Jump to content

My kid caused multiple devices to be infected by visiting pornhub.


Recommended Posts

I'm really frustrated right now. My son's foolishness has introduced some kind of malware into our network from Pornhub, which I didn't know he visited. It's affecting his home PC and school Chromebook, and my daughter's home computer if not her school Chromebook, as well, and seems to have started from the Android phone he used to access the porn. I once cleaned a PC-hopping malware off of about a dozen computers (I was the IT admin), but that was a long time ago and I didn't have to deal with wifi devices.

 

I'm not sure what info you need. My PC and phone are, thus far, unaffected. I have no idea when or if it will. If it is affected, I will no longer be able to access Malwarebytes, Bleeping Computer, ESET Free Online Scanner and several other places. My son's Chromebook can't do anything after logging in because the Internet is blocked. His home PC still has some Internet access, but MB4.5 is unable to update, we cannot browse to this website, BC, download the ESET scanner, etc. YouTube is unaffected. I told them to take their Chromebooks and give them to the schools to make sure the malware isn't on them.

Her PC is an HP Pavilion laptop. His PC is the same one you helped him with in December, and it uses an ethernet cable to the router, as does mine, which you helped me with (possible keylogger - and it seems to be gone). His PC is now completely off  - even the PSU. The Chromebooks and my daughter's laptop use wifi, as do the 2 Android and 1 Apple 6 phones. Only the Android phone that he used to access PornHub seems affected. There is an Android tablet, but I don't know where it is.

He and I still have our old laptops; they have been off the past 3 months.

Both his and his sister's PCs have MB4.5. I ran a full scan, including rootkits, on his PC but it found nothing.

Questions:

  1. What data do you need about the computers and phones?
  2. I have a 6TB backup HDD installed in my PC, with a substantial amount of irreplacable data. Should I disconnect it in case my PC gets infected?
  3. I have no idea how to make sure that the malware isn't on the router and modem. Should I call Spectrum? I own the router, but the modem comes with the Internet service. I will turn them off tonight. I have free access to their antimalware offering, but that would obviously mean uninstalling MB, which doesn't seem safe given the infection.

Please advise. Thanks!

 

Link to post
Share on other sites

Hello @GlennM2 and welcome back:

Although your helper may wish to go in a different direction, I recommend you begin with your son's HP laptop.

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file in your next reply to this topic.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.

Link to post
Share on other sites

Good day, and thank you for the prompt response.

As stated previously: I own the router. The modem was provided by my ISP, so I guess Spectrum owns that.

In order to run MBST on the affected devices, I need to know the safest way to get them onto those devices, since I cannot browse to your website on them because it's blocked. Please advise on what to do to prevent carrying the malware from an affected device back to mine.

 

Edit: I ran speedtest.net and the download speed was 93Mbps, but it couldn't test the upload speed. On my son's Chromebook, which has already been repaired at school, it was 91 and 11.

mbst-grab-results.zip

Edited by GlennM2
  • Thanks 1
Link to post
Share on other sites

  • Root Admin

It can be difficult to safely transfer from one computer to another. You're reliant on the antivirus of the system seeing and blocking any type of infection that may be on the USB disk

You may be able try resetting the HOSTS file back to default to try and stop blocking access to security websites. But, depending on the threat you may want to keep the computer isolated from the Internet to prevent exfiltration of possible user data.

How to reset the Hosts file back to the default
https://support.microsoft.com/en-us/topic/how-to-reset-the-hosts-file-back-to-the-default-c2a43f9d-e176-c6f3-e4ef-3500277a6dae

You would want to ensure you have AutoRun and AutoPlay disabled so that inserting a USB does not automatically come up.

How to Disable AutoRun and AutoPlay for External Devices
https://www.lifewire.com/disable-autorun-on-a-pc-153344

 

The logs from this computer GAMII does not show any obvious signs of an infection

It does show that all the networking is VMware. Is this a virtual installation of Windows on VMware?

 

I also see ESET was run on the system. Was that recent? Did it find anything?

 

What symptoms of an issue are you seeing on this computer?

 

Edited by AdvancedSetup
Updated information
Link to post
Share on other sites

4 hours ago, AdvancedSetup said:

It can be difficult to safely transfer from one computer to another. You're reliant on the antivirus of the system seeing and blocking any type of infection that may be on the USB disk

You may be able try resetting the HOSTS file back to default to try and stop blocking access to security websites. But, depending on the threat you may want to keep the computer isolated from the Internet to prevent exfiltration of possible user data.

