flashpointsumone

I Think I was infected by a spyware


Hi everyone, I have been reading a lot on this forum this past week. I own a business, and with business comes professional rivalry. A friend of mine gained my trust and visited my office. Unfortunately, at the time my laptop was on and unlocked, and when I went to the restroom he installed Radmin along with some possible spyware. Since its appearance in my Start menu, I have formatted all my drives and installed the Windows OS from a USB stick, but the ISO was made from the infected laptop, and a backup of my files was also created using the same USB drive.

The reason I believe that he might have installed rootkit-based spyware is that he has a couple of cousins who are into system security at an IT firm, and post-installation they were talking about IP attacks and custom code to gain access (I assumed this is directed towards kernels via firmware or BIOS; sorry if I sound naive, but I have limited knowledge of computers as it isn't my field). Since then I have performed multiple scans, but none of the AVs have caught anything. The strange thing is, files from my Steam library vanished after the attack, about 18.7 GB! And now, yesterday, again after the HDD wipe and reinstall, a few files went missing, about 300 KB. While this might not be related, I just want to be sure.

The "friend" in question also shared a snapshot of his PC that was apparently hacked, along with a location pin. So I believe that this spyware might be transmitting my location every time it connects to the internet. So I need help. I went here first: https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/ and installed FRST, and I am attaching the logs here as instructed. Kindly advise.

Attachments: Addition.txt, FRST.txt

AdvanceSetup

Hello @flashpointsumone

What is this file?
D:\Downloads\dpcsnlbm.exe

Why do you have an ESET antivirus driver failing to load when the logs don't show that ESET is installed?

Do you have / own your own network router?

You have quite a few tasks without a file path listed, which is a bit odd, especially since Windows was installed 3 days ago.

ATTENTION: System Restore is disabled (Total:118.61 GB) (Free:58.16 GB) (49%)

If you're concerned about infection, then I wouldn't be installing music and game software until you know for sure your system and data are secured. These are not exactly business-related software packages.

Spotify
Steam

Overall I'm not too concerned with what is shown in the logs, but the tasks seem the most odd to me without knowing their history, what they are, and why their path is not shown.

You're using Controlled Folder Access from Windows Defender, which is okay, but it can have some complications when certain things are blocked that should not be blocked.

You also have what appears to be the Ring of Elysium game from Steam that is blocked. Again, I would highly recommend removal of all non-essential software until you've confirmed this new installation of Windows is safe and secure.

Code Integrity determined that a process (\Device\HarddiskVolume6\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe) attempted to load \Device\HarddiskVolume6\ProgramData\A-Volute\A-Volute.Nahimic\Modules\Scheduled\x64\NahimicOSD.dll that did not meet the Store signing level requirements.

I await your reply on a couple of the questions above.

I would like you to temporarily disable Controlled Folder Access. Install Malwarebytes, do a Threat Scan, and post back that log please.

flashpointsumone

Hi @AdvanceSetup, thank you for taking the time to look at those logs.

dpcsnlbm.exe is GMER.

I was reading about rootkit infections here and ran a few scans after the new install. The ESET online scan was run while Windows Defender real-time scanning was disabled. Maybe this has something to do with the driver failing to load?

I do have my own network router; it is a home/office connection. I have reset it and changed the SSID, user name and password by logging into it. I have also turned its firewall on.

I have a backup of all the data on another desktop PC which isn't connected to the network currently. I had the restore point enabled before I wiped my HDD, but did a clean install anyway.

I opened GMER (because I forgot its name) and the initial scan ran just now and flagged Steam as being modified and potentially modified by a rootkit (I had uninstalled Steam just before opening GMER). On another note, the last full scans on GMER were unsuccessful, as GMER simply quit mid-scan, and I had a BSOD while I was running it in safe mode. I read about it a bit and came to understand that it might be its own drivers and that it is difficult to get it running (sorry if I tried to self-diagnose the issue).

I never owned or downloaded the Ring of Elysium game from Steam; funny it even showed up! I might have accidentally visited its store page via Steam before the scan, but never tried to install it. This is my laptop and I do (did) have some games along with my work. I work on the go as I shuffle between two cities, but always connect to a known router and never any public Wi-Fi.

Now it seems to me that playing games on a work laptop isn't such a good idea! I have uninstalled Spotify, Steam and its games, and Nahimic too, which is audio booster software that worked in tandem with the MSI audio driver.

I had enabled Controlled Folder Access after the suspected infection. I will disable it now and run a Threat Scan. Will post the logs next.

AdvanceSetup

Yes, GMER is a powerful tool, but due to how it operates it can be very problematic on some hardware and can produce false positives.

Again, the biggest issue I'm seeing is the Tasks without paths.

Please restart the computer one more time since you've done those other removals. Then run FRST again, make sure you get both new logs, and attach them to your next reply; we'll run some other checks based on those logs.

 

 

flashpointsumone

Thank you, I updated MB and ran it again. It had already removed the above file from quarantine and restored it. I forgot to mention that I am blocking inbound and outbound for port 4889, used by Radmin, and port 3389, used by Microsoft Remote Desktop, and inbound for port 443. Ports 443 and 3389 were open when I checked them here: https://www.yougetsignal.com/tools/open-ports/

Proton VPN was running at the time; I am not sure if it had anything to do with the open ports. Should I remove all the rules set in Defender and run FRST?

Attached is the MB report after the update.

Attachment: MB threat scan log 200211.txt
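The check the poster describes (blocking ports in Windows Defender Firewall and then testing them from an external web site) is easier to reason about from the laptop itself. The PowerShell script below is an added example, not part of the original thread and not Malwarebytes or FRST tooling. It lists what is actually listening on a set of local TCP ports, which process (and which services, for svchost.exe) owns each listener, and which firewall rules reference those ports. The port list is a parameter: it takes the ports named in the post (443, 3389 and 4889) plus 4899, which is Radmin Server's documented default port, so the reader can check whichever one their installation used. It assumes the NetTCPIP and NetSecurity PowerShell modules (Windows 8 / Server 2012 and later) and an elevated prompt.

```powershell
# Added example: local listeners, their owning processes, and the firewall
# rules that reference a set of TCP ports. Run from an elevated prompt; needs
# the NetTCPIP and NetSecurity modules (Windows 8 / Server 2012 and later).

function Get-ListeningEndpoint {
    [CmdletBinding()]
    param([int[]]$Port)

    $listeners = Get-NetTCPConnection -State Listen
    if ($Port) { $listeners = $listeners | Where-Object { $Port -contains $_.LocalPort } }

    foreach ($conn in $listeners) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        # Services hosted in svchost.exe share one PID; name the services behind it.
        $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($conn.OwningProcess)"
        [pscustomobject]@{
            LocalAddress = $conn.LocalAddress   # 0.0.0.0 or :: means every interface, VPN adapter included
            LocalPort    = $conn.LocalPort
            PID          = $conn.OwningProcess
            Process      = $proc.ProcessName
            Path         = $proc.Path           # $null for protected and system processes
            Services     = (@($svc.Name) -join ',')
        }
    }
}

function Get-PortFirewallRule {
    [CmdletBinding()]
    param([int[]]$Port)

    # Port criteria live on the rule's port filter, not on the rule object itself.
    Get-NetFirewallPortFilter -Protocol TCP | Where-Object {
        # LocalPort is 'Any', a number, a range such as '4000-4100', a keyword such
        # as 'RPC', or an array of those; only numeric entries are compared.
        foreach ($entry in @($_.LocalPort)) {
            if ($entry -eq 'Any') { return $true }
            if ($entry -match '^(\d+)-(\d+)$') {
                $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
                if ($Port | Where-Object { $_ -ge $lo -and $_ -le $hi }) { return $true }
            }
            elseif ($entry -match '^\d+$' -and $Port -contains [int]$entry) { return $true }
        }
        return $false
    } | ForEach-Object {
        $rule = $_ | Get-NetFirewallRule
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Enabled   = $rule.Enabled
            Direction = $rule.Direction
            Action    = $rule.Action
            Profile   = $rule.Profile
            LocalPort = (@($_.LocalPort) -join ',')
        }
    }
}

# 443, 3389 and 4889 are the ports named in the post; 4899 is Radmin Server's default.
$ports = 443, 3389, 4889, 4899
Get-ListeningEndpoint -Port $ports | Format-Table -AutoSize
Get-PortFirewallRule  -Port $ports | Sort-Object Direction, Action | Format-Table -AutoSize
```

An external open-port tester reports on the public IP address the request arrives from. With a VPN connected, that is the VPN exit server's address, so "open" there describes the provider's server, not the laptop; the listener table above is the authoritative view of the machine. A firewall block rule on 3389 is also no substitute for having no RDP listener at all: if nothing on the laptop owns the port, there is nothing to reach.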

AdvanceSetup

When using a VPN you're accessing their network system to originate the call. So depending on what you do, it may be a resource on the VPN server that they simply forward back to you or possibly discard. It would take a lot more work to analyze all that is happening, which is beyond the scope of malware removal here.

You will need to manually open Task Scheduler and review them. There may be nothing wrong with them, but you need to check yourself and see what they do.

Let's go ahead and enable your System Restore and then create a new Restore Point.

ATTENTION: System Restore is disabled (Total:118.61 GB) (Free:68.59 GB) (58%)

https://www.thewindowsclub.com/system-restore-disabled-turn-on-system-restore-windows

The fix below will check and verify that the operating system files are valid, and will also do a disk check, clean up temp files and reset your network. Once done, you may want to review any network settings you want to use that are not default.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version, please download and run the updated version.

Attachment: fixlist.txt

Thanks
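Both this reply and the later one ("manually check your Scheduled Tasks") ask the poster to review the tasks that FRST listed without a file path, which by hand means opening each task's Actions tab in Task Scheduler one at a time. The PowerShell script below is an added example, not the helper's instructions and not part of the FRST fix. It walks every scheduled task and reports actions that carry no program path at all (in Task Scheduler that normally means a COM handler action, which runs the in-process COM server registered for a CLSID rather than an executable), targets that no longer exist on disk, targets whose Authenticode signature is not valid, and validly signed targets living outside Windows or Program Files. Anything that is present, validly signed and in an expected location is treated as ordinary and omitted. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later) and an elevated prompt; no task names from the poster's logs are assumed.

```powershell
# Added example: find scheduled tasks that deserve a manual look.
# Run from an elevated PowerShell prompt; needs the ScheduledTasks module
# (Windows 8 / Server 2012 and later). No task names from the thread are assumed.

function Get-SuspiciousScheduledTask {
    [CmdletBinding()]
    param()

    # Locations where a validly signed binary is unremarkable.
    $trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $sig  = $null
            $kind = $action.CimClass.CimClassName   # MSFT_TaskExecAction, MSFT_TaskComHandlerAction, ...

            if ($kind -ne 'MSFT_TaskExecAction') {
                # No program path exists for these; a COM handler runs the in-process
                # server registered under HKCR\CLSID\<ClassId>\InprocServer32.
                $reason    = "No file path ($kind)"
                $execute   = $action.ClassId
                $arguments = $action.Data
            }
            else {
                $execute   = $action.Execute
                $arguments = $action.Arguments
                if ([string]::IsNullOrWhiteSpace($execute)) {
                    $reason = 'Exec action with empty program'
                }
                else {
                    # Expand %SystemRoot%-style variables and drop surrounding quotes.
                    $resolved = [Environment]::ExpandEnvironmentVariables($execute.Trim('"'))
                    # Bare names such as "cmd.exe" or "powershell" resolve through PATH.
                    if (-not [IO.Path]::IsPathRooted($resolved)) {
                        $cmd = Get-Command $resolved -ErrorAction SilentlyContinue | Select-Object -First 1
                        if ($cmd -and $cmd.Source) { $resolved = $cmd.Source }
                    }
                    if (-not (Test-Path -LiteralPath $resolved -PathType Leaf)) {
                        $reason = "Target not found: $resolved"
                    }
                    else {
                        $sig = Get-AuthenticodeSignature -FilePath $resolved
                        if ($sig.Status -ne 'Valid') {
                            $reason = "Signature $($sig.Status): $resolved"
                        }
                        elseif (-not ($trusted | Where-Object { $resolved -like $_ })) {
                            $reason = "Signed, but outside Windows/Program Files: $resolved"
                        }
                        else {
                            continue   # present, validly signed, expected location: not reported
                        }
                    }
                }
            }

            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Reason    = $reason
                Execute   = $execute
                Arguments = $arguments
                Signer    = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

Get-SuspiciousScheduledTask | Sort-Object Reason, Task | Format-Table -AutoSize -Wrap
```

Read the Arguments column as carefully as the Execute column: powershell.exe, wscript.exe, rundll32.exe and mshta.exe all carry valid Microsoft signatures, so a task that runs one of them with a script or DLL elsewhere on disk passes the signature check above and is only exposed by what it is told to run, which this script reports but does not judge. For a COM handler row, look up the reported ClassId under HKEY_CLASSES_ROOT\CLSID\{ClassId}\InprocServer32 to find the DLL that actually executes, and apply the same "present, signed, expected location" questions to that file.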

 

flashpointsumone

I started using the VPN only after the suspected malware. Anyway, what do I have to check manually? The tasks without paths or the ports opening up because of the VPN?

I did what you asked, and attached is the log.

Attachment: Fixlog.txt

AdvanceSetup

I meant you'd need to manually check your Scheduled Tasks; you can access that in the Control Panel.

The log looks good:

Windows Resource Protection did not find any integrity violations.

All seems okay with the system. Unless there is something else you need, we should be about done here. I'll leave you with some other information to help better protect your privacy and your data.

 

 

If you're not backing up your data and you're still using Google Chrome, then you're just not serious about privacy, safety, and protecting your data. Malwarebytes is a fantastic program, but you still need to back up your data and you still need to block scripts and ads in your browser.
If you're still using Google Chrome, I would highly suggest you consider using Firefox instead. For more advanced users, you might consider installing NoScript as well (it does have a higher learning curve though).

PrivacyTools - Encryption, and tools to protect against global mass surveillance - https://www.privacytools.io

Help Secure your browsers
 
You may be interested in using our new Malwarebytes Browser Guard to help protect your browser from items that uBlock or others don't target.

Please install uBlock Origin for your browsers to better protect your system.

Firefox | Chrome | Opera | Safari | Microsoft Edge
AdBlock Plus for Internet Explorer

How to use uBlock Origin to protect your online privacy and security | uBlock Origin tutorial 2018
This video tutorial explains how to use uBlock Origin in advanced user mode and all of its advanced settings to protect your online privacy and help prevent unwanted sites from changing your browser settings.

Delete Cookies Automatically

Cookie AutoDelete plugin
Chrome  | Firefox 

Browser push notifications: a feature asking to be abused
HTTPS Everywhere
NOTHING TO HIDE documentary

Review your email and Office choices

Quit Gmail for free encrypted email - Tutanota
Why ProtonMail Is More Secure Than Gmail
LibreOffice - Free and open source office suite

Use Password Management software

Bitwarden
KeePass Password Safe

Make sure you use a strong master password
Then set the key transformation settings (the link below helps provide information on how to choose good settings)
https://pthree.org/2016/06/29/further-investigation-into-scrypt-and-argon2-password-hashing
KeePass Password Manager: Full Detailed Setup (good YouTube video on setup and using Keepass but choose the Argon2 method for Key transformation)

Encrypted Instant Messenger and Voice Calls

Please review the following site for a breakdown of features of different Messenger applications.

SafeSwiss
Riot
Signal
Wire
NOTE: Recent news of Wire having new investors and moving to the United States.
Wickr Me

Follow-up Reading

Everything you need to know about cybercrime
10 easy ways to prevent malware infection 
Keep your data backed up

Thank you for choosing Malwarebytes as your preferred security protection software and tell your friends and family too. We're here to help.


 

 

flashpointsumone

Thank you for taking so much time to respond and sort out this issue, for writing the custom fix and looking through all the logs. I don't have anything else to be worried about; I am assuming that this means my PC is free of spyware or malware, and that I don't need to flash the BIOS and firmware. I will go through all the links and secure my privacy. Hats off to you guys for genuinely fighting against malware and spyware. I really cannot thank you enough! After Radmin was installed I was wondering if this laptop was fit to be used for work; now I can really sleep in peace.

AdvanceSetup

Great, glad it all worked out well, and good to see the Tasks are all known as well.

Take care and have a great week.

It was my pleasure helping you with your concerns.

 

 
