Malware
  • gettingmad
    PCHF Member
    • Jan 2024
    • 20

    #1

    Malware

    Hi,

    I have been sent here from a previous thread https://pchelpforum.net/t/pc-shut-do...-a-game.88173/ .

    The malware mentioned from this thread and the containing folder has been removed at the time of the scan, but the log that highlighted it did not specify that part.

    Screenshot of proof of removal and fresh full scan from this morning:

    (screenshot attached)
  • veeg
    PCHF Director
    • Jul 2016
    • 8982

    #2
    Hello

    Let me tag our expert.

    @Malnutrition


    • xrobwx71
      PCHF Moderator
      • Mar 2023
      • 1067

      #3
      Until Malnutrition gets here, regarding the torrents and game cracks: these are some of the quickest vectors to obtain an infection.

      That being said, don’t make any changes yet, please wait for @Malnutrition's instruction.


      • Malnutrition
        PCHF Moderator
        • Jul 2016
        • 7045

        #4
        @gettingmad

        Please post FRST and Addition.txt logs. Instructions below.


        • Malnutrition
          PCHF Moderator
          • Jul 2016
          • 7045

          #5
          Once the logs are posted, if I see any illegal software installed, you will be asked to remove it. So if you are aware of any such programs then please remove prior to running FRST.

          I personally do not care what you choose to do after you have completed the process with me, I just ask that anything downloaded that was not paid for by you be removed while we check your machine for malware.


          • gettingmad
            PCHF Member
            • Jan 2024
            • 20

            #6
            Logs attached

            TIA


            • Thisismal
              PCHF Member
              • Jan 2024
              • 6

              #7
              I am having an issue with two-factor identification on my account, once that is sorted I will have a reply for you. This is @Malnutrition, I am just having some minor problems logging in. The forum is giving me a bit of trouble.


              • gettingmad
                PCHF Member
                • Jan 2024
                • 20

                #8
                No worries, thanks.


                • Thisismal
                  PCHF Member
                  • Jan 2024
                  • 6

                  #9
                  One of the forum admins will need to log in, so they can rectify the issue. Should not be too long.


                  • Thisismal
                    PCHF Member
                    • Jan 2024
                    • 6

                    #10
                    @gettingmad Do you use Google remote desktop? There are exceptions in your firewall for it.
                    FirewallRules: [{779C1081-13E4-4CDD-B5A1-9CF590562509}] => (Allow) C:\Program Files (x86)\Google\Chrome Remote Desktop

                    Copy the content of the code box below.
                    [COLOR=rgb(184, 49, 47)]Do not copy the word code!!!
                    Right Click FRST and run as Administrator.
                    Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
                    Attach it to your next message.
                    Code:
                    Start::
                    CloseProcesses:
                    SystemRestore: On
                    CreateRestorePoint:
                    RemoveProxy:
                    HKU\S-1-5-21-4039316842-3286948053-4252116158-1001\...\Run: [MicrosoftEdgeAutoLaunch_D22E4B5F304EE6D7FD0FD88330F2D2C3] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start [3854376 2024-01-17] (Microsoft Corporation -> Microsoft Corporation)
                    HKLM\Software\...\Authentication\Credential Providers: [{C885AA15-1764-4293-B82A-0586ADD46B35}] -> 
                    HKU\S-1-5-21-4039316842-3286948053-4252116158-1001\...\Run: [BingSvc] => C:\Users\gagar\AppData\Local\Microsoft\BingSvc\BingSvc.exe [6669856 2024-01-02] (Microsoft Corporation -> Microsoft Corporation)
                    GroupPolicy: Restriction ? <==== ATTENTION
                    Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
                    HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
                    Task: {3D1B6979-87CA-4F32-B839-F238C3388723} - System32\Tasks\GoogleSystem\GoogleUpdater\GoogleUpdaterTaskSystem122.0.6253.0{D14E4DA2-27E8-41D1-BE6C-2AD4B49E6D98} => C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.0\updater.exe [4652320 2024-01-17] (Google LLC -> Google LLC) <==== ATTENTION
                    Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => %SystemRoot%\System32\MbaeParserTask.exe  (No File)
                    Task: {8EB6C1E2-06A7-4957-838D-88E8E4839F64} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults => %systemroot%\system32\MusNotification.exe  LogonUpdateResults (No File)
                    Task: {78E5E9D9-D485-4F15-A0D4-B9E1D9FDAB44} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => %systemroot%\system32\MusNotification.exe  /RunOnAC RebootDialog (No File)
                    Task: {E843971A-4D66-452F-B7C1-585CD1649D4D} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery => %systemroot%\system32\MusNotification.exe  /RunOnBattery RebootDialog (No File)
                    Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe  (No File)
                    Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100
                    Tcpip\..\Interfaces\{105db705-7a70-441b-8c0b-c22b44369aff}: [DhcpNameServer] 194.168.4.100 194.168.8.100
                    Tcpip\..\Interfaces\{36a3e9be-5099-4004-9675-4cd8bbf028b7}: [DhcpNameServer] 194.168.4.100 194.168.8.100
                    Tcpip\..\Interfaces\{38bff250-fd5e-4c92-a049-24ade1186f10}: [DhcpNameServer] 194.168.4.100 194.168.8.100
                    Tcpip\..\Interfaces\{94494728-4c2d-4373-8e07-58d5f50b4310}: [DhcpNameServer] 194.168.4.100 194.168.8.100
                    S2 GoogleUpdaterInternalService122.0.6253.0; C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.0\updater.exe [4652320 2024-01-17] (Google LLC -> Google LLC) <==== ATTENTION
                    S2 GoogleUpdaterService122.0.6253.0; C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.0\updater.exe [4652320 2024-01-17] (Google LLC -> Google LLC) <==== ATTENTION
                    S3 aswTap; C:\WINDOWS\System32\drivers\aswTap.sys [53904 2021-02-18] (AVAST Software s.r.o. -> The OpenVPN Project)
                    C:\WINDOWS\System32\drivers\aswTap.sys
                    S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
                    C:\WINDOWS\system32\Tasks\GoogleSystem
                    C:\ProgramData\Avast Software
                    ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=mpnpojknpmmopombnjdcgaaiekajbnjb
                    ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=fmgjjmmmlfnkbppncabfkddbjimcfncm
                    ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=aghbiahbpaijignceidepookljebhfak
                    ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=fhihpiojkbmbpdjeoajapmgkhlnakfjf
                    ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=kefjledonklijopmnomlcbpllchaibag
                    ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=agimnkijcaahngcdmfeangaknmldooml
                    ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\69639df789022856\Nik - Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google LLC) -> --profile-directory="Profile 1"
                    HKLM\...\StartupApproved\StartupFolder: => "Avast SecureLine VPN.lnk"
                    FirewallRules: [{779C1081-13E4-4CDD-B5A1-9CF590562509}] => (Allow) C:\Program Files (x86)\Google\Chrome Remote Desktop\121.0.6167.13\remoting_host.exe (Google LLC -> Google LLC)
                    FirewallRules: [{17473B01-8E97-4B3E-B657-A6E47D94E6AC}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\DARK SOULS III\Game\DarkSoulsIII.exe => No File
                    FirewallRules: [{02F72279-553A-4A31-8BF5-4229E71DDF3F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\DARK SOULS III\Game\DarkSoulsIII.exe => No File
                    FirewallRules: [{CA6D9CA6-DB9D-4B08-9E05-D6D956357C98}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x64\3DMark.exe => No File
                    FirewallRules: [{BC754E56-745A-4DDB-ADD7-90C54255D08D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x64\3DMark.exe => No File
                    FirewallRules: [{2C10B115-FC54-4EAE-BD7F-8A36D11C237D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x86\3DMark.exe => No File
                    FirewallRules: [{4705AE43-9DEC-4B05-A577-80CAE78F2B7E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x86\3DMark.exe => No File
                    FirewallRules: [{87ADF9E7-7ECF-4754-A4A1-9AC57E98165F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wolcen\win_x64\Wolcen.exe => No File
                    FirewallRules: [{312E655C-A435-4FB0-BB06-FEEA44759107}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wolcen\win_x64\Wolcen.exe => No File
                    FirewallRules: [{17EF5417-7893-4678-964D-27638DF3A040}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x64\3DMark.exe => No File
                    FirewallRules: [{455FE6C9-58A2-49F3-B442-21BDDB0A81DA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x64\3DMark.exe => No File
                    FirewallRules: [{1303FA3C-E03A-42A8-99D0-E451C19EF997}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x86\3DMark.exe => No File
                    FirewallRules: [{0FE80D5C-203A-422C-B98E-587BF1809B2E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x86\3DMark.exe => No File
                    FirewallRules: [{A556DCA5-60C0-4003-AD9A-1ABDBB320480}] => (Allow) LPort=33060
                    FirewallRules: [{409360E4-F804-4E56-B055-FF8107874BE4}] => (Allow) LPort=3306
                    FirewallRules: [{33EC5039-B548-4569-9B31-A34F0836B199}] => (Allow) C:\GOG Games\Diablo\Diablo.exe => No File
                    FirewallRules: [{F4468CA5-D427-4B30-BC38-4E13312EA6C7}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wolcen\win_x64\Wolcen.exe => No File
                    FirewallRules: [{BFAE61FC-C688-48B2-AC17-0FF96E7CE777}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wolcen\win_x64\Wolcen.exe => No File
                    FirewallRules: [{C09A3EF7-F9F4-4C0B-9EE7-AD80755C4BE0}] => (Allow) C:\Users\gagar\AppData\Roaming\Zoom\bin\airhost.exe => No File
                    FirewallRules: [{79A136E5-021C-4113-916C-CA9002B6211C}] => (Allow) C:\Users\gagar\AppData\Roaming\Zoom\bin\airhost.exe => No File
                    FirewallRules: [{282416C2-88AF-4472-8A51-FEA47ABFA6D3}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe => No File
                    FirewallRules: [{61BB7226-A3A4-431C-9128-16C6756269EA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe => No File
                    FirewallRules: [{3C3679B1-CB68-47CE-9B0F-537B5663B1C4}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
                    FirewallRules: [{A69BA849-F761-402A-B8F9-8CBF0C283E84}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
                    FirewallRules: [TCP Query User{0CD16E40-6792-46CA-A8BE-2251F9254FF4}C:\jdk-17.0.6+10\bin\java.exe] => (Allow) C:\jdk-17.0.6+10\bin\java.exe
                    FirewallRules: [UDP Query User{126BEA2F-EF77-4E5B-B552-57558A0AC908}C:\jdk-17.0.6+10\bin\java.exe] => (Allow) C:\jdk-17.0.6+10\bin\java.exe
                    File: C:\totalcmd
                    File: C:\Users\gagar\Downloads\7C95v2J.zip
                    File: C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.0\updater.exe 
                    Folder: C:\Program Files (x86)\Google\GoogleUpdater
                    Folder: C:\totalcmd
                    VirusTotal: C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.0\updater.exe 
                    C:\WINDOWS\system32\drivers\etc\hosts
                    Hosts:
                    cmd: net stop bits
                    Move: C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db.old
                    cmd: net start bits
                    cmd:  bitsadmin /list /allusers
                    CMD: del /f /s /q %windir%\prefetch\*.*
                    CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
                    CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
                    CMD: ipconfig /flushdns
                    C:\Windows\Temp\*.*
                    C:\WINDOWS\system32\*.tmp
                    C:\WINDOWS\syswow64\*.tmp
                    emptytemp:
                    ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
                    Reboot:
                    End::

                    Download Malwarebytes v.4. Install and run.

                    [ul]
                    [li]Once the MBAM dashboard opens, click on Settings (gear icon).[/li]
                    [li]Click on the Security tab and make sure that all four Scan options are enabled.[/li]
                    [li]Close Settings and click on the Scan button on the dashboard.[/li]
                    [li]Once the scan is completed, make sure you have it quarantine any detections it finds.[/li]
                    [li]If no detections were found, click on the Save results drop-down, then the Export to TXT button, and save the file as a Text file to your desktop.[/li]
                    [li]If there were detections, then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.[/li]
                    [li]If the computer restarted to quarantine, you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find, and include that log on your next reply.[/li]
                    [/ul][/COLOR]

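Not part of the thread: an added Python example (my own, not FRST's or the forum's tooling) that triages FRST-style log lines the way the fix above and the one in post #15 do by hand: firewall allow rules whose executable no longer exists, allow rules opening local ports, remote-access tools allowed through the firewall, and services or drivers whose binary is missing or sits in TEMP. The reading of FRST's "=> No File", "[X]" and "<==== ATTENTION" markers and the remote-access keyword list are assumptions, and the sample lines are constructed from those quoted in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: FRST-style lines modelled on the ones quoted in
# posts #10 and #15 above (GUIDs and paths as they appear there).
SAMPLE_LOG = r"""
FirewallRules: [{779C1081-13E4-4CDD-B5A1-9CF590562509}] => (Allow) C:\Program Files (x86)\Google\Chrome Remote Desktop\121.0.6167.13\remoting_host.exe (Google LLC -> Google LLC)
FirewallRules: [{17473B01-8E97-4B3E-B657-A6E47D94E6AC}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\DARK SOULS III\Game\DarkSoulsIII.exe => No File
FirewallRules: [{A556DCA5-60C0-4003-AD9A-1ABDBB320480}] => (Allow) LPort=33060
FirewallRules: [{409360E4-F804-4E56-B055-FF8107874BE4}] => (Allow) LPort=3306
S2 GoogleUpdaterService122.0.6253.0; C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.0\updater.exe [4652320 2024-01-17] (Google LLC -> Google LLC) <==== ATTENTION
S3 aswTap; C:\WINDOWS\System32\drivers\aswTap.sys [53904 2021-02-18] (AVAST Software s.r.o. -> The OpenVPN Project)
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
S3 GPUZ-v2; \??\C:\WINDOWS\TEMP\GPUZ-v2.sys [X] <==== ATTENTION
"""

FIREWALL_RE = re.compile(r"^FirewallRules: \[(?P<name>[^\]]+)\] => \((?P<action>\w+)\) (?P<target>.*)$")
# "S2 <name>; <path> [<size date> | X] ..." covers both services and drivers
SERVICE_RE = re.compile(r"^[SR]\d (?P<name>[^;]+); (?P<path>.*?) \[(?P<meta>[^\]]*)\]")

# Assumed reading of FRST notation: "=> No File" = allow rule whose target is gone,
# "[X]" = service binary not found, "<==== ATTENTION" = item FRST highlights.
REMOTE_ACCESS_HINTS = ("remote desktop", "remoting_host")  # assumed keyword list, not an FRST feature
Finding = Tuple[str, str, str]  # (category, item name, detail)

def review_line(line: str) -> List[Finding]:
    """Return the findings for one FRST log line (empty list = nothing notable)."""
    out: List[Finding] = []
    fw = FIREWALL_RE.match(line)
    if fw:
        target = fw["target"]
        if fw["action"] != "Allow":
            return out  # only allow rules widen exposure
        if target.endswith("=> No File"):
            out.append(("stale-allow-rule", fw["name"], target))  # cleanup candidate
        elif target.startswith("LPort="):
            out.append(("open-local-port", fw["name"], target.split("=", 1)[1]))
        elif any(h in target.lower() for h in REMOTE_ACCESS_HINTS):
            out.append(("remote-access-allowed", fw["name"], target))  # confirm with the user, as in post #10
        return out
    svc = SERVICE_RE.match(line)
    if svc:
        path = svc["path"]
        if "\\temp\\" in path.lower():
            out.append(("binary-in-temp", svc["name"], path))  # drivers loaded from TEMP deserve a look
        if svc["meta"] == "X":
            out.append(("missing-service-binary", svc["name"], path))
    if "<==== ATTENTION" in line:
        out.append(("frst-attention", svc["name"] if svc else line, ""))
    return out

def review_log(text: str) -> List[Finding]:
    return [f for raw in text.splitlines() if raw.strip() for f in review_line(raw.strip())]

def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}  # findings per category, the shape of the log at a glance
    for category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts
```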

                    • Bruce
                      PCHF Moderator
                      • Oct 2017
                      • 10702

                      #11
                      @veeg - I undeleted the above post - I figured you may not have realised it was from @Malnutrition who is currently having issues logging into his regular account.
                      Hope that is the reason you deleted it???


                      • gettingmad
                        PCHF Member
                        • Jan 2024
                        • 20

                        #12
                        I have used remote desktop some time ago to do some stuff from my phone when I was not at home.

                        FYI Malwarebytes only had 3 scan options, had all enabled.


                        • Thisismal
                          PCHF Member
                          • Jan 2024
                          • 6

                          #13

                          Adware Cleaner

                          [ul]
                          [li]Download AdwCleaner and save it to your Desktop[/li]
                          [li]Right-click on AdwCleaner.exe and select Run as Administrator[/li]
                          [li]Accept the EULA (I accept), then click on Scan Now[/li]
                          [li]Let the scan complete[/li]
                          [li]Once the scan completes, make sure that every item listed in the different tabs is checked and click on Quarantine and delete.[/li]
                          [li]Once the cleaning process is complete, AdwCleaner will ask you to restart your computer[/li]
                          [li]Close all other open windows and allow it to restart[/li]
                          [li]After the restart, Notepad will open with the AdwCleaner cleaning log[/li]
                          [li]Please attach the contents of that log in your next reply to me[/li]
                          [li]Next, please re-run FRST and post the two logs fresh, after running AdwCleaner and rebooting.[/li]
                          [/ul]

                          Let me know if any issues remain, I will have to check the logs you posted when I get home.


                          • gettingmad
                            PCHF Member
                            • Jan 2024
                            • 20

                            #14
                            Logs attached


                            • Thisismal
                              PCHF Member
                              • Jan 2024
                              • 6

                              #15
                              Your computer appears clean to me, are there any issues that indicate malware?

                              Copy the content of the code box below.
                              [COLOR=rgb(184, 49, 47)]Do not copy the word code!!!
                              Right Click FRST and run as Administrator.
                              Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
                              Attach it to your next message.
                              Code:
                              Start::
                              CloseProcesses:
                              SystemRestore: On
                              CreateRestorePoint:
                              RemoveProxy:
                              AlternateDataStreams: C:\Users\gagar\OneDrive\Desktop\adwcleaner.exe:MBAM.Zone.Identifier [136]
                              CHR StartupUrls: Default -> "hxxps://ncore.cc/torrents.php","chrome://downloads/"
                              S3 GPUZ-v2; \??\C:\WINDOWS\TEMP\GPUZ-v2.sys [X] <==== ATTENTION
                              emptytemp:
                              Reboot:
                              End::
                              [/COLOR]
