RAT Threat

Hello and welcome,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
    (Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


 

Let me see those logs...

 

Kevin...



I downloaded it, but it closes itself too.. and about the privacy/piracy warning, all my software is legal


The opening reply regarding P2P/Piracy warning is a standard forum reply, it is not suggesting anything, it is designed to make everyone aware of forum policy....

 

Follow the instructions in the following link to show hidden files:

http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

 

Next, download FRST again; this time rename it to Find.com, run the tool and select Scan... Post the two produced logs...



I did unhide, but it still self-closes programs. What should I do ...


See if this will run...

 

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from, with different names on them; select the first one and save it to your desktop.

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7/8, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen, delete the icon from the desktop, go back to the download link, select the next button and try to run the tool again; continue to repeat this process with the remaining buttons until the tool runs. You will find further links with other names if you scroll down the page; try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.


 

Try FRST after that...



Here it is, but my antiviruses still don't run.

Rkill.txt


Change back to mbam.exe....

 

Run the following:

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 

Again it will have to be renamed, try winlogon.com

  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8/8.1/10, right-click on the program and select Run as Administrator to start, and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement).
  • Click Scan to scan the system.
  • When the scan completes select "Report", then in the next window select "Export txt"; the log will open as a text file. Post that log... Also save it to your Desktop for reference.
  • Close the program > Don't Fix anything!


 



Why not fix anything..? It found some roots.. By the way, the scan is not done yet, so.. when it's done I will post the log



Here it is, hope it helps (I hid the files before doing it)

Scan.txt


Double-click RogueKiller.exe to run again. (Vista/7/8 right-click and select Run as Administrator)

When "initializing/pre-scan" completes, press the Scan button; this may take a few minutes to complete.

When the scan completes open the Registry tab and locate the following detections:

[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-4113773215-1896902246-4033210979-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://login.hhtxnet.com/ -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-4113773215-1896902246-4033210979-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://login.hhtxnet.com/ -> Found

Make sure those entries are Checkmarked (ticked) also ensure that all other entries are not Checkmarked.

Open the Files tab and locate the following detections:

[suspicious.Path|Suspicious.Startup][File] C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk -> Found
[suspicious.Path|Suspicious.Startup][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk -> Found
[PUP][Folder] C:\ProgramData\{BAF091CA-86C4-4627-ADA1-897E2621C1B0} -> Found

Make sure those entries are Checkmarked (ticked) also ensure that all other entries are not Checkmarked.

Hit the Delete button; when complete select "Report", then in the next window select "Export txt"; the log will open as a text file. Post that log... Also save it to your Desktop for reference.

 

Next,

 

Please download Malwarebytes Anti-Rootkit from here

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder... mbar-log.txt and system-log.txt


 

Post those logs...

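The detections above name three persistence locations: the two Startup folders, the Browser Helper Objects key, and the user's Internet Explorer "Search Page" value. The following PowerShell script is an added example (not part of the thread and not RogueKiller's own code) that reads those same locations and reports what is there so a finding can be verified before anything is deleted; it assumes an elevated session on the affected machine, and $Sid is the SID quoted in the log lines above, to be replaced with the SID of the profile being examined.

```powershell
# Added example (not from the thread, not RogueKiller's code): inspect the three persistence
# locations the RogueKiller detections above point at and report what is there, so a finding
# can be verified before anything is deleted. Nothing is modified or removed.
# Assumptions: an elevated PowerShell session on the affected machine; $Sid is the user SID
# quoted in the log lines above, replace it with the SID of the profile being examined.

$Sid = 'S-1-5-21-4113773215-1896902246-4033210979-1000'

function Get-StartupShortcuts {
    # Per-user and all-users Startup folders, where both "Windows Explorer.lnk" entries were found.
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $folders) {
        Get-ChildItem -Path $folder -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{
                Shortcut   = $_.FullName
                Target     = $lnk.TargetPath
                Arguments  = $lnk.Arguments
                # A shortcut named after a Windows component whose target lives outside
                # %SystemRoot% is the pattern flagged above; it is reported for review only.
                Suspicious = ($_.BaseName -match '^(Windows )?Explorer$') -and
                             ($lnk.TargetPath -notlike "$env:SystemRoot\*")
            }
        }
    }
}

function Get-BrowserHelperObjects {
    # BHO registrations in the native and 32-bit (Wow6432Node) views; each subkey name is a CLSID.
    $bhoKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects')
    foreach ($key in $bhoKeys) {
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName
            # Resolve the CLSID to the DLL that implements it, so the owner can be identified.
            $dll = $null
            foreach ($classes in 'HKLM:\Software\Classes\CLSID', 'HKLM:\Software\Classes\Wow6432Node\CLSID') {
                $srv = Get-ItemProperty -Path "$classes\$clsid\InprocServer32" -ErrorAction SilentlyContinue
                if ($srv) { $dll = $srv.'(default)'; break }
            }
            [pscustomobject]@{ View = $key; CLSID = $clsid; Dll = $dll }
        }
    }
}

function Get-IESearchPage {
    # The "Search Page" value under the user's Internet Explorer\Main key, as flagged above.
    $key = "Registry::HKEY_USERS\$Sid\Software\Microsoft\Internet Explorer\Main"
    $val = (Get-ItemProperty -Path $key -Name 'Search Page' -ErrorAction SilentlyContinue).'Search Page'
    [pscustomobject]@{
        Key        = $key
        SearchPage = $val
        # The stock value points at a microsoft.com host; anything else is a hijack candidate.
        Suspicious = [bool]$val -and ($val -notmatch '^https?://([a-z0-9-]+\.)*microsoft\.com/')
    }
}

Get-StartupShortcuts     | Format-Table -AutoSize
Get-BrowserHelperObjects | Format-Table -AutoSize
Get-IESearchPage         | Format-List
```

The HKEY_USERS subtree for the SID is only present while that profile is loaded, so run the script while logged in as the affected user.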


Thank you Sir! Now I can run Malwarebytes and normal cleaning programs... Does that mean the threat got solved? ... And what about that thing, should I delete it too? And about the logs, I will post them when the scans are done

(attached screenshot)



Here are the logs

Export.txt

mbar-log-2015-10-27 (15-28-19).txt

system-log.txt


The thing you mention in the image is related to IOBit. I would recommend that you uninstall anything related to IOBit, Advanced System Care and anything else related to IOBit.

 

Next,

 

Run FRST one more time; ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the two logs....

 

Post those logs, also let me know if there are any remaining issues or concerns....

 

Kevin...
 



But why isn't Advanced System Care a very good program..? And here are the logs (the first time I didn't checkmark Addition, so here are both FRSTs)

FRST.txt

FRST (2).txt

Addition.txt


Advanced System Care and IOBit are the same company; a few years back IOBit were accused of stealing Malwarebytes databases. The company is based in China so proving the issue was difficult...

 

Read this thread: https://forums.malwarebytes.org/index.php?/topic/29681-iobit-steals-malwarebytes-intellectual-property/

I still do not recommend IOBit or any associated programs, obviously the choice is yours...

Those logs are clean, no obvious malware or infection. Continue to clean up...

 

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

Double-click to start the program. If you are using Vista or higher, please right-click and choose Run as administrator.

Make sure the following items are checked:

  • Remove disinfection tools
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points; a new point relative to the system status at present will be created.
  • Reset system settings

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…
 

Next,

 

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

let me know if we can close out..

Kevin...



I think that everything is in order now. Thanks a lot for the help, sir :D



Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
