Tw0d33 Posted April 11 ID:1629265

Hey MWB,

I had a distant relation message me about a game project, which required opening a RAR file. Upon clicking it I was logged out of Discord and charged $100 for a fraudulent Discord Nitro subscription. I've gone down my password manager and reset every password that comes with a billing option (although I was an idiot and did some of them on the same computer) as well as enabling 2FA everywhere I could.

Norton, Malwarebytes, and Kaspersky all turned up nothing (I'm currently running a full scan of Microsoft Safety Scanner, and will update with its findings). Where do I go from here?

JSntgRvr Posted April 11 ID:1629267

Please download Farbar Recovery Scan Tool and save it to your desktop.
Please rename FRST.EXE or FRST64.EXE to FRSTEnglish.exe

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

Double-click to run it. When the tool opens click Yes to disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

Tw0d33 Posted April 11 Author ID:1629272

Thanks for the prompt response! They're here: Addition.txt FRST.txt

JSntgRvr Posted April 11 ID:1629273

The FRST report is incomplete. Please scan again.

Tw0d33 Posted April 11 Author ID:1629276

8 minutes ago, JSntgRvr said: "The FRST report is incomplete. Please scan again."

I ran it a second time after the first scan and got these: Addition.txt FRST.txt

JSntgRvr Posted April 11 ID:1629279

There is nothing of interest in those logs.

Download the enclosed file Fixlist.txt
Save it in the same location FRST64.exe is saved (FRSTEnglish.exe)
Start FRST (FRST64) with Administrator privileges
This time around, press the Fix button and wait
When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
Please attach this file in your next reply.

Update your software: SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
If Microsoft SmartScreen blocks the download, click through to save the file
This tool is safe. SmartScreen is overly sensitive.
If SmartScreen blocks the file from running click on More info and Run anyway
Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward
Wait for the scan to finish. It will open a text file named SecurityCheck.txt
Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Thank you.

Tw0d33 Posted April 11 Author ID:1629285

The FixList is still working, but here are my security check logs: SecurityCheck.txt

Tw0d33 Posted April 11 Author ID:1629286

Here we go, reran as Administrator: Fixlog.txt

JSntgRvr Posted April 11 ID:1629293

Proceed as indicated.

--------------------------- [ OtherUtilities ] ----------------------------
Microsoft 365 - en-us v.16.0.17425.20146 Warning! Download Update
How Install Office updates?
NVIDIA GeForce Experience 3.27.0.112 v.3.27.0.112 Warning! Download Update
Microsoft Visual Studio Code (User) v.1.84.2 Warning! Download Update
Notepad++ (32-bit x86) v.8.4.8 Warning! Download Update
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.34.31938 v.14.34.31938.0 Warning! Download Update
OpenOffice 4.1.13 v.4.113.9810 Warning! Download Update
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.34.31938 v.14.34.31938.0 Warning! Download Update
------------------------------ [ ArchAndFM ] ------------------------------
7-Zip 22.01 (x64) v.22.01 Warning! Download Update
Uninstall old version and install new one.
------------------------------- [ Imaging ] -------------------------------
GIMP 2.10.30 v.2.10.30 Warning! Download Update
IrfanView 4.58 (64-bit) v.4.58 Warning! Download Update
-------------------------- [ IMAndCollaborate ] ---------------------------
Discord v.0.0.309 Warning! Download Update
Zoom v.5.16.2 (22807) Warning! Download Update
---------------------------- [ UnwantedApps ] -----------------------------
Driver Easy 5.7.0 v.5.7.0 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering. Computer experts no longer recommend this program.
Bonjour v.2.0.2.0 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.
AppNHost 1.0.5.1 v.1.0.5.1 Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware and Malwarebytes AdwCleaner. Before uninstallation and scanning it is necessary to consult in the forum where cure is provided for you!!!
----------------------------- [ End of Log ] ------------------------------

How is the computer doing afterwards?

Tw0d33 Posted April 11 Author ID:1629298

I've followed all these instructions. I've noticed my computer doing things like opening some windows and closing others, but I suspect this may be Microsoft Safety Scanner, which was shut down by the Fixlog program and which I just set to work again.

It does seem to be noticing a ton of infected files, however: I plan on letting it finish its scan, then I'm going to restart with all those updates pending.

Tw0d33 Posted April 11 Author ID:1629311

The system seems to be running reasonably smoothly upon a fresh restart. Nothing terribly out of the ordinary. I did get login attempts to some of my passwords, so it looks like the spree of changing passwords and enabling 2FA was well-warranted, however. Is it safe to log back into Discord et al on my main computer?

JSntgRvr Posted April 11 ID:1629382

Re-scan with FRST64 and post new logs.

Tw0d33 Posted April 11 Author ID:1629403

1 hour ago, JSntgRvr said: "Re-scan with FRST64 and post new logs."

They're attached here: FRST.txt Addition.txt

I received a Discord message from the hacker trying to extort me for more money, though I'm not sure that there's actually anything left that he can do.

Tw0d33 Posted April 11 Author ID:1629408

And here's the fresh fixlog: Fixlog.txt

JSntgRvr Posted April 11 ID:1629477

Download the enclosed file Fixlist.txt
Save it in the same location FRST64.exe is saved (FRSTEnglish.exe)
Start FRST (FRST64) with Administrator privileges
This time around, press the Fix button and wait
When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
Please attach this file in your next reply.

Attach the resulting reports as requested.

Tw0d33 Posted April 11 Author ID:1629520

Just an update that it's been "fix in progress" for about an hour. The progress bar is moving, though, so it's working.

Tw0d33 Posted April 11 Author ID:1629545

It looks like the process terminated because it took more than 60 minutes? At least I'm seeing that in the log. Fixlog.txt

Tw0d33 Posted April 11 Author ID:1629548

Here we go, I got all the way through to the restart now. Fixlog_2.txt

JSntgRvr Posted April 12 ID:1629560

My fault.

Download the enclosed file Fixlist.txt
Save it in the same location FRST64.exe is saved (FRSTEnglish.exe)
Start FRST (FRST64) with Administrator privileges
This time around, press the Fix button and wait
When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
Please attach this file in your next reply.

I guess you will need to rename your screen-name, or close the account. He already has your account name.

Fixlist.txt

Tw0d33 Posted April 12 Author ID:1629570

To clarify, this is the account name for my Windows computer, Microsoft, Discord?

JSntgRvr Posted April 12 ID:1629571

No, that is for a Boo Boo I did on my previous fix.

JSntgRvr Posted April 12 ID:1629572

The rename for the account is for Discord.

Tw0d33 Posted April 12 Author ID:1629574

1 minute ago, JSntgRvr said: "The rename for the account is for Discord."

Okay, thank you -- I have already changed my passwords from another device and enabled two-factor, which should have reset access from all devices after he webhooked me. I haven't had any more crazy purchases on Discord, but I'll ask for an account rename to be safe.

I accidentally just ran the fix without the new list, rerunning it now.

Tw0d33 Posted April 12 Author ID:1629576

9 minutes ago, JSntgRvr said: "No, that is for a Boo Boo I did on my previous fix."

Here's the latest fixlog. :) Fixlog.txt