
Malware Infection - Need Help


Hello,

I'm not 100% sure, but I think my PC is infected with Malware, maybe because I accidentally clicked a link or downloaded an infected file. I believe it might be affecting the registry or system startup, or it might be a rootkit? Here is some info that hopefully helps from my troubleshooting:

  • I tried booting the PC in safe mode and running Malwarebytes, but it says nothing is detected. Strangely enough though, it shows all the protection as being disabled in safe mode.
  • I was unable to run disk cleaner in safe mode - the options for drives besides my C: drive were missing, and I don't think the disk was actually cleaned for the C drive. I tried using CC Cleaner instead (also in safe mode), but it starts up and once it gets to a certain point it just shuts down, and I'm unable to open it again.
  • Avast Antivirus will not open at all in Safe mode.
  • I've run Rkill but it hasn't detected anything.
  • I ran HitmanPro. It identified the GOG Galaxy.exe file as a PUP. I tried to delete it, and then got a blue screen of death. I turned the PC off and back on, and it's working again.
  • All the programs that are supposed to be run on startup aren't, so I'm wondering if they're being overwritten.

Here is my Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/6/19
Scan Time: 7:40 PM
Log File: d008ddce-1214-11e9-9112-00ff3931847e.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.508
Update Package Version: 1.0.8661
License: Premium

-System Information-
OS: Windows 10 (Build 17134.472)
CPU: x64
File System: NTFS
User: TREY-PC\Trey

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 346034
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 3 min, 0 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


The FRST logs are attached. Thank you for your help.

Addition.txt

FRST.txt


Hello RGZ7777 and welcome to Malwarebytes,

Continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Please download Zemana AntiMalware and save it to your Desktop.
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
  • Open Zemana AntiMalware again.
  • Click on the icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Let me see those logs in your reply, also tell me if there are any remaining issue or concerns....

Thank you,

Kevin...

fixlist.txt


Hey Kevin.

Attached are all the requested files, minus the AdwCleaner log. I didn't move forward with that one because your instructions said there would be a EULA to accept (I didn't see one to accept), that it would say 'Scan' (it said 'Scan Now' for me), and that I would need to check to make sure all the tabs are checked and then click Clean (I did not see any tabs). Please see the 'AdwareCleaner Pic.png' screenshot I took to see what my Adware Cleaner looks like.

Thank you again!


SophosVirusRemovalTool.log

SophosVirusRemovalTool_cloud4.log

Fixlog.txt

2019.01.07-20.39.31-i0-t92-d3.txt

AdwareCleaner Pic.png


Yes, regarding AdwCleaner, the EULA usually shows on the first run; if you've already used AdwCleaner it does not show on subsequent runs. The image you show from the AdwCleaner scan indicates no threats found, in that case no further action is required...

What is happening with your system now, any odd or erratic behavior, any remaining issues or concerns...


After using my PC yesterday, I didn't notice anything out of the ordinary. Did all of the logs look good? I just want to be sure it's not a rootkit or something hiding during startup.

And I was also wondering why Galaxyclient.exe was detected as a PUP in HitmanPro, and when I went to fix it I got a blue screen of death - that one just seemed a little odd to me.


Hello RGZ7777,

There was no indication of any malware or infection in your logs. Regarding HitmanPro, yes it can be aggressive; any entries flagged by an application you are unsure of should always be checked out before going for "Quarantine" or "Removal". VirusTotal is a good site to use: https://www.virustotal.com/en/

Unless you have any other issues we can clean up:

Right click on FRST here: C:\Users\Trey\Desktop\FRST64.exe and rename it to uninstall.exe. When complete, right click on uninstall.exe and select "Run as Administrator".

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders... It can take several minutes to complete.

Next,

Uninstall Sophos AV and Zemana http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Also delete this folder if still present: C:\ProgramData\Sophos

Next,

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...
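As an added example (not part of this thread or of any of the tools named in it), a small PowerShell helper that does the check Kevin describes before quarantining a file a scanner has flagged: it records the file's SHA-256 hash, checks whether the file carries a valid Authenticode signature, and builds the VirusTotal lookup URL for that hash so the result can be reviewed without uploading anything. The path is a placeholder; the thread does not give the GOG Galaxy install location.

```powershell
# Added example, not from the thread: check a scanner-flagged file before
# quarantining it. Records the SHA-256 (what VirusTotal indexes by), the
# signer, and the VirusTotal lookup URL. Nothing is uploaded or removed.
param(
    # Placeholder path; replace with the file your scanner flagged.
    [string]$Path = 'C:\PLACEHOLDER\GalaxyClient.exe'
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Error "File not found: $Path"
    return
}

$item = Get-Item -LiteralPath $Path
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
$sig  = Get-AuthenticodeSignature -FilePath $Path

[pscustomobject]@{
    File       = $item.FullName
    SizeBytes  = $item.Length
    Modified   = $item.LastWriteTime
    SHA256     = $hash
    # 'Valid' means the certificate chain verifies; 'NotSigned' or
    # 'HashMismatch' deserve a closer look before trusting the file.
    SigStatus  = $sig.Status
    Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    # Looking the hash up by URL avoids uploading the file itself.
    VirusTotal = "https://www.virustotal.com/gui/file/$hash"
} | Format-List

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)'. Review the VirusTotal result before removing or restoring this file."
}
```

A valid signature from the expected vendor plus a clean VirusTotal record is a good reason to treat the detection as a false positive and exclude the file rather than delete it.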



Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks
