Recent Posts

Pages: 1 [2] 3 4 ... 10
11
Malware removal help / Re: Possibly infected with a Bitcoin farmer malware
« Last post by Dyav on August 20, 2018, 04:27:50 pm »
Here they are
12
Malware removal help / Re: Possibly infected with a Bitcoin farmer malware
« Last post by Curson on August 20, 2018, 04:03:41 pm »
Hi Dyav,

Welcome to Adlice.com Forum.
If you do not use Teamviewer, please uninstall it.

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
Regards.
13
Malware removal help / Possibly infected with a Bitcoin farmer malware
« Last post by Dyav on August 20, 2018, 09:58:58 am »
Hi!! So some days ago my computer started acting really weird, there was a constant use of the CPU in the task manager (30% more or less) and my internet just seemed to stopped working, or at least it worked for some minutes after start and then it just kept loading pages indefinitely, I thought it to be a internet problem, but on my other devices it was just fine.. So I did a quickscan with Malwarebytes and it detected ASKTOOLBARINSTALLER-ORJ-SPE[1].7Z and [2].7Z and MicrosoftRuntimeUpdate.vbe in Appdata/Roaming/libraries, looking it up I found people saying it was a bitcoin miner malware, which made sense for how my PC was behaving, anyway I quarantined it and restarted, but the problem was still there, CPU used without anything running and no internet (nothing was showing up in Task Manager either). There were also two processes that autoran on start called 'Microsoft Runtime' and 'Microsoft Runtime Update' starting from that file, that I found in CCleaner.
Anyway I started panicing and tried to use RogueKiller, ComboFix and AdwCleaner in that order, the problem seemed to be fixed after RogueKiller, but I ran the other ones too, I'll leave the logs

I'm asking here to know how I could have get infected and if there may be still something left on my PC, if it can help I think I had this for a long time and only recently it started to completely stop my internet connection, indeed I used to see a chrome.exe process using a lot of CPU in the background even tho I didn't even start it (I use Firefox), I thought it was Chrome trying to update and kept closing the process manually, eventually I tried uninstalling and reinstalling Chrome but nothing changed, after some time this stopped happening with chrome.exe and the same thing was happening with firefox.exe and if I tried to kill the process my Firefox would still run normally, which was really suspicious.
Let me know!! Bye (:
14
RogueKiller / Re: RK has found 6 Threats. How do I send them for analysis?
« Last post by Curson on August 18, 2018, 04:21:22 pm »
Hi Absolute Novice,

Welcome to Adlice.com Forum.
Could you please attach RogueKiller JSON report with your next reply ?

To export a report, go to the "History" tab, then to the "Scan Reports" section.
There, do a double click on the first entry, then click on the "Export json" button and save it on your desktop.

To attach it with your message, click on the "Attachments and other options" link, then on the "Attach" button and select the JSON file.

Regards.

Note : This thread has been moved to the "RogueKiller" section for clarity.
15
RogueKiller / RK has found 6 Threats. How do I send them for analysis?
« Last post by Absolute Novice on August 17, 2018, 08:50:11 pm »
Please help.
16
Hi terpy,

We are going to check your system for rootkits.
  • Please download TDSSKiller and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.



  • Check Loaded Modules and Detect TDLFS file system
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.



  • Click Start Scan and allow the scan process to run.
    If threats are detected select Skip for all of them unless I instruct you otherwise.
  • Click Continue



  • Click Reboot computer
Please attach the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.

Regards.
17
Well, it seems my internet speeds are still pretty slow (19mpbs down, 29mpbs up wireless, whereas my phone gets 119 down and 64 up), which might be an issue with my ISP, last time I called them they didn't have any answers for me though. Also, for some reason my search feature still doesn't work - it doesn't search for applications but just folders and random files, but the computer itself seems to be running alright. It was never really that slow, I was just worried because my credit card had been compromised so I wanted to be sure my PC was clean.

Do you have any idea what could be causing my internet speeds to be so low on only my PC?

Thanks again for all the help.
18
Hi terpy,

Don't worry about it.
How is your system running now ?

