Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

I got phished, worried about a backdoor [Solved]


  • This topic is locked This topic is locked

#1
Captain Smee

Captain Smee

    New Member

  • Member
  • Pip
  • 6 posts

A very clever scam induced me to run an executable file I was tricked into thinking was a legitimate update for TeamSpeak 3 (the sound plugin scam, if any of you are familiar). I realized it was a scam attempting to steal my Steam account moments afterward and promptly ran a fast Malware Bytes scan and then rebooted in safe mode. MalwareBytes detected and deleted something, but I'm worried that it was merely the trojan executable and not what it downloaded onto my machine. I then used Comodo Cleaning Essentials, Avast, and Kaspersky's TDSSKiller kit. None of them detected anything.

 

As far as I'm aware, the trojan runs client32.exe and downloads a remote access program called Ammy Admin renamed to winsvchost. This is all stuff I've heard from other people who were phished.

 

I took care of my passwords, changing them from a separate, uninfected machine, but I'm worried that there might still be a backdoor on this machine. I'm afraid to relog from here. Is there anything more I can do?

 

EDIT: I'm now receiving random crashes in Firefox. I attempted a system restore to an earlier point but received an error message:

 

337cf9247b.png

 

 

Apparently it rewrote some files but didn't have permission to deal with system files for some reason. Firefox was fixed, though, and no longer seems to crash. I ran FRST again and the logs have been updated accordingly. I'm very sorry for the inconvenience.

 

FRST.txt:

 

[redacted by user after resolution]

 

Addition.txt:

 

[redacted by user after resolution]


Edited by Captain Smee, 30 September 2015 - 02:14 AM.

  • 0

Advertisements


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi sorry for the delay. Your system did restore it is just reporting that Avast would not let restore replace the virus defs... that is a quirk of Avast


As it stands I can see no apparent malware on the system related to a steam hijack

There are a few adware components that need to go. Are you experiencing any problems ?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
HKU\S-1-5-21-3224555650-2440852018-732427347-1002\...\Run: [Pokki] => "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON
HKU\S-1-5-21-3224555650-2440852018-732427347-1002\...\Run: [AdobeBridge] => [X]
AlternateDataStreams: C:\Users\Syme\Local Settings:3bkVkS53R3XCBLqcVhm
AlternateDataStreams: C:\Users\Syme\Local Settings:itjq8D2SK96hIsmDRaYlwPc6VL
AlternateDataStreams: C:\Users\Syme\AppData\Local:3bkVkS53R3XCBLqcVhm
AlternateDataStreams: C:\Users\Syme\AppData\Local:itjq8D2SK96hIsmDRaYlwPc6VL
AlternateDataStreams: C:\Users\Syme\AppData\Local\Application Data:3bkVkS53R3XCBLqcVhm
AlternateDataStreams: C:\Users\Syme\AppData\Local\Application Data:itjq8D2SK96hIsmDRaYlwPc6VL
AlternateDataStreams: C:\Users\Syme\AppData\Local\fns4cP7c6uaeD:5rAgBS2iqMgESk9nWGGrDoyf
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe
FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[Cx].txt as well.

  • 1

#3
Captain Smee

Captain Smee

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

Thank you for your reply. I am not experiencing any issues at this time.

 

I've gone ahead and done the fixes you requested.

 

Fixlog:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:23-09-2015
Ran by Syme (2015-09-27 17:00:13) Run:1
Running from C:\Users\Syme\Desktop
Loaded Profiles: Syme (Available Profiles: Syme)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
HKU\S-1-5-21-3224555650-2440852018-732427347-1002\...\Run: [Pokki] => "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON
HKU\S-1-5-21-3224555650-2440852018-732427347-1002\...\Run: [AdobeBridge] => [X]
AlternateDataStreams: C:\Users\Syme\Local Settings:3bkVkS53R3XCBLqcVhm
AlternateDataStreams: C:\Users\Syme\Local Settings:itjq8D2SK96hIsmDRaYlwPc6VL
AlternateDataStreams: C:\Users\Syme\AppData\Local:3bkVkS53R3XCBLqcVhm
AlternateDataStreams: C:\Users\Syme\AppData\Local:itjq8D2SK96hIsmDRaYlwPc6VL
AlternateDataStreams: C:\Users\Syme\AppData\Local\Application Data:3bkVkS53R3XCBLqcVhm
AlternateDataStreams: C:\Users\Syme\AppData\Local\Application Data:itjq8D2SK96hIsmDRaYlwPc6VL
AlternateDataStreams: C:\Users\Syme\AppData\Local\fns4cP7c6uaeD:5rAgBS2iqMgESk9nWGGrDoyf
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
*****************

