Home Network breached on multiple devices


Post by bluebits » February 27th, 2018, 9:39 pm

Hi,
My home network was breached. I began first noticing by strange behavior on the desktop:
=> Password of admin appeared to have been changed as I could not login with it (login only worked with PIN)
=> After login on Windows with PIN I only got the "Black Screen of Death"
=> I could not login in Safe Mode with the admin PIN
=> I could not restore, reset, install anything without the admin password, PIN was not an option
=> Essentially I was blocked out of Windows and without means to regain control

I was able to login in Safe Mode on a limited user account. I inspected more closely and found suspicious entries:
=> Windows System Event Log showed errors for DCOM
=> Windows Device Manager showed that ALL devices were configured and initiated on 15/Feb/2018 (as if a new installation)
=> Windows Device Manager showed yellow exclamation marks on Kaspersky devices
=> Windows Device Manager showed Kaspersky devices were deleted on 20/Feb/2018 (device ROOT\NET\0000 deleted)
=> Windows Device Manager showed Kaspersky devices were reinstalled after deletion
=> Google Sign in showed a Linux device had logged into the Google Account (I don't knowingly use any Linux based device)

All other wifi devices of the Home Network showed nothing in particular but a consistent dropping of the wifi connection.

Desperate, I clean installed Windows (deleting all the smaller system partitions, they remained as unallocated space, and formatting the main partition) and Factory Reset all wifi devices. I was careful to disconnect the internet and reset them one by one with all others turned off (to avoid reinfections).
I STILL HAVE SUSPICIOUS BEHAVIOR AFTER REINSTALLATION:
=> Google activity shows wifi device1 has logged access to hxxp:com.iu.ad_phase_0 multiple times on periods of no or low device activity
=> Wifi device1 opened a window with an alarming message that "this phone has a dangerous trojan!" from
hxxp://launchacross.bid/ferbirthidcoms/hicahdxgams?b6b97525010e4a2db3e7cd3418da6b08bd7742280df55d2da9fbb81f9257d914240551fa4b77936d19d61dc0094c3c53f5acc6b4a93ff185b06540d50e369eb052ed54165525b3f607c4dd5572687a0cbe68ac68a822e19a8b79120bf36ab6ca0ea79e5c5cdea0569dae4eed692306cc37d5b0c2b5d40d113eb368fc4933399cc6ca2008081acfb131f11c4799546810f35d0c422515b62e2c802b57a4aa217cfb6ac2ebce86521554069edc5bcb5b9678a9830fb54b1a03ed58b5ee7bee7b5f8253113ced4ebb7259d19af3d70f432ab3f57c8f383db5a27b2ed1cb0fd26de0cd9c6d00dba2c83ba50512010a41dc342a6ff126372a02b59f1535cb11ca24703168a22fa2d16033183c8cbf3b062f0d

=> The message above appeared by only clicking on the Chrome app. The phone was immediately turned off without any action on the window.
=> Wifi device2 can not open Google Play Store for reinstallation of apps. The error message is "Unfortunately, Google Play has stopped working"
=> Desktop still shows error messages for DCOM

Please advise.
bluebits
Active Member
 
Posts: 6
Joined: February 27th, 2018, 8:04 pm

Re: Home Network breached on multiple devices

Post by capnkrunch » February 27th, 2018, 11:23 pm

Warning!
The steps presented in these posts are for this person and machine ONLY. Do not apply these steps to your own system, without the guidance of a trained malware removal helper. Doing so, may possibly damage your system, preventing it from starting.

Hello and welcome to the Malware Removal Forums :)

My name is capnkrunch and I will be helping you with your malware problems.

Before we begin, please read and follow these important guidelines, so things will proceed smoothly.
  • The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  • You must have Administrator rights, permissions for this computer.
  • DO NOT run any other fix or removal tools unless instructed to do so.
  • DO NOT install any other software (or hardware) during the cleaning process.
  • Only post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  • Print each set of instructions, if possible. Your Internet connection will not be available during some fix processes.
  • Only reply to this thread, do not start another ... Please, continue responding, until I give you the "All Clean".
    Remember, absence of symptoms does not mean the infection is all gone.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Failure to respond for 3 days, will result in your topic being closed.

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care, not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


For your safety and protection, I would advise backing up all your important documents, personal data files and photos to a CD or DVD drive as some infections may render your computer unbootable during or before the disinfection process. The safest practice is not to backup any files with the following file extensions:
exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

capnkrunch
MRU Master
 
Posts: 793
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Home Network breached on multiple devices

Post by capnkrunch » February 27th, 2018, 11:23 pm

Reviewing your logs. Please wait for the next instructions.
capnkrunch
MRU Master
 
Posts: 793
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Home Network breached on multiple devices

Post by capnkrunch » February 28th, 2018, 12:36 am

Hello bluebits :)

Step one...

Please answer the following questions:
  • Is this computer used for business including home or small business?
  • Is this computer ever connected to an educational network, for example at a university?

Step two...

CKScanner
Please download CKScanner and save it to your Desktop.
This program should only be run once!
Make sure that CKScanner.exe is on your desktop before running the application!

  • Right click on the CKScanner.exe icon and select Run as administrator.
  • Click the Search For Files button.
  • When the scan is finished (the cursor hourglass disappears) click the Save List To File button.
    A text file will be created on your desktop named "ckfiles.txt"
  • Click OK at the file saved message box. Double-click on the ckfiles.txt icon on your desktop.
  • Please copy/paste the contents of ckfiles.txt in your next reply.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections...

In your next reply please include:
  • Did you have any problems with the instructions?
  • Answers to my questions
  • ckfiles.txt
  • Are there any changes in computer behavior?
capnkrunch
MRU Master
 
Posts: 793
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Home Network breached on multiple devices

Post by bluebits » February 28th, 2018, 7:31 am

Thanks for the reply,

Here are the answers to your questions:
=> This computer and home network is not used for business of any kind
=> This computer was never connected to an educational network
=> I have read all your instructions, there were no doubts
=> There are no changes to computer behavior at this time

CKScanner result
CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.AGNAWZ
----- EOF -----
bluebits
Active Member
 
Posts: 6
Joined: February 27th, 2018, 8:04 pm

Re: Home Network breached on multiple devices

Post by capnkrunch » February 28th, 2018, 10:27 pm

Hello bluebits :)

Thanks for answering my questions. Please run the following scans so we can get a closer look at your computer.

Step one...

AdwCleaner - Scan Only
  • Please download AdwCleaner by Xplode save it to your Desktop.
  • Close all open programs and windows so that you are at your Desktop.
  • Right click on adwcleaner.exe and click Run as administrator.
  • Click on the Scan button.
    When the scan finishes, you'll see a message in the AdwCleaner window: "Waiting for action. Please uncheck elements you want to keep."
  • Do not attempt to clean anything at this point.
  • Click on the Logfile button.
  • This will open a file, AdwCleaner[Sx].txt where x is the number of times the scan has been run. Copy and paste the contents of that logfile in your reply.

Step two...

Malwarebytes Anti-Malware (MBAM) Scan
Note: you need to be connected to the internet so that MBAM can download any updates it needs to.
  • Please download Malwarebytes Anti-Malware.
  • Double-click the mbam-setup-*version*.exe file and follow any prompts to install MBAM. Before you click Finish ensure that Launch Malwarebytes Anti-Malware is checked.
  • When MBAM launches allow it to update its databases if prompted.
  • Please close all open programs and windows so that you are at your Desktop.
  • Press the Start button.
  • Type Malwarebytes into the search box and select it from the results.
  • Allow MBAM to update if it asks you to.
  • Click Scan Now. MBAM will update its databases and proceed to scan your computer.
  • If any threats are found, ensure that all of them are checked and click Remove Selected.
  • If prompted to allow a reboot please do so.
    Failing to reboot when asked can prevent MBAM from removing all the malware it finds.
  • Once the scan is finished click Export Summary in the bottom right corner and select Text File (*.txt).
  • Save it on your Desktop as mbam.txt. Copy and paste the contents of mbam.txt in your reply.
  • If MBAM required a reboot please do the following to get the report:
    • On reboot reopen MBAM.
    • Click Reports and then click the most recent Scan Report and click View Report.
    • Click Export and then click Text File (*.txt).
    • Save it on your Desktop as mbam.txt. Copy and paste the contents of mbam.txt in your reply.

Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections... In your next reply please include:
  • Did you have any problems with the instructions?
  • AdwCleaner[Sx].txt
  • mbam.txt
  • Are there any changes in computer behavior?
capnkrunch
MRU Master
 
Posts: 793
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Home Network breached on multiple devices

Post by bluebits » March 1st, 2018, 8:02 am

No problems following the instructions. Here is the AdwCleaner log:

# AdwCleaner 7.0.8.0 - Logfile created on Thu Mar 01 11:55:07 2018
# Updated on 2018/08/02 by Malwarebytes
# Database: 02-27-2018.1
# Running on Windows 10 Home (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************



########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########
bluebits
Active Member
 
Posts: 6
Joined: February 27th, 2018, 8:04 pm

Re: Home Network breached on multiple devices

Post by bluebits » March 1st, 2018, 8:03 am

Here is the Malwarebytes log

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/1/18
Scan Time: 8:59 AM
Log File: f68a040e-1d47-11e8-8d84-50e549411090.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.4156
License: Trial

-System Information-
OS: Windows 10 (Build 16299.248)
CPU: x64
File System: NTFS
User: DESKTOP-03SA8BU\ctrim

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 303635
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 0 min, 40 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)
bluebits
Active Member
 
Posts: 6
Joined: February 27th, 2018, 8:04 pm

Re: Home Network breached on multiple devices

Post by bluebits » March 1st, 2018, 9:04 am

I forgot to mention that I did not see any new behavior.
I did learn just recently that there was an unauthorized charge to my credit card on 24/Feb/2018 11:40:06. This card was associated to Google Play Store. I believe it was on the same day I reinstalled the OS on all devices but I'm unsure if the time was before or after.

Thank you Captain! :)
bluebits
Active Member
 
Posts: 6
Joined: February 27th, 2018, 8:04 pm

Re: Home Network breached on multiple devices

Post by capnkrunch » March 2nd, 2018, 2:15 am

Hello bluebits :)

Thanks for running those scans. The good news is that I have seen nothing that suggests that your computer is currently infected in any of your logs. This is what I would expect since you recently reimaged this computer. In fact, you've already taken all the steps that I would have suggested after experiencing a major infection.

First, let's clean up the tools that we have used and then we can talk about what to do next.

Step one...

AdwCleaner - Uninstall
  • You should still have adwcleaner.exe in your Downloads folder. If not please download it HERE.
  • Right click on adwcleaner.exe and select Run as administrator.
  • Click on File and then select Uninstall
  • Click Yes.
  • AdwCleaner will uninstall and automatically close itself.

Step two...

DelFix
  • Please download DelFix by Xplode and save it to your Desktop.
  • Right click on delfix_*version*.exe and select Run as administrator.
  • Check the following boxes and then click Run:
    • Activate UAC
    • Remove disinfection tools
    • Purge system restore
  • If any logs or programs remain, you may delete them now.

As far as your credit card goes, if you haven't already you should contact your credit card company and bank and tell them what has happened. They may be able to provide you with additional assistance.

Please take a look at this link for additional information on handling fraud and identity theft: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

I would not worry about what you see in the logs. The Windows Event logs are notoriously useless and fresh installs of Windows begin generating errors immediately. Android has the same problem. Unless you are a sysadmin or developer trying to fix a specific problem I recommend simply not looking at them.

This particular DCOM error is well known and Microsoft even issued recommendations that it be ignored as there are no adverse effects but trying to fix it can cause serious problems. This is the reason I generally recommend avoiding logs; the potential to cause problems trying to fix errors that don't matter is just too great.

I have actually seen the redirect issue in Chrome on my own phone before, it can be caused if a site displays a bad advertisement that gets stuck in the cache. If that is the case it can be fixed by force closing the app and clearing the cache.

For the remaining Android issues, unfortunately this forum only provides assistance for Windows systems. For additional help you can try creating a thread at one of the following sites:

Otherwise, you might try contacting your carrier or device manufacturer or posting in their help forums.

If you have any additional questions please don't be afraid to ask. Otherwise, I have some final instructions to clean up the tools we have used.

Regards,
-capnkrunch
capnkrunch
MRU Master
 
Posts: 793
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Home Network breached on multiple devices

Post by bluebits » March 2nd, 2018, 10:04 am

That's great news! :cheers: Thank you for gifting me with peace of mind.

I have some follow up questions
1. At the moment, I consider the wifi devices untrusted. How do I protect the desktop from being attacked within the LAN? Currently Windows 10 Network configuration is setup as “Public”, is this enough? What is the best practice for connecting untrusted devices to the LAN? Should I allow wifi connections to the LAN at all at this point?
2. I have reason to believe the attacker got hold of the router password (they were saved under the Google account with Chrome’s Smart Lock feature). I have changed those passwords already; should additional action be taken? Resetting the device to factory default, for example?
3. There is a Samsung smart TV connected to the home network via cat6. Could it be of any concern? Is there even a procedure to “reset” a smart TV? How can I consider it “trusted” again?

Thank you for the links on the Android devices, those are much needed. If you allow me a constructive comment I would have much appreciated that information earlier. It’s been a stressful event with the whole family on lockdown, the sooner things can be normal again the better. At least make it more explicit on the “Read This First” about what you do not help with.

cheers
bluebits
Active Member
 
Posts: 6
Joined: February 27th, 2018, 8:04 pm

Re: Home Network breached on multiple devices

Post by capnkrunch » March 3rd, 2018, 4:54 pm

Hello bluebits :)

That's great news! :cheers: Thank you for gifting me with peace of mind.

You're very welcome. I'm glad we were able to help.

As to your follow up questions, I am not a network security expert but I can give you some general suggestions. Anything more is beyond the scope of what this forum handles.

1. At the moment, I consider the wifi devices untrusted. How do I protect the desktop from being attacked within the LAN? Currently Windows 10 Network configuration is setup as “Public”, is this enough? What is the best practice for connecting untrusted devices to the LAN? Should I allow wifi connections to the LAN at all at this point?

If you have your firewall enabled, your system and software up to date, and a strong Windows password, cross infections generally won't happen. Setting the network as public will disable sharing features and so is not a bad idea if you think other devices on your network might be compromised.

You might also be able to use your router to segregate untrusted devices. Many routers can create a separate guest network and dual-band routers usually allow you to create separate 2.4 and 5 GHz networks.

2. I have reason to believe the attacker got hold of the router password (they were saved under the Google account with Chrome’s Smart Lock feature). I have changed those passwords already; should additional action be taken? Resetting the device to factory default, for example?

Some malware can affect routers so doing a factory reset is not a bad idea. Afterwards, make sure to change the admin password and enable WPA or WPA2 security with a strong password.

3. There is a Samsung smart TV connected to the home network via cat6. Could it be of any concern? Is there even a procedure to “reset” a smart TV? How can I consider it “trusted” again?

I use the guest network functionality on my home router to separate internet of things (IoT) devices. Things like smart TVs, lightbulbs, refrigerators, etc. are notoriously insecure.

You can try the networking forums on Tech Support Guy or BleepingComputer if you need help configuring any of these settings.

If you allow me a constructive comment I would have much appreciated that information earlier. It’s been a stressful event with the whole family on lockdown, the sooner things can be normal again the better.

I will definitely keep that in mind in the future. I hope that you can get the rest of your issues resolved as quickly as possible.

For more information on securing your computer please read COMPUTER SECURITY - a short guide to staying safer online.

Regards,
-capnkrunch
capnkrunch
MRU Master
 
Posts: 793
Joined: March 20th, 2015, 6:41 pm
Location: Chicago
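The points capnkrunch lists for a PC sharing a LAN with untrusted devices (firewall on, system patched, network profile set to Public so sharing features are off) can be audited from an elevated PowerShell prompt rather than clicked through one dialog at a time. The script below is an added example written for this page, not code from capnkrunch or from MalwareRemoval.com. It assumes Windows 10 with the built-in NetConnection and NetSecurity cmdlets; the function names Get-LanHardeningReport and Set-AllProfilesPublic are my own. It goes slightly beyond the reply by also listing enabled inbound firewall rules that expose SMB (445) or RDP (3389), since those are the usual routes by which one compromised device on a LAN reaches another.

```powershell
# Added example, not code from the thread or from MalwareRemoval.com.
# Audits a Windows 10 PC for the LAN-hardening points in the reply above:
# Public network category, firewall on with inbound blocked by default,
# recent patches, and no enabled inbound allow-rules exposing SMB/RDP.
# Run from an elevated PowerShell prompt (built-in cmdlets only).

function Get-LanHardeningReport {
    $report = [ordered]@{}

    # 1. Every active connection profile should be 'Public'. Public turns off
    #    network discovery and file/printer sharing, which is what the reply
    #    means by "sharing features".
    $profiles  = Get-NetConnectionProfile
    $nonPublic = @($profiles | Where-Object { $_.NetworkCategory -ne 'Public' })
    $report['NonPublicProfiles'] = $nonPublic |
        Select-Object Name, InterfaceAlias, NetworkCategory

    # 2. Windows Defender Firewall must be enabled on all three profiles and
    #    drop unsolicited inbound traffic by default.
    $fw = Get-NetFirewallProfile
    $report['FirewallDisabledProfiles']  = @($fw | Where-Object { $_.Enabled -ne 'True' }) |
        Select-Object Name
    $report['InboundNotBlockedProfiles'] = @($fw | Where-Object { $_.DefaultInboundAction -ne 'Block' }) |
        Select-Object Name

    # 3. Enabled inbound allow-rules for SMB (445) or RDP (3389) are the usual
    #    path for a compromised neighbour on the LAN to reach this machine.
    $riskyPorts = '445', '3389'
    $report['InboundAllowRulesOnRiskyPorts'] = @(
        Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
            Where-Object {
                $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
                ($ports | Where-Object { $_ -in $riskyPorts }).Count -gt 0
            } | Select-Object DisplayName, Profile
    )

    # 4. "Up to date": date of the most recently installed update.
    $latest = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $report['LatestUpdateInstalledOn'] = if ($latest) { $latest.InstalledOn } else { 'unknown' }
    $report['DaysSinceLastUpdate']     = if ($latest) {
        (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    } else { $null }

    [pscustomobject]$report
}

# Remediation for point 1: switch every non-Public profile to Public.
# Supports -WhatIf so the change can be previewed first.
function Set-AllProfilesPublic {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -ne 'Public' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.InterfaceAlias, 'Set network category to Public')) {
                Set-NetConnectionProfile -InterfaceIndex $_.InterfaceIndex -NetworkCategory Public
            }
        }
}

Get-LanHardeningReport | Format-List
```

Run the script as-is to print the report; an empty NonPublicProfiles, FirewallDisabledProfiles, InboundNotBlockedProfiles and InboundAllowRulesOnRiskyPorts list, with a small DaysSinceLastUpdate, is the state the reply describes. Run Set-AllProfilesPublic -WhatIf to preview which interfaces would be switched, then without -WhatIf to apply. The guest-network and router factory-reset advice in the same reply is done in the router's own administration page and is not something this script can perform.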

Re: Home Network breached on multiple devices

Post by pgmigg » March 3rd, 2018, 5:06 pm

As the problems seem to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see
Feedback for Our Helpers - Say "Thanks" Here.
pgmigg
Admin/Teacher
 
Posts: 5457
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00