My kid caused multiple devices to be infected by visiting pornhub.


I'm really frustrated right now. My son's foolishness has introduced some kind of malware into our network from Pornhub, which I didn't know he visited. It's affecting his home PC and school Chromebook, and my daughter's home computer if not her school Chromebook, as well, and seems to have started from the Android phone he used to access the porn. I once cleaned a PC-hopping malware off of about a dozen computers (I was the IT admin), but that was a long time ago and I didn't have to deal with wifi devices.


I'm not sure what info you need. My PC and phone are, thus far, unaffected. I have no idea when or if it will. If it is affected, I will no longer be able to access Malwarebytes, Bleeping Computer, ESET Free Online Scanner and several other places. My son's Chromebook can't do anything after logging in because the Internet is blocked. His home PC still has some Internet access, but MB4.5 is unable to update, we cannot browse to this website, BC, download the ESET scanner, etc. YouTube is unaffected. I told them to take their Chromebooks and give them to the schools to make sure the malware isn't on them.

Her PC is an HP Pavilion laptop. His PC is the same one you helped him with in December, and it uses an ethernet cable to the router, as does mine, which you helped me with (possible keylogger - and it seems to be gone). His PC is now completely off - even the PSU. The Chromebooks and my daughter's laptop use wifi, as do the 2 Android and 1 Apple 6 phones. Only the Android phone that he used to access PornHub seems affected. There is an Android tablet, but I don't know where it is.

He and I still have our old laptops; they have been off the past 3 months.

Both his and his sister's PCs have MB4.5. I ran a full scan, including rootkits, on his PC but it found nothing.

Questions:

  1. What data do you need about the computers and phones?
  2. I have a 6TB backup HDD installed in my PC, with a substantial amount of irreplaceable data. Should I disconnect it in case my PC gets infected?
  3. I have no idea how to make sure that the malware isn't on the router and modem. Should I call Spectrum? I own the router, but the modem comes with the Internet service. I will turn them off tonight. I have free access to their antimalware offering, but that would obviously mean uninstalling MB, which doesn't seem safe given the infection.

Please advise. Thanks!


Hello @GlennM2 and welcome back:

Although your helper may wish to go in a different direction, I recommend you begin with your son's HP laptop.

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop; please upload that file in your next reply to this topic.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.


Good day, and thank you for the prompt response.

As stated previously: I own the router. The modem was provided by my ISP, so I guess Spectrum owns that.

In order to run MBST on the affected devices, I need to know the safest way to get them onto those devices, since I cannot browse to your website on them because it's blocked. Please advise on what to do to prevent carrying the malware from an affected device back to mine.


Edit: I ran speedtest.net and the download speed was 93Mbps, but it couldn't test the upload speed. On my son's Chromebook, which has already been repaired at school, it was 91 and 11.

mbst-grab-results.zip

Edited by GlennM2

  • Root Admin

It can be difficult to safely transfer from one computer to another. You're reliant on the antivirus of the system seeing and blocking any type of infection that may be on the USB disk.

You may be able to try resetting the HOSTS file back to default to try and stop blocking access to security websites. But, depending on the threat, you may want to keep the computer isolated from the Internet to prevent exfiltration of possible user data.

How to reset the Hosts file back to the default
https://support.microsoft.com/en-us/topic/how-to-reset-the-hosts-file-back-to-the-default-c2a43f9d-e176-c6f3-e4ef-3500277a6dae

You would want to ensure you have AutoRun and AutoPlay disabled so that inserting a USB does not automatically come up.

How to Disable AutoRun and AutoPlay for External Devices
https://www.lifewire.com/disable-autorun-on-a-pc-153344


The logs from this computer GAMII do not show any obvious signs of an infection.

It does show that all the networking is VMware. Is this a virtual installation of Windows on VMware?


I also see ESET was run on the system. Was that recent? Did it find anything?


What symptoms of an issue are you seeing on this computer?


Edited by AdvancedSetup
Updated information
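The HOSTS check suggested in the reply above, as an added example that is not part of the thread or of any Malwarebytes tool: a small Python audit that parses a Windows HOSTS file and flags active entries, in particular ones that pin security-vendor sites (the Malwarebytes, BleepingComputer and ESET domains named in this thread) to loopback or 0.0.0.0. The vendor list, the `.example.test` names and the sample file contents are constructed for the demonstration; on a real machine you would read `C:\Windows\System32\drivers\etc\hosts` instead.

```python
import ipaddress

# Vendor domains whose blocking is the symptom reported in this thread.
# Constructed watch list; extend with whatever your own tooling needs.
SECURITY_DOMAINS = ("malwarebytes.com", "bleepingcomputer.com", "eset.com")
LOCAL_NAMES = ("localhost", "localhost.localdomain", "broadcasthost")

def parse_hosts(text):
    """Yield (ip, hostname) for every active entry; comments and blanks are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                              # blank, comment-only or malformed
        ip, names = parts[0], parts[1:]
        for name in names:                        # one IP may map several names
            yield ip, name.lower()

def classify(ip, name, watch):
    """Reason a defender should look at this entry, or None if it is benign."""
    if any(name == d or name.endswith("." + d) for d in watch):
        return "security-site"                    # vendor site redirected or nulled
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"                        # first field is not an IP at all
    if name in LOCAL_NAMES:
        return None                               # localhost mappings are normal
    if addr.is_loopback or addr.is_unspecified:
        return "sinkholed"                        # name nulled to 127.x or 0.0.0.0
    return "non-default"                          # a stock Windows HOSTS has no active lines

def audit_hosts(text, watch=SECURITY_DOMAINS):
    """Return [(ip, hostname, reason)] for every entry worth reviewing, in file order."""
    findings = []
    for ip, name in parse_hosts(text):
        reason = classify(ip, name, watch)
        if reason:
            findings.append((ip, name, reason))
    return findings

# Constructed sample mirroring the symptom in the thread: security sites
# pinned to loopback or 0.0.0.0 so downloads and forum pages fail.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
127.0.0.1   www.malwarebytes.com        # constructed entry
0.0.0.0     forums.malwarebytes.com
0.0.0.0     www.bleepingcomputer.com
127.0.0.1   eset.com
0.0.0.0     telemetry.example.test
192.0.2.10  update.example.test         # constructed: redirected elsewhere
"""

if __name__ == "__main__":
    for ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{reason:13} {ip:12} {name}")
```

A clean file produces no findings; anything reported under `security-site` or `sinkholed` is what the Microsoft reset procedure linked above removes.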


Unfortunately, somehow my answers to your questions, as well as further information, became embedded in the quote of your previous message to me. Here it is again.

  • I am not running VMWare, and have not since you were helping me to get rid of the apparent keylogger. Should I uninstall it?
  • All devices, except the tablet I misplaced, were turned off overnight, including the router and modem.
  • ESET was run at your request during that same time period. It found nothing at that time.
  • As I said before, I do not have any problems on my system. I needed a starting point and, since it seemed like this computer was safe and could be used to disinfect other devices on my home network, I chose it.
  • My son just reported that about an hour after he got home his school Chromebook again started to have problems.
  • HOSTS is still in its default condition - I forgot to replace it with one of the ones recommended by experts - so there's nothing to do with it.
  • I was unable to download ESET on his computer - the malware is blocking it, and blocked parts of the ESET website.
  • As I said last night, MB 4.5 found nothing on his PC.
  • I forgot to mention last night that I ran SpywareBlaster. It said that some protections were disabled. I was able to get it to download updates, but getting it to apply the updates and turn on all protections required 3 attempts - this has never happened before.
  • I turned off autorun and autoplay on his PC and mine. I then copied MBST to my flashdisk, moved it to his PC, ran it, copied the zip folder to the flashdisk, moved it back to my PC, scanned the flashdisk with MB and checked the report with VirusTotal.com. The zipped folder is attached here.


The attached log, as you can now see, is from my son's PC.

Edit: I just uninstalled VMWare.

Edit: Over the past several days, there have been several incoming attacks on Acronis, all blocked by MB as far as I know.

Edited by GlennM2

  • Root Admin

Sorry about that. I didn't get an alert from the forum that you had replied.

Let me get a new set of Farbar logs for your system if it's unable to download ESET as you say - let's see if we can figure out why.


Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you


  • Root Admin

You have some Alternate Data Streams - rarely actually from infection, but can be.

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [136]
AlternateDataStreams: C:\Users\iregi\AppData\Local\Temp:$DATA [16]


This computer IDRM has multiple device drivers that are not installed that should be installed so that the computer functions properly.


==================== Faulty Device Manager Devices ============

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Device
Description: PCI Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Device
Description: PCI Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Network Controller
Description: Network Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: RAID Controller
Description: RAID Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Device
Description: PCI Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Device
Description: PCI Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


Otherwise, no obvious signs of infection.


FYI, the malware is using the network to jump from one computer to another. It has tried to get on mine but apparently not succeeded as I haven't yet had trouble. My kids' home PCs and Chromebooks sometimes work, sometimes have problems.

How can I isolate the malware so it can be removed? If it keeps jumping around, we won't be able to deal with it.

I'm unable to update my son's drivers because the Internet is blocked. Armoury Crate won't open, either, although Corsair iCUE was able to update...?!


  • Root Admin

Need logs from one of them. It very well could be Google itself if they've not cleaned and cleared the Google Sync.


Please follow the directions from the following topic for a more extensive article on cleaning Google Chrome

Resetting Google Chrome to clear unexpected issues

Thank you
