Re: Site shutdown today from .RAR virus files uploaded?

41
If anyone was hacked, or thinks they may be, here are some of the things I did, from reading and asking for help:

run:
Rkill
Malwarebytes
RogueKiller
TDSSKiller
Autoruns
HitmanPro
Microsoft Safety Scanner (it's the same database as Defender but is more accurate)
a scan with Windows Defender

In an extreme case, nuke it by formatting your drive.

Go to every website you were logged on to at the time and log out, so their cookies are useless.
Activate 2FA on the email; if they get to the email then it's game over.

good luck :/
Be the casino, not the gambler


Re: Site shutdown today from .RAR virus files uploaded?

42
More things:

Check in Task Manager > Startup if there is something weird that you don't recognise.
The same in Task Scheduler.
Google it if you're unsure.

And this is what I think happened; watch the 2 videos to understand.

I remember that the rar had some file inside with an image extension like .png or .jpg (I think it was .png), which should be harmless, but it was definitely not an image file and ran something, and in that video you can understand how they disguised it as a .png file when it was an executable. I remember getting some error msg; that was the executable. Maybe I clicked on something there to close it, I don't remember, and it did its thing, or maybe the harm was already done when I tried to open the .png file.

I definitely didn't open anything else in the rar; I did not open any of the files inside that folder. So it really was this trick they used. So no file is really safe, you have to inspect the properties.

As far as I could search, if you just use the disguised .ex4 or .mq4 and don't open it and just send it to the mt4 folder, nothing will happen; you have to interact with it, double click on it.

This place deals with money, so we are a prime target for these people, so be careful, because I doubt they will give up this easily.

Also I remember checking the profile of the person that posted the rar the 2nd time and it seemed legit, with lots of old msgs about trade, so that was probably a hacked acc just like mine and mr.tools's was at Forex Factory, so you can't even go by the trust factor.
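A check for the disguised-image trick described in this post, added here as an example rather than anything from the thread: it compares a file's extension with its leading bytes ("magic numbers"), and also flags the double-extension case that Explorer's hidden-extensions default makes look like an image. All file names and sample bytes are constructed.

```python
from pathlib import Path

# Leading bytes ("magic numbers") of common file types, from the published
# format specifications. A file's real type comes from these, not its name.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "rar": b"Rar!\x1a\x07",
    "zip": b"PK\x03\x04",
    "exe": b"MZ",          # DOS/PE header shared by .exe, .dll, .scr
}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".dll"}
ALIASES = {".jpeg": "jpg"}

def sniff(data: bytes) -> str:
    """Content type implied by the first bytes, or 'unknown'."""
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def check_file(name: str, data: bytes) -> list[str]:
    """Findings for one file; an empty list means name and content agree."""
    p = Path(name)
    ext = p.suffix.lower()
    claimed = ALIASES.get(ext, ext.lstrip("."))
    actual = sniff(data)
    findings = []
    if ext in IMAGE_EXTS and actual == "exe":
        findings.append("image extension but Windows executable content")
    elif actual != "unknown" and claimed != actual:
        findings.append(f"extension says {claimed or 'nothing'}, content is {actual}")
    # Explorer hides known extensions by default, so 'chart.png.exe' is shown
    # as 'chart.png'; flag any name with a second suffix that is executable.
    if len(p.suffixes) > 1 and ext in EXEC_EXTS:
        findings.append("double extension ending in an executable type")
    return findings

def scan_directory(root: str) -> dict[str, list[str]]:
    """Check every regular file under root; keys are paths with findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            with open(path, "rb") as fh:
                found = check_file(path.name, fh.read(16))
            if found:
                report[str(path)] = found
    return report
```

Run `scan_directory` over an extracted archive before touching anything in it; a file that reports "image extension but Windows executable content" is exactly the case this post describes.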

Re: Site shutdown today from .RAR virus files uploaded?

43
Netplwiz checks who is admin on the computer in Windows.


1. First of all check if any rogue programs or services are running. Open a Run window (Windows Logo key+R), type msconfig and press Enter. On the Startup Tab, uncheck any entries that are unknown to you. Repeat this for the Services Tab. If you uncheck anything restart the computer and when it restarts, put a tick in 'Don't show this again' as you're effectively doing a selective start up.
2. It's probably not relevant these days but this only takes a few seconds to check. Open a Run window (Windows Logo key+R), type cmd and press Enter. Now type system.ini and press Enter. If under [drivers] there is an entry user=user.drv, you may have been hacked, so restart the computer and check again. An entry of timer=timer.drv is safe.
3. Now check the net statistics:
3A. Open a Run window (Windows Logo key+R), type cmd and press Enter. Now type netstat -ano and press Enter. If 'Established' is in the State column, make a note of the PID and the Addresses alongside it, as someone may be hacking you. If the IP Address begins with 192.168, you are safe as it's part of your home network.
3B. To check if you are being hacked, open Task Manager by hitting Ctrl+Shift+Esc. Go to the Processes Tab > View > Select Columns and put a check in the PID box so that the column is displayed.
3C. If the PID that you noted in 3A appears and it is not a name that you recognise, right-click it and End the process. You can click the word PID at the top to sequence the numbers to make it easier to find. Restart the computer and check again.
(You can right-click on names and search online to see if they are normal.)
3D. If you didn't find the PID, restart the computer and rerun the netstat -ano command. Open Google in a browser window and type the IP Address into the search box. If it's a suspicious site, restart the computer and check again.
4. Lastly, run your 'anti' programs to clear up any residual malware files that may be present, which you should be doing on a regular basis anyway.
0 + 0 = 0
Infinite / Infinite = 1
1 way to Heaven & it matters
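The netstat step in 3A to 3D above (the same procedure is quoted again in a later post), as an added example that is not from the thread: it parses the output of `netstat -ano` and `tasklist /fo csv`, keeps only ESTABLISHED connections, and reports the ones whose remote address is outside your own network, generalised from "begins with 192.168" to all RFC 1918 ranges plus loopback, link-local and their IPv6 equivalents, together with the owning process name. The netstat and tasklist text is constructed sample output, not captured from a real machine.

```python
import csv
import ipaddress

# Constructed `netstat -ano` output (not from a real machine); 203.0.113.45 is a documentation address.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49712     192.168.1.1:443        ESTABLISHED     1234
  TCP    192.168.1.20:49801     203.0.113.45:4444      ESTABLISHED     5678
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    [::1]:49802            [::1]:8080             ESTABLISHED     4321
  UDP    0.0.0.0:5353           *:*                                    2048
"""
# Constructed `tasklist /fo csv` output for the PIDs above.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"chrome.exe","1234","Console","1","210,000 K"
"updater.exe","5678","Console","1","8,100 K"
"""
# "Your home network" per the post: RFC 1918, loopback, link-local, plus IPv6 equivalents.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def parse_netstat(text):
    # One dict per TCP/UDP row; UDP rows have no State column, so pid is last.
    conns = []
    for line in text.splitlines():
        p = line.split()
        if p and p[0] in ("TCP", "UDP"):
            conns.append({"proto": p[0], "local": p[1], "foreign": p[2],
                          "state": p[3] if len(p) == 5 else "", "pid": p[-1]})
    return conns

def is_local(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:            # '*' or an unresolved name: not a local address
        return False
    return any(addr in net for net in LOCAL_NETS)

def external_established(netstat_text, tasklist_text):
    # (pid, process name, remote endpoint) for ESTABLISHED non-local connections.
    names = {r["PID"]: r["Image Name"] for r in csv.DictReader(tasklist_text.splitlines())}
    out = []
    for c in parse_netstat(netstat_text):
        host, _, port = c["foreign"].rpartition(":")      # '[::1]:8080' -> '[::1]', '8080'
        host = host.strip("[]").split("%")[0]             # drop brackets and IPv6 zone id
        if c["state"] == "ESTABLISHED" and not is_local(host):
            out.append((c["pid"], names.get(c["pid"], "<unknown>"), f"{host}:{port}"))
    return out
```

On a real machine, feed it the saved output of `netstat -ano` and `tasklist /fo csv`; a PID that appears in the result but not in the tasklist snapshot is worth a second look, which is step 3D in the post.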


Re: Site shutdown today from .RAR virus files uploaded?

46
Chickenspicy wrote: Mon Jul 03, 2023 9:46 am That's funny, no hidden users.
And guests viewing a private vault thread?
I see no guests in the Private Vault section, which is how it should be, unless it's those search bots / crawlers, whatever they call them, lol. Looks like the site is legit again, but see what Jim says. I guess the only way to find out is to put rar files back on and see if the goons reappear... man, I wonder how many sites got smashed by this thing????? Blinking hell, people are scum & desperate.

Re: Site shutdown today from .RAR virus files uploaded?

47
Forexlearner wrote: Sun Jul 02, 2023 10:46 pm I don't believe in coincidences, and it happened exactly after I opened the rar. If you want some absolute certainty, I have none; I don't even know how they did it.
As far as I remember I just extracted that first file in the rar, not the folder, and tried to open it and got a weird error msg; that's what I recall.
I thought ESET was good, apparently not that good.
Yeah man, I doubt it's got anything to do with the 2019 one. I've had my e-mail pwnd in the past too; it's annoying as hell.

Did this infection manage to get control of other logins on your system apart from Forex Station and Forex Factory?
Important: The worst forex brokers of all time 👎

Re: Site shutdown today from .RAR virus files uploaded?

49
Chickenspicy wrote: Mon Jul 03, 2023 9:40 am Netplwiz checks who is admin on the computer in Windows.


1. First of all check if any rogue programs or services are running. Open a Run window (Windows Logo key+R), type msconfig and press Enter. On the Startup Tab, uncheck any entries that are unknown to you. Repeat this for the Services Tab. If you uncheck anything restart the computer and when it restarts, put a tick in 'Don't show this again' as you're effectively doing a selective start up.
2. It's probably not relevant these days but this only takes a few seconds to check. Open a Run window (Windows Logo key+R), type cmd and press Enter. Now type system.ini and press Enter. If under [drivers] there is an entry user=user.drv, you may have been hacked, so restart the computer and check again. An entry of timer=timer.drv is safe.
3. Now check the net statistics:
3A. Open a Run window (Windows Logo key+R), type cmd and press Enter. Now type netstat -ano and press Enter. If 'Established' is in the State column, make a note of the PID and the Addresses alongside it, as someone may be hacking you. If the IP Address begins with 192.168, you are safe as it's part of your home network.
3B. To check if you are being hacked, open Task Manager by hitting Ctrl+Shift+Esc. Go to the Processes Tab > View > Select Columns and put a check in the PID box so that the column is displayed.
3C. If the PID that you noted in 3A appears and it is not a name that you recognise, right-click it and End the process. You can click the word PID at the top to sequence the numbers to make it easier to find. Restart the computer and check again.
(You can right-click on names and search online to see if they are normal.)
3D. If you didn't find the PID, restart the computer and rerun the netstat -ano command. Open Google in a browser window and type the IP Address into the search box. If it's a suspicious site, restart the computer and check again.
4. Lastly, run your 'anti' programs to clear up any residual malware files that may be present, which you should be doing on a regular basis anyway.
This is really gold, thanks. The step to see if your machine is connecting to random IPs is very important.

