Jump to content

Malware not removing things properly


Recommended Posts

Hey chaps.

I recently have had issues with adware on my pc, it will randomly open my default web browser (chrome) on a russian ad page. Seems to just happen randomly, nothing appears to trigger it. It will also open a new tab for the page if chrome is open already.

Malwarebytes blocks the connection, and tells me to run a scan. However, after removing 7 things from my pc, it never finds any malicious software, but the problem persists. I have run adwcleaner a few times now, and the first 3-4 times, it removed a few things, but different things each time i ran it. However, that too says me pc is now clean.

What should i do next? Is there a different program or antivirus i can use that actually works?

Thanks

Link to post
Share on other sites

Hello Bovrinox and welcome to Malwarebytes,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....
Link to post
Share on other sites

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended)
    Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select user posted imageRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs in your reply, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin...

fixlist.txt

Link to post
Share on other sites

Thanks again, here is the scan log from malwarebytes

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/11/18
Scan Time: 8:03 PM
Log File: 4a9825cc-2567-11e8-bb54-74d435fb3972.json
Administrator: Yes

-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.4302
License: Trial

-System Information-
OS: Windows 10 (Build 16299.248)
CPU: x64
File System: NTFS
User: DESKTOP-HB2D13M\Matthew

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 310998
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 9 min, 16 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

 

And the log from Adwcleaner

 

# AdwCleaner 7.0.8.0 - Logfile created on Sun Mar 11 20:18:57 2018
# Updated on 2018/08/02 by Malwarebytes 
# Running on Windows 10 Home (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

No malicious folders deleted.

***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

No malicious registry entries deleted.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0

*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [1775 B] - [2018/3/10 13:18:18]
C:/AdwCleaner/AdwCleaner[C1].txt - [1408 B] - [2018/3/10 13:28:37]
C:/AdwCleaner/AdwCleaner[S0].txt - [1715 B] - [2018/3/10 13:17:38]
C:/AdwCleaner/AdwCleaner[S1].txt - [1247 B] - [2018/3/10 13:28:24]
C:/AdwCleaner/AdwCleaner[S2].txt - [1217 B] - [2018/3/10 13:38:9]
C:/AdwCleaner/AdwCleaner[S3].txt - [1284 B] - [2018/3/10 13:54:11]
C:/AdwCleaner/AdwCleaner[S4].txt - [1352 B] - [2018/3/11 9:48:52]
C:/AdwCleaner/AdwCleaner[S5].txt - [1419 B] - [2018/3/11 20:18:39]


########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt ##########

 

 

And finally the MSRT log

 


---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.57, February 2018 (build 5.57.14524.1)
Started On Sun Mar 11 20:29:18 2018

Engine: 1.1.14500.5
Signatures: 1.261.542.0
Run Mode: Interactive Graphical Mode
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Sun Mar 11 20:29:44 2018


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.57, February 2018 (build 5.57.14524.1)
Started On Sun Mar 11 20:29:53 2018

Engine: 1.1.14500.5
Signatures: 1.261.542.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Sun Mar 11 20:33:08 2018


Return code: 0 (0x0)

 

Thanks for your help my man, it does seem to be fixed now, not sure how as the antivirus things didn't find anything haha. Ill stick to my engines, i understand cogs an stuff, not computers! XD

Matt

Fixlog.txt

Link to post
Share on other sites

Thanks for the logs and update Bovrinox, if you have no more issues or concerns continue with the following to clean up:

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

Thanks for all your help Kevin.

On a completely unrelated note, I have been having trouble with my PC randomly restarting for no apparent reason, with no errors. Just like pressing the reboot button or something. I suspected it my be thermal shutdown, but after careful mongering it doesn't appear to be the case, and i cant replicate what makes it do it. I was just wondering if anything in the logs may indicate a problem elsewhere that might be causing it? It happens even if no programs are running, sometimes within a few mins of starting up my pc, sometimes it wont do it for days.

This has been going on long before i had any malware/viruses that i know of, so i think it is probably hardware related. Any input would be greatly appreciated!

Matt

 

Edited by Bovrinox
Link to post
Share on other sites

The original issue was a Browser Hijacker specific to Chrome, we fix with FRST. i did not see anything in your logs to attribute powering down.... Run the following:

Please download VEW by Vino Rosso from HERE and save it to your Desktop.
 
