Jump to content

Recommended Posts

Hi

I'm contacting you as I'm facing some difficulties in removing a malware on a PC I've just received.
I've tried several analysis with MBAM and Adw cleaner, and cleaning the Temp folders, even in safe mode.
Unfortunately everytime I restart the computer, the threats (or different ones) are present again.

As described in the pinned post, I'm attaching the reports to this message.
Thanks a lot in advance for your help.

 

Raphael

 

 

MBAM.txt

Addition.txt

FRST.txt

Link to post
Share on other sites

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry because we have a team of experts here help you!!

Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact an Administrator to let them know.

First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details:

Spoiler

Malwarebytes can detect and remove most malware with no further actions required for free.

If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.

  1. Open Malwarebytes for Windows
  2. To the left, click Scan > Scan Types.

    auto-reply-scan-types2.jpg.86e24e955a95d
     
  3. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.

    auto-reply-scan-types1.jpg.f4eee0e0c9375
     
  4. Click Start Scan
     

Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool:

Spoiler

Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.

Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  1. Double-click to run it. When the tool opens click Yes to the disclaimer.
  2. Press the Scan button.

    _frst_scan.jpg.d79beccbb6e66628e557f6c28
     
  3. It will make a log (FRST.txt) in the same directory the tool is run. Please attach or copy and paste it to your reply.
  4. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.
     

Finally, attach the Malwarebytes Threat Scan, FRST.txt and Additional.txt logs to your reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:   notify me.jpeg
 

Click "Reveal Hidden Contents" below for details on how to add attachments to your post.
Note: If you are unable to attach files, please copy and past the contents of the requested files in your Reply instead. 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

mb_attach.jpg.220985d559e943927cbe3c078b
 

Please Note the Following:

  • One of our expert helpers will give you one-on-one assistance when one becomes available.
  • Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
  • Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help
  • If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.

Troubleshooting Tips

 

 

Link to post
Share on other sites

Hi Raphaels :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

In which log do you see the "dclogs" folder?

Link to post
Share on other sites

Hi Aura

Thanks a lot for your quick reply.
All clear to me and I'll do my best to follow your recommendations.

 

Regarding the presence of dclogs folder: it's true that in MBAM report and detection, this folder doesn't appear anymore. It was in some of the previous scans.
I don't know whether it will appear again in another scan or computer restart.

At the moment I haven't selected any action on MBAM or Farbar yet, so I can still cancel or put all threats in Quarantine for ex.

Thanks

 

Raphael

Link to post
Share on other sites

If you really had a folder called dclogs in your Malwarebytes logs, it means that at some point, this system was infected with DarkComet, a RAT (backdoor trojan).

Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker. Read Danger: Remote Access Trojans.

You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, paying bills, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for taxes, email, eBay, paypal and any other online activities. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password before connecting again.

Although the infection has been identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:


This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.


The only way to clean a compromised system is to flatten and rebuild. Thats right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Therefore you have two options here. Either we continue with the clean-up, though I cannot guarantee that the system will still be safe to use afterwards, or you can do a nuke and pave (format and reinstall of Windows). I can assist you with either option, just let me know.

Link to post
Share on other sites

This system might have been backdoored since at least October 2016.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
    NYA5Cbr.png
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

fixlist.txt

Link to post
Share on other sites

Here's the log file:

Entfernungsergebnis von Farbar Recovery Scan Tool (x64) Version: 06.06.2018 01
durchgeführt von rsabatier (13-06-2018 16:47:04) Run:1
Gestartet von C:\Users\rsabatier\OneDrive - Jobcloud\Desktop
Geladene Profile: rsabatier (Verfügbare Profile: jcdeploy & rsabatier & dafsevgili & danlang & Administrator)
Start-Modus: Normal
==============================================

fixlist Inhalt:
*****************
CloseProcesses:
CreateRestorePoint:

GroupPolicy: Beschränkung ? <==== ACHTUNG
CHR HKLM\SOFTWARE\Policies\Google: Beschränkung <==== ACHTUNG

