cvan

I think I have a malware that is sending out my internet traffic

Hi, in the last two weeks two of my accounts have been hacked, and I strongly believe it is because of a link that I inadvertently clicked in an email around a month back. It probably installed malware that is sending out my internet traffic or keypresses.

Here is the link: http:--centraleq.net?8KVE6=GDYLALD0mURPH*CAZTQYCQi

Any idea whether that is the issue or something else? It is very odd that 2 of my primary accounts got hacked within a 2-week period with wildly differing login IDs and passwords.

Last night I installed the latest Malwarebytes, ran a scan and quarantined everything. I am not sure whether whatever it is is gone or not. I have attached the report.

mb.txt

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32- or 64-bit version for your system and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Wait for further instructions
===

Check if the password(s) have been hacked.
https://haveibeenpwned.com/Passwords
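
How the Pwned Passwords check linked above works, as an added example that is not part of the thread: the site's range API (https://api.pwnedpasswords.com/range/<prefix>) accepts only the first five hex characters of the password's SHA-1, so the full hash never leaves your machine; the response lists every suffix sharing that prefix with its breach count, and the match is done locally. The sample response body in the script is constructed for the example (the counts are illustrative), and the -Live switch makes the real request.

```powershell
# Added example (not from the thread): check a password against Pwned Passwords
# using the k-anonymity range API. Only the 5-character SHA-1 prefix is ever sent.

function Get-Sha1Parts {
    param([Parameter(Mandatory)][string]$Password)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
        $hex   = ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join ''
    } finally { $sha1.Dispose() }
    [pscustomobject]@{ Prefix = $hex.Substring(0, 5); Suffix = $hex.Substring(5) }
}

function Find-SuffixCount {
    # Range responses are lines of "<35-hex-suffix>:<count>"; return 0 when absent.
    param([Parameter(Mandatory)][string]$Suffix, [Parameter(Mandatory)][string]$RangeBody)
    foreach ($line in ($RangeBody -split "`r?`n")) {
        $parts = $line.Trim() -split ':'
        if ($parts.Count -eq 2 -and $parts[0] -eq $Suffix) { return [int]$parts[1] }
    }
    return 0
}

function Test-PwnedPassword {
    param([Parameter(Mandatory)][string]$Password, [switch]$Live)
    $h = Get-Sha1Parts -Password $Password
    if ($Live) {
        # 'Add-Padding' makes every response roughly the same size, so an observer
        # on the wire cannot infer the prefix from the response length.
        $body = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$($h.Prefix)" `
                                  -Headers @{ 'Add-Padding' = 'true' }
    } else {
        # Constructed sample of what the API returns for prefix 5BAA6 (counts are illustrative).
        $body = @"
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E5F1C8F1DC2D1B6E2F9A70A1C0E34D21AA:1
"@
    }
    $count = Find-SuffixCount -Suffix $h.Suffix -RangeBody $body
    [pscustomobject]@{ Prefix = $h.Prefix; Pwned = ($count -gt 0); Count = $count }
}

# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so this hits the sample.
Test-PwnedPassword -Password 'password'
# Test-PwnedPassword -Password 'password' -Live   # real query: sends only "5BAA6"
```

Because the comparison of the 35-character suffix happens on your side, the service learns nothing beyond a prefix shared by hundreds of other hashes; that is what makes it safe to check a live password this way, whereas pasting the password itself into a web form would not be.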

Hi,

No suspicious items or malware were found in your logs.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome...
Open Google Chrome and click the menu icon (the 3 vertical dots at the top right of the Google Chrome window).
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset and clean up" > "Restore settings to their original defaults"
 
Restart Chrome.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt

Hi,

Really appreciate your help.

1. I had to restore my system to a point 24 hours back, so I ran the FRST scan again and then the fix. Attached all 3 files.

2. I am really worried about the link that I clicked, mentioned in my original post. Can you please comment on what it actually does?

3. Also, I attached the Malwarebytes log in my original post after the quarantine. Can you please comment on whether any critical malware was detected or not?

Thanks

Fixlog.txt

Addition.txt

FRST.txt

Hi,

All the entries deleted by the Malwarebytes scan were bad, mostly adware.

===

I have no way of knowing what the compromised message may have done.

I'm working on what I find on the computer that is not required.
===

Download the attached fixlist.txt and run it as previously suggested.

Nothing malicious was found so you should be good.

fixlist.txt

Edited by nasdaq

Quote:

I have no way of knowing what the compromised message may have done.

I'm working on what I find on the computer that is not required.

Thank you. Please let me know what you find.

I will run the fixlist too.

Yes to clean what was restored.

I am having a weird problem. FRST has gone into an infinite "new update found. please wait..." loop! It just keeps updating itself (I have downloaded it again). Please help!

I just did, but still the same problem.

Hi,

Run the Farbar program and scan the computer.

This will give me some logs to look at.

Post the FRST.TXT and Addition.txt log created by the program.

As I mentioned multiple times I am not able to get out of the loop of the program updating itself again and again. It goes into "new update found. please wait..." and it keeps updating itself before I can hit scan or fix.

Hi,

Stop the process and restart the computer in Safe Mode.

The tool should run in that mode.

Post the logs for my review.

Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Can you now run the Farbar program in Normal Mode and post the logs?

fixlist.txt

Edited by nasdaq

I am sorry, I am still unable to run the program in normal mode. I will run the fixlist in safe mode and post the logs.

BTW, any update on the link that I posted in the original post please?

Hi,

centraleq.net is not active.
Do you still get notifications?
===

Let's check your registry.

Download the SystemLook version appropriate for your system.

SystemLook (32-Bit Version) or SystemLook (64-Bit Version)

  • Double-click SystemLook.exe (or SystemLook_x64.exe) to run it.
  • Copy and paste the following text into the main text field:
    :regfind
    centraleq.net
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: the log can also be found on your Desktop as SystemLook.txt.


===

--RogueKiller--

  • Download RogueKiller and save it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click to open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.


=======
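
The SystemLook :regfind step above searches the registry for a literal string. The same check can be done from PowerShell, as an added example that is not from the thread: it walks the roots listed in $roots (an assumption; adjust as needed), reports key names, value names and value data containing the pattern, and can take several minutes over a large HKLM\SOFTWARE. Run it from an elevated prompt so ACL-restricted keys are not silently skipped.

```powershell
# Added example (not from the thread): PowerShell equivalent of SystemLook ":regfind".
# Assumption: the roots below are where browser hijackers and adware usually persist.
param([string]$Pattern = 'centraleq.net')

$roots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\SOFTWARE')

function Find-RegistryString {
    param([string]$Pattern, [string[]]$Roots)
    # -like treats [ ] ? * as wildcards, so escape the pattern to match it literally.
    $like = '*' + [System.Management.Automation.WildcardPattern]::Escape($Pattern) + '*'
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -like $like) {
                [pscustomobject]@{ Key = $key.Name; ValueName = '<key name>'; Data = '' }
            }
            foreach ($name in $key.GetValueNames()) {
                $data = "$($key.GetValue($name))"   # binary/multi-string values flatten to text
                if ($name -like $like -or $data -like $like) {
                    [pscustomobject]@{ Key = $key.Name; ValueName = $name; Data = $data }
                }
            }
        }
    }
}

$hits = @(Find-RegistryString -Pattern $Pattern -Roots $roots)
if ($hits.Count -eq 0) { "No registry key, value name or value data contains '$Pattern'." }
else { $hits | Format-Table -AutoSize -Wrap }
```

A hit under Run, RunOnce, Winlogon, Services, or a browser's Extensions key is the kind of persistence the thread is looking for; a hit only inside Chrome's cached site data or the TypedURLs history list just records that the URL was visited.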

SystemLook: It never generated a log. However, I explicitly searched for centraleq.net in regedit and could not find any.

RogueKiller: This is also not generating txt report. Whatever file name I give, it says "File not found. Check the file name and try again...". If I create a blank file and choose that then it says "Unable to export text report". Anyway, I have attached the screenshots of whatever the scan found.

RR.docx

Hi,

Repair these services.

Boot into Safe Mode with Networking and execute the following.

Please download Tweaking.com - Windows Repair from here

  • Install and then run the program.
  • Follow the instructions in Step 1 (Important).
  • Click Next on Step 2 (Optional), do the Pre-Scan, and skip Steps 3 and 4 (Optional) for now.
  • On Step 5 (Backup / System Restore) do a registry backup. When you have completed this, click Next.
  • Click Repairs - Open Repairs in the bottom right corner.
  • Uncheck the "All Repairs" button, then select just the items listed below:
    01 - Repair Registry Permissions
    03 - Reset Service Permissions
    04 - Register System Files
    05 - Repair WMI
    10 - Remove Policies Set By Infections
    16 - Repair Windows Updates
    20 - Repair MSI (Windows Installer)
    25 - Restore Important Windows Services
    26 - Set Windows Services to Default Startup
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad and save it on your Desktop. (Reboot if asked to do so.)
  • Please copy and paste the contents of this file in your next reply.


===

Restart the computer normally.
---

Can you run RogueKiller and post the log as a text file?
If anything is reported, please delete everything.
If required, the default setting will be used.

How is the computer running now?

Attached.

Some new information. 

1. Malwarebytes just blocked the website (centraeq.net) from my laptop as a Trojan! Report attached. I just searched for "centraeq.net" in Google and apparently that itself caused MB to throw that alert. Or, I managed to infect my computer again somehow 😟

2. I ran an analysis on the URL that I mentioned in my original post at hybrid-analysis.com. Here is the link to the report:

https://www.hybrid-analysis.com/sample/290a26f31d2910af2372638beff8a609d75d0654c27c888a5c0fa3fc9225437f/5c7f6834028838ba7582059d

There is also a similar url that was analyzed by the same site:

https://www.hybrid-analysis.com/sample/7a5c1a353a355cca3370d92dbbb7dce107faee6b53158f3d833c68f81b45547d?environmentId=100

Question is, do I still have the trojan in my system or not? 


Repair_MSI_Windows_Installer.txt Repair_Windows_Updates.txt Repair_WMI.txt _Windows_Repair_Log.txt HKLM_Restore_Default_Permissions_Error_Log.txt RR.txt trjn.txt

Hi,

Again I went to centraleq.net. That site is for sale at GoDaddy.

To stop any activity from that intrusion I would add this line to my hosts file.

0.0.0.0 centraleq.net

Learn about the HOSTS file (no extension)
What it does ...
http://winhelp2002.mvps.org/hosts.htm

If you decide to use it please read and follow the directives on the page.

You will need to add the line 0.0.0.0 centraleq.net as suggested above.

Unless you have other issues, your computer is clean.
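
Adding the line above by hand works, but it is easy to end up with a duplicate entry, a missing trailing newline, or a "hosts.txt" file that Windows ignores. The following PowerShell, an added example not taken from the thread or the linked page, appends a 0.0.0.0 entry only when an active one is not already present and then asks the resolver what it now returns. Assumptions: it runs from an elevated session (the file is ACL-protected), and it also blocks www.centraleq.net, which the thread does not mention.

```powershell
# Added example (not from the thread): sinkhole centraleq.net through the HOSTS file
# without duplicating an entry, then confirm the resolver honours it.
# Assumptions: run as Administrator; the 'www.' host is blocked as well.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Domains   = @('centraleq.net', 'www.centraleq.net')

$raw = [System.IO.File]::ReadAllText($HostsPath)
foreach ($d in $Domains) {
    # An active (uncommented) line that already sinkholes exactly this host name.
    $pattern = '(?m)^[ \t]*(0\.0\.0\.0|127\.0\.0\.1)[ \t]+' + [regex]::Escape($d) + '[ \t]*(#.*)?\r?$'
    if ($raw -match $pattern) {
        Write-Host "already present: $d"
        continue
    }
    # Keep the entry on its own line even if the file lacks a trailing newline.
    $sep  = if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) { "`r`n" } else { '' }
    $line = "0.0.0.0 $d"
    [System.IO.File]::AppendAllText($HostsPath, "$sep$line`r`n", [System.Text.Encoding]::ASCII)
    $raw += "$sep$line`r`n"
    Write-Host "added: $line"
}

# Flush the resolver cache, then check what the stack now answers for each name.
ipconfig /flushdns | Out-Null
foreach ($d in $Domains) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($d) | ForEach-Object { $_.IPAddressToString }
    } catch { $ips = @() }
    if ($ips -contains '0.0.0.0') { Write-Host "blocked: $d -> 0.0.0.0" }
    else { Write-Warning "$d resolves to '$($ips -join ', ')'; the HOSTS edit is not in effect" }
}
```

0.0.0.0 is preferred over 127.0.0.1 because a blocked connection then fails immediately instead of being handed to whatever happens to listen on loopback. If the verification still shows a public address, check that the file is named hosts with no extension, that the new line was not glued onto the previous one, and that no other entry for the same name precedes it.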

Thank you. I have not run the FRST in fix mode yet. Do you still want me to run that?

Hi,

Is the problem solved?

If not run the Farbar program and post the FRST.TXT and addition.txt for my review.
