
RMS rat, rootkit, or Keylogger on my system, please help


Solved by Maurice Naggar


Do not create new topics. Someone will be along to assist. While you are waiting, do the following:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

Edited by Porthos

Hello @Help_please, my name is Maurice. I look forward to your providing the Farbar FRST reports for review.
Please tell me, what have you seen or observed that leads you to suspect an infection?
What security scans have you run? What were the results?
Have you scanned this PC with Microsoft Defender antivirus?
What version of Windows is this?
Why do you mention "RMS rat"? Have you seen an oddly-named process?
What other sites are you looking at? Are you getting or looking for help at some other site?
Please run the Farbar FRST as suggested before by Porthos. That way I can review & guide you.

 

Edited by Maurice Naggar
added notes

1. I accidentally downloaded a trojan and it got all my saved passwords and logged into my Discord and sent messages. I ran Malwarebytes, it detected 20 and deleted them, but then all my saved Gmails needed to be re-verified, and months later someone tried to sign into one of said saved Gmails from a location far away from me, so I suspect there's a rootkit or hidden spyware left over.

 

2. I ran Malwarebytes, 20 detections, deleted them. Malwarebytes 2nd scan after 2 months: nothing. TDSSKiller: nothing. MSERT: nothing.

 

3. Yes, nothing came up.

 

4. Windows 11

 

5. No, but I suspect it's still hidden.

 

6. Nothing but this forum website.

Addition.txt

7FRST.txt

FRST.txt


Let me know what name you prefer to go by. I will review your FRST reports and then, later, make a new reply here. Please do not run special tools, such as TDSSKiller, on your own. That tool is a specialized one and is not a general malware diagnostic. Let me do the guiding on the hunt for potential infection. Know that it is possible that no infection will be found.

I will guide you along on looking for potential malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable... things can go very wrong!
  • Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive, USB storage drive or flash/thumb drive.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Please stick with me until I give you the "all clear".

Your topic will be closed if you haven't replied within 4 days!
If I have not replied to your last post after 36 hours, please then send me a PM.

This ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.

Get & run the Malwarebytes MBAR anti-rootkit tool and do 1 run with it.

Disregard the title subject of the topic.

Run the MBAR tool as listed here 

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

 

When done, I need the MBAR logs.

Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.

 

Both files can be found in the extracted MBAR folder on your Desktop.

Please attach both files in your next reply.  This is just round 1. We will do more scans later.


Hello. You did not attach the log named mbar-log.txt. On the next run, I must also have that one.
The system-log from this run indicates that the run was interrupted.
Please restart Windows. Then do not start any apps, but proceed to start a new scan with the MBAR tool.
Find where you have MBAR.exe. Start a new run.
After completion, attach mbar-log.txt and system-log.txt.
Also let me know if you have a different Windows machine that is known to be clean. We could use it to do a special task.

 

Edited by Maurice Naggar

Hello. Thank you for that run of MBAR & the logs. This last run of Malwarebytes anti-rootkit indicates NO rootkit on this machine; NO malware.
It is good that you have another Windows machine that is clean. You can use that clean machine to go to your Gmail account and change the account password to a strong one. See the how-to tips below.
I am starting out here with a focus about GMAIL. You had described a potential compromise of your Gmail account. That compromise could have been due to some leaks at one or another company you did use. Or it may have been a possible data leak at a credit bureau or some other company. That is all to say, a data compromise not of your own making.
Or else, if you have a weak password currently or before, on the Gmail account, that would have made it easy for the thieves.
OR, else, if you left your email address on a public website, or even Facebook, or a message board of some sort, or on social media, the knowledge in public of your email address would have been a point of compromise.
A strong password is a must.
Further to that, you may consider getting a whole new Gmail account and only using that new one.
OR, you may consider getting a new email account at, for example, Microsoft Outlook.
In any event, step one for now is to use your clean machine to switch the password for Gmail to a strong one.
Use STRONG passwords.

Link to Google Gmail support to change password https://support.google.com/mail/answer/41078

Tips on that:

Lastpass site can generate a strong one for you on-demand     https://www.lastpass.com/password-generator

also see at Microsoft    https://support.microsoft.com/en-us/help/4026406/microsoft-account-how-to-create-a-strong-password

and   https://www.microsoft.com/en-us/p/strong-password-generator/9nblggh0gr9l

[ 2 ]
After the Gmail account has been set, I need for you to uninstall Discord. Discord has been known in the past to have been mis-used & led to compromise.
At least for the duration of the case, Uninstall Discord from this machine.  { After we finish this case, you can later on re-install as you wish. Just be sure you get it from the legitimate source.}

[ 3 ]
Please do not play any online games on this machine. Do not go onto social media sites on this machine. Only use this machine to get tools I guide you to & to use this help forum here.

[ 4 ] This pc is running Windows 11.
Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.
When done, exit File Explorer.

[ 5 ]
I would very much like for you to do one new special scan with Malwarebytes for Windows. Then follow that by gathering a fresh set of reports that include all history of Malwarebytes scans.

Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan.

Then click the Security tab. Scroll down and let's be sure the line in Scan options for

"Scan for rootkits" is ON 👈 Click it to get it ON if it does not show a blue color.

 

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical.

👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

[screenshot: MB4_scan_tick_ALL.jpg]

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

[screenshot: MB4_scan_all_Quarantine2.jpg]

 


Then,  after that scan has been all completed & dealt with, Exit out of Malwarebytes.  Then do the next steps.

[6]

I would like a report set for review.   This is a report only.

Please download the Malwarebytes MBST Support Tool.

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply
Edited by Maurice Naggar

Thank you. This here is a custom run with a custom script.  Read over all of this before taking action. 

We will use FRSTENGLISH.exe  on  Downloads    folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Help_please only / for this machine only.

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run the Windows 10 DISM to check the system integrity. It will rebuild the Winsock. It will rebuild the Hosts file (which has been tagged by Microsoft Defender).

NOTE-2:  It will attempt to list the contents of 5 suspicious sub-folders of windows\system32 & remove them.

It will also attempt to run a batch-mode Quick scan of Microsoft Defender antivirus. As part of this fix it will also reset the network to default settings, including the firewall. We want to minimize all auto-started apps, so it will remove Lively Wallpaper from automatically starting at Windows startup. It will remove Process Hacker 2, which has been repeatedly tagged by Malwarebytes as riskware.

NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder   

Fixlist.txt (attached)


Start the Windows File Explorer and then go to the Downloads folder.

Right-click on FRSTENGLISH.exe and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
If Windows prompts you about running this, select YES to allow it to proceed.

If you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.

on the FRST window:
Click the Fix button just once, and wait.

[screenshot: frst-fix.jpg]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it run and finish.   I will look forward to getting the log. Stick with me.


Hello. Good day to you. I did get the Fixlog. Thank you, that is a good run overall. But since it shows that the Windows Microsoft Defender settings have 2 paths excluded from being scanned, plus, in addition, there are exclusions to also (effectively) not scan EXE & DLL file types, we will need a followup run to get those all removed. This was a huge security gap in the ability of, or rather a severe limitation on, Microsoft Defender. I have to add a remark. I am baffled why you made 2 earlier posts (above). This forum is safe indeed.

I will be providing a new followup script.  Please do not do any games, online games, or shopping, or web surfing.  Just only use this system to go to this forum until we close the case.


The last custom script run revealed that the Microsoft Defender antivirus preferences were set to exclude all EXE files & all DLL files from monitoring or scanning by Microsoft Defender. That is a major security hole and major risk exposure.
Cannot tell how long that has been so. Cannot tell how much time elapsed before you went and ran these other scanners:
Sophos
ESET Online Scanner
HitmanPro
Kaspersky KVRT
Kaspersky TDSSKiller
RogueKiller

You may want to pause at this time and consider wiping/erasing this system and doing a brand new Windows OS install. That would be the safest thing to do for the long term.
Or, perhaps, do a Windows RESET and keep nothing of the old apps or user files.
or, something like that.
So take some time, consider, and let me know.

I have not heard from you, I believe, whether you have all your user files backed up on external removable backup devices.  or maybe even, backup on the cloud.

If and only IF you choose to keep going with this system as it is, then these are what to do.
As I wrote above, a major security hole is apparent at this point.
This system's settings / preferences on Microsoft Defender were excluding from any scanning 2 paths & 2 major file types.
EXE + DLL were excluded,
plus 2 paths were excluded from monitoring or scanning: %userprofile%\AppData\Local\Temp + %userprofile%\appdata\roaming
The goal here is to remove all exclusions settings from Microsoft Defender + to run some scans with Microsoft Defender, after getting definitions updates from Microsoft.

You would first, Delete the old file named Fixlist.txt  that I had you save before on Downloads.

 

We will use FRSTENGLISH.exe  on  Downloads    folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Help_please only / for this machine only.

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This script will remove all exclusions settings from Microsoft Defender + to run some scans with Microsoft Defender, after getting definitions updates from Microsoft.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder   

Fixlist.txt (attached)


Start the Windows File Explorer and then go to the Downloads folder.

Right-click on FRSTENGLISH.exe and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
If Windows prompts you about running this, select YES to allow it to proceed.

If you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.

on the FRST window:
Click the Fix button just once, and wait.

[screenshot: frst-fix.jpg]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it run and finish.   I will look forward to getting the log. Stick with me.

Fixlist.txt

Edited by Maurice Naggar

The good news is that now all exclusions that had been on Microsoft Defender are gone. I also see that at least some time in November 2021 through December (at least) 'something' had set Windows Defender real-time protection Behavior Monitoring to off. Which would have been yet an additional method to cripple the protection of this system.
By the way, also, I see a history log entry by Defender that there is or was a file named D:\Adamx Windows 10 Optimization Pack + Powerrun.exe
What is that ?  Where did you possibly get it ?
I would like to suggest that you make sure it is no longer present.

This is message 1 of at least 2. I will post another post so that you do a whole new system scan.
All the exclusions that I listed before on Microsoft Defender are gone.
The Microsoft Defender definitions are up-to-date.
The real-time monitor ability of Microsoft Defender antivirus are on.

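The Defender cleanup the helper describes in the two posts above (remove every exclusion, update definitions, scan) and the Behavior Monitoring finding, as an added example in PowerShell. This is not part of the original thread and not the contents of the helper's FRST fixlist (which is not shown on this page); it is what a practitioner would run to audit and repair the same settings by hand. It assumes an elevated PowerShell prompt on Windows 11 with the built-in Defender module, and uses only Get-MpPreference, Remove-MpPreference, Set-MpPreference, Update-MpSignature, Start-MpScan, Get-MpComputerStatus and Get-WinEvent. The exclusion values the thread reports (exe, dll, %LOCALAPPDATA%\Temp, %APPDATA%) are not hard-coded; the script removes whatever it finds. The function name Get-DefenderProtectionReport is this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not the forum helper's script: audit Microsoft Defender exclusions and
# protection toggles, remove the exclusions, re-enable monitoring, update and scan.

function Get-DefenderProtectionReport {
    $p = Get-MpPreference
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        # Pipe through Where-Object so an empty/$null preference yields a zero-length array.
        ExclusionPaths        = @($p.ExclusionPath      | Where-Object { $_ })
        ExclusionExtensions   = @($p.ExclusionExtension | Where-Object { $_ })
        ExclusionProcesses    = @($p.ExclusionProcess   | Where-Object { $_ })
        BehaviorMonitoringOff = [bool]$p.DisableBehaviorMonitoring
        RealtimeMonitoringOff = [bool]$p.DisableRealtimeMonitoring
        RealTimeEnabled       = $s.RealTimeProtectionEnabled
        BehaviorMonitorOn     = $s.BehaviorMonitorEnabled
        SignatureUpdated      = $s.AntivirusSignatureLastUpdated
    }
}

'--- Before ---'
$before = Get-DefenderProtectionReport
$before | Format-List

# Remove every exclusion of each kind. On the thread's machine this covered the
# extensions exe and dll and the paths %LOCALAPPDATA%\Temp and %APPDATA%, i.e. exactly
# where droppers land, which is why such exclusions are a classic AV-disabling trick.
if ($before.ExclusionPaths.Count)      { Remove-MpPreference -ExclusionPath      $before.ExclusionPaths }
if ($before.ExclusionExtensions.Count) { Remove-MpPreference -ExclusionExtension $before.ExclusionExtensions }
if ($before.ExclusionProcesses.Count)  { Remove-MpPreference -ExclusionProcess   $before.ExclusionProcesses }

# Turn real-time and behavior monitoring back on. Tamper Protection or a GPO/MDM policy
# can block this call; the "after" report below shows whether it took effect.
Set-MpPreference -DisableBehaviorMonitoring $false -DisableRealtimeMonitoring $false

# Event ID 5007 in the Defender operational log records each configuration change, so its
# timestamps are how one dates when the exclusions or the monitoring toggle were set.
'--- Recent Defender configuration changes (Event ID 5007) ---'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# Fresh definitions first, then scan. Quick scan here; swap in FullScan for a deeper pass,
# or Start-MpWDOScan for the boot-time Offline scan the helper asks for next.
Update-MpSignature

'--- After ---'
$after = Get-DefenderProtectionReport
$after | Format-List

$stillBroken = $after.ExclusionPaths.Count -or $after.ExclusionExtensions.Count -or
               $after.ExclusionProcesses.Count -or -not $after.RealTimeEnabled -or
               -not $after.BehaviorMonitorOn
if ($stillBroken) {
    Write-Warning 'Exclusions or disabled protection remain: check Tamper Protection and applied policy before trusting scan results.'
} else {
    Start-MpScan -ScanType QuickScan
    Get-MpThreatDetection | Format-List
}
```

The "before" report is worth saving before anything is changed: the exclusion list and the 5007 timestamps are the only record of how long the machine ran unprotected, which is the question the helper says he cannot answer. A clean "after" report is necessary but not sufficient; a scan from an engine that was blind to exe and dll files for months says nothing about what ran during that window, which is why the reinstall option raised above remains the conservative choice.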

You can use the built-in Microsoft Antivirus which is Windows Defender to scan the system.  A good way to do that is by using its Offline scan option. First exit out of any on-going work or opened apps. This type scan will involve a windows Restart. This is a special though limited scan.

  • Click the Windows Start menu button on the Taskbar, select Settings icon. Then choose Update and Security.
  • In Windows Settings  >>> click on Windows Security from the left side list.
  • Next, In Windows Security section:  Click on the grey button Open Windows Security
  • Now, click on the shield Virus and threat protection
  • next click on the line in   blue Scan options
  • Look down the options list. Tick Microsoft Defender Offline scan.
  • Then next,  click the grey "Scan now" button.   and let it scan the system.

When it reboots the system, please just login with your regular login-account.

Have patience during the scan run.

Keep in mind that the design and what is scanned by Windows Defender is a whole different design from Malwarebytes. But do let me know how this scan goes and what the result is.

This is message 2 of at least 2. There will be more to do later. Stick with me. Reply back when you have completed.

 

 

This topic is now closed to further replies.