Task: {04752D44-D268-4469-B718-C3C5D5048967} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> Keine Datei <==== ACHTUNG
Task: {30736B57-47D7-4622-AD92-875B8387F688} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> Keine Datei <==== ACHTUNG
Task: {3A26B9AA-8B7D-4361-B291-2768D84B3D2A} - System32\Tasks\fhwb => C:\Users\rsabatier\fhwb\zubqjye.exe [2016-10-09] (AutoIt Team)
Task: {46EEF261-5CF2-41D3-A675-D08C967C17AE} - System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}
Task: {5C00FEF3-1564-4C9F-951C-F5E14052AE72} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> Keine Datei <==== ACHTUNG
Task: {5ED1402F-AD81-4190-B8FC-72AA50B5A0F7} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> Keine Datei <==== ACHTUNG
Task: {9E4DB088-D5CB-478D-8CE8-D41CB7671E91} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> Keine Datei <==== ACHTUNG
Task: {D058CEBE-35F6-4705-B2BD-1CB43AC3862A} - System32\Tasks\fseczq => C:\Users\rsabatier\fseczq\wvkykon.exe [2016-10-09] (AutoIt Team)
Task: {DD538F00-A343-4A6D-9680-0DC5D5AEB086} - System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}
Task: {E207B6C1-7A6F-4894-A26E-088033CB8BC9} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> Keine Datei <==== ACHTUNG
Task: {F5A0CFDE-9C69-4EEA-BFD6-4AA87D2B9D3A} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> Keine Datei <==== ACHTUNG
Task: {FF1CBC9D-40DA-44B4-AC8E-B886F3B6A503} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> Keine Datei <==== ACHTUNG

AlternateDataStreams: C:\Windows:nlsPreferences [386]

C:\Users\rsabatier\.obs32
C:\Users\rsabatier\fhwb
C:\Users\rsabatier\fseczq
C:\Users\rsabatier\wvkykon.exe
C:\Users\rsabatier\zubqjye.exe
C:\Users\rsabatier\ntuser.pol
C:\Users\rsabatier\AppData\Roaming\A6C052D5-7E37-4797-A7BC-D87D95C03BBB

Hosts:
EmptyTemp:
*****************

Prozesse erfolgreich geschlossen.
Wiederherstellungspunkt wurde erfolgreich erstellt.
C:\WINDOWS\system32\GroupPolicy\Machine => erfolgreich verschoben
C:\WINDOWS\system32\GroupPolicy\GPT.ini => erfolgreich verschoben
"HKLM\SOFTWARE\Policies\Google" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{04752D44-D268-4469-B718-C3C5D5048967}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{04752D44-D268-4469-B718-C3C5D5048967}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{30736B57-47D7-4622-AD92-875B8387F688}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{30736B57-47D7-4622-AD92-875B8387F688}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3A26B9AA-8B7D-4361-B291-2768D84B3D2A}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3A26B9AA-8B7D-4361-B291-2768D84B3D2A}" => erfolgreich entfernt
C:\WINDOWS\System32\Tasks\fhwb => erfolgreich verschoben
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\fhwb" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{46EEF261-5CF2-41D3-A675-D08C967C17AE}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{46EEF261-5CF2-41D3-A675-D08C967C17AE}" => erfolgreich entfernt
C:\WINDOWS\System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA} => erfolgreich verschoben
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5C00FEF3-1564-4C9F-951C-F5E14052AE72}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5C00FEF3-1564-4C9F-951C-F5E14052AE72}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5ED1402F-AD81-4190-B8FC-72AA50B5A0F7}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5ED1402F-AD81-4190-B8FC-72AA50B5A0F7}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9E4DB088-D5CB-478D-8CE8-D41CB7671E91}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9E4DB088-D5CB-478D-8CE8-D41CB7671E91}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D058CEBE-35F6-4705-B2BD-1CB43AC3862A}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D058CEBE-35F6-4705-B2BD-1CB43AC3862A}" => erfolgreich entfernt
C:\WINDOWS\System32\Tasks\fseczq => erfolgreich verschoben
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\fseczq" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DD538F00-A343-4A6D-9680-0DC5D5AEB086}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DD538F00-A343-4A6D-9680-0DC5D5AEB086}" => erfolgreich entfernt
C:\WINDOWS\System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202} => erfolgreich verschoben
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E207B6C1-7A6F-4894-A26E-088033CB8BC9}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E207B6C1-7A6F-4894-A26E-088033CB8BC9}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F5A0CFDE-9C69-4EEA-BFD6-4AA87D2B9D3A}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F5A0CFDE-9C69-4EEA-BFD6-4AA87D2B9D3A}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FF1CBC9D-40DA-44B4-AC8E-B886F3B6A503}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FF1CBC9D-40DA-44B4-AC8E-B886F3B6A503}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => erfolgreich entfernt
C:\Windows => ":nlsPreferences" ADS erfolgreich entfernt
C:\Users\rsabatier\.obs32 => erfolgreich verschoben
C:\Users\rsabatier\fhwb => erfolgreich verschoben
C:\Users\rsabatier\fseczq => erfolgreich verschoben
C:\Users\rsabatier\wvkykon.exe => erfolgreich verschoben
C:\Users\rsabatier\zubqjye.exe => erfolgreich verschoben
C:\Users\rsabatier\ntuser.pol => erfolgreich verschoben
C:\Users\rsabatier\AppData\Roaming\A6C052D5-7E37-4797-A7BC-D87D95C03BBB => erfolgreich verschoben
C:\Windows\System32\Drivers\etc\hosts => erfolgreich verschoben
Hosts erfolgreich wiederhergestellt.

