2

Recently I installed KMSPico, after that many unwanted softwares were installed on my system, later I uninstalled all of them and removed related folders. But strangely from my system I couldn’t open anti-virus software provider websites like norton.com, avast.com, avg.com. Other websites like Quora, Google, FB are working fine. Also sometimes automatically random websites are opening on chrome. I suspect some virus infected my system.

Did anyone faced similar issue, if so how did you resolved it?

techraf
  • 9,149
  • 11
  • 44
  • 62
Anil Tallam
  • 121
  • 3
  • 1
    http://meta.security.stackexchange.com/questions/880/the-memes-of-information-security/1118#1118 – techraf Jun 24 '16 at 10:15
  • Shamelessly using this question for this: http://meta.security.stackexchange.com/questions/2382/do-we-need-a-canonical-question-as-dupe-target-for-help-my-computer-has-a-viru – hamena314 Jun 24 '16 at 10:24

3 Answers3

4

Nuke from orbit ... your system has been compromised and should not be trusted anymore. Wipe everything and start with a new, fresh system.

The virus / malware probably plays with your hosts-file and disables anti-virus or security websites (this one is doing a lazy job, since you seem to be able to surf here...).

But as you dont know, where the virus sits or even where exactly it entered your system, you cant remove a virus with 100% certainty.

After you've created a new, fresh system, make sure install all updates and use the latest virus-scanner.

hamena314
  • 2,017
  • 1
  • 16
  • 23
2

According to bitdefender blog a malware is included in modified installers for well-known programs, such as KMSPICO , winrar ... Once installed on a computer, Redirector.Paco modifies its Internet Settings to use a Web proxy server specified by the attackers in a PAC (Proxy auto-config) file.

The malicious infection chain starts with a modified MSI file. The installation files usually belong to known benign programs such as “WinRAR 5.2 msi”, “WinRAR 5.11”, “YouTube Downloader 1.0.1”, “WinRAR 5.11 Final”, “”Connectify 1.0.1”, “Stardock Start8 1.0.1”, “KMSPico 9.3.3”. The installation files are modified using Advanced Installer1 .[3]

How it works

The malware’s objective is to redirect all traffic performed when using a popular search engine (such as Google, Yahoo or Bing) and replace the results with others obtained from a Google custom search. The goal is to help cyber-criminals earn money from the AdSense program.

Google’s AdSense for Search program places contextually relevant ads on Custom Search Engine’s search results pages and shares a portion of its advertising revenue with AdSense partners.

To redirect the traffic the malware performs a few simple registry tweaks. It modifies the “AutoConfigURL” and “AutoConfigProxy” values from the “Internet Settings” registry key so that for every request that a user makes, a PAC (Proxy auto-config) file will be queried. This file tells the browser to redirect the traffic to a different address.

The malware tries to make the search results look authentic. However, there are some markers that would normally raise suspicions.

In the status bar of the browser, messages like “Waiting for proxy tunnel” or “Downloading proxy script” may be displayed. Secondly, the Google page takes abnormally long to load. Furthermore, the malware doesn’t show the typical yellow ‘o’ characters above the page numbers.

Download minitoolbox and run it.

Checkmark the following checkboxes:

Flush DNS

Report IE Proxy Settings

Reset IE Proxy Settings

Report FF Proxy Settings

Reset FF Proxy Settings

List content of Hosts

List IP configuration

List Winsock Entries

List last 10 Event Viewer log

List Installed Programs

List Users, Partitions and Memory size.

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

To repair your system , download AdwCleaner and scan your pc for malwares.

GAD3R
  • 2,211
  • 3
  • 17
  • 38
  • minitoolbox looks like it hasn't been updated in 4 years, This needs to be updated with more general advice. – schroeder Jan 28 '22 at 09:34
2

The best way to eliminate viruses is to completely wipe the operating system. (backup your personal files first!)

If you have been using a non-administrative user account on your computer, it is possible the virus is contained in that account and you can simply switch to a new account. However, this is not the default setup for most people.

A less thorough approach is use an anti-virus program. However (unlike a complete wipe of the OS) an anti-virus program cannot guarantee complete & successful removal of the virus.

As I said, it is best to wipe the computer. However, if you decide to try Anti-Virus (and risk an incomplete cleanup, which could do other things like breach your privacy), then these options may work:

  • Load an anti-virus installer from a flash drive.

    • If it will not execute, look for the default handler for the .exe file type and try to correct it. This is a simple trick some viruses use to prevent installation of new (anti-virus) software.
  • Set up an OS on a separate drive (i.e. Flash Drive), and then scan the original (infected) drive for viruses in order to clean up. How to do this would be a subject of a separate question.

Did I mention you should wipe the OS instead. :-)

When you are all over with this, feel free to come back looking for suggestions to mitigate the risk. A good first step is to operate out of a non-admin account to contain any potential breaches.

700 Software
  • 13,897
  • 3
  • 53
  • 82