Restore point was successfully created.
HKU\S-1-5-21-3224555650-2440852018-732427347-1002\Software\Microsoft\Windows\CurrentVersion\Run\\Pokki => value removed successfully
HKU\S-1-5-21-3224555650-2440852018-732427347-1002\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully
"C:\Users\Syme\Local Settings" => ":3bkVkS53R3XCBLqcVhm" ADS not found.
"C:\Users\Syme\Local Settings" => ":itjq8D2SK96hIsmDRaYlwPc6VL" ADS not found.
C:\Users\Syme\AppData\Local => ":3bkVkS53R3XCBLqcVhm" ADS removed successfully.
C:\Users\Syme\AppData\Local => ":itjq8D2SK96hIsmDRaYlwPc6VL" ADS removed successfully.
"C:\Users\Syme\AppData\Local\Application Data" => ":3bkVkS53R3XCBLqcVhm" ADS not found.
"C:\Users\Syme\AppData\Local\Application Data" => ":itjq8D2SK96hIsmDRaYlwPc6VL" ADS not found.
C:\Users\Syme\AppData\Local\fns4cP7c6uaeD => ":5rAgBS2iqMgESk9nWGGrDoyf" ADS removed successfully.

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-3224555650-2440852018-732427347-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-3224555650-2440852018-732427347-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========


=========  bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.8.10240 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 1 GB temporary data Removed.


The system needed a reboot..

==== End of Fixlog 17:01:06 ====

 

 

 

AdwCleaner session log:

 

# AdwCleaner v5.009 - Logfile created 27/09/2015 at 17:04:37
# Updated 27/09/2015 by Xplode
# Database : 2015-09-27.1 [Server]
# Operating system : Windows 10 Home  (x64)
# Username : Syme - DESKTOP-ML3I7V9
# Running from : C:\Users\Syme\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Users\Syme\AppData\Local\pokki

***** [ Files ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : Adobe Flash Player Updater

***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\Classes\AllFileSystemObjects\shell\pokki
[-] Key Deleted : HKCU\Software\Classes\Directory\shell\pokki
[-] Key Deleted : HKCU\Software\Classes\Drive\shell\pokki
[-] Key Deleted : HKCU\Software\Classes\lnkfile\shell\pokki
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki_Start_Menu
[-] Key Deleted : HKCU\Software\Pokki
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki
[!] Key Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki_Start_Menu
[!] Key Not Deleted : [x64] HKCU\Software\Pokki

***** [ Web browsers ] *****

[-] [C:\Users\Syme\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Syme\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1545 bytes] ##########
 


  • 0

#4
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Do you have any apparent problems ?
  • 0

#5
Captain Smee

Captain Smee

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

Not at this time. My accounts appear to be safe and I'm no longer experiencing any crashes.


  • 0

#6
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Subject to no further problems :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown
delfix.JPG
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

CryptoPrevent.JPG

Malwarebytes

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme ;)

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:
  • 0

#7
Captain Smee

Captain Smee

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

Alright, thanks for your help. Would you consider this system secure now? Safe to use passwords on?


  • 0

#8
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
As all passwords were changed you should be OK :)
  • 0

#9
Captain Smee

Captain Smee

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

Alright. Thank you so much for your time. I'll get back to you if I have any issues within the day, but I don't think I will.

 

Have a good Monday and a great rest of the week!


  • 0

#10
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

My pleasure :)


  • 0

#11
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP