Android8888

Trusted Advisors
  • Posts

    713
Everything posted by Android8888

  1. Hi Alex, I'm glad to know that. You're most welcome! To help keep malware off your system below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please consider using these ideas to help secure your computer. Keep your Windows Operating System up-to-date. Keep your Antivirus program up-to-date. Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain check-boxes. While most of the time not being malicious you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser. Keep Malwarebytes Anti-Malware (MBAM) updated and perform a regular scan of your system as it will make it harder for malware to reside on your computer. A complete guide on using MBAM can be found here A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program with resident protection at a time. Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. A similar category of programs is called "scareware" or Rogue programs. Rogue programs are active infections that will pop-up on your computer and tell you that you are infected when you are not.
If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above. Another most feared threat at the moment is an infection by a Ransomware. A Ransomware infection is a program that ransoms the data or functionality of your computer until you perform an action. This action is typically to pay a ransom in the form of Bitcoins or another payment method. I advise you to read more info on this terrible threat here and here. Please keep your programs up to date. This applies to most of the programs and all your Internet Browsers in particular. Vulnerabilities in the programs are often exploited in order to install malware on your PC. Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety. Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware. Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety. Don't click on links received in instant message programs. A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. 
A good regularly updated HOST file is MVPS HOSTS File, available here For much more useful and complete information, please read the following links to fully understand PC Security and Best Practices: So how did I get infected in the first place Answers to common security questions - Best Practices Hopefully these steps will help to keep you error and malware free. If you run into more difficulty, we will certainly do what we can to help. Happy surfing and stay safe. Android8888 (Rui)
  2. Hello AlexUK, I apologize for the delay in responding. To answer your questions: Concerning the One Drive issue, I do not use One Drive either, but it is built-in on Windows 10 by default. And no, this is not malware related. Please read the information on these links and see if that helps you with the One Drive issue: https://answers.microsoft.com/en-us/onedrive/forum/odstart-odinstall/onedrive-windows-10-high-cpu-memory/5dff8974-daee-4594-b633-fca4b295417d https://www.addictivetips.com/windows-tips/fix-high-cpu-usage-by-onedrive/ Well, it's always hard to tell if your system has ever been compromised due to malware. However, it is always advisable to at least once from time to time change all passwords as a precaution. Are there any issues or concerns with the computer or is that all?
  3. You're most welcome! Come back whenever you need... Regards, Android8888 (Rui)
  4. I'm glad to know that! No Affonso, I think that is all. Now, to help keep malware off your system below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please consider using these ideas to help secure your computer. Keep your Windows Operating System up-to-date. Keep your Antivirus program up-to-date. Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not being malicious you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser. Keep Malwarebytes Anti-Malware (MBAM) updated and perform a regular scan of your system as it will make it harder for malware to reside on your computer. A tutorial on using MBAM can be found here and a complete guide here Please Note: Only the paid for version has real time capabilities. Please go here and scroll down to find a comparison list of the two versions. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. A similar category of programs is now called "scareware."
Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above. Another most feared threat at the moment is an infection by a Ransomware. A Ransomware infection is a program that ransoms the data or functionality of your computer until you perform an action. This action is typically to pay a ransom in the form of Bitcoins or another payment method. I advise you to read more info on this terrible threat here and here. Please keep your programs up to date. This applies to most of the programs and all your Internet Browsers in particular. Vulnerabilities in the programs are often exploited in order to install malware on your PC. Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety. Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware. Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety. Don't click on links received in instant message programs. A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. 
A good regularly updated HOST file is MVPS HOSTS File, available here For much more useful and complete information, please read the following links to fully understand PC Security and Best Practices: So how did I get infected in the first place Answers to common security questions - Best Practices Hopefully these steps will help to keep you error and malware free. If you run into more difficulty, we will certainly do what we can to help. Can we close this topic?
