
Malicious Chrome Extensions/Infected MBR


4 replies to this topic

#1 Kiera9


Posted 16 August 2016 - 07:09 PM

I'm truly dealing with the malware from hell. It has been an intermittent problem over the last 5-6 years. I get rid of it for a year or so, then it comes back, and it is a nightmare to get rid of it every time. It is definitely the same infection.

It has a rootkit component and a Trojan component. The Trojan is now being detected as Trojan.Gen by numerous scanners. The rootkit is always just identified as "unknown rootkit". The rootkit component infects the MBR of any type of storage (HD, flash drive, SD cards). Previously, Comodo Cleaning Essentials was the only thing that could get rid of the MBR infection. Now nothing will. Does anyone have any suggestions? I'm just thinking about throwing everything out at this point.

I tried overwriting the MBR of the flash drives with dd, but GParted cannot write a new partition table now and it sees the storage as only a few MB in size. I'm pretty sure that this worked in the past.

The malware also uses malicious Chrome extensions to maintain persistence. I'm finding hidden extensions when I scan with FRST. They have random letter/number names. These just appear randomly within a few hours after re-installing Windows. I always re-install and rewrite the MBR because NOTHING can fully remove this. Lol, burning the HD doesn't seem too extreme at this point.

Is there any way to block Chrome from installing any extensions at all? I don't really need any extensions. It's just weird that they keep coming back, especially since I haven't logged in to Chrome.

I've already been hacking away at this, so I'm going to wipe one more time. I'm sure that it will be back, so I'll post logs in the help section when it does. But for now, if anyone has any suggestions, I would appreciate it.

#2 TsVk!


Posted 16 August 2016 - 08:10 PM

Your router may also be infected.

Take note of your ISP login information, disconnect from the internet and then hard reset your router. Before re-attaching it to the external network, change the admin and network passwords (with your freshly installed Windows machine).

To be sure there aren't any hidden persistent partitions on your HDD before re-installing Windows, you can "0 fill" it (completely erase) with Seatools for DOS. This will well and truly hose any information on it.



#3 Kiera9


Posted 17 August 2016 - 04:38 AM

Thanks. I forgot about the router. It's a Sagemcom from my ISP. I haven't heard anything about those getting infected, but it can't hurt.

I've been using a Linux disk and the dd utility to wipe my drives. The flash drives might be trash. There's a tiny partition in all of them and I can't figure out how to remove it.

I think that I'm going to post some logs. I've removed a lot of malware over the years but I've never seen anything this bad.

Thanks.

Edited by Kiera9, 17 August 2016 - 04:52 AM.


#4 TsVk!


Posted 17 August 2016 - 04:14 PM

You can remove the partitions from all of the drives using the hdparm command from a live Linux system.

To use HDPARM to clear the HPA

For x = the device you're targeting, use the following HDPARM command to show if you have an HPA enabled.

# hdparm -N /dev/sdx

It will spit back something like the following if you have an HPA defined:

/dev/sdx:
max sectors   = 78125000/78165360, HPA is enabled

To remove the HPA and expand the visible area out to the full size of the drive use the denominator in the above report (visible area/max sectors):

# hdparm -N p78165360 /dev/sdx

It will spit back a report that the visible area is equal to the max sectors and that the HPA is disabled.

/dev/sdx:
setting max visible sectors to 78165360 (permanent)
max sectors   = 78165360/78165360, HPA is disabled

----------------

If you are going to create a removal log, rather than attempt it yourself again, please mention these persistent partitions first (or even link this thread), as they are very relevant to getting your machine working correctly again.

Regards

TsVk!


Edited by TsVk!, 17 August 2016 - 04:17 PM.
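The post above reads the `hdparm -N` report by eye and types the remediation command by hand. The shell script below is an added example (it is not from the thread or from the hdparm project): it parses the same "max sectors = visible/native, HPA is enabled" line format the post quotes, works out how many sectors the HPA hides, and prints the `hdparm -N p<native>` command that would expand the visible area, without running it. The two sample reports are constructed to match the format in the post; the function names and the `/dev/sdx` device name are assumptions for illustration.

```shell
#!/bin/sh
# Added example: parse the "max sectors" line printed by `hdparm -N /dev/sdX`
# and decide whether a Host Protected Area (HPA) is hiding part of the drive.
# Nothing here touches a real disk; it only reads text and prints a command.

# Constructed sample report for a drive with an HPA (visible < native).
SAMPLE_HPA_ENABLED='/dev/sdx:
 max sectors   = 78125000/78165360, HPA is enabled'

# Constructed sample report for a drive with no HPA (visible == native).
SAMPLE_HPA_DISABLED='/dev/sdx:
 max sectors   = 78165360/78165360, HPA is disabled'

# hpa_visible REPORT -> prints the visible (current max) sector count
hpa_visible() {
    printf '%s\n' "$1" | sed -n 's/.*max sectors *= *\([0-9]*\)\/\([0-9]*\).*/\1/p'
}

# hpa_native REPORT -> prints the native (full) sector count
hpa_native() {
    printf '%s\n' "$1" | sed -n 's/.*max sectors *= *\([0-9]*\)\/\([0-9]*\).*/\2/p'
}

# hpa_hidden_sectors REPORT -> prints the number of sectors hidden by the HPA
# (0 when none); fails if the report does not contain a "max sectors" line.
hpa_hidden_sectors() {
    visible=$(hpa_visible "$1")
    native=$(hpa_native "$1")
    if [ -z "$visible" ] || [ -z "$native" ]; then
        echo "no 'max sectors' line found in report" >&2
        return 1
    fi
    echo $((native - visible))
}

# hpa_fix_command DEVICE REPORT -> prints the hdparm command that would set the
# visible area to the native size (as in the post), or nothing if no HPA exists.
hpa_fix_command() {
    dev=$1
    report=$2
    hidden=$(hpa_hidden_sectors "$report") || return 1
    if [ "$hidden" -gt 0 ]; then
        echo "hdparm -N p$(hpa_native "$report") $dev"
    fi
}

# Stand-alone usage on the constructed samples: the first call prints the
# remediation command, the second prints nothing because no HPA is set.
hpa_fix_command /dev/sdx "$SAMPLE_HPA_ENABLED"
hpa_fix_command /dev/sdx "$SAMPLE_HPA_DISABLED"
```

To use it against a real drive, capture the report with `hdparm -N /dev/sdX` (run as root, as the `#` prompt in the post indicates) and pass that text as the second argument. The script deliberately prints the `-N p...` command rather than executing it, because the post's own output shows the change is written to the drive as "(permanent)", so the device name is worth checking twice before running it.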


#5 Kiera9


Posted 12 September 2016 - 07:40 PM

Thanks guys. I called my ISP and got the firmware for my router. I flashed it. All was good for a few days. Then the hidden Chrome extensions came back along with the malware.

I'm going to try to remove the partitions and get in touch with Google support. They should know about those extensions.

I'll be back...
