ISRstealer botnet drone


Solved by Maurice Naggar

Hi Everyone, 

I have run into an issue reported by my ISP, which detected that one of my devices has a botnet drone on my network. They can't tell me which device it is on, but I decided to turn off most of my IoT devices and did a factory reset and updates on them. The last device is my main computer, which I use for work and use the most. I ran Malwarebytes scans multiple times but nothing related to a botnet drone has shown up. Attached below are the results from a scan I did this morning that came up clean.

If I could get some help to potentially see if this computer is infected that would be great! 

Thanks! 

2020.08.26_report.txt


Hello.

Let me know what first name / handle you prefer to go by. My name is Maurice.

This Malwarebytes scan report indicates there is no active on-board malware on this Windows system.

Tell me, were you in contact with the ISP by voice telephone? Or else how?

How would the ISP know that anything was amiss on your system?

What precise information did they relay to you? I very much would like to know about all that.

( ISRStealer is said to be a keylogger. )

I would also suggest  you do all the following.

[ 1 ]

Do all the steps in this pinned topic to get, to save, and then run the Farbar FRST reports and attach them here.

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/

 

Then attach the 2 log-reports FRST.txt & Addition.txt

 

[ 2 ]
The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.
The download links & the how-to-run-the-tool instructions are at this link at Microsoft
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Let me know the result of this.
The log is named MSERT.log
The log will be at C:\Windows\debug\msert.log
Please attach that log with your reply.
 


Hi Maurice, 

My name is Wayne. Thanks for replying to my thread.

I got this news from my ISP over the phone. Initially my internet had been suspended and I called my ISP. They told me that there was suspicious activity and that an automated system was tripped by my network for having a botnet drone. I tried to get more information such as the device or how they know, but all they told me is that it is done by an automated system and there is no way for them to pull more specific information other than what the threat entailed.

Sorry for the lack of information. I've attached the files below from the scans. 

Addition.txt msert.log FRST.txt


Hi Wayne, good to have you here & know your name.

I'm just struck by how any ISP would know that your computer has "some thing / some keylogger" when at best they could only know the traffic in & out of the router box.

The quick scan with the Microsoft Safety Scanner finds no virus / no malware. This is just a basic check. Still a good sign.

.

Q: This PC has Avast Antivirus. So, did you do a scan with Avast yesterday? Today? If not, do so at your next chance.

 

Next, temporarily turn off the Avast real-time protection & then do a scan with the ESET Online Scanner tool.

Right-click on the avast! icon in the system tray. Select "avast! shields control" and there will be options to disable avast until the computer is restarted or permanently.

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
 

Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan
 

Look at & tick ( select ) the option "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
 

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
 

You should ignore all prompts to get the ESET antivirus software program ( e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".

Click the blue "Save scan log" to save the log.
If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" ( in blue, at bottom).
Press Continue when all done. You should decline the offer for "periodic scanning".
 

Restart the system when all done.

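The point Maurice makes above is that an ISP can only see the traffic leaving the router, so the matching check on the suspect PC is to look at what is talking out from it. The PowerShell script below is an added example and is not code from this thread or from any of the scanners it mentions: it lists established outbound TCP connections to public addresses together with the owning process, its image path and its Authenticode signature status, then flags the ones a responder would look at first. The private-address regex, the "user-writable location" pattern and the port list are assumptions chosen for illustration. Run it from an elevated PowerShell prompt on Windows 10 so that image paths are readable for every PID.

```powershell
# Added example (not from the forum thread): tie outbound connections on a
# Windows 10 host to the process that owns them. Run elevated. The private
# address ranges, the suspicious-path pattern and the port allow-list are
# assumptions for illustration, not values taken from the thread.

function Test-PrivateAddress {
    param([string]$Ip)
    # RFC1918, loopback, link-local and CGNAT IPv4 ranges plus the common
    # local IPv6 prefixes are treated as "inside the router".
    $v4 = '^(10\.|127\.|169\.254\.|192\.168\.|100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.|172\.(1[6-9]|2\d|3[01])\.)'
    return ($Ip -match $v4) -or ($Ip -eq '::1') -or
           ($Ip -like 'fe80:*') -or ($Ip -like 'fc*') -or ($Ip -like 'fd*')
}

function Get-OutboundConnectionReport {
    Get-NetTCPConnection -State Established |
        Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $path = if ($proc) { $proc.Path } else { $null }
            # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
            $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
            [pscustomobject]@{
                RemoteAddress = $conn.RemoteAddress
                RemotePort    = $conn.RemotePort
                PID           = $conn.OwningProcess
                Process       = if ($proc) { $proc.ProcessName } else { '?' }
                ImagePath     = $path
                Signature     = $sig
            }
        }
}

# Full picture first, so a legitimate updater or sync client is recognised.
$report = Get-OutboundConnectionReport
$report | Sort-Object Process, RemoteAddress | Format-Table -AutoSize

# Then the subset worth a second look: unsigned or tampered images, images
# running from user-writable folders, and connections on non-web ports.
$suspect = $report | Where-Object {
    $_.Signature -ne 'Valid' -or
    $_.ImagePath -match '\\(AppData|Temp|ProgramData|Users\\Public)\\' -or
    $_.RemotePort -notin 80, 443
}
"`nConnections to review:"
$suspect | Sort-Object Process | Format-Table -AutoSize
```

A bot that beacons only every few minutes will not always show an established socket, so run the report a few times, or take the same approach on the router's own connection table, which is the vantage point the ISP's automated system actually sees. A matching PID in the "Connections to review" list is what to feed into the FRST report and the scans that follow.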

Thanks for the ESET scan result, which is most excellent.

Quote

Files scanned: 1419460
Detected files: 0
Cleaned files: 0

Your machine runs on Windows 10. So if you uninstalled Avast antivirus, then the Microsoft Defender Antivirus should be on. You do not need to install a 3rd-party antivirus.

Windows Defender antivirus is built-in with Windows 10 and is a fine antivirus.

Since you have uninstalled Avast, we need to follow up and run the cleanup tool for Avast to ensure no remains are left behind.

Please get, save, & then run the Avast uninstall tool

https://support.avast.com/en-us/article/Uninstall-Antivirus-Utility/

.

Also, you need to remove another antivirus on this machine, the McAfee Security Scan Plus.

Use the standard way to Uninstall.

1. Press & hold the Windows key on the keyboard & then tap the R key to open the Run command.

2. Type

appwiz.cpl

and tap Enter.
The Programs and Features window will appear.

3. Locate McAfee Security Scan Plus and click once to select it, then click the Uninstall button.

Once that is done, exit out of Control Panel.

.

This next procedure is to do a good scan for adware on this system. It will not take a great amount of time.

I would suggest to download, save, and then run Malwarebytes ADWCLEANER.
Please close Chrome and all other open web browsers after you have saved Adwcleaner and before you start the Adwcleaner scan.
Adwcleaner detects factory preinstalled applications too!

Please download  Malwarebytes AdwCleaner https://downloads.malwarebytes.com/file/adwcleaner

 
Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner to start it.
At the prompt for the license agreement, review and then click on I agree.

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimize the other open windows, so you can see Adwcleaner).
Then click on the Dashboard button.
Click the blue button "Scan Now".

Allow it a few minutes to finish the scan. Let it remove what it finds.
NOTE: When it comes to the section "Pre-installed applications", you can skip that.
Please find and send the Adwcleaner "C" clean report.
In Adwcleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean".
Double click that line & it will open in Notepad. Save the file to your system and then attach that with your reply.

That C clean report will be the one with the most recent date and time in the folder C:\AdwCleaner\Logs
Thanks.  Keep me advised.
 


Thanks for the Adwcleaner report. It found & removed one item in the Chrome browser.

Let's go ahead & ensure that Google Chrome is the very latest release version & then let's get it beefed up.

Start the Chrome browser. Click the settings icon at the top right corner & then select Help >>> About Google Chrome.

Let it check for updates. Have patience. It should be at version 85.0.4183.83

.

[ 2 ]

For Chrome, while Chrome is running:
Press & hold the SHIFT+CTRL+Del keys on the keyboard to get the menu for clearing browsing data:

Check mark the line "Browsing history"

Check mark the line "Download history"

Check mark the line "Cached images and files"
and press the Clear Data button ( in blue )

[ 3 ]

After that, make real sure that Chrome is "NOT" set to reload the pages from the last session.

Go into the settings menu of Chrome by first clicking the control icon of Chrome on the upper right of the address bar.

Then look deeper in SETTINGS

[image: screenshot of the Chrome "On startup" settings]

Make real sure it is "NOT" set to "continue where you left off"

.

[ 4 ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

You want to disable the ability of each web browser on this machine to allow "push ads". That means Chrome, Firefox, or the Edge browser (on Windows 10), or Opera.

Scroll down to the tips section "How do I disable them".

[ 5 ]

I suggest you install the Malwarebytes Browser Guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome, open this link in your Chrome browser:

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

[ 6 ]

Next, a one-time special scan.

Please read all of these lines first so that it is all clear to you about our plan. I need a one-time run of MBAR as listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

Double-click on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces; you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
  
 


Solution

Hello. Thank you for the MBAR scan log. The result is most excellent, and it is good to know that you have made Chrome more secure.

Allow me to suggest one other scan.

TrendMicro HouseCall scan

https://www.trendmicro.com/en_us/forHome/products/housecall.html

First, download & save to your Downloads folder the appropriate HouseCallLauncher.

Once the download is complete, go to where the HouseCallLauncher is saved & double-click it to start it.

The program will check with TrendMicro & do an update run.

 

Next it will show the Disclosure window.

Click Next to proceed.

 

The end user license agreement is presented. Click the Accept radio button & click Next to proceed.

 

IF you wish a Full scan or a Custom scan, first click on Settings;

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

 

The scan progress will then be displayed. Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list showing the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action and select Ignore.

When all done & ready, click the Fix now button.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you
