PHANTOM23455 Posted January 22, 2022 ID:1498572

I've been infected with a virus that has access to all my socials and stuff on my device. Please advise what I should do. My FRST, Addition, and Malwarebytes Threat Scan logs are as follows:

Addition.txt
FRST.txt
Maurice Naggar Posted January 22, 2022 ID:1498576

Hello. My name is Maurice. I will guide you along on looking for potential malware. Let's keep these principles as we go along.

Removing malware can be unpredictable... things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive, or a USB-storage drive or flash/thumb drive.
Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to.
Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
The removal of malware isn't instantaneous, please be patient. Please stick with me until I give you the "all clear".
Your topic will be closed if you haven't replied within 4 days! If I have not replied to your last post after 36 hours, please then send me a PM.

[ 1 ] That is the first step. Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ] Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "scan" button, be sure that Chrome, Edge, or any other web browser is closed. It will not take much time.
First download & save it: https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner
Then be sure to close all web browsers. Then go to where the EXE file is saved. Start AdwCleaner. Then do a scan with AdwCleaner: https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean
Attach the clean log. Please always attach reports as we go along. Cheers.
PHANTOM23455 Posted January 22, 2022 Author ID:1498583

I have scanned using AdwCleaner, here's the log:

AdwCleaner[S00].txt
PHANTOM23455 Posted January 22, 2022 Author ID:1498588

Also, a scan I did earlier today gave me these reports. I deleted these files through Malwarebytes after this, but after another scan later, this came up, so basically the virus reinstalls its files. I can say that I have a virus confidently because all my socials have been hacked; I still have access to them but there have been changes on them.
Maurice Naggar Posted January 24, 2022 ID:1498932 (edited)

Good morning. My apologies for overlooking your Saturday replies. My bad. I had inadvertently overlooked them. Thanks for sending the PM.

The items tagged by Malwarebytes have to do with 2 registry entries that are set to disable the use of the Microsoft MRT tool, Microsoft Malware Removal Tool from Windows Update. That will be cleared up, as well as any entry for "Restoro". I also noticed on review of old reports that several branded antivirus apps have been recently added, like Avast + BitDefender. Please be sure you do not add any more such apps without letting me know. Stop making changes on your own. Check with me first.

^ We will use FRST64.exe on the Desktop folder to run a custom script. The system will be rebooted after the script has run. This custom script is for Phantom23455 only / for this machine only. This custom script has some specific things, plus some general aspects to help the system overall. Hoping it will not exceed 60 minutes in execute time.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will run the Windows DISM tool to check the system. It will rebuild the Winsock. It will remove the 2 registry entries that are the source of the PUM.Optional.disableMRT. That is a "potentially unwanted Modification" and not classified as a virus. It will remove traces of AVAST antivirus files. It will remove references to BitDefender tasks or drivers.
NOTE: your system is running Norton antivirus + Lifelock so it does not need other A-V apps.
As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save, please export or save them first before running this fix.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked, please make sure you bookmark them now as all open applications will be automatically closed. The following directories are emptied:
Windows Temp
Users Temp folders
Edge, IE, FF, Chrome, Opera & BRAVE caches, HTML5 storages, Cookies and History
Recently opened files cache
Flash Player cache
Java cache
Steam HTML cache
Explorer thumbnail and icon cache
Recycle Bin
Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to close any open work files, documents, any apps you started yourself before starting this. If there are any CD / DVD / USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

Please save the (attached file named) FIXLIST.txt to the user Desktop folder: Fixlist.txt <<< - - - - -
Then start the Windows Explorer and go to the Desktop folder. Double click on FRST64.exe and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool...... click the line "More info" on that screen and click the button "Run anyway" on the next screen.
On the FRST window: click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start.
If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

This here is not a one-shot-cure-all. There will be more to do later. Stick with me.
Edited January 24, 2022 by Maurice Naggar
PHANTOM23455 Posted January 25, 2022 Author ID:1499028

Hello, thank you for the reply, here's the FIXLOG.txt. Also, one thing I have noticed is whenever I open Gmail and go to details in the bottom right of my inbox, it shows me that "unknown" has accessed my account and I don't know what. My Insta account had followed like 300 random people I don't know, my Discord was sending scam messages to every DM and server, and there were videos being posted on my YouTube without my knowledge. Anything related to this?

Fixlog.txt
Maurice Naggar Posted January 25, 2022 ID:1499043 (edited)

Good morning. Thank you for the log report. The run did do as intended. Overall a good worthwhile run. We need to do more scans to do additional checks on this Windows machine. We will do different checks with other tools later. Our main focus is hunting for potential malware on this one Windows machine. I will guide you on that.

^ Tell me, do you have other devices or other Windows PCs that you have used to access Gmail? If more than one device, the wording of the message on your Gmail screen or notice matters a lot. It could simply be that you accessed Gmail yourself on a different device. In which case, the message is just advisory. But anyhow, you should provide the exact text of that notice on Gmail. If needed, and if you have another machine that you know is clean, then you could consider changing the Gmail password to a new one using a "strong" password. See https://www.lastpass.com/features/password-generator (you can close the ad-window there). That site can help to generate strong passwords which you can then copy and use for your Gmail & others. Just be sure you do NOT use the same password on more than one account. Use different passwords for each program.

^ On the other apps you mention: "Insta acc", "Discord", "Youtube" and any other.... Please stay out of them while we are scanning for malware on this machine. Let's not play online games or do any web-surfing or social apps.
^ Later on, you could change the passwords on them once this machine has been cleared.

^ [ 2 ] Keep going and do these two following steps. The first one should be real quick.
Please download Rkill from this link and save to your Desktop: http://download.bleepingcomputer.com/grinler/rkill.exe
Double click on Rkill. A command window will open then disappear upon completion, this is normal. Please post the log if you can. Just let me know if this did run.

[ 3 ] The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the-tool are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
Look on Scan Options & select FULL scan. Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be. Once you see it has started, take a long long break; walk away.
Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the end result at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is on the log-report-file.
This is likely to run for many hours (depending on number of files on your machine & the speed of hardware). The log is named MSERT.log; the log will be at Windows\debug\msert.log. Please attach that log with your reply.
This step is not a cure-all. We have much more work to do later. Stick with me.

Edited January 25, 2022 by Maurice Naggar
PHANTOM23455 Posted January 26, 2022 Author ID:1499227

Hello, I've done the scan and here's the log. Also, an "authorized Application" accesses my account when I'm not on. I disabled all apps in "Third-party apps with account access" in account settings but nothing seems to change.

msert.log
Maurice Naggar Posted January 26, 2022 ID:1499252

Thank you for that report from the Microsoft Safety Scanner. It detected an issue with the Windows Hosts file and reports that it replaced it. Let's get 2 different reports, and also I need for you to clarify something you last wrote.

[ 1 ] This next is just a report to check on some Windows services. Download Farbar's Service Scanner utility and save to your Desktop. Right-click on fss.exe and select Run As Administrator. Answer Yes to OK when prompted. If your firewall then puts out a prompt, again, allow it to run. Once FSS is on-screen, be sure the following items are check-marked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services
Click on "Scan". It will create a log (FSS.txt) in the same directory the tool is run. Please attach that file.

[ 2 ] A different report. Please download MiniToolBox, save it to your desktop and run it. Checkmark the following check-boxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices
List Users, Partitions and Memory size.
List Minidump Files
Click Go and post the result (Result.txt). Attach a copy of Result.txt; it will be saved in the same directory the tool is run.

[ 3 ] Clarify for me the how you see & where you see "an 'authorized Application' accesses my account". I need specificity as we go along. We will continue to hunt for malware on this Windows machine. I am trying to delineate what is or may be on this machine, as contrasted to what is wholly outside of it.
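The Safety Scanner finding above, and the "List content of Hosts" item in MiniToolBox, both concern the Windows hosts file: malware commonly edits it so that security-vendor and update domains resolve to 0.0.0.0, 127.0.0.1, or an attacker-chosen address, which silently blocks remediation tools. The following is an added example (not part of this thread or of any tool named in it) that parses a hosts file in the Windows format and flags such overrides; the sample hosts text and the watchlist of domains are constructed for illustration.

```python
"""Audit a Windows-format hosts file for overrides of security/update domains.

Added example; the hosts content and WATCHLIST below are constructed, not
taken from the thread or from any real machine. On a real system the file
lives at C:\\Windows\\System32\\drivers\\etc\\hosts and would be read from disk.
"""
import ipaddress

# Constructed sample: stock Microsoft comment block plus two injected
# overrides (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1 localhost
0.0.0.0 telemetry.example.net
203.0.113.7 www.malwarebytes.com   # constructed: vendor site hijacked
203.0.113.7 update.microsoft.com
::1 mypc.local
"""

# Domains remediation depends on; any hosts-file entry for these is suspect.
WATCHLIST = ("microsoft.com", "windowsupdate.com", "malwarebytes.com",
             "norton.com", "google.com")


def parse_hosts(text):
    """Return [(ip, hostname, line_no)] for each active mapping in the text."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])  # validates IPv4 and IPv6
        except ValueError:
            continue                             # malformed; Windows skips it
        for host in parts[1:]:                   # one IP may list many names
            entries.append((str(ip), host.lower(), line_no))
    return entries


def is_watched(host):
    """True if host is a watchlist domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text):
    """Return [(line_no, host, ip, reason)] for watchlist domains that are
    sinkholed (0.0.0.0 / loopback) or redirected to another address."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if not is_watched(host):
            continue
        if addr.is_unspecified or addr.is_loopback:
            reason = "watched domain sinkholed"
        else:
            reason = "watched domain redirected"
        findings.append((line_no, host, ip, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```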
PHANTOM23455 Posted January 26, 2022 Author ID:1499263 (edited)

Here are the logs from the scans. Also, I found that from the details section in Gmail (bottom right of the page) which allows you to see the login activity. When I click show details, this is what pops up. There is nothing in manage account access, so it's probably an app on one of my devices, either my phone or my PC. I had scanned my phone which detected a malware and also removed it, but the problem still persists. Google also gave me this notice a few days after the hack.

MTB.txt
FSS.txt

Edited January 27, 2022 by AdvancedSetup
Removed images with email address in them
Maurice Naggar Posted January 26, 2022 ID:1499275

Thanks for the reports. This ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed. Get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it. Disregard the title subject of the topic. Run the MBAR tool as listed here: https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes
When done, I need the MBAR logs. Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created. Both files can be found in the extracted MBAR folder on your Desktop. Please attach both files in your next reply.
Maurice Naggar Posted January 26, 2022 ID:1499279

For after the MBAR run, since this PC has Norton Security (version 22.21.11.46), I would highly suggest you make the time & ensure to do a full scan of this system with Norton Security.
PHANTOM23455 Posted January 27, 2022 Author ID:1499402

Here are the logs from the MBAR scan. Also, I have done a full system scan with Norton multiple times after the hack. I've also tried Norton Power Eraser but it freezes at 100% processing for some reason.

mbar-log-2022-01-26 (19-29-29).txt
system-log.txt
Maurice Naggar Posted January 27, 2022 ID:1499457 (Solution)

Thank you; excellent result from Malwarebytes anti-rootkit MBAR: no malware / no rootkit. Please do not use the Norton Power Eraser any further. I was just asking about the normal Norton Security scan. So you are saying that the Norton Security also reports no infection.

^ Next, get & run the latest (current) Microsoft Malicious Software Removal Tool for Windows. This is something normally a part of the quarterly Microsoft Update. Download & save MSRT from this link at Microsoft Download Center: https://www.microsoft.com/en-us/download/details.aspx?id=9905
Disregard the top part with what look like ads / promos. Scroll down & see the Download button.
Be sure to first SAVE the file to the Downloads folder or else to the DESKTOP.
When download is completed, do a RIGHT-click with the mouse pointer & choose RUN AS ADMINISTRATOR & allow it to go forward. IF prompted about "are you sure", reply YES.
Next select QUICK scan. If malicious software has modified (infected) files on your computer, the tool prompts you to remove the malicious software.
The Malicious Software Removal Tool scan log is located at: C:\Windows\Debug\mrt.log. Please attach that log with your next reply.
If no infections were found, you will see in your log (at the very bottom):
Results Summary:
----------------
No infection found.
PHANTOM23455 Posted January 28, 2022 Author ID:1499582

Hello, I had scanned with Norton full scan and Power Eraser on the first day of the hack, before I submitted a post on this forum. Nothing was reported from the full scan and Norton Power Eraser would freeze at 100% processing. After I submitted a post here and got your reply, I haven't touched any of that. Also, no infections were reported from the scan.

mrt.log
Maurice Naggar Posted January 28, 2022 ID:1499618

Hello. Thank you for the MRT report. A re-assuring result: no infection detected by the MRT tool. I would recommend getting a readout report as to the update status of some key apps.
Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop. If Windows' SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward. Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Also, be sure to let me know, how is the system overall at this point?
PHANTOM23455 Posted January 28, 2022 Author ID:1499622

Hello, the system still feels the same, no difference after the hack or after the scans. The SecurityCheck.txt is attached below.

SecurityCheck.txt
Maurice Naggar Posted January 28, 2022 ID:1499652

Hi. Per the SecurityCheck report, these apps need your follow-up action.
NVIDIA GeForce Experience 3.23.0.74 v.3.23.0.74 Warning! Download Update
WinRAR 5.91 (64-bit) v.5.91.0 Warning! Download Update
Zoom v.5.4.6 (59296.1207) Warning! Download Update
Java 8 Update 301 (64-bit) v.8.0.3010.9 Warning! Download Update. Uninstall old version and install new one (jre-8u321-windows-x64.exe).
Java 8 Update 301 v.8.0.3010.9 Warning! Download Update. Uninstall old version and install new one (jre-8u321-windows-i586.exe).
Spotify v.1.1.22.633.g1bab253a Warning! Download Update
Mozilla Firefox (x64 en-US) v.91.0 Warning! Download Update
PHANTOM23455 Posted January 29, 2022 Author ID:1499789

Hello, thanks for letting me know. I've updated the following apps.
Maurice Naggar Posted January 29, 2022 ID:1499805

Hello. Good morning. I hope your weekend is going well. I do believe this system is good to go. This next part is to do a tools cleanup before we close the case.

Let's go ahead and do some clean-up work and remove the tools and logs we've run. Please download KpRm by kernel-panik and save it to your desktop. Right-click kprm_(version).exe and select Run as Administrator. Read and accept the disclaimer. When the tool opens, ensure all boxes under Actions are checked. Under Delete Quarantines select Delete Now, then click Run. Once complete, click OK. A log will open in Notepad titled kprm-(date).txt. You may attach that file to your next reply (not compulsory).

[ B ] Do a new scan with Malwarebytes for Windows. Then locate the Scan run report, export out a copy, & then attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

[ C ] Let me know if you need other help on this system. Sincerely.
PHANTOM23455 Posted January 30, 2022 Author ID:1499870

Good afternoon, thank you for the reply. Here are the KpRm logs:

kprm-20220130143217.txt
Maurice Naggar Posted January 30, 2022 ID:1499883

Thank you. A few other cleanups, in case they are still around.
If you see FRST64 on the Desktop.... then, to remove the FRST64 tool & its work files, do this: go to your Desktop folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe. Then run that (double click on it) to begin the cleanup process.
^ If these files are still around, go ahead & delete them:
msert.exe
fss.exe
mbar.exe
Maurice Naggar Posted February 5, 2022 ID:1500872

Glad we could help.
If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.
Please review the following to help you better protect your computer and privacy: Tips to help protect from infection
Thank you