
infected with malware and spyware


  • This topic is locked This topic is locked
6 replies to this topic

#1 Ashank123
  • Members
  • 3 posts

Posted 04 June 2018 - 08:26 PM

Hi All,

I have been infected by malware while I was browsing the internet the other day. It was a Fileshare virus that added a bunch of trojans, malware and Chrome extensions. I have since then used RKill to first kill the processes and done a full scan through Malwarebytes, HitmanPro and AdwCleaner. They all detected the viruses and it seemed that they successfully removed them as well.

I have since then been noticing my Chrome running slow. There is a "CampaignNotifier" extension that has been added to Chrome. I understand that this is malware, but haven't found any way to remove it. I suspect there are some left over traces of the trojan.

Can you please advise on step(s) to take to successfully clean out my system. I am running Windows 10 - 64 bit.

Kind regards,

Ashank





#2 nasdaq
  • Malware Response Team
  • 39,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 June 2018 - 09:10 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.
Click "Attach this file".
Click the "Add Reply" button.
===

Please post the logs for my review.
Wait for further instructions.

#3 nasdaq
  • Malware Response Team
  • 39,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 June 2018 - 07:30 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#4 Ashank123
  • Topic Starter
  • Members
  • 3 posts

Posted 13 June 2018 - 08:02 PM

Hi Nasdaq,

Thank you for your response. Please find attached the 2 files requested by you.

Please advise on the next step(s).

Kind regards,

Ashank

#5 nasdaq
  • Malware Response Team
  • 39,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 June 2018 - 08:21 AM

Hi,

ATTENTION: System Restore is disabled
Turn System Restore On for Drives in Windows 10
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
===

Remove this program in bold via the Control Panel > Programs > Programs and Features.
RevServicesX (HKLM\...\{D40DB1B9-77C6-4C5C-89BE-8F7250DFC3BB}) (Version: 4.0.5 - SystemaRev) Hidden
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
CHR HKU\S-1-5-21-2894285844-1511269298-3846055840-1001\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
SearchScopes: HKU\S-1-5-21-2894285844-1511269298-3846055840-1001 -> {C0C3A6C6-03BC-4195-8FCB-AEA091301353} URL =
CHR DefaultSearchURL: Default -> hxxps://defaultsearch.co/?q={searchTerms}
CHR DefaultSearchKeyword: Default -> Default Search
CHR HKLM-x32\...\Chrome\Extension: [nladljmabboanhihfkjacnnkgjhnokhj] - hxxps://clients2.google.com/service/update2/crx

Task: {1C100FAD-0A3A-400E-B260-D53C492415E0} - System32\Tasks\costanza => C:\Program Files (x86)\harrelson\harrelson.exe
Task: {3366360D-DC26-4801-86C7-C3C8EF161C1A} - System32\Tasks\kah => C:\Program Files (x86)\Brubaker\karajan.exe
Task: {35079F0A-9775-4DBE-B1D8-B82402C969C0} - System32\Tasks\kahkah => C:\Program Files (x86)\Brubaker\karajan.exe
Task: {88A6BFAD-42B4-4CB0-BFD5-04A4FD5F01FD} - System32\Tasks\ProcessMaker Plus Portable => C:\WINDOWS\system32\rundll32.exe "C:\Program Files\ProcessMaker Plus Portable\ProcessMaker Plus Portable.dll",jHyvyKUT <==== ATTENTION
Task: {CC56D71A-AA22-467B-A820-957EFEF52E8D} - System32\Tasks\costanzacostanza => C:\Program Files (x86)\harrelson\harrelson.exe
Task: {CF3DDBAA-73AE-42DD-9F29-5E065C4DF84C} - System32\Tasks\AutoKMS => C:\WINDOWS\AutoKMS\AutoKMS.exe

C:\Windows\System32\Tasks\costanza
C:\Program Files (x86)\harrelson
C:\Windows\System32\Tasks\kah
C:\Program Files (x86)\Brubaker
C:\Windows\System32\Tasks\kahkah
C:\Windows\System32\Tasks\ProcessMaker Plus Portable
C:\Program Files\ProcessMaker Plus Portable
C:\Windows\System32\Tasks\costanzacostanza
C:\Windows\System32\Tasks\AutoKMS
C:\WINDOWS\AutoKMS

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.
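
As an added example (not part of the thread or of FRST), the script below audits the same persistence location the fixlist above cleans, scheduled-task actions, from the defender's side: it lists tasks whose target is missing, is unsigned, or is launched through rundll32 with a "dll,Export" argument like the ProcessMaker task in the log. Assumptions: an elevated PowerShell 5.1 or later on Windows 10; the trusted roots and the heuristics are illustrative choices, not indicators from the thread.

```powershell
# Added example, not part of the thread: audit scheduled-task actions.
# Assumptions: elevated PowerShell 5.1+ on Windows 10; $trustedRoots and the
# heuristics below are illustrative, not indicators taken from the FRST log.
$trustedRoots = @("$env:windir\", "$env:ProgramFiles\Windows Defender\")

function Resolve-ActionPath {
    param([string]$Raw)
    # Task actions may be quoted and may reference environment variables
    return [Environment]::ExpandEnvironmentVariables($Raw.Trim()).Trim('"')
}

function Get-SuspiciousTaskActions {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = Resolve-ActionPath $action.Execute
            $why = @()

            # rundll32 with "<dll>,<export>" arguments, the pattern FRST flagged above
            if ($exe -match 'rundll32\.exe$' -and $action.Arguments -match '\.dll"?,') {
                $why += 'rundll32 loading a DLL export'
            }
            # Anything outside the trusted roots gets an existence and signature check
            $inTrusted = $trustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not $inTrusted) {
                if (-not (Test-Path -LiteralPath $exe)) {
                    $why += 'target missing (orphaned task)'
                } else {
                    $sig = Get-AuthenticodeSignature -LiteralPath $exe
                    if ($sig.Status -ne 'Valid') { $why += "Authenticode: $($sig.Status)" }
                }
            }
            if ($why) {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    Execute = $exe
                    Args    = $action.Arguments
                    Why     = ($why -join '; ')
                }
            }
        }
    }
}

# Review the table; an orphaned task (target missing) is what is left behind
# when a cleaner deletes the binary but not the task, as in the fixlist above.
Get-SuspiciousTaskActions | Sort-Object Task | Format-Table -AutoSize -Wrap
```

Unsigned third-party software will also show up here, so treat the output as a review list rather than a verdict.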

#6 Ashank123
  • Topic Starter
  • Members
  • 3 posts

Posted 14 June 2018 - 09:58 PM

Hi,

> Remove this program in bold via the Control Panel > Programs > Programs and Features.
> RevServicesX (HKLM\...\{D40DB1B9-77C6-4C5C-89BE-8F7250DFC3BB}) (Version: 4.0.5 - SystemaRev) Hidden
> ===
>
> Press the Windows key + R on your keyboard at the same time. This will open the Run box.
> Type Notepad and click the OK button.
>
> Please copy the entire contents of the code box below to a new file.
>
> Start
>
> CreateRestorePoint:
> EmptyTemp:
> CloseProcesses:
>
> HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
> CHR HKU\S-1-5-21-2894285844-1511269298-3846055840-1001\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
> HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
> SearchScopes: HKU\S-1-5-21-2894285844-1511269298-3846055840-1001 -> {C0C3A6C6-03BC-4195-8FCB-AEA091301353} URL =
> CHR DefaultSearchURL: Default -> hxxps://defaultsearch.co/?q={searchTerms}
> CHR DefaultSearchKeyword: Default -> Default Search
> CHR HKLM-x32\...\Chrome\Extension: [nladljmabboanhihfkjacnnkgjhnokhj] - hxxps://clients2.google.com/service/update2/crx
>
> Task: {1C100FAD-0A3A-400E-B260-D53C492415E0} - System32\Tasks\costanza => C:\Program Files (x86)\harrelson\harrelson.exe
> Task: {3366360D-DC26-4801-86C7-C3C8EF161C1A} - System32\Tasks\kah => C:\Program Files (x86)\Brubaker\karajan.exe
> Task: {35079F0A-9775-4DBE-B1D8-B82402C969C0} - System32\Tasks\kahkah => C:\Program Files (x86)\Brubaker\karajan.exe
> Task: {88A6BFAD-42B4-4CB0-BFD5-04A4FD5F01FD} - System32\Tasks\ProcessMaker Plus Portable => C:\WINDOWS\system32\rundll32.exe "C:\Program Files\ProcessMaker Plus Portable\ProcessMaker Plus Portable.dll",jHyvyKUT <==== ATTENTION
> Task: {CC56D71A-AA22-467B-A820-957EFEF52E8D} - System32\Tasks\costanzacostanza => C:\Program Files (x86)\harrelson\harrelson.exe
> Task: {CF3DDBAA-73AE-42DD-9F29-5E065C4DF84C} - System32\Tasks\AutoKMS => C:\WINDOWS\AutoKMS\AutoKMS.exe
>
> C:\Windows\System32\Tasks\costanza
> C:\Program Files (x86)\harrelson
> C:\Windows\System32\Tasks\kah
> C:\Program Files (x86)\Brubaker
> C:\Windows\System32\Tasks\kahkah
> C:\Windows\System32\Tasks\ProcessMaker Plus Portable
> C:\Program Files\ProcessMaker Plus Portable
> C:\Windows\System32\Tasks\costanzacostanza
> C:\Windows\System32\Tasks\AutoKMS
> C:\WINDOWS\AutoKMS
>
> End
> Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
> The location is listed in the 3rd line of the Farbar log you have submitted.
>
> Run FRST and click Fix only once and wait.
>
> The tool will create a log (Fixlog.txt); please post it in your reply.
>
> Please let me know what problem persists with this computer.


Hi Nasdaq,

Thank you for the response. I have turned on the system restore for windows and driver drive.

Regarding removing "RevServicesX", I did not find it in Control Panel > Programs > Programs and Features. Did you mean to remove it via FRST and the above script?

Please find attached the log from running the "Fix" option on FRST.

I haven't had any further malware or spyware threats for a few days. I suppose the traces are gone, but I am looking for your concurrence from the reports reviewed thus far.

Kind regards,

Ashank

#7 nasdaq
  • Malware Response Team
  • 39,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 June 2018 - 07:21 AM

Hi,

That was the only trace of that malware.
RevServicesX (HKLM\...\{D40DB1B9-77C6-4C5C-89BE-8F7250DFC3BB}) (Version: 4.0.5 - SystemaRev) Hidden

I suspect it's a remnant of an old infection that was removed.
The entry in the Registry is still around but not doing any harm.

It's probably listed in this registry key.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

If you want to delete it, follow the instructions on this page.
https://support.microsoft.com/en-ca/help/247501/how-to-manually-remove-programs-from-the-add-remove-programs-list

Make sure you export the key before proceeding.
===

Hi,

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===
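
As an added example (not part of the thread or of the linked Microsoft article), the script below does what the reply above describes: it finds the orphaned Uninstall entry by display name, exports the key with reg.exe first, and only then offers to delete it. FRST tags an entry "Hidden" when its SystemComponent value is set, which is also why Programs and Features never listed it for the poster. Assumptions: run as Administrator; "RevServicesX" is the display name taken from the poster's FRST log; the backup path on the Desktop is my choice.

```powershell
# Added example, not part of the thread: back up and remove an orphaned
# Uninstall entry. Assumes an elevated PowerShell; $DisplayName is the
# name from the poster's FRST log and the backup location is illustrative.
param([string]$DisplayName = 'RevServicesX')

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Collect candidate entries with the fields a reviewer wants to see first
$found = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty -LiteralPath $key.PSPath
        if ($p.DisplayName -like "*$DisplayName*") {
            [pscustomobject]@{
                Key         = $key.Name
                DisplayName = $p.DisplayName
                Publisher   = $p.Publisher
                Version     = $p.DisplayVersion
                Hidden      = ($p.SystemComponent -eq 1)   # hidden from Programs and Features
                Uninstall   = $p.UninstallString
                InstallDir  = $p.InstallLocation
            }
        }
    }
}
if (-not $found) { Write-Host "No Uninstall entry matching '$DisplayName'"; return }
$found | Format-List

foreach ($entry in $found) {
    # Export first, as the reply advises, so the deletion can be reverted
    $leaf   = (Split-Path $entry.Key -Leaf) -replace '[{}]', ''
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path ([Environment]::GetFolderPath('Desktop')) "uninstall-$leaf-$stamp.reg"
    reg.exe export $entry.Key $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of $($entry.Key) failed; leaving the key in place"
        continue
    }
    Write-Host "Exported $($entry.Key) to $backup"
    # -Confirm prompts before each key is deleted; double-click the .reg to restore
    Remove-Item -LiteralPath "Registry::$($entry.Key)" -Recurse -Confirm
}
```

If the InstallDir or UninstallString points at a folder that no longer exists, the entry is the kind of remnant the reply describes; if the folder is still there, check it before deleting only the registry entry.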