  • Double-click VEW.exe. to start, Vista and Windows 7/8/10 users Right Click and select "Run as Administrator"
  • Under 'Select log to query...check the boxes for both Application and System.
  • Under 'Select type to list... select both Error and Critical.
  • Click the radio button for 'Number of events...Type 15 in the 1 to 20 box.
  • Then click the Run button.
  • Notepad will open with the output log. It will take a couple of minutes to generate the log, please be patient.


Please post the Output log in your next reply.

 

 

Link to post
Share on other sites

That log seems to suggest a possible hardware problem. The best way forward is to alter the advanced system settings and stop windows from automatically restarting after a crash. when that is done windows should crash to a BSOD (Blue Screen of Death) and offer information (bug check)..

Type or copy/paste advanced system settings into the search function next to windows start button on taskbar.. then hit enter.

The "System Properties" window will open, from there select "Advanced" tab. From there select "Settings" under "Startup and Recovery" In the new window remove the checkmark from "Automaticlly Restart"

Also ensure "Write deugging information" is listed as per the attached image.. Then select ok, hopefully next crash you will get BSOD with helpful information. Also minidump folder will also have a file(s) for analysis..

 

startup.JPG

Link to post
Share on other sites

Hi Kevin,

my pc seems to have restarted again while i was away from it, as it was on the login screen rather than where I had left it. When i logged in, chrome was open on the microsoft support webpage for some reason, it definitely wasn't when I left it. Nothing else was running, and I had Steam open at the time I left it.

Would the BSOD  require interaction, or is it a timed thing? I don't know if it simply restarted for windows automatic updates or something rather than crashing again, and also the minidump folder is empty.

Thanks

Link to post
Share on other sites

Run the following. Select windows key and X key together. From the list select Command Prompt (Admin) at the command prompt type or copy/paste:

DISM /Online /Cleanup-Image /ScanHealth

Then hit the enter key, this check may take several minutes to complete. When done it will show 100% and whether or not there is any component store corruption...

Link to post
Share on other sites

I half expected a none corruption return, but was a worthwhile check. The system critical errors in Vew log are also not conclusive either, same one is repeated:

Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power

Those can be frustrating because is not definite, could be hardware issue, could be driver (usually video card) issue, etc etc... if a mini dump file is created we have better chance to identify the problem...

How old id your PC, hard drive, ram, video card...

 

Link to post
Share on other sites

Hi Kevin,

I think the oldest part will be the HDD, its the only part from the original computer i bought. It has since had new cpu, gpu and motherboard etc. A friend of mine is big into pc gaming so i get all his left overs! The parts aren't particularly old but they are second hand. It is still the same power supply unit, so could that be causing an issue if its not providing enough power? I have checked all the drivers and they are up to date. I did have issues with the Radeon thing running multiple instances a while back, but that  seems to be fixed now.

Matt

Link to post
Share on other sites

Hiya Matt,

Power supply unit faults are usually constant, not intermittent. The hard drive is a possibility if it has been in use for a long time..  Maybe worthwhile running checks..

Select the Windows key and X Key together. From the produced list select::

Command Promt (Admin)

Accept UAC alert...

At the Command prompt, type

CHKDSK C: /R

hit the Enter key.

You will get a message that the drive cannot be locked, but that the command can be scheduled to run at the next boot - hit the Y key, press Enter, and then reboot.

The CHKDSK may take a few hours depending on the size of the drive, so be patient!

After the CHKDSK has run use the following instructions to find the log:

Check Disk report:
 
  • Press the WindowsKey + R on your keyboard at the same time. Type eventvwr into the run box and click OK.
  • In the left panel, expand Windows Logs and then click on Application.
  • Now, on the right side, click on Filter Current Log.
  • Under Event Sources, (expand the drop down arrow) check only Wininit and click OK.
  • You mayl be presented with one or multiple Wininit logs.
  • Click on an entry corresponding to the date and time of the disk check.
  • On the top main menu, click Action > Copy > Copy Details as Text.
  • Paste the contents into your next reply.

Next,

Select the Windows key and X Key together. From the produced list select::

Command Promt (Admin)

At the Command prompt, type

SFC /SCANNOW

hit the Enter key

Wait for the scan to finish - make a note of any error messages - and then reboot.

Copy the CBS.log file created (C:\Windows\Logs\CBS\CBS.log) to your desktop (you can't manipulate it directly) and then compress the copy and upload the zip file to your reply.


Lets see what those two checks return..

Thanks,

Kevin..

