Hijack.AutoConfigURL.PrxySvrRST + Backdoor.Farfli

[Maurice Naggar]

Be real sure that the account you are logged into Windows has Administrator-level rights. That is a must. I would like you to run this next quick custom run with Farbar. This is a quick run to remove a un-needed/un-wanted account “defaultuser0”. This run DOES involve a reboot/restart.

Please Close all open work.

Farbar program location:   C:\Users\Vartotojas\Downloads\FRSTEnglish.exe

Please download the attached fixlist.txt file and save it to C:\Users\Vartotojas\Downloads

Fixlist.txt

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Right-click on  FRSTENGLISH and select

Run as Administrator

and reply YES to allow to go forward

and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

[Destro]

I have managed to do a clean boot as well as run the fixlist, the log is posted below.

Fixlog.txt

[Maurice Naggar]

Thank you for the log. Take a few minutes to do this new scan.

Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan.

Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

( 2 )

Temporarily disable Microsoft SmartScreen to download the next software below 

I would recommend getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here

and save the tool on the desktop.

                   If Windows's  SmartScreen block that with a message-window, then
                         Click on the MORE INFO spot and over-ride that and allow it to proceed.

                             This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

( 3 )

 

I also would appreciate this report:

Download   Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

• Internet Services
  Windows Firewall
  System Restore
  Security Center/Action Center
  Windows Update
  Windows Defender
  Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.   Please attach that file.  

Edited February 5, 2023 by Maurice Naggar
modified to add 2 other reports

[Destro]

Malwarebytes was successfully updated, and the scans ran without any issues

Malwarebytes report.txt FSS.txt SecurityCheck.txt

[Maurice Naggar]

Thank you for these reports. There are 2 applications that need your attention.

WinRAR 6.02 (64-bit) v.6.02.0   Warning! Download Update

Discord v.1.0.9008   Warning! Download Update

[Destro]

I have updated both applications

[Maurice Naggar]

Thank you. Now a suggestion:

Your current DNS Servers: 192.168.1.254

Please consider changing your default DNS server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

Pick just one of these 4 providers. And be aware that you need to modify 1 time for IPv4 & a 2nd pass for IPv6

• Google Public DNS: IPv4   8.8.8.8 and 8.8.4.4   IPv6   2001:4860:4860::8888 and 2001:4860:4860::8844
• Cloudflare: IPv4   1.1.1.1 and 1.0.0.1   IPv6   2606:4700:4700::1111 and 2606:4700:4700::1001
• OpenDNS: IPv4   208.67.222.222 and 208.67.220.220  IPv6  2620:119:35::35 and 2620:119:53::53
• DNSWATCH: IPv4   84.200.69.80 and 84.200.70.40   IPv6  2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

 

 

Edited February 8, 2023 by AdvancedSetup
Corrected font issue

[Destro]

I have previously done all of those steps, and going back to it shows that my IPv4 and IPv6 are still the ones provided by Cloudflare and that everything is in order.

[Maurice Naggar]

Hi. Thanks. I believe your system is all good-to-go. This here is to cleanup tools I had you use. 

Temporarily disable Microsoft SmartScreen to download the next software below Let's go ahead and do some clean-up work and remove the tools and logs we've run.
Please download KpRm by kernel-panik and save it to your desktop.

• right-click kprm_(version).exe and select Run as Administrator.
• Read and accept the disclaimer.
• When the tool opens, ensure all boxes under Actions are checked.
• Under Delete Quarantines select Delete Now, then click Run.
• Once complete, click OK.
• A log will open in Notepad titled kprm-(date).txt.
• You may attach that file to your next reply. (not compulsory)

When all done, you may go back to turn ON the EDGE Smartscreen protection.

Let me know if you need other help.
Sincerely.

[Destro]

After downloading and putting the application to the desktop and running as administrator, the KpRm application does not seem to open or run at all

[Maurice Naggar]

Temporarily disable Microsoft SmartScreen 

Be sure you have done that. Then give it another try to run KPRM

[Destro]

I downloaded it whilst having SmartScreen disabled, it still does not work, even when I try to re-download the application from another browser.

[Maurice Naggar]

I am sorry for your trouble. Delete the kprm exe file.

We can proceed with cleanup of tools we used.

To remove the FRSTENGLISH tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select

RENAME

& then change it to

UNINSTALL.exe

.
Then run that ( double click on it) to begin the cleanup process.

Delete mb-support-1.8.7.918.exe
Delete mbst-grab-results.zip on the Desktop.
Delete FSS.exe
Delete Securitycheck.exe
Delete MSERT.exe
Delete KVRT.exe
Delete Esetonlinescanner.exe

Adwcleaner you may keep and use as needed.
Any other download file I had you download, you may delete.
Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

I am marking this case for closure. I am glad to have worked with you.
I wish you all the best. Stay safe.
Sincerely.

Maurice

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you