Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Suspected RAT.
#1
I was talking to a friend via an IM client and stuff was randomly getting typed and sent. Also, Windows Defender cannot be turned on.

HJT Log: http://fixee.org/view_raw/s7twbtt

MBAM Log: http://fixee.org/view_raw/tsczjf4

DDS Log: http://fixee.org/view_raw/ggu5f60

Attach Log: http://fixee.org/view_raw/56o6662
Reply
#2
Greetings,

Whilst I am in the process of scrutinizing your complete set of provided logs for any possible infections or problems, I ask for your forbearance. Understand that the process of analysis requires time and careful examination hence the need for a cautious response. Accuracy is of the essence. Once I come across infections, I shall present the finest methods of removal for your convenience.

In return for this service, I propose to you two conditions:
  1. You are not to create any new threads regarding the similar topic as it will waste another helper's time.
  2. You are not to install any new software in your system, as it may hinder our process thus making this futile.
In accordance to my terms, I also ask of you six things, stated below:
  1. You are not to modify the logs in any way. Failure to do so will instantly deprive you of this service.
  2. You are to paste each log separately at PasteBin as it is. That is correct, no syntax highlighting, no editing - just the log purely. Post back the links for each log. You shall not hide them under spoiler codes.
  3. You are to provide the complete set of requested logs.
  4. You are to keep all your trusted tools that the scanners may detect in a password protected archive. This is to prevent them from being deleted as we've had complaints or refusal to use the scanner for this reason.
  5. You are to respond to every step I ask you to do using the format provided at the end of my post.
  6. You agree that I have the right to discontinue the analysis at any time, upon a violation of a single rule.
Provided that you will continue with this service, you hereby agree to the above statements. If you deem the conditions are portraying equality, I will willingly perform the analysis without further delay. Should you have any concerns or problems with the above conditions, or if you feel that I have overlooked your log, do inform me through a Private Message by clicking 'this'.

Thank you.

Genuinely yours,
Quintus
  • Optional Pre-Step

    With regard to my fourth condition, here are the steps on how to password protect your trusted tools momentarily. Do note that I would advise you to remove all the infections present in your system as I am not certain of the sources of these programs thereby I will not be able to verify whether they are backdoored or not.

    You are doing this at your own risk.
    • Create a new folder with the name of your choice.
    • Gather all of your tools into that folder.
    • If you do not have a file compressor, download '7-Zip' and install it.
    • After doing so, navigate to the said folder and right-click.
      • You are now presented with options.
      • Please chose 7-Zip > Add to Archive.
      • Under the Archive Name, enter any name you wish.
      • Set the Archive Format to 7z.
      • Set the Compression Level to Ultra.
      • Under Encryption fill in the Password field twice. You can tick Show Password if you desire.
      • When everything is done, click OK.
    • Wait for some time. The waiting time is determined by the size of your files.
    • 7-Zip will have produced the file for you.
    • Now we test the file by Right-click > 7-Zip > Extract Here.
    • A prompt asking you for the password should appear.
    • Select Cancel as this is for testing purposes only.
    • Now delete the other folder, empty your Recycle Bin and proceed with the instructions.
Note: After I have declared you ALL CLEAN, you may extract your files and dispose of the protected archive.
  • Pre-Step

    Click 'here' to download Temp File Cleaner by OldTimer. Save it to your Desktop.
    • Close any open windows.
    • Double-click TFC.exe and select 'Run' when prompted to execute the program. It will close all open programs itself in order to run.
    • Click the Start button to begin the cleaning process.
    • Please let the program run uninterruptedly.
    • Once the cleaning has been done, your computer should automatically reboot. Otherwise, please do so when it does not.
  • Prerequisite

    If you are having a problem running HijackThis as Administrator, please follow the steps below.
    • Go to My Computer and navigate to your default disc drive (C: is the most common).
    • Go to Program Files > Trend Micro > HijackThis.
    • Right-click HiJackThis.exe and run it as Administrator.
  • Step 1

