Self Replicating Virus

[Kryptico]

Hello,

 

I have seen a lot of good posts on here resolving the same type of issue but with older versions of Windows. I am using Windows 10 Pro and I just would like some help tailored for me.

I became infected while trying to download a serial to usb driver online. (sneaky viruses) I know because it was constantly running adware through the speakers and hijacking my browser for ads as well. I could tell as soon as it downloaded it was malicious. 

 

• I was not able to use windows defender so I went to regedit and reset the value for do not use antimalware.  Defender did not help.
• I attempted to download MBAM directly to infect laptop. Received an error, would not let me download
• Downloaded MBAM to usb drive and put on laptop, ran MBAM. Lots of malware, all deleted. Or so I thought. Still having issues.
• Tried emsisoft, problems persist.
• Ran RKill. Keeps shutting down a proxy server.

  • Active Proxy Server Detected

     * Proxy Disabled.
     * ProxyOverride value deleted.
     * ProxyServer value deleted.
     * AutoConfigURL value deleted.
     * Proxy settings were backed up to Registry file.

• Ran multiple programs multiple times, no malware detected, ads still running.

Hopefully this helps.

 

Thanks In Advance! Also I am starting to become really interested in cyber security after three days of trying to get at this virus so explanations and other reading materials are greatly appreciated.

 

R,

 

Cody

[TwinHeadedEagle]

Hello and

 

In order to help you and to see what is going on we need some reports from your computer.

 

If you're unable to download FRST tool from infected machine, you can download it and transfer from non-infected computer.

[Kryptico]

Attached are the FRST and Addition Files.

Addition.txt

FRST.txt

[TwinHeadedEagle]

 Fix with Farbar Recovery Scan Tool
 

 This fix was created for this user for use on that particular machine. 
 Running it on another one may cause damage and render the system unstable. 

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
 

• Right-click on  icon and select  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

fixlist.txt

[Kryptico]

Ok, Fixlog attached. Does this mean I am virus free? What was it?

Fixlog.txt

[TwinHeadedEagle]

It was malware called Dotdo --> https://blog.malwarebytes.org/cybercrime/2016/03/adware-pup-dotdo-fastinternet-blocks-security-related-domains/

Your PC should be clean now, but let's run MalwareBytes scan for non-active remnants cleanup.

 

 Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

• Install the progam and select update.
• Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
• In the same tab, under PUP and PUM detections make sure it is set to Treat detections as malware.
• Click the Scan tab, choose Threat Scan is checked and click Start Scan.
• If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
• Upon completion of the scan (or after the reboot), click the History tab.
• Click Application Logs and double-click the Scan Log.
• At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

[Kryptico]

Attached Log.

Scan Log MBAM.txt

[TwinHeadedEagle]

Very good. Is everything running fine now?

[Kryptico]

Yeah, so far so good. Thank you very much!! Is there anything else I need to do?

[TwinHeadedEagle]

No, this was everything:

 

Since there are no more problems, we can declare this PC clean

Now, we can proceed with post-cleanup procedures. Let's remove my tools and create a new, non infected restore point concurrently deleting old ones.

Step 1. - Creation of system restore point and tools removal.

Download DelFix by Xplode and save it to your desktop.

• Run the tool by right click on the icon and Run as administrator option.
• Make sure that these ones are checked:
  
  • Remove disinfection tools
  • Purge system restore
  • Reset system settings
    
  
  
• Push Run and wait until the tool completes his work.
• All tools we used should be gone. Tool will create an report for you (C:\DelFix.txt). I don't need it for review.
  

Tool deletes old system restore points and creates a fresh system restore point after cleaning.

Step 2. - Tips and tricks to keep your computer clean, safe and in a good shape.

Security tips - highly recommended reading:

• Simple and easy ways to keep your computer safe and secure on the Internet
  

Maintenance tips:

• Optimize Windows for better performance
  

Additional software that I personally use and install on all my clients devices:

• Malwarebytes' Anti-Malware(paid version highly recommended) - to scan your system from time to time in search for malware.
• Malwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.
• McShield - to prevent infections spread by removable media.
• Unchecky - to prevent from installing additional foistware, implemented in legitimate installations.
• CryptoPrevent - tool for protection against Cryptolocker and similar ransomware infections.
• Adblock - to surf the web without annoying ads!
• Qualys BrowserCheck - cloud service that scans your browsers and plugins to see if they’re all up-to-date.
  

My help is free for everybody.

If you're happy with the help provided and/or wish to show your appreciaton, please consider a donation:
Thank you!

Stay safe,
TwinHeadedEagle

[Kryptico]

New development, I am still having issues. I tried to download the link you supplied and I got a proxy server error. I did some searching and found a few things that I am unsure of.

The two files I found are called ceement and adxregistrator. I found the adxregistrator in my users>documents>add-in express. It looks suspicious because it elevates control and disables functions and enable some kind of stealth mode.

Also my chrome proxy settings are grayed out.

 

[TwinHeadedEagle]

Hmm, could be something left in registry that is locking down proxy settings.

Can you supply me with fresh FRST scan report?

[Kryptico]

Attached

FRST.txt

[Kryptico]

Also here is a copy of those suspicious files.

I know you know what you are doing but if anyone else is reading this, don't open the files attached please.

Copy of Ceement file.txt

Copy of adxregistrator.txt

[TwinHeadedEagle]

These files look legit. You can always scan them with VirusTotal to see if they are malicious.

 

 Fix with Farbar Recovery Scan Tool
 

 This fix was created for this user for use on that particular machine. 
 Running it on another one may cause damage and render the system unstable. 

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
 

• Right-click on  icon and select  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

fixlist.txt

[Kryptico]

Fixlog attached

Fixlog.txt

[TwinHeadedEagle]

Is should be fixed now? 

[Kryptico]

I still cannot go to bleepingcomputer to download the Delfix. I thought it could be that MBAM and Emsisoft were at odds so I uninstalled emsisoft. I will check for other virus programs but the ERR_PROXY_CONNECTION_FAILED is what keeps displaying on my chrome browser.

[TwinHeadedEagle]

Where are you starting Google Chrome from? This malware is creating Google Chrome shortcut with argument to apply proxy setting upon start.

 

Right click on Google Chrome shortcut, click Properties and make a picture of this window.

[Kryptico]

Think you are right

[TwinHeadedEagle]

Okay, please delete the part after " and press okay.

It should be like this now:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

 

[Kryptico]

Ok, done. I was able to download the Delfix program and ran it as instructed. Hopefully now I am safe? The computer is much faster and I haven't detected any more issues.

[TwinHeadedEagle]

Yes, you're good to go now.

[AdvancedSetup]

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!