
Very Sophisticated Spyware On Windows PC

#16 MHJJ (Topic Starter)
Hi,

I think that proxy set was my free VPN (Psiphon).

1)

Fix result of Farbar Recovery Scan Tool (x64) Version: 19.04.2024 01
Ran by jama2 (03-05-2024 15:10:41) Run:3
Running from C:\Users\jama2\Desktop
Loaded Profiles: jama2
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start::
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-1026589745-2252998717-1832492364-1001\...\Run: [Surfshark] => C:\Program Files (x86)\Surfshark\Surfshark.exe  (No File)
S2 WirelessBackupService; C:\Program Files (x86)\Wondershare\Dr.Fone Data Recovery\Addins\Recovery\WirelessBackupService.exe [X]
S3 2442D4E7; C:\Windows\system32\drivers\2442D4E7.sys [255928 2024-04-30] (Malwarebytes Corporation -> Malwarebytes)
2024-05-02 20:33 - 2024-05-02 20:33 - 000001226 _____ C:\Users\jama2\Downloads\Malwarebytes Scan Report 2024-05-02 203208.txt
2024-05-02 12:28 - 2024-05-02 12:28 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\65256111.sys
2024-05-01 20:54 - 2024-05-01 20:54 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\3514826A.sys
2024-05-01 17:17 - 2024-05-01 17:17 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\1F226483.sys
2024-05-01 16:02 - 2024-05-01 16:02 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\2513B41E.sys
2024-04-30 23:17 - 2024-04-30 23:17 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\717662E5.sys
2024-04-30 23:12 - 2024-04-30 23:12 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\62634545.sys
2024-04-30 22:25 - 2024-04-30 22:25 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\761701B4.sys
2024-04-30 19:11 - 2024-04-30 19:11 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\3264512A.sys
2024-04-30 14:07 - 2024-04-30 14:07 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\7342815D.sys
2024-04-30 13:42 - 2024-04-30 13:42 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\38314686.sys
2024-04-30 11:10 - 2024-04-30 11:10 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\6231B3BA.sys
2024-04-30 00:02 - 2024-04-30 00:02 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\2442D4E7.sys
2024-04-29 23:00 - 2024-04-29 23:00 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\13637557.sys
2024-04-29 22:40 - 2024-04-29 22:40 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\116484D8.sys
2024-04-29 22:27 - 2024-04-29 22:27 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\2456612F.sys
2024-04-29 22:26 - 2024-05-02 12:36 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2024-04-29 22:25 - 2024-04-29 22:26 - 014178840 _____ (Malwarebytes Corp.) C:\Users\jama2\Downloads\mbar-1.10.3.1001.exe
2024-04-29 22:20 - 2024-05-02 20:37 - 000000000 ____D C:\ProgramData\Malwarebytes
2024-04-29 22:20 - 2024-04-29 22:20 - 002589624 _____ (Malwarebytes) C:\Users\jama2\Desktop\MBSetup.exe
2024-05-01 16:02 - 2024-05-02 12:36 - 000000000 ____D C:\Users\jama2\Desktop\mbar
2024-04-30 22:16 - 2024-05-02 20:40 - 000000000 ____D C:\ProgramData\HitmanPro.Alert
2024-04-30 22:16 - 2024-05-01 18:51 - 000000000 ____D C:\Program Files (x86)\HitmanPro.Alert
AlternateDataStreams: C:\Users\jama2\Downloads\AdwCleaner.exe:MBAM.Zone.Identifier [229]
AlternateDataStreams: C:\Users\jama2\Downloads\HitmanPro_x64.exe:MBAM.Zone.Identifier [138]
AlternateDataStreams: C:\Users\jama2\Downloads\mbar-1.10.3.1001.exe:MBAM.Zone.Identifier [244]
AlternateDataStreams: C:\Users\jama2\Downloads\tdsskiller.exe:MBAM.Zone.Identifier [212]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\13464238.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\30725930.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\49333647.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\54173153.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\13464238.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\30725930.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\49333647.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\54173153.sys => ""="Driver"
C:\Windows\system32\drivers\2442D4E7.sys
RemoveProxy:
Powershell: wevtutil el | Foreach-Object {wevtutil cl "$_"}
EmptyTemp:
End::
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-1026589745-2252998717-1832492364-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Surfshark" => removed successfully
HKLM\System\CurrentControlSet\Services\WirelessBackupService => removed successfully
WirelessBackupService => service removed successfully
HKLM\System\CurrentControlSet\Services\2442D4E7 => removed successfully
2442D4E7 => service removed successfully
C:\Users\jama2\Downloads\Malwarebytes Scan Report 2024-05-02 203208.txt => moved successfully
C:\Windows\system32\Drivers\65256111.sys => moved successfully
C:\Windows\system32\Drivers\3514826A.sys => moved successfully
C:\Windows\system32\Drivers\1F226483.sys => moved successfully
C:\Windows\system32\Drivers\2513B41E.sys => moved successfully
C:\Windows\system32\Drivers\717662E5.sys => moved successfully
C:\Windows\system32\Drivers\62634545.sys => moved successfully
C:\Windows\system32\Drivers\761701B4.sys => moved successfully
C:\Windows\system32\Drivers\3264512A.sys => moved successfully
C:\Windows\system32\Drivers\7342815D.sys => moved successfully
C:\Windows\system32\Drivers\38314686.sys => moved successfully
C:\Windows\system32\Drivers\6231B3BA.sys => moved successfully
C:\Windows\system32\Drivers\2442D4E7.sys => moved successfully
C:\Windows\system32\Drivers\13637557.sys => moved successfully
C:\Windows\system32\Drivers\116484D8.sys => moved successfully
C:\Windows\system32\Drivers\2456612F.sys => moved successfully
 
"C:\ProgramData\Malwarebytes' Anti-Malware (portable)" Folder move:
 
C:\ProgramData\Malwarebytes' Anti-Malware (portable) => moved successfully
C:\Users\jama2\Downloads\mbar-1.10.3.1001.exe => moved successfully
 
"C:\ProgramData\Malwarebytes" Folder move:
 
C:\ProgramData\Malwarebytes => moved successfully
C:\Users\jama2\Desktop\MBSetup.exe => moved successfully
 
"C:\Users\jama2\Desktop\mbar" Folder move:
 
C:\Users\jama2\Desktop\mbar => moved successfully
 
"C:\ProgramData\HitmanPro.Alert" Folder move:
 
Could not move "C:\ProgramData\HitmanPro.Alert" => Scheduled to move on reboot.
 
 
"C:\Program Files (x86)\HitmanPro.Alert" Folder move:
 
Could not move "C:\Program Files (x86)\HitmanPro.Alert" => Scheduled to move on reboot.
 
C:\Users\jama2\Downloads\AdwCleaner.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\jama2\Downloads\HitmanPro_x64.exe => ":MBAM.Zone.Identifier" ADS removed successfully
"C:\Users\jama2\Downloads\mbar-1.10.3.1001.exe" => ":MBAM.Zone.Identifier" ADS not found.
C:\Users\jama2\Downloads\tdsskiller.exe => ":MBAM.Zone.Identifier" ADS removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\13464238.sys => removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\30725930.sys => removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\49333647.sys => removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\54173153.sys => removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\13464238.sys => removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\30725930.sys => removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\49333647.sys => removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\54173153.sys => removed successfully
"C:\Windows\system32\drivers\2442D4E7.sys" => not found
 
========= RemoveProxy: =========
 
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
"HKU\S-1-5-21-1026589745-2252998717-1832492364-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer" => removed successfully
"HKU\S-1-5-21-1026589745-2252998717-1832492364-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\S-1-5-21-1026589745-2252998717-1832492364-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
 
 
========= End of RemoveProxy: =========
 
 
========= wevtutil el | Foreach-Object {wevtutil cl "$_"} =========
 
wevtutil : Failed to clear log Microsoft-Windows-LiveId/Analytic.
At C:\FRST\tmp.ps1:1 char:31
+ wevtutil el | Foreach-Object {wevtutil cl "$_"}
+                               ~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Failed to clear...iveId/Analytic.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
Access is denied.
wevtutil : Failed to clear log Microsoft-Windows-LiveId/Operational.
At C:\FRST\tmp.ps1:1 char:31
+ wevtutil el | Foreach-Object {wevtutil cl "$_"}
+                               ~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Failed to clear...Id/Operational.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
Access is denied.
 
========= End of Powershell: =========
 
 
=========== EmptyTemp: ==========
 
FlushDNS => completed
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 8559870 B
Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 35193585 B
Windows/system/drivers => 2072343 B
Edge => 0 B
Chrome => 315583821 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 27698 B
NetworkService => 27698 B
jama2 => 166328274 B
 
RecycleBin => 0 B
EmptyTemp: => 503.3 MB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 03-05-2024 15:13:03)
 
C:\ProgramData\HitmanPro.Alert => Could not move
C:\Program Files (x86)\HitmanPro.Alert => Could not move
 
==== End of Fixlog 15:13:03 ====
 
2)
 
Malwarebytes with the requested settings (this time with the rootkit scan enabled) found no detections; below is the report:
 
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 5/3/2024
Scan Time: 3:19 PM
Log File: 289cb24a-0958-11ef-9fef-2cf05d714632.json
 
-Software Information-
Version: 5.1.3.110
Components Version: 1.0.1219
Update Package Version: 1.0.84203
License: Trial
 
-System Information-
OS: Windows 11 (Build 22000.2538)
CPU: x64
File System: NTFS
User: Mohamed\jama2
 
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 219563
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 1 min, 48 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
File system: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
WMI: 0
(No malicious items detected)
 
 
(end)
 
But I must say, something interesting happened when I tried to open up my fixlog.txt in my documents. A message popped up saying something along the lines of `Unable to open as user does not have required authorization`. But it opened without any message on the second attempt.
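
The fixlist in the log above removes SafeBoot\Minimal and SafeBoot\Network entries for randomly named .sys files whose driver files had already been moved; such leftovers are what a safe-mode boot would otherwise still try to load. As an added example that is not from this thread, from FRST or from Malwarebytes, the PowerShell below lists SafeBoot entries whose backing driver file or service no longer exists, so a helper can review them before writing a fixlist. It assumes an elevated prompt and the default System32\drivers location for driver files.

```powershell
# Added example (not part of the thread or of FRST): list SafeBoot entries whose
# backing driver file or service is gone, like the 13464238.sys-style entries
# the fixlist above removed. Assumes an elevated prompt and the default
# System32\drivers location for driver files.
$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$DriversDir   = Join-Path $env:SystemRoot 'System32\drivers'

function Get-OrphanedSafeBootEntry {
    foreach ($mode in 'Minimal', 'Network') {
        $modeKey = Join-Path $SafeBootRoot $mode
        if (-not (Test-Path $modeKey)) { continue }
        foreach ($entry in Get-ChildItem -Path $modeKey) {
            $name = $entry.PSChildName
            # GUID-named entries are device setup classes, not drivers; skip them.
            if ($name -match '^\{[0-9A-Fa-f-]+\}$') { continue }
            # The key's default value says whether the name is a driver file
            # (e.g. "vga.sys") or a service name (e.g. "EventLog").
            $kind = (Get-ItemProperty -Path $entry.PSPath).'(default)'
            $exists = switch ($kind) {
                'Driver'  { Test-Path -LiteralPath (Join-Path $DriversDir $name) }
                'Service' { Test-Path -LiteralPath (Join-Path $ServicesRoot $name) }
                default   { $true }   # unknown kind: do not flag
            }
            if (-not $exists) {
                [pscustomobject]@{ Mode = $mode; Name = $name; Kind = $kind }
            }
        }
    }
}

# Orphaned entries are a review list, not a verdict: a driver file can legitimately
# live elsewhere, so confirm each one (as the helper did via FRST) before removing the key.
Get-OrphanedSafeBootEntry | Format-Table -AutoSize
```
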
#17 DR M (Malware Removal)
OK, you can set your VPN as you like after we finish here. I'm not a fan of free VPNs, but if you think that it fits your needs, it's fine.

There is one last concerning thing related to your system. You are still running Windows 11 version 21H2, which reached its end of life last October. Your system is vulnerable without getting security updates, and it is critical to upgrade it as soon as you can.

This is from your logs:

Platform: Microsoft Windows 11 Home Version 21H2 22000.2538 (X64) Language: English (United States)

I recommend an in-place upgrade using the ISO file. This will reinstall and update the operating system and fix any corruptions, without removing any file or program.

Let me know if you have any questions during the procedure.