    Please run a free online scan with ESET Online Scanner by downloading ESET Smart Installer 'here'. Save it to your Desktop.
    • Double-click esetsmartinstaller_enu.exe to execute the program.
    • Tick 'YES, I accept the Terms of Use'.
    • Click 'Start'.
    • If this is your first time installing the scanner, allow the 'ActiveX Control' to install.
    • Database download may take some time.
    • When done, make sure that the option 'Remove found threats' is ticked. Under the and 'Advanced Settings', please put a check on the following options:
      • Scan for potentially unwanted applications
      • Enable Anti-Stealth Technology
    • Click 'Start'.
    • Wait for the scan to finish.
    • Once it is finished, use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt.
    • Copy and paste that log as a reply to this topic.
  • Step 2

    Please set Windows 7 to show both hidden and system files and folders so that you can find specific files to delete.
    1. Click Start and navigate to Control Panel.
    2. On Appearance and Personalization > Folder Options > Show hidden files and folders.
    3. On the View tab, uncheck the following:
      • Hide file extensions for known file types
      • Hide protected operating system files (Recommended)
    4. Click Yes on the warning message.
    5. Under Hidden files and folders, check Show hidden files, folders, and drives.
    6. Click Apply to All Folders.
    7. Click OK.
    Note: I will give you instructions for hiding them again once your system seems clean.
  • Step 3

    We need to do a quick check.
    • Go to 'VirusTotal'.
    • Click Choose File.
    • Copy and paste the exact file name(s) in bold (if there are more than one file listed, please open multiple tabs):
      • C:\Windows\vVX1000.exe
        C:\Windows\V0640Mon.exe
    • Click Send.
    • Copy and paste back the link(s) to the result(s) once VirusTotal has finished scanning the file.
  • In your next post, please provide the following:
    • A Fresh HijackThis (HJT) Log
    • Deckard's System Scanner (DDS) Logs
      • DDS.txt
      • Attach.txt
    • ESET Scan Log
    • VirusTotal Links
  • Format of Response

    As part of my service terms, you are to fill this up everytime you respond to your log. Copy and paste the content inside the code box and write directly after the closing tags. Do not add spaces as they are already provided. An exception applies to the numbers, as they are to be written after the # sign.

    Step #1: Change the number accordingly.
    Problems Encountered: Put N/A if the operation went smoothly.

    Link To Requested Logs: Post the links to the logs I have asked you to produce.

  • Code:
    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Link To Requested Logs:[/b][/color]
Reply
#3
Quintus your post looks very helpful. Thanks bro.
[Image: linksig.png]
AIM: Link0207 | MSN: Link0207@Link0207.com | YIM: Link0207
Reply
#4
(01-04-2011, 08:42 AM)Quintus Wrote: Greetings,

Whilst I am in the process of scrutinizing your complete set of provided logs for any possible infections or problems, I ask for your forbearance. Understand that the process of analysis requires time and careful examination hence the need for a cautious response. Accuracy is of the essence. Once I come across infections, I shall present the finest methods of removal for your convenience.

In return for this service, I propose to you two conditions:
  1. You are not to create any new threads regarding the similar topic as it will waste another helper's time.
  2. You are not to install any new software in your system, as it may hinder our process thus making this futile.
In accordance to my terms, I also ask of you six things, stated below:
  1. You are not to modify the logs in any way. Failure to do so will instantly deprive you of this service.
  2. You are to paste each log separately at PasteBin as it is. That is correct, no syntax highlighting, no editing - just the log purely. Post back the links for each log. You shall not hide them under spoiler codes.
  3. You are to provide the complete set of requested logs.
  4. You are to keep all your trusted tools that the scanners may detect in a password protected archive. This is to prevent them from being deleted as we've had complaints or refusal to use the scanner for this reason.
  5. You are to respond to every step I ask you to do using the format provided at the end of my post.
  6. You agree that I have the right to discontinue the analysis at any time, upon a violation of a single rule.
Provided that you will continue with this service, you hereby agree to the above statements. If you deem the conditions are portraying equality, I will willingly perform the analysis without further delay. Should you have any concerns or problems with the above conditions, or if you feel that I have overlooked your log, do inform me through a Private Message by clicking 'this'.

