(URGENT) Help Malware, Duplicates Infected. - Printable Version

+- Sinisterly (https://sinister.ly)
+-- Forum: Computers (https://sinister.ly/Forum-Computers)
+--- Forum: Operating Systems (https://sinister.ly/Forum-Operating-Systems)
+--- Thread: (URGENT) Help Malware, Duplicates Infected. (/Thread-URGENT-Help-Malware-Duplicates-Infected)


(URGENT) Help Malware, Duplicates Infected. - PythonRaze - 12-27-2017

Hey members, I am currently infected. My MBAM has scanned it and got rid of it, but every time I reboot my PC it duplicates and it keeps getting terminated.

Report:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/26/17
Protection Event Time: 9:46 PM
Log File: 008b7a6a-ea2a-11e7-a033-507b9d6086cd.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.212
Update Package Version: 1.0.3562
License: Premium

-System Information-
OS: Windows 10 (Build 15063.786)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Domain: fzsification.bounceme.net
IP Address: 165.227.29.57
Port: [50590]
Type: Outbound
File: C:\Users\UB4R\AppData\Local\Temp\.exe

(end)

First it appears with a Trojan.Backdoor, and then it keeps showing this website blocked an unlimited number of times. Any way to remove it? I need urgent assistance.


RE: (URGENT) Help Malware, Duplicates Infected. - PythonRaze - 12-27-2017

The IP changes every 5-10M.


RE: (URGENT) Help Malware, Duplicates Infected. - mothered - 12-27-2017

Rather than scanning for hours on end trying to identify the cause, try this.

Provided the infection isn't embedded in the System Volume Information folder and you have restore points available, hit a System Restore, obviously back to the date when everything was functioning correctly.

If that fails, navigate to the Advanced Startup Options until you see "Reset This PC" and select the "Keep my files" option. This restores the OS back to its factory state without losing your personal files. Apps and settings will be lost though.

If the malware has affected your files, hence is still there after resetting the PC, hit a format and be done with it by selecting "Remove everything" (back in the Advanced Startup Options).


RE: (URGENT) Help Malware, Duplicates Infected. - reGEN - 12-27-2017

Have you considered the possibility that this malware is self-healing? There must be some persistence mechanism to have it restore nonfunctional components each reboot. Try checking common startup registry keys and look for another suspicious executable that could be the cause. It may also be worth checking your services too.

It looks like your account is an administrator(?), so I wouldn't doubt that it may have attempted to use a public exploit to self-elevate to obtain SYSTEM privileges. In this case, you'll need to be very careful as it could potentially feed your system false information.

If you still cannot find it, perhaps booting in safe mode will reduce the search scope since only core files are loaded. If the malware has infected a system file, it will probably run in safe mode as well.

If you're not confident, I highly suggest you take it to a professional to attempt to fix it.


RE: (URGENT) Help Malware, Duplicates Infected. - PythonRaze - 12-28-2017

@mothered @reGEN It seems that it does not reside in Task Manager or services. When my MBAM kills it and I reboot my system it is a backdoor. Here is the report.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/27/17
Protection Event Time: 10:21 PM
Log File: 279d7576-eaf8-11e7-9c81-507b9d6086cd.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.212
Update Package Version: 1.0.3566
License: Premium

-System Information-
OS: Windows 10 (Build 15063.786)
CPU: x64
File System: NTFS
User: System

-Blocked Malware Details-
File: 1
Backdoor.Remcos, C:\Users\UB4R\AppData\Local\Temp\tmp.exe, Quarantined, [283], [461437],1.0.3566

(end)

When the backdoor is terminated, this appears:

Domain: fzsification.bounceme.net
IP Address: 165.227.29.57
Port: [50590]
Type: Outbound
File: C:\Users\UB4R\AppData\Local\Temp\.exe

It keeps getting terminated without actually stopping. It resides in Chrome, and it is a hosting website to my knowledge when I visited it.

Summary: Backdoor.Remcos is created when rebooting the PC, but is terminated by MBAM. Once it is terminated, Domain: fzsification.bounceme.net keeps duplicating and being terminated by MBAM. The malware tool used is Remcos:

Remcos v1.9.7 – 13 December 2017

Update after update, Remcos' large array of functions has grown longer and longer. Remcos includes so many functions that sometimes it was confusing to navigate among them all! This new release features a new type of functions menu, where all the functions are grouped into categories:

- System Management
- Surveillance
- Network functions
- Extra functions
- Remcos Remote Agent Management

You are always able to switch to the classic, expanded menu in Local Settings -> Preferences. The new release also features fixes and tweaks. Any feedback and comment is appreciated as always!

Here is the complete changelog:

[+] Added new "Categorized style" functions menu. It is possible to switch to the classic, "expanded" menu via the local settings.
[*] Rearrangements and changes to menu GUI and some shortkeys
[*] File Manager: fixed bug in C&C code when downloading very small files (below 65 kb)
[*] Other minor tweaks

Video demo of new v1.9.7:


RE: (URGENT) Help Malware, Duplicates Infected. - PythonRaze - 12-28-2017

It is selling for 100-300$. I would say this is an advanced RAT to my knowledge, and MBAM is getting rid of it 100% no issue, but it's coming back.


RE: (URGENT) Help Malware, Duplicates Infected. - PythonRaze - 12-28-2017

I think I found the backdoor. It is executed in startup; in Task Manager it's named "Windows". I checked the file it resides in:

File: C:\Users\UB4R\AppData\Local\Temp\.exe

The same as Backdoor.Remcos. I am sure it is the malware. Here is an image that explains everything: https://imgur.com/a/yWIpO


RE: (URGENT) Help Malware, Duplicates Infected. - PythonRaze - 12-28-2017

Oh my lord, I opened the Windows file in Notepad++:

[zoneTransfer]
ZoneID = 2
Command Module\WCM.exe:Zone.Identifier

And opened a file next to it with random letters:

==================================================
URL : http://192.168.1.1/
Web Browser : Chrome
User Name : (cant tell)
Password : (cant tell)
Password Strength : Strong
User Name Field : index_username
Password Field : (cant tell)
Created Time : 9/06/2016 6:28:54 AM
Modified Time :
==================================================

It shows all my logins for my browser etc. in this notepad.


RE: (URGENT) Help Malware, Duplicates Infected. - mothered - 12-28-2017

If I may ask, why not format your system and be done with it? Literally in the space of an hour, the job's done.

Even if you remove all malicious files, it's not guaranteed that your PC will be free from viruses, malware and the like.


RE: (URGENT) Help Malware, Duplicates Infected. - Mom - 12-28-2017

(12-28-2017, 04:07 AM)mothered Wrote: If I may ask, why not format your system and be done with it? Literally in the space of an hour, the job's done.

This.

I'm someone who freakishly archives every little thing I find on my computer, but even I'll call it quits once my passwords are compromised. It's over. Time to format.

It's for this reason that the big red button exists. It's a terrible solution to resort to, but it's not like you have many other safe ones, and the stakes definitely got amped up.
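reGEN's advice earlier in the thread (check the startup registry keys and services for a second executable that re-drops the backdoor) is the kind of check a defender automates rather than clicks through by hand. The script below is an added example written for this thread, not code posted by any participant and not part of Malwarebytes or Remcos. It inventories the common autostart locations on a Windows host (Run/RunOnce keys, Startup folders, scheduled task actions, service binaries) and flags any entry whose executable lives in a user-writable drop directory such as %TEMP%, which is where the OP's sample sat. For each flagged binary it also prints the Zone.Identifier alternate data stream, the "mark of the web" text the OP saw when opening the file in Notepad++. The directory list and the "suspicious" heuristic are assumptions chosen for illustration; hits are a shortlist for review, not a verdict.

```powershell
# Added triage script (not from the thread). Enumerates the autostart locations
# reGEN mentioned and flags entries whose executable sits in a user-writable
# drop directory. Directory list and heuristic are assumptions for illustration.
# Run from an elevated PowerShell prompt on the affected host.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Drop directories that legitimate autostart entries rarely point into (assumption).
$suspiciousDirs = @($env:TEMP, $env:APPDATA, $env:PUBLIC) | Where-Object { $_ }

function Get-ExePath {
    # Extract the executable from a command line, quoted or not, and expand %VARS%.
    param([string]$Command)
    if (-not $Command) { return '' }
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-SuspiciousPath {
    # True when the command's executable lives under one of the drop directories.
    param([string]$Command)
    $exe = Get-ExePath $Command
    foreach ($dir in $suspiciousDirs) {
        if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function New-Finding ($Source, $Name, $Command) {
    [pscustomobject]@{
        Source     = $Source
        Name       = $Name
        Command    = $Command
        Suspicious = Test-SuspiciousPath $Command
    }
}

$findings = @()

# 1. Run / RunOnce registry values (per-machine and per-user)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $findings += New-Finding $key $name ([string]$item.GetValue($name))
    }
}

# 2. Startup folders (current user and all users)
foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += New-Finding 'StartupFolder' $_.Name $_.FullName
    }
}

# 3. Scheduled task actions
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            $findings += New-Finding "Task:$($task.TaskPath)" $task.TaskName "$($action.Execute) $($action.Arguments)"
        }
    }
}

# 4. Services and their binary paths
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $findings += New-Finding 'Service' $_.Name $_.PathName
}

# Show suspicious entries first, with the Zone.Identifier stream (mark of the web)
# of the binary when present; that stream is what the OP saw in Notepad++.
foreach ($f in ($findings | Where-Object Suspicious)) {
    $f | Format-List Source, Name, Command
    $exe = Get-ExePath $f.Command
    if (Test-Path -LiteralPath $exe) {
        Get-Content -LiteralPath $exe -Stream Zone.Identifier -ErrorAction SilentlyContinue
    }
}

# Full inventory for manual review, suspicious rows on top
$findings | Sort-Object Suspicious -Descending | Format-Table Source, Name, Suspicious, Command -AutoSize
```

Two caveats on reading the output. First, the list is deliberately narrow (it does not cover WMI event subscriptions, Winlogon shell/userinit values, browser extensions or Explorer shell hooks), so a clean run is not proof of a clean machine; it is a fast first pass before the reinstall that mothered and Mom recommend. Second, as reGEN points out, a backdoor running with elevated rights can lie to tools run on the same host, so results from a live box are weaker evidence than the same registry hives and task XML examined offline or after booting from known-good media.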