
Solved Malware

Status
Not open for further replies.

gettingmad (PCHF Member, Jan 15, 2024)
Hi,

I have been sent here from a previous thread https://pchelpforum.net/t/pc-shut-down-when-starting-a-game.88173/.

The malware mentioned in that thread, and the folder containing it, had been removed at the time of the scan, but the log that highlighted it did not specify that.

Screenshot of proof of removal and fresh full scan from this morning:


[attached screenshot: wdscan.jpg]
 
@gettingmad

Please post FRST and Addition.txt logs. Instructions below.

 
Once the logs are posted, if I see any illegal software installed, you will be asked to remove it. So if you are aware of any such programs, please remove them prior to running FRST.

I personally do not care what you choose to do after you have completed the process with me; I just ask that anything downloaded that was not paid for by you be removed while we check your machine for malware.
 
@gettingmad Do you use Google remote desktop? There are exceptions in your firewall for it.
FirewallRules: [{779C1081-13E4-4CDD-B5A1-9CF590562509}] => (Allow) C:\Program Files (x86)\Google\Chrome Remote Desktop



Copy the content of the code box below.
Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.


Code:
Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
RemoveProxy:
HKU\S-1-5-21-4039316842-3286948053-4252116158-1001\...\Run: [MicrosoftEdgeAutoLaunch_D22E4B5F304EE6D7FD0FD88330F2D2C3] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start [3854376 2024-01-17] (Microsoft Corporation -> Microsoft Corporation)
HKLM\Software\...\Authentication\Credential Providers: [{C885AA15-1764-4293-B82A-0586ADD46B35}] -> 
HKU\S-1-5-21-4039316842-3286948053-4252116158-1001\...\Run: [BingSvc] => C:\Users\gagar\AppData\Local\Microsoft\BingSvc\BingSvc.exe [6669856 2024-01-02] (Microsoft Corporation -> Microsoft Corporation)
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
Task: {3D1B6979-87CA-4F32-B839-F238C3388723} - System32\Tasks\GoogleSystem\GoogleUpdater\GoogleUpdaterTaskSystem122.0.6253.0{D14E4DA2-27E8-41D1-BE6C-2AD4B49E6D98} => C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.0\updater.exe [4652320 2024-01-17] (Google LLC -> Google LLC) <==== ATTENTION
Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => %SystemRoot%\System32\MbaeParserTask.exe  (No File)
Task: {8EB6C1E2-06A7-4957-838D-88E8E4839F64} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults => %systemroot%\system32\MusNotification.exe  LogonUpdateResults (No File)
Task: {78E5E9D9-D485-4F15-A0D4-B9E1D9FDAB44} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => %systemroot%\system32\MusNotification.exe  /RunOnAC RebootDialog (No File)
Task: {E843971A-4D66-452F-B7C1-585CD1649D4D} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery => %systemroot%\system32\MusNotification.exe  /RunOnBattery RebootDialog (No File)
Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe  (No File)
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{105db705-7a70-441b-8c0b-c22b44369aff}: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{36a3e9be-5099-4004-9675-4cd8bbf028b7}: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{38bff250-fd5e-4c92-a049-24ade1186f10}: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{94494728-4c2d-4373-8e07-58d5f50b4310}: [DhcpNameServer] 194.168.4.100 194.168.8.100
S2 GoogleUpdaterInternalService122.0.6253.0; C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.0\updater.exe [4652320 2024-01-17] (Google LLC -> Google LLC) <==== ATTENTION
S2 GoogleUpdaterService122.0.6253.0; C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.0\updater.exe [4652320 2024-01-17] (Google LLC -> Google LLC) <==== ATTENTION
S3 aswTap; C:\WINDOWS\System32\drivers\aswTap.sys [53904 2021-02-18] (AVAST Software s.r.o. -> The OpenVPN Project)
C:\WINDOWS\System32\drivers\aswTap.sys
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
C:\WINDOWS\system32\Tasks\GoogleSystem
C:\ProgramData\Avast Software
ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=mpnpojknpmmopombnjdcgaaiekajbnjb
ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=fmgjjmmmlfnkbppncabfkddbjimcfncm
ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=aghbiahbpaijignceidepookljebhfak
ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=fhihpiojkbmbpdjeoajapmgkhlnakfjf
ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=kefjledonklijopmnomlcbpllchaibag
ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=agimnkijcaahngcdmfeangaknmldooml
ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\69639df789022856\Nik - Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google LLC) -> --profile-directory="Profile 1"
HKLM\...\StartupApproved\StartupFolder: => "Avast SecureLine VPN.lnk"
FirewallRules: [{779C1081-13E4-4CDD-B5A1-9CF590562509}] => (Allow) C:\Program Files (x86)\Google\Chrome Remote Desktop\121.0.6167.13\remoting_host.exe (Google LLC -> Google LLC)
FirewallRules: [{17473B01-8E97-4B3E-B657-A6E47D94E6AC}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\DARK SOULS III\Game\DarkSoulsIII.exe => No File
FirewallRules: [{02F72279-553A-4A31-8BF5-4229E71DDF3F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\DARK SOULS III\Game\DarkSoulsIII.exe => No File
FirewallRules: [{CA6D9CA6-DB9D-4B08-9E05-D6D956357C98}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x64\3DMark.exe => No File
FirewallRules: [{BC754E56-745A-4DDB-ADD7-90C54255D08D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x64\3DMark.exe => No File
FirewallRules: [{2C10B115-FC54-4EAE-BD7F-8A36D11C237D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x86\3DMark.exe => No File
FirewallRules: [{4705AE43-9DEC-4B05-A577-80CAE78F2B7E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x86\3DMark.exe => No File
FirewallRules: [{87ADF9E7-7ECF-4754-A4A1-9AC57E98165F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wolcen\win_x64\Wolcen.exe => No File
FirewallRules: [{312E655C-A435-4FB0-BB06-FEEA44759107}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wolcen\win_x64\Wolcen.exe => No File
FirewallRules: [{17EF5417-7893-4678-964D-27638DF3A040}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x64\3DMark.exe => No File
FirewallRules: [{455FE6C9-58A2-49F3-B442-21BDDB0A81DA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x64\3DMark.exe => No File
FirewallRules: [{1303FA3C-E03A-42A8-99D0-E451C19EF997}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x86\3DMark.exe => No File
FirewallRules: [{0FE80D5C-203A-422C-B98E-587BF1809B2E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x86\3DMark.exe => No File
FirewallRules: [{A556DCA5-60C0-4003-AD9A-1ABDBB320480}] => (Allow) LPort=33060
FirewallRules: [{409360E4-F804-4E56-B055-FF8107874BE4}] => (Allow) LPort=3306
FirewallRules: [{33EC5039-B548-4569-9B31-A34F0836B199}] => (Allow) C:\GOG Games\Diablo\Diablo.exe => No File
FirewallRules: [{F4468CA5-D427-4B30-BC38-4E13312EA6C7}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wolcen\win_x64\Wolcen.exe => No File
FirewallRules: [{BFAE61FC-C688-48B2-AC17-0FF96E7CE777}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wolcen\win_x64\Wolcen.exe => No File
FirewallRules: [{C09A3EF7-F9F4-4C0B-9EE7-AD80755C4BE0}] => (Allow) C:\Users\gagar\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{79A136E5-021C-4113-916C-CA9002B6211C}] => (Allow) C:\Users\gagar\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{282416C2-88AF-4472-8A51-FEA47ABFA6D3}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe => No File
FirewallRules: [{61BB7226-A3A4-431C-9128-16C6756269EA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe => No File
FirewallRules: [{3C3679B1-CB68-47CE-9B0F-537B5663B1C4}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
FirewallRules: [{A69BA849-F761-402A-B8F9-8CBF0C283E84}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{0CD16E40-6792-46CA-A8BE-2251F9254FF4}C:\jdk-17.0.6+10\bin\java.exe] => (Allow) C:\jdk-17.0.6+10\bin\java.exe
FirewallRules: [UDP Query User{126BEA2F-EF77-4E5B-B552-57558A0AC908}C:\jdk-17.0.6+10\bin\java.exe] => (Allow) C:\jdk-17.0.6+10\bin\java.exe
File: C:\totalcmd
File: C:\Users\gagar\Downloads\7C95v2J.zip
File: C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.0\updater.exe 
Folder: C:\Program Files (x86)\Google\GoogleUpdater
Folder: C:\totalcmd
VirusTotal: C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.0\updater.exe 
C:\WINDOWS\system32\drivers\etc\hosts
Hosts:
cmd: net stop bits
Move: C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db.old
cmd: net start bits
cmd:  bitsadmin /list /allusers
CMD: del /f /s /q %windir%\prefetch\*.*
CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
CMD: ipconfig /flushdns
C:\Windows\Temp\*.*
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
emptytemp:
ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
Reboot:
End::



Download Malwarebytes v4. Install and run it.



  • Once the MBAM dashboard opens, click on Settings (gear icon).
  • Click on the Security tab and make sure that all four Scan options are enabled.
  • Close Settings and click on the Scan button on the dashboard.
  • Once the scan is completed, make sure you have it quarantine any detections it finds.
  • If no detections were found, click on the Save results drop-down, then the Export to TXT button, and save the file as a Text file to your desktop.
  • If there were detections, then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or another location you can find, and attach that log to your next reply.
  • If the computer restarted to quarantine, you can access the logs from Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or another location you can find, and include that log in your next reply.
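Added example, not part of this thread and not FRST's own code: before running a fix list like the one above it helps to see what it is about to remove, so this PowerShell script does a read-only pass over the same four classes of item (firewall allow rules whose program is gone, scheduled tasks whose binary is gone, Defender exclusions, and BITS jobs for all users). It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows 10/11 with the built-in NetSecurity, ScheduledTasks, Defender and BitsTransfer modules; the function names are this example's own.

```powershell
# Added example, not part of the thread or of FRST. Read-only audit of the
# items the fix list above removes, so you can review them before they go.
# Run in an elevated Windows PowerShell 5.1 / PowerShell 7 session on Windows 10/11.
# Function names are this example's own; cmdlets come from the built-in
# NetSecurity, ScheduledTasks, Defender and BitsTransfer modules.

# 1. Allow rules whose program no longer exists (FRST shows these as "=> No File").
#    The rule stays live after the program is uninstalled: any binary later placed
#    at that exact path inherits the allow, which is why orphaned rules get removed.
function Get-OrphanedFirewallAllowRules {
    Get-NetFirewallRule -Action Allow -Enabled True | ForEach-Object {
        $rule    = $_
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        # "Any" means no program filter; "System" is the kernel, not a file on disk.
        if (-not $program -or $program -in @('Any', 'System')) { return }
        $expanded = [Environment]::ExpandEnvironmentVariables($program)
        if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) {
            [PSCustomObject]@{
                DisplayName = $rule.DisplayName
                Direction   = $rule.Direction
                Program     = $expanded
            }
        }
    }
}

# 2. Scheduled tasks whose action points at a binary that is gone ("(No File)" in FRST).
function Get-TasksWithMissingBinary {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = $action.Execute          # absent on COM-handler actions, so $null
            if (-not $exe) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            # Bare names such as "cmd.exe" resolve through PATH; only check explicit paths.
            if ($exe -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $exe -PathType Leaf)) {
                [PSCustomObject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    Execute = $exe
                }
            }
        }
    }
}

# 3. Defender exclusions (the fix exports this registry key). An exclusion is a
#    blind spot for the scanner, so every entry should have a known owner.
function Get-DefenderExclusions {
    $pref = Get-MpPreference
    [PSCustomObject]@{
        Paths      = @($pref.ExclusionPath)
        Processes  = @($pref.ExclusionProcess)
        Extensions = @($pref.ExclusionExtension)
    }
}

# 4. BITS jobs for every user (the fix runs "bitsadmin /list /allusers"). BITS can
#    stage downloads that survive reboots without a visible process of their own.
function Get-AllUserBitsJobs {
    Import-Module BitsTransfer
    Get-BitsTransfer -AllUsers | Select-Object JobId, DisplayName, JobState, TransferType
}

Get-OrphanedFirewallAllowRules | Format-Table -AutoSize
Get-TasksWithMissingBinary     | Format-Table -AutoSize
Get-DefenderExclusions         | Format-List
Get-AllUserBitsJobs            | Format-Table -AutoSize
```

Nothing here changes the machine; it only lists. Expect the Steam and Zoom rules from the fix list to show up under the first function and the MusNotification tasks under the second, and compare the Defender exclusion list against software you actually installed.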
 
I have used remote desktop some time ago to do some stuff from my phone when I was not at home.

FYI, Malwarebytes only had 3 scan options; all were enabled.
 

Attachments

  • Fixlog.txt
    77.9 KB · Views: 0
  • malwarebytes_report.txt
    5.8 KB · Views: 0




Adware Cleaner


  • Download AdwCleaner and save it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator
  • Accept the EULA (I accept), then click on Scan Now
  • Let the scan complete
  • Once the scan completes, make sure that every item listed in the different tabs is checked and click on Quarantine and delete.
  • Once the cleaning process is complete, AdwCleaner will ask you to restart your computer
  • Close all other open windows and allow it to restart
  • After the restart, Notepad will open with the AdwCleaner cleaning log
  • Please attach the contents of that log to your next reply to me





  • Next, please re-run FRST and post the two fresh logs after running AdwCleaner and rebooting.

Let me know if any issues remain, I will have to check the logs you posted when I get home.
 
Your computer appears clean to me, are there any issues that indicate malware?



Copy the content of the code box below.
Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.


Code:
Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
RemoveProxy:
AlternateDataStreams: C:\Users\gagar\OneDrive\Desktop\adwcleaner.exe:MBAM.Zone.Identifier [136]
CHR StartupUrls: Default -> "hxxps://ncore.cc/torrents.php","chrome://downloads/"
S3 GPUZ-v2; \??\C:\WINDOWS\TEMP\GPUZ-v2.sys [X] <==== ATTENTION
emptytemp:
Reboot:
End::
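Added example, not part of this thread and not FRST's own code: the two entries worth a second look in the fix list above are a driver registered from C:\WINDOWS\TEMP whose file is already gone (FRST's "[X]"), and an alternate data stream left on a downloaded executable. This PowerShell script checks for both read-only: it walks every service and driver key, normalises the ImagePath, and flags anything living in a temp directory or pointing at a missing file, then lists the streams on a file of your choosing. It assumes an elevated session on Windows 10/11; the function names and the sample file path are this example's own.

```powershell
# Added example, not part of the thread or of FRST. Read-only triage for the two
# kinds of entry the second fix list removes: a driver or service whose ImagePath
# points into a temp directory or at a file that no longer exists (FRST marks the
# latter "[X]"), and an alternate data stream on a downloaded executable.
# Run elevated on Windows 10/11; function names are this example's own.

# Services and kernel drivers both live under this key. ImagePath may carry the
# NT-style \??\ prefix, %SystemRoot%-style variables, quotes, arguments, or a
# path relative to the Windows directory, so normalise it before testing.
function Get-SuspiciousServiceImagePaths {
    $tempRoots = @("$env:SystemRoot\Temp", $env:TEMP) |
        ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() } | Sort-Object -Unique
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        $raw   = $props.ImagePath
        if (-not $raw) { return }
        $path = $raw -replace '^\\\?\?\\', ''                        # drop \??\
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # NT alias for the Windows dir
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if     ($path -match '^"([^"]+)"')                   { $path = $Matches[1] }  # "quoted.exe" args
        elseif ($path -match '^(.+?\.(exe|sys|dll))(\s|$)')  { $path = $Matches[1] }  # unquoted.exe args
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }  # system32\drivers\x.sys
        $lower   = $path.ToLowerInvariant()
        $inTemp  = [bool]($tempRoots | Where-Object { $lower.StartsWith($_ + '\') })
        $missing = -not (Test-Path -LiteralPath $path -PathType Leaf)
        if (-not ($inTemp -or $missing)) { return }
        $reason = if ($inTemp) { 'temp directory' } else { 'file missing' }
        [PSCustomObject]@{
            Service   = $key.PSChildName
            Start     = $props.Start     # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath = $path
            Reason    = $reason
        }
    }
}

# Every file has a ':$DATA' stream; anything else is an alternate data stream.
# Zone.Identifier is the Mark-of-the-Web Windows writes to downloads, and some
# scanners add their own (the fix above removes an "MBAM.Zone.Identifier").
function Get-FileStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-Item -LiteralPath $Path -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [PSCustomObject]@{
                File    = $Path
                Stream  = $_.Stream
                Length  = $_.Length
                Content = Get-Content -LiteralPath $Path -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
            }
        }
}

Get-SuspiciousServiceImagePaths | Format-Table -AutoSize
# Hypothetical path for illustration; point it at the file you actually downloaded.
Get-FileStreams -Path "$env:USERPROFILE\Downloads\adwcleaner.exe" | Format-List
```

A driver in a temp directory is not proof of malware (GPU-Z drops its driver there deliberately), but a Start value other than 4 combined with a missing file is exactly the kind of dangling entry the fix cleans up, and the stream listing shows you what the `AlternateDataStreams:` line is about to delete.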
 
No, I had no issues that would indicate it. I was only sent here from the other thread and told that they won't be able to help me until someone here gives the green light.

I have run the command above.
 