HELP!!! 15 REINSTALLS COUNTLESS VIRUS SCANS STILL HACKED MITRE ATT&CK T1059



Hello

I will guide you along in looking for remaining malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to exit it while this case is ongoing.

I will need to review your set of reports before I make a next reply. Thanks for your patience, in advance. Just do not make changes on your own.


A) When was ESET first installed?

B) Did this PC have McAfee before installing ESET?

C) What is the stuff about with the output of registry entries regarding McProxy.DLL?? I'm presuming (?) that that DLL is a leftover from McAfee.

D) Gotta have a copy of this log from the Microsoft Safety Scanner run. Please find it and then attach it for my review.
Windows\debug\msert.log

Please attach that log with your reply. 


also ran sfc\ * (all tests)

DISM (ALL)

CHKDSK /F/R/X

ON ALL DRIVES INCLUDING X:

BOOT/FIXBOOT

DISKPART CLEAN ---TOTAL SYSTEM

DISKPART PARTITIONS 

INSTALL UBUNTU - KALI ON NONE NAME PARTITIONS- THEY CRASHED

INSTALL DIFFERENT WINDOW OS'S DOWNLOADED FROM OTHER COMPUTERS AND AN MANUFACTURERS COPY

RAN TAILS OS TO TRY THAT.

WIPED BOOTDRIVE

WROTE ZEROS TO HD, CHANGE TO FATEX (FAT32), GP

INSTALL NEW WINDOW RE

*******NOTE******

POWERSHELL, CMD AND RECOVERY CMD. DO NOT LOAD AS ADMIN, IT SAYS ADMINISTRATOR POWERSHELL OR CMD BUT LOADS TO C:/USERS--USERNAME--

 

WHOAMI COMMAND PRINTS OUT THE USER'S NAME.

 

HOPE THIS HELPS


McAfee was installed on the system from the manufacturer. I had a very hard time uninstalling it today, as it would not ever allow me to shut McAfee Core down in services.msc. ESET I tried today, as Malwarebytes would not turn on at all over the past few days. Yet today it found issues.

Anything that is installed onto the system that is "anti virus", as soon as they are run, a copy of them is installed into appdata/local/remote/admin/windows/appdata/ then a bunch of numbers///. The website "bleepingcomputers" will not even load. I have the JSON files of "html" scripts that it ran for Edge, and watched it mutate for Brave, Firefox, Opera...

I have been going at this for days, picking it apart and gaining ground each day, but I am wiped; I have been 70 hours at this in the past week. As for the Microsoft Safety Scanner run, it will not load or run; it is not in services.msc, and it states in the Windows Security console that it requires an app to run this program.... (that is new)


@--reset--  IF that thread on Bleepingcomputer is by you, be sure to tell me so & I will have to close it there.  One must not have 2 different forums working on the same machine !!!

and do NOT do anything more on your own as far as this machine.  You have done way too much on your own.

WAIT for my next reply.


This machine has a "restriction" such that there is no Windows Update. That will be cleared by this next custom-script-run.
The major items flagged by the Microsoft Safety scanner were some contents of the Cache for the Brave browser.
This run will clear the Cache for Brave and for EDGE browsers.
This will rebuild the Winsock and do some rechecking with SFC & DISM.
This will remove 2 scheduled tasks for "McAfee" and remove some leftover "McAfee" folders.
Other than those, I am not seeing real, or actual "malicious malware" !!

This custom script is for the --reset-- machine only / for this machine only.

  • Please save the attached file named FIXLIST.txt to the DESKTOP folder

Fixlist.txt (attached)

Please be sure to close any open work files, documents, and any apps you started yourself before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.

We will use FRST64.exe on the DESKTOP folder to run a custom script. The system will be rebooted after the script has run.

Start the Windows Explorer and then go to the DESKTOP folder.

RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run.

  • If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.
  • On the FRST window: click the Fix button just once, and wait.

PLEASE have patience when this starts. You will see a green progress bar start. Lots of patience. Please attach the Fixlog.txt with your next reply.

Edited by Maurice Naggar

Thanks for sending the Fixlog. That run is good. This here is what needs to be done next.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off .... be sure that line's radio-button selection is all the way to the left. Thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

Do a custom scan with Microsoft Defender Antivirus

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on , and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, in the Windows Security section, click on the grey button Open Windows Security.

Now, click on the shield Virus and threat protection.

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options. Look down the list and see "Check for Updates".

You should click on that to have the system check for updates for Windows Defender. Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options. Click that & select CUSTOM scan & then pick the C drive & have it go forward.

Once it has started the scan phase, you can go take a long break.   Let me know the results.
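For anyone following this thread later, here is an added PowerShell equivalent of the two checks above (Security Center registration and the Defender status/custom scan). It is not the helper's own instruction set; it uses the built-in Defender cmdlets, and the productState decoding is the commonly used reading of that undocumented bitfield, which is an assumption here.

```powershell
# Added verification helper, not part of the forum thread.
# Assumes Windows 10/11 with the Defender module present; run from an elevated PowerShell.

function Get-AvRegistrationReport {
    # Security Center's list of registered AV products. Malwarebytes should NOT
    # appear here once "Always register ... in the Windows Security Center" is Off.
    # productState (assumed decoding): bit 0x1000 = product enabled, bit 0x10 = definitions out of date.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            $state = [int]$_.productState
            [pscustomobject]@{
                Product  = $_.displayName
                StateHex = ('0x{0:X6}' -f $state)
                Enabled  = (($state -band 0x1000) -ne 0)
                UpToDate = (($state -band 0x10) -eq 0)
            }
        }
}

function Test-DefenderReady {
    # The "visual check" from the thread: is Defender on, real-time protection on,
    # and how old are the signatures?
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $s.AntivirusEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        SignatureAgeDays          = $s.AntivirusSignatureAge
        LastFullScanEnd           = $s.FullScanEndTime
    }
}

function Start-DefenderCustomScan {
    param([string]$Path = 'C:\')
    # Equivalent of "Check for updates" followed by Scan options -> Custom scan -> C:\.
    Update-MpSignature
    Start-MpScan -ScanType CustomScan -ScanPath $Path     # blocks until the scan finishes
    # Anything found during this or earlier scans, for posting back to the thread.
    Get-MpThreatDetection |
        Select-Object InitialDetectionTime, ProcessName, DomainUser, Resources
}

Get-AvRegistrationReport | Format-Table -AutoSize
Test-DefenderReady
# Start-DefenderCustomScan -Path 'C:\'   # uncomment to launch the (long-running) scan
```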

Edited by Maurice Naggar

I can send you the Trusted Installer not installed, or the firewall that will not run. I can also send the Azure back door that is being used to access my system using Business Hello Face, and even the program that started the reinstall of over 76 programs that it has embedded itself into over the past 12 hours. I do not know much about RDP, but I was able to capture some traffic via Wireshark and WinRM in cmd; I just do not know how to log onto a "server".

I have all the info but have never done it and cannot find any walkthroughs. If possible I would like to assess the IIS and, if running to Azure this way, I can put a stop to this.

I do apologize if I am coming off rude; I do not mean to in any way. I am thankful for all your help, and hopefully can share this information with others. I had already completed the steps that you requested during my week of fighting this beast, and was really hoping your script would work :(.

Remote logins started and have not stopped no matter what I try. I have sandboxed, well, map-blocked every file and folder that I can find, and the virus and back doors keep coming in. Some programs will not allow me to even click on them, like Calculator, but if I go to the location of the file, I can see items like this (about_Calculated_Properties.help.txt) full of scripts I can run... I am not sure if that is normal; I never noticed before.

Would you like to see the logs again I will re run them if so.

 

Thank you 

 

|--RESET-->
