Jump to content

Reinfestation even after secure erase of hdd and replacing router.


Recommended Posts

So,  I foolishly tried a hacked piece of software.  I have some kind of terrible problem.  I did everything I can think of,  even booting to a USB with Parted Magic distro and choosing "Secure Erase"  option for my entire hdd. It took 3hours to complete. When finished, I installed Win10, a different os than before (Win7 originally). I also replaced my router with another I had.  

All seemed well until I tried to install Chrome. 

The install didn't fully complete because the Google home page never opened.  Instead I saw a "security alert" pop up and multiple things appear in Task Manager. 

 

The computer makes noises too,  from the speakers,  a kind of ticking. 

 

I'm afraid everything on my home network is ruined. 

 

The person behind this already tried to withdraw money from my bank. 

Please take a bit of pity on me and help me,  I can't even figure out what I'm dealing with.... 

Link to post
Share on other sites

Hello Gn2 and welcome to Malwarebytes,

Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Report tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....
Link to post
Share on other sites

Kevin: Thanks for the reply.  I don't have Windows installed any more, I've nuked the hdd for the second time.  

When I did,  I couldn't get to the desktop even before dozens of instances of weird programs would start and use all the resources. 

I could boot in safe mode but nothing I tried in safe mode "stuck" after a reboot. 

Link to post
Share on other sites

I'm going to try a *second *fresh install in 9 hours after the nuke is complete,  but I am really at my wits end.  I've already done a fresh install of Win10,  after Parted Magic "secure erase" using hdpharm (sp ?), and I had all the signs of an attack as soon as I tried to install Chrome.  

I don't even have a clue what I'm dealing with... Is it something some how left even after a secure erase?  Is it in my Google account?  My cable modem?  

Link to post
Share on other sites

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/27/18
Scan Time: 4:59 PM
Log File: f2b0a45c-7a4c-11e8-8c23-001d7d0d9ec0.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.374
Update Package Version: 1.0.5657
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: SERVER-PC\SERVER

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 263772
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 4 min, 36 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
This is on  a second computer, done in Safe Mode. I *think* its infected too, but I'm not completely sure.

Addition.txt

FRST.txt

Link to post
Share on other sites

What is happening with the initial PC you listed...?

For the second PC run the following, make intial FRST Fix from Safemode with NW:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Boot to Normal mode and run this:

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
     
  • Open Zemana AntiMalware again.
  • Click on user posted image icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.


Next,

Again from Normal mode:

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Let me see those logs from the second PC, also give me an update on the first PC...

Thank you,

Kevin..

 

fixlist.txt

Link to post
Share on other sites

Ok, done all you asked, but the last one needed a reboot to clean and I forgot to get the log before I did, so they're backwards in order.

 

I'm becoming convinced this was malware installed to Google/Chrome backups. I deleted all of my Chrome auto save stuff, and I'm going to abandon my old Gmail/Google account too. I can't believe Google would make such a vicious infection possible, I don't need any of their data gathering "features" and only ever really used them just because I was too lazy to turn them off...

All the stuff found on my "second" computer  has been there for years, as the files shown are all old stuff that I know I made myself.

SophosVirusRemovalTool.log

2018.06.28-07.31.47-i0-t92-d3.txt

Fixlog.txt

Edited by Gn2
Link to post
Share on other sites

I'm going to cautiously say, yes, they're both recovered. 

 

I wish now I hadn't panicked so badly and totally wiped the hdd of my first computer. I'm convinced it was all Google/Chrome based issue infection/re-infection.

I'm on my second reinstall of a whole different OS on this first computer, and so far, without Chrome installed, there are no signs of any re-infection. 
I'm still dumbfounded at Google/Chrome.

Last question, is there any way to know for sure what I was attacked with ? 

There were dozens of instances of a program identifying itself as Impersario.exe  in my TaskManager while the attack was taking place, that's the only thing I can clearly remember about it. 

Link to post
Share on other sites

Hiya Gn2,

Going off your explanation of what happened I believe your Chrome Browser was the problem, a nuke and repave of your hard drive with a fresh windows 10 install would not carry over the infection. Unfortunately reinstalling Chrome and resyncing has been seen many times to reintroduce an exploited account.

If you want to use Chrome again you will have to sign into your Google account from a different Browser and delete your "Synced" data. To me that is the only option that will ensure all exploitations are cleared. Personally I never use Chrome, I use Firefox and have done so for several years

Go to this link from different Browser: https://chrome.google.com/sync  and sign into your Google account. In the new window scroll "Reset Sync" that will remove all of your synced data from Googles servers...

For the second PC you can do the following to remove programs we may have used and reset system settings that may have been changed by Malware...

Uninstall Sophos AV and Zemana http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Also delete this folder if still present: C:\ProgramData\Sophos

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image

 

 

Edited by kevinf80
Changed link for Google sync data removal
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.