=========== EmptyTemp: ==========

BITS transfer queue => 10510336 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 18011760 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 151318709 B
Edge => 645264 B
Chrome => 711755075 B
Firefox => 384132745 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 6656 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 6308 B
LocalService => 0 B
NetworkService => 37792 B
NetworkService => 0 B
JCDeploy => 3440 B
rsabatier => 130048257 B
dafsevgili => 0 B
danlang => 56941 B
Administrator => 30274 B

RecycleBin => 59168 B
EmptyTemp: => 1.3 GB temporäre Dateien entfernt.

================================


Das System musste neu gestartet werden.

==== Ende von Fixlog 16:48:19 ====

Fixlog.txt

Link to post
Share on other sites

I tried to deactivate all I could (Win Defender, MBAM), even trying creating the zip in Safe Mode, but I keep getting the following error message:

    C:\FRST\Quarantine.zip: Impossible d'ouvrir C:\FRST\Quarantine\C\WINDOWS\system32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}.xBAD
!   Accès refusé.
    C:\FRST\Quarantine.zip: Impossible d'ouvrir C:\FRST\Quarantine\C\WINDOWS\system32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}.xBAD
!   Accès refusé.

So archive is probably incomplete.

Its total size is more than 220Mo so I tried creating it in separated files of 50Mo.
Can I still post it or it won't help?

Link to post
Share on other sites

That works. And it's okay, I won't need the 2 files that couldn't be added to the .zip. Now let's do a sweep with AdwCleaner and RogueKiller.

zcMPezJ.pngAdwCleaner - Fix Mode

  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
    V7SD4El.png
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

RQKuhw1.pngRogueKiller

  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply

Your next reply(ies) should therefore contain:

  • Copy/pasted AdwCleaner clean log
  • Copy/pasted RogueKiller clean log

Link to post
Share on other sites

I looked into the samples you sent me from the computer, and it is indeed infected with a backdoor trojan. One that can also log what is being done on the system, so you should consider the data entered on that system as compromised (passwords for instance).

Link to post
Share on other sites

The infection "itself" is removable from the system. However, since an unknown attacker had access to the access, it's impossible to know with certainty what he did on the system and if he opened other backdoors on the system, in case his main one (the RAT) gets closed. So yes, I highly recommend to format and reinstall Windows on that system, seeing that it was infected with a backdoor trojan and that it was still actively logging the activity on this system.

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.