sheepdisease

Amazon Vouchers Purchased Without Consent, do I have a Rootkit?


Hello there, I am very savvy when it comes to not getting caught out by phishing scams and any attempts to get me to provide sensitive information of bogus websites.

That being said, somehow someone ordered two £100.00 Amazon Vouchers without my consent and not using my laptop this month. I know it is true because when I log into amazon.co.uk it shows as an order.

I have contacted Amazon to inform them about it but it has left me wondering how this is even possible. I have two step authentication set up, so even if they knew my password from one of the many breaches which seem to happen all the time with websites being hacked, how did they get in? Even when I try to login, it usually asks me to verify using my phone.

That makes me wonder if there is actually something on my system that I should be concerned about.

I am using Bitdefender Total Security 2019 (fully up-to-date), which has detected nothing malicious during a thorough scan of everything (it took over 15 hours).

I ran GMER 2.2.19882 and couldn't see anything obvious, could someone else please cast their eye over this?

Needless to say, in the mean time I have changed my password.

rootkit.log


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Let's see what we can find.

Please download Malwarebytes Anti-Malware from here
 

  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to check mark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.


Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Malwarebytes to your Desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.

IMPORTANT

  • If you click the Clean button all items listed in the report will be removed.

If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).


===

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file:
In the Reply section at the bottom of the topic, click Choose a File.
Navigate to the location of the file.
Click the file. It will appear in the section.
Click the Saving button.

Wait for further instructions
====


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 


Hi,

ATTENTION: System Restore is disabled
Turn System Restore ON for Drives in Windows 10 - Immediately.
https://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
<<<>>>

Delete this entry reported by the AdwCleaner tool.
C:\Users\Hill\AppData\Roaming\AdvertismentImages
===

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

 

fixlist.txt
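The moderator's first instruction above is to turn System Restore back on before any fix is applied. As an added example (not part of this thread, and not the tutorial at the linked URL), the same check can be done from an elevated PowerShell session; it assumes the protected drive is C:, reads the RPSessionInterval flag under the SystemRestore registry key as the enabled/disabled signal (assumed semantics: 0 means disabled), and uses a constructed description for the baseline restore point.

```powershell
# Added example (not from the thread): confirm System Restore is on for C:,
# take a baseline restore point before running any fix, and list the result.
# Requires an elevated PowerShell session (Run as administrator).
$drive = "C:\"   # assumption: the system drive to protect

# RPSessionInterval is the flag System Restore maintains under its own key:
# 0 = disabled, non-zero = enabled (assumed value semantics).
$srKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
$state = (Get-ItemProperty -Path $srKey -Name RPSessionInterval -ErrorAction SilentlyContinue).RPSessionInterval
if (-not $state) {
    Write-Warning "System Restore is disabled; enabling it on $drive"
    Enable-ComputerRestore -Drive $drive    # idempotent: harmless if already on
} else {
    Write-Host "System Restore is already enabled."
}

# Baseline before cleanup (FRST Fixlist, AdwCleaner Clean). By default Windows
# skips creation if a point was already made in the last 24 hours, so verify
# with the listing below rather than trusting the call alone.
Checkpoint-Computer -Description "Pre-cleanup baseline (constructed label)" `
                    -RestorePointType MODIFY_SETTINGS

# Show existing points, newest first, converting the WMI DMTF timestamp.
Get-ComputerRestorePoint |
    Sort-Object -Property SequenceNumber -Descending |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = "Created"; Expression = { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize
```

Restore points for a volume are kept in that volume's own System Volume Information folder, which is why the later question about saving them to a different partition is answered by the linked Microsoft thread rather than by a drive setting here.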


Thanks for your reply. I have attached the results of your instructions.

 

Can you please tell me what this is?

C:\Users\Hill\AppData\Roaming\AdvertismentImages

Also, I have a partition set up for backups. Can I tell Windows where to store the backup for the C:\ drive to another partition?

Fixlog.txt

Quote

Can you please tell me what this is?

C:\Users\Hill\AppData\Roaming\AdvertismentImages

If you Google this string "AppData\Roaming\AdvertismentImages" with the quotes, you will find out that most if not all delete it with the AdwCleaner tool.

If there are files in the folder then have a look at them and Google the names and find out what they are for.

===

Do you mean to back up your C: drive or just some files?
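The advice above is to look at the files in the flagged folder and look their names up before they are removed. As an added example (not part of the thread), here is how to inventory such a folder from PowerShell without opening anything in it: names, sizes, timestamps, SHA-256 hashes and Authenticode status, plus a check of the per-user Run keys for anything referencing the folder. It assumes the folder path AdwCleaner reported in this thread; the CSV output location is a constructed placeholder.

```powershell
# Added example (not from the thread): inventory a suspicious per-user folder
# before it is deleted, so the file names and hashes can be researched later.
# Assumptions: folder path as flagged in this thread; report path is a placeholder.
$target = Join-Path $env:APPDATA "AdvertismentImages"
$report = Join-Path $env:USERPROFILE "Desktop\AdvertismentImages-inventory.csv"

if (-not (Test-Path -LiteralPath $target)) {
    Write-Host "Folder not present: $target"
    return
}

# Enumerate everything, including hidden/system files, without executing any of it.
$inventory = Get-ChildItem -LiteralPath $target -Recurse -Force -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
    [pscustomobject]@{
        Path      = $_.FullName
        SizeBytes = $_.Length
        Created   = $_.CreationTime
        LastWrite = $_.LastWriteTime
        SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Signature = $sig.Status                    # NotSigned, Valid, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject # $null when unsigned
    }
}

$inventory | Format-Table -AutoSize
$inventory | Export-Csv -LiteralPath $report -NoTypeInformation -Encoding UTF8
Write-Host "Inventory written to $report"

# A folder that keeps coming back is worth checking against the usual per-user
# autostart locations; a hit here explains re-creation better than browser sync.
$runKeys = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
           "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -like "*AdvertismentImages*" } |
            ForEach-Object { Write-Warning "$key\$($_.Name) -> $($_.Value)" }
    }
}
```

Hashes rather than file names are what to search for or submit to a scanner, since names in adware drop folders are often randomised while the binaries are reused.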


I did look up that folder and saw that the tool always deleted it but nothing explained why. I don't have the files any more to check them out.

I mean the restore points that you asked me to enable. I want them to be saved to a different partition.


Hi,

Read this post and proceed as you wish.

https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings/create-system-restore-on-different-drive/fa4c07f9-2c2b-4f7e-bc9d-a4750dd09657
===

If C:\Users\Hill\AppData\Roaming\AdvertismentImages is still being reported, it may be because you are using the Sync function with the browser and other devices.

Your log shows that you used Opera so check this out.

Opera synchronized between my devices.
http://help.opera.com/opera/Windows/2393/en/sync.html

Hope that helps.


If all is well it should be.

For your peace of mind run this scan.

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.

  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.



Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please post the contents of the log in your next reply and note any errors encountered.
===


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
