Followup To Malware Post In Non-specialist Thread

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DarkPhoenixM, Apr 9, 2017.

  1. DarkPhoenixM

    DarkPhoenixM Private E-2

    Hi Guys,

    First I want to thank all of you for helping me in the past. I've implemented lots of basic computer safety features that you all have suggested except for being on a restricted account. I will take this seriously from now on and will look through the updated procedures for what I should be doing to stay safe.

    Would you all please take a look at my logs and the following screenshots?

    Screenshots:

    https://gyazo.com/e526870e5999e5c9da6c72037c9feb08
    https://gyazo.com/bf4df7cd7c78a9da1bfff09a263398b0
    https://gyazo.com/cba84f0c8c2d0069a481bac7031a6098
    https://gyazo.com/9778fdfe50edf0bea07b90fd7c9b4582
    https://gyazo.com/94e770c4dc5f6c88f1af18bd37cd4e32

    The final screenshot shows a txt log, which has text saying "Polled" in it with dates and times. Strange to say the least. Then again, I don't know much about software or why it would be there. The other screenshots show that Malwarebytes was hung up on a thread. It literally stopped executing, so there is something preventing it from working.

    Here is the original post I made in the other section of the forum:

    http://forums.majorgeeks.com/index....om-skype-queued-download.316208/#post-1990013

    Problems:

    1. Flashplayer.hta file tried to drive by download
    2. Router may have been breached/pwned
    3. May have viruses

    Solutions I would like:

    1. "Hardened" Windows 10 OS
    2. "Hardened" router because of said issues
    3. Reliable VPN
    4. Scan and clean cellphones
    5. Remove Skype, EverNote, and BusinessPlan Pro
    6. Customized/hardened rules for PrivateFirewall

    https://gyazo.com/83025b68504d3d4d2d6336fb8012ea5d
    https://gyazo.com/36cf335f9d04ce5cfdd2acbffcfdf715
    https://gyazo.com/1b07f713ead04e76447e3ac96d78a8dc

    Those arrows are on all three programs. I know my Skype was hacked for sure. I clicked this link called Baidu something, which was sent from a person I trusted. We had been talking recently so I thought he sent me a link to help me with learning how to "code" for iOS and Mac.

    I'm so annoyed that I have half a mind to start learning how to be a CyberSecurity researcher / Hacker. All "technical" work is tedious, and no one wants to help you get to a baseline of knowledge, which is why I stopped for a while among other financial reasons.

    The logs are attached.

    If you guys can't help me with hardening my computer and router will you please help point me to some guides? AT&T was very unhelpful and told me I would have to pay like $49 or some subscription etc to get custom firewall rules and make it reject traffic.

    I've run tests on the router with various programs. The router has a baseline of security, but I feel like someone has targeted me now that I've found threats on my computer. Maybe I'm being paranoid.

    Questions:

    Would you tell me what some of the files mean (i.e. what level of pwned I am)?
    Also, asking a second time: would you please point me to guides for the section titled "Solutions I would like" (see top third of post).

    P.S. MalwareBytes hung so I couldn't get logs for it.

    Best,

    Phoenix
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rerun RogueKiller and have it remove these items:

    ¤¤¤ Registry : 3 ¤¤¤
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {8FA5A8E8-F435-411F-9902-2086A00AD3A5} : v2.25|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\remmi\AppData\Local\Temp\7zS4E6E\setup\hpznui40.exe|Name=hpznui40.exe|Desc=C:\Users\remmi\AppData\Local\Temp\7zS4E6E\setup\hpznui40.exe| [x] -> Found

    ¤¤¤ Files : 1 ¤¤¤
    [File.Forged][File] C:\Windows\System32\drivers\agilevpn.sys -> Found

    Reboot and rescan with RogueKiller and attach the new log.
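A defender's check for the kind of firewall rule RogueKiller flagged above, added here as an example that is not part of this thread or of RogueKiller: it parses the FirewallRules registry value format quoted in the log and flags active inbound Allow rules for programs living under a temp directory. The registry path and the first sample rule come from the log; the two comparison rules are constructed.

```python
import re
from typing import Dict, List, Tuple

# Windows keeps each firewall rule under HKLM\System\ControlSet001\Services\SharedAccess\
# Parameters\FirewallPolicy\FirewallRules as one string: a version tag followed by
# '|'-separated Key=Value fields, the shape quoted in the RogueKiller log above.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)

# Sample values: the first is the rule RogueKiller flagged in this thread; the other two
# are constructed here as a benign comparison and a non-Allow rule in the same Temp folder.
SAMPLE_RULES = [
    r"v2.25|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\remmi\AppData\Local\Temp\7zS4E6E\setup\hpznui40.exe|Name=hpznui40.exe|Desc=C:\Users\remmi\AppData\Local\Temp\7zS4E6E\setup\hpznui40.exe|",
    r"v2.25|Action=Allow|Active=TRUE|Dir=In|Profile=Private|App=C:\Program Files\Example\example.exe|Name=example.exe (constructed)|Desc=benign comparison|",
    r"v2.25|Action=Block|Active=TRUE|Dir=In|App=C:\Users\remmi\AppData\Local\Temp\dropper.exe|Name=dropper.exe (constructed)|",
]


def parse_rule(value: str) -> Dict[str, str]:
    """Split one FirewallRules value into a dict; the leading 'vX.Y' tag becomes 'Version'."""
    fields = [f for f in value.split("|") if f]
    rule = {"Version": fields[0]}
    for field in fields[1:]:
        key, _, val = field.partition("=")
        rule[key] = val
    return rule


def suspicious_reasons(rule: Dict[str, str]) -> List[str]:
    """Reasons a rule deserves review. Installers legitimately run from %TEMP%, but the
    rule outlives them, leaving a standing inbound hole for whatever later lands at that path."""
    reasons = []
    if TEMP_DIR.search(rule.get("App", "")):
        reasons.append("program path is under a temporary directory")
    if (rule.get("Action") == "Allow" and rule.get("Dir") == "In"
            and rule.get("Active", "").upper() == "TRUE"):
        reasons.append("active inbound Allow rule")
    # Only the combination is noteworthy; either condition alone is routine.
    return reasons if len(reasons) == 2 else []


def review_rules(values: List[str]) -> List[Tuple[str, List[str]]]:
    """Parse every value and return (rule name, reasons) for the ones worth reviewing."""
    flagged = []
    for value in values:
        rule = parse_rule(value)
        reasons = suspicious_reasons(rule)
        if reasons:
            flagged.append((rule.get("Name", "<unnamed>"), reasons))
    return flagged
```

On a live machine the same values can be read from that registry key and passed to `review_rules`; a flagged rule whose program no longer exists is the usual leftover of an installer run from Temp.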
     
  3. DarkPhoenixM

    DarkPhoenixM Private E-2

    Done exactly as stated. I didn't attempt removing new stuff.

    How pwned am I? Could you help me with my other questions too?
     

    Attached Files: RK2.txt (3.7 KB)
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you have it remove this file:

    ¤¤¤ Files : 1 ¤¤¤
    [File.Forged][File] C:\Windows\System32\drivers\agilevpn.sys -> Found
     

  6. DarkPhoenixM

    DarkPhoenixM Private E-2

    Yes, I sure did have it remove both suggested files, and I rebooted. I followed everything to a T.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    MGTools makes hidden files show.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, Seven, Eight or 10, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
     
  8. DarkPhoenixM

    DarkPhoenixM Private E-2

    Hi guys,

    here's the new log.
     

    Attached Files: JRT.txt (1.4 KB)
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. I suggest you pursue the other issues you have in the software forum.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8 or 10, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work through the below link:
     
