My PC is probably filled with Malware


Jayce


I recently installed a Windows Activator, but it installed a bunch of other software as well and renamed my User Profile to "Folders". I can't open Chrome or Firefox; I've uninstalled them and am currently relying on Microsoft Edge, as it's the only browser that's not affected somehow. I'm afraid of turning off my PC as it might be dead for good the moment I shut it down.

Addition.txt

exportsummary -malwarebytes.txt

FRST.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
RunBooster (HKLM\...\RunBooster) (Version: 1.0.3 - SkyNET Corporation) <==== ATTENTION
ShutdownTime version 1.0 (HKLM-x32\...\ShutdownTime_is1) (Version: 1.0 - )

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt


Hi nasdaq, thank you for replying. It seems that one of my colleagues "force deleted" RunBooster's full folder, but I successfully uninstalled ShutdownTime version 1.0.

Here's the FixLog.txt, but it seems that my User Account, or rather my File Explorer's name, hasn't been changed from "Folders" back to "ISC-PC"; an example is the image below, showing "Jay Cee" renamed to "Folders". On the other hand, my browsers are still screwed up in a way that I can't browse anything properly: a page loads some of the website's resources but not all of them, which results in a wall of text and hyperlinks.

Thank you for taking your time to assist me

Fixlog.txt

image.png


Hi,

This entry in your FRST.TXT log is a concern.
Failed to access process -> set.exe

I searched for the file in the C:\ and C:\Windows\System32 but got no result.

Let's see what we can find in the Registry.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
set.exe
Once done, click on the Search Registry button and wait for FRST to finish the search
On completion, a log will open in Notepad. Copy and paste its content in your next reply
====

Let's check your files.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
set.exe
Once done, click on the Search File search button and wait for FRST to finish the search
On completion, a log will open in Notepad. Copy and paste its content in your next reply
===

Please post the logs for my review.

p.s.
Let's see if we can get Chrome to work.

Your copy of Chrome has probably been compromised.

Step 1. Remove Chrome from your computer and reinstall a fresh copy later.

Step 2. If you remove the syncing of your account, you must remove it before you save your bookmarks etc...
Delete Your Google Chrome Browser Sync Data if you sync with other devices. <- Important ...
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Step 3. Before you remove Chrome, export your Bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.
How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

Step 4. Before you remove Chrome, export your Passwords.
How to export your saved passwords from Chrome:
https://betanews.com/2018/03/09/export-chrome-passwords/

Step 5. Clear your Chrome cache and cookies.
https://support.google.com/chromebook/answer/183083?hl=en

Step 6. Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Step 7. Re-install Chrome and the Bookmarks.
<<<>>>


Farbar Recovery Scan Tool (x64) Version: 20.02.2019
Ran by ISC-PC (20-02-2019 20:17:22)
Running from C:\Users\ISC-PC\Desktop\PCFix
Boot Mode: Normal

================== Search Registry: "set.exe" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\AVAST Software\Avast\PUB-Removed]
"1d4c5570e8a9f32"="|C:\ProgramData\Logic Cramble\set.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\SystemReset.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellScript.1\Shell\0\Command]
""=""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & '%1'""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{14371053-1813-471a-9510-1cf1d0a055a8}]
"ResourceFileName"="%WINDIR%\system32\IME\IMEJP\IMJPSET.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{14371053-1813-471a-9510-1cf1d0a055a8}]
"MessageFileName"="%WINDIR%\system32\IME\IMEJP\IMJPSET.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\PUB-Removed]
"1d4c5570e8a9f32"="|C:\ProgramData\Logic Cramble\set.exe"

====== End of Search ======

 

Farbar Recovery Scan Tool (x64) Version: 20.02.2019
Ran by ISC-PC (20-02-2019 20:17:46)
Running from C:\Users\ISC-PC\Desktop\PCFix
Boot Mode: Normal

================== Search Files: "set.exe" =============


====== End of Search ======

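As an added example (not from this thread, from Malwarebytes or from Farbar), the following Python parser reads the "Search Registry" section of an FRST log like the one above, pulls out every executable the matching keys and values reference, and drops the substring false positives FRST also reports (SystemReset.exe, IMJPSET.exe) so only the two Avast PUB-Removed values pointing at C:\ProgramData\Logic Cramble\set.exe remain. The sample log is constructed from the post above and trimmed.

```python
import re

# Constructed sample: the "Search Registry" section of the FRST log posted in this thread,
# trimmed to a few entries.
SAMPLE_LOG = r"""Farbar Recovery Scan Tool (x64) Version: 20.02.2019

================== Search Registry: "set.exe" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\AVAST Software\Avast\PUB-Removed]
"1d4c5570e8a9f32"="|C:\ProgramData\Logic Cramble\set.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\SystemReset.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{14371053-1813-471a-9510-1cf1d0a055a8}]
"ResourceFileName"="%WINDIR%\system32\IME\IMEJP\IMJPSET.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\PUB-Removed]
"1d4c5570e8a9f32"="|C:\ProgramData\Logic Cramble\set.exe"

====== End of Search ======
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')
# Drive-letter or %VAR%-rooted path ending in .exe; '"' and '|' terminate it.
PATH_RE = re.compile(r'(?:%[A-Za-z_]+%|[A-Za-z]:)\\[^"|<>]+?\.exe', re.IGNORECASE)


def parse_registry_search(log):
    """Return (key, value_name, path) for every .exe referenced in the 'Search Registry'
    section; value_name is "" when the key itself is named after an executable."""
    hits, key, in_section = [], None, False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("=") and "Search Registry" in line:
            in_section = True
        elif line.startswith("====== End of Search"):
            in_section = False
        elif in_section and KEY_RE.match(line):
            key = KEY_RE.match(line).group(1)
            last = key.rsplit("\\", 1)[-1]
            if last.lower().endswith(".exe"):
                hits.append((key, "", last))
        elif in_section and key and VALUE_RE.match(line):
            name, data = VALUE_RE.match(line).groups()
            for path in PATH_RE.findall(data):
                hits.append((key, name, path))
    return hits


def exact_hits(log, filename):
    """FRST searches by substring, so 'set.exe' also reports SystemReset.exe and IMJPSET.exe.
    Keep only hits whose file name is exactly `filename`."""
    want = filename.lower()
    return [h for h in parse_registry_search(log)
            if h[2].rsplit("\\", 1)[-1].lower() == want]
```

Each exact hit is a registry location still referencing the file, which is what the .reg fix later in this thread removes; the paired "Search Files" section being empty tells you the file itself is already gone.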

Please ignore this, execute the fix in the next post.

Copy all the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files" Once you have saved Right click the .reg file and allow it to merge with the registry.

Quote


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\AVAST Software\Avast\PUB-Removed]
"1d4c5570e8a9f32"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\PUB-Removed]
"1d4c5570e8a9f32"=-

Restart the computer when completed.

You can delete the fixme.reg file when done.
===

How is the computer running now?

Edited by nasdaq

Copy all the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files" Once you have saved Right click the .reg file and allow it to merge with the registry.

Quote

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\AVAST Software\Avast\PUB-Removed]
"1d4c5570e8a9f32"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\PUB-Removed]
"1d4c5570e8a9f32"=-


 

Restart the computer when completed.

You can delete the fixme.reg file when done.
===

How is the computer running now?


There's still some issues present,

- "Ads by Aura" pop up at random programs

- Chrome's default search is a malware link

- My User Profile doesn't match the User Folder (It's all renamed to "Folders")

- My PC suddenly tends to restart or freeze (this may be hardware, but I'd like to be sure that it's not caused by malware)

 

Thank you so much for taking your time in helping me

Ads by Aura.PNG

ChromeSearch.PNG

User Account.PNG

UserProfiles.PNG


Hi,

Let's start with this.

Your copy of Chrome has probably been compromised.

Step 1. Remove Chrome from your computer and reinstall a fresh copy later.

Step 2. If you remove the syncing of your account, you must remove it before you save your bookmarks etc...
Delete Your Google Chrome Browser Sync Data if you sync with other devices. <- Important ...
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Step 3. Before you remove Chrome, export your Bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.
How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

Step 4. Before you remove Chrome, export your Passwords.
How to export your saved passwords from Chrome:
https://betanews.com/2018/03/09/export-chrome-passwords/

Step 5. Clear your Chrome cache and cookies.
https://support.google.com/chromebook/answer/183083?hl=en

Step 6. Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Step 7. Re-install Chrome and the Bookmarks.
<<<>>>

If the problem persists IN CHROME and you sync Chrome with other devices, reset the Sync.

Read this article and proceed.

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/
<<<>>>

My PC suddenly tends to restart or freeze (this may be hardware, but I'd like to be sure that it's not caused by malware)
This may be the cause.
Follow the instructions on this page.
https://support.malwarebytes.com/docs/DOC-1123
===

Your accounts/profiles as listed in the Addition.txt log.
Administrator (S-1-5-21-708700642-721268705-855182592-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-708700642-721268705-855182592-503 - Limited - Disabled)
Guest (S-1-5-21-708700642-721268705-855182592-501 - Limited - Disabled)
ISC-GAMING (S-1-5-21-708700642-721268705-855182592-1004 - Administrator - Enabled) => C:\Users\ISC-GAMING
ISC-PC (S-1-5-21-708700642-721268705-855182592-1001 - Administrator - Enabled) => C:\Users\ISC-PC
ISC-STREAM (S-1-5-21-708700642-721268705-855182592-1003 - Administrator - Enabled) => C:\Users\ISC-STREAM
ISC-TOURNEY (S-1-5-21-708700642-721268705-855182592-1002 - Administrator - Enabled)
WDAGUtilityAccount (S-1-5-21-708700642-721268705-855182592-504 - Limited - Disabled)

The compromised accounts cannot be edited.
You can only create new accounts.

Let me know what problem persists.

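As an added example (not from this thread or from Farbar), a Python check over the Addition.txt account list above: it parses each "Name (SID - Group - State) => profile" line, then flags enabled accounts with Administrator rights, enabled accounts with no profile path listed (ISC-TOURNEY), accounts whose profile folder is absent from C:\Users, and folders under C:\Users that belong to no listed account, which is how the renamed "Folders" profile from this thread would show up. The set of folder names under C:\Users is constructed here; on a real machine you would list the directory.

```python
import re

# Constructed sample: the account list quoted from Addition.txt in the post above.
SAMPLE_ACCOUNTS = r"""
Administrator (S-1-5-21-708700642-721268705-855182592-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-708700642-721268705-855182592-503 - Limited - Disabled)
Guest (S-1-5-21-708700642-721268705-855182592-501 - Limited - Disabled)
ISC-GAMING (S-1-5-21-708700642-721268705-855182592-1004 - Administrator - Enabled) => C:\Users\ISC-GAMING
ISC-PC (S-1-5-21-708700642-721268705-855182592-1001 - Administrator - Enabled) => C:\Users\ISC-PC
ISC-STREAM (S-1-5-21-708700642-721268705-855182592-1003 - Administrator - Enabled) => C:\Users\ISC-STREAM
ISC-TOURNEY (S-1-5-21-708700642-721268705-855182592-1002 - Administrator - Enabled)
WDAGUtilityAccount (S-1-5-21-708700642-721268705-855182592-504 - Limited - Disabled)
"""

# Constructed: folder names actually present under C:\Users on the affected machine.
SAMPLE_USERS_DIRS = {"Folders", "ISC-GAMING", "ISC-STREAM", "Public"}

ACCOUNT_RE = re.compile(
    r"^(?P<name>\S+) \((?P<sid>S-1-5-21-[\d-]+) - (?P<group>\w+) - (?P<state>\w+)\)"
    r"(?: => (?P<profile>.+))?$")


def parse_accounts(text):
    """One dict per 'Name (SID - Group - State) => profile' line of the Users section."""
    accounts = []
    for line in text.splitlines():
        m = ACCOUNT_RE.match(line.strip())
        if m:
            acct = m.groupdict()
            acct["rid"] = int(acct["sid"].rsplit("-", 1)[-1])  # 500 = built-in Administrator
            accounts.append(acct)
    return accounts


def audit_accounts(text, users_dirs):
    """Return (subject, reason) findings; users_dirs is the set of folder names under C:\\Users."""
    accounts = parse_accounts(text)
    findings = []
    for a in accounts:
        if a["state"] != "Enabled":
            continue
        if a["group"] == "Administrator" and a["rid"] >= 1000:
            findings.append((a["name"], "enabled account with Administrator rights"))
        if not a["profile"]:
            findings.append((a["name"], "enabled but no profile path listed"))
            continue
        folder = a["profile"].rsplit("\\", 1)[-1]
        if folder not in users_dirs:
            findings.append((a["name"], "profile folder " + folder + " missing from C:\\Users"))
    # Folders nobody in the account list owns, e.g. the renamed "Folders" profile.
    known = {a["profile"].rsplit("\\", 1)[-1] for a in accounts if a["profile"]} | {"Public", "Default"}
    for extra in sorted(users_dirs - known):
        findings.append((extra, "folder under C:\\Users not tied to any listed account"))
    return findings
```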

Apologies for the lack of updates, I've been away from that computer due to a business trip. I'm back in my office and have done the following things:

- Exported my bookmarks

- Cleared all browsing data

- Removed Chrome

But there are still issues with the following:

- Ads by Aura is still present on my PC (not only in Chrome but in all browsers, as well as some programs)

- Google Search has been stuck at Google.ga (Gabon?)

- ReCaptcha and verifications won't load at all

- I can't reinstall chrome due to this issue (see picture)


Thank you and apologies for the late update

image.png

image.png


Hi,

Repair these services.

Boot with Safe Mode with Networking. Execute the following.

Please Download Tweaking.com - Windows Repair from Here

  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan, and skip Steps 3 and 4 Optional for now.
  • On Step 5 Backup System Restore Do a Registry backup. When you have completed this click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All repair button then select just the item(s) listed below:
    01 - Repair Registry Permissions
    03 - Reset Service permissions
    04 - Register System Files
    05 - Repair WMI
    10 - Remove Policies Set By Infections
    16 - Repair Windows Updates
    20 - Repair MSI (Windows Installer)
    25 - Restore Important Windows Services
    26 - Set Windows Service to Default Startup
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. ( Reboot if asked to do so)
  • Please copy and paste the Contents of this file on your next reply.


===

Restart the computer normally.

===

Run the Farbar program and wait for it to be updated.

When completed scan the computer and post fresh logs for my review.

Let me know what problem persists.


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon (the 3 vertical dots at the top right of Google Chrome).

Click "Settings" then "Show advanced settings" at the bottom of the screen.

Click "Reset and clean up" > "Restore settings to their original defaults"

Restart Chrome.
<<<>>>

If the problem persists in Chrome check this out.
Chrome Secure Preferences detection always comes back.

https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Execute the suggested fix.
===========

If Chrome is still using .ga region check the Setting.
Under the Start Up section remove anything referencing .GA

Let me know what problem persists.


Hello Nasdaq, there's no Fixlist.txt file attached to your reply?

I still couldn't reinstall Chrome at all due to this (See Image)

To clarify, all of my browsers are affected by this redirect, not just Chrome.

Ex. If I open Microsoft Edge and try to use Google.com, it still redirects me to Google.ga


Hi,

It seems that even when I "allow" GoogleUpdate, it still won't install Chrome. The "Ads by Aura" is apparently still present, but this time it's more subtle, in that it can be closed and is mainly limited to my browsers.

There's still no Fixlist.txt attached here, thanks :)

On 3/4/2019 at 3:31 AM, nasdaq said:

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon (the 3 vertical dots at the top right of Google Chrome).

Click "Settings" then "Show advanced settings" at the bottom of the screen.

Click "Reset and clean up" > "Restore settings to their original defaults"

Restart Chrome.
<<<>>>

If the problem persists in Chrome check this out.
Chrome Secure Preferences detection always comes back.

https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Execute the suggested fix.
===========

If Chrome is still using .ga region check the Setting.
Under the Start Up section remove anything referencing .GA

Let me know what problem persists.

 


Hi,

Your copy of Chrome has probably been compromised.

Step 1. Remove Chrome from your computer and reinstall a fresh copy later.

Step 2. If you remove the syncing of your account, you must remove it before you save your bookmarks etc...
Delete Your Google Chrome Browser Sync Data if you sync with other devices. <- Important ...
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Step 3. Before you remove Chrome, export your Bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.
How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

Step 4. Before you remove Chrome, export your Passwords.
How to export your saved passwords from Chrome:
https://betanews.com/2018/03/09/export-chrome-passwords/

Step 5. Clear your Chrome cache and cookies.
https://support.google.com/chromebook/answer/183083?hl=en

Step 6. Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Step 7. Re-install Chrome and the Bookmarks.
<<<>>>

Has your Chrome problem been solved?

Any remaining issues?


On 3/5/2019 at 9:33 PM, nasdaq said:

Hi,

Your copy of Chrome has probably been compromised.

Step 1. Remove Chrome from your computer and reinstall a fresh copy later.

Step 2. If you remove the syncing of your account, you must remove it before you save your bookmarks etc...
Delete Your Google Chrome Browser Sync Data if you sync with other devices. <- Important ...
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Step 3. Before you remove Chrome, export your Bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.
How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

Step 4. Before you remove Chrome, export your Passwords.
How to export your saved passwords from Chrome:
https://betanews.com/2018/03/09/export-chrome-passwords/

Step 5. Clear your Chrome cache and cookies.
https://support.google.com/chromebook/answer/183083?hl=en

Step 6. Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Step 7. Re-install Chrome and the Bookmarks.
<<<>>>

Has your Chrome problem been solved?

Any remaining issues?

Even upon following the error message, I can't install Chrome


Hi nasdaq, it seems that after resetting my network to its default state, everything went well as it removed all of the infections, I managed to install Google Chrome and it removed the Google.ga as well, thank you for helping me with this problem.


Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

