(win 7) downloaded a possible rat, help :(

Started by wzynge, February 16, 2021, 05:06:56 PM


wzynge

here's a scan of the files that were having fun on my pc https://www.hybrid-analysis.com/sample/8072e21d2d48c739e7537144820e4985e815e7c1b29fb83f5ba17fc6272f0fc1 not sure if they're actually malware or not, but it's lookin like it. i just want to mention that i was using that program to get an extra day out of trial software from 2001 that isn't available for purchase anymore.

i'm using windows 7 (yes) and microsoft security essentials (yes), i generally don't need to use my antivirus because i don't tend to download random things and run them, but i haven't had the best judgement lately. mse told me three whole days later that it found and stopped 2 trojans (Skeeyah and Dynamer), i had no idea but malwarebytes didn't really pick up anything related to it.

i don't think i've noticed anything too weird happening on my pc, although the other day my pc hardcore lagged and took its sweet time signing me in, and it messed my desktop icons up in the process.

i attached the logs to this post, i'm putting the original malwarebytes log i did last night although i ran malwarebytes a second time afterwards with rootkits enabled but it didn't find anything.

SuperDave

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please download AdwCleaner onto your Desktop.

Before starting AdwCleaner, close all open programs and internet browsers, then double-click on the AdwCleaner icon.



If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
When the AdwCleaner program opens, click on the Scan button as shown below.



AdwCleaner will now start to search for malicious files that may be installed on your computer.
To remove the files that were detected in the previous step, please click on the Clean button.



AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.
Please click on the OK button to allow AdwCleaner to reboot your computer. A log will be produced. Please copy and paste this log in your next reply.
*********************************************
Download and install: Please download Malwarebytes' scanner to your desktop.
Double Click mbam-setup.exe to install the application.

  • It should update automatically if the computer is connected to the internet.
  • Click on Threat Scan and click on Scan Now.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete make sure all the infections have "quarantine" selected in the Action box.
  • Click on "Apply actions". You may be asked to Restart your computer to completely remove the infections.
  • When disinfection is completed you can click on "Copy to Clipboard".
  • Paste the log in your next reply (CTRL+V).
*************************************************
Download Security Check by screen317 from the following link and save it to your desktop.

Security Check

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
Windows 8 and Windows 10 dual boot with two SSD's

wzynge

Quote from: SuperDave on February 17, 2021, 04:04:58 PM
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

hi and thank you for replying, i had already run all three of those and uploaded them as attachments but it looks like they never got approved. i'll paste those attachments below, but i want to add a few things that might help give more info since i think this might be a rootkit, which i've never dealt with before. i'm hoping my files can be saved if that's the case.

first off, between the time i posted this and now, i had installed kaspersky internet cloud on my infected computer and it found that the remote registry service was enabled, but i don't know if that's a normal thing. i had also checked through my chrome extensions since antivirus programs were flagging my chrome folder despite never before doing so, and i found 'google docs offline' had been added by a third party with the permissions to read and modify all data that i copy and paste. i am certain i did not have this extension in the past but i'm not able to see the date it was added, though it's possible that could be unrelated to this specifically. the id is ghbmnnjooekpmoecnnnilnnbdlolhkhi.

i also ran it through app.any.run and noticed under events that it had accessed files in system directories, and read their attributes before overwriting them, which you can see here if you click on process 2212 https://app.any.run/tasks/f87cff4b-f529-4d4a-80cc-b37faa33daba/. i then went through my pc to collect a couple of these files to upload them to virustotal, and while virustotal would claim they're whitelisted by microsoft, all of the related files would be malware. i then went onto a clean windows 7 virtual machine and collected the same files, which then gave me conflicting info.
the file from my infected machine: https://www.virustotal.com/gui/file/83dfd0c119b20aedb07114c9d1cf9ce2dfa938d0f1070256b0591a9e2c3997fa/relations
the file from the virtual machine: https://www.virustotal.com/gui/file/099177552db8cf6fd0997fa4f5eaa670c3305967feee2b6f0d160c611202a99b/detection

anyways, here's the logs. sorry they never uploaded in my original post. adwcleaner had also claimed the chrome extension under "djflhoibgkdhkhhcedjiklpkjnoahfmg" was potentially unwanted, although i removed it at a different time.

# -------------------------------
# Malwarebytes AdwCleaner 8.1.0.0
# -------------------------------
# Build:    02-15-2021
# Database: 2021-01-11.1 (Local)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    02-16-2021
# Duration: 00:00:00
# OS:       Windows 7 Professional
# Cleaned:  1
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted       HKCU\Software\APN PIP

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

  • Delete Tracing Keys
  • Reset Winsock

    *************************

    AdwCleaner[S00].txt - [1490 octets] - [16/02/2021 15:07:26]

    ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

    --

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 2/15/21
    Scan Time: 10:51 PM
    Log File: 6d2f37c4-7023-11eb-9959-00ff423707da.json

    -Software Information-
    Version: 4.3.0.98
    Components Version: 1.0.1157
    Update Package Version: 1.0.36559
    License: Free

    -System Information-
    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: asdfghjkl\user

    -Scan Summary-
    Scan Type: Threat Scan
    Scan Initiated By: Manual
    Result: Completed
    Objects Scanned: 348206
    Threats Detected: 22
    Threats Quarantined: 22
    Time Elapsed: 5 min, 5 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 0
    (No malicious items detected)

    Registry Value: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Data Stream: 0
    (No malicious items detected)

    Folder: 6
    PUP.Optional.PushNotifications.Generic, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, Quarantined, 15847, 838845, , , , , ,
    PUP.Optional.PushNotifications.Generic, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, Quarantined, 15847, 838845, , , , , ,
    PUP.Optional.PushNotifications.Generic, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, Quarantined, 15847, 838845, , , , , ,
    PUP.Optional.PushNotifications.Generic, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, Quarantined, 15847, 838845, , , , , ,
    PUP.Optional.PushNotifications.Generic, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, Quarantined, 15847, 838845, , , , , ,
    PUP.Optional.PushNotifications.Generic, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, Quarantined, 15847, 838845, , , , , ,

    File: 16
    Malware.AI.2780758606, C:\$RECYCLE.BIN\S-1-5-21-2990143310-1962791021-3746467091-1000\$RBFOM69\TRIAL-RESET.EXE, Quarantined, 1000000, 0, 1.0.36559, 0CE2AADC9311EE44A5BF024E, dds, 01097663, E7F45A987AA7BBA0034ACAC76AE64C32, 60721C4D087E2AE9B6167C5F1D574C8297B9C9AEEEE9FD3F456BEFFB4FB896C5
    PUP.Optional.GameHack, C:\PROGRAM FILES\CHEAT ENGINE 7.2\STANDALONEPHASE1.DAT, Quarantined, 477, 393793, 1.0.36559, , ame, , EB339EECEC8AA8C0FD3B08D39799D4D8, 88BB94C3CE727DB13B77ABDBDB75A4C878E91D651692F3618178DEC5BBB7080C
    PUP.Optional.PushNotifications.Generic, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, Quarantined, 15847, 838845, , , , , 41965B23AF95A8B614EAFB55A854DE85, ED001FE6A89E4355A86396799E1D1B8C9BD6E909E4F7F108793BC948C01B309B
    PUP.Optional.PushNotifications.Generic, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\014922.log, Quarantined, 15847, 838845, , , , , 6C8EA5DC0D1A85D3203BA196C7D70008, D78E0878F0A07DF985C21AE5B4584999F4DA6594537589E2A89DF548E6825E23
    PUP.Optional.PushNotifications.Generic, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\014924.ldb, Quarantined, 15847, 838845, , , , , 91D479CD3A5BDF3965EFC8FC224BED98, B6DED8B66C60C2ADFB50738C46CCA973C2A7005D9E8FF6B5F55B7859F632DE0E
    PUP.Optional.PushNotifications.Generic, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, Quarantined, 15847, 838845, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
    PUP.Optional.PushNotifications.Generic, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, Quarantined, 15847, 838845, , , , , ,
    PUP.Optional.PushNotifications.Generic, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, Quarantined, 15847, 838845, , , , , A190444A2050AE7FDB01D7733B9B783D, 9C28A3E309694339BB05D4B29B14E0BEDB62F11E5A870E8CFD0E375B6584FEE3
    PUP.Optional.PushNotifications.Generic, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, Quarantined, 15847, 838845, , , , , 922E3CB0D00CA66E1655794EF57608E4, DDE1578BFF4C18B19F15FDB83F953890CAC6C2171045170D15404B3606FDDBD0
    PUP.Optional.PushNotifications.Generic, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, Quarantined, 15847, 838845, , , , , 08F974EFE9415AECC03FE72572716AE7, 57B912D64E4909F8F74358A15DD9ABC8DF9A2D5488139233439DDB9641D2FB3D
    PUP.Optional.PushNotifications.Generic, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 15847, 838845, 1.0.36559, , ame, , 8C96FDACEE4EB85836CF8914045D3D84, A9C02A20B0374BC4DEEE16F7B0CA56396679F3E7B01A04A13389A6FC989C2128
    PUP.Optional.PushNotifications.Generic, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 15847, 838845, 1.0.36559, , ame, , 8C96FDACEE4EB85836CF8914045D3D84, A9C02A20B0374BC4DEEE16F7B0CA56396679F3E7B01A04A13389A6FC989C2128
    PUP.Optional.PushNotifications.Generic, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 15847, 838845, 1.0.36559, , ame, , 8C96FDACEE4EB85836CF8914045D3D84, A9C02A20B0374BC4DEEE16F7B0CA56396679F3E7B01A04A13389A6FC989C2128
    PUP.Optional.PushNotifications.Generic, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 15847, 838845, 1.0.36559, , ame, , 8C96FDACEE4EB85836CF8914045D3D84, A9C02A20B0374BC4DEEE16F7B0CA56396679F3E7B01A04A13389A6FC989C2128
    PUP.Optional.PushNotifications.Generic, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 15847, 838845, 1.0.36559, , ame, , 8C96FDACEE4EB85836CF8914045D3D84, A9C02A20B0374BC4DEEE16F7B0CA56396679F3E7B01A04A13389A6FC989C2128
    PUP.Optional.PushNotifications.Generic, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 15847, 838845, 1.0.36559, , ame, , 8C96FDACEE4EB85836CF8914045D3D84, A9C02A20B0374BC4DEEE16F7B0CA56396679F3E7B01A04A13389A6FC989C2128

    Physical Sector: 0
    (No malicious items detected)

    WMI: 0
    (No malicious items detected)


    (end)

    --

    Results of screen317's Security Check version 1.014 --- 12/23/15 
    Windows 7 Service Pack 1 x64 (UAC is enabled) 
    Internet Explorer 11 
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Java version 32-bit out of Date!
    Google Chrome (88.0.4324.150)
    Google Chrome (SetupMetrics...)
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamtray.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 30% Defragment your hard drive soon! (Do NOT defrag if SSD!)
    ````````````````````End of Log``````````````````````

wzynge

quick update since i was feeling unsure if i really had an issue or not. after poking around a bit i figured some things looked out of place: a lot of remote desktop/procedure services running, and remote desktop/procedure dlls were injected into nearly, if not all, processes. i checked wireshark and saw something was repeatedly attempting to establish and request something to transfer to a server on ftp related ports, so i checked my ports and among a slew of shady ports being open, i also found 1337 and 13337, although i guess what's especially telling is one shows its foreign address as ingreslock, which is on the same port that keeps requesting a reply in wireshark.

i had also tested more files on my computer vs known good ones. the scan i linked in my last post as the "clean" one was a slight mistake; however, it's the same scenario with a valid signed file. other things i've found had changed were files like notepad, dism, etc. sfc seems to have been tampered with: on a virtual machine it refused to work at all and on my pc it claims things are fine.

at this point i know there is a definite infection and every scanner i have previously tried has been unable to detect a thing. i'm not sure exactly what data it's been trying to get and what it might've possibly gotten already in the span of 3 days, not sure what i should do or if i should even bother doing anything. i haven't been in a situation like this since i was a small kid lol

SuperDave

There is no evidence that your computer is infected. Can you please run a scan with MSE?
Windows 8 and Windows 10 dual boot with two SSD's

Lisa_maree

Research how the software you downloaded to reset the trial works, it does open ports on the computer to allow their server to make changes each time you run the software.

So if you have already uninstalled the program and the ports are still open, then I would use System Restore to take the computer back to before you installed the program.

Then do another test with Wireshark or Gibson Research's "ShieldsUP" and check that those ports are closed.
"You have not lived today until you have done something for someone who can never repay you."
― John Bunyan
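The two port checks discussed in this thread (the poster's look at 1337, 13337 and the ingreslock connection, and Lisa_maree's advice to confirm the ports are closed afterwards) can be made repeatable with a small script. This is an added example, not code from the thread or from any tool named in it; the `netstat -ano` sample, its PIDs and its addresses are constructed.

```python
"""Flag sockets on the ports this thread worried about in `netstat -ano` output.

Added example, not from the thread. SAMPLE_NETSTAT is constructed (PIDs and addresses
are placeholders); the watch list mirrors the ports the poster named: 1337, 13337,
1524 (netstat labels it ingreslock) and FTP (21). Pipe real output in on stdin.
"""
import re
import sys

# A hit alone proves nothing, but it names the PID to look up with `tasklist /fi "PID eq N"`.
WATCH_PORTS = {1337: "1337", 13337: "13337", 1524: "ingreslock (1524)", 21: "ftp (21)"}

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:1337           0.0.0.0:0              LISTENING       3412
  TCP    192.168.1.10:49812     203.0.113.7:1524       SYN_SENT        3412
  TCP    192.168.1.10:49820     203.0.113.7:21         ESTABLISHED     3412
  TCP    0.0.0.0:13337          0.0.0.0:0              LISTENING       2212
  UDP    0.0.0.0:5355           *:*                                    1100
"""

# proto, local addr:port, foreign addr:port, optional state (UDP rows have none), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Turn `netstat -ano` text into socket dicts; header and blank lines are skipped."""
    rows = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        proto, laddr, lport, faddr, fport, state, pid = m.groups()
        rows.append({"proto": proto, "local": laddr, "lport": int(lport), "foreign": faddr,
                     "fport": fport, "state": state or "", "pid": int(pid)})
    return rows

def find_suspicious(rows):
    """(reason, row) pairs: a watched port listening locally or being contacted remotely."""
    hits = []
    for r in rows:
        if r["state"] == "LISTENING" and r["lport"] in WATCH_PORTS:
            hits.append(("listening on " + WATCH_PORTS[r["lport"]], r))
        elif r["fport"].isdigit() and int(r["fport"]) in WATCH_PORTS:
            hits.append(("outbound to " + WATCH_PORTS[int(r["fport"])], r))
    return hits

def pids_to_check(hits):
    """Distinct owning PIDs of the flagged sockets, in ascending order."""
    return sorted({r["pid"] for _, r in hits})

if __name__ == "__main__":
    text = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    for reason, r in find_suspicious(parse_netstat(text)):
        print(f"PID {r['pid']:>5}  {r['proto']} {r['local']}:{r['lport']} -> "
              f"{r['foreign']}:{r['fport']}  {reason}")
```

Run it as `netstat -ano | python check_ports.py` on the machine, then resolve each reported PID to its image with `tasklist`; after a System Restore or uninstall, an empty result on a second run is the "ports are closed" confirmation Lisa_maree describes.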