
Help with compromised system

Open Lookems opened this issue 6 months ago • 12 comments

Hi there, never used this site before but seems I have to so sorry for any ineptitude in advance.

My Discord had sent out messages to all my friends list and servers I'm on directing them to a Steam card scam, and some messages on Facebook resulting in my suspension. I believe there's a keylogger on my system of some sort and numerous scans with ESET, Malwarebytes, Hitman and Rogue have failed to find or remove this thing. So I used your lovely Hijackthis to see if it could help. Can anyone help me with this please?

HiJackThis.log

Lookems avatar May 25 '25 21:05 Lookems

Hi, If you need our assistance:

Please, note that only members of VIRUSNET-Association are allowed to respond to PC cure topics. Ignore any recommendations given by other users, including PM !!!

Assistance is provided free of charge in our free time. If you found our help useful, you can thank us with any amount using this form or you can leave feedback in Guestbook.

Sandor-Helper avatar May 26 '25 08:05 Sandor-Helper

I guess I didn't use Autologger, just Hijackthis, my apologies. I'll attach it here.

CollectionLog-2025.05.26-10.16.zip

Lookems avatar May 26 '25 09:05 Lookems

Thanks for the logs and sorry for the delay with my reply. I didn't see any obvious signs of infection so far. Let's get another couple of logs.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce logs called FRST.txt and Addition.txt in the same directory the tool is run from.
  • Please attach the logs back here.

Sandor-Helper avatar May 27 '25 07:05 Sandor-Helper

Thanks for getting to me! Here they are:

Addition.txt

FRST.txt

Lookems avatar May 27 '25 10:05 Lookems

Temporarily turn off any antivirus. Highlight the following code:

Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
HKU\S-1-5-21-1242433909-1029065536-3682095691-1001\...\MountPoints2: {d49b36d2-d094-11ee-82db-f89e9479138b} - "D:\SETUP.exe" 
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Task: {52DF81D2-A351-4CB5-9644-C9081E98F909} - \BraveSoftwareUpdateTaskMachineCore{D432A00F-8137-4BE8-9AA5-79E8E9B49B5B} -> No File <==== ATTENTION
Task: {94B2F57D-AC7C-4D26-8AC2-0EA6146AEA02} - \BraveSoftwareUpdateTaskMachineUA{33A34AC3-89BD-46F3-8968-308E2FFA5136} -> No File <==== ATTENTION
C:\Users\Nine\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jcpgbnbdnakoblgfkbgggankeidkfcdl
Edge HKU\S-1-5-21-1242433909-1029065536-3682095691-1001\SOFTWARE\Microsoft\Edge\Extensions\...\Edge\Extension: [jcpgbnbdnakoblgfkbgggankeidkfcdl]
Edge HKLM-x32\...\Edge\Extension: [jcpgbnbdnakoblgfkbgggankeidkfcdl]
AV: Bitdefender Antivirus (Disabled - Up to date) {0E17DB7D-A20F-62CE-B95B-17DB0CDFE318}
FW: Bitdefender Firewall (Disabled) {362C5A58-E860-6396-9204-BEEEF20CA463}
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [8912]
FirewallRules: [{6078F9CA-243A-4F08-A7FE-CB2B88BA2E05}] => (Allow) LPort=1688
ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
EmptyTemp:
Reboot:
End::

Copy the highlighted text (right click - Copy). Run FRST (FRST64) as Administrator. Press the Fix button once and wait. The program will create Fixlog.txt. Attach it to the next post.

PC will reboot.

Sandor-Helper avatar May 27 '25 14:05 Sandor-Helper

I assume you meant to copy the text and paste it in the text box in FRST. Here's the log.

Fixlog.txt

Lookems avatar May 27 '25 14:05 Lookems

You don't have to paste it anywhere, but never mind, FRST got the script straight from the clipboard and it ran well.

Using pirated software (as seen in the logs) is a bad idea, and it usually leads to many problems. As for the compromised accounts: you should sign out everywhere on every device and then change your passwords. Use 2FA wherever possible.

Sandor-Helper avatar May 28 '25 08:05 Sandor-Helper

Yeah, I will do that. So does that mean there's nothing on my system now?

Lookems avatar May 28 '25 08:05 Lookems

Yes it is, nothing suspicious. At least in Windows Defender you have several dangerous Path Exclusions, like the whole of disks C and D. Please delete them. Rename FRST.exe (FRST64.exe) to uninstall.exe and run it. The PC will reboot. This will delete all of FRST's files and folders. All other curing tools can simply be deleted.

Sandor-Helper avatar May 28 '25 12:05 Sandor-Helper
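The whole-drive Defender exclusions mentioned above are worth auditing with a script rather than by eye, because a single entry such as `C:\` silently disables scanning for everything on that volume. The following PowerShell is an added example, not code from this thread or from the HiJackThis/FRST projects. It uses the documented `Get-MpPreference` / `Remove-MpPreference` cmdlets from the Windows Defender module; the function names and the risk categories are my own, and it assumes an elevated prompt on Windows 10/11. The registry key it reads is the one the FRST fix above exports.

```powershell
# Added example: audit Microsoft Defender path exclusions and flag whole-drive roots.
# Assumes an elevated PowerShell on Windows 10/11 with the Defender module available.

function Get-RiskyDefenderExclusions {
    [CmdletBinding()]
    param()

    # ExclusionPath is $null when nothing is excluded; return an empty list in that case.
    $paths = (Get-MpPreference).ExclusionPath
    if (-not $paths) { return @() }

    foreach ($p in $paths) {
        $trimmed = $p.TrimEnd('\')
        # "C:" or "C:\" (any drive letter) excludes the entire volume from scanning.
        $isDriveRoot = $trimmed -match '^[A-Za-z]:$'
        # Excluding the whole user-profile or ProgramData tree is almost as bad,
        # since both are common drop locations for unwanted software.
        $isBroadTree = $trimmed -match '^(?i)[A-Za-z]:\\(Users|ProgramData)$'
        [pscustomobject]@{
            Path = $p
            Risk = if ($isDriveRoot) { 'WholeDrive' } elseif ($isBroadTree) { 'BroadTree' } else { 'Review' }
        }
    }
}

function Remove-WholeDriveExclusions {
    # SupportsShouldProcess gives us -WhatIf / -Confirm for free, so the removal can be dry-run first.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    Get-RiskyDefenderExclusions |
        Where-Object { $_.Risk -eq 'WholeDrive' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Path, 'Remove Defender path exclusion')) {
                Remove-MpPreference -ExclusionPath $_.Path
            }
        }
}

# Cross-check against the registry view of the same data (the key exported by the FRST fix).
# Reading this key needs an elevated prompt; it is suppressed quietly if access is denied.
$regKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue |
    Select-Object -Property * -ExcludeProperty PS* |
    Format-List

# Report first; remove only after reviewing the dry run.
Get-RiskyDefenderExclusions | Format-Table -AutoSize
Remove-WholeDriveExclusions -WhatIf
# When satisfied with the dry-run output, run:  Remove-WholeDriveExclusions
```

The audit step is deliberately separated from the removal step: `Remove-MpPreference` takes effect immediately, and a legitimate exclusion (for example a build directory an admin added on purpose) should be reviewed before it is dropped. Anything tagged `Review` is left alone by the removal function and is meant to be judged by a person.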

I will take those actions you've recommended. Thank you very much for your help. :3

Lookems avatar May 29 '25 01:05 Lookems

Well, I'm not so sure about that, as my Steam account page was changed with no outside influence. If there was still something on my system, hypothetically, what would you recommend?

Lookems avatar May 30 '25 17:05 Lookems

We can additionally check your system with several different antivirus tools. Let's start with DoesNotBelong. Download it, run it as administrator and get me the resulting log, please.

Sandor-Helper avatar May 31 '25 05:05 Sandor-Helper

Closed. Reason: no answer for 10 days. If you still need our help, please execute the last steps requested by a helper. Also, download AutoLogger again, prepare a new CollectionLog, and write what problems remain.

dragokas avatar Aug 21 '25 13:08 dragokas