Solved Malware

Status
Not open for further replies.

gettingmad (PCHF Member), Jan 15, 2024
Hi,

I have been sent here from a previous thread https://pchelpforum.net/t/pc-shut-down-when-starting-a-game.88173/.

The malware mentioned from this thread and the containing folder has been removed at the time of the scan, but the log that highlighted it did not specify that part.

Screenshot of proof of removal and fresh full scan from this morning:

[attachment: wdscan.jpg]
 
@gettingmad

Please post FRST and Addition.txt logs. Instructions below.

 
Once the logs are posted, if I see any illegal software installed, you will be asked to remove it. So if you are aware of any such programs then please remove them prior to running FRST.

I personally do not care what you choose to do after you have completed the process with me, I just ask that anything downloaded that was not paid for by you be removed while we check your machine for malware.
 
I am having an issue with two factor identification on my account, once that is sorted I will have a reply for you. This is @Malnutrition, I am just having some minor problems logging in. The forum is giving me a bit of trouble. 😃
 
One of the forum admins will need to log in, so they can rectify the issue. Should not be too long. 👌
 
@gettingmad Do you use Google remote desktop? There are exceptions in your firewall for it.
FirewallRules: [{779C1081-13E4-4CDD-B5A1-9CF590562509}] => (Allow) C:\Program Files (x86)\Google\Chrome Remote Desktop



Copy the content of the code box below.
Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.


Code:
Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
RemoveProxy:
HKU\S-1-5-21-4039316842-3286948053-4252116158-1001\...\Run: [MicrosoftEdgeAutoLaunch_D22E4B5F304EE6D7FD0FD88330F2D2C3] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start [3854376 2024-01-17] (Microsoft Corporation -> Microsoft Corporation)
HKLM\Software\...\Authentication\Credential Providers: [{C885AA15-1764-4293-B82A-0586ADD46B35}] -> 
HKU\S-1-5-21-4039316842-3286948053-4252116158-1001\...\Run: [BingSvc] => C:\Users\gagar\AppData\Local\Microsoft\BingSvc\BingSvc.exe [6669856 2024-01-02] (Microsoft Corporation -> Microsoft Corporation)
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
Task: {3D1B6979-87CA-4F32-B839-F238C3388723} - System32\Tasks\GoogleSystem\GoogleUpdater\GoogleUpdaterTaskSystem122.0.6253.0{D14E4DA2-27E8-41D1-BE6C-2AD4B49E6D98} => C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.0\updater.exe [4652320 2024-01-17] (Google LLC -> Google LLC) <==== ATTENTION
Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => %SystemRoot%\System32\MbaeParserTask.exe  (No File)
Task: {8EB6C1E2-06A7-4957-838D-88E8E4839F64} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults => %systemroot%\system32\MusNotification.exe  LogonUpdateResults (No File)
Task: {78E5E9D9-D485-4F15-A0D4-B9E1D9FDAB44} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => %systemroot%\system32\MusNotification.exe  /RunOnAC RebootDialog (No File)
Task: {E843971A-4D66-452F-B7C1-585CD1649D4D} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery => %systemroot%\system32\MusNotification.exe  /RunOnBattery RebootDialog (No File)
Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe  (No File)
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{105db705-7a70-441b-8c0b-c22b44369aff}: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{36a3e9be-5099-4004-9675-4cd8bbf028b7}: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{38bff250-fd5e-4c92-a049-24ade1186f10}: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{94494728-4c2d-4373-8e07-58d5f50b4310}: [DhcpNameServer] 194.168.4.100 194.168.8.100
S2 GoogleUpdaterInternalService122.0.6253.0; C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.0\updater.exe [4652320 2024-01-17] (Google LLC -> Google LLC) <==== ATTENTION
S2 GoogleUpdaterService122.0.6253.0; C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.0\updater.exe [4652320 2024-01-17] (Google LLC -> Google LLC) <==== ATTENTION
S3 aswTap; C:\WINDOWS\System32\drivers\aswTap.sys [53904 2021-02-18] (AVAST Software s.r.o. -> The OpenVPN Project)
C:\WINDOWS\System32\drivers\aswTap.sys
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
C:\WINDOWS\system32\Tasks\GoogleSystem
C:\ProgramData\Avast Software
ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=mpnpojknpmmopombnjdcgaaiekajbnjb
ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=fmgjjmmmlfnkbppncabfkddbjimcfncm
ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=aghbiahbpaijignceidepookljebhfak
ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=fhihpiojkbmbpdjeoajapmgkhlnakfjf
ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=kefjledonklijopmnomlcbpllchaibag
ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk -> C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory="Profile 1" --app-id=agimnkijcaahngcdmfeangaknmldooml
ShortcutWithArgument: C:\Users\gagar\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\69639df789022856\Nik - Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google LLC) -> --profile-directory="Profile 1"
HKLM\...\StartupApproved\StartupFolder: => "Avast SecureLine VPN.lnk"
FirewallRules: [{779C1081-13E4-4CDD-B5A1-9CF590562509}] => (Allow) C:\Program Files (x86)\Google\Chrome Remote Desktop\121.0.6167.13\remoting_host.exe (Google LLC -> Google LLC)
FirewallRules: [{17473B01-8E97-4B3E-B657-A6E47D94E6AC}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\DARK SOULS III\Game\DarkSoulsIII.exe => No File
FirewallRules: [{02F72279-553A-4A31-8BF5-4229E71DDF3F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\DARK SOULS III\Game\DarkSoulsIII.exe => No File
FirewallRules: [{CA6D9CA6-DB9D-4B08-9E05-D6D956357C98}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x64\3DMark.exe => No File
FirewallRules: [{BC754E56-745A-4DDB-ADD7-90C54255D08D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x64\3DMark.exe => No File
FirewallRules: [{2C10B115-FC54-4EAE-BD7F-8A36D11C237D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x86\3DMark.exe => No File
FirewallRules: [{4705AE43-9DEC-4B05-A577-80CAE78F2B7E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x86\3DMark.exe => No File
FirewallRules: [{87ADF9E7-7ECF-4754-A4A1-9AC57E98165F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wolcen\win_x64\Wolcen.exe => No File
FirewallRules: [{312E655C-A435-4FB0-BB06-FEEA44759107}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wolcen\win_x64\Wolcen.exe => No File
FirewallRules: [{17EF5417-7893-4678-964D-27638DF3A040}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x64\3DMark.exe => No File
FirewallRules: [{455FE6C9-58A2-49F3-B442-21BDDB0A81DA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x64\3DMark.exe => No File
FirewallRules: [{1303FA3C-E03A-42A8-99D0-E451C19EF997}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x86\3DMark.exe => No File
FirewallRules: [{0FE80D5C-203A-422C-B98E-587BF1809B2E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\3DMark\bin\x86\3DMark.exe => No File
FirewallRules: [{A556DCA5-60C0-4003-AD9A-1ABDBB320480}] => (Allow) LPort=33060
FirewallRules: [{409360E4-F804-4E56-B055-FF8107874BE4}] => (Allow) LPort=3306
FirewallRules: [{33EC5039-B548-4569-9B31-A34F0836B199}] => (Allow) C:\GOG Games\Diablo\Diablo.exe => No File
FirewallRules: [{F4468CA5-D427-4B30-BC38-4E13312EA6C7}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wolcen\win_x64\Wolcen.exe => No File
FirewallRules: [{BFAE61FC-C688-48B2-AC17-0FF96E7CE777}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wolcen\win_x64\Wolcen.exe => No File
FirewallRules: [{C09A3EF7-F9F4-4C0B-9EE7-AD80755C4BE0}] => (Allow) C:\Users\gagar\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{79A136E5-021C-4113-916C-CA9002B6211C}] => (Allow) C:\Users\gagar\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{282416C2-88AF-4472-8A51-FEA47ABFA6D3}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe => No File
FirewallRules: [{61BB7226-A3A4-431C-9128-16C6756269EA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe => No File
FirewallRules: [{3C3679B1-CB68-47CE-9B0F-537B5663B1C4}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
FirewallRules: [{A69BA849-F761-402A-B8F9-8CBF0C283E84}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{0CD16E40-6792-46CA-A8BE-2251F9254FF4}C:\jdk-17.0.6+10\bin\java.exe] => (Allow) C:\jdk-17.0.6+10\bin\java.exe
FirewallRules: [UDP Query User{126BEA2F-EF77-4E5B-B552-57558A0AC908}C:\jdk-17.0.6+10\bin\java.exe] => (Allow) C:\jdk-17.0.6+10\bin\java.exe
File: C:\totalcmd
File: C:\Users\gagar\Downloads\7C95v2J.zip
File: C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.0\updater.exe 
Folder: C:\Program Files (x86)\Google\GoogleUpdater
Folder: C:\totalcmd
VirusTotal: C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.0\updater.exe 
C:\WINDOWS\system32\drivers\etc\hosts
Hosts:
cmd: net stop bits
Move: C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db.old
cmd: net start bits
cmd:  bitsadmin /list /allusers
CMD: del /f /s /q %windir%\prefetch\*.*
CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
CMD: ipconfig /flushdns
C:\Windows\Temp\*.*
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
emptytemp:
ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
Reboot:
End::



Download Malwarebytes v.4. Install and run.



  • Once the MBAM dashboard opens, click on Settings (gear icon).
  • Click on Security tab and make sure that all four Scan options are enabled.
  • Close Settings and click on the Scan button on the dashboard.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button and save the file as a Text file to your desktop.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and include that log on your next reply.
 
@veeg - I undeleted the above post - I figured you may not have realised it was from @Malnutrition who is currently having issues logging into his regular account.
Hope that is the reason you deleted it??? :)
 
Adware Cleaner


  • Download AdwCleaner and save it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator
  • Accept the EULA (I accept), then click on Scan Now
  • Let the scan complete
  • Once the scan completes, make sure that every item listed in the different tabs is checked and click on Quarantine and delete.
  • Once the cleaning process is complete, AdwCleaner will ask you to restart your computer
  • Close all other open windows and allow it to restart
  • After the restart, Notepad will open with the AdwCleaner cleaning log
  • Please attach the contents of that log into your next reply to me
  • Next please re-run FRST and post the two logs fresh, after running Adware Cleaner and rebooting.

Let me know if any issues remain, I will have to check the logs you posted when I get home.
 
Your computer appears clean to me, are there any issues that indicate malware?



Copy the content of the code box below.
Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.


Code:
Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
RemoveProxy:
AlternateDataStreams: C:\Users\gagar\OneDrive\Desktop\adwcleaner.exe:MBAM.Zone.Identifier [136]
CHR StartupUrls: Default -> "hxxps://ncore.cc/torrents.php","chrome://downloads/"
S3 GPUZ-v2; \??\C:\WINDOWS\TEMP\GPUZ-v2.sys [X] <==== ATTENTION
emptytemp:
Reboot:
End::
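An added triage helper (not FRST's own tooling and not the helper's script) that shows how the fix lists in both posts above are assembled: FRST log lines whose on-disk target no longer exists (`=> No File`, `(No File)`, `[X]`) are copied verbatim into a `Start::`/`End::` fix list with the same preamble and closing directives used in this thread, while `<==== ATTENTION` entries are set aside for a human to judge. The sample lines are constructed in FRST's line format; their GUIDs and paths are made up.

```python
# Added example, not FRST code. Sample lines below are constructed in
# FRST.txt / Addition.txt format with made-up GUIDs and paths.
SAMPLE_LOG = r"""
FirewallRules: [{11111111-2222-3333-4444-555555555555}] => (Allow) C:\Games\Old\Game.exe => No File
FirewallRules: [{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}] => (Allow) C:\Program Files\Real\real.exe (Vendor -> Vendor)
Task: {99999999-8888-7777-6666-555555555555} - System32\Tasks\Example\Stale => %SystemRoot%\System32\gone.exe (No File)
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
S3 GPUZ-v2; \??\C:\WINDOWS\TEMP\GPUZ-v2.sys [X] <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
S2 FineService; C:\Program Files\Fine\fine.exe [12345 2024-01-01] (Vendor -> Vendor)
"""

# FRST marks entries whose target binary is missing with these tokens.
ORPHAN_MARKERS = ("=> No File", "(No File)", " [X]")


def classify(line):
    """Return 'attention', 'orphan' or None for a single FRST log line."""
    line = line.rstrip()
    if "<==== ATTENTION" in line:
        return "attention"          # needs a human decision first
    if any(marker in line for marker in ORPHAN_MARKERS):
        return "orphan"             # stale entry, safe cleanup candidate
    return None


def triage(log_text):
    """Split a log into (orphan_lines, attention_lines), keeping log order."""
    orphans, attention = [], []
    for raw in log_text.splitlines():
        kind = classify(raw)
        if kind == "orphan":
            orphans.append(raw.rstrip())
        elif kind == "attention":
            attention.append(raw.rstrip())
    return orphans, attention


def build_fixlist(entries):
    """Wrap verbatim log lines in the Start::/End:: frame FRST expects,
    with the preamble and closing directives the fixes in this thread use."""
    head = ["Start::", "CloseProcesses:", "SystemRestore: On", "CreateRestorePoint:"]
    tail = ["emptytemp:", "Reboot:", "End::"]
    return "\n".join(head + entries + tail)


if __name__ == "__main__":
    orphan_lines, attention_lines = triage(SAMPLE_LOG)
    print(build_fixlist(orphan_lines))
    print("\nReview before adding to a fix:\n" + "\n".join(attention_lines))
```

The ATTENTION lines are deliberately not placed in the fix automatically: the helper in this thread removed them only after checking what each one pointed at.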
 
No, had no issues that would indicate it. Only been sent here from the other thread and been told that they won't be able to help me while someone here does not give the green light.

I have run the command above.
 
You are clean. This will be marked as solved as there is no malware on your machine. There was a bit of adware and some clutter, which has been removed.

Download KpRM
Save to Desktop
Check Delete Tools.
Check Delete Restore points.
Create Restore point.
Click delete quarantines.
Then click run.



I suggest:
Ublock Origin
O&O Shutup Ten
O&O App Buster
 