Infected by rootkit komodia/malware/adware/Hijack


This topic is locked
7 replies to this topic

#1 Pinfox

  • Members
  • 4 posts

Posted 25 March 2017 - 10:54 PM

Around 3 days ago, I was on my administrator account and went on a shady blogspot and downloaded what they told me to in order to get Microsoft Office 2016 and crack it using KMSAuto or something like that.

 

I got warnings from Chrome and Defender not to download those, but I did anyway. Shortly after, Chrome was hijacked trying to get extensions, ads were popping up all over my screen, and popups were saying to upgrade my antivirus or get virus help, etc.; my computer was going crazy. I was able to scan with Malwarebytes Premium, which I had just downloaded while having the virus, and I tried to get rid of the virus by deleting the downloads and uninstalling anything that seemed shady.

 

In the Malwarebytes logs it said something like Hijack 50 times and Rootkit.Komodia or something like that. There were 100-200 detections in total, many viruses and malware/adware. I tried to clean it with Malwarebytes, and I think the popups stopped and Chrome reset, losing my bookmarks, extensions, etc.

I shut down my computer and went to sleep.

 

Then I woke up the next day and tried going into Safe Mode, using Rkill, then Malwarebytes, then scanning with Avira, HitmanPro and TDSSKiller, and it seemed I was fine. I reset my PC (delete files and start over) and then I also did a clean reinstall of Windows using a USB. The thing is, when I got the virus and malware I had the USB plugged in, so I don't know if it was infected, and after that I also plugged the USB into 2 other computers. After reinstalling Windows 10, I did all the steps again, using Rkill, Malwarebytes, Avira, HitmanPro and TDSSKiller. They didn't seem to find any threats.

 

I also then used Malwarebytes Anti-Rootkit, Sophos Virus Removal Tool, Junkware Removal Tool and AdwCleaner. AdwCleaner keeps finding Chrome things: 4 items that keep coming back even after I clean and restart; when I scan again they are not cleaned. The values are 2 search providers, ask.com and aol.com, which are Web Data; a weird extension whose ID is fkjlohfdjcjhmfcabomglnciodlnplhk, which is Secure Preferences; and the 4th one is the homepage. They are all in Users\Pinfo\AppData\Local\Google\Chrome\User Data\Default. I will have a picture of it attached.

 

If I reinstalled Windows, is it possible I still have malware, and how is it possible that AdwCleaner is finding malicious things that aren't being cleaned and are still there after restarting?

I think I have a rootkit and adware/malware still on my computer.

I will also have FRST.txt and Addition.txt attached.

Attached Files




#2 nasdaq

  • Malware Response Team
  • 38,924 posts
  • Location: Montreal, QC. Canada

Posted 27 March 2017 - 09:07 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below into the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
U1 aswbdisk; no ImagePath

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

AdwCleaner is reporting some unwanted search items in Chrome.

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Please post the Fixlog.txt and let me know what problem persists.

#3 Pinfox

  • Topic Starter
  • Members
  • 4 posts

Posted 27 March 2017 - 04:07 PM

Hi, when I uninstalled Chrome, deleted the %localappdata% Google folder and reinstalled Chrome, 2 extensions from Avira automatically added themselves, and ask.com and aol.com were default search engines. When I reset the browser settings, ask.com and aol.com are back in the default search engines.

 

What does this mean? I've searched around and I've seen someone say ask.com and aol.com are browser hijackers, which seems to relate to how Chrome got hijacked before I reinstalled Windows. Is it possible the rootkit is hiding in the boot sector or motherboard or GPU? I was thinking of getting a new hard drive to fix my problems, but I've read online that some rootkits hide in your motherboard and stuff like that...

 

 

Currently AdwCleaner doesn't find any threats, since I removed the 2 extensions that automatically came with Chrome from Avira (I uninstalled Avira a while ago and am unsure why they automatically added themselves) and I also removed ask.com and aol.com from the default search engines.

I used the fixlist.txt only after removing them, but here it is anyway:

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Pinfo (27-03-2017 15:45:59) Run:1
Running from C:\Users\Pinfo\Downloads
Loaded Profiles: Pinfo (Available Profiles: defaultuser0 & Pinfo)
Boot Mode: Normal
==============================================
fixlist content:
*****************
start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
U1 aswbdisk; no ImagePath
End
*****************
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
HKLM\SOFTWARE\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => key removed successfully
HKLM\System\CurrentControlSet\Services\aswbdisk => key removed successfully
aswbdisk => service removed successfully
=========== EmptyTemp: ==========
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 14083474 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 8840284 B
Edge => 293825315 B
Chrome => 120832 B
Firefox => 0 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 36062 B
NetworkService => 0 B
defaultuser0 => 615937 B
Pinfo => 50004860 B
RecycleBin => 0 B
EmptyTemp: => 350.5 MB temporary data Removed.
================================

The system needed a reboot.
==== End of Fixlog 15:46:53 ====
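Why the Avira extension and the search providers came back after the profile was deleted, as an added example that is not part of the thread: the two HKLM\...\Google\Chrome\Extensions keys the fixlist removes (and that the Fixlog above confirms were deleted) are Chrome's registry-based "external extension" install mechanism. They live outside the profile, and Chrome installs whatever they list into every new profile, so wiping %LOCALAPPDATA%\Google or resetting browser settings cannot get rid of them; the "key removed successfully" lines in the Fixlog are the actual fix. The Python below is my code, not the forum's or the original poster's. It parses a `reg export` of those keys together with the profile's "Secure Preferences" file and correlates the two. Assumptions: the registry text and JSON are constructed samples that reuse the two extension IDs from the thread, with an invented `path` value and invented DefaultSearchProvider* policy values; the `location` codes follow Chrome's Manifest::Location enum as of 2017 (3 = external registry); and the DefaultSearchProvider* policy check is one registry-backed way a search engine survives a reset, not something the thread shows was the cause here.

```python
import json
import re

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 chars, hex digits mapped onto a-p
# Chrome's Manifest::Location codes in extensions.settings.<id>.location (assumed 2017 values)
LOCATION_NAMES = {1: "internal (user installed)", 2: "external_pref (JSON in install dir)",
                  3: "external_registry (...\\Google\\Chrome\\Extensions key)", 9: "external_policy (forcelist)"}
PERSISTENT_LOCATIONS = {2, 3, 9}  # re-created in every new profile; deleting the profile does not remove them

# Constructed `reg export` sample: the two IDs come from the thread, the path and policy values are invented.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk]
"update_url"="https://clients2.google.com/service/update2/crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fkjlohfdjcjhmfcabomglnciodlnplhk]
"path"="C:\\Program Files (x86)\\SampleVendor\\search_helper.crx"
"version"="2.1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"DefaultSearchProviderEnabled"=dword:00000001
"DefaultSearchProviderSearchURL"="https://search.example.test/?q={searchTerms}"
"""
# Constructed sample of the relevant parts of a profile's "Secure Preferences" file.
SECURE_PREFERENCES = json.dumps({
    "extensions": {"settings": {
        "flliilndjeohchalpbbcdekjklbdgfkk": {"location": 3, "manifest": {"name": "Sample Browser Safety"}},
        "fkjlohfdjcjhmfcabomglnciodlnplhk": {"location": 3, "manifest": {"name": "Sample Search Helper"}},
        "abcdefghijklmnopabcdefghijklmnop": {"location": 1, "manifest": {"name": "User-installed sample"}}}},
    "default_search_provider_data": {"template_url_data": {"keyword": "ask.com", "short_name": "Ask"}}})


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}} (string and dword values only)."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            if value.startswith('"') and value.endswith('"'):
                keys[current][name.strip('"')] = value[1:-1].replace("\\\\", "\\")  # undo .reg escaping
            elif value.startswith("dword:"):
                keys[current][name.strip('"')] = int(value[6:], 16)
    return keys


def registry_extensions(keys):
    """Extensions that Chrome's external-registry loader installs into every profile."""
    found = []
    for path, values in keys.items():
        parent, _, ext_id = path.rpartition("\\")
        if parent.lower().endswith("\\google\\chrome\\extensions") and EXT_ID_RE.match(ext_id):
            found.append({"id": ext_id, "key": path, "source": values.get("update_url") or values.get("path"),
                          "webstore": values.get("update_url") == WEBSTORE_UPDATE_URL})
    return found


def search_provider_policies(keys):
    """DefaultSearchProvider* policies: registry-backed, so a browser reset does not touch them."""
    return {k: v for path, values in keys.items() if path.lower().endswith("\\policies\\google\\chrome")
            for k, v in values.items() if k.startswith("DefaultSearchProvider")}


def profile_extensions(secure_prefs_json):
    """Extensions recorded in the profile, with how each one was installed."""
    settings = json.loads(secure_prefs_json).get("extensions", {}).get("settings", {})
    return [{"id": ext_id, "name": entry.get("manifest", {}).get("name", "?"),
             "location_name": LOCATION_NAMES.get(entry.get("location"), "unknown"),
             "persistent": entry.get("location") in PERSISTENT_LOCATIONS}
            for ext_id, entry in settings.items()]


def triage(reg_text, secure_prefs_json):
    """Correlate registry and profile; return the findings a responder would act on."""
    keys = parse_reg_export(reg_text)
    reg_exts = {e["id"]: e for e in registry_extensions(keys)}
    findings = []
    for ext in profile_extensions(secure_prefs_json):
        if ext["persistent"] or ext["id"] in reg_exts:
            via = reg_exts.get(ext["id"], {}).get("key", "not in this export")
            findings.append(f"{ext['id']} ({ext['name']}): {ext['location_name']}; registry key: {via}")
    for ext_id, e in reg_exts.items():
        if not e["webstore"]:
            findings.append(f"{ext_id}: non-Web-Store source {e['source']!r}; inspect that package")
    policy = search_provider_policies(keys)
    if policy:
        findings.append(f"search provider forced by policy: {policy}")
    search = json.loads(secure_prefs_json).get("default_search_provider_data", {}).get("template_url_data", {})
    if search:
        findings.append(f"profile default search keyword: {search.get('keyword')}")
    return findings


if __name__ == "__main__":
    for finding in triage(REG_EXPORT, SECURE_PREFERENCES):
        print(finding)
```

On the affected machine the inputs would come from `reg export HKLM\SOFTWARE\Google\Chrome\Extensions ext64.reg` (plus the Wow6432Node and HKCU equivalents) and from `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences`; `reg export` writes UTF-16 on Windows, so open that file with that encoding. Anything reported with an external_registry location is exactly what a Chrome reinstall will bring back until the key is gone.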


#4 nasdaq

  • Malware Response Team
  • 38,924 posts
  • Location: Montreal, QC. Canada

Posted 28 March 2017 - 07:26 AM



Currently AdwCleaner doesn't find any threats, since I removed the 2 extensions that automatically came with Chrome from Avira (I uninstalled Avira a while ago and am unsure why they automatically added themselves) and I also removed ask.com and aol.com from the default search engines.
I used the fixlist.txt only after removing them, but here it is anyway:


These 2 entries found by AdwCleaner are always reported.

They come from remnant items in the registry and are not causing any problems.

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

I will leave this topic open for 6 days. If you have any problems with your Chrome searches or redirects, let me know.

#5 Pinfox

  • Topic Starter
  • Members
  • 4 posts

Posted 28 March 2017 - 02:54 PM

Just a few questions that maybe you might know about before I go:

 

1. When I got the virus I had a USB plugged in, and then I also plugged that USB into 2 other computers. Is it possible those 2 other computers could be infected in any way?

 

2. When I created the bootable USB I did it on my other computer using the USB that I'm thinking could have been infected. Am I just being paranoid, or is it possible the bootable USB which I reinstalled Windows with was actually infected?

 

3. I've also heard some rootkits hide in your motherboard or some section of your hard drive so that even if you reinstall Windows they can still be there. Is this true, and do you think it could have been the same for me?



#6 nasdaq

  • Malware Response Team
  • 38,924 posts
  • Location: Montreal, QC. Canada

Posted 29 March 2017 - 07:06 AM

1. When I got the virus I had a USB plugged in, and then I also plugged that USB into 2 other computers. Is it possible those 2 other computers could be infected in any way?

Run AdwCleaner and Malwarebytes on both computers. If anything is abnormal, then you will have to create a new topic for each computer. We only service one computer per topic.
You can understand that the fix may not be the same.

===
 

2. When I created the bootable USB I did it on my other computer using the USB that I'm thinking could have been infected. Am I just being paranoid, or is it possible the bootable USB which I reinstalled Windows with was actually infected?


Run this program.

Download and Run FlashDisinfector

You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
===


3. I've also heard some rootkits hide in your motherboard or some section of your hard drive so that even if you reinstall Windows they can still be there. Is this true, and do you think it could have been the same for me?


The rootkit will on occasion hide in the BIOS. This will make it such that each time your computer is started the virus will re-spawn.
If you do not experience this activity, then there is no rootkit.
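Question 2 and the Flash_Disinfector step above both come down to one artifact: autorun.inf in the root of a removable drive. As an added example that is not part of the thread (my code, not sUBs' tool), the Python below shows what a triage of a stick looks like. It tells a protective autorun.inf directory of the kind Flash_Disinfector creates apart from a real autorun.inf file, pulls out the directives that made AutoRun launch a payload (open, shellexecute, shell\<verb>\command and shell=<verb>), checks whether the referenced targets still exist on the drive, and also looks for the later "shortcut worm" pattern in which every folder is shadowed by a same-named .lnk. Assumptions: both drive roots and the autorun.inf text are constructed in a temporary directory, and the payload is an empty placeholder file. Caveat a practitioner would want: since Windows 7 (and KB971029 on XP/Vista) Windows no longer honours autorun.inf on USB removable media, so on a Windows 10 machine such a file is evidence of a past infection rather than something that runs on insertion, and whether the installer stick was tampered with is better answered by hashing the downloaded ISO against the publisher's value than by this check.

```python
import os
import tempfile

EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".dll"}

# Constructed sample of a worm-style autorun.inf (not the contents of any real sample).
INFECTED_AUTORUN_INF = """[autorun]
; constructed sample for illustration
open=RECYCLER\\sample.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\sample.exe
shell\\explore\\command=RECYCLER\\sample.exe /e
shell=open
"""


def parse_autorun_inf(text):
    """Return the [autorun] section of an autorun.inf as {lowercased key: value}."""
    entries, in_autorun = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def execution_directives(entries):
    """Keys that make AutoRun/AutoPlay launch something: open, shellexecute, shell\\<verb>\\command, shell=<verb>."""
    return [(k, v) for k, v in entries.items()
            if k in ("open", "shellexecute", "shell") or (k.startswith("shell\\") and k.endswith("\\command"))]


def target_of(value):
    """First token of a command line, honouring a quoted program path."""
    value = value.strip()
    return value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" ", 1)[0]


def inspect_drive_root(root):
    """Triage the root of a removable drive for AutoRun and shortcut-worm artifacts."""
    report = {"root": root, "autorun": "absent", "directives": [], "executable_targets": [],
              "missing_targets": [], "lnk_shadowing": []}
    inf = os.path.join(root, "autorun.inf")
    if os.path.isdir(inf):
        # A directory named autorun.inf stops a worm from creating its own file; Flash_Disinfector relies on this.
        report["autorun"] = "directory (protective placeholder)"
    elif os.path.isfile(inf):
        report["autorun"] = "file"
        with open(inf, encoding="utf-8", errors="replace") as fh:
            entries = parse_autorun_inf(fh.read())
        for key, value in execution_directives(entries):
            report["directives"].append((key, value))
            if key == "shell":  # names a verb, not a file
                continue
            target = target_of(value).replace("\\", os.sep).replace("/", os.sep)
            if os.path.splitext(target)[1].lower() in EXEC_EXTENSIONS:
                report["executable_targets"].append(target)
            if not os.path.exists(os.path.join(root, target)):
                report["missing_targets"].append(target)
    # Shortcut worms hide the real folders and drop a same-named .lnk that runs the payload before opening them.
    for name in os.listdir(root):
        if name.lower().endswith(".lnk") and os.path.isdir(os.path.join(root, name[:-4])):
            report["lnk_shadowing"].append(name)
    return report


def build_sample_roots(base):
    """Create two constructed drive roots: a worm-style stick and a Flash_Disinfector-style protected one."""
    infected = os.path.join(base, "infected_stick")
    os.makedirs(os.path.join(infected, "RECYCLER"))
    os.makedirs(os.path.join(infected, "Documents"))
    with open(os.path.join(infected, "autorun.inf"), "w") as fh:
        fh.write(INFECTED_AUTORUN_INF)
    open(os.path.join(infected, "RECYCLER", "sample.exe"), "wb").close()  # empty stand-in for the payload
    open(os.path.join(infected, "Documents.lnk"), "wb").close()           # shortcut shadowing the folder
    protected = os.path.join(base, "protected_stick")
    os.makedirs(os.path.join(protected, "autorun.inf"))
    return infected, protected


def demo():
    """Build both sample roots in a temp directory and return their triage reports."""
    infected, protected = build_sample_roots(tempfile.mkdtemp(prefix="usb_triage_"))
    return inspect_drive_root(infected), inspect_drive_root(protected)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

To run it against a real stick, call `inspect_drive_root("E:\\")` (or the mount point on another OS) instead of `demo()`. A directory result with no directives and no shadowing shortcuts is what a clean, Flash_Disinfector-treated drive looks like; a file result whose targets no longer exist usually means a scanner already removed the payload but left the autorun.inf behind.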

#7 Pinfox

  • Topic Starter
  • Members
  • 4 posts

Posted 29 March 2017 - 04:11 PM

Thanks a lot! You've really helped me to understand what to do and stop being paranoid, and get back on track studying and doing work :)

 

I hope good karma goes your way, my friend :D

 

Thank you and goodbye for now



#8 nasdaq

  • Malware Response Team
  • 38,924 posts
  • Location: Montreal, QC. Canada

Posted 30 March 2017 - 08:06 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===