How to reset the Hosts file back to the default
https://support.microsoft.com/en-us/topic/how-to-reset-the-hosts-file-back-to-the-default-c2a43f9d-e176-c6f3-e4ef-3500277a6dae

You would want to ensure you have AutoRun and AutoPlay disabled so that inserting a USB does not automatically come up.

How to Disable AutoRun and AutoPlay for External Devices
https://www.lifewire.com/disable-autorun-on-a-pc-153344

[/quote]

The logs from this computer GAMII does not show any obvious signs of an infection

It does show that all the networking is VMware. Is this a virtual installation of Windows on VMware?

 

I also see ESET was run on the system. Was that recent? Did it find anything?

 

What symptoms of an issue are you seeing on this computer?

 

  • I am not running VMWare, and have not since you were helping me to get rid of the apparent keylogger. Should I uninstall it?
  • All devices, except the tablet I misplaced, were turned off overnight, including the router and modem.
  • ESET was run at your request during that same time period. It found nothing at that time.
  • As I said before, I do not have any problems on my system. I needed a starting point and, since it seemed like this computer was safe and could be used to disinfect other devices on my home network, I chose it.
  • My son justed reported that about an hour after he got home his school Chromebook again started to have problems.
  • HOSTS is still in its default condition - I forgot to replace it with one of the ones recommended by experts - so there's nothing to do with it.
  • I was unable to download ESET on his computer - the malware is blocking it, and blocked parts of the ESET website.
  • As I said last night, MB 4.5 found nothing on his PC.
  • I forgot to mention last night that I ran SpywareBlaster. It said that some protections were disabled. I was able to get it to download updates, but getting it to apply the updates and turn on all protections required 3 attempts - this has never happened before.
  • I turned off autorun and autoplay on his PC and mine. I then copied MBST to my flashdisk, moved it to his PC, ran it, copied the zip folder to the flashdisk, moved it back to my PC, scanned the flaskdisk with MB and checked the report with VirusTotal.com. The zipped folder is attached here.

mbst-grab-results.zip

Link to post
Share on other sites

Unfortunately, somehow my answers to your questions, as well as further information, became embedded in the quote of your previous message to me. Here it is again.

  • I am not running VMWare, and have not since you were helping me to get rid of the apparent keylogger. Should I uninstall it?
  • All devices, except the tablet I misplaced, were turned off overnight, including the router and modem.
  • ESET was run at your request during that same time period. It found nothing at that time.
  • As I said before, I do not have any problems on my system. I needed a starting point and, since it seemed like this computer was safe and could be used to disinfect other devices on my home network, I chose it.
  • My son justed reported that about an hour after he got home his school Chromebook again started to have problems.
  • HOSTS is still in its default condition - I forgot to replace it with one of the ones recommended by experts - so there's nothing to do with it.
  • I was unable to download ESET on his computer - the malware is blocking it, and blocked parts of the ESET website.
  • As I said last night, MB 4.5 found nothing on his PC.
  • I forgot to mention last night that I ran SpywareBlaster. It said that some protections were disabled. I was able to get it to download updates, but getting it to apply the updates and turn on all protections required 3 attempts - this has never happened before.
  • I turned off autorun and autoplay on his PC and mine. I then copied MBST to my flashdisk, moved it to his PC, ran it, copied the zip folder to the flashdisk, moved it back to my PC, scanned the flaskdisk with MB and checked the report with VirusTotal.com. The zipped folder is attached here.

 

The attached log, as you can now see, is from my son's PC.

Edit: I just uninstalled VMWare.

Edit: Over the past several days, there have been several incoming attacks on Acronis, all blocked by MB as far as I know.

Edited by GlennM2
Link to post
Share on other sites

  • Root Admin

Sorry about that. I didn't get an alert from the forum that you had replied.

Let me get a new set of Farbar logs for your system if it's unable to download ESET as you say - let's see if we can figure out why.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

You have some Alternate Data Streams - rarely actually from infection, but can be.

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [136]
AlternateDataStreams: C:\Users\iregi\AppData\Local\Temp:$DATA [16]

 

This computer IDRM  has multiple device drivers that are not installed that should be installed so that the computer functions properly.

