Infected with Remote Access Trojan (or Banking trojan) – Virus, Trojan, Spyware, and


Hello, I believe I have been infected with a remote access trojan. Here is a timeline of events:

 

  • 8/10: Installed music software. Ran a Malwarebytes scan afterwards, which found and quarantined the following, including a “Remote Admin” item (see log below).
  • 8/16: Financial transaction attempted through my online banking. Luckily my bank flagged the transaction. They say that the transaction request was made from my typical IP address.
  • 8/18: Noticed that Gmail filters had been created to automatically delete messages mentioning my bank, credit card, or PayPal. Gmail session history also showed that the account had been accessed from unfamiliar IP addresses. Also found and uninstalled an .exe that was installed on 8/10 and had an unfamiliar name. A Best Buy remote malware technician also ran scans/cleaning, but didn't find a trojan.
  • Then used a separate computer to sign out of sessions on the infected PC and reset passwords. Since then, I haven't seen any more foreign activity on my Gmail, so I am hopeful that my Google account is no longer compromised.

 

 

I have tried using a HIDS to understand whether there is still a trojan intrusion in my PC, but I wasn’t able to glean much from it. I am willing to wipe the computer if it seems that the trojan is unremovable or undetectable. I have backed up important files to a cloud storage account since the infection, but I worry that those might pass the infection to the computer once it is wiped. I appreciate any advice or suggestions you might have!


Malwarebytes Log 8/10


-Log Details-

Scan Date: 8/10/21

Scan Time: 2:26 PM

Log File: 499130f8-fa19-11eb-be8a-a8a159290ff9.json

 

-Software Information-

Version: 4.4.4.126

Components Version: 1.0.1413

Update Package Version: 1.0.44020

License: Trial

 

-System Information-

OS: Windows 10 (Build 19043.1110)

CPU: x64

File System: NTFS

User: DESKTOP-23GE2ST\Name

 

-Scan Summary-

Scan Type: Threat Scan

Scan Initiated By: Manual

Result: Completed

Objects Scanned: 415893

Threats Detected: 22

Threats Quarantined: 22

Time Elapsed: 2 min, 27 sec

 

-Scan Options-

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Disabled

Heuristics: Enabled

PUP: Detect

PUM: Detect

 

-Scan Details-

Process: 0

(No malicious items detected)

 

Module: 0

(No malicious items detected)

 

Registry Key: 0

(No malicious items detected)

 

Registry Value: 1

RiskWare.RemoteAdmin, HKU\S-1-5-21-1406798724-3633723718-1280623058-1001\ENVIRONMENT|USERINITMPRLOGONSCRIPT, Quarantined, 1820, 956516, 1.0.44020, , ame, , ,

 

Registry Data: 0

(No malicious items detected)

 

Data Stream: 0

(No malicious items detected)

 

Folder: 4

PUP.Optional.Funmoods, C:\USERS\NAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, Quarantined, 340, 455240, , , , , ,

PUP.Optional.Babylon, C:\USERS\NAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, Quarantined, 408, 455059, , , , , ,

PUP.Optional.Funmoods, C:\USERS\NAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, Quarantined, 340, 455240, , , , , ,

PUP.Optional.Funmoods, C:\USERS\NAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, Quarantined, 340, 455240, , , , , ,

 

File: 17

CrackTool.Agent.Keygen, C:\$RECYCLE.BIN\S-1-5-21-1406798724-3633723718-1280623058-1001\$R1TEQ7I.EXE, Quarantined, 7915, 917189, 1.0.44020, 0223A293F79CBB917CE6682D, dds, 01371964, 5137F6C1B6FEC54E3C4FCE6261905DD6, 72C96F7E2F4823BB9F28944C96AA1B737BE20EDD52CA97B699085D3498E4AB74

Malware.AI.3207808083, C:\PROGRAM FILES (X86)\ABLETON LIVE SUITE\IBINSTALLER_98220.EXE, Quarantined, 1000000, 0, 1.0.44020, 116B0C98B536C9B9BF334453, dds, 01371964, 8748384A5A009E5C1E405AF0796124C7, F5BF4FB6C0582FE634A22214662B8A598D1F27B00277256ACA140F99C36CB9EA

CrackTool.Agent.Keygen, C:\$RECYCLE.BIN\S-1-5-21-1406798724-3633723718-1280623058-1001\$RGRXSZG.EXE, Quarantined, 7915, 917189, 1.0.44020, 0223A293F79CBB917CE6682D, dds, 01371964, 5137F6C1B6FEC54E3C4FCE6261905DD6, 72C96F7E2F4823BB9F28944C96AA1B737BE20EDD52CA97B699085D3498E4AB74

PUP.Optional.Funmoods, C:\Users\Name\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\00005.ldb, Quarantined, 340, 455240, , , , , E532DBC2773B3EA8D47FB3C522D25A57, B23E07719BBC5C04619B2B3D872A1B9883F610CF6A1DB0E6F22FFFF459FA8497

PUP.Optional.Funmoods, C:\Users\Name\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\23001.ldb, Quarantined, 340, 455240, , , , , E867610393F0F20409C87D798666DF26, 70776CAC1DA89A2A52FFB069D9DE2366986F43BB1589DB097E902DEFB19DBE09

PUP.Optional.Funmoods, C:\Users\Name\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\23003.ldb, Quarantined, 340, 455240, , , , , 65067A1DFC1036FB13042F6BDB6B73BA, DB44276DFBD00372AB044981E4B44EC213B3AD822164A6E8BFDAB07775B0CF8C

PUP.Optional.Funmoods, C:\Users\Name\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\23004.log, Quarantined, 340, 455240, , , , , A3782128393B41D36BBD509D37076A72, FFFCFA837187B7CE3DC170173B0C1ED6226A41DE012FF9CE9747D9554ABED313

PUP.Optional.Funmoods, C:\Users\Name\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\23005.ldb, Quarantined, 340, 455240, , , , , 16F5FA11B4273299B92036158F54FE13, 496EA3E468BD648F6A83EC9E0CB897E0E18168779CC203B1F0FBF80B6534CB02

PUP.Optional.Funmoods, C:\Users\Name\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, Quarantined, 340, 455240, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443

PUP.Optional.Funmoods, C:\Users\Name\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, Quarantined, 340, 455240, , , , , ,

PUP.Optional.Funmoods, C:\Users\Name\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, Quarantined, 340, 455240, , , , , A5DD4710818F48968B2566813647A2EB, C47EA7286019897B4C4C3DA28E722AE1198B5DD1677FB12C71FE4C4ACB855D09

PUP.Optional.Funmoods, C:\Users\Name\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, Quarantined, 340, 455240, , , , , C2F7EE44D6055F0162CAF2E67C7245F5, 4767A8AAAE1DEAE45FE9B78716EF841A7D436E598CDCA866B38E91C8B233F02F

PUP.Optional.Funmoods, C:\Users\Name\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, Quarantined, 340, 455240, , , , , 873FBED70D56B3AE11EEAAB1BD73B59F, 521C9666391AE8597560B92BB33F4360C09CC696D4EFDD09981695818E28967F

PUP.Optional.Funmoods, C:\USERS\NAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 340, 455240, 1.0.44020, , ame, , 0164AA74FEA1842C909CE543EF60E347, 111123B596E34A02E4A83921E79EA29EB69ADBBCF0F86D8E4B292081B80A6AE3

PUP.Optional.Babylon, C:\USERS\NAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 408, 455059, 1.0.44020, , ame, , 0164AA74FEA1842C909CE543EF60E347, 111123B596E34A02E4A83921E79EA29EB69ADBBCF0F86D8E4B292081B80A6AE3

PUP.Optional.Funmoods, C:\USERS\NAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 340, 455240, 1.0.44020, , ame, , 0164AA74FEA1842C909CE543EF60E347, 111123B596E34A02E4A83921E79EA29EB69ADBBCF0F86D8E4B292081B80A6AE3

PUP.Optional.Funmoods, C:\USERS\NAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 340, 455240, 1.0.44020, , ame, , 0164AA74FEA1842C909CE543EF60E347, 111123B596E34A02E4A83921E79EA29EB69ADBBCF0F86D8E4B292081B80A6AE3

 

Physical Sector: 0

(No malicious items detected)

 

WMI: 0

(No malicious items detected)

 

 

(end)


FRST.txt


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-08-2021

Ran by Name (administrator) on DESKTOP-23GE2ST (19-08-2021 12:12:19)

Running from C:\Users\Name\Downloads

Loaded Profiles: Name

Platform: Windows 10 Home Version 21H1 19043.1165 (X64) Language: English (United States)

Default browser: Edge

Boot Mode: Normal

 

==================== Processes (Whitelisted) =================

 

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

() [File not signed] C:\MAMP\bin\mysql\bin\mysqld.exe

(Adobe Inc. -> Adobe Inc.) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe

(Adobe Inc. -> Adobe Inc.) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

(Adobe Inc. -> Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\acrotray.exe

(Adobe Inc. -> Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGMService.exe

(Adobe Inc. -> Adobe…
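The one non-PUP registry hit in the Malwarebytes log above is a value under HKU\<SID>\Environment named UserInitMprLogonScript. Anything stored there is executed by userinit.exe at every logon, which makes it a quiet persistence spot that a "remote admin" tool or a banking trojan can use to survive reboots and casual uninstalls. Malwarebytes quarantined the value but the log does not show what it pointed at, and a scan with Rootkits: Disabled cannot confirm that nothing else re-creates it. The script below is an added example, written for this page and not taken from the original post, Malwarebytes or FRST; it re-checks that value for every loaded user hive, lists the standard Run/RunOnce and Winlogon autostart entries, and hashes whatever file each entry launches so it can be compared with the SHA-256 column of the log or looked up elsewhere. It assumes an elevated PowerShell prompt on the suspect Windows 10 machine; the variable and property names are the example's own.

```powershell
# Added example (not from the original post or any vendor tool).
# Re-check the persistence location Malwarebytes flagged (UserInitMprLogonScript)
# and the common autostart keys, then hash the launched binaries for comparison
# against the SHA-256 column of the Malwarebytes log. Run elevated.

$findings = @()

# 1. UserInitMprLogonScript under each loaded user hive. userinit.exe runs this
#    at logon; a clean machine almost never has it set, so any value is suspect.
#    HKEY_USERS also contains *_Classes hives without an Environment key; Test-Path skips them.
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $envKey = Join-Path $hive.PSPath 'Environment'
    if (Test-Path $envKey) {
        $v = (Get-ItemProperty -Path $envKey -ErrorAction SilentlyContinue).UserInitMprLogonScript
        if ($v) {
            $findings += [pscustomobject]@{
                Location = "HKU\$($hive.PSChildName)\Environment"
                Name     = 'UserInitMprLogonScript'
                Value    = $v
            }
        }
    }
}

# 2. Classic Run/RunOnce keys, machine-wide (64- and 32-bit views) and per loaded user hive.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $runKeys += Join-Path $hive.PSPath 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runKeys += Join-Path $hive.PSPath 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath etc. are provider metadata, not registry values
        $findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Value = $p.Value }
    }
}

# 3. Winlogon Userinit and Shell. Expected: "C:\Windows\system32\userinit.exe," and "explorer.exe".
#    Anything appended after the comma, or a different shell, is a well-known persistence trick.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in 'Userinit', 'Shell') {
    $findings += [pscustomobject]@{
        Location = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Name     = $name
        Value    = $wl.$name
    }
}

# 4. Resolve each command line to the executable it launches, then record its
#    SHA-256 and Authenticode status. Unsigned binaries under AppData, Temp or the
#    Recycle Bin deserve a closer look; the hash can be matched against the log above.
foreach ($f in $findings) {
    $cmd = [string]$f.Value
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }          # quoted path, possibly with arguments
    elseif ($cmd -match '^(\S+\.exe)') { $exe = $Matches[1] }    # bare path ending in .exe (case-insensitive)
    else { $exe = $cmd.Split(',')[0].Trim() }                     # e.g. Winlogon Userinit value with trailing comma
    $expanded = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $expanded -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $expanded -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -LiteralPath $expanded).Status
    } else {
        $hash = '(file not found or not an absolute path)'
        $sig  = 'n/a'
    }
    $f | Add-Member -NotePropertyName SHA256 -NotePropertyValue $hash
    $f | Add-Member -NotePropertyName Signature -NotePropertyValue $sig
}

$findings | Format-Table Location, Name, Value, Signature, SHA256 -AutoSize -Wrap
```

Run it once now and once after the next reboot: a UserInitMprLogonScript value that reappears, or a Run entry pointing at an unsigned binary the FRST process list does not account for, means something is still re-establishing persistence and the reinstall the poster is considering is the right call. The check covers the registry locations only; scheduled tasks, services and WMI subscriptions are separate locations, and none of this substitutes for a rootkit-aware scan, which the log shows was not run.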

