thattalla, posted December 10, 2020 (ID:1426396)

I am currently dealing with what I believe to be a persistent RAT issue that scans are not detecting. They are able to take control of both keyboard and mouse input even after doing a full clean Windows install on a new drive (Windows ISO file on a clean device) that had never been connected to other drives. When they do take control, no obvious applications are running within Task Manager and I cannot find where the payload is being delivered from. Any help for next steps?
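Editor's note, added to this thread and not written by either participant: the question above ("nothing in Task Manager, can't find where the payload comes from") is answered in the rest of the thread with vendor tools whose output is attached but not shown. The script below is an added example of the evidence a responder would collect by hand on Windows 10 before concluding anything: built-in remote-input settings, every listening or established TCP endpoint resolved to its owning process and that binary's Authenticode status, Run-key autostarts, non-Microsoft scheduled tasks and services, and permanent WMI event subscriptions. It is read-only and it is not a Malwarebytes tool; the output file name and location are this example's own choice.

```powershell
# Added triage script (editor's example, not from the thread). Run as Administrator in
# Windows PowerShell 5.1 or PowerShell 7 on Windows 10. Reads only; removes nothing.
# Output path is an assumption: rat-triage-<timestamp>.txt on the current user's Desktop.

$report = [ordered]@{}

# 1. Built-in remote control paths: RDP, Remote Assistance, WinRM listeners.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
$report.RemoteAccess = [pscustomobject]@{
    RdpEnabled       = ($ts.fDenyTSConnections -eq 0)
    RemoteAssistance = ($ra.fAllowToGetHelp -eq 1)
    WinRmListening   = [bool](Get-NetTCPConnection -State Listen -LocalPort 5985, 5986 -ErrorAction SilentlyContinue)
}

# 2. Every listening or established TCP endpoint, resolved to the process that owns it.
#    An unsigned binary under a user-writable path holding an outbound connection is the classic
#    RAT picture; a signed Windows binary is not proof of innocence, only a lower priority.
$report.Connections = Get-NetTCPConnection -State Established, Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $path = if ($proc) { $proc.Path } else { $null }
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'unknown' }
    [pscustomobject]@{
        State     = $_.State
        Local     = "$($_.LocalAddress):$($_.LocalPort)"
        Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
        PID       = $_.OwningProcess
        Process   = if ($proc) { $proc.ProcessName } else { '?' }
        Path      = $path
        Signature = $sig
    }
}

# 3. Run / RunOnce autostart keys for the machine and the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$report.RunKeys = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}

# 4. Scheduled tasks outside the \Microsoft\ tree, with what each one actually executes.
$report.Tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    [pscustomobject]@{
        Task    = "$($_.TaskPath)$($_.TaskName)"
        State   = $_.State
        Actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    }
}

# 5. Services whose binary lives outside \Windows\ (a noise filter, not a guarantee).
$report.Services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
    Select-Object Name, State, StartMode, PathName

# 6. Permanent WMI event subscriptions. A clean workstation normally has none; any binding deserves a look.
$report.WmiSubscriptions = Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ Filter = "$($_.Filter)"; Consumer = "$($_.Consumer)" } }

# Write everything to one text file that can be attached to a forum reply.
$out = Join-Path ([Environment]::GetFolderPath('Desktop')) ('rat-triage-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
foreach ($section in $report.Keys) {
    "=== $section ===" | Out-File -FilePath $out -Append -Encoding utf8
    $report[$section] | Format-Table -AutoSize -Wrap | Out-String -Width 250 | Out-File -FilePath $out -Append -Encoding utf8
}
Write-Host "Triage report written to $out"
```

What to look for in the file: an established connection owned by a binary whose Signature is anything but Valid, a Run entry or task action pointing into %APPDATA%, %TEMP% or another user-writable folder, a task that launches powershell.exe, wscript.exe or mshta.exe with an encoded or remote argument, and any WMI binding at all. Run it while the remote control is happening if you can, since a connection that is only open during the session will not be in a scan taken afterwards. The caveat a practitioner would add: this script, and the disk-based scanners used later in the thread, only see the operating system layer. Something that survives a fresh install on a brand-new drive would more plausibly live beside or below the OS (firmware, a peripheral receiver that accepts injected keyboard and mouse input, a compromised router, or an account whose sync settings re-pull software after install), and none of those show up here.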
Maurice Naggar, posted December 10, 2020 (ID:1426446)

Hello, @thattalla. My name is Maurice. I will be helping and guiding you, going forward on this case. Let me know what first name you prefer to go by. Please follow my directions as we go along. Please do not make any changes on your own without first checking with me. Please only attach the report files, etc. that I ask for as we go along. I would appreciate getting some key details from this machine in order to help you forward.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system. Do have patience while the report tool runs. It may take several minutes. Just let it run and take its time. You may want to close your other open windows so that there is a clear field of view.

1. Download Malwarebytes Support Tool.
2. Once the file is downloaded, open your Downloads folder (or the location of the downloaded file).
3. Double-click mb-support-1.80.848.exe to run the report.
4. Once it starts, you will see a first screen with 2 buttons. Click the one on the left marked "I don't have an open support ticket".
5. You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
6. Place a checkmark next to Accept License Agreement and click Next.
7. Now click the left-hand side pane "I do not have an open support ticket".
8. You will be presented with a page stating "Get Started!". Do NOT use the button "Start repair"! Look instead at the far-left options list in black.
9. Click the Advanced tab in the left column.
10. Click the Gather Logs button. A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.
11. Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK. Then Exit the tool.
12. Please attach the ZIP file in your next reply.

Please know I help here as a volunteer and that I am not on 24x7. I am not employed by Malwarebytes. Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy/paste into the main body. Thank you. Sincerely.
thattalla, posted December 10, 2020 (ID:1426451)

Hi @Maurice Naggar, thanks for your swift response. I'm Alex. Please find attached the requested logs.
Alex
[Attachment: mbst-grab-results.zip]
Maurice Naggar, posted December 10, 2020 (ID:1426457)

Hi, Alex. I notice this PC has Kaspersky Total Security AV. Have you done a recent scan with Kaspersky? If so, what did it report? Kindly let me know. The following is the first next step.

[1] The Malwarebytes for Windows version needs to be updated to the very latest component and version. Let's have you get updated to the very latest. All program upgrades are at no charge. Start Malwarebytes. Click the Settings (gear) icon. Now, click the tab marked GENERAL. Look for the button marked "Check for Updates" and click it. Be sure to follow all prompts. Let's be sure it is up to date. That will hopefully ensure that the program has the very latest Component Update.

[2] In Malwarebytes, we want to do a special scan. Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window. Then click the Security tab. Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈 Click it to get it ON if it does not show a blue color. Then scroll down to the section Potentially Unwanted Items. We need the next 2 lines (for PUP and for PUM) to be set to "Always (Recommended)". You can make the change by clicking on the down-arrow selection list control. We want all PUP and PUM to be marked for removal. Next, click the small x on the Settings line to go to the main Malwarebytes window. Next, click the blue button marked Scan. When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical. You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). 👈 🔻 Then click on Quarantine Selected. Then, locate the Scan run report, export a copy, and then attach it with your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
thattalla, posted December 10, 2020 (ID:1426459)

Thanks Maurice. Indeed, alongside scans with MWB and Kaspersky both returning no issues found, I have also used Zemana, SpyHunter and ESET to try to identify anything. All come back with results showing nothing found; however, I have still observed the PC being taken control of. I have also looked into start/boot applications and have found no obvious anomalies. To note, I already had the settings mentioned above enabled, both Rootkit and PUP+PUM. But MWB did need patching, so I have run a scan since with all of those features enabled, attached below.
Thanks
Alex
[Attachment: scan10122020.txt]
Maurice Naggar, posted December 10, 2020 (ID:1426463)

Please do not do any other scans on your own. I suspect we are looking at a case where there is no malware, given you have run so many other scans. I am glad that the PC now has the very latest Malwarebytes for Windows (Version: 4.3.0.98, Components Version: 1.0.1130) and that the scan result reports no malware.

Let's do this. Be sure you close all web browsers before you click on the "Scan" button in this next procedure. I would suggest you download, save, and then run Malwarebytes ADWCLEANER. Please close Chrome and all other open web browsers after you have saved AdwCleaner and before you start the AdwCleaner scan. AdwCleaner detects factory preinstalled applications too!

1. Please download Malwarebytes AdwCleaner: https://downloads.malwarebytes.com/file/adwcleaner
2. Be sure to save the file first, to your system. Saving to the Downloads folder should be the default on your system.
3. Go to the folder where you saved AdwCleaner. Double-click AdwCleaner to start it.
4. At the prompt for the license agreement, review and then click on I agree.
5. You will then see a main screen for AdwCleaner. (If you do not see it right away, minimize the other open windows so you can see AdwCleaner.)
6. Then click on the Dashboard button. Click the blue button "Scan Now". Allow it a few minutes to finish the scan.
7. Let it remove what it finds. NOTE: When it comes to the section "Pre-installed applications", you can skip that.
8. Please find and send the AdwCleaner "C" clean report. In AdwCleaner, click the "Reports" button. Look at the list of reports for the latest date and type "Clean". Double-click that line and it will open in Notepad. Save the file to your system and then attach that with your reply. That C clean report will be the one with the most recent date and time in folder C:\AdwCleaner\Logs.

Thanks. Keep me advised.
thattalla, posted December 10, 2020 (ID:1426464)

Hi Maurice, my only confusion would be that even after these reports come back clean, if someone is able to remotely control my PC, that would indicate a RAT still exists? I have attached the AdwCleaner report.
Thanks
Alex
[Attachment: AdwCleaner[S00].txt]
Maurice Naggar, posted December 10, 2020 (ID:1426468)

Thanks for the AdwCleaner report. All good there. No adware and no PUP. I notice this Windows logged event (in the FRST report):

Application errors:
==================
Error: (12/09/2020 06:10:45 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program dota2.exe version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
Process ID: 34e8
Start Time: 01d6ce54c2f119ab
Termination Time: 4294967295
Application Path: C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exe

I would like to see you uninstall this "dota 2". And also, let's not run any games or any instant message apps for the duration of this case.
thattalla, posted December 10, 2020 (ID:1426470)

Thanks Maurice, I have now uninstalled this.
Maurice Naggar, posted December 10, 2020 (ID:1426471)

Tell me about Zemana and SpyHunter. Were those one-time use? Or did you pay for licenses (intending to run those permanently)? I am reviewing the reports showing the running processes.
thattalla, posted December 10, 2020 (ID:1426473)

Thanks Maurice, I haven't paid for these; it was on a suggestion just to see if they showed anything on a scan. I have usually had just one platform running, MWB on this PC and Kaspersky on a different device.
Alex
Maurice Naggar, posted December 10, 2020 (ID:1426492)

OK, thanks for that; we just do not need them auto-starting and running all the time. The following is a custom script. The main goal is to run the Windows System File Checker applet and the DISM applet of Windows 10. It will also ensure that Zemana and SpyHunter do not auto-start. This will reduce the load on the system at startup time.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer, this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked, please make sure you bookmark them now, as all open applications will be automatically closed. Also, make sure you know the passwords for all websites, as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords. The following directories are emptied:
- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome, and Opera caches, HTML5 storage, cookies and history
- Recently opened files cache
- Flash Player cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- Recycle Bin
Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns, please ask before running this fix. Please be sure to close any open work files, documents, and any apps you started yourself before starting this. The system will be rebooted after the script has run.

This custom script is for Thattalla only / for this machine only. Close and save any open work files before starting this procedure. If there are any CD / DVD / USB flash thumb drives or USB storage drives attached, please disconnect any of those.

The custom Fix script is going to be used by the FRSTENGLISH tool. They will both work together as a pair.
1. Please save the attached file named FIXLIST.txt to the Downloads folder. The tool FRSTENGLISH.exe is already in the Downloads folder.
2. Start Windows Explorer and then go to the Downloads folder.
3. RIGHT-click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.
4. In the FRST window, click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
5. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
6. When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply, at your next opportunity.
Please know this will do a Windows Restart. Just let it do its thing. Do let me know how things are overall, after all this.
[Attachment: Fixlist.txt]
thattalla, posted December 10, 2020 (ID:1426494)

Thanks Maurice, please find the attached file after completion.
[Attachment: Fixlog.txt]
Maurice Naggar, posted December 10, 2020 (ID:1426497)

The Windows System File Checker (Windows Resource Protection) found corrupt files and successfully repaired them. The DISM tool found no issue. You should find that the system is a bit faster at startup. There has been no finding of any trojan or malware.

This next run is intended as a one-time-only check. Please read all of these lines first so that our plan is clear to you. I need a one-time run of MBAR as listed here, please.
• Please download Malwarebytes Anti-Rootkit (MBAR) from this link here and save it to your desktop.
• Double-click on the MBAR file and allow it to run.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click 'Next' if you agree.
• On the Update Database screen, click on the 'Update' button.
• Once you see 'Success: Database was successfully updated', click on 'Next', then click the Scan button.
• With some infections, you may see two message boxes:
  1. 'Could not load protection driver'. Click 'OK'.
  2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
• If malware is found, press the Cleanup button when the scan completes.
Please attach the log it produces; you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.
thattalla, posted December 10, 2020 (ID:1426503)

Hi Maurice, please find the attached log; no malware detected.
Thanks
Alex
[Attachment: mbar-log-2020-12-10 (19-15-56).txt]
Maurice Naggar, posted December 10, 2020 (ID:1426506) [marked as Solution]

Thanks. OK. This re-confirms there is no malware here. Your system is good to go. To remove the FRST64 tool and its work files, do this:
1. Go to your Downloads folder. RIGHT-click on FRSTENGLISH.exe, select RENAME, and change it to UNINSTALL.exe. Then run that (double-click on it) to begin the cleanup process.
2. Delete MBAR.exe.
3. Delete mbst-grab-results.zip on the Desktop.
4. Delete mb-support-1.80.848.exe.
Any other download file I had you save, you may delete.
thattalla, posted December 10, 2020 (ID:1426509)

Thanks for your help Maurice. If the RAT does take control again, is it best to comment on this thread?
Thanks
Alex
Maurice Naggar, posted December 10, 2020 (ID:1426512)

None of the reports and none of the scans showed any sort of trojan. That is important to emphasize. Also, you ran a few scans of your own prior to even creating the case. Thus I would not be saying there is any trojan. Further to that, I believe your PC has the Premium Malwarebytes for Windows, which has multiple real-time protections. I do wish you well.
Maurice Naggar, posted December 10, 2020 (ID:1426513)

Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance, please start your own topic in a new thread. Please review the following for tips to help protect from infection. Thank you.