hoxton Posted November 26, 2023 ID:1601808 (edited)
Hi, Malwarebytes found some infections and they were successfully removed, but I am unable to remove a trojan that keeps trying to access a website. RegAsm.exe is constantly trying to make the connection and Malwarebytes is blocking it, but I want to remove it / make sure there are no additional threats. By reading some other similar threads I've already attached the Gather Logs of the Malwarebytes MBST Support Tool. Thank you in advance!
mbst-grab-results.zip
Edited November 26, 2023 by AdvancedSetup: Corrected font issue
Root Admin AdvancedSetup Posted November 26, 2023 ID:1601817
Hello @hoxton
ATTENTION: System Restore is disabled (Total:474.48 GB) (Free:343.35 GB) (72%)
Please enable System Protection and create a NEW System Restore Point
Turn On or Off System Protection for Drives in Windows 11
https://www.elevenforum.com/t/turn-on-or-off-system-protection-for-drives-in-windows-11.3598/
Create System Restore Point in Windows 11
https://www.elevenforum.com/t/create-system-restore-point-in-windows-11.3602/
I'll be back in a few minutes with some other steps to run
Root Admin AdvancedSetup Posted November 26, 2023 ID:1601818
Also, please empty your Recycle Bin. Windows Defender is finding a Trojan in there
Root Admin AdvancedSetup Posted November 26, 2023 ID:1601821
Please run the following fix
NOTE: Please read all of the information below before running this fix.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.
Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply
Farbar program: FRSTEnglish.exe
Save the attached file: FIXLIST.TXT to this folder C:\Users\andry\Downloads\
NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.
Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.
Run the Farbar program with Admin rights and press the Fix button just once and wait. The fix may possibly take up to 60 minutes to complete
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.
NOTE: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.
The following directories are emptied:
Windows Temp
Users Temp folders
Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
Recently opened files cache
Discord cache
Java cache
Steam HTML cache
Explorer thumbnail and icon cache
BITS transfer queue (qmgr*.dat files)
Recycle Bin
Important: items are permanently deleted. They are not moved to quarantine.
If you have any questions or concerns please ask before running this fix.
The system will be rebooted after the fix has run.
fixlist.txt
Thanks
hoxton Posted November 26, 2023 Author ID:1601834
Hi, thanks! I've run the fix and this is the log produced by Fixlog.txt
Root Admin AdvancedSetup Posted November 26, 2023 ID:1601838
Thank you for the log. Please run the following
Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop. (Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)
Download: Kaspersky Virus Removal Tool https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe
How to run a scan with Kaspersky Virus Removal Tool 2020 https://support.kaspersky.com/15674
How to run Kaspersky Virus Removal Tool 2020 in the advanced mode https://support.kaspersky.com/15680
How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan https://support.kaspersky.com/15681
Select the Windows Key and R Key together, the "Run" box should open.
Drag and Drop KVRT.exe into the Run Box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.
add -dontencrypt
Note the space between KVRT.exe and -dontencrypt
C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.
Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.
To start the scan select OK in the "Run" box.
A EULA window will open, tick all confirmation boxes then select "Accept"
In the new window select "Change Parameters"
In the new window ensure all selection boxes are ticked, then select "OK"
The scan should now start...
When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"
When complete, or if nothing was found select "Close"
Attach the report information as previously instructed...
Thank you
hoxton Posted November 27, 2023 Author ID:1601861
Done! I have to report that after the previous stage with your fixlist file some RTP Detections were still found, unfortunately.
report_2023.11.27_07.25.48.klr.txt
Root Admin AdvancedSetup Posted November 27, 2023 ID:1601865
It did not find anything that was live, active. Just older stuff from the system.
You will need to send Sophos an email to obtain the download link. Please do so. The interface may have changed some from the instructions below, but please try to run it and post back the log when done.
Sophos Scan & Clean
Download Sophos Free Virus Removal Tool and save it to your desktop.
If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
Please close all other open applications and Do Not use your PC whilst the scan is in progress...
This scan is very thorough so it may take several hours to complete, please be patient...
Double click the icon and select Run
Click Next
Select I accept the terms in this license agreement, then click Next twice
Click Install
Click Finish to launch the program
Once the virus database has been updated click Start Scanning
If any threats are found click Details, then View log file... (bottom left hand corner)
Attach the results in your next reply
Close the Notepad document, close the Threat Details screen, then click Start cleanup
Click Exit to close the program
If no threats were found please confirm that result...
The Virus Removal Tool scans the following areas of your computer:
Memory, including system memory on 32-bit (x86) versions of Windows
The Windows registry
All local hard drives, fixed and removable
Mapped network drives are not scanned.
Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.
Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs
Please attach that log on your next reply
Thank you
hoxton Posted November 27, 2023 Author ID:1601994
Thank you
SophosScanAndClean_20231128_0019.log
Root Admin AdvancedSetup Posted November 27, 2023 ID:1601999
Thank you for the log. Sophos was not certain. Please find and upload the following file to https://virustotal.com and have them scan it, please. Then post back the URL link for the detection
C:\WINDOWS\system32\esimtool.exe
hoxton Posted November 28, 2023 Author ID:1602123
https://www.virustotal.com/gui/file/5fa4f78f01d6b4de79fe03dc18ab70dcbe095f04b044ad720385e4a83ecf62e2
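A defender-side triage helper for the two checks this thread turns on: the RegAsm.exe connection alerts from the first post, and the VirusTotal lookup of esimtool.exe just above. This is an added example, not code from the thread or from any of the tools it uses; it assumes a Windows host with PowerShell 5.1 or later and the built-in NetTCPIP module, and the function names are my own.

```powershell
# Added example: list every running instance of a process name with its parent,
# command line, live outbound connections and Authenticode status. RegAsm.exe
# legitimately ships under %WINDIR%\Microsoft.NET\Framework[64]\v*\, so an
# instance running from elsewhere, or launched by an unexpected parent, is the
# thing worth handing to an analyst rather than just letting Web Protection block it.
function Get-ProcessTriage {
    param([Parameter(Mandatory)] [string] $ProcessName)   # e.g. 'RegAsm.exe'

    $procs = Get-CimInstance Win32_Process -Filter "Name = '$ProcessName'"
    foreach ($p in $procs) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        # Only sockets that are actually talking out; listeners are not of interest here.
        $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
                 Where-Object { $_.State -in 'Established', 'SynSent' }
        [pscustomobject]@{
            Pid         = $p.ProcessId
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'n/a' }
            Remote      = ($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '
            Signature   = if ($p.ExecutablePath) { (Get-AuthenticodeSignature $p.ExecutablePath).Status } else { 'unknown' }
        }
    }
}

# Added example: signer, signature status and SHA-256 of a file, plus the
# VirusTotal URL keyed on that hash, so the reputation check can be done without
# uploading the file (the thread's esimtool.exe step).
function Get-FileVerdictInfo {
    param([Parameter(Mandatory)] [string] $Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{
        Path       = $Path
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
        SigStatus  = $sig.Status
        Sha256     = $hash
        VirusTotal = "https://www.virustotal.com/gui/file/$hash"
    }
}

# Usage for this thread's two questions (run from an elevated prompt so that
# Win32_Process exposes command lines and paths for every process).
Get-ProcessTriage  -ProcessName 'RegAsm.exe' | Format-List
Get-FileVerdictInfo -Path 'C:\Windows\System32\esimtool.exe' | Format-List
```

For a file that is a genuine Windows component, SigStatus reads Valid with a Microsoft signer and the SHA-256 matches the hash in the VirusTotal URL the poster pasted above; a mismatch or an unsigned binary in System32 is what would justify escalating rather than closing the case.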
Root Admin AdvancedSetup Posted November 29, 2023 ID:1602261
Thank you. That shows as safe.
Please run the following @hoxton
SecurityCheck by glax24
I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications. CheckSecurity is a utility for quickly checking for the presence of vulnerable applications
Temporarily disable Microsoft SmartScreen to download the software
Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
If SmartScreen blocks the file from running click on More info and Run anyway
This tool is safe. Smartscreen is overly sensitive. You can check the VirusTotal scan of the tool from here
Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward
Wait for the scan to finish. It will open a text file named SecurityCheck.txt
Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
Items checked:
User Account Control (UAC).
Service pack.
IE version.
Automatic OS update.
Sets of critical KB patches when updating is disabled.
Antivirus, firewall, other security utilities.
Versions of Java, Oracle Virtualbox.
Version of Adobe Flash Player, Adobe AIR.
Versions of Adobe Reader, Acrobat Reader DC, Foxit Reader.
Versions of media players (iTunes, AIMP, foobar2000).
Versions of messengers (Skype, Pidgin).
Versions of installed browsers (Chrome, Opera, Firefox, Yandex, SeaMonkey).
Versions of mail programs (The Bat, Thunderbird).
Checking running processes and security program services
Searching for installed Adware programs and optimizer programs (More than 5000).
Thank you
hoxton Posted November 29, 2023 Author ID:1602264
SecurityCheck.txt
Root Admin AdvancedSetup Posted November 29, 2023 ID:1602308 (Solution)
Please uninstall, update, or otherwise address the following as appropriate for your computer.
Google Drive v.1.0 Warning! Download Update
Telegram Desktop v.4.10.2 Warning! Download Update
VLC media player v.3.0.18 Warning! Download Update
Are you still getting the Alert or seeing Regasm running on the system anymore?
hoxton Posted November 30, 2023 Author ID:1602397
No, I'm not seeing any activity anymore
hoxton Posted November 30, 2023 Author ID:1602404
I'm sorry, from the logs you've seen so far, is it possible that through this hacking they stole credentials for access to PayPal, Amazon and so on? Because from the sites that I mention they try to buy things and services, and for PayPal for example the transaction came from my hacked PC but I have not done anything.
Root Admin AdvancedSetup Posted November 30, 2023 ID:1602531 (edited)
Yes, unfortunately that is the fallout of such an attack.
How To Recover Your Hacked Email or Social Media Account
https://consumer.ftc.gov/articles/how-recover-your-hacked-email-or-social-media-account
PayPal support https://www.paypal.com/us/cshelp/personal
Amazon support https://www.amazon.com/gp/help/customer/display.html
For a paid password manager 1Password is one of the best https://1password.com/
For a free password manager Bitwarden is considered one of the better ones https://bitwarden.com/
For more advanced users Keepass is one of the best password managers but does not offer the same Cloud conveniences as others https://keepass.info/
Help prevent Identity Theft in the future
Malwarebytes does offer Identity Theft Protection https://www.malwarebytes.com/identity-theft-protection
Tips to help protect from infection https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/
Edited November 30, 2023 by AdvancedSetup: Updated information
Root Admin AdvancedSetup Posted November 30, 2023 ID:1602532
Let's go ahead and do some clean-up work and remove the tools and logs we've run.
Please download KpRm by kernel-panik and save it to your desktop.
right-click kprm_(version).exe and select Run as Administrator.
Read and accept the disclaimer.
When the tool opens, ensure all boxes under Actions are checked.
Under Delete Quarantines select Delete Now, then click Run.
Once complete, click OK.
A log will open in Notepad titled kprm-(date).txt. Please attach that file to your next reply. (not compulsory)
Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/
Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security
Malwarebytes Browser Guard
Google Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee
Microsoft Edge: https://support.malwarebytes.com/hc/en-us/articles/4413298736787-Install-Malwarebytes-Browser-Guard-on-Microsoft-Edge-browser
Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/
uBlock Origin
Google Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm
Microsoft Edge: https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak
Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin
Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog https://blog.malwarebytes.com/
Hopefully, we've been able to assist you with correcting your system issues. Thank you for using Malwarebytes
hoxton Posted December 3, 2023 Author ID:1602970
kprm-20231203180538.txt
Hi, sorry for the late reply and thank you so much for the help so far and for the tips. Last question: is it possible that all the passwords that I have saved in my Google Account have been violated?
Root Admin AdvancedSetup Posted December 3, 2023 ID:1603010
Yes, it's possible. There are numerous methods of attack on browsers to exfiltrate the passwords. I do not know if they were or not.
Consider switching to Firefox browser or Brave browser
To be safe I would stop using the Browser to store passwords. When it asks say no, and start using a dedicated Password Manager and use 2FA/MFA (Multi Factor Authentication) when possible.
Unless there is something else I can assist you with we should be done here now and I'll close your topic soon.
Take care and stay safe out there
Cheers @hoxton
hoxton Posted December 3, 2023 Author ID:1603012
Thank you so much for helping!
Maurice Naggar Posted December 23, 2023 ID:1607066
Glad we could help.
If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.
Please review the following to help you better protect your computer and privacy
Tips to help protect from infection
Thank you