  5. Good news. Your computer appears to be clean and free of malware. Run a program like FileHippo Update Checker or UCheck to see what programs need to be updated. After doing updates you can remove the tools we used in this clean-up by running DelFix. Follow the instructions below to download and execute DelFix. Download DelFix and move the executable to your Desktop; Right-click on DelFix.exe and select Run as Administrator; Check ONLY the following options : Remove disinfection tools (this option will remove the tools used in the cleaning process). Create registry backup (this option will create a backup from the Windows Registry). Purge system restore (this option will remove all previous and possibly infected restore points, and will create a new and clean restore point of your system). Once the options mentioned above are checked, click on Run; After DelFix is done running, a log will open. I don't need to see that log, just close and delete it. Are there any issues or concerns with the computer?
  6. Hello Alex, Thank you for the logs. The reports are good, the tools cleaned up some remnants. Please do this: Download the Malicious Software Removal Tool by Microsoft and save it to the computer's Desktop. Right click on the executable file and select Run as administrator; (the tool will expand to the 'Options' window) In the 'Scan Type' window, select Quick Scan; Perform a scan and click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key simultaneously to open the 'Run' function; 2) Type or copy and paste the following command to the 'Run Line' and press Enter: notepad c:\windows\debug\mrt.log Please post the contents of the log in your next reply. How is the computer running at this point? Rui
  7. Hello. Got it. Thanks. You can always use one of the other options: FileHippo Update Checker or UCheck
  8. Hello AlexUK and welcome back to Malwarebytes. My screen name is Android8888 but if you wish you can call me Rui which is my real name. I will be helping you with your malware issues. Please ask questions if anything is unclear. Please read the instructions carefully and follow the directions in the order listed. Make sure to run all tools from the computer's Desktop and with Administrator privileges (i.e. right-click the tool icon and select Run as administrator). Next, Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply. Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file! Right-click on the FRST executable and select Run as Administrator; Click on the Fix button; On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad; Please attach the Fixlog.txt in your next reply; Next, Download AdwCleaner and move it to your computer Desktop; Right-click on AdwCleaner.exe and select Run as Administrator; Accept the EULA (I accept), then click on Scan; Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button; Once the cleaning process is complete, AdwCleaner will ask to restart your computer, please do it; After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply. Next, Please scan your computer with ESET Online Scanner. Click on this link to open ESET Online Scanner in a new window. Click on the Scan Now button to download the esetonlinescanner_enu.exe file and save it to your computer Desktop. Close all your programs and browsers and disconnect any USB flash drives from the computer. Please disable your Antivirus program to avoid potential conflicts, improve the performance and speed up the scan. 
Right-click on esetonlinescanner_enu.exe and select Run as administrator. Click Yes to accept the User Account Control security warning that may appear. It will open a window with the Terms of Use. Click the Accept button. Under Computer scan settings, check mark Enable detection of potentially unwanted applications. Then click Advanced settings and check mark the following options: Enable detection of potentially unsafe applications Clean threats automatically Click the Scan button. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time. When the scan completes, click List Threats. Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply. Click the Back button. Click the Finish button. Note: If nothing is found, it will not produce a log. Please re-enable your Antivirus program. To summarize, please attach the following logs in your reply for my review: Fixlog.txt AdwCleaner clean log ESET log (if it produced one). fixlist.txt
  9. I'm really glad to know that! Okay, it's time to check for outdated programs. Outdated programs contain security vulnerabilities that are exploited by malware in order to infect the computer without the user's knowledge. You can download, install and run a program like Personal Software Inspector (PSI) or FileHippo Update Checker or UCheck to see what programs need to be updated. After the updates, you can remove the tools we used in the removal process by running DelFix. This is a useful application that will also delete itself after it has run. Follow the instructions below to download and execute DelFix. Download DelFix and move the executable to your Desktop; Right-click on DelFix.exe and select Run as Administrator; Check the following options : Remove disinfection tools (this option will remove the tools used in the cleaning process). Create registry backup (this option will create a backup from the Windows Registry). Purge system restore (this option will remove all previous and possibly infected restore points, and will create a new and clean restore point of your system). Once the options mentioned above are checked, click on Run; After DelFix is done running, a log will open. I don't need to see that log. Just delete it. You can delete the folders and logs from the tools which DelFix didn't remove. Are there any issues or concerns with your computer at this point?