 

 

==================== Faulty Device Manager Devices ============

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Device
Description: PCI Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Device
Description: PCI Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Network Controller
Description: Network Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: RAID Controller
Description: RAID Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Device
Description: PCI Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Device
Description: PCI Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

 

Otherwise, no obvious signs of infection

 

 

Link to post
Share on other sites

FYI, the malware is using the network to jump from one computer to another. It has tried to get on mine but apparently not succeeded as I haven't yet had trouble.  My kids home PCs and Chromebooks sometimes work, sometimes have problems.

How can I isolate the malware so it can be removed? If it keeps jumping around, we won't be able to deal with it.

I'm unable to update my son's drivers because the Internet is blocked. Armoury Crate won't open, either, although Corsair iCUE was able to update...?!

Link to post
Share on other sites

  • Root Admin

Need logs from one of them. It very well could be Google itself if they've not cleaned and cleared the Google Sync

 

Please follow the directions from the following topic for a more extensive article on cleaning Google Chrome

Resetting Google Chrome to clear unexpected issues
 

Thank you

 

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Yes, new Farbar logs. They will show if there are new Alternate Data Streams. They're typically easy to remove

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

Thank you for the logs @GlennM2

[ 1 ]

I would recommend you consider uninstalling Bonjour see errors below.

What exactly is mDNSResponder.exe? (Bonjour)

https://www.groovypost.com/howto/howto/what-is-mdnsresponder-exe-and-why-is-it-running/

MDNSResponder, also known as Bonjour, is Apple’s native zero-configuration networking process for Mac that was ported over to Windows and associated with MDNSNSP.DLL.  On a Mac or iOS device, this program is used for networking nearly everything.  On Windows, this process is only necessary for sharing libraries via iTunes and other Mac applications like the Apple TV that were ported to Windows.  Bonjour allows different computers running iTunes to communicate with each other regardless of network configuration, this is because it enables automatic network discovery.

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?
https://www.howtogeek.com/howto/6456/what-is-mdnsresponder.exe-bonjour-and-how-can-i-uninstall-or-remove-it/

 

Application errors:
==================
Error: (02/07/2023 03:58:48 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Local Hostname GAMII.local already in use; will try GAMII-2.local instead

Error: (02/07/2023 03:58:48 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNSCoreReceiveResponse: ProbeCount 2; will deregister    4 GAMII.local. Addr 192.168.1.140

Error: (02/07/2023 03:58:48 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNSCoreReceiveResponse: Received from 192.168.1.140:5353   16 GAMII.local. AAAA 2603:6010:6E03:4C15:E025:F414:63C2:E4AC

 

[ 2 ]

It looks like the Sophos scanner was used on this system but perhaps was not fully uninstalled, removed when done? It has a main folder left over that can probably be removed.

C:\ProgramData\Sophos

 

[ 3 ]

Interesting in that a service for what appears to be a CAD data drawing program is blocked from loading, but I don't see the service listed or an installation entry.

Was there some type of CAD program installed on the system before?

 

Error: (02/06/2023 10:16:19 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The semav6msr64 service failed to start due to the following error:
A certificate was explicitly revoked by its issuer.

Error: (02/06/2023 10:16:19 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The semav6msr64 service failed to start due to the following error:
A certificate was explicitly revoked by its issuer.

 

[ 4 ]

Let's do another general Farbar script clean and check. This time I'll have it do a listing of all services and program installations

 

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRST64.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\reveu\Desktop\

NOTE. It's important that both files, FRST64.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

  1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed in most, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

  • Like 1
Link to post
Share on other sites

  • Root Admin

So, it looks like the following is actually from Intel

Error: (02/06/2023 10:16:19 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The semav6msr64 service failed to start due to the following error:
A certificate was explicitly revoked by its issuer.

Error: (02/06/2023 10:16:19 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The semav6msr64 service failed to start due to the following error:
A certificate was explicitly revoked by its issuer.

 

I found the following post from 2016 on this @GlennM2

https://www.tenforums.com/drivers-hardware/53785-what-semav6msr64-sys-post760995.html#post760995

 

  • Like 1
Link to post
Share on other sites

  • Root Admin

Great, looks good @GlennM2

Let's go ahead and get a couple of 3rd party AV scans done to ensure we haven't missed something.

 

[ 1 ]

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

[ 2 ]

Let's go ahead and also run an ESET scan too.

 

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen chose if you want to send anonymous data and if you want to provide feedback or not, then click Continue
  • When prompted for scan type, Click on the Full Scan button
  • Enable  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false postive, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

 

 

Thank you

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.