Regards.
19
Hi Curson, thank you for the thorough response! Sorry it took me a while to get back, I had to leave unexpectedly for a day. I've run the fix command, which produced the following log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.08.2018
Ran by Shane (12-08-2018 11:33:20) Run:1
Running from C:\Users\Shane\Desktop\Security  Tools
Loaded Profiles: Shane (Available Profiles: Shane & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
S1 netfilter2; system32\drivers\netfilter2.sys [X]
AV: Avast Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Spybot - Search and Destroy (Disabled - Out of date) {A16C3F68-9280-E053-1818-342707FECF4D}
AS: Avast Antivirus (Disabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus (Disabled) {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
AlternateDataStreams: C:\ProgramData:482EE99B1E21CE8C [217]
AlternateDataStreams: C:\ProgramData:F92137B1307D3B14 [217]
AlternateDataStreams: C:\WINDOWS\SwUSB.exe:AGC

AlternateDataStreams: C:\Users\All Users:482EE99B1E21CE8C [217]
AlternateDataStreams: C:\Users\All Users:F92137B1307D3B14 [217]
AlternateDataStreams: C:\ProgramData\Application Data:482EE99B1E21CE8C [217]
AlternateDataStreams: C:\ProgramData\Application Data:F92137B1307D3B14 [217]
AlternateDataStreams: C:\ProgramData\TEMP:CB0AACC9 [286]
[-HKLM\SYSTEM\CurrentControlSet\Services\45837EB55DEAE840]
C:\WINDOWS\system32\drivers\45837EB55DEAE840.sys
CMD: net user 12FA1BE483FC47BA9482 /delete
EmptyTemp:
*****************

Processes closed successfully.
"HKLM\System\CurrentControlSet\Services\netfilter2" => removed successfully
netfilter2 => service removed successfully
"AV: Avast Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}" => removed successfully
"AS: Spybot - Search and Destroy (Disabled - Out of date) {A16C3F68-9280-E053-1818-342707FECF4D}" => removed successfully
"AS: Avast Antivirus (Disabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}" => removed successfully
"FW: avast! Antivirus (Disabled) {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}" => removed successfully
C:\ProgramData => ":482EE99B1E21CE8C" ADS removed successfully
C:\ProgramData => ":F92137B1307D3B14" ADS removed successfully
C:\WINDOWS\SwUSB.exe => ":AGC" ADS removed successfully
"C:\Users\All Users" => ":482EE99B1E21CE8C" ADS not found.
"C:\Users\All Users" => ":F92137B1307D3B14" ADS not found.
"C:\ProgramData\Application Data" => ":482EE99B1E21CE8C" ADS not found.
"C:\ProgramData\Application Data" => ":F92137B1307D3B14" ADS not found.
C:\ProgramData\TEMP => ":CB0AACC9" ADS removed successfully
HKLM\SYSTEM\CurrentControlSet\Services\45837EB55DEAE840 => not found
"C:\WINDOWS\system32\drivers\45837EB55DEAE840.sys" => not found

========= net user 12FA1BE483FC47BA9482 /delete =========

The command completed successfully.


========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 6053888 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 24446948 B
Java, Flash, Steam htmlcache => 156997395 B
Windows/system/drivers => 15769326 B
Edge => 1482240 B
Chrome => 415121840 B
Firefox => 8768464 B
Opera => 9691872 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 5438 B
LocalService => 0 B
NetworkService => 0 B
NetworkService => 0 B
Shane => 1133756826 B
Administrator => 140029 B

RecycleBin => 4684409710 B
EmptyTemp: => 6 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:59:13 ====
20
Hi terpy,

Welcome to Adlice.com Forum.
Let's begin by answering your questions.
Quote
Upon reviewing them myself, the last two entries in the installed programs section in the additions.txt seem pretty suspect, with them being in other characters.
These are Russian and Chinese Language Packs for Visual Studio. If you don't need them, you can uninstall them.

Quote
Any idea why Avast is still showing up in my security center, even though I uninstalled it quite a while ago? It's not listed in the installed programs section and Revo Uninstaller can't find it either, so I'm not sure what data is still on my PC from them.
It seems Avast Uninstaller did not remove all of Avast items. We will manually remove it with the fixlist below.

Quote
I'm unsure of what the first account listed under "accounts" on the additions.txt file is or when it was even created.
It seems it was generated randomly. It will also be taken care with the fixlist.

Quote
In the FRST.txt drivers section, I'm not entirely sure how the CYREN Inc. drivers got there.
They are part of Iolo System Mechanic.

Quote
Same as above but with the GrdKey (Aktiv Co.) and netfilter2 entries
The first one is an USB Dongle Device Driver, the second one is a leftover and will be removed.

Please uninstall Spybot - Search & Destroy 2.
It's not effective anymore and can conflit with BitDefender and/or ZAM.

Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Regards.
Pages: 1 [2] 3 4 ... 10