILES\BIX CUP 98 DEMO\BIX CUP 98 DEMO.DLL, Delete-on-Reboot, [457], [406241],1.0.2137 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.