
Need help with Checkupdate.exe / Registry Value Malware



Well I managed to get my first virus in a decade due to negligence and being tired. Having a hell of a hard time actually getting rid of it though. I've formatted and reinstalled Windows twice now; each time I've run Malwarebytes once and it finds ~170 threats that I quarantine, then 2 "Registry Value" PUPs repeatedly keep popping up. I've traced the Registry Key path that Malwarebytes gives me to a corrupted folder that contains what is being generated, but even after deleting those in my Registry it continues to generate those 2 small PUPs from somewhere else, and I don't have super in-depth knowledge of Registry files so it's hard to find the origin source.

As I've said, this is my first virus in a decade and I've never had one this deep, so at this point I'm at a loss on what my actions are. I've enclosed a couple of files including my Malwarebytes report of the two PUPs in question, and a screenshot comparing the Registry Key being created and its location to the Registry Value path that Malwarebytes leads me on.

I'm hoping to maybe get some feedback on what I could be looking for in my registry (or if someone can spot it in my brief screenshot) or if there are any trusted programs that can help the registry? Or is my only option trying to hard-wipe everything with DBAN? If I used DBAN, would it be absolutely necessary to DBAN even my external HDD?

Literally any help or feedback is appreciated, thank you.

Addition.txt

FRST.txt

plshelp.png

updatePUP.txt


  • Root Admin

Hello @Machara and welcome.

Please run the following fix.

NOTE: It will also kick off a Full Disk check that may take a few hours to run depending on the speed of your computer. Please let it run on reboot.

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

Ron

 


  • Root Admin

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks, I'll check back on you again sometime tomorrow

Ron

 


Well, one of the errors, which was a "Checkupdate.exe - Core.dll" error that was related to the virus, doesn't happen anymore, and Malwarebytes is not finding any more PUPs like it was either, so it all looks good so far. When I shut down my PC I still get a weird "Ipconfig.exe" error that only really pops up before shutting down, amounting to no real harm. But at this point I'm not sure if it's related to the virus, or if it is just something I should re-install Windows for and apply the "Nail on the coffin" so to speak. Regardless, thank you very much for the assistance.

Edit: AdwCleaner is still picking up PUP.Optional.Legacy; I'm not too sure if that is pertinent.

Edited by Machara

  • Root Admin

What is this task for? It looks like it was probably manually created by you.

Task: C:\Windows\Tasks\WinmendUpdateTask_Robby.job => G:\Folder Hidden\LiveUpdate.exe

You also have an error in your Volume Shadow Copy Service. Please download and run the following tool to see if it can fix it for you.

Acronis VSS Doctor

Free tool for diagnosing and repairing Volume Shadow Copy Service issues
https://www.acronis.com/en-us/personal/vss-diagnostic-free-tool/

 

I don't see an obvious reason why a DOS box would come up for an IP but it could possibly be one of your game or other installs you have doing it on purpose.

 

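As an added example (not part of the thread and not FRST's own code), the `Task:` line quoted in the reply above can be triaged programmatically: the code parses lines of that `Task: <task file> => <target>` shape and lists tasks whose target sits off the system drive or outside the Windows and Program Files directories. The second and third sample lines, the `EXPECTED_ROOTS` list and all function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Line shape taken from the thread: "Task: <task file> => <target>"
TASK_LINE = re.compile(r"^Task:\s*(?P<task>.+?)\s*=>\s*(?P<target>.+?)\s*$")

# Assumption: where scheduled-task targets normally live on a default install.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# First line is the one quoted in the thread; the other two are constructed.
SAMPLE_LOG = r"""
Task: C:\Windows\Tasks\WinmendUpdateTask_Robby.job => G:\Folder Hidden\LiveUpdate.exe
Task: C:\Windows\Tasks\ExampleVendorUpdate.job => C:\Program Files\ExampleVendor\update.exe
Task: C:\Windows\Tasks\ExampleHelper.job => C:\Users\Example\AppData\Roaming\helper.exe
"""

def parse_task_lines(log_text):
    """Return (task_file, target) pairs for every 'Task:' line in the log."""
    pairs = []
    for line in log_text.splitlines():
        match = TASK_LINE.match(line.strip())
        if match:
            pairs.append((match.group("task"), match.group("target")))
    return pairs

def review_reasons(target, system_drive="C:"):
    """Explain why a task target deserves a manual look (empty list = nothing odd)."""
    reasons = []
    drive = PureWindowsPath(target).drive
    if drive.upper() != system_drive.upper():
        # A task that launches from another volume (external disk, second
        # partition) is not removed by reinstalling Windows on the system drive.
        reasons.append("target is on %s, not the system drive" % (drive or "an unknown drive"))
    elif not target.lower().startswith(EXPECTED_ROOTS):
        reasons.append("target is outside Windows and Program Files")
    return reasons

def triage(log_text):
    """Map each task file to its review reasons, skipping unremarkable tasks."""
    flagged = {}
    for task_file, target in parse_task_lines(log_text):
        reasons = review_reasons(target)
        if reasons:
            flagged[task_file] = reasons
    return flagged

if __name__ == "__main__":
    for task, why in triage(SAMPLE_LOG).items():
        print(task, "->", "; ".join(why))
```
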

This topic is now closed to further replies.