Thank you.

Genuinely yours,
Quintus
  • Optional Pre-Step

    With regard to my fourth condition, here are the steps on how to password protect your trusted tools momentarily. Do note that I would advise you to remove all the infections present in your system as I am not certain of the sources of these programs thereby I will not be able to verify whether they are backdoored or not.

    You are doing this at your own risk.
    • Create a new folder with the name of your choice.
    • Gather all of your tools into that folder.
    • If you do not have a file compressor, download '7-Zip' and install it.
    • After doing so, navigate to the said folder and right-click.
      • You are now presented with options.
      • Please chose 7-Zip > Add to Archive.
      • Under the Archive Name, enter any name you wish.
      • Set the Archive Format to 7z.
      • Set the Compression Level to Ultra.
      • Under Encryption fill in the Password field twice. You can tick Show Password if you desire.
      • When everything is done, click OK.
    • Wait for some time. The waiting time is determined by the size of your files.
    • 7-Zip will have produced the file for you.
    • Now we test the file by Right-click > 7-Zip > Extract Here.
    • A prompt asking you for the password should appear.
    • Select Cancel as this is for testing purposes only.
    • Now delete the other folder, empty your Recycle Bin and proceed with the instructions.
Note: After I have declared you ALL CLEAN, you may extract your files and dispose of the protected archive.
  • Pre-Step

    Click 'here' to download Temp File Cleaner by OldTimer. Save it to your Desktop.
    • Close any open windows.
    • Double-click TFC.exe and select 'Run' when prompted to execute the program. It will close all open programs itself in order to run.
    • Click the Start button to begin the cleaning process.
    • Please let the program run uninterruptedly.
    • Once the cleaning has been done, your computer should automatically reboot. Otherwise, please do so when it does not.
  • Prerequisite

    If you are having a problem running HijackThis as Administrator, please follow the steps below.
    • Go to My Computer and navigate to your default disc drive (C: is the most common).
    • Go to Program Files > Trend Micro > HijackThis.
    • Right-click HiJackThis.exe and run it as Administrator.
  • Step 1

    Please run a free online scan with ESET Online Scanner by downloading ESET Smart Installer 'here'. Save it to your Desktop.
    • Double-click esetsmartinstaller_enu.exe to execute the program.
    • Tick 'YES, I accept the Terms of Use'.
    • Click 'Start'.
    • If this is your first time installing the scanner, allow the 'ActiveX Control' to install.
    • Database download may take some time.
    • When done, make sure that the option 'Remove found threats' is ticked. Under the and 'Advanced Settings', please put a check on the following options:
      • Scan for potentially unwanted applications
      • Enable Anti-Stealth Technology
    • Click 'Start'.
    • Wait for the scan to finish.
    • Once it is finished, use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt.
    • Copy and paste that log as a reply to this topic.
  • Step 2

    Please set Windows 7 to show both hidden and system files and folders so that you can find specific files to delete.
    1. Click Start and navigate to Control Panel.
    2. On Appearance and Personalization > Folder Options > Show hidden files and folders.
    3. On the View tab, uncheck the following:
      • Hide file extensions for known file types
      • Hide protected operating system files (Recommended)
    4. Click Yes on the warning message.
    5. Under Hidden files and folders, check Show hidden files, folders, and drives.
    6. Click Apply to All Folders.
    7. Click OK.
    Note: I will give you instructions for hiding them again once your system seems clean.
  • Step 3