  10. Hi Affonso, How is the computer behaving? Have you been experiencing freezes and restarts with it? Please keep me updated. Thank you. Rui
  11. The entries that RogueKiller found are not malicious and your last FRST logs were clean. Let's check it further with the following tool. Please download Malwarebytes Anti-Rootkit BETA and save it to your computer Desktop. Right-click on the icon and select Run as administrator to start the extraction of the program; Click Yes to accept the User Account Control security warning that may appear; Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction); Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next; Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while); Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required); After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt (where TODAY'S-DATE is the scan date); Please attach that log in your next reply for my review.
  12. Alright, but do not remove anything! How is the computer running now?
  13. Hi Affonso, There are no signs of infection in FRST logs. We will run a script fix just for tidy up. First, Open Google Chrome; Type chrome://extensions in the address bar and press Enter; Click the trash can icon by the extension Search Swapper A confirmation dialog appears, click Remove. Next, Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply. Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file! Right-click on the FRST executable and select Run as Administrator; Click on the Fix button; On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad; Please attach the Fixlog.txt in your next reply; Please perform a new scan with RogueKiller_portable64.exe and post the RKlog.txt for my review. How is the system running at this point? Any issues or concerns? fixlist.txt
  14. Okay, I will check your logs and will get back in touch when ready. Thank you for your patience. Android8888 (Rui)
  15. Hi, Yes do that, please. Also, re-run FRST in Normal mode and attach the two logs (FRST.txt and Addition.txt) for my review.
  16. Okay, no worries. I must leave before Sophos finishes, but there's no problem at all. Let the scan complete. I'll check the logs tomorrow. See you tomorrow.
  17. It's okay. I understand. First, let Sophos run until the end and copy/paste the contents of its log. Then delete the Fixlog.txt, run another FRST fix with the fixlist.txt attached to this post and post the created Fixlog.txt Note: When running a fix with FRST you must click the Fix button fixlist.txt
  18. There must be a Fixlog.txt in the same location as FRST64.exe Please attach it if you can.
  19. Okay, could you please run another fix with this attached fixlist.txt now? It's very fast and will not reboot the computer. Then, continue with the rest of the instructions. fixlist.txt
  20. Have you already run the FRST fix? What fixlist.txt file did you use, from my last post or from the previous one?
  21. Hi Affonso, Please use this fixlist.txt instead of the one attached in my previous post. Thank you. Rui fixlist.txt
  22. @Affonso You don't need to remove anything with RogueKiller so leave it for now. We will remove the leftovers with FRST. I see you don't have an Antivirus program installed. It is really dangerous to go online without an Antivirus, and you are extremely likely to get infected and the consequences could be even worse next time. In the first place I strongly recommend you to install an Antivirus. You may want to consider a subscription and install Malwarebytes Premium which contains all the protection layers to maintain your computer safe. You can check here Malwarebytes 3 - FAQ for further information about Malwarebytes Premium. Please note that ONLY the Premium version has real time capabilities. Please go here and scroll down to find a comparison list of the two versions (Free and Premium). If you wish to consider that chance later, then any of the following are excellent free Antivirus. If you opt for this be sure to only install one. Avast Free Antivirus. Bitdefender Antivirus Free Edition To continue, please do this: Open Google Chrome; Type chrome://extensions in the address bar and press Enter; Click the trash can icon by the extensions Tampermonkey uBlock A confirmation dialog appears, click Remove. If you want to block advertisements you can use uBlock Origin instead of uBlock. It's a very light application. Please read these user reviews https://chrome.google.com/webstore/detail/ublock/epcnnfbjfcgphgdmggkamkmgojdagdnn/reviews?hl=en concerning uBlock. Next, Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply. Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
Right-click on the FRST executable and select Run as administrator; Click on the Fix button; On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad; Please attach the Fixlog.txt in your next reply; Now let's do a final sweep with Sophos Virus Removal Tool to search for remnants. Be aware that this is a very thorough scan and can be time consuming, so please be patient. You may also want to note that this tool can detect and clean KMSPico if you don't remove it as I previously recommended you. Please download Sophos Virus Removal Tool and save it to your computer's Desktop. Right-click the icon and select Run as administrator. Click Yes to accept any security warnings that may appear. Click the Next button. Select 'I accept the terms in the license agreement', then click Next twice. Click the Install button and wait until the installation is complete. Click the Finish button. The tool created a shortcut icon on the Desktop of your computer. Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool. Click Yes to accept any security warnings that may appear. After it updates and a "Start Scanning" button appears in the lower right: Disconnect from the Internet or physically unplug your Internet cable connection. Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver. Temporarily disable your anti-virus and real-time anti-spyware protection. Click the "Start Scanning" button in the lower right to start the scan. After starting the scan, do not use the computer until the scan has completed. When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish. When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet. If any threats are found click Details, then View Log file (bottom left-hand corner).
