Jump to content

Malware bytes kept blocking k6027.eu, removed the thing doing it, what now?


Recommended Posts

Hi,

 

So I've been a fool by recklessly downloading cracked software I quickly needed. Soon after the installation malwarebytes kept blocking a windows powershell connection to k6027.eu. I did some research and saw that previously people were recommended to run the Malwarebytes adware remover. I did that, and now it has stopped giving the pop ups. But it was an iso file and the ''dvd station'' is still active and I'm wondering if it managed to do anything to my system even thought the connection was blocked. I uninstalled the apps it installed too, but not sure what to do now. Should I delete the iso file, or should i keep it there for inspection by someone else?

Link to post
Share on other sites

Hello @dadoda and :welcome::

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file in your next reply to this topic.

Thank you.

Link to post
Share on other sites

  • Root Admin

Please run the following fix

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program location:   C:\Users\Danim\Downloads\FRSTEnglish.exe

 

Please download the attached fixlist.txt file and save it to C:\Users\Danim\Downloads folder
NOTE. It's important that both files, C:\Users\Danim\Downloads\FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run the Farbar program with Admin rights.  C:\Users\Danim\Downloads\FRSTEnglish.exe  Then click on the FIX button and wait for the clean up to complete. It may take up to an hour.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named (Fixlog.txt) in the folder C:\Users\Danim\Downloads  Please attach the file on your next reply

 

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

  • Root Admin

Thank you for the log. It found and fix a few issues

Windows Resource Protection found corrupt files and successfully repaired them.

 

Please go ahead and run the following 3rd party AV

 

 

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen chose if you want to send anonymous data and if you want to provide feedback or not, then click Continue
  • When prompted for scan type, Click on the Full Scan button
  • Enable  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false postive, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

 

Link to post
Share on other sites

  • Root Admin

Please run the following

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

image.png

image.png

image.png

 

Thank you

 

 

Link to post
Share on other sites

One other thing I noticed yesterday when removing the installed apps and sorting by install date was that window said Onedrive was installed on that day. I find that weird because it was installed a long time ago. Makes me wonder if the virus did something to it.

image.png

Link to post
Share on other sites

  • Root Admin

Microsoft updates and re-installs OneDrive often. You need to uninstall all references to it if you don't want it.

You can provide me the link to VirusTotal though not needed.

 

Please uninstall, update, or otherwise address the following as appropriate for your system.

 

Discord v.1.0.9006 Warning! Download Update
GNU Privacy Guard v.2.3.8 Warning! Download Update
Git v.2.38.1 Warning! Download Update
Gpg4win (4.0.4) v.4.0.4 Warning! Download Update
Java 8 Update 311 (64-bit) v.8.0.3110.11 Warning! Download Update  Uninstall old version and install new one (jre-8u351-windows-x64.exe).
Mozilla Firefox (x64 en-US) v.108.0.1 Warning! Download Update
NVIDIA GeForce Experience 3.26.0.154 v.3.26.0.154 Warning! Download Update
Notepad++ (64-bit x64) v.8.4.6 Warning! Download Update
Python 3.10.8 (64-bit) v.3.10.8150.0 Warning! Download Update
Python 3.8.10 (64-bit) v.3.8.10150.0 Warning! Download Update
REAPER (x64) v.6.66 Warning! Download Update
qBittorrent 4.4.0 v.4.4.0 Warning! Download Update

---------------------------- [ UnwantedApps ] -----------------------------
reMarkable v.2.12.1 Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it

 

Once that has completed, please restart the computer. Then check for Windows Updates and install any security updates found.

 

 

Link to post
Share on other sites

https://www.virustotal.com/gui/file/4460dd8114b5609ea4e9644a659de0f5b188696d27dc8846d633628b3ade7c31/details

https://www.virustotal.com/gui/file/4d1ef869c4bddeccc318939ea2651ce5a3fc2e369ba44a2e24cb9b102ef2be19/detection

 

These are the 2 thing I ran from the Iso file. They show up clean on the initial scan but in relations and behavior the malware shows up. Okay will do!

Link to post
Share on other sites

I did some research and checked the behavior and its not that the initial file is infected, but it goes through many steps before getting the final payload. One of the comments on virus total on the file mentioned it contained remcos rat. I googled a bit for that and what happened was indeed what was described. It was described as a first file not being infected, but after that going through many steps via powershell to eventually get the rat in the final step. Malwarebytes was constantly blocking a connection from powershell to a site so it makes sense. 

Also check the relations, comments and behaviour tabs on virus total and the VM results, theres more info there.

 

Link to post
Share on other sites

It was also almost definitely this file because its the first times in years I have downloaded something not from a official developer. It was minutes after the installation of those files that malware bytes started blocking that connection so it can't really be anything else. It seems like they just have very sophisticated defence evasion. 

Link to post
Share on other sites

Also in execution parents there is a file called viottobinder, turns out that is a piece of software sold by the same people that sell remcos rat, so that would also make sense 

 

Just installed the updates, will now restart and check windows update

image.png

Link to post
Share on other sites

  • Root Admin

Great, please run the following

 

Please download the following tool

Farbar Service Scanner and run it on the computer with the issue
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/

 

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click "Scan"

It will create a log (FSS.txt) in the same directory the tool is run.
Please attach the log to your next reply.

 

Link to post
Share on other sites

  • Root Admin

Unless there is something else, or you're still seeing signs of an infection we look to be all clean here now.

If you are still seeing an issue, please let me know, otherwise, please run the following

 

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

Link to post
Share on other sites

One more question before I do that, a friend of mine recommended that I ran Rkill and see if it terminated any suspicious processes. It gave me this back:

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 

and

 

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\ProgramData\Jackett\JackettService.exe (PID: 7860) [AU-HEUR]
 * C:\ProgramData\Jackett\JackettConsole.exe (PID: 11156) [AU-HEUR]
 * C:\Users\Danim\AppData\Local\Programs\restart-manager\Restart Manager.exe (PID: 22220) [UP-HEUR]
 * C:\Users\Danim\Downloads\FSS.exe (PID: 9628) [UP-HEUR]

 

The one I marked red is unknown to me, and is the windows defender check suspicious? 

Link to post
Share on other sites

I would also prefer to keep the logs just in case, maybe if some weird things happen soon it might be interesting to have them. Is there also anyway you could shortly describe to me what was done/undone? Or would that take to much of your time. I think it would be valuable and educational for me to know.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.