[Solved] PC infected with Backdoor

Wraith · Level 13 · Thread author · Verified · Top Poster · Well-known · Aug 15, 2018 · 634
I am normally a very careful user and don't download unknown things from the Internet. This morning when I started up my PC, it booted straight into minimal SAFE MODE and after a few moments restarted automatically in NORMAL MODE. Everything seemed to be fine except for the fact that ESET INTERNET SECURITY refused to start. I had to uninstall it using the ESET Removal Tool and then install ESET IS again. I made sure to update it and run a full scan, and it found this threat and deleted it (link below). I ran Norton Power Eraser and it detected a change in the PowerShell policy. I fixed that. Malwarebytes detected a disabled Security Center and a fake trojan. I removed the trojan. But even after all this I still feel that my PC is not fully clean, since Farbar found two disabled limited user accounts with funny names. I don't know how the malware got there, but I will be extremely grateful if someone could help me out with this.

Here is the VirusTotal link for the malware that infected my PC:
VirusTotal

Attachments

  • FRST.txt (152.3 KB)
  • Addition.txt (18.8 KB)
  • MBAM.txt (1.4 KB)
  • NPE.JPG (41.1 KB)

Wraith · Level 13 · Thread author
It resembles the coin miner via the scheduled task. Do you have the task in the Application Experience section named StartupCheckLibrary?
You are spot on. As far as I remember, a scheduled task was created, and maybe that's the reason why the PC rebooted in safe mode, to delete some ESET files, and then the PC rebooted in Normal mode. Maybe if I had OSArmor and WinPatrol, I would have been notified.
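As an added example (not code from this thread, nor from ESET, Norton, Malwarebytes or FRST), the following PowerShell script runs read-only checks for the indicators the posts in this thread mention: a scheduled task named StartupCheckLibrary, disabled local accounts with unfamiliar names, a changed PowerShell execution policy, the Windows Defender policy key that FRST marked ATTENTION, the two services FRST listed without an ImagePath, a disabled Security Center service, and a boot entry forced into Safe Mode. The task folder is assumed to be \Microsoft\Windows\Application Experience\ (the reply only says "Application Experience section"), so the search is not limited to that folder; the function name Invoke-BackdoorTriage and the list of default-disabled accounts are this example's own choices.

```powershell
# Added example, not code from the thread or from any tool named in it.
# Read-only triage for the indicators discussed above. Run from an elevated
# PowerShell prompt; it changes nothing, it only reports.
# Assumption: the "Application Experience" task folder is
# \Microsoft\Windows\Application Experience\, but the name match below is
# applied to the whole task library in case the task was placed elsewhere.

function Invoke-BackdoorTriage {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Scheduled task: match the name anywhere in the library and record
    #    what it actually executes, which is the part that matters.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like '*StartupCheckLibrary*' } |
        ForEach-Object {
            $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            $findings.Add("Scheduled task $($_.TaskPath)$($_.TaskName) [$($_.State)] runs: $actions")
        }

    # 2. Disabled local accounts. Windows ships a few disabled by default
    #    (list assumed here); anything else should be an account you made.
    $builtin = 'Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount'
    Get-LocalUser |
        Where-Object { -not $_.Enabled -and $_.Name -notin $builtin } |
        ForEach-Object {
            $findings.Add("Disabled local account '$($_.Name)' (SID $($_.SID), password set $($_.PasswordLastSet), last logon $($_.LastLogon))")
        }

    # 3. PowerShell execution policy per scope (Norton Power Eraser flagged
    #    a change here). Unrestricted/Bypass at machine scope is the red flag.
    Get-ExecutionPolicy -List |
        Where-Object { $_.ExecutionPolicy -in 'Unrestricted', 'Bypass' } |
        ForEach-Object { $findings.Add("Execution policy $($_.ExecutionPolicy) set at scope $($_.Scope)") }

    # 4. Defender policy key (the line FRST marked ATTENTION). On a home PC
    #    with no Group Policy this key normally does not exist at all.
    $defKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    if (Test-Path $defKey) {
        (Get-ItemProperty -Path $defKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $findings.Add("Defender policy value $($_.Name) = $($_.Value)") }
    }

    # 5. Services FRST listed as 'no ImagePath'. A service key that exists
    #    but names no binary is worth a look; compare with a clean machine
    #    of the same Windows build before acting on it.
    foreach ($svc in 'diagtrack', 'dusmsvc') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (Test-Path $key) {
            $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
            if (-not $img) { $findings.Add("Service $svc exists but has no ImagePath") }
        }
    }

    # 6. Security Center service (Malwarebytes reported it disabled).
    $wsc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
    if ($wsc -and $wsc.StartType -eq 'Disabled') {
        $findings.Add('Security Center service (wscsvc) is disabled')
    }

    # 7. One way to force a boot straight into minimal Safe Mode is a
    #    'safeboot' value on the current boot entry; it should be absent.
    $bcd = bcdedit /enum '{current}' 2>$null
    if ($bcd -match 'safeboot') {
        $findings.Add('Boot entry {current} carries a safeboot value (see: bcdedit /enum {current})')
    }

    return $findings
}

$result = Invoke-BackdoorTriage
if ($result.Count -eq 0) {
    'Nothing flagged by these checks (which does not prove the machine is clean).'
} else {
    $result
}
```

The checks are deliberately read-only: what to delete is decided from the logs by the helper handling the case, and the script's value is that it reproduces, in one place, the items the scanners and FRST each reported separately so they can be re-checked after the fix.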
 

Wraith · Level 13 · Thread author
Hey! User account creation is something deep-driven, and a scheduled task may be a rootkit, I guess.
Automatic reboot / safe mode is a definite rootkit signal, since it is driver-driven and a scheduled task.
Try the free rootkit scanners from Avast and NPE, both in normal and safe mode.

Most AVs out there are useless against rootkits, since they hide and replicate via .sys (driver) files.
I already ran a scan with Norton Power Eraser. I also ran a scan with Malwarebytes with detection of rootkits enabled. ESET does have a module called Anti-Stealth that is supposed to protect from rootkits, but I don't know how effective it is.

Wraith · Level 13 · Thread author
I only see this in your logs. Wait for the specialist's answer. Regards.

Code:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
U2 diagtrack; no ImagePath
U2 dusmsvc; no ImagePath
ContextMenuHandlers4: [Offline Files] -> {474C98EE-CF3D-41f5-80E3-4AAB0AB04301} =>  -> No File
ContextMenuHandlers6: [Offline Files] -> {474C98EE-CF3D-41f5-80E3-4AAB0AB04301} =>  -> No File

I'm sorry, but I don't understand these logs. Do the above entries show any sign that the PC is still infected?

TwinHeadedEagle · Level 41 · Verified · Mar 8, 2013 · 22,627
Yes, those users are really suspicious. See if you can delete them.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of the Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
  • When it finishes, FRST will generate a log on the Desktop called Fixlog.txt.

Please attach it to your reply.

Attachments

  • fixlist.txt (840 bytes)