Link to post
Share on other sites

Hi Kevin,

Here is the log from the disk check. I ran it on C: and D: but there is only one log created. The scan on C: was completed almost instantly, which i though peculiar.

Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          17/03/2018 03:12:33 PM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      DESKTOP-HB2D13M
Description:


Checking file system on D:
The type of the file system is NTFS.
Volume label is Data.

A disk check has been scheduled.
Windows will now check the disk.                         

Stage 1: Examining basic file system structure ...
  538624 file records processed.                                                        
File verification completed.
  2992 large file records processed.                                  
  0 bad file records processed.                                    

Stage 2: Examining file name linkage ...
  1244 reparse records processed.                                      
  579500 index entries processed.                                                      
Index verification completed.
  0 unindexed files scanned.                                        
  0 unindexed files recovered to lost and found.                    
  1244 reparse records processed.                                      

Stage 3: Examining security descriptors ...
Cleaning up 37 unused index entries from index $SII of file 0x9.
Cleaning up 37 unused index entries from index $SDH of file 0x9.
Cleaning up 37 unused security descriptors.
Security descriptor verification completed.
  20439 data files processed.                                          
CHKDSK is verifying Usn Journal...
  39367936 USN bytes processed.                                                          
Usn Journal verification completed.

Stage 4: Looking for bad clusters in user file data ...
  538608 files processed.                                                              
File data verification completed.

Stage 5: Looking for bad, free clusters ...
  68315040 free clusters processed.                                                      
Free space verification is complete.

Windows has scanned the file system and found no problems.
No further action is required.

1795596287 KB total disk space.
1521518856 KB in 480281 files.
    119112 KB in 20440 indexes.
         0 KB in bad sectors.
    698155 KB in use by the system.
     65536 KB occupied by the log file.
 273260164 KB available on disk.

      4096 bytes in each allocation unit.
 448899071 total allocation units on disk.
  68315041 allocation units available on disk.

Internal Info:
00 38 08 00 dc a3 07 00 3c da 07 00 00 00 00 00  .8......<.......
dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="16384">1001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-03-17T15:12:33.987436200Z" />
    <EventRecordID>11673</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>DESKTOP-HB2D13M</Computer>
    <Security />
  </System>
  <EventData>
    <Data>

Checking file system on D:
The type of the file system is NTFS.
Volume label is Data.

A disk check has been scheduled.
Windows will now check the disk.                         

Stage 1: Examining basic file system structure ...
  538624 file records processed.                                                        
File verification completed.
  2992 large file records processed.                                  
  0 bad file records processed.                                    

Stage 2: Examining file name linkage ...
  1244 reparse records processed.                                      
  579500 index entries processed.                                                      
Index verification completed.
  0 unindexed files scanned.                                        
  0 unindexed files recovered to lost and found.                    
  1244 reparse records processed.                                      

Stage 3: Examining security descriptors ...
Cleaning up 37 unused index entries from index $SII of file 0x9.
Cleaning up 37 unused index entries from index $SDH of file 0x9.
Cleaning up 37 unused security descriptors.
Security descriptor verification completed.
  20439 data files processed.                                          
CHKDSK is verifying Usn Journal...
  39367936 USN bytes processed.                                                          
Usn Journal verification completed.

Stage 4: Looking for bad clusters in user file data ...
  538608 files processed.                                                              
File data verification completed.

Stage 5: Looking for bad, free clusters ...
  68315040 free clusters processed.                                                      
Free space verification is complete.

Windows has scanned the file system and found no problems.
No further action is required.

1795596287 KB total disk space.
1521518856 KB in 480281 files.
    119112 KB in 20440 indexes.
         0 KB in bad sectors.
    698155 KB in use by the system.
     65536 KB occupied by the log file.
 273260164 KB available on disk.

      4096 bytes in each allocation unit.
 448899071 total allocation units on disk.
  68315041 allocation units available on disk.

Internal Info:
00 38 08 00 dc a3 07 00 3c da 07 00 00 00 00 00  .8......&lt;.......
dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
</Data>
  </EventData>
</Event>

 

I have attached the CBS log, the Scannow in command prompt returned no integrity errors

Thanks

CBS.rar

Link to post
Share on other sites

Hi Kevin,

Good timing there was just about to log in to my emails to tell you it hasn't, but then i clicked Chrome on my taskbar and it restarted! I checked the advanced system settings again, and it is still set not to restart on system crash, but it did anyway, with no BSOD. It has created a minidump log this time however, which i have attached.

Thanks

031818-25265-01.dmp

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.