
Installed KMS.pico, many trojans followed after - how to remove properly?


This topic is locked
14 replies to this topic

#1 thelegend66

  • Members
  • 9 posts

Posted 20 August 2017 - 05:43 AM

Hey there, one of my relatives' laptops came with KMS.spico installed so that Office 2016 would be activated; her laptop didn't show any sign of being infected. A few hours ago I installed the files, and immediately after I experienced many ads, the computer lagging etc. I am aware there was another thread with the same problem back in April, but that thread is long closed. I am currently following the same procedure (however I had already deleted some things manually using Malwarebytes, Windows Defender, Adware before seeing that specific thread). I believe all three scanners have already found more than 120 malicious files....

 

My laptop has definitely calmed down with some of the files removed; however, I still keep getting detection warnings and quite obviously it still affects Chrome on its startup (no more adware... yet tho there as I've seen).

 

After I finish this scan by Malwarebytes rootkit... what should I do to make sure my PC is clean?

 

Really desperate now....

 

Thanks everyone!!! :/


Edited by thelegend66, 20 August 2017 - 05:45 AM.



#2 nasdaq

  • Malware Response Team
  • 40,741 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 August 2017 - 09:43 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Step 2: Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Step 3: Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs.

Let me know what problems persist.
==============================

#3 thelegend66
  • Topic Starter
  • Members
  • 9 posts

Posted 20 August 2017 - 10:01 AM

Thanks for responding faster than I imagined :D , this is the log from AdwCleaner. It detected something other than what I saw last time. Hopefully that means that CrimsonSun and windefender.exe are finally gone. Unsure though.
 
 
-----------------------------------------------------------------------------------------------
 
# AdwCleaner 7.0.1.0 - Logfile created on Sun Aug 20 14:59:20 2017
# Updated on 2017/05/08 by Malwarebytes 
# Database: 08-17-2017.2
# Running on Windows 10 Home Single Language (X64)
# Mode: scan
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
PUP.Optional.Glupteba, C:\Users\DELL NBK\AppData\Roaming\EpicNet Inc
PUP.Optional.Glupteba, C:\Users\DELL NBK\AppData\Roaming\EpicNet Inc.
 
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
PUP.Optional.Glupteba, [Key] - HKU\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\EpicNet Inc.
PUP.Optional.Glupteba, [Key] - HKCU\Software\EpicNet Inc.
PUP.Optional.Glupteba, [Value] - HKU\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\Microsoft\Windows\CurrentVersion\Run | cloudnet
PUP.Optional.Glupteba, [Value] - HKCU\Software\Microsoft\Windows\CurrentVersion\Run | cloudnet
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries.
 
***** [ Chromium (and derivatives) ] *****
 
 
 
No malicious Chromium entries.
 
*************************
 
C:/AdwCleaner/AdwCleaner[C0].txt - [5566 B] - [2017/8/20 9:54:25]
C:/AdwCleaner/AdwCleaner[C1].txt - [1611 B] - [2017/8/20 10:12:37]
C:/AdwCleaner/AdwCleaner[S0].txt - [6126 B] - [2017/8/20 9:53:55]
C:/AdwCleaner/AdwCleaner[S1].txt - [1486 B] - [2017/8/20 10:12:9]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt ##########


#4 thelegend66
  • Topic Starter
  • Members
  • 9 posts

Posted 20 August 2017 - 10:08 AM

Hello again,

I've completed the FRST step, those files are rather huge so I'll attach them instead. Thanks for your help :))

Attached Files



#5 thelegend66
  • Topic Starter
  • Members
  • 9 posts

Posted 20 August 2017 - 10:24 AM

Rebooted my computer and got another log from AdwCleaner:

 

# AdwCleaner 7.0.1.0 - Logfile created on Sun Aug 20 15:08:43 2017
# Updated on 2017/05/08 by Malwarebytes 
# Running on Windows 10 Home Single Language (X64)
# Mode: clean
 
***** [ Services ] *****
 
No malicious services deleted.
 
***** [ Folders ] *****
 
Deleted: C:\Users\DELL NBK\AppData\Roaming\EpicNet Inc
Deleted: C:\Users\DELL NBK\AppData\Roaming\EpicNet Inc.
 
 
***** [ Files ] *****
 
No malicious files deleted.
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
No malicious tasks deleted.
 
***** [ Registry ] *****
 
Deleted: [Key] - HKU\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\EpicNet Inc.
Deleted: [Key] - HKCU\Software\EpicNet Inc.
Deleted: [Value] - HKU\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\Microsoft\Windows\CurrentVersion\Run|cloudnet
Deleted: [Value] - HKCU\Software\Microsoft\Windows\CurrentVersion\Run|cloudnet
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries deleted.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries deleted.
 
*************************
 
::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0
 
 
 
*************************
 
C:/AdwCleaner/AdwCleaner[C0].txt - [5566 B] - [2017/8/20 9:54:25]
C:/AdwCleaner/AdwCleaner[C1].txt - [1611 B] - [2017/8/20 10:12:37]
C:/AdwCleaner/AdwCleaner[S0].txt - [6126 B] - [2017/8/20 9:53:55]
C:/AdwCleaner/AdwCleaner[S1].txt - [1486 B] - [2017/8/20 10:12:9]
C:/AdwCleaner/AdwCleaner[S2].txt - [1710 B] - [2017/8/20 14:59:20]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt ##########
 
 
 
 
PS: Does crimsonsun/epic.net/windefender/UNP ring any bells?


#6 nasdaq

  • Malware Response Team
  • 40,741 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 August 2017 - 12:46 PM



Hi,

Remove this program in bold via the Control Panel > Programs > Programs and Features.
CloudNet (HKU\S-1-5-21-4275108569-2750339717-1956626530-1001\...\CloudNet) (Version: - EpicNet Inc) <==== ATTENTION
I just want to make sure all has been removed.
===


Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [FAStartup] => [X]
HKU\S-1-5-21-4275108569-2750339717-1956626530-1001\...\Run: [çnjA9T8Tmw.exe] => C:\Program Files\Windows Sidebar\9BC7X1PMW4JD2K3IAP5PJ5V0RODSIJAL3A\çnjA9T8Tmw.exe
HKU\S-1-5-21-4275108569-2750339717-1956626530-1001\...\Run: [CrimsonSun] => "C:\Users\DELL NBK\AppData\Roaming\CrimsonSun\crimsonsun.exe" -startup
HKU\S-1-5-21-4275108569-2750339717-1956626530-1001\...\Run: [cloudnet] => "C:\Users\DELL NBK\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe"
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll No File
FF user.js: detected! => C:\Users\DELL NBK\AppData\Roaming\Mozilla\Firefox\Profiles\dvpjkcp3.default\user.js [2017-06-29]
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\DELL NBK\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-09]
CHR Extension: (Chrome Media Router) - C:\Users\DELL NBK\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-08-05]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [njpedbdniajflhgfoipnjkednnlkngbj] - hxxps://clients2.google.com/service/update2/crx
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S2 McNaiAnn; "C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
R2 WinDivert1.2; C:\WINDOWS\system32\drivers\WinDivert64.sys [37552 2017-08-20] (Basil)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
Task: {B4922F53-8C4C-45B6-B091-2A1A9AEFB280} - System32\Tasks\FreeAntiVirus => C:\WINDOWS\explorer.exe "hxxp://destyy.com/qNHR3u" <==== ATTENTION
Task: {DF16F1D5-A32F-425C-82FA-274811A0ED50} - System32\Tasks\UninstallDDS-C960901F-CE14-4DE1-9729-1305F719A337 => C:\Windows\TEMP\DeleteFolderTask.exe <==== ATTENTION
Shortcut: C:\Users\DELL NBK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Int?rn?t ???l?r?r.lnk -> C:\Program Files (x86)\HPWhale\WhaleStarter.exe (No File) <==== Cyrillic
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\HPWhale\WhaleStarter.exe (No File) <==== Cyrillic
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk -> C:\Program Files (x86)\HPWhale\WhaleStarter.exe (No File) <==== Cyrillic
C:\Program Files\Windows Sidebar\9BC7X1PMW4JD2K3IAP5PJ5V0RODSIJAL3A\çnjA9T8Tmw.exe
C:\Users\DELL NBK\AppData\Roaming\CrimsonSun
C:\WINDOWS\system32\drivers\WinDivert64.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome, click on the menu icon or the 3 vertical dots located at the top right side of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Please let me know what problem persists with this computer.
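A post-cleanup check, added here as an example and not part of nasdaq's instructions or of the FRST/AdwCleaner tools: from an elevated PowerShell prompt, run as the affected user, it re-checks whether the persistence points named in the fixlist above (the Run values, the leftover keys, the FreeAntiVirus task pattern, the WinDivert driver service and the lookalike Start Menu shortcuts) are still present. Every registry path, value name and file path comes from the thread; the assumptions are that HKCU is the hive FRST listed as HKU\S-1-5-21-...-1001 (true when the script runs as that user), and that the shortcut test generalizes the "Cyrillic" finding to any .lnk whose name contains non-ASCII characters.

```powershell
# Added example, not part of the thread's tools: verify that the persistence entries
# named in the FRST fixlist are gone. Run from an elevated PowerShell as the affected user.
# Assumption: HKCU: is the hive FRST showed as HKU\S-1-5-21-...-1001.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Run values from the fixlist (FRST's "HKLM-x32" is the WOW6432Node branch)
$runValues = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'             = @('cloudnet', 'CrimsonSun')
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run' = @('FAStartup')
}
foreach ($key in $runValues.Keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $runValues[$key]) {
        if ($null -ne $props.$name) { Add-Finding 'RunValue' "$key\$name" $props.$name }
    }
}

# 2. Keys that AdwCleaner, the registry search and fixme.reg dealt with,
#    plus the service key of the R2 WinDivert driver
$keys = @(
    'HKCU:\Software\EpicNet Inc',
    'HKCU:\Software\EpicNet Inc.',
    'HKCU:\Software\Microsoft\TestApp',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\CloudNet',
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinDivert1.2'
)
foreach ($k in $keys) { if (Test-Path $k) { Add-Finding 'Key' $k 'still present' } }

# 3. Files and folders the fixlist deleted
$files = @(
    "$env:SystemRoot\System32\drivers\WinDivert64.sys",
    "$env:APPDATA\CrimsonSun",
    "$env:APPDATA\EpicNet Inc\CloudNet\cloudnet.exe"
)
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { Add-Finding 'File' $f 'still present' } }

# 4. Scheduled tasks whose action is explorer.exe with a URL argument (the FreeAntiVirus
#    pattern: explorer.exe hands the URL to the default browser at the scheduled time)
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'explorer\.exe' -and $a.Arguments -match 'https?://') {
            Add-Finding 'Task' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)"
        }
    }
}

# 5. Start Menu shortcuts whose file name contains non-ASCII characters (lookalike names
#    such as the "Cyrillic" Google Chrome / Mozilla Firefox shortcuts in the fixlist)
$shell = New-Object -ComObject WScript.Shell
$startMenus = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
)
foreach ($dir in $startMenus) {
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.BaseName -match '[^\x00-\x7F]') {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            Add-Finding 'Shortcut' $_.FullName "-> $target"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No leftovers found for the indicators from this thread.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script only reads; nothing is deleted, so it is safe to run before and after each fix round and compare the two tables. A task that opens a URL through explorer.exe and a .lnk with a lookalike name are the two items that a plain antivirus scan is least likely to flag, which is why they get their own pattern checks rather than a fixed-path lookup.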

#7 thelegend66
  • Topic Starter
  • Members
  • 9 posts

Posted 21 August 2017 - 06:08 AM

Hello, it appears CloudNet was already removed; however, it is still listed in my "Add or remove programs" tab.

 

"Windows cannot find the file 'C:\Users\DELLNBK\AppData\Roaming\CrimsonSun\crimsonsun.exe'. Make sure you typed the name correctly, and then try again."

 

I checked the actual file location and it does appear to be gone. If so, how do I remove it from my apps and programs list?

 

Should I continue with the next step? 


Edited by thelegend66, 21 August 2017 - 06:12 AM.


#8 nasdaq

  • Malware Response Team
  • 40,741 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 August 2017 - 08:57 AM

Hi,

This registry run key was removed. The file also.

HKU\S-1-5-21-4275108569-2750339717-1956626530-1001\...\Run: [CrimsonSun] => "C:\Users\DELL NBK\AppData\Roaming\CrimsonSun\crimsonsun.exe" -startup


===

Let's see what we can find in the Registry.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
CloudNet;CrimsonSun 
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;


#9 thelegend66
  • Topic Starter
  • Members
  • 9 posts

Posted 21 August 2017 - 09:10 AM

Hey there, here's the log:

 

Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by DELL NBK (21-08-2017 21:09:30)
Running from C:\Users\DELL NBK\Downloads
Boot Mode: Normal
 
================== Search Registry: "CloudNet;CrimsonSun" ===========
 
 
===================== Search result for "CloudNet" ==========
 
[HKEY_USERS\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\Microsoft\TestApp]
"InstallCloudnet"="1"
 
[HKEY_USERS\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\Microsoft\TestApp]
 
[HKEY_USERS\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\CloudNet]
 
[HKEY_USERS\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\CloudNet]
"DisplayName"="CloudNet"
 
[HKEY_USERS\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\CloudNet]
"UninstallString"=""C:\Users\DELL NBK\AppData\Roaming\CrimsonSun\crimsonsun.exe" -uninstall"
 
 
===================== Search result for "CrimsonSun" ==========
 
[HKEY_USERS\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\Microsoft\TestApp]
"Name"="CrimsonSun"
 
[HKEY_USERS\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"CrimsonSun"=""C:\Users\DELL NBK\AppData\Roaming\CrimsonSun\crimsonsun.exe" -startup"
 
[HKEY_USERS\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\CloudNet]
"UninstallString"=""C:\Users\DELL NBK\AppData\Roaming\CrimsonSun\crimsonsun.exe" -uninstall"
 
====== End of Search ======


#10 nasdaq

  • Malware Response Team
  • 40,741 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 August 2017 - 01:01 PM

Hi,

Copy the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "All Files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.
 

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\Microsoft\TestApp]
"InstallCloudnet"=-
[HKEY_USERS\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\Microsoft\TestApp]
"CloudnetSource"=-
[-HKEY_USERS\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\CloudNet]
[HKEY_USERS\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\Microsoft\TestApp]
"Name"=-
[HKEY_USERS\S-1-5-21-4275108569-2750339717-1956626530-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"CrimsonSun"=-


Restart the computer when completed.

You can delete the fixme.reg file when done.

How is it now?
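A dry run of a .reg fix such as the fixme.reg above, added here as an example and not part of nasdaq's instructions: in .reg syntax a line of the form [-KEY] deletes the whole key, and a "name"=- line under a [KEY] header deletes that single value, while any other "name"=data line sets a value. The script parses the file and lists each action together with whether its target currently exists, without changing the registry, so the effect can be reviewed before the merge. The default file path is an assumption, and HKEY_USERS entries can only be resolved while that user's hive is loaded (the user is logged in).

```powershell
# Added example, not part of the thread: dry-run a .reg fix before merging it.
# "[-KEY]" deletes a key; "name"=- under a [KEY] deletes that value; other lines set values.
# Nothing is modified. The default path below is an assumption.
param([string]$RegFile = "$env:USERPROFILE\Desktop\fixme.reg")

function Get-RegFixPlan([string]$Path) {
    $currentKey = $null
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if ($line -match '^\[-(.+)\]$') {
            # Key deletion. The "Registry::" prefix lets Test-Path address any hive,
            # including HKEY_USERS\<SID>, which has no drive of its own.
            $key = $Matches[1]
            $currentKey = $null
            [pscustomobject]@{ Action = 'DeleteKey'; Key = $key; Value = ''; ExistsNow = (Test-Path "Registry::$key") }
        } elseif ($line -match '^\[(.+)\]$') {
            # Key header: following "name"=... lines belong to this key
            $currentKey = $Matches[1]
        } elseif ($currentKey -and $line -match '^"(.+?)"=(.+)$') {
            $name = $Matches[1]
            $data = $Matches[2]
            $exists = $false
            if (Test-Path "Registry::$currentKey") {
                $item = Get-ItemProperty -LiteralPath "Registry::$currentKey" -Name $name -ErrorAction SilentlyContinue
                $exists = $null -ne $item
            }
            $action = if ($data -eq '-') { 'DeleteValue' } else { 'SetValue' }
            [pscustomobject]@{ Action = $action; Key = $currentKey; Value = $name; ExistsNow = $exists }
        }
        # the "Windows Registry Editor Version 5.00" header and blank lines fall through
    }
}

Get-RegFixPlan -Path $RegFile | Format-Table -AutoSize
```

Run as `.\Check-RegFix.ps1 -RegFile C:\Users\<you>\Desktop\fixme.reg` (script name assumed). For the fixme.reg in this thread the expected output is four DeleteValue rows and one DeleteKey row; a row with ExistsNow = False means that entry was already removed by an earlier step, which is exactly the situation thelegend66 described for the CrimsonSun Run value.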

#11 thelegend66
  • Topic Starter
  • Members
  • 9 posts

Posted 21 August 2017 - 06:19 PM

Hello, sorry I was a bit unsure if you still wanted me to do the following step:

 

Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click the OK button

 

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [FAStartup] => [X]

 

etc....

 

 

===============

 

Shall I do it, post the log it makes,  and then do the fixme.reg?



#12 nasdaq

  • Malware Response Team
  • 40,741 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 August 2017 - 07:17 AM

Shall I do it, post the log it makes, and then do the fixme.reg?


Yes, run my fix first.

Then run the fixme.reg.

Let me know how the computer is running.

#13 thelegend66
  • Topic Starter
  • Members
  • 9 posts

Posted 22 August 2017 - 07:53 AM

Hey there, I did the fixlist.txt step and have attached the log produced in this reply.

I'll proceed with the fixme.reg now.

Attached Files



#14 thelegend66
  • Topic Starter
  • Members
  • 9 posts

Posted 22 August 2017 - 08:33 AM

Hey,

 

So far so good, the computer is back up to its usual performance, and I've done a scan on Malwarebytes and Windows Defender and nothing has been detected at the moment. I'll do periodic checks for the next few days, and will note anything peculiar.

 

Thanks a million, for your help!

 

Honestly I'm very grateful to have found this useful website and to have accepted your support! :D :D :D

 

Cheers.



#15 nasdaq

  • Malware Response Team
  • 40,741 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 August 2017 - 12:45 PM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
==



