Cleaned up a scammed computer and a weird command prompt window showed up

Just curious whether you've ever seen anything malicious "implanted" in the user data that gets picked up when scanned?

Not that I recall. Not uncommon to find something in the downloads folder, though - that's just because the user's pattern of behavior makes this predictable.

> Not uncommon to find something in the downloads folder, though - that's just because the user's pattern of behavior makes this predictable.

I have to report that I have not seen this in some years. Once "scan upon download" was instituted as virtually universal practice, questionable material has generally been blocked before an actual save can occur.

I still get the occasional false positive for things such as a number of the NirSoft tools which "have the appearance of malware" but are not such, but those are seldom downloaded by the average end user.

> NirSoft tools
I get those too, on just about every update of his software. I promptly whitelist them. If I can't trust him, I might as well unplug and crawl into a closet.
The other side of that coin is not him, but if the server storing his files were compromised...
After downloading his files and updates for files countless times since 2004 without ever an issue, I feel my trust level is around 99.9%.

> After downloading his files and updates for files countless times since 2004 without ever an issue, I feel my trust level is around 99.9%.

Same here. There are sources I trust implicitly, and NirSoft is one of those.

The fact is that when it comes to "clever developer/administrator tools" many of them do things that would give most scanners the impression they are malicious, because the techniques that one must use to get the result "dig where you generally shouldn't." But those of us who use them should know that and recognize false positives when those occur (and, of course, strategically use whitelisting, which I do).

> Care to share what tools and techniques you're using to scan the data?
It's nothing really special. If it's basically a browser hijack issue I'll see if there are any plugins installed. Most of the time there are not, so I'll start by clearing recent history. If that doesn't work, then a reset has always fixed the browser. Typically I'll use a couple of different anti-malware scanning tools, almost always online ones like HouseCall. I will make sure it scans the entire drive and I'll save the report to send to the bank or underwriter just in case. I'll also sort files by creation date and last modified. That used to help but hasn't done anything major in years.

Even if they didn't let a hacker connect I'll still run an anti-malware scan. Many times I'll find the search engine has been modified to use one of those ad generators.
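The "sort files by creation date and last modified" step above, as an added PowerShell triage helper that is not the poster's own script: it walks the user-profile folders where downloads and installs usually land, keeps files created or modified within a look-back window, sorts newest first, and writes the list to a CSV that can go along with the scanner report. The profile path, the 14-day window, the folder list and the report location are all assumptions to adjust per machine.

```powershell
# Added triage helper (not from the thread). Lists recently created/modified
# files under a user profile, newest first, and saves a CSV report.
param(
    [string]$ProfilePath = $env:USERPROFILE,   # assumed: the affected user's profile
    [int]$Days = 14,                           # assumed: two-week look-back window
    [string]$Report = (Join-Path $env:USERPROFILE 'Desktop\recent-files-report.csv')
)

$since = (Get-Date).AddDays(-$Days)

# Folders where user-driven downloads and installs usually land (assumed list).
$targets = @('Downloads', 'Desktop', 'Documents', 'AppData\Local', 'AppData\Roaming') |
    ForEach-Object { Join-Path $ProfilePath $_ }

# Browser cache directories churn constantly and only add noise to the report.
$noise = '\\(Cache|Code Cache|GPUCache|INetCache)\\'

$recent = foreach ($dir in $targets) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.CreationTime -ge $since -or $_.LastWriteTime -ge $since) -and
            ($_.FullName -notmatch $noise)
        } |
        Select-Object FullName, Length, CreationTime, LastWriteTime,
            @{ Name = 'Newest'; Expression = {
                if ($_.CreationTime -gt $_.LastWriteTime) { $_.CreationTime } else { $_.LastWriteTime }
            } }
}

# Newest activity first, so a fresh download, dropped file or edited shortcut
# surfaces at the top instead of being buried among older files.
$sorted = @($recent | Sort-Object Newest -Descending)

$sorted | Export-Csv -Path $Report -NoTypeInformation
Write-Host ("{0} recently created/modified files written to {1}" -f $sorted.Count, $Report)

# Quick on-screen look at the 25 newest entries.
$sorted | Select-Object -First 25 Newest, Length, FullName | Format-Table -AutoSize
```

Run it from an elevated prompt if the profile belongs to another account, and widen `$Days` when the infection date is unknown.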