Twitter Compromised Repeatedly - Scanning To Double Check

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by VoiD, Mar 31, 2017.

  1. VoiD

    VoiD Corporal

    Hi Guys,

    Issue: So I've been having issues with Twitter logins from other parts of the world. I've enabled all security features on the site and changed my password, but just thought I would scan in case. I'm not having problems elsewhere though. I don't get pop-ups or errors of any kind.

    Scans: Scans all went OK, no issues running. They have, however, flagged up some detections I'd like reviewed! Logs are attached :)

    Thanks in advance, I really admire the knowledge & ability you all have!

    Curt
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The only questionable item in your logs is the wtu-secure-search.xml plugin that was added to Firefox. Did you knowingly install this addon?
     
  3. VoiD

    VoiD Corporal

    No. I've had a quick look and it's not listed in the plugins.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, run RogueKiller again and have it fix the below shown on the Files tab:

    ¤¤¤ Files : 1 ¤¤¤
    [PUP.Gen3][File] C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\wtu-secure-search.xml -> Found

    Now run AdwCleaner again and have it delete the below if they still show up:
    ***** [ Files ] *****

    File Found: C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\wtu-secure-search.xml
    File Found: C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\wtu-secure-search.xml
    File Found: C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\wtu-secure-search.xml

    ***** [ Registry ] *****
    Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
    Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
    Key Found: HKU\S-1-5-21-3577686941-3932507594-3676124104-1002\Software\distromatic
    Key Found: HKCU\Software\distromatic
    Key Found: [x64] HKCU\Software\distromatic

    Then reboot your PC and run a new scan with AdwCleaner. Then attach the new log.
     
  5. VoiD

    VoiD Corporal

    Done with no issues:

    RogueKiller deleted:
    ¤¤¤ Files : 1 ¤¤¤
    [PUP.Gen3][File] C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\wtu-secure-search.xml -> Found

    AdwCleaner deleted:
    ***** [ Registry ] *****
    Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
    Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}

    Scanned with AdwCleaner after reboot, log file attached.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's have AdwCleaner remove the below item unless you know what it is for.

    ***** [ Registry ] *****
    Value Found: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [vProt]
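    A read-only PowerShell check, added here and not part of the thread or of RogueKiller/AdwCleaner, that reports whether the artifacts listed in posts 4 and 6 (the Firefox search plugin file, the registry keys and the vProt value under StartupApproved\Run32) are still present; it changes nothing, so it can confirm the cleanup before and after the tools are run. The paths, CLSID and user SID are taken verbatim from the posted logs; the HKU path is the same profile as HKCU while that user is logged on.

```powershell
# Added example: read-only audit for the artifacts named in this thread.
# Nothing is deleted or modified; each present item is reported.
$searchPlugin = 'C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\wtu-secure-search.xml'
$clsid        = '{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}'

# Registry keys from the AdwCleaner output (HKU path uses the provider syntax
# because no HKU: drive is mounted by default).
$registryKeys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\$clsid",
    'HKCU:\Software\distromatic',
    'Registry::HKEY_USERS\S-1-5-21-3577686941-3932507594-3676124104-1002\Software\distromatic'
)

# Startup-approval entry from post 6: a value named vProt under Run32.
$startupKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32'
$startupValue = 'vProt'

$findings = @()

if (Test-Path -LiteralPath $searchPlugin) {
    $findings += [pscustomobject]@{ Type = 'File'; Location = $searchPlugin }
}

foreach ($key in $registryKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Location = $key }
    }
}

if (Test-Path -LiteralPath $startupKey) {
    $run32 = Get-Item -LiteralPath $startupKey
    if ($run32.GetValueNames() -contains $startupValue) {
        $findings += [pscustomobject]@{ Type = 'StartupValue'; Location = "$startupKey [$startupValue]" }
    }
    # List every approved Run32 entry so the user can recognise anything else
    # that auto-starts and question it, as chaslang did with vProt.
    Write-Host "Entries currently under StartupApproved\Run32:"
    $run32.GetValueNames() | ForEach-Object { Write-Host "  $_" }
}

if ($findings.Count -eq 0) {
    Write-Host 'None of the artifacts listed in the thread are present.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell so the HKLM and Program Files locations are readable.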
     
  7. VoiD

    VoiD Corporal

    No idea; I was going to question it but forgot.

    Key deleted, rebooted, scanned again and AdwCleaner found NO threats. :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Cool!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    3. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win 7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • For Windows 8 and 8.1 system restore see this link: Win 8 System Restore - How to enable/disable
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    6. After doing the above, you should work through the below link:
     
  9. VoiD

    VoiD Corporal

    Thanks for your help Chaslang! :)
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
