Kidiron Posted July 20, 2023 ID:1578642 Share Posted July 20, 2023 i have a rat on my pc idk what to do i sent my farbar recovery scan files please help me FRST.txt Addition.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 20, 2023 ID:1578664 Share Posted July 20, 2023 Hello I will guide you along on looking for actual malware. Lets keep these principles as we go along. We will be running trusted known scanning tools to look for malwares. Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to. Do not run online games while case is on-going. Do not do any free-wheeling web-surfing. The removal of malware isn't instantaneous, please be patient. Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure. Please stick with me until I give you the "all clear". If your system is running Discord, please be sure to Exit out of it while this case is on-going. Link to post Share on other sites More sharing options...
Kidiron Posted July 20, 2023 Author ID:1578665 Share Posted July 20, 2023 Alright Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 20, 2023 ID:1578666 Share Posted July 20, 2023 (edited) Take these actions so that Windows 11 is set to show all hidden files and folders. Open File Explorer from the taskbar. Select View > Show > Hidden items. Select View → Show → File name extensions Malwarebytes can detect and remove most malware with no further actions required for free. Please download, install, update Malwarebyteshttps://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows and do a Threat Scan with Malwarebytes https://support.malwarebytes.com/hc/en-us/articles/360038984773 and post back the log as shown below. Then, locate the Scan run report; export out a copy; & then attach in with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4 This is ony just round 1. We will do much more later. Edited July 20, 2023 by Maurice Naggar amended to have proper links 1 Link to post Share on other sites More sharing options...
Kidiron Posted July 20, 2023 Author ID:1578667 Share Posted July 20, 2023 I’m scanning rn but I have these two processes open and they look suspicious I looked it up and it said it was a Trojan Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 20, 2023 ID:1578669 Share Posted July 20, 2023 If that is Task Manager screen or other look-see application, please EXIT all such apps. Let the Malwarebytes do its scan. We use known trusted scanners to look for infectious malware. Have much patience. Kindly follow my leads. Link to post Share on other sites More sharing options...
Kidiron Posted July 20, 2023 Author ID:1578670 Share Posted July 20, 2023 Yessir Link to post Share on other sites More sharing options...
Kidiron Posted July 20, 2023 Author ID:1578671 Share Posted July 20, 2023 SCAN.txt Link to post Share on other sites More sharing options...
Kidiron Posted July 20, 2023 Author ID:1578672 Share Posted July 20, 2023 My scan finished I sent it Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 20, 2023 ID:1578673 Share Posted July 20, 2023 Continue to have patience. I am doing a full review of your reports. Do not do anything on your own without asking me first. I will be working up a custom-run. 1 Link to post Share on other sites More sharing options...
Kidiron Posted July 20, 2023 Author ID:1578674 Share Posted July 20, 2023 My windows defender actually works now it’s not saying it admin has limited access Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 20, 2023 ID:1578675 Share Posted July 20, 2023 Please run the following custom script. Read all of this before you start. NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It removes a VBS file which is the most likely source of problem. It removes the Process Hacker 2 which is flagged as a Riskware. It will attempt to run some scans with Microsoft Defender antivirus. It will attempt to clear Cache files of web browsers. It will attempt to clear temporary file areas. Depending on the speed of your computer this fix may take 50-55 minutes or more. Please Close all open work before you actually do begin this run. Farbar FRST64 program location: Downloads folder. The tool is already on system. That is what we will use. Please download the attached fixlist.txt file and save it to Downloads Fixlist.txt <- < - - - - NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work. Right-click with your mouse on FRST64 and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important. next, press the Fix button just once and wait. You will see a green-color scroll display while FRST is running. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply. Note: If the tool warned you about an outdated version please download and run the updated version. The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply. NOTICE: For potential outside readers, This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm. Link to post Share on other sites More sharing options...
Kidiron Posted July 20, 2023 Author ID:1578676 Share Posted July 20, 2023 done i dont think it was proccess hacker though Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 20, 2023 ID:1578678 Share Posted July 20, 2023 The main thing that seems to have been a suspected threat was C:\ProgramData\LaunchOSDonce.vbs, which has been removed. Now we do some scanning with known antivirus checking tools. As a next step, I suggest the following: This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool. ESET Onlinescanner checks for viruses, other malware, adwares, & potentially unwanted applications. This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe It will start a download of "esetonlinescanner.exe" Save the file to your system, such as the Downloads folder, or else to the Desktop. Go to the saved file, and double click it to get it started. When presented with the initial ESET options, click on "Computer Scan". Next, when prompted by Windows, allow it to start by clicking Yes When prompted for scan type, Click on CUSTOM scan and select C drive to be scanned Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button. Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours. At screen "Detections occurred and resolved" click on blue button "View detected results" On next screen, at lower left, click on blue "Save scan log" View where file is to be saved. Provide a meaningful name for the "File name:" On last screen, set to Off (left) the option for Periodic scanning Click "save and continue" Please attach the report file so I can review Link to post Share on other sites More sharing options...
Kidiron Posted July 20, 2023 Author ID:1578681 Share Posted July 20, 2023 UHMMMMM IS THIS BAD Link to post Share on other sites More sharing options...
Kidiron Posted July 20, 2023 Author ID:1578682 Share Posted July 20, 2023 So many of those alerts Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 20, 2023 ID:1578686 Share Posted July 20, 2023 Did you start the ESET Online scan? If not, please do so. Disregard those messages about that driver. Do the ESET scan. Link to post Share on other sites More sharing options...
Kidiron Posted July 20, 2023 Author ID:1578687 Share Posted July 20, 2023 Yep it’s done scanning now Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 20, 2023 ID:1578689 Share Posted July 20, 2023 Did you save a report from ESET ? What was its result ? Link to post Share on other sites More sharing options...
Kidiron Posted July 20, 2023 Author ID:1578690 Share Posted July 20, 2023 Oh I didn’t save it it said no virus detected your safe I can run it again and save the log if you need Link to post Share on other sites More sharing options...
Kidiron Posted July 20, 2023 Author ID:1578694 Share Posted July 20, 2023 done eset.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 20, 2023 ID:1578699 Share Posted July 20, 2023 That did not take a whole of time. The Eset result is good. The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand. This link is for the 64-bit version of MSERT.exe . Be sure you save the file firsthttps://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan. That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well Launch MSERT.exe Accept the agreement terms of Microsoft Select CUSTOM scan Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned. Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be. Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is on the log-report-file. This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.) The log is named MSERT.log the log will be at Windows\debug\msert.log Please attach that log with your reply It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection. That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not. Link to post Share on other sites More sharing options...
Kidiron Posted July 20, 2023 Author ID:1578702 Share Posted July 20, 2023 Btw if you need to know I was ratted and then I reset windows twice+ deleted everything and I think I was still ratted cause command prompt kept opening every time I restarted my computer Link to post Share on other sites More sharing options...
Kidiron Posted July 20, 2023 Author ID:1578706 Share Posted July 20, 2023 finished msert.log Link to post Share on other sites More sharing options...
Kidiron Posted July 21, 2023 Author ID:1578708 Share Posted July 21, 2023 Many hours it only took 30mins? Link to post Share on other sites More sharing options...
Recommended Posts