Infected PC help needed


Recommended Posts

Hi guys,

My PC is infected, but I can't find everything. I have a log attached. I really need help because I need the PC and can't work safely now.

The 0.a9 is an infected item that I know for sure; I tried to remove it already, but I don't know if it is completely gone.

Could you guys find some other suspicious parts?

I really hope that you guys can help me out, I'm desperate...

Greetings

hijackthis.log


Hi christjeeh :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply right after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system: I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums' rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like formatting and reinstalling Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate it if you were to stay with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full-time job, so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread

This being said, it's time to clean up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below, and provide me both FRST logs (FRST.txt and Addition.txt) and the Malwarebytes log. You can attach them in your next post, or copy/paste their content.

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/


Good afternoon,

Of course I respect all the rules as stated in your reply!

In the attachment I have the three logs: the FRST log, the Addition log and the Malwarebytes log.

Thank you very, very much for helping!

Sorry for my late reply; the PC was disconnected from the internet because I didn't want to get my PC infected.

Addition.txt

FRST.txt

mallwarebytes log.txt


Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

fixlist.txt


Hi Aura,

Thank you for helping me so well. My PC is running fine now, but the problem is that I thought that before as well, until they hacked my accounts through my PC.

The suspicious programs are gone, I believe, but there are still a few in my Task Manager:

Maybe you could check if my PC is completely clean?

1. PDVD12Serv.exe PowerDVD Service (32 bit)

2. fontdrvhost.exe Usermode Font Driver Host

3. unsecapp.exe Sink to receive asynchronous callbacks for WMI client application


Suspicious connections:

C:\WINDOWS\system32>netstat -ba

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            Chris-Lenovo:0         LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            Chris-Lenovo:0         LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:2869           Chris-Lenovo:0         LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:5040           Chris-Lenovo:0         LISTENING
  CDPSvc
 [svchost.exe]
  TCP    0.0.0.0:17500          Chris-Lenovo:0         LISTENING
 [Dropbox.exe]
  TCP    0.0.0.0:49664          Chris-Lenovo:0         LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49665          Chris-Lenovo:0         LISTENING
  EventLog
 [svchost.exe]
  TCP    0.0.0.0:49666          Chris-Lenovo:0         LISTENING
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49667          Chris-Lenovo:0         LISTENING
 [spoolsv.exe]
  TCP    0.0.0.0:49668          Chris-Lenovo:0         LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49674          Chris-Lenovo:0         LISTENING
 [lsass.exe]
  TCP    0.0.0.0:50128          Chris-Lenovo:0         LISTENING
 Can not obtain ownership information
  TCP    127.0.0.1:843          Chris-Lenovo:0         LISTENING
 [Dropbox.exe]
  TCP    127.0.0.1:17600        Chris-Lenovo:0         LISTENING
 [Dropbox.exe]
  TCP    127.0.0.1:30000        Chris-Lenovo:0         LISTENING
 [McAfee.TrueKey.Service.exe]
  TCP    127.0.0.1:31752        Chris-Lenovo:0         LISTENING
 [GDCAgent.exe]
  TCP    127.0.0.1:44117        Chris-Lenovo:0         LISTENING
 [fshoster64.exe]
  TCP    127.0.0.1:44117        Chris-Lenovo:58231     ESTABLISHED
 [fshoster64.exe]
  TCP    127.0.0.1:44117        Chris-Lenovo:58232     ESTABLISHED
 [fshoster64.exe]
  TCP    127.0.0.1:44117        Chris-Lenovo:58256     ESTABLISHED
 [fshoster64.exe]
  TCP    127.0.0.1:44117        Chris-Lenovo:58257     ESTABLISHED
 [fshoster64.exe]
  TCP    127.0.0.1:44117        Chris-Lenovo:58258     ESTABLISHED
 [fshoster64.exe]
  TCP    127.0.0.1:44117        Chris-Lenovo:58259     ESTABLISHED
 [fshoster64.exe]
  TCP    127.0.0.1:58190        Chris-Lenovo:58191     ESTABLISHED
 [Dropbox.exe]
  TCP    127.0.0.1:58191        Chris-Lenovo:58190     ESTABLISHED
 [Dropbox.exe]
  TCP    127.0.0.1:58210        Chris-Lenovo:58211     ESTABLISHED
 [Dropbox.exe]
  TCP    127.0.0.1:58211        Chris-Lenovo:58210     ESTABLISHED
 [Dropbox.exe]
  TCP    127.0.0.1:58216        Chris-Lenovo:58217     ESTABLISHED
 [Dropbox.exe]
  TCP    127.0.0.1:58217        Chris-Lenovo:58216     ESTABLISHED
 [Dropbox.exe]
  TCP    127.0.0.1:58231        Chris-Lenovo:44117     ESTABLISHED
 [chrome.exe]
  TCP    127.0.0.1:58232        Chris-Lenovo:44117     ESTABLISHED
 [chrome.exe]
  TCP    127.0.0.1:58256        Chris-Lenovo:44117     ESTABLISHED
 [chrome.exe]
  TCP    127.0.0.1:58257        Chris-Lenovo:44117     ESTABLISHED
 [chrome.exe]
  TCP    127.0.0.1:58258        Chris-Lenovo:44117     ESTABLISHED
 [chrome.exe]
  TCP    127.0.0.1:58259        Chris-Lenovo:44117     ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:139    Chris-Lenovo:0         LISTENING
 Can not obtain ownership information
  TCP    192.168.178.234:58170  ec2-34-254-119-56:https  ESTABLISHED
 [fshoster32.exe]
  TCP    192.168.178.234:58187  162.125.65.3:https     CLOSE_WAIT
 [Dropbox.exe]
  TCP    192.168.178.234:58188  162.125.65.3:https     CLOSE_WAIT
 [Dropbox.exe]
  TCP    192.168.178.234:58189  162.125.34.6:https     CLOSE_WAIT
 [Dropbox.exe]
  TCP    192.168.178.234:58195  ec2-54-236-121-227:https  CLOSE_WAIT
 [Dropbox.exe]
  TCP    192.168.178.234:58196  162.125.65.7:https     CLOSE_WAIT
 [Dropbox.exe]
  TCP    192.168.178.234:58197  162.125.65.5:https     CLOSE_WAIT
 [Dropbox.exe]
  TCP    192.168.178.234:58198  162.125.18.133:https   ESTABLISHED
 [Dropbox.exe]
  TCP    192.168.178.234:58214  162.125.18.133:https   ESTABLISHED
 [Dropbox.exe]
  TCP    192.168.178.234:58215  162.125.65.3:https     CLOSE_WAIT
 [Dropbox.exe]
  TCP    192.168.178.234:58223  ams16s31-in-f3:https   ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58226  eg-in-f188:5228        ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58235  ams16s32-in-f14:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58242  ams16s32-in-f14:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58284  ams16s32-in-f14:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58289  108.177.119.157:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58294  151.101.2.110:https    ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58346  ams16s31-in-f3:https   ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58352  151.101.2.114:https    ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58369  a95-100-162-237:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58402  fra02s28-in-f14:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58437  152.199.19.161:https   LAST_ACK
 [SearchUI.exe]
  TCP    192.168.178.234:58449  104.237.191.1:https    ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58455  server-13-32-182-2:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58458  ams15s29-in-f106:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58461  151.101.1.2:https      ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58495  151.101.1.69:https     ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58499  104.16.30.34:https     ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58500  192.0.73.2:https       ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58507  ams16s32-in-f3:https   ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58654  ams16s21-in-f2:http    ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58655  ams16s32-in-f3:https   ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58657  wordpress:https        ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58658  server-13-32-182-222:https  CLOSE_WAIT
 [chrome.exe]
  TCP    192.168.178.234:58660  ec2-50-17-52-222:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58664  192.0.76.3:https       ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58666  server-13-32-211-76:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58667  104.16.207.165:https   ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58669  server-13-32-182-86:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58670  ams16s32-in-f8:http    ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58671  a23-202-229-73:http    ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58680  94:https               ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58682  224:http               ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58683  server-13-32-182-86:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58684  104.17.144.111:https   ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58685  server-13-32-181-87:https  CLOSE_WAIT
 [chrome.exe]
  TCP    192.168.178.234:58686  ams15s40-in-f10:http   ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58687  server-13-32-182-118:https  CLOSE_WAIT
 [chrome.exe]
  TCP    192.168.178.234:58688  224:http               ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58691  224:http               ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58692  224:http               ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58693  224:http               ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58694  224:http               ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58695  224:http               ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58696  104.16.207.165:https   ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58697  server-13-32-181-104:https  CLOSE_WAIT
 [chrome.exe]
  TCP    192.168.178.234:58706  ams16s32-in-f3:https   ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58713  ams16s32-in-f14:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58723  lga25s62-in-f3:https   ESTABLISHED
 [chrome.exe]
  TCP    192.168.178.234:58724  ec2-18-195-44-5:http   ESTABLISHED
 [fsorsp64.exe]
  TCP    192.168.178.234:58725  ec2-18-195-44-5:http   CLOSE_WAIT
 [fsorsp64.exe]
  TCP    192.168.178.234:58726  a23-208-79-207:http    ESTABLISHED
  BITS
 [svchost.exe]
  TCP    192.168.178.234:58727  a-0001:https           ESTABLISHED
 [SearchUI.exe]
  TCP    192.168.178.234:58728  a-0001:https           ESTABLISHED
 [SearchUI.exe]
  TCP    192.168.178.234:58729  65.55.163.80:https     ESTABLISHED
  wlidsvc
 [svchost.exe]
  TCP    192.168.178.234:58730  13.107.18.11:https     ESTABLISHED
 [SearchUI.exe]
  TCP    192.168.178.234:58731  52.97.157.162:https    ESTABLISHED
 [SearchUI.exe]
  TCP    192.168.178.234:58732  13.107.255.104:https   ESTABLISHED
 [SearchUI.exe]
  TCP    192.168.178.234:58733  13.107.255.105:https   ESTABLISHED
 [SearchUI.exe]
  TCP    192.168.178.234:58734  13.107.246.254:https   ESTABLISHED
 [SearchUI.exe]
  TCP    192.168.178.234:58735  204.79.197.222:https   ESTABLISHED
 [SearchUI.exe]
  TCP    192.168.178.234:58736  ec2-54-215-241-186:https  SYN_SENT
 [GDCAgent.exe]
  TCP    192.168.178.234:61419  40.67.255.199:https    ESTABLISHED
  WpnService
 [svchost.exe]
  TCP    [::]:135               Chris-Lenovo:0         LISTENING
  RpcSs
 [svchost.exe]
  TCP    [::]:445               Chris-Lenovo:0         LISTENING
 Can not obtain ownership information
  TCP    [::]:2869              Chris-Lenovo:0         LISTENING
 Can not obtain ownership information
  TCP    [::]:17500             Chris-Lenovo:0         LISTENING
 [Dropbox.exe]
  TCP    [::]:49664             Chris-Lenovo:0         LISTENING
 Can not obtain ownership information
  TCP    [::]:49665             Chris-Lenovo:0         LISTENING
  EventLog
 [svchost.exe]
  TCP    [::]:49666             Chris-Lenovo:0         LISTENING
  Schedule
 [svchost.exe]
  TCP    [::]:49667             Chris-Lenovo:0         LISTENING
 [spoolsv.exe]
  TCP    [::]:49668             Chris-Lenovo:0         LISTENING
 Can not obtain ownership information
  TCP    [::]:49674             Chris-Lenovo:0         LISTENING
 [lsass.exe]
  TCP    [::]:50128             Chris-Lenovo:0         LISTENING
 Can not obtain ownership information
  UDP    0.0.0.0:500            *:*

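One way to work through a `netstat -ba` listing like the one above before asking which entries are suspicious: attach each socket to the process (and, for svchost, the service) that owns it, set aside loopback-only traffic, and collect per owner the ports exposed on real interfaces and the remote peers it talks to. This is an added example, not something posted in the thread; the sample text is a constructed excerpt of the listing above, and `parse_netstat` and `triage` are names chosen here.

```python
import re
# Constructed excerpt modelled on the listing posted above, not the full log.
SAMPLE = """\
  TCP    0.0.0.0:135            Chris-Lenovo:0         LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            Chris-Lenovo:0         LISTENING
 Can not obtain ownership information
  TCP    127.0.0.1:44117        Chris-Lenovo:58231     ESTABLISHED
 [fshoster64.exe]
  TCP    192.168.178.234:58170  ec2-34-254-119-56:https  ESTABLISHED
 [fshoster32.exe]
  TCP    192.168.178.234:58736  ec2-54-215-241-186:https  SYN_SENT
 [GDCAgent.exe]
  UDP    0.0.0.0:500            *:*
"""
# Socket line: proto, local, foreign and (TCP only) state.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """One dict per socket; with -b the owner follows on the next line(s)."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "owner": None, "service": None})
        elif conns and conns[-1]["owner"] is None:
            s = line.strip()
            if s.startswith("[") and s.endswith("]"):
                conns[-1]["owner"] = s[1:-1]          # owning image name
            elif s.startswith("Can not obtain"):
                conns[-1]["owner"] = "UNKNOWN"        # netstat could not attribute it
            elif s:
                conns[-1]["service"] = s              # svchost service name
    return conns

def triage(conns):
    """Per owner: ports exposed beyond loopback, and the remote peers it talks to."""
    report = {}
    for c in conns:
        host = c["local"].rsplit(":", 1)[0]
        if host.startswith("127.") or host == "[::1]":
            continue                                  # never leaves the machine
        entry = report.setdefault(c["owner"] or "UNKNOWN",
                                  {"listening": set(), "remote": set()})
        if c["state"] == "LISTENING" or c["proto"] == "UDP":
            entry["listening"].add(c["local"])
        elif c["remote"] != "*:*":
            entry["remote"].add(c["remote"])
    return report
```

Entries under UNKNOWN are sockets netstat could not attribute (often kernel-owned listeners such as 445); they deserve a look, but are not by themselves a sign of infection, and the loopback pairs between chrome.exe and fshoster64.exe in the listing above are exactly the kind of traffic this filter sets aside.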
