Might have Virus?

[RagingBigDog]

Hey,

I know it is not the most descriptive title, but I will go into more detail here. Definitely got a virus as Bitdefender (BD from here on in) popped up quickly after it detected it, and removed that one, but after that, I noticed some things that were off, one being that whenever I logged into my account on my PC, the touch keyboard also appeared and wanted me to use the 'easy' sign in (I think Windows Hello). I have never had that appear since getting Windows and do not have that setup. I tried to do a scan with BD and it stopped midway through (said due to user stopping it, which I did not). Had a few more problems with that so I removed Bitdefender and reinstalled it, thinking that the library of threats had been modified. Then I booted into safe mode (no network) and figured out how to run a scan using BD while in safe mode which came back clean. Then I booted back in, let things be, and a couple days later, noticed my Facebook was hacked on the 11th (I noticed on the 12th). In addition to this, my Gmail had a login from an IP in another state.

Once I got FB back under my control and changed my Gmail password, I reset my PC (keeping my personal files) in hopes that would get rid of whatever may or may not be there. Since then, I have run a full scan and an on boot scan with both BD and Avast, while also doing a scan with Malwarebytes. All came back clean. Finally, I used Wireshark to see if there were any suspicious packets, which based on my semi limited knowledge on it, nothing super suspicious came back. I checked DNS, HTTP, and TLS protocols. I had a few HTTP/XML POSTs that were...interesting, but seemed legit (source was AsusTekC and Destination was SeikoEps). I checked all the TLS client hello ones, and ran through the JA3 hashes, but didn't find anything there, used a site that had malware hashes, but could produce false positives. I downloaded and ran FRST and have attached them per the preparation guide. I think my PC is clean, but would like a second opinion. Also if the malware compromised my accounts, is it likely that other accounts would be compromised? I use 1Password for everything, so I only type that password when logging into things (and most things on my PC are just remembered) and I use 2FA/MFA if able.

Sorry for the short story and appreciate any assistance!
RBD

 

[nasdaq]

Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Unfortunately the Farbar logs are not attached.

Can you please try again.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "Upload file" button.
Do this for both files. Then press the Post reply button.

 

[RagingBigDog]

Hello,

Sorry about that. Let's try it again, if this doesn't work, I'll follow up with another post with the contents of them in the post.

Appreciate it,
RBD

 

[RagingBigDog]

Won't let me upload them. When I try to copy paste, it says something went wrong and the dev tools provides a ray ID (screenshots attached). Also an update, had a malicious login into my Gmail this morning while I was asleep. Gmail signed me out of that device(and all devices) and I had to change my password. Google won't let me google anything and I get an err_connection_closed. When running in safe mode (network) I am able to google stuff.

I was able to copy paste the txt file contents into a GitHub repo but even creating new text files on my laptop and pasting the contents from GitHub into them still shows the upload as empty (same as when I attempted to upload them the first two times. I also get the same error when trying to copy paste the text file content on my laptop, though the Ray Id is different (similar though in that it starts the same). Not sure how to proceed at this point; could either make the git repo public and sharing the link, try downloading it as a zip and uploading it, or invite you as a collaborator, whichever you prefer.

Appreciate it,
RBD

 

[nasdaq]

Hi,

Try to post the compete text from the logs.

Use copy and paste the complete FRST.TXT log and paste it in your next reply.

You should also do the same with the Attention.txt into a second post in case both logs are to long from on post.

 

[RagingBigDog]

Hey,

I am still unable to copy and paste the text here from either log. I get the same error I've been getting (the first attachment in my last post) all with similar Ray IDs. I have tried multiple browsers (Chrome, Firefox, Edge, Safari), different devices (my PC, laptop, iPhone) copying and pasting the text from the GitHub repo on the latter two devices rather than transferring the files, and have even tried pasting only half of one of the files at a time, in case one of the logs was to long for one post. Not sure why I am unable to upload them, but definitely frustrating.

Appreciate it,
Storm

 

[nasdaq]

Hi,

What are the extensions on the FRST and Addition logs. Are they anything other then TXT?

What is hour default Text Editor? Notepad, Nopade++ of other?

p.s.

The logs must end with .TXT

 

[nasdaq]

Are you still with me?