
Rootkit and trojan infection, I am really desperate... please help.


27 replies to this topic

#1 cenekis (Members, 17 posts)

Posted 31 October 2017 - 06:18 PM

Hello, I hope there is somebody that can help me. I really tried everything, even your tips and advice from other posts, to try to get this fixed, but nothing seems to help me.

 

I reformat every time, but the infection is still there. What I did was reformat and instantly install an antivirus, which seems to detect threats on my downloads even if they are from a safe place like Microsoft's official page.

 

If I need to post some logs, just tell me. I will wait for a response and steps to proceed.

 

I'm using Windows 10 64-bit. I'm sorry if I did this post incorrectly.


Edited by cenekis, 31 October 2017 - 06:30 PM.




#2 buddy215 (Moderator, 13,196 posts, West Tennessee)

Posted 01 November 2017 - 11:24 AM

Reformatting the HDD and reinstalling a legit Windows OS would remove any malware that was present on the HDD before doing that.

Other sources not affected by reformatting the internal HDD would be those connected externally, flash drives and routers.

 

What security programs have you installed?

 

  • Please download Security Check by glax24 and save the file to the Desktop
  • Run the tool by accepting all the Security prompts
  • When complete, the tool will produce a log file C:\SecurityCheck\SecurityCheck.txt and also copy the contents to the Clipboard
  • Simply Paste the log to your reply

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 cenekis (Topic Starter, Members, 17 posts)

Posted 01 November 2017 - 07:16 PM

Hello buddy215, thank you for your response.

 

I think it is something from my router, which is not secure at all. I tried using its firewall, but it seems worthless: it doesn't block anything, and when I make an exception from the WAN to block all connections, it gets deleted every time I restart the router to clean the connected IPs.

What I noticed is that there was some adware even on a clean install (probably coming from the router), which I got rid of by following some steps from another post, like cleaning temps before scanning, but it comes back all the time, or I think so.

Perhaps all these ads are coming from an infected DNS; I'm not sure.

 

Also, I had a trojan infection in the RAM as well some months ago, which I cured with Kaspersky Virus Removal Tool. (This infection survived reformatting, I think.)

 

Right now, as you can see in the log, I have Comodo Internet Security Free.

 

Here is the log:

 

SecurityCheck by glax24 & Severnyj v.1.4.0.53 [27.10.17]
WebSite: www.safezone.cc
DateLog: 02.11.2017 01:03:01
Path starting: C:\Users\cnxbm\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: cnxbm
VersionXML: 4.73is-27.10.2017
___________________________________________________________________________
 
Windows 10(6.3.16299) (x64) Core Release: 1709 Lang: Spanish(0C0A)
Installation date OS: 31.10.2017 06:14:21
LicenseStatus: Windows®, Core edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: Microsoft Edge (C:\Windows\system32\LaunchWinApp.exe)
SystemDrive: C: FS: [NTFS] Capacity: [111.3 Gb] Used: [29.3 Gb] Free: [82 Gb]
---------------------- [ AntiVirusFirewallInstall ] -----------------------
COMODO Internet Security Premium v.10.0.1.6294
Internet Security Essentials v.1.2.422025.92
Sophos Virus Removal Tool v.2.6.1
------------------------------- [ Browser ] -------------------------------
Comodo Dragon v.58.0.3029.115
Google Chrome v.62.0.3202.75
--------------------------- [ RunningProcess ] ----------------------------
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe v.62.0.3202.75
------------------ [ AntivirusFirewallProcessServices ] -------------------
COMODO Internet Security Helper Service (CmdAgent) - The service is running
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe v.10.0.1.6294
COMODO Virtual Service Manager (cmdvirth) - The service has stopped
C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe v.10.0.1.6294
C:\Program Files\COMODO\COMODO Internet Security\cis.exe v.10.0.1.6294
C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe v.10.0.1.6294
Servicio de Antivirus de Windows Defender (WinDefend) - The service has stopped
Servicio de inspección de red de Antivirus de Windows Defender (WdNisSvc) - The service has stopped
----------------------------- [ End of Log ] ------------------------------

Edited by cenekis, 01 November 2017 - 07:29 PM.
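As an added example, not part of the original thread and not code from SecurityCheck or any other tool named here, the Python below parses the two security sections of the log format shown in the post above and turns them into structured data: which products are registered, which services are running or stopped, and one finding a helper would want when reading such a log: whether a stopped Windows Defender service (WinDefend, WdNisSvc) is the expected state because a third-party product is registered, rather than a sign that something disabled it. The sample lines are copied from the log above; the section-header and service-line patterns are assumptions derived from that log, not a documented SecurityCheck format.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the two security-relevant sections of the SecurityCheck
# log posted in this thread (other sections are omitted for brevity).
SAMPLE_LOG = r"""
---------------------- [ AntiVirusFirewallInstall ] -----------------------
COMODO Internet Security Premium v.10.0.1.6294
Internet Security Essentials v.1.2.422025.92
Sophos Virus Removal Tool v.2.6.1
------------------ [ AntivirusFirewallProcessServices ] -------------------
COMODO Internet Security Helper Service (CmdAgent) - The service is running
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe v.10.0.1.6294
COMODO Virtual Service Manager (cmdvirth) - The service has stopped
Servicio de Antivirus de Windows Defender (WinDefend) - The service has stopped
Servicio de inspección de red de Antivirus de Windows Defender (WdNisSvc) - The service has stopped
----------------------------- [ End of Log ] ------------------------------
"""

# Assumed line shapes, derived from the log above rather than a published spec.
SECTION_RE = re.compile(r"^-+\s*\[\s*(?P<name>[^\]]+?)\s*\]\s*-+$")
SERVICE_RE = re.compile(
    r"^(?P<display>.+?) \((?P<service>[^()]+)\) - The service (?P<state>is running|has stopped)$"
)
DEFENDER_SERVICES = {"WinDefend", "WdNisSvc"}


@dataclass
class Triage:
    installed: list[str] = field(default_factory=list)      # product lines
    running: dict[str, str] = field(default_factory=dict)   # service -> display name
    stopped: dict[str, str] = field(default_factory=dict)
    findings: list[str] = field(default_factory=list)


def triage_securitycheck(text: str) -> Triage:
    """Parse the AV/firewall sections of a SecurityCheck log and add findings."""
    t = Triage()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "AntiVirusFirewallInstall":
            t.installed.append(line)
        elif section == "AntivirusFirewallProcessServices":
            m = SERVICE_RE.match(line)
            if m:  # executable path lines do not match and are skipped
                bucket = t.running if m.group("state") == "is running" else t.stopped
                bucket[m.group("service")] = m.group("display")

    # Windows 10 turns Defender's real-time protection off once another AV
    # registers itself, so a stopped WinDefend next to a third-party product is
    # the expected state, not evidence that malware disabled it.
    third_party = [p for p in t.installed if "windows defender" not in p.lower()]
    stopped_defender = sorted(DEFENDER_SERVICES & set(t.stopped))
    if stopped_defender and third_party:
        t.findings.append(
            f"{', '.join(stopped_defender)} stopped: expected while "
            f"a third-party product is registered ({third_party[0]})"
        )
    elif stopped_defender:
        t.findings.append(
            f"{', '.join(stopped_defender)} stopped with no third-party product registered: investigate"
        )
    if not t.running:
        t.findings.append("no security service is running: investigate")
    return t


if __name__ == "__main__":
    result = triage_securitycheck(SAMPLE_LOG)
    print("installed:", result.installed)
    print("running:", result.running)
    print("stopped:", result.stopped)
    for finding in result.findings:
        print("finding:", finding)
```

On the log above this reports one finding: both Defender services are stopped while COMODO Internet Security is registered, which is the normal Windows behaviour when a third-party AV is installed. A stopped WinDefend with no other product in the install list would be the case worth investigating.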


#4 buddy215 (Moderator)

Posted 01 November 2017 - 07:42 PM

Resetting the router will remove any problems. Just be sure to change the default password to one of your own. Check to be sure the router's firewall is activated and disable remote connection to the router.

 

Uninstall Comodo Dragon v.58.0.3029.115

 

Look in your list of installed programs for Geek Buddy and uninstall if found.

 

Run a scan using AdwCleaner. If nothing is found you are good to go.

Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

If you don't have an ad blocker installed in Chrome I suggest doing that and using Adblock Plus. Once installed, click on the ABP icon and choose Filter preferences. Then UNcheck the box next to Accept some non-intrusive advertisements.

Adblock Plus - Chrome Web Store

 

You can block the ad and advertising cookies...also known as Third Party cookies from installing. Once blocked...run CCleaner to remove the existing ones. How to disable third-party cookies in all major web browsers

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download



#5 cenekis (Topic Starter)

Posted 01 November 2017 - 08:30 PM

Thank you for such quick response.

 

I have done all of the above and will tell you how it goes.

I'm not really worried about the ads (even though they are very intrusive); the thing is that I play online and it affects my internet connection (it causes a huge latency spike when I'm listening to YouTube while playing; this wasn't happening before).

 

Adwcleaner came back clean.



#6 cenekis (Topic Starter)

Posted 02 November 2017 - 03:04 AM

Hello again and sorry for double post.

 

The ads and latency spikes are gone. However, I noticed that using Edge to post here causes the spacebar to not work; Chrome works fine.

Do you know why this happens?

Also, these ads I had were really dangerous. They were still there even after many clean installs. Is it safe? Is there another way than to block them?

 

Anyways big thanks to you and to this forum. Really great work.


Edited by cenekis, 02 November 2017 - 03:14 AM.


#7 buddy215 (Moderator)

Posted 02 November 2017 - 04:42 AM

I'm not a Windows 10 user so if you are having a problem with Edge...which many do...I suggest you ask about it in the Windows 10 Forum....Windows 10 Support

 

Best I can advise is to give Adblock Plus a try and block the Third party cookies. You can always disable Adblock Plus for any reason. You can easily allow ads on a game if that is necessary to play the game by clicking on the ABP icon and choosing to Disable.

 

You're welcome....happy surfin'



#8 cenekis (Topic Starter)

Posted 02 November 2017 - 05:50 PM

Hello again. I'm gonna bother you with one more thing.

 

Should I make another post about these ads if they keep appearing? Where do I post it?

For now the ads are gone, but I feel they can come back. Since the infections I'm not sure at all about my security.

Also no more threats on my downloads.

 

Thank you.

 

Edit: The ads came back after a while.

CCleaner skips the cleaning of cookies, so I ran an antispyware tool and it detected a bunch of adware tracking cookies. After that I ran AdwCleaner and it detected a PUP. Now the problems with Edge are gone, but these cookies always come back.

Hope you can help me with this and sorry for taking your time.


Edited by cenekis, 02 November 2017 - 10:30 PM.


#9 buddy215 (Moderator)

Posted 03 November 2017 - 04:17 AM

I gave you a link to How to Disable Third Party Cookies. You need to do that in both Edge and Chrome browsers.

Here it is again. Edge is the browser mentioned in this link: How to disable third-party cookies in all major web browsers

 

You can install Adblock Plus in Edge. Adblock Plus for Edge browser

 

What was the PUP that AdwCleaner removed?

 

You must have UNchecked the box next to Cookies in CCleaner because it will remove cookies. But until you block the install of those Third Party cookies they will come back as soon as you go to a website.

 

PUPs get installed when downloading free stuff such as games, movies, music, browser extensions, apps and free programs.



#10 cenekis (Topic Starter)

Posted 03 November 2017 - 05:30 PM

Hello again and sorry for late reply.

 

I did what you said about third-party cookies and installed Adblock Plus; however, when I disable Adblock Plus the malicious ads are still there, even when I clean all the cookies.

I want healthy ads; they can be useful.

 

The PUP AdwCleaner removed was this, taken from the log:

This PUP seems persistent; it's always located in that place but with different webpage names.

 
***** [ Registry ] *****
 
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\azlyrics.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.azlyrics.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\azlyrics.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.azlyrics.com
 
By the way, I have some items in AdwCleaner quarantine (probably cookies, with names like "6gHKj6J9kl"); what do I do with them? Delete them?
 
Again, sorry if I wasn't clear at all; I need to improve my English.
 
Edit: I went directly to the registry where AdwCleaner detected the PUP and deleted suspicious and unknown entries AdwCleaner wasn't detecting. Is that alright?
So far Edge works fast again.
I will tell you if these ads are still there after a while.
 
Again, thank you for your tips.
 
Edit 2: The ads are still there, Jesus... at least Edge works fine now...

Edited by cenekis, 03 November 2017 - 06:12 PM.
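As an added example, not part of the original thread and not AdwCleaner's own code, the Python below parses registry lines in the shape quoted in the post above and sorts each detection by what the key actually is. The four keys AdwCleaner flagged sit under Edge's AppContainer storage in `...\Internet Explorer\DOMStorage\<site>` and `...\EdpDomStorage\<site>`, which is the browser's per-site DOM storage for the named website; a key there is recreated whenever that site is visited, which is why it reappears, but it is not an autostart location. The two real lines are copied from the post; the third line, its detection name `PUP.Optional.Hypothetical` and the value `ExampleUpdater` are constructed to show what a genuine autostart entry in the same format would look like. The line pattern and the category rules are assumptions, not AdwCleaner's documented behaviour.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Two lines copied from the AdwCleaner registry section quoted in this post,
# plus one constructed line (hypothetical detection name and value) that
# shows what a genuine autostart entry would look like in the same format.
SAMPLE_LINES = r"""
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\azlyrics.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.azlyrics.com
PUP.Optional.Hypothetical, [Value] - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater
"""

# Assumed shape of an AdwCleaner registry line: "<detection>, [Key|Value] - <hive>\<path>"
LINE_RE = re.compile(r"^(?P<name>[^,]+), \[(?P<kind>Key|Value)\] - (?P<hive>HK[A-Z_]+)\\(?P<path>.+)$")

# Edge's per-site DOM storage lives under its AppContainer storage key; the
# last path component is the site that wrote the data.
EDGE_SITE_STORAGE_RE = re.compile(
    r"\\AppContainer\\Storage\\microsoft\.microsoftedge_8wekyb3d8bbwe\\.*\\(?:Edp)?DOMStorage\\(?P<site>[^\\]+)$",
    re.IGNORECASE,
)

# Registry locations that launch code at logon or boot (lower-cased, leading backslash).
AUTOSTART_MARKERS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
    "\\software\\microsoft\\windows nt\\currentversion\\winlogon\\",
    "\\system\\currentcontrolset\\services\\",
)


@dataclass(frozen=True)
class Detection:
    name: str
    kind: str
    hive: str
    path: str
    category: str          # "browser-site-storage", "autostart" or "other"
    site: str | None = None


def classify(line: str) -> Detection | None:
    """Parse one AdwCleaner registry line and say what kind of key it points at."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name, kind, hive, path = m.group("name", "kind", "hive", "path")
    s = EDGE_SITE_STORAGE_RE.search(path)
    if s:
        return Detection(name, kind, hive, path, "browser-site-storage", s.group("site"))
    if any(marker in "\\" + path.lower() for marker in AUTOSTART_MARKERS):
        return Detection(name, kind, hive, path, "autostart")
    return Detection(name, kind, hive, path, "other")


def triage(log_text: str) -> dict[str, list[Detection]]:
    """Group every parsable registry line by category."""
    groups: dict[str, list[Detection]] = {"browser-site-storage": [], "autostart": [], "other": []}
    for line in log_text.splitlines():
        d = classify(line)
        if d is not None:
            groups[d.category].append(d)
    return groups


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LINES).items():
        for d in items:
            where = f" (site: {d.site})" if d.site else ""
            print(f"{category:<20} {d.name} -> {d.hive}\\{d.path}{where}")
```

Run against the sample, the two quoted keys land in `browser-site-storage` for azlyrics.com and www.azlyrics.com, and only the constructed Run value lands in `autostart`. When reading an AdwCleaner log, the `autostart` bucket is the one that says whether something is configured to run on its own; site storage entries only say which sites the browser has visited.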


#11 buddy215 (Moderator)

Posted 03 November 2017 - 06:19 PM

Adblock Plus will block ads from known legitimate ad purveyors. So, you need to keep it on unless a game or some other site won't show content without allowing ads. I tend to stay away from sites that insist on showing a LOT of ads.

 

Rerun AdwCleaner and when scan finishes be sure to click on Clean. Reboot if it asks you to in order to delete or quarantine what it finds.

 

I suggest you run a scan using Malwarebytes, too.

 

  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update his database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run, the time required to complete the scan depends of your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply


#12 cenekis (Topic Starter)

Posted 03 November 2017 - 07:27 PM

Hello.

 

So you're telling me these ads are normal? Even on Google search results?

The ads I'm worried about are coming from Twitter, and it's the same ads over and over.

When I restart the router they're gone for a while, but they come back.

 

I reran AdwCleaner and pressed Clean.

 

Malwarebytes was clean. The log was in Spanish, but it was clean.

 

This makes me think maybe my router doesn't have security and I need a stronger one.

Weeks ago I installed AVG antivirus and it detected a vulnerability on my router; could this be the cause?


Edited by cenekis, 03 November 2017 - 07:29 PM.


#13 buddy215 (Moderator)

Posted 03 November 2017 - 07:36 PM

If Adblock Plus is blocking the ads when active...then yes...the ads are legit and not from adware or malware.

 

Do you reset the router every day? If so, are you securing the router as I described earlier?

QUOTE earlier post:

Resetting the router will remove any problems. Just be sure to change the default password to one of your own. Check to be sure the router's firewall is activated and disable remote connection to the router.

 

If you want to...give me a link to a website that you are seeing ads on that you think are suspicious...bad ads. I will check to compare the ads I see to the ones you see.



#14 cenekis (Topic Starter)

Posted 03 November 2017 - 07:46 PM

Yes, the ads are being blocked with Adblock Plus; however, I find some of these ads malicious (scams or so).

 

I reset the router every time I see the same ad.

And yes, I make sure the firewall is on, I changed the password and user, and remote management is not listed in my router configuration.

 

Do I post here the links of the ads? Or privately?

 

Will do when they appear again.

 

Edit: Just to let you know, after pressing Clean in AdwCleaner and resetting Internet Explorer settings to default, the malicious ads seem to be gone.

 

But could you leave this topic open? Just in case something happens.


Edited by cenekis, 03 November 2017 - 08:07 PM.


#15 cenekis (Topic Starter)

Posted 03 November 2017 - 08:34 PM

Hello buddy215.

 

I've sent to you the ad link.

 

Some more info I could give is that when I ran Autoruns it detected a trojan (win32:trojan.wisdomeyes) in the Kaspersky installation, and also some other infected files, as virustotal.com says.

 

That's why I stated at first it could be a rootkit, because that trojan stays there even on an installation from an original Windows CD and it takes control over Windows Update.

 

I'm gonna try to reinstall again from the CD.

 

I can't paste the VirusTotal link here, and also I can't install Chrome after reinstallation of Windows.


Edited by cenekis, 03 November 2017 - 10:27 PM.




