
Major Infection Malware/Adware/Rootkit Please Help!


  • This topic is locked This topic is locked
5 replies to this topic

#1 mattcosta95


Posted 05 January 2017 - 03:19 AM

(inserted updates to the original post)

 

Hello Friends at Bleeping Computer! This is Matt from Brazil.

I've been looking around your forums and I know that you are good guys and that you can help me. After downloading a movie via torrent, I was prompted to download a certain codec in order to play the movie. I accidentally clicked it, tried to stop it and even rebooted, but that was enough to infect my system. There is a browser adware in place that has rendered Chrome and all other browsers almost unusable, opening tabs, redirecting to useless websites and causing overall slow web browsing. The virus/malware also did something to Windows, as the Firewall is down and cannot be enabled (a prompt says something like "It was not possible to start Windows Safety Central"). I used AVG and it found several trojans, a file named xvidcodexfix.exe which was the bait in the first place (not sure if that is the file name, but it is something close to that). Even though AVG claims to fix it, the problem persists. While I am browsing, AVG will sometimes pop up saying that it found a Trojan and I click to fix, but the problem persists. Another symptom is that every once in a while a black DOS window will appear for just a second and then close very fast (it does not seem to show any text, or it may show too fast for me to read). I have also used SpyBot and it only works if I run it as Admin. The SpyBot scan will find some malware explicitly named Disable Windows Security Central (again, that or something close to that), but clicking to fix it does not solve the problem.

 

Please note that I am a regular user with no tech knowledge, I use this laptop only for college and simple web browsing, so please bear with me. Also, our exchange of logs may include some text in Portuguese (my native language) but I believe it will not impair your understanding. I will attach my FRST scan logs below. FRST is running in Portuguese and I cannot seem to change it to English, but I believe it will not cause any major problems.

 

I know I screwed up in downloading movies, but please help me guys, I don't know what to do!

 

UPDATE 1: While browsing files on the infected laptop I came across a file called 'xxx'.manifest (xxx being something I can't recall) and a bunch of out-of-place dll files (if I remember correctly I spotted those upon clicking my C: unit in Explorer). I googled it, and found the description of the exact same method that infected my system. Link:

http://www.pandasecurity.com/homeusers/security-info/37945/information/Manifest

 

UPDATE 2: Rebooted the system and was not able to use the internet. I also could not find the above mentioned manifest file or the odd looking registry keys and dll's upon exploring the C: drive unit. To clarify: first I had a browser hijacking situation (redirecting, websearch, new tab, hidden extensions etc.) and now none of the browsers are connecting to the web (it claims to be a proxy problem). Firewall and Windows Security still disabled, and when I try to activate them an error states "Could not start Windows Security".

 

UPDATE 3: Looked at the FRST log, I still don't feel your understanding will be impaired because of the Portuguese, but feel free to ask me about any translation problem (but Google Translate should work fine).

 

Regards,

Matt

 

Attached files: FRST.txt (47.71KB), Addition.txt (41.31KB)


Edited by mattcosta95, 05 January 2017 - 01:18 PM.



#2 mattcosta95


Posted 05 January 2017 - 07:00 AM

(edited this many times with lots of updates, this is my last update)

 

I tried AdwCleaner, JRT, RKill + CCleaner many times over and this is where I am at right now: the notebook seems to be fine, Firewall and Defender are up again, no more flashing DOS window, no more browser hijacking. However, whenever I restart and run an AdwCleaner scan, there is always some adware/malware there (unwanted search engines, home pages, extensions and whatnot) in the user/AppData folder which I cannot find. Other scans come back clean and those threats found don't seem to be doing anything. So I tried using HitmanPro and it found many things. The original trojans and malware escaped detection and, although they are not causing the same trouble as when I started the post, they keep bringing back this adware/malware. I will list the stuff HitmanPro found and wait for your help. Please come in guys!

 

HitmanPro found (all in C:\user\moises\AppData\Local\Temp):

 

XvidCod.exe - Trojan (the one I clicked and started this nightmare)

nsiAA14.tmp - Trojan

XvidCodec.exe - Trojan (in a different location than the first one)

ic-0.a14c4bfc2cdba.exe - Malware

 

It also found 2 files listed as riskware that AdwCleaner had put in quarantine:

Interface.dll

sysnetwk.exe



Edited by mattcosta95, 05 January 2017 - 09:02 PM.


#3 nasdaq

  • Malware Response Team

Posted 06 January 2017 - 11:34 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR Extension: (Pagamentos da Chrome Web Store) - C:\Users\moises\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-05]
CHR Extension: (Chrome Media Router) - C:\Users\moises\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-05]
S3 dbx; system32\DRIVERS\dbx.sys [X]
FirewallRules: [TCP Query User{0BFACC29-27C3-4109-A6AA-78C28B96335C}C:\windows\kmsemulator.exe] => C:\windows\kmsemulator.exe
FirewallRules: [UDP Query User{9736B710-D748-4DB7-BA10-3F2E3AA9C1CE}C:\windows\kmsemulator.exe] => C:\windows\kmsemulator.exe
C:\windows\kmsemulator.exe
\Users\moises\AppData\Local\Temp\XvidCod.exe

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right side of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Please let me know what problem persists with this computer.

p.s.
If AdwCleaner still finds some items, please post the log for my review.
Do not delete them just yet.

#4 mattcosta95


Posted 06 January 2017 - 12:15 PM

Nasdaq, I salute you.

 

Laptop seems to be working flawlessly, including all browsers. adwCleaner, JRT, HitmanPro and RKill logs clean. 

Thanks a lot man. Could you recommend any AV software? I removed AVG in order to perform the fix. Fixlog follows:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 01-01-2017
Ran by Matheus Costa (06-01-2017 15:03:00) Run:1
Running from C:\Users\moises\Desktop
Loaded Profiles: Matheus Costa (Available Profiles: Matheus Costa)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
CHR Extension: (Pagamentos da Chrome Web Store) - C:\Users\moises\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-05]
CHR Extension: (Chrome Media Router) - C:\Users\moises\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-05]
S3 dbx; system32\DRIVERS\dbx.sys [X]
FirewallRules: [TCP Query User{0BFACC29-27C3-4109-A6AA-78C28B96335C}C:\windows\kmsemulator.exe] => C:\windows\kmsemulator.exe
FirewallRules: [UDP Query User{9736B710-D748-4DB7-BA10-3F2E3AA9C1CE}C:\windows\kmsemulator.exe] => C:\windows\kmsemulator.exe
C:\windows\kmsemulator.exe
\Users\moises\AppData\Local\Temp\XvidCod.exe
 
Reboot:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Users\moises\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\moises\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\System\CurrentControlSet\Services\dbx => key removed successfully
dbx => service removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{0BFACC29-27C3-4109-A6AA-78C28B96335C}C:\windows\kmsemulator.exe => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{9736B710-D748-4DB7-BA10-3F2E3AA9C1CE}C:\windows\kmsemulator.exe => value not found.
"C:\windows\kmsemulator.exe" => not found.
\Users\moises\AppData\Local\Temp\XvidCod.exe => Error: No automatic fix found for this entry.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 20754575 B
Java, Flash, Steam htmlcache => 492 B
Windows/system/drivers => 53825253 B
Edge => 0 B
Chrome => 43302378 B
Firefox => 5432336 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 443037 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 29682 B
moises => 439966805 B
 
RecycleBin => 4815 B
EmptyTemp: => 545.6 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 15:03:10 ====
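Reading a Fixlog like the one above, as an added example that is not part of this thread or of the Farbar tool: a small Python parser that buckets each action line by its result (moved/removed, already absent, or an error FRST could not handle) and totals the EmptyTemp byte counts, so the entries that still need a manual check stand out. The sample log is a constructed excerpt of the log posted above.

```python
import re

# Constructed excerpt modelled on the Fixlog posted in this thread (not the full log).
SAMPLE_FIXLOG = r"""
Restore point was successfully created.
C:\Users\moises\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
HKLM\System\CurrentControlSet\Services\dbx => key removed successfully
dbx => service removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{0BFACC29-27C3-4109-A6AA-78C28B96335C}C:\windows\kmsemulator.exe => value not found.
"C:\windows\kmsemulator.exe" => not found.
\Users\moises\AppData\Local\Temp\XvidCod.exe => Error: No automatic fix found for this entry.
=========== EmptyTemp: ==========
Chrome => 43302378 B
moises => 439966805 B
EmptyTemp: => 545.6 MB temporary data Removed.
"""

# Every action line has the shape "<target> => <result>", with an optional trailing period.
RESULT_RE = re.compile(r"^(?P<target>.+?) => (?P<result>.+?)\.?$")


def classify(result: str) -> str:
    # Map an FRST result phrase to a review bucket.
    r = result.lower()
    if "successfully" in r:
        return "fixed"   # FRST removed or moved the item
    if r.startswith("error"):
        return "error"   # FRST could not act on the entry: check it by hand
    if "not found" in r:
        return "absent"  # already gone, e.g. removed earlier by another tool
    return "other"


def parse_fixlog(text: str) -> dict:
    """Bucket each fix action and total the bytes reported under EmptyTemp."""
    summary = {"fixed": [], "absent": [], "error": [], "other": [], "temp_bytes": 0}
    in_temp = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("=========== EmptyTemp:"):
            in_temp = True  # everything after this header is a byte count, not an action
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue  # blank lines and status sentences without " => " are not actions
        target, result = m.group("target"), m.group("result")
        if in_temp:
            b = re.fullmatch(r"(\d+) B", result)
            if b:
                summary["temp_bytes"] += int(b.group(1))
            continue
        summary[classify(result)].append(target)
    return summary
```

Entries in the error bucket, like the XvidCod.exe line here, are the ones to confirm by hand before calling the machine clean.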


#5 mattcosta95


Posted 06 January 2017 - 02:16 PM

I must say that looking at the fix log, some of the "file not found" messages may be due to a HitmanPro clean I did before your first reply. Laptop still running without apparent problems.

Matt

#6 nasdaq

  • Malware Response Team

Posted 07 January 2017 - 09:32 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

p.s.
Make sure you read the instructions on the AV programs.