    We need to do a quick check.
    • Go to 'VirusTotal'.
    • Click Choose File.
    • Copy and paste the exact file name(s) in bold (if there are more than one file listed, please open multiple tabs):
      • C:\Windows\vVX1000.exe
        C:\Windows\V0640Mon.exe
    • Click Send.
    • Copy and paste back the link(s) to the result(s) once VirusTotal has finished scanning the file.
  • In your next post, please provide the following:
    • A Fresh HijackThis (HJT) Log
    • Deckard's System Scanner (DDS) Logs
      • DDS.txt
      • Attach.txt
    • ESET Scan Log
    • VirusTotal Links
  • Format of Response

    As part of my service terms, you are to fill this up everytime you respond to your log. Copy and paste the content inside the code box and write directly after the closing tags. Do not add spaces as they are already provided. An exception applies to the numbers, as they are to be written after the # sign.

    Step #1: Change the number accordingly.
    Problems Encountered: Put N/A if the operation went smoothly.

    Link To Requested Logs: Post the links to the logs I have asked you to produce.

  • Code:
    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Link To Requested Logs:[/b][/color]

nice post!, i learned something here!
Reply
#5
Thank you Quintus
Reply
#6
(01-04-2011, 08:42 AM)Quintus Wrote: Greetings,

Whilst I am in the process of scrutinizing your complete set of provided logs for any possible infections or problems, I ask for your forbearance. Understand that the process of analysis requires time and careful examination hence the need for a cautious response. Accuracy is of the essence. Once I come across infections, I shall present the finest methods of removal for your convenience.

In return for this service, I propose to you two conditions:
  1. You are not to create any new threads regarding the similar topic as it will waste another helper's time.
  2. You are not to install any new software in your system, as it may hinder our process thus making this futile.
In accordance to my terms, I also ask of you six things, stated below:
  1. You are not to modify the logs in any way. Failure to do so will instantly deprive you of this service.
  2. You are to paste each log separately at PasteBin as it is. That is correct, no syntax highlighting, no editing - just the log purely. Post back the links for each log. You shall not hide them under spoiler codes.
  3. You are to provide the complete set of requested logs.
  4. You are to keep all your trusted tools that the scanners may detect in a password protected archive. This is to prevent them from being deleted as we've had complaints or refusal to use the scanner for this reason.
  5. You are to respond to every step I ask you to do using the format provided at the end of my post.
  6. You agree that I have the right to discontinue the analysis at any time, upon a violation of a single rule.
Provided that you will continue with this service, you hereby agree to the above statements. If you deem the conditions are portraying equality, I will willingly perform the analysis without further delay. Should you have any concerns or problems with the above conditions, or if you feel that I have overlooked your log, do inform me through a Private Message by clicking 'this'.

Thank you.

Genuinely yours,
Quintus
  • Optional Pre-Step

    With regard to my fourth condition, here are the steps on how to password protect your trusted tools momentarily. Do note that I would advise you to remove all the infections present in your system as I am not certain of the sources of these programs thereby I will not be able to verify whether they are backdoored or not.

    You are doing this at your own risk.
    • Create a new folder with the name of your choice.
    • Gather all of your tools into that folder.
    • If you do not have a file compressor, download '7-Zip' and install it.
    • After doing so, navigate to the said folder and right-click.
      • You are now presented with options.
      • Please chose 7-Zip > Add to Archive.
      • Under the Archive Name, enter any name you wish.
      • Set the Archive Format to 7z.
      • Set the Compression Level to Ultra.
      • Under Encryption fill in the Password field twice. You can tick Show Password if you desire.
      • When everything is done, click OK.
    • Wait for some time. The waiting time is determined by the size of your files.
    • 7-Zip will have produced the file for you.
    • Now we test the file by Right-click > 7-Zip > Extract Here.
    • A prompt asking you for the password should appear.
    • Select Cancel as this is for testing purposes only.
    • Now delete the other folder, empty your Recycle Bin and proceed with the instructions.
Note: After I have declared you ALL CLEAN, you may extract your files and dispose of the protected archive.
  • Pre-Step

