
I have extremely dangerous and complicated malware on my PC, I want to remo



I will try to explain this in the best possible way. The road to today has been long. My personal information was leaked through a password stealer to a Telegram group. This happened on April 7. There were massive attempts to access my accounts. OK, I formatted the main computer and the laptop I have (which was the one I ran the virus on). All this is now history; I have access to all my accounts again, and I changed all the passwords.

It wasn't until May 24, when everything seemed to be fine, that they suddenly had remote access to my computer and hacked into my YouTube channel. They broadcast a live stream promoting cryptocurrencies. Firewall settings were changed and a custom rule was added (or a custom entry was leveraged, I don't know). What was recorded is how a guy from Russia (or a VPN) accessed my YouTube channel, allegedly using my equipment. I reset the firewall and closed services that could allow remote service / servers. I want it to be understood: my main computer was the cause this time. The password stealer was run on my laptop, another computer, and both were formatted. I reset IPs.

Well, having given the context of what happened, I am attentive every day to disturbances on my computer. Today I did a low-level format on my laptop, and will soon do it on my main computer. I even ran a program called JRT and it removed a few things for me, though I don't know if that will help. What I find disturbing, and I've already seen reason enough to open a post, is that Windows Defender detected this mysterious HackTool on "my" system. What has left me stunned is the path of this alleged malware. I don't have a G: partition! Which makes me suspect that the virus lives in the EFI partition, the security partition, or elsewhere on the system. I mounted my EFI partition to check but I didn't find anything; I still did an update to my BIOS.
This entry is what scares me the most. I think this malware is serious and whoever has gained access has an interest in my personal information and accounts. What could you do in these cases? Thanks.

Screenshot_26.png

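A concrete way to run down the two things the post worries about (a Defender detection whose path sits on a drive letter that does not exist now, and the possibility of something living in the EFI or another unlettered partition), as an added example that is not part of the original post or of Malwarebytes' instructions. It assumes an elevated PowerShell on Windows 10/11 with the built-in Defender and Storage modules; the temporary drive letter S: and the output path C:\efi-audit.csv are my choices. Drive letters are assigned per session, so a G: in a Defender record normally refers to a volume (USB stick, install media, a mounted ISO, a partition lettered during the reinstall) that was present at detection time. The script pulls Defender's own record with the flagged path, lists every partition whether or not it has a letter, then mounts the EFI system partition, hashes and signature-checks every file on it, and unmounts it again.

```powershell
# Added example: run as Administrator on Windows 10/11.  Not code from the original post.

# Part 1 - Defender's own record of the detection, including the path it flagged.
# The "G:\..." path seen in the screenshot will appear in the Resources field.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-List

# Part 2 - every partition on every disk, including hidden/unlettered ones
# (EFI system partition, Microsoft Reserved, recovery).  A volume that was G: at
# detection time may simply have no letter now, or may have been removable media.
Get-Partition |
    Select-Object DiskNumber, PartitionNumber, DriveLetter, Type, IsHidden, IsSystem,
                  @{Name='SizeMB';      Expression={ [math]::Round($_.Size / 1MB) }},
                  @{Name='AccessPaths'; Expression={ $_.AccessPaths -join ';' }} |
    Format-Table -AutoSize

# Part 3 - mount the EFI system partition on a temporary letter (assumption: S: is free),
# hash and signature-check every file on it, then unmount.
$EfiLetter = 'S:'
$Report    = 'C:\efi-audit.csv'     # assumed output location

mountvol $EfiLetter /S              # /S = mount the EFI system partition
if (-not (Test-Path "$EfiLetter\")) { throw "EFI partition did not mount on $EfiLetter" }

try {
    Get-ChildItem -Path "$EfiLetter\" -Recurse -File -Force | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            SizeBytes     = $_.Length
            LastWriteTime = $_.LastWriteTime
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SigStatus     = $sig.Status             # Valid / NotSigned / HashMismatch ...
            Signer        = $sig.SignerCertificate.Subject
        }
    } | Tee-Object -Variable efiFiles | Export-Csv -Path $Report -NoTypeInformation
}
finally {
    mountvol $EfiLetter /D          # always unmount, even if the listing failed
}

# Executables on the ESP that are not validly signed deserve a closer look.  Non-PE
# files (BCD, fonts, *.bak) report NotSigned; that alone is not evidence of anything.
$efiFiles |
    Where-Object { $_.Path -match '\.(efi|exe|dll|sys)$' -and $_.SigStatus -ne 'Valid' } |
    Format-Table Path, SigStatus, SHA256 -AutoSize
```

Compare the SHA256 values of bootmgfw.efi and the other Microsoft loaders against a known-good install (or against the same files inside install.wim on the installation media) rather than trusting the signature check alone; a valid signature says the file is genuine Microsoft code, not that it is the file that belongs there.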

  • Root Admin

Hello @ivanmatutes

We'll scan and see what we can find and then provide further advice as we go along. Note that it may take several days so please be patient and follow direction along the way.

Do you own your own router or is it rented from your ISP?

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

When downloading with some browsers you may see a different style of screen that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download (screenshots)



STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time.
  • Please attach the Addition.txt log to your reply as well.
  • On your next reply, you should be attaching FRST.txt and Addition.txt to your post, every time.

 

Thanks


On 6/16/2022 at 8:13 AM, AdvancedSetup said:

Hi! Sorry for the late response. By the way, I formatted my computer a few days ago. Still, I remain convinced that there is still something. AdwCleaner detected something, even though I had recently formatted my computer. I attach the files. My YouTube account changed language, from Spanish to English. That was after using CCleaner and reinstalling Firefox. I don't know if it has anything to do with it.

ivanmatutesmalwarebytes.txt AdwCleaner[C00].txt Addition_20-06-2022 05.55.05.txt FRST_20-06-2022 05.55.05.txt


1 minute ago, ivanmatutes said:

And yes, I have full access on my router. It's my own router. Only Ethernet connected is my desktop computer.


  • Root Admin

Let me ask you the following.

Is this a business computer?

Adobe Audition 2022 is $21 a month or $252 a year recurring charge
The Creative Cloud All Apps which included Adobe Premiere Pro 2021 but does not include Adobe Audition 2022 is $85 a month or $1,020 a year.

That means with just Adobe software alone you'd be paying over $1,200 a year. Then I notice many other graphics programs which often are also subscriptions.

If this is not a business computer that just seems unlikely that most home consumers are willing to pay $1,200+ every year for Adobe software.

The point I'm trying to get to is asking whether this software came from Peer2Peer uTorrent file sharing. If you're paying and these are legitimate applications, then there's no concern. If they're from file sharing, then it's rather obvious how and why a computer, even freshly built, could be infected.

 

Your DNS Servers: 192.168.1.1

Please consider changing your default DNS Server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

  • Google Public DNS: IPv4   8.8.8.8 and 8.8.4.4   IPv6   2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4   1.1.1.1 and 1.0.0.1   IPv6   2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4   208.67.222.222 and 208.67.220.220  IPv6  2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4   84.200.69.80 and 84.200.70.40   IPv6  2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on changing DNS settings if needed.

 

 

It looks like you attempted to install an old Windows 7 version of Windows Defender on Windows 10 which is not supported.

Application errors:
==================
Error: (06/19/2022 10:25:54 AM) (Source: Microsoft Security Client Setup) (EventID: 100) (User: HOXY)
Description: HRESULT:0x8004FF6F
Description: You don't need to install Microsoft Security Essentials. Your version of Windows includes an updated version of Windows Defender that provides the same level of protection as Microsoft Security Essentials, along with other significant improvements. For more information on the differences and improvements, see online Help. Error code: 0x8004FF6F.

 

Please go to Control Panel, Programs, Programs and Features and uninstall the following

  • CCleaner

The logs do not indicate any real signs of an infection, but we'll go ahead and run another antivirus scanner to double-check.

 

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Tick (select) the option "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy, get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done. You should decline the offer for "periodic scanning".

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

 

When done with the ESET antivirus scan you can look at doing a factory reset of your Router to ensure it's secure.

 

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

 

Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP pings
  • Change the default router password, using a strong password
  • Use a strong WiFi password on WPA2 using AES encryption, or enable WPA3 if it is an option
  • Disable remote management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address, or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the router firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set firewall rules to BLOCK TCP and UDP ports 135-139, 445, 1234, 3389 and 5555
  • Document passwords created and store them in a safe but accessible location.

 

 

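The port list above is written for the router's firewall, but the original post says the Windows firewall itself had been altered and a custom rule added, and later in the thread the poster applies the list to the Windows firewall. As an added example (not from the original thread or from Malwarebytes), the following PowerShell does the host-side equivalent: it lists the enabled inbound allow rules that belong to no built-in Windows rule group (custom rules created through the GUI, netsh or an installer; a triage heuristic, not proof of tampering), confirms the profiles default to blocking inbound traffic, creates block rules for the listed ports for both TCP and UDP, and sets the DNS client to one provider from the list above. The interface alias 'Ethernet', the rule names and the choice of Cloudflare are assumptions; pick one DNS provider only, as the post says.

```powershell
# Added example: elevated PowerShell on Windows 10/11.  Not code from the original post.

# 1. Audit: enabled inbound ALLOW rules with no built-in rule group.  Windows' own rules
#    carry a Group (e.g. "@FirewallAPI.dll,-25000"); hand-made or installer rules usually
#    leave it empty.  Review each of these by name, program and port.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { [string]::IsNullOrEmpty($_.Group) } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            Program   = $app.Program
        }
    } | Format-Table -AutoSize

# 2. Every profile should be enabled and default to Block inbound (a firewall reset
#    restores this; the poster's firewall had been modified).
Get-NetFirewallProfile |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction -AutoSize

# 3. Explicit inbound block rules for the ports in the router list
#    (135-139 RPC/NetBIOS, 445 SMB, 3389 RDP; 1234 and 5555 as listed).
#    In Windows Firewall a block rule takes precedence over an allow rule for the
#    same traffic, so these hold even if an installer later adds an allow rule.
$Ports = @('135-139', '445', '1234', '3389', '5555')
foreach ($proto in 'TCP', 'UDP') {
    $name = "Block-Inbound-$proto-Lateral-Ports"          # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol $proto -LocalPort $Ports -Profile Any -Enabled True | Out-Null
    }
}

# 4. DNS: one provider only (Cloudflare, from the list in the post).  Adjust the alias
#    to the adapter actually in use (Get-NetAdapter shows the names).
$Alias = 'Ethernet'                                       # assumed interface alias
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses '1.1.1.1', '1.0.0.1'
Clear-DnsClientCache
Get-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# 5. Verify the block rules exist and are enabled.
Get-NetFirewallRule -DisplayName 'Block-Inbound-*-Lateral-Ports' |
    Format-Table DisplayName, Enabled, Direction, Action -AutoSize
```

Run step 1 before and after a firewall reset (`netsh advfirewall reset` or the Restore Defaults button) and keep the two listings; any rule that reappears without you installing anything is the thing to investigate. Note that the DNS change on the PC only covers that PC; devices that take DNS from the router keep using 192.168.1.1 until the router's own DNS setting is changed.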

7 minutes ago, AdvancedSetup said:

Hi! Thank you for the response. Yes, the Adobe package is legit and I use it to create videos. Also, in desperation for more security, I clumsily tried to install Windows Security Essentials. I'm glad to hear that the computer doesn't seem to have any signs of viruses. I will use ESET to finish. I formatted the computer. May 24 was when my YouTube channel was hacked and they promoted cryptocurrencies (I didn't download anything or run anything). April 7th (even before that) was when I ran a password stealer on my laptop (another computer) and a lot of my personal information was leaked. From that event to the present I have formatted my computers twice, and I did a low-level format on my laptop. Even so, I think that even after formatting, access to my YouTube account was achieved almost two months later (one of the most valuable things, and it was not stolen in April, since I changed passwords, added 2-step and everything that has to do with security).


5 minutes ago, AdvancedSetup said:

You may want to do an extensive cleanup of Google Chrome if the account was hacked.

Please review the following. Then once you've cleaned up Google Chrome go ahead and do the ESET scan.

Hi. When I formatted my computer a few days ago I didn't install Google Chrome. Now I'm using Mozilla Firefox. I don't have Google Chrome installed. Now I'm resetting that DNS stuff; maybe that is the problem. Also, I had virtualization activated in my BIOS. I turned it off.


Just now, AdvancedSetup said:

What specifically makes you think the computer is infected?

 

Well, my youtube channel was hacked on May 24, I didn't do anything to remedy it other than reset the Firewall (which had modified options). There it stopped, I wanted to know if this malware / trojan / RAT is still on my computer even if I formatted it. A team of Google specialists reviewed the case and perceived unwanted access. The method was to access my YouTube account as if he were on my computer. I don't know if that could be due to a Trojan, or if it cloned my system, virtualized it... The truth is, I've read a lot about it. What I would like is to prevent this from happening again. For example, today I saw my YouTube dashboard being switched to English (that was a possible symptom of the last time I got hacked). Still, this happened after I used CCleaner and reinstalled Mozilla Firefox. Ultimately, I don't have conclusive evidence that I'm infected right now, but I was and I wanted to protect myself from future fraudulent access to my accounts.


6 minutes ago, ivanmatutes said:

OK, I put in all these ports:

Screenshot_5.png


  • Root Admin

I would most definitely perform the ESET scan. Then do the Firewall reset. Then make sure you change your Google password for YouTube and enable two-factor authentication (2FA) on the account. Make sure the password is a minimum of 16 characters and use a password manager for it. Not auto login.

Do not use any plugins that ask or require your credentials to operate on your behalf.

 

 

 

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

 

Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP pings
  • Change the default router password, using a strong password
  • Use a strong WiFi password on WPA2 using AES encryption, or enable WPA3 if it is an option
  • Disable remote management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address, or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the router firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set firewall rules to BLOCK TCP and UDP ports 135-139, 445, 1234, 3389 and 5555
  • Document passwords created and store them in a safe but accessible location.

Recommendations to help keep the computer and accounts safe.

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 


3 minutes ago, AdvancedSetup said:

I would most definitely perform the ESET scan. Then do the Firewall reset. Then make sure you change your Google password for YouTube and enable two-factor authentication (2FA) on the account. Make sure the password is a minimum of 16 characters and use a password manager for it. Not auto login.

Do not use any plugins that ask or require your credentials to operate on your behalf.

 

 

 

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

 

Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2  using AES encryption or Enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID).  Do not use your; Name, Postal address, or other personal information.  Make it unique or whimsical and known to your family/group.
  • Is the Router Firmware up-to-date?  Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set Firewall rules to BLOCK;   TCP and UDP ports 135 ~ 139, 445, 1234, 3389 and 5555
  • Document passwords created and store them in a safe but accessible location.


Recommendations to help keep the computer and accounts safe.

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

Thank you very much for the reply. A few hours ago I did a factory reset of the router, although I haven't done the other options yet. The Firewall, which I reset a long time ago on the old Windows install, was what apparently stopped the hacker's access. I'm still running the ESET scanner; as soon as I have the result I'll send it to you. I also have Controlled Folder Access enabled for now. I don't think most of the alerts that come out are harmful, but I'm watching to see if something bad comes out. For example, I just got this notification about Au_.exe.


  • Root Admin

If you did not change your password or did so with an infected computer then it's possible a remote attacker could have your new password.

No harm in changing it again now to a long, strong, 2FA-controlled one.

 

The idea of Controlled Folder Access is good, but often in practice, it can cause all types of conflicts. Keep an eye out in your Event Logs and Windows Defender logs and if you're seeing too many blocks of processes that should not be blocked you may want to adjust or potentially disable depending on what you're seeing.

https://www.tenforums.com/tutorials/113380-how-enable-disable-controlled-folder-access-windows-10-a.html


Yes. I'll do that for sure, a new password. I already have 2FA activated for that, with my phone number and even Google Authenticator. My idea is to buy a physical key to access my account through it. The ESET test is still running, it will take a while. When I have it I will share it here. Also any information of interest about the theft of cookies / remote access that steal the youtube channel I will contribute here to help.


13 minutes ago, AdvancedSetup said:

If you did not change your password or did so with an infected computer then it's possible a remote attacker could have your new password.

No harm in changing it again now to a long, strong, and 2FA-controlled.

 

The idea of Controlled Folder Access is good, but often in practice, it can cause all types of conflicts. Keep an eye out in your Event Logs and Windows Defender logs and if you're seeing too many blocks of processes that should not be blocked you may want to adjust or potentially disable depending on what you're seeing.

https://www.tenforums.com/tutorials/113380-how-enable-disable-controlled-folder-access-windows-10-a.html

 

 

In Event Viewer, there are a lot of errors (all the same one) saying:

"The eapihdrv service failed to start due to the following error:
This driver has been blocked from downloading"

 

And

 

Description id not found. Event ID 1060 on the Application Popup source. The component causing this event is not installed on the local computer, or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated from another computer, the information to be displayed had to have been saved with the event.

The following information was included with the event:
\??\C:\Users\HOXYY\AppData\Local\Temp\ehdrv.sys

The message resource is present, but the message is not found in the message table
 

Could it be because I activated Controlled Folder Access?


  • Root Admin

That is an ESET driver. It could be due to Controlled Folder Access. Normally, though, if it is, it will say so in the Event Logs.

Please upload both of those files to https://virustotal.com and you can have them scanned by many antivirus vendors to see what they think.

You'd have to restore them from the ESET quarantine, though, or just ignore it and let it go.

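As an added example (not code from this thread, from Malwarebytes or from ESET) covering both the Controlled Folder Access advice above and the ehdrv.sys / Event ID 1060 entries the reporter pasted, this PowerShell script lists what CFA has blocked over the last week and reports the signature and SHA-256 hash of any driver named in a 1060 event, so it can be looked up on VirusTotal by hash. The "Process Name:" label and the NT-path layout of the event messages are assumptions; the rest uses standard Windows cmdlets.

```powershell
# Added example, not code from the thread, Malwarebytes or ESET: summarise the
# two event types discussed above over the last 7 days. Assumes Windows 10/11
# with Microsoft Defender, run from an elevated PowerShell prompt.
$since = (Get-Date).AddDays(-7)

# 1) Controlled Folder Access blocks: Event ID 1123 in the Defender Operational
#    log is written each time CFA stops a process writing to a protected folder.
$cfa = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123
    StartTime = $since
} -ErrorAction SilentlyContinue

# Group by blocked process so a legitimate program that keeps being blocked
# stands out. The "Process Name:" label is an assumption about the message
# layout; messages that do not match land in "(unparsed)".
$cfa | ForEach-Object {
    if ($_.Message -match '(?m)^Process Name:\s*(.+?)\s*$') { $matches[1] }
    else { '(unparsed)' }
} | Group-Object | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 2) "Application Popup" Event ID 1060 entries that name a driver blocked from
#    loading, like the ehdrv.sys entry quoted above.
$popups = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Application Popup'
    Id           = 1060
    StartTime    = $since
} -ErrorAction SilentlyContinue

foreach ($ev in $popups) {
    # The message carries an NT path (\??\C:\...\name.sys); keep the Win32 part.
    if ($ev.Message -match '\\\?\?\\([A-Za-z]:\\[^\r\n]+?\.sys)') {
        $path = $matches[1]
    } else { continue }
    if (-not (Test-Path -LiteralPath $path)) {
        "$path : no longer on disk (quarantined or deleted)"
        continue
    }
    # Who signed the driver, and its SHA-256 so it can be looked up on VirusTotal
    # by hash without uploading the file.
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Driver    = $path
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = $hash
    }
}
```

A driver whose SigStatus is Valid with an ESET signer is the expected outcome here; a driver that is unsigned or sitting only in a Temp folder is the case worth following up with the VirusTotal check the Root Admin suggests.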

  • Root Admin

Bottom line. This computer does not show signs of a real infection at this time.

Highly recommend the strong password reset.

The YubiKey hardware solution is nice, but you may end up being disappointed. I purchased a couple of them, but most sites don't support U2F or FIDO2 and only seem to support OTP. Though as I recall, I think Google does support the higher-end stuff, which is good.


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you


This topic is now closed to further replies.