RAT help

LocalThreats · December 22, 2021

Hello,

I'm fairly sure I've been infected by a RAT, and I have some questions - is there anyway to see if this was installed by a family member on the same network with physical access to the computer? I dread to think it was my brother but I'm fairly certain. Is this system still infected?

I have also found Malwarebytes antivirus scans with no action taken and things added to my exception list. I have added those logs alongside the log this advice - Thanks in advance.

Addition.txt FRST.txt AdwCleaner[C00].txt MostRecentPostADW.txt Previous1.txt Previous2.txt Previous3.txt Previous4.txt

LocalThreats · December 22, 2021

I've just had this error while trying to scan some files.

Kind regards,

AdvancedSetup · December 22, 2021

Hello @LocalThreats

Please run the following and post back the requested logs

Thanks

LocalThreats · December 22, 2021

1 hour ago, AdvancedSetup said:

-snip-

Hello, Hope you are well.

Thanks

mbar-log-2021-12-22 (21-36-06).txt system-log.txt

AdvancedSetup · December 23, 2021

Thank you, you too. Let me have you run the following please.

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the End result at the end of the run.
The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

Thank you

LocalThreats · December 23, 2021

Thanks,

msert.log

AdvancedSetup · December 23, 2021

Good, Microsoft was able to find some items and remove them. Let's go ahead and run an ESET antivirus scan.

Please temporarily exit out of Malwarebytes if it's running. Then follow the procedure below and I'll check back on you tomorrow.

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan
Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.
If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at the bottom).
Press Continue when all done. You should click off the offer for “periodic scanning”.

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

Thanks, @LocalThreats

LocalThreats · December 23, 2021

Thanks @AdvancedSetup

ESET2.txt

AdvancedSetup · December 23, 2021

Great, as you saw ESET found nothing. Let me have you run the following for me please.

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

Spoiler

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download

STEP 01

If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
If you don't have Malwarebytes installed yet please download it from here and install it.
Once installed then open Malwarebytes and select Scan and let it run.
Once the scan is completed make sure you have it quarantine any detections it finds.
If no detections were found click on the Save results drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

Double-click to run the program
Accept the End User License Agreement.
Wait until the database is updated.
Click Scan Now.
When finished, if items are found please click Quarantine.
Your PC should reboot now if any items were found.
After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

Double-click to run it. When the tool opens, click Yes to disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here each time
Please attach the Additions.txt log to your reply as well.
On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

Thanks

AdvancedSetup · December 23, 2021

Please post back the new logs when ready @LocalThreats

Cheers

LocalThreats · December 23, 2021

Thanks, I'll update with the logs when they're done. I've found these System overrides in my Windows Exploit Protection settings and I don't remember ever setting these, are they suspicious? Thanks so much for the help

<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <AppConfig Executable="ExtExport.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="ie4uinit.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="ieinstal.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="ielowutil.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="ieUnatt.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="iexplore.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="mscorsvw.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="msfeedssync.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="mshta.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="MsSense.exe">
    <StrictHandle Enable="true" />
    <SEHOP Enable="true" TelemetryOnly="false" />
  </AppConfig>
  <AppConfig Executable="ngen.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="ngentask.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="PresentationHost.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
  </AppConfig>
  <AppConfig Executable="PrintDialog.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="runtimebroker.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="SystemSettings.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
</MitigationPolicy>

LocalThreats · December 23, 2021

Please find attached logs - Thanks.

AdwCleaner[S04].txt MalwareBytesLog.txt Addition.txt FRST.txt

LocalThreats · December 23, 2021

It's not allowFRST.txt Addition.txting me to edit my previous post - I forgot to restart my PC before running FRST, my apologies. Please find the new logs below. Thanks in advance

AdvancedSetup · December 24, 2021

Yes, the exploit settings look good. That is for a very specific layer of protection that monitors programs and processes

Let me have you run the following please.

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
If Microsoft SmartScreen blocks the download, click through to save the file
This tool is safe. Smartscreen is overly sensitive.
If SmartScreen blocks the file from running click on More info and Run anyway
Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward
Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Thank you

AdvancedSetup · December 24, 2021

Also, please uninstall the following

Bonjour

LocalThreats · December 24, 2021

Thank you for the continued speedy help. I have uninstalled Bonjour.

SecurityCheck.txt

AdvancedSetup · December 24, 2021

Thanks

Please uninstall, update, or otherwise address the following as appropriate for your system.
Unless you need the older versions of Python you may want to consider removing the old versions

--------------------------- [ OtherUtilities ] ----------------------------

Git v.2.34.0 Warning! Download Update

Python 3.9.6 (64-bit) v.3.9.6150.0 Warning! Download Update

Python 3.9.0 (32-bit) v.3.9.150.0 Warning! Download Update

Python 3.7.8 (64-bit) v.3.7.8150.0 Warning! Download Update

Notepad++ (32-bit x86) v.8.1.3 Warning! Download Update
Steam v.2.10.91.91

-------------------------- [ IMAndCollaborate ] ---------------------------

Discord v.1.0.9002 Warning! Download Update

------------------------------- [ Browser ] -------------------------------

Mozilla Firefox (x64 en-GB) v.95.0 Warning! Download Update

Opera Stable 82.0.4227.33 v.82.0.4227.33 Warning! Download Update

LocalThreats · December 24, 2021

Thanks, I have removed older versions of Python and updated the rest, regards,

AdvancedSetup · December 24, 2021

Unless there are other signs of an issue the system appears to be clean at this time.

Is there anything else I can assist you with @LocalThreats

LocalThreats · December 24, 2021

Thanks so much for your help. Could I ask what antivirus/anti-rootkit software you use? I'm slightly paranoid about reinfection - Thanks.

AdvancedSetup · December 25, 2021

I use Malwarebytes myself.

Having a good solid back up of all your data to an external USB drive and potentially for very important data a secondary USB drive is the #1 thing you can do to ensure that even if hit by an infection you can recover.

Backup Software
https://forums.malwarebytes.org/index.php?/topic/136226-backup-software

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

right-click kprm_(version).exe and select Run as Administrator.
Read and accept the disclaimer.
When the tool opens, ensure all boxes under Actions are checked.
Under Delete Quarantines select Delete Now, then click Run.
Once complete, click OK.
A log will open in Notepad titled kprm-(date).txt.
Please attach that file to your next reply. (not compulsory)

Below are more things to consider to help ensure your privacy and your data are more secure.

Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
Install a content blocker for your browser. Malwarebytes Browser Guard (Free)
Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/
Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee
Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes and Happy Holidays

AdvancedSetup · April 6, 2022

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

RAT help

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information