
Both HijackAutoConfig and Backdoor.Farfli keep popping out.


Maestro


  • Root Admin

Great, Microsoft was able to find and remove a threat.

Please open Malwarebytes and check for updates.

Then do a new Threat scan and post back the finished log

 

Then run AdwCleaner again

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

Then RESTART the computer, run Farbar with Admin rights, click on SCAN, and get me new logs:

FRST.TXT
ADDITION.TXT


Thanks

 


  • Root Admin

Please run the following fix.

Once the fix has completed, please attach the file FIXLOG.TXT to your next reply. @Maestro

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE: It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


  • Root Admin

Great, that looks pretty good. The fake service was removed.

Please run the following @Maestro

 

 

Please download the following tool

Farbar Service Scanner and run it on the computer with the issue
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/

 

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click "Scan"

It will create a log (FSS.txt) in the same directory the tool is run.
Please attach the log to your next reply.

 


  • Root Admin

Please save the attached file to your system.

Then extract the Registry file to a new folder such as C:\FIX

Then restart the computer into Safe Mode and try to import it into the Registry by double-clicking on it.

How to Start Windows 10 into Safe Mode or Normal Mode
https://www.tenforums.com/tutorials/2304-boot-into-safe-mode-windows-10-a.html

win10_wuauserv.zip

Please pay close attention to any errors and let me know if you see any and write them down.

Then restart the computer into Normal Mode and run the FSS program again and get me a new log.

Thanks @Maestro

 

 

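The two posts above first check the state of the Windows Update, Firewall, Security Center, Defender and related services with Farbar Service Scanner, then repair the wuauserv service by importing a registry file in Safe Mode. The PowerShell below is an added example, not part of the thread and not one of Farbar's tools: it reads the registry configuration of the services FSS covers, flags services that are disabled, that point at a binary or ServiceDll outside the usual system locations, or whose host executable is not validly signed, and then compares wuauserv field by field with its Windows 10 default. The service list and the wuauserv baseline values are this example's assumptions; confirm the baseline against a known-good machine of the same Windows build before acting on a mismatch. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Audit the services Farbar Service
# Scanner checks, straight from the registry, and compare wuauserv with
# its Windows 10 default. Run elevated.

# Real Windows service names; the descriptions map them to the FSS
# categories in the post (assumption).
$services = [ordered]@{
    'wuauserv'  = 'Windows Update'
    'BITS'      = 'Background Intelligent Transfer Service (Windows Update)'
    'MpsSvc'    = 'Windows Firewall'
    'BFE'       = 'Base Filtering Engine (Windows Firewall)'
    'WinDefend' = 'Windows Defender'
    'wscsvc'    = 'Security Center'
    'VSS'       = 'Volume Shadow Copy (System Restore)'
    'Dhcp'      = 'DHCP Client (Internet Services)'
    'Dnscache'  = 'DNS Client (Internet Services)'
}

# Windows 10 default for wuauserv (assumption: re-check on a clean machine
# of the same build before acting on a mismatch).
$wuauservBaseline = @{
    Start      = 3                                                  # Manual
    ImagePath  = '%systemroot%\system32\svchost.exe -k netsvcs -p'
    ObjectName = 'LocalSystem'
}

function Get-ServiceRegistryConfig {
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Name = $Name; Present = $false }
    }
    $p   = Get-ItemProperty -Path $key
    $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    $exe = $null; $signed = $null
    if ($p.ImagePath) {
        # Drop quotes and arguments ("-k netsvcs -p") to get the host executable.
        $expanded = [Environment]::ExpandEnvironmentVariables($p.ImagePath)
        $exe = ($expanded -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        if (Test-Path $exe) { $signed = (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid' }
    }
    [pscustomobject]@{
        Name = $Name; Present = $true; Start = $p.Start; ImagePath = $p.ImagePath
        ObjectName = $p.ObjectName; ServiceDll = $dll; HostExe = $exe; Signed = $signed
    }
}

function Test-ServiceConfig {
    param([Parameter(Mandatory)][string]$Name, [string]$Description = '')
    $cfg = Get-ServiceRegistryConfig -Name $Name
    $findings = @()
    if (-not $cfg.Present) {
        $findings += 'registry key missing'
    } else {
        if ($cfg.Start -eq 4) { $findings += 'Start=4 (Disabled)' }
        foreach ($path in @($cfg.HostExe, $cfg.ServiceDll) | Where-Object { $_ }) {
            $x = [Environment]::ExpandEnvironmentVariables($path).Trim('"')
            if ($x -notlike "$env:SystemRoot\*" -and $x -notlike "$env:ProgramFiles\*" -and
                $x -notlike "$env:ProgramData\Microsoft\*") {
                $findings += "binary outside system locations: $x"
            }
        }
        if ($cfg.Signed -eq $false) { $findings += "host binary not validly signed: $($cfg.HostExe)" }
    }
    $svc    = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status } else { 'not registered' }
    [pscustomobject]@{
        Name        = $Name
        Description = $Description
        Status      = $status
        Start       = $cfg.Start
        ServiceDll  = $cfg.ServiceDll
        Findings    = ($findings -join '; ')
    }
}

# 1. One row per service, with findings.
$services.GetEnumerator() |
    ForEach-Object { Test-ServiceConfig -Name $_.Key -Description $_.Value } |
    Format-Table -AutoSize -Wrap

# 2. Field-by-field comparison of wuauserv with the expected default.
$wu = Get-ServiceRegistryConfig -Name 'wuauserv'
foreach ($field in $wuauservBaseline.Keys) {
    if ("$($wu.$field)" -ne "$($wuauservBaseline[$field])") {
        Write-Warning "wuauserv $field is '$($wu.$field)', expected '$($wuauservBaseline[$field])'"
    }
}
```

A service whose registry key is missing or whose ImagePath points outside the Windows or Program Files trees is the pattern the thread calls a "fake service"; the signature check catches a replaced svchost.exe or MsMpEng.exe even when the path looks normal, because catalog-signed Windows binaries return a Valid status from Get-AuthenticodeSignature.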

Good Morning @AdvancedSetup
Scan Completed. Log Attached.

- Well, first of all, when I entered Safe Mode the screen was black with some text about Safe Mode on top. I didn't see my usual anime background, but I think that's part of it. When I double-clicked the registry entry, it didn't work, so I clicked it again and it worked. It asked me if I'm sure I want to put it in the registry and I clicked Yes. I restarted the PC again into Normal Mode and ran the scan. Surprisingly, it only lasted a few minutes compared to 40 minutes last time (didn't have time to take a short nap). Everything ran well. Files are still here, games are okay, the sh*tty processing speed of my PC is still the same... Some slight changes occurred.

FSS.txt


  • Root Admin

Good morning @Maestro

Well, the good news is that the Windows Update service is now operational again.

I'm not sure we can do much about the speed of the computer, but let me get a new set of logs from Farbar again now that Windows Updates are enabled again.

FRST.TXT
ADDITION.TXT

 

Thank you

 


  • Root Admin

Let me have you run another updated FIXLIST

Once the fix has been completed, please attach the FIXLOG.TXT file as well as new Farbar logs  FRST.TXT & ADDITION.TXT

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE: It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Edited by AdvancedSetup
Updated information

  • Root Admin

 

Your DNS Servers: 192.168.254.254

 

Please consider changing your default DNS Server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

  • Google Public DNS: IPv4   8.8.8.8 and 8.8.4.4   IPv6   2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4   1.1.1.1 and 1.0.0.1   IPv6   2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4   208.67.222.222 and 208.67.220.220  IPv6  2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4   84.200.69.80 and 84.200.70.40   IPv6  2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

 

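The post above recommends moving off the router's resolver (192.168.254.254) to one public DNS provider. The PowerShell below is an added example, not from the thread: it reports which resolvers each active adapter actually uses and flags anything that is neither the router nor one of the four providers listed, checks the two places a DNS hijack typically hides (a static NameServer value in the TCP/IP interface keys and extra entries in the hosts file), and provides a function that switches the active adapters to a single provider and verifies resolution through it. The allow-list, the router address and the Cloudflare default are this example's inputs, and www.malwarebytes.com is only a sample hostname for the check. The Set-* part needs an elevated prompt.

```powershell
# Added example, not from the thread. Report each active adapter's resolvers,
# flag unexpected ones, look for registry/hosts-file overrides, and optionally
# switch to one public provider from the post. Run elevated for Set-PublicDns.

# Allow-list = the four providers in the post; $router is the gateway address
# the thread's logs showed. Both are this example's inputs.
$allowed = @('8.8.8.8', '8.8.4.4', '1.1.1.1', '1.0.0.1',
             '208.67.222.222', '208.67.220.220', '84.200.69.80', '84.200.70.40')
$router  = '192.168.254.254'

function Get-DnsReport {
    foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
        $srv = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses)
        $unexpected = @($srv | Where-Object { $_ -notin $allowed -and $_ -ne $router })
        if     ($srv.Count -eq 0)       { $verdict = 'no IPv4 resolver configured' }
        elseif ($unexpected.Count -gt 0) { $verdict = "UNEXPECTED: $($unexpected -join ', ')" }
        elseif ($srv -contains $router) { $verdict = 'router resolver; set a public one per the post' }
        else                             { $verdict = 'public resolver' }
        [pscustomobject]@{ Adapter = $nic.Name; Index = $nic.ifIndex; Servers = ($srv -join ', '); Verdict = $verdict }
    }
}

# Static NameServer values in the registry (a common hijack location) and
# hosts-file entries, which bypass the resolver entirely.
function Get-DnsOverrides {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $base) {
        $ns = (Get-ItemProperty -Path $iface.PSPath).NameServer
        if ($ns) { [pscustomobject]@{ Source = "registry $($iface.PSChildName)"; Entry = $ns } }
    }
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch 'localhost' } |
        ForEach-Object { [pscustomobject]@{ Source = 'hosts file'; Entry = $_.Trim() } }
}

function Set-PublicDns {
    # Defaults to Cloudflare; pass -Servers to choose another single provider.
    param([string[]]$Servers = @('1.1.1.1', '1.0.0.1'))
    foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
        Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $Servers
    }
    Clear-DnsClientCache
    # Sanity check through the new resolver (sample hostname).
    Resolve-DnsName -Name 'www.malwarebytes.com' -Type A -Server $Servers[0] | Select-Object Name, IPAddress
}

Get-DnsReport    | Format-Table -AutoSize
Get-DnsOverrides | Format-Table -AutoSize
# Set-PublicDns   # apply once the report is understood; undo with
#                 # Set-DnsClientServerAddress -InterfaceIndex <n> -ResetServerAddresses
```

A resolver that is neither the router nor a chosen public provider, or a NameServer value on an interface that is otherwise DHCP-configured, is worth raising in the thread before changing it, since it tells you where the redirection was made.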

  • Root Admin

Do you own your own ROUTER?

 

Please ensure that you have the user manual for your router. Then perform a factory reset IF you own your own router.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

 

Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2 using AES encryption, or enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address, or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the Router Firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set Firewall rules to BLOCK TCP and UDP ports 135 to 139, 445, 1234, 3389 and 5555.
  • Document passwords created and store them in a safe but accessible location.

 

 


  • Root Admin

Something continues to change your AutoConfig settings and we've not found it.

We remove it, but on reboot it comes back.

Let me have you run the following antivirus scan and see if they can find it.

 

You will need to send them an email for the download link; please do so.

Sophos Scan & Clean

Download Sophos Free Virus Removal Tool and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please close all other open applications and Do Not use your PC whilst the scan is in progress... This scan is very thorough so it may take several hours to complete, please be patient...

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your next reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result...

The Virus Removal Tool scans the following areas of your computer:

  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable

Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Please attach that log on your next reply

Thank you

 

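The post above says the AutoConfig settings are cleaned and then come back after a reboot. The PowerShell below is an added example, not from the thread or from any of the tools it uses: it inventories every Windows location that holds the proxy auto-config (PAC) URL and proxy settings a "HijackAutoConfig" detection refers to, including the machine-wide WinHTTP proxy and a hash of the per-connection binary blob, saves that inventory to a file, and diffs two snapshots taken before and after a reboot so the exact value that reappears is on record. The registry paths and value names are the standard Internet Settings locations; the C:\Monitor file names are this example's assumption. Run it as the affected user, from an elevated prompt for the HKLM and WinHTTP parts.

```powershell
# Added example, not from the thread. Inventory the PAC/proxy settings,
# snapshot them to JSON, and diff two snapshots (before/after reboot).

$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$names = 'AutoConfigURL', 'AutoDetect', 'ProxyEnable', 'ProxyServer', 'ProxyOverride'

function Get-ProxyConfig {
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-ItemProperty -Path $k
        foreach ($n in $names) {
            $v = $item.$n
            if ($null -ne $v -and "$v" -ne '') {
                [pscustomobject]@{ Key = $k; Name = $n; Data = "$v" }
            }
        }
    }
    # The per-connection binary blob also carries the PAC URL; hash it so a
    # rewrite shows up even when the readable values look unchanged.
    $conn = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    $blob = (Get-ItemProperty -Path $conn -ErrorAction SilentlyContinue).DefaultConnectionSettings
    if ($blob) {
        $sha  = [System.Security.Cryptography.SHA256]::Create()
        $hash = ([BitConverter]::ToString($sha.ComputeHash([byte[]]$blob))) -replace '-', ''
        [pscustomobject]@{ Key = $conn; Name = 'DefaultConnectionSettings'; Data = "sha256=$hash len=$($blob.Length)" }
    }
    # Machine-wide WinHTTP proxy, used by services such as Windows Update.
    $winhttp = (((netsh winhttp show proxy) -join ' ') -replace '\s+', ' ').Trim()
    [pscustomobject]@{ Key = 'winhttp'; Name = 'proxy'; Data = $winhttp }
}

function Save-ProxySnapshot {
    param([Parameter(Mandatory)][string]$Path)
    Get-ProxyConfig | ConvertTo-Json -Depth 3 | Set-Content -Path $Path
}

function Compare-ProxySnapshot {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    $a = @(Get-Content -Path $Before -Raw | ConvertFrom-Json)
    $b = @(Get-Content -Path $After  -Raw | ConvertFrom-Json)
    Compare-Object -ReferenceObject $a -DifferenceObject $b -Property Key, Name, Data |
        Select-Object @{ n = 'State'; e = { if ($_.SideIndicator -eq '=>') { 'after' } else { 'before' } } },
                      Key, Name, Data
}

function Clear-AutoConfig {
    # Removes the PAC URL everywhere and disables the manual proxy in the
    # user and machine keys. Expect it to return until the writer is found;
    # the before/after diff is what shows exactly what came back.
    foreach ($k in $keys) {
        if (Test-Path $k) { Remove-ItemProperty -Path $k -Name AutoConfigURL -ErrorAction SilentlyContinue }
    }
    foreach ($k in $keys[0..1]) {
        Set-ItemProperty -Path $k -Name ProxyEnable -Value 0 -Type DWord
    }
    netsh winhttp reset proxy | Out-Null
}

# Usage (file names are this example's assumption):
#   Save-ProxySnapshot -Path C:\Monitor\proxy-before.json
#   ... reboot ...
#   Save-ProxySnapshot -Path C:\Monitor\proxy-after.json
#   Compare-ProxySnapshot -Before C:\Monitor\proxy-before.json -After C:\Monitor\proxy-after.json
Get-ProxyConfig | Format-Table -AutoSize -Wrap
```

Keep the snapshot files outside the browser profile and temp folders, since the FRST fix earlier in the thread empties those; the diff output is also the natural thing to paste into the next reply.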

  • Root Admin

Please save the attached file FIXLIST.TXT to the same folder as the Farbar program.

Then run Farbar with Admin rights and click on the FIX button @Maestro

When the fix is done (it should be very quick) it will create a new log called FIXLOG.TXT, please attach that file to your next reply.

fixlist.txt

Thanks

 


  • Root Admin

I think we're going to need to use SYSMON from Microsoft to try to locate what is calling this.

You can download SYSMON from Microsoft
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

 

This may possibly be a bit over your head, but you can download it too for possible reference.

The Windows Sysmon Logging Cheat Sheet - Jan 2020.pdf

https://www.malwarearchaeology.com/s/Windows-Sysmon-Logging-Cheat-Sheet_Jan_2020-g7sl.pdf

 


Please visit this site

https://github.com/olafhartong/sysmon-modular

Then download this file. You can right-click and Save-As from this link below too. Clicking the link will open the raw file.

https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml


 

 

 

Then I would personally create a new folder to place these items in so that they're in their own new folder such as C:\Monitor

Then you'll want to increase the size of your Security Event Log to  512MB. If you need help with that, let me know.
The entry would be 512000


 

 

 

Once that is all set and all the files in place in C:\Monitor you'd start an elevated admin command prompt and run the following command.

CD C:\Monitor
sysmon.exe -accepteula -c sysmonconfig.xml

 

 

Please give that a try or if you have questions, please ask

 

Thanks

 

 

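The post above installs Sysmon with the sysmon-modular configuration to find what keeps rewriting the AutoConfig setting. The PowerShell below is an added example, not from the thread, from Sysinternals or from the sysmon-modular project: it sizes the event logs and then queries Sysmon for the registry writes (Event ID 13, RegistryEvent Value Set) that touch the Internet Settings AutoConfigURL value, reporting the writing process, and walks that process's parent chain through Event ID 1 (Process Create) records so a generic writer such as rundll32.exe or powershell.exe is tied to the scheduled task, service or installer that launched it. Sysmon's own events go to the Microsoft-Windows-Sysmon/Operational channel, so the example sizes that channel to 512 MB alongside the Security log the post mentions. It assumes the loaded configuration logs value sets under Internet Settings; if the query returns nothing after the setting has reappeared, add a TargetObject rule for that path to sysmonconfig.xml. Run it from an elevated prompt.

```powershell
# Added example, not from the thread. After Sysmon is installed with the
# sysmon-modular config, size the logs, list which process writes the
# AutoConfig value, and walk each writer's parent chain. Run elevated.

# 512 MB (in bytes) for the Sysmon channel and the Security log.
wevtutil sl Microsoft-Windows-Sysmon/Operational /ms:536870912
wevtutil sl Security /ms:536870912

function ConvertFrom-SysmonEvent {
    # Flatten <EventData><Data Name="..."> into a hashtable keyed by field name.
    param([Parameter(Mandatory)]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{ TimeCreated = $Event.TimeCreated }
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Get-SysmonRegistryWriters {
    # Event ID 13 records whose TargetObject matches $Pattern (wildcards).
    param([string]$Pattern = '*Internet Settings*', [int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13
                 StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = ConvertFrom-SysmonEvent -Event $e
        if ($d.TargetObject -like $Pattern) {
            [pscustomobject]@{
                Time = $d.TimeCreated; Image = $d.Image; ProcessId = $d.ProcessId
                ProcessGuid = $d.ProcessGuid; User = $d.User
                Target = $d.TargetObject; Details = $d.Details
            }
        }
    }
}

function Get-SysmonProcessChain {
    # Follow ParentProcessGuid through Event ID 1 records, up to $Depth levels.
    param([Parameter(Mandatory)][string]$ProcessGuid, [int]$Depth = 6, [int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
                 StartTime = (Get-Date).AddHours(-$Hours) }
    $byGuid = @{}
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = ConvertFrom-SysmonEvent -Event $e
        if ($d.ProcessGuid) { $byGuid[$d.ProcessGuid] = $d }
    }
    $g = $ProcessGuid
    for ($i = 0; $i -lt $Depth -and $null -ne $g -and $byGuid.ContainsKey($g); $i++) {
        $d = $byGuid[$g]
        [pscustomobject]@{ Level = $i; Image = $d.Image; CommandLine = $d.CommandLine; ParentImage = $d.ParentImage }
        $g = $d.ParentProcessGuid
    }
}

# Usage: list the writers of AutoConfigURL, then expand each distinct writer's chain.
$writers = @(Get-SysmonRegistryWriters -Pattern '*Internet Settings\AutoConfigURL')
$writers | Format-Table Time, Image, ProcessId, User, Details -AutoSize -Wrap
foreach ($guid in ($writers | Select-Object -ExpandProperty ProcessGuid -Unique)) {
    "--- process chain for $guid"
    Get-SysmonProcessChain -ProcessGuid $guid | Format-Table -AutoSize -Wrap
}
```

Because the setting comes back on reboot, run the query after the next restart with -Hours covering the boot; a chain that ends at services.exe or svchost.exe (the Task Scheduler host) points at a service or scheduled task as the persistence, which is what the next fixlist would need to target.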

This topic is now closed to further replies.