Jump to content

Recommended Posts

I've had a couple accounts compromised, both used an identical password.  I'm unsure how the password was stolen but I want to rule out possible backdoors / trojans.  I did a fresh reformat a few months ago but have sense had another account compromised (I forgot to change the password and little harm was done).  I'm unsure how my data was being stolen.  I suspect a man in the middle attack but I'd like to ensure I don't have any back doors. 

 

I started a thread a few days ago but no one responded.

FRST.txt

Addition.txt

Link to post
Share on other sites

Hello hall140 and welcome to Malwarebytes,

Continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

Next,

Download AdwCleaner by Xplode onto your Desktop.

Or from this Mirror
 
  • Double click on Adwcleaner.exe to run the tool
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...

Next,

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs in your reply..

Thank you,

Kevin

fixlist.txt

Link to post
Share on other sites

 

Malwarebytes scan log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/29/17
Scan Time: 6:24 PM
Logfile: log11.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1837
License: Premium

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-DESVS04\Bryan

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 370346
Time Elapsed: 3 min, 3 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

 

adwCleaner Log:

# AdwCleaner v6.046 - Logfile created 29/04/2017 at 18:37:04
# Updated on 24/04/2017 by Malwarebytes
# Database : 2017-04-29.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Bryan - DESKTOP-DESVS04
# Running from : C:\Users\Bryan\Downloads\adwcleaner_6.046.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

No malicious folders found.


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

No malicious registry entries found.


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [999 Bytes] - [29/04/2017 18:37:04]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1071 Bytes] ##########
 

MSRT log:


---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.47, April 2017 (build 5.47.13703.0)
Started On Sat Apr 29 18:40:43 2017

Engine: 1.1.13601.0
Signatures: 1.239.313.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Sat Apr 29 18:49:32 2017


Return code: 0 (0x0)
 

Link to post
Share on other sites


C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 11671766 B
Java, Flash, Steam htmlcache => 543 B
Windows/system/drivers => 2937016 B
Edge => 211 B
Chrome => 360107860 B
Firefox => 106535559 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 21322 B
NetworkService => 0 B
defaultuser0 => 128 B
Bryan => 57737431 B

RecycleBin => 305669778 B
EmptyTemp: => 805.6 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 18:15:04 ====

FRST.txt

Fixlog.txt

Link to post
Share on other sites

Run one more scan, see what the log shows...

Download and save RogueKiller to your Desktop from this link:

https://www.fosshub.com/RogueKiller.html/setup.exe

Right click setup.exe and select Run as Administrator to start installing RogueKiller.

At the next window Checkmark "Install 32 and 64 bit versions, then select "Next"

user posted image

In the next window skip Licence I.D. and Licence Key, select "Next"

user posted image

In the next window make no changes and select "Next"

user posted image

In the next window leave both "Additional Shortcuts" checkmarked, then select "Next"

user posted image

In the next window make no changes and select "Install"

user posted image

RogueKiller will extract and complete installation, in the new window leave "Launch Roguekiller" checkmarked, then select finish.

user posted image

RogueKiller will launch. Accept UAC, then read and accept "User Agreements"

user posted image

In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan"

user posted image

When the scan completes select "Open Report"

user posted image

In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply

user posted image


Thank you,

Kevin....
Link to post
Share on other sites

I`d recommend we delete those entries..
 
Right click on RogueKiller.exe and select "Run as Administrator" to start the tool, accept UAC..

In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan"

user posted image

When the scan completes Checkmark (tick) the following against Registry entries, ensure that all other entries are not Checkmarked

PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 172.18.13.1 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{be9b44c8-be9e-48c9-93ca-6ff935b40049} | DhcpNameServer : 172.18.13.1 ([]) -> Found


Hit the Delete button, when complete select "Open Report" in the next window select "Export txt" the log will open. Save to your Desktop for reference, also attach to next reply.
 
Post that log, also let me know if there are any remaining issues or concerns....
 
Thank you,
Kevin
Link to post
Share on other sites

Wait until this PC is clean, then disconnect from the network. This PC should be good to go after RogueKiller completes..

When that that is done run  the following on the other PC..

Download and save RogueKiller to your Desktop from this link:

https://www.fosshub.com/RogueKiller.html/setup.exe

Right click setup.exe and select Run as Administrator to start installing RogueKiller.

At the next window Checkmark "Install 32 and 64 bit versions, then select "Next"

user posted image

In the next window skip Licence I.D. and Licence Key, select "Next"

user posted image

In the next window make no changes and select "Next"

user posted image

In the next window leave both "Additional Shortcuts" checkmarked, then select "Next"

user posted image

In the next window make no changes and select "Install"

user posted image

RogueKiller will extract and complete installation, in the new window leave "Launch Roguekiller" checkmarked, then select finish.

user posted image

RogueKiller will launch. Accept UAC, then read and accept "User Agreements"

user posted image

In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan"

user posted image

When the scan completes select "Open Report"

user posted image

In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply

user posted image

Let me see that log in your reply...
 
Thank you,
 
Kevin

 

 

Link to post
Share on other sites

Can we concentrate on the laptop if it has been reinfected...

Reset your router, instructons available at the following link:

http://setuprouter.com/networking/how-to-reset-your-router/

Follow those instructions very carefully.

Next,

Download and unzip DNSJumper to your Desktop, the tool is portable no installation necessary.

Tool can be downloaded here: http://www.sordum.org/downloads/?dns-jumper
 
  • Right click on Dnsjumper.exe and select "Run as Administrator" to start the tool, For XP just double click to run.
  • From the left hand pane select "Flush DNS"
  • From the main interface select the dropdown under "Choose a DNS Server"
  • From the list select either "Google Public DNS" or "Open DNS"
  • From the left hand pane select "Apply DNS"


When done re-boot your system....

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"
Link to post
Share on other sites

The laptop behaves fine.  This morning Windows Ink Workspace was randomly enabled, which I had never seen.  Then I noticed the reinfection.

There are 2 more entries from roguekiller on this laptop, should I delete them?

 

Link to post
Share on other sites

Can I delete both PUM.startmenu ?

 

 

 

RogueKiller V12.10.7.0 (x64) [May  1 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : Bryan [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 05/01/2017 12:19:07 (Duration : 00:19:09)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 172.18.11.1 ([])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{be9b44c8-be9e-48c9-93ca-6ff935b40049} | DhcpNameServer : 172.18.11.1 ([])  -> Replaced ()
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1332302035-2113573720-2638189068-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Not selected
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1332302035-2113573720-2638189068-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SK hynix SH920 mSATA 128GB +++++
--- User ---
[MBR] b224d69bf1a5eb7129ae4076bb1d9402
[BSP] b13aa31d14056dfac65d48caf3d6b181 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 923648 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1128448 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1161216 | Size: 121537 MB
User = LL1 ... OK
User = LL2 ... OK

 

Link to post
Share on other sites

Yes you can also delete those entries you mention... Run the following to clean up:

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Edited by kevinf80
Link to post
Share on other sites

  • 3 weeks later...
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.