
Nanocore trying to gain access to laptop


JoshyB


Hi there,

I've been hit with some kind of unwanted intrusion where I'm being asked to install Nanocore in order for someone to access my PC remotely. I keep declining the pop-up prompt, but it keeps asking every 5 minutes. After I click decline, a command prompt window flashes up and then disappears instantly.

I've seen a couple of other people also having this issue in the last few hours and was wondering if I could ask for some help as well?

I've attached what I think are the relevant files.

 

report.txt

Addition.txt

FRST.txt


Hello JoshyB and welcome to Malwarebytes,

Continue as follows please:

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If a restart is required to finish the cleaning process, you should click Reboot. If a reboot isn't required, please reboot your computer manually.

  • Open Zemana AntiMalware again.
  • Click on the [user posted image] icon and double-click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.


Next,

Upload a File to Virustotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\Users\Joshua\AppData\Roaming\Local service.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.


Post those logs, and also tell me if there are any remaining issues or concerns.

Thank you,

Kevin..

 

 


I did a search for RegSvcs.exe using FRST and this is the search that came back.

It's saying that there is a RegSvcs.exe file in my local user folder, but I've checked and it doesn't exist. I've even tried deleting it through CMD and it's saying it doesn't exist.

I've run everything you've suggested in other threads and it has come up with nothing related to this issue.

Search.txt


Just a quick update, I tried creating a RegSvcs.exe dummy file in my user folder and Windows tells me that there is a program of that name already in the folder. I can't see it though, and 'show hidden files' is turned on, and as I said the CMD prompt doesn't recognise that this other file is there.

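An added example, not part of the original posts: Explorer's "show hidden files" option does not reveal items that also carry the System attribute, and CMD's `dir` and `del` skip hidden and system files unless `/A` is given. The thread does not confirm that this is the cause here; the sketch below assumes it may be, takes the file name and user folder from the posts above, and uses a hypothetical function name `Find-HiddenItem`.

```powershell
# Added example (not from the thread). Assumptions: the name RegSvcs.exe and
# the user profile folder come from the posts above; Find-HiddenItem is a
# hypothetical helper name.
function Find-HiddenItem {
    param(
        [string]$Folder = $env:USERPROFILE,
        [string]$Name   = 'RegSvcs.exe'
    )
    # -Force makes Get-ChildItem return Hidden and System items as well,
    # which a plain listing (or "dir" without /A) leaves out.
    Get-ChildItem -LiteralPath $Folder -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like $Name } |
        ForEach-Object {
            $isDir = $_.PSIsContainer   # a folder with this name also blocks file creation
            $sig   = $null
            $hash  = $null
            if (-not $isDir) {
                # Signature status and hash help decide whether the file is the
                # genuine Microsoft binary or something reusing its name.
                $sig  = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                Path        = $_.FullName
                IsDirectory = $isDir
                Attributes  = $_.Attributes
                Hidden      = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                System      = [bool]($_.Attributes -band [IO.FileAttributes]::System)
                Signature   = $sig
                SHA256      = $hash
                LastWrite   = $_.LastWriteTime
            }
        }
}

# Report every matching item in the current user's profile folder.
Find-HiddenItem | Format-List
```

If an item is reported, its SHA256 value can be searched on VirusTotal before uploading the file itself.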

Can you post the log from the fix? Also one more scan, then we clean up if the log is good...

Download Microsoft's "Malicious Software Removal Tool" and save it directly to the desktop.

Ensure you get the correct version for your system.

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right-click on the tool and select "Run as Administrator"; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan.
Perform a scan and click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include details for each time MSRT has run; we only need the most recent log by date and time.
 
Thank you,
Kevin

Here's the log from the fix.

Interestingly it's still saying there's a hidden RegSvcs.exe file in my user directory.

From the MSRT log:


---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.42, November 2016 (build 5.42.13202.0)
Started On Fri Nov 11 06:16:20 2016

Engine: 1.1.13202.0
Signatures: 1.231.682.0
Run Mode: Scan Run From Windows Update

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Fri Nov 11 06:22:39 2016


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.42, November 2016 (build 5.42.13202.0)
Started On Sun Dec 11 08:26:52 2016

Engine: 1.1.13202.0
Signatures: 1.231.682.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Sun Dec 11 08:31:05 2016


Return code: 0 (0x0)

 

Fixlog.txt


  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

