Virus makes browser crash when you search some words and blocks antivirus.


Solved by doctorwhatag.

I have a very unpleasant problem: there is a virus on my computer that makes the browser crash when you search for words like "hosts", etc., and also blocks the installation and launch of antiviruses (including Malwarebytes and many others). I read on this same forum that someone had the same problem. I rebooted into safe mode and ran Farbar Recovery Scan Tool. After the scan I found very unpleasant results, which confirm that the virus exists. This virus has been giving me nightmares for over six months now; it prevents me from using apps and obviously poses a potential threat to my passwords/data. I am attaching the log.

FRST Log.txt


@doctorwhatag

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs and when your helper weighs in, please take no further self-directed remedial actions that would invalidate the diagnostic logs you will have sent.

Thank you.


Hello @doctorwhatag and welcome!

My name is MKDB and I will assist you.

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow the steps in the given order and post back the log files.
  • Please copy and paste all log files into your post.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Only run the tools I guide you to. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • As English is not my native language, please do not use slang or idioms. It may be hard for me to understand.
  • If you do not respond within 4 days, your topic will be closed.
  • Cracked, hacked or pirated programs are not only illegal, but will also make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions, and at times also a big source of current trojan infections. If you are running any kind of illegal software on your system, please uninstall it now, before we start the cleaning procedure.


Please note:

Your version of FRST is outdated. Please remove the old version, then download and run the newest version in English.

Moreover, please try to run FRST in normal mode first.


Step 1

Please download the suitable version of Farbar Recovery Scan Tool (FRST) and save it to your desktop: 32bit | 64bit



  • Solution

I solved the problem by myself. I read the log file and saw the following:

2023-03-25 16:06 - 2023-06-18 21:47 - 000000000 __SHD C:\FRST
2023-03-25 16:06 - 2023-03-25 16:57 - 000000000 ____D C:\Program Files (x86)\IObit
2023-03-25 16:06 - 2023-03-25 16:06 - 000037376 _____ (Microsoft Corporation) C:\WINDOWS\system32\rfxvmt.dll
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\ProgramData\WavePad
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\ProgramData\RobotDemo
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\ProgramData\PuzzleMedia
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\ProgramData\Norton
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\ProgramData\McAfee
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\ProgramData\MB3Install
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\ProgramData\Kaspersky Lab Setup Files
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\ProgramData\Kaspersky Lab
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\ProgramData\grizzly
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\ProgramData\FingerPrint
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\ProgramData\Evernote
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\ProgramData\ESET
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\ProgramData\Doctor Web
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\ProgramData\BookManager
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\ProgramData\AVAST Software
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\ProgramData\360safe
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\SpyHunter
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\Ravantivirus
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\Rainmeter
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\Process Lasso
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\Loaris Trojan Remover
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\Kaspersky Lab
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\ESET
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\Enigma Software Group
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\DrWeb
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\COMODO
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\Common Files\McAfee
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\Common Files\Doctor Web
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\Common Files\AV
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\Cezurity
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\ByteFence
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\Bitdefender Agent
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\AVG
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files\AVAST Software
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files (x86)\Transmission
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files (x86)\SpyHunter
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files (x86)\Panda Security
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files (x86)\Microsoft JDX
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files (x86)\Kaspersky Lab
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files (x86)\GRIZZLY Antivirus
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files (x86)\Cezurity
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files (x86)\AVG
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files (x86)\AVAST Software
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\Program Files (x86)\360
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\KVRT2020_Data
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\KVRT_Data
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 ___HD C:\ProgramData\Windows Tasks Service
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 ___HD C:\Program Files\RDP Wrapper
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 ____D C:\WINDOWS\speechstracing
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 ____D C:\Users\testr\AppData\Roaming\RMS_settings
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 ____D C:\ProgramData\Avira
2023-03-25 16:05 - 2023-06-18 20:08 - 000000000 __SHD C:\ProgramData\WindowsTask
2023-03-25 16:05 - 2023-06-18 20:08 - 000000000 __SHD C:\ProgramData\Setup
2023-03-25 16:05 - 2023-06-18 15:50 - 000000000 __SHD C:\ProgramData\ReaItekHD
2023-03-25 16:05 - 2023-03-25 16:07 - 000000000 __SHD C:\ProgramData\Install
2023-03-25 16:05 - 2023-03-25 16:05 - 000000000 ____D C:\ProgramData\System32
2023-03-25 16:05 - 2023-03-25 16:05 - 000000000 ____D C:\ProgramData\RunDLL
2023-03-25 15:21 - 2023-03-25 15:21 - 000024822 _____ C:\Users\testr\Downloads\counter-strike-2.torrent

This happened because of the human factor, namely piracy. I removed the executables from this list (to do this I rebooted into Linux), the browser stopped crashing and I was able to install Malwarebytes. According to the results of the Malwarebytes scan, I only saw remnants in the Windows registry. Fortunately, this pirated software was not used. For future people who run into this problem -- don't pirate. Thank you for the help. Later I will show what kind of virus it was.


The first picture shows the log of the virus itself, which was used by the "Tektonit" software to carry out fraud. It seems that the virus failed to connect to the server. I looked the IP up in the database and it shows the location as Warsaw/Wroclaw (from different databases) and LLC Majorcore. I checked the executable itself in VirusTotal, where it was determined to be truly malicious.

hacker_pan2el.png

virus_signature.png


1 minute ago, doctorwhatag said:

The first picture shows the log of the virus itself, which was used by the "Tektonit" software to carry out fraud. It seems that the virus failed to connect to the server. I looked the IP up in the database and it shows the location as Warsaw/Wroclaw (from different databases) and LLC Majorcore. I checked the executable itself in VirusTotal, where it was determined to be truly malicious.

hacker_pan2el.png

virus_signature.png

So, this is a remote-control virus which, according to its design, was supposed to steal passwords or execute commands from the server using a script. Files with passwords were encrypted by the built-in means of Windows and browsers. Passwords have been changed.


So I will describe the strategy of this virus:
1. Blocking antivirus software.
2. Integration.
3. Blocking the launch of portable antivirus utilities.
4. Blocking the ability to download antiviruses.
5. Attempting to steal data.
6. Continuing to exist on the computer until a new data theft request is created or until the virus is removed.


Brief instructions for removing the virus:
1. Burn Ubuntu or any other Linux distribution to a USB stick.
2. Download FRST in Windows.
3. Reboot into safe mode.
4. Run the program as mentioned above. Next, start reading through the logs, or ask someone else to do it. If you know when the infection started, it will make the task easier.
5. Delete the files from the list that appeared due to the infection. You may get "Access Denied" errors, so boot Linux and delete the files through it; there are no restrictions there. Also delete the antivirus folders, because otherwise you won't be able to run them because of the access denial.
6. Empty the Recycle Bin.
7. Reboot back into Windows and install Malwarebytes again.
8. Run a final scan with this antivirus.
9. Check the browser: just enter the word "hosts". If the problem pops up, then you did not remove the virus completely; if not, then you have cured the computer of it.
10. Change your passwords to prevent tragedy.
11. Do not download files from the site where you caught this virus. Do not pirate; it will be for the best.

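Reading an FRST listing like the one quoted earlier in this thread by eye is error-prone. The Python below is an added example, not code from the thread or from FRST: it parses FRST "created" lines, groups the System+Hidden directories by creation minute to expose the burst visible in the poster's log, and lists those whose names match security-product folders, which the poster had to delete before Malwarebytes could be installed. AV_DIR_NAMES and SAMPLE_LOG are constructed here from the log quoted in the thread.

```python
import re
from collections import Counter

# One FRST "created" line: created - modified - size attributes [(Company)] path
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{9}) (?P<attrs>[_A-Z]{5}) (?:\([^)]*\) )?(?P<path>\S.*)$"
)

# Folder names of security products that appear in the log quoted in this thread.
AV_DIR_NAMES = {"Kaspersky Lab", "ESET", "AVG", "AVAST Software", "McAfee",
                "Norton", "MB3Install", "Doctor Web", "Bitdefender Agent"}

# Constructed sample: a subset of the lines from the poster's FRST log.
SAMPLE_LOG = """\
2023-03-25 16:06 - 2023-03-25 16:06 - 000037376 _____ (Microsoft Corporation) C:\\WINDOWS\\system32\\rfxvmt.dll
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\\ProgramData\\MB3Install
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\\ProgramData\\Kaspersky Lab
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\\Program Files\\ESET
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 __SHD C:\\Program Files (x86)\\AVG
2023-03-25 16:06 - 2023-03-25 16:06 - 000000000 ____D C:\\ProgramData\\Avira
2023-03-25 16:05 - 2023-06-18 20:08 - 000000000 __SHD C:\\ProgramData\\WindowsTask
2023-03-25 15:21 - 2023-03-25 15:21 - 000024822 _____ C:\\Users\\testr\\Downloads\\counter-strike-2.torrent
"""

def parse_frst(text):
    """Return one dict per recognised FRST line; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = FRST_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            entries.append(e)
    return entries

def hidden_system_dirs(entries):
    """Directories carrying both the System and Hidden attributes (__SHD)."""
    return [e for e in entries if {"D", "S", "H"} <= set(e["attrs"])]

def creation_bursts(entries, threshold=3):
    """Creation minutes in which at least `threshold` SHD directories appeared."""
    counts = Counter(e["created"] for e in hidden_system_dirs(entries))
    return {ts: n for ts, n in counts.items() if n >= threshold}

def av_name_squatting(entries):
    """SHD directories whose last path component is a known security-product folder."""
    return sorted(e["path"] for e in hidden_system_dirs(entries)
                  if e["path"].rsplit("\\", 1)[-1] in AV_DIR_NAMES)
```

Run against the full log from the thread, creation_bursts reports the single 16:06 minute in which dozens of these folders appeared, and av_name_squatting lists the folders whose presence blocked the antivirus installers.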

This topic is now closed to further replies.