evanw Posted April 16, 2019 ID:1308052 Share Posted April 16, 2019 I restarted an ASUS Notebook PC from 2013 which has been on a shelf since summer 2016. It is running Windows 8.1. It became clear that the PC was infected with adware and Trojans, and had multiple browsers etc. I uninstalled a bunch of programs and now only have Internet Explorer loaded. I ran MalwareBytes several times, the latest today. The log file is below. Should I be concerned that the software is only quarantining 1 of 5 items? What should I do next? Evan Malwarebytes Tuesday 16th April 2019.txt Link to post Share on other sites More sharing options...
evanw Posted April 17, 2019 Author ID:1308148 Share Posted April 17, 2019 I had a message linked to my request yesterday to provide more log files, I could not see how to reply to that thread so as instructed sending a new topic. I attach a Threat Scan, and the FRST files requested all run this morning. Original text: I restarted an ASUS Notebook PC from 2013 which has been on a shelf since summer 2016. It is running Windows 8.1. It became clear that the PC was infected with adware and Trojans, and had multiple browsers etc. I uninstalled a bunch of programs and now only have Internet Explorer loaded. I ran MalwareBytes several times, the latest today. The log file is below. Should I be concerned that the software is only quarantining 1 of 5 items? What should I do next? EvanW Malwarebytes threat scan 17 April EvanW.txt Malwarebytes threat scan Quarantine removal report 17 April EvanW.txt FRST.txt Addition.txt Link to post Share on other sites More sharing options...
nasdaq Posted April 17, 2019 ID:1308195 Share Posted April 17, 2019 Hello, Welcome to Malwarebytes. I'm nasdaq and will be helping you. If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed. === Download the Farbar Recovery Scan Tool (FRST).Choose the 32 or 64 bit version for your system. and save it to a folder on your computer's Desktop. Double-click to run it. When the tool opens click Yes to disclaimer. Press Scan button. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply. How to attach a file to your reply: In the Reply section in the bottom of the topic Click the "more reply Options" button. Attach the file. Select the "Choose a File" navigate to the location of the File.Click the file you wish to Attach.Click Attach this file.Click the Add reply button. === Please post the logs for my review. Wait for further instructions === Link to post Share on other sites More sharing options...
evanw Posted April 17, 2019 Author ID:1308220 Share Posted April 17, 2019 I ran a new threat scan today and included the post quarantine report also, plus the other two files from the Farbar recovery scan made today. EvanW Malwarebytes threat scan 17 April EvanW.txt Malwarebytes threat scan Quarantine removal report 17 April EvanW.txt FRST.txt Addition.txt Link to post Share on other sites More sharing options...
nasdaq Posted April 17, 2019 ID:1308229 Share Posted April 17, 2019 Hello, Welcome to Malwarebytes. I'm nasdaq and will be helping you. If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed. === Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from. The location is listed in the 3rd line of the FRST.txt log you have submitted. Run FRST and click Fix only once and wait. The tool will create a log (Fixlog.txt) please post it to your reply. === You are predently using INTERNET EXPLORER Reset Internet Explorer: Menu > Tools > Internet Options > Advanced Tab. Click the Reset button on the bottom of the pane. Click the Apply button. Close IE. === Is Chrome used on this computer? Is Malwarebytes always reporting these items event after they have been deleted? ======= Please post the Fixlog.txt and let me know what problem persists. fixlist.txt Link to post Share on other sites More sharing options...
evanw Posted April 18, 2019 Author ID:1308411 Share Posted April 18, 2019 Attached the fix log file after I ran the FRST64 application. I performed the reset on IE. The computer did have, Chrome and Opera installed which I recently uninstalled. There is also an application from Baidu which when I try to run uninstall it provides a rising sun image and options in Chinese text. There is a small logo that appears top left of the screen and all the text is in Chinese. I took a screen shot also attached. Evan Fixlog.txt Link to post Share on other sites More sharing options...
nasdaq Posted April 18, 2019 ID:1308457 Share Posted April 18, 2019 Hi, There are may entries in your logs referring to Baidu should we remove them all. Are you using the service? I can remove them all is you wish. Link to post Share on other sites More sharing options...
evanw Posted April 18, 2019 Author ID:1308472 Share Posted April 18, 2019 Yes please I would like all the Baidu removed. I am not using the service. EvanW Link to post Share on other sites More sharing options...
nasdaq Posted April 18, 2019 ID:1308498 Share Posted April 18, 2019 Hi, Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from. The location is listed in the 3rd line of the FRST.txt log you have submitted. Run FRST and click Fix only once and wait. The tool will create a log (Fixlog.txt) please post it to your reply. === Please post the Fixlog.txt and let me know what problem persists. fixlist.txt Link to post Share on other sites More sharing options...
evanw Posted April 18, 2019 Author ID:1308540 Share Posted April 18, 2019 Thank you. I have run and attached the fix log. So far no specific issues. EvanW Fixlog.txt Link to post Share on other sites More sharing options...
evanw Posted April 19, 2019 Author ID:1308602 Share Posted April 19, 2019 This morning Malwarebytes ran automatically on start up and found 5 threats. Quarantine resulted in only 1 file being removed, 4 failed. Log attached. Malwarebytes Report Scan 4 items not removed.txt Link to post Share on other sites More sharing options...
nasdaq Posted April 19, 2019 ID:1308675 Share Posted April 19, 2019 Hi, Your copy of Chrome has been compromised Remove Chrome from your Computer and reinstall a fresh copy later. If you remove the syncing of your account you must remove it before you save your bookmarks etc... Delete Your Google Chrome Browser Sync Data if you sync with other devices. <- Important ...https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/ Before you remove Chrome Export your Bookmarks Chrome will export your bookmarks as a HTML file, which you can then import into another browser. How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks Before you remove Chrome Export your Passwords How to export your saved passwords from Chromehttps://betanews.com/2018/03/09/export-chrome-passwords/ Clear your Chrome cache and cookieshttps://support.google.com/chromebook/answer/183083?hl=en Remove Chrome using the the instructions on this page.https://support.google.com/chrome/answer/95319?hl=en Re-install Chrome and the Bookmarks. <<<>> Keep me posted. Link to post Share on other sites More sharing options...
evanw Posted April 21, 2019 Author ID:1308921 Share Posted April 21, 2019 I had already uninstalled Chrome and Opera, so I cannot uninstall. I did a file search for Chrome and deleted the remaining files. Not all of them would delete (permissions, although I am an administrator). The scan log from this morning is