    Click 'here' to download Temp File Cleaner by OldTimer. Save it to your Desktop.
    • Close any open windows.
    • Double-click TFC.exe and select 'Run' when prompted to execute the program. It will close all open programs itself in order to run.
    • Click the Start button to begin the cleaning process.
    • Please let the program run uninterruptedly.
    • Once the cleaning has been done, your computer should automatically reboot. Otherwise, please do so when it does not.
  • Prerequisite

    If you are having a problem running HijackThis as Administrator, please follow the steps below.
    • Go to My Computer and navigate to your default disc drive (C: is the most common).
    • Go to Program Files > Trend Micro > HijackThis.
    • Right-click HiJackThis.exe and run it as Administrator.
  • Step 1

    Please run a free online scan with ESET Online Scanner by downloading ESET Smart Installer 'here'. Save it to your Desktop.
    • Double-click esetsmartinstaller_enu.exe to execute the program.
    • Tick 'YES, I accept the Terms of Use'.
    • Click 'Start'.
    • If this is your first time installing the scanner, allow the 'ActiveX Control' to install.
    • Database download may take some time.
    • When done, make sure that the option 'Remove found threats' is ticked. Under the and 'Advanced Settings', please put a check on the following options:
      • Scan for potentially unwanted applications
      • Enable Anti-Stealth Technology
    • Click 'Start'.
    • Wait for the scan to finish.
    • Once it is finished, use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt.
    • Copy and paste that log as a reply to this topic.
  • Step 2

    Please set Windows 7 to show both hidden and system files and folders so that you can find specific files to delete.
    1. Click Start and navigate to Control Panel.
    2. On Appearance and Personalization > Folder Options > Show hidden files and folders.
    3. On the View tab, uncheck the following:
      • Hide file extensions for known file types
      • Hide protected operating system files (Recommended)
    4. Click Yes on the warning message.
    5. Under Hidden files and folders, check Show hidden files, folders, and drives.
    6. Click Apply to All Folders.
    7. Click OK.
    Note: I will give you instructions for hiding them again once your system seems clean.
  • Step 3

    We need to do a quick check.
    • Go to 'VirusTotal'.
    • Click Choose File.
    • Copy and paste the exact file name(s) in bold (if there are more than one file listed, please open multiple tabs):
      • C:\Windows\vVX1000.exe
        C:\Windows\V0640Mon.exe
    • Click Send.
    • Copy and paste back the link(s) to the result(s) once VirusTotal has finished scanning the file.
  • In your next post, please provide the following:
    • A Fresh HijackThis (HJT) Log
    • Deckard's System Scanner (DDS) Logs
      • DDS.txt
      • Attach.txt
    • ESET Scan Log
    • VirusTotal Links
  • Format of Response

    As part of my service terms, you are to fill this up everytime you respond to your log. Copy and paste the content inside the code box and write directly after the closing tags. Do not add spaces as they are already provided. An exception applies to the numbers, as they are to be written after the # sign.

    Step #1: Change the number accordingly.
    Problems Encountered: Put N/A if the operation went smoothly.

    Link To Requested Logs: Post the links to the logs I have asked you to produce.

  • Code:
    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Link To Requested Logs:[/b][/color]

Very nice post man, like what you're doing here. It's nice to see others help when people are in need.

HJT to the rescue 24/7.
Again, thanks, I learned something here also Smile
Legitimate Marketer | Exchanger | Middle Man | RAT Expert
Reply
#7
I remember... The post of Quintus is from HF
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  im being told im rat'd? ๖ۣۜDunsparth 20 9,663 07-17-2011, 07:02 PM
Last Post: Pedo bear
  Think I have a RAT on my comp Brandenx781 34 10,156 06-07-2011, 06:17 AM
Last Post: Quintus
  Suspected..everything..? Swift Swim 4 1,775 03-18-2011, 04:46 AM
Last Post: Quintus
  [HJT Log] Suspected virus. TheGeniusism 7 4,987 11-21-2010, 02:34 AM
Last Post: Quintus

Forum Jump:


Users browsing this thread: 1 Guest(s)