Copy and paste its contents in your next reply and note any errors encountered. Close the Notepad document, close the Threat Details screen, then click Start cleanup. Click Exit to close the program. If no threats were found, please confirm that result. Note: Whenever necessary, the log will be in the following location: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log Things I would like to see in your next reply: What you decide to do about the Antivirus. If you removed the Chrome extensions listed above. The contents of Fixlog.txt The contents of SVRT log Let me also know how is the computer running at this point. Thank you. Android8888 (Rui) fixlist.txt
  23. Hi, You did not attach the AdwCleaner[C0].txt file that is stored in C:\AdwCleaner. Please attach that log in your next reply for my review. I see you have KMSPico installed in your computer. This is an illegal software that can be used to “crack” or patch unregistered copies of Microsoft software. I recommend that you don’t use hack-tools because besides being illegal they can be associated with malware or unwanted software. There have been plenty of cases in which we have seen malware distributed with these kinds of tools. You don't even have to download and run anything from some websites that host such software to infect your system - all you have to do is visit the site with your browser. I strongly recommend that you uninstall KMSPico, however that choice is up to you. If you choose to remove it, you can do so via Start > Control Panel > Programs and Features. Okay, the main rootkit infection has been deactivated and removed from your system. Now we will remove the leftovers with FRST. In Normal mode, please re-run a new scan with FRST and provide me a new set of logs for review. To summarize, please attach: AdwCleaner[C0].txt FRST.txt Addition.txt Android8888 (Rui)
  24. Hi Affonso, I'm back! Okay, see if you are able to run the following scans in the order listed. Open Malwarebytes; On the left pane select Settings; Select the Protection tab; Scroll down to Scan Options and ensure Scan for Rootkits is 'On' and leave all other settings to default. Go back to DashBoard and select the blue Scan Now tab; Note: The scan may take some time to finish, so please be patient. When the scan completes if potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button. While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), give it a name and save it to your Desktop. The log can also be viewed by clicking the log to select it, then clicking the View Report button. Please attach the log in your next reply. Next, Download AdwCleaner and move it to your computer Desktop; Right-click on AdwCleaner.exe and select Run as Administrator; Accept the EULA (I accept), then click on Scan; Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button; Once the cleaning process is complete, AdwCleaner will ask to restart your computer, please do it; After the restart, a log will open when logging in. Please attach that log in your next reply. Next, Please download RogueKiller_portable64.exe by Tigzy and save it to your computer Desktop. Now close all programs and Internet browsers and disconnect any USB or external drives from the computer before you run this scan! Right-click on the file RogueKiller_portable64.exe and select Run as administrator to start the tool. Click Yes to accept the User Account Control security warning that may appear. Once the tool is open, click the 'Scan' tab menu and then click the Start Scan button. Wait until the scan has finished. Note: This scan may take some time to complete; Warning: Do NOT remove any entry it found.
They may not all be malicious and need to be carefully analyzed. Once finished the results will be displayed. Click on the Open Report button. It will open a new window. Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your computer Desktop. Close RogueKiller and attach the RKlog.txt to your next reply. To summarize, please attach the following logs in your reply: Malwarebytes log. AdwCleaner clean log. RKlog.txt log How is the computer behaving? Are you noticing any problems? Thank you. Android8888 (Rui)