
malware- could not be diagnosed at bleepingcomputer.com



Hi, my laptop has been infected through Skype. I sought help at BLEEPINGCOMPUTER.COM and I was helped, yet he could not solve the issue fully. For a detailed overview of what my issue is and what had happened after that, please take a look at (many thanks for your patience):

http://www.bleepingcomputer.com/forums/t/630794/got-infected-through-skype/

http://www.bleepingcomputer.com/forums/t/631260/logs-got-infected-through-skype/

Since the topics had been locked, and the person who was helping me was out of options (which he conveyed directly), I tried to investigate further as to what type of infection it could be. I installed System Explorer from systemexplorer.net. From that, I found out that whenever Google Chrome starts, 2 cmd.exe processes load into memory - one piggybacked onto my AV's browser extension for Chrome "360 Internet Protection" and the other cmd loads through "LastPass for Chrome". If I disable these 2 extensions, the cmd processes stop running, and if I enable these 2 extensions, the 2 cmd processes start running. One of them has the following parameter:

C:\Windows\system32\DllHost.exe /Processid:{53362C64-A296-4F2D-A2F8-FD984D08340B}

The other has this parameter:

C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\LastPass\nplastpass.exe" --parent-window=0 chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/ < \\.\pipe\chrome.nativeMessaging.in.c399b4121a0bed8f > \\.\pipe\chrome.nativeMessaging.out.c399b4121a0bed8f

where the random string of characters varies from one browsing session to another. So my hunch is that the hacker is trying to record my online activity using the trusted file, cmd.exe. The module details of the 2nd cmd process are attached as a screenshot.

I tried to clean the infection by installing Immunet 5, but it did not detect it either. I ran SFC to find out whether the infection had corrupted any system files. It returned that some files had been corrupted but were successfully repaired.

I am even ready to re-install Windows, PROVIDED the malware WON'T re-infect the new Windows installation. What should I do now? Or should I try to scan my laptop using any AV's recovery disc USB? Or use ComboFix under guidance? Somebody please help me. :'(

Please find attached FRST.txt and Addition.txt.

Untitled3.png

Addition.txt

FRST.txt
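The second command line quoted in the post above has the exact shape Chrome on Windows uses to start a native messaging host: cmd.exe /c runs the registered host binary, the calling extension's origin is passed as the last positional argument, and the host's stdin and stdout are redirected to a pair of chrome.nativeMessaging named pipes whose hex id changes per launch. The script below is an added triage example, not code from this thread, from LastPass or from any of the tools named here; it parses such a command line and checks it against the native messaging host manifests the browser would have consulted (on Windows the manifest file paths are registered under HKCU\Software\Google\Chrome\NativeMessagingHosts\<name> or the HKLM equivalent; reading the registry is left to the caller). The manifest content, the host name com.example.passwordmanager and the two counter-example lines are constructed for the example, and C:\Windows\System32 as the location of the genuine cmd.exe is an assumption. The DllHost.exe line is a different mechanism and is not covered here.

```python
"""Triage helper: does a cmd.exe launched under Chrome match a registered native
messaging host?  Added example; the manifest data below is constructed."""
import ntpath
import re

# Shape of the launch line Chrome on Windows uses for a native messaging host:
#   cmd.exe /c "<host>" [host args] chrome-extension://<id>/ < \\.\pipe\...in.<hex> > \\.\pipe\...out.<hex>
LAUNCH_RE = re.compile(
    r'^(?P<cmd>.*?\\cmd\.exe)\s+/c\s+"(?P<host>[^"]+)"'
    r'(?P<args>.*?)\s+(?P<origin>chrome-extension://[a-p]{32}/)'
    r'\s*<\s*(?P<pipe_in>\\\\\.\\pipe\\chrome\.nativeMessaging\.in\.(?P<id_in>[0-9a-f]+))'
    r'\s*>\s*(?P<pipe_out>\\\\\.\\pipe\\chrome\.nativeMessaging\.out\.(?P<id_out>[0-9a-f]+))\s*$',
    re.IGNORECASE,
)

# Assumed location of the genuine cmd.exe (the thread's line shows C:\Windows\system32).
SYSTEM_CMD = r"C:\Windows\System32\cmd.exe"

# Constructed manifests, in the form Chrome loads them from the files named under
# HKCU\Software\Google\Chrome\NativeMessagingHosts\<name> (or the HKLM key).
# The host name is invented; the path and extension id are the ones in the thread.
SAMPLE_MANIFESTS = {
    "com.example.passwordmanager": {
        "name": "com.example.passwordmanager",
        "path": r"C:\Program Files (x86)\LastPass\nplastpass.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/"],
    },
}


def parse_launch(cmdline):
    """Split a native messaging launch line into its parts; None if it is not one."""
    m = LAUNCH_RE.match(cmdline.strip())
    if m is None:
        return None
    parts = m.groupdict()
    parts["args"] = parts["args"].strip()
    return parts


def _same_path(a, b):
    # Windows paths: compare case-insensitively with separators normalised.
    return ntpath.normcase(ntpath.normpath(a)) == ntpath.normcase(ntpath.normpath(b))


def check_launch(cmdline, manifests, system_cmd=SYSTEM_CMD):
    """Return a list of findings; an empty list means the launch is consistent with a registered host."""
    parts = parse_launch(cmdline)
    if parts is None:
        return ["command line does not have Chrome's native messaging launch shape"]
    findings = []
    if not _same_path(parts["cmd"], system_cmd):
        findings.append(f"cmd.exe is not the System32 copy: {parts['cmd']}")
    if parts["id_in"].lower() != parts["id_out"].lower():
        findings.append("in/out pipe ids differ; Chrome uses one id for both pipes")
    host, origin = parts["host"], parts["origin"]
    matches = [m for m in manifests.values() if _same_path(m.get("path", ""), host)]
    if not matches:
        findings.append(f"host {host} is not registered in any native messaging manifest")
        return findings
    for m in matches:
        if m.get("type") != "stdio":
            findings.append(f"manifest {m['name']} has type {m.get('type')!r}, expected 'stdio'")
        if origin.lower() not in (o.lower() for o in m.get("allowed_origins", [])):
            findings.append(f"{origin} is not in allowed_origins of manifest {m['name']}")
    return findings


# The second cmd.exe line from the thread, verbatim.
THREAD_LINE = (r'C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\LastPass\nplastpass.exe" '
               r'--parent-window=0 chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/ '
               r'< \\.\pipe\chrome.nativeMessaging.in.c399b4121a0bed8f '
               r'> \\.\pipe\chrome.nativeMessaging.out.c399b4121a0bed8f')

# Constructed counter-examples: same shape, but the host is unregistered, or the
# extension id (32 letters a-p, invented) is not one the host allows.
UNREGISTERED_LINE = THREAD_LINE.replace(r"C:\Program Files (x86)\LastPass\nplastpass.exe",
                                        r"C:\Users\Public\unknownhost.exe")
OTHER_ORIGIN_LINE = THREAD_LINE.replace("hdokiejnpimakedhajhdlcegeplioahd",
                                        "abcdefghijklmnopabcdefghijklmnop")

if __name__ == "__main__":
    for label, line in [("thread", THREAD_LINE), ("unregistered", UNREGISTERED_LINE),
                        ("other origin", OTHER_ORIGIN_LINE)]:
        print(label, "->", check_launch(line, SAMPLE_MANIFESTS) or "consistent with registered host")
```

The useful signal is not that cmd.exe runs under Chrome, which is the normal launcher for every native messaging host on Windows, but whether the host path and extension origin on that command line agree with a manifest the browser is allowed to use; a launch whose host is unregistered, whose origin is absent from allowed_origins, or whose cmd.exe is not the System32 copy is what deserves a closer look.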

  • Root Admin

Since it appears to only be on Chrome (not my favorite browser) let's do a 100% clean removal of Chrome. Then once we're certain things are okay we'll reinstall Chrome.

You can keep your “Bookmarks” if you want to keep them, but you have to export them first – >> Export Bookmarks << – Everything else should be removed.

Then I need you to go to >> Google Sync << and sign into your account.

  1. Open your Google Dashboard. Make sure you are signed in to your Google Account.
  2. Click Reset sync to stop syncing and clear all of your synced data.
  3. Click OK.

At the prompt click on Ok.

Reset Your Browser Settings

  1. In the top-right corner of the browser window, click the “Chrome Menu” icon (Three horizontal lines)
  2. Select Settings.
  3. At the bottom, click Show advanced settings…
  4. Scroll down until you see “Reset settings”, Then click on the button Reset Settings.
  5. In the dialog that appears, click Reset.

Close Chrome

Next,

On your computer, close all Chrome windows and tabs.

  1. Open the Control Panel:
    • Windows 7 & Vista: Click the Start menu and then Control Panel.
  2. Click Uninstall a program or Programs and Features.
  3. Double-click Google Chrome.
  4. To delete your profile information, like bookmarks and history, check "Also delete your browsing data."
  5. Click Uninstall.

DO NOT reinstall Chrome until I ask you to.

Please restart your computer.

Next,

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

Now restart the computer one more time and run FRST again and post back the new logs as attachments. Make sure you place a check mark in the Additions.txt check box.

Thanks

 

Link to post
Share on other sites

I did as per your instructions. TFC did not ask for a reboot, but I rebooted to be on the safe side. I have not re-installed Chrome. I have attached the logs of TFC and FRST. After uninstalling Chrome, IE opened automatically asking for Google's feedback. At that time IE displayed a message: Untitled4.png

I clicked on "fix settings for me" but it did not respond. I then closed IE. Now I am posting here using Cyberfox.

tfc.txt

Addition.txt

FRST.txt

  • Root Admin


Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks
  • Root Admin

Please run the following scan and post back the log.


Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below, please see the following:
MBAM Clean Removal Process 2x
When reinstalling the program, please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.


The full system scan is over. It found some PUPs and removed them. But there are some problems still:

1. I can't remove the USB drives using the Safely Remove method because Windows shows that the disk is in use, even though they are not. So I have to shut down the PC every time before unplugging them. So I tried the software from http://safelyremove.com/ but even that can't stop whatever process is running and shows the following screen: usb cant remove.png

  • Root Admin

Well, those are other issues, not related to what we were working on. USB drives not disconnecting properly is the bane of Windows. There are probably 1/2 million posts on the Web about such behavior.

There are many sites with ideas on how to deal with it. It happens to me from time to time as well, and I have a couple of pretty new systems. I know that nothing I'm doing on purpose is writing to the disks, so I pull the cable out if it won't eject. I've never had an issue myself.

As for Immunet, sorry but I've never used the product so I don't know how it works or what it's flagging.

How is the main issue you came here for? Has it been removed?

Hi sir, bad news: I installed Chrome. Then I installed the 360-AV's browser extension. Immediately a cmd process started in the Task Manager and there was a popup from my AV asking whether to allow it. I did nothing, so it got blocked by default. I closed Chrome. The next time I started Chrome, the same thing happened.

cmd in chrome.png

To check whether the same behavior happens, I installed Vivaldi, another browser based on Chromium, and then installed my AV's browser extension. The same thing happened here too. So the inference is that it affects all Chromium-based browsers. Then when I disable the extension in Chrome, the cmd process terminates. The funny thing is that when I re-enable the extension in CHROME, the cmd process again starts and tries to affect the 360-AV extension in VIVALDI too, even when VIVALDI is not running.

cmd in vivaldi.png

I.e., every time I enable the extension in CHROME (NOT VIVALDI), I get this warning that the cmd process is trying to infect VIVALDI:

cmd in vivaldi2.png

If the cmd process is blocked by my AV, the cmd process terminates in the Task Manager.

(Sorry about the many screenshots, just because a picture can speak much more than a thousand words.)

This was how things were too, the last time when I re-installed Chrome. First this behavior was exhibited only with the 360-AV's extension. Then after some days another cmd process that started running with LastPass's extension for Chrome started appearing. That was when I sought help here. If the only option left is repaving my Windows installation, I am ready to do that too, PROVIDED the infection won't return.

Waiting for your guidance, thank you.

UPDATE: The cmd process occurs for LASTPASS too when its NATIVE MESSAGING feature in the binary component of LASTPASS is activated. I emailed LASTPASS.COM support about this as follows:

SUBJECT: cmd.exe runs with lastpass for chrome

Hi, I am using Windows 7 Home Premium 64-bit edition. I have installed LastPass in my Windows for managing passwords in all my browsers. But every time I run my Chrome 64-bit browser, a cmd.exe process runs. It does not run if the LastPass Chrome extension is disabled. Is this normal, i.e., does the LastPass extension for Chrome use a cmd process to run every time? If it is abnormal I should consult a malware removal expert. Thanks in advance.

And here is what they replied:

Hello, Thank you for reaching LastPass Support! We are happy to assist you!

Please remove or uninstall your LastPass extension completely on your device (https://helpdesk.lastpass.com/uninstalling-deleting-lastpass/) and reinstall it again using our universal installer here https://lastpass.com/dl

Please test the issue again. Thank you. Regards.

  • Root Admin

Not really sure what to tell you Anniyan, aside from don't use 360-AV. There are dozens of other great antivirus applications out there. I'm just skeptical about their product myself, but your choice.

The computer is not infected, and runs fine without these other add-ons so it's obviously related to them and not the overall computer.

Unless there is something else I think we've proved the computer is not infected and that your use of specific products are the cause. Either switch products or contact their support departments to work on correcting.

Thanks

Ron

The main reason I use 360-AV is that it has 5 engines including Bitdefender and Avira, unlike other AV products. Anyways, this is not the right place for me to talk about it. I have been using 360-AV and LastPass for ages but never had this issue. But I am really thankful to you for everything. :) The next option I have is to re-install Windows and see if the symptom persists. Any suggestion is most welcome :).
  • Root Admin

At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if run at the wrong time.
They are often updated daily so if you went to use them again in the future they would be outdated anyways.

The following procedures will implement some cleanup procedures to remove these tools.

Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot


Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
I.e.: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc.... AdwCleaner > just run the program and click uninstall.


 
If there are any other left over Folders, Files, Logs then you can delete them on your own.
Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis I advise not using Java if possible, but at least disable Java in your web browsers:
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.


If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.
  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
  • Root Admin

Follow-up comment from user concerning the CMD.exe process from LastPass

Quote

I contacted LastPass support and they have replied that it is normal for cmd.exe to run when the LastPass binary component for Google Chrome is running, so as to enable native messaging (see https://lastpass.com/my.php?token=LXJRVYY2NPTQ). I am hereby sharing this info with you, sir, so that it may help others. Thanks a lot.

This topic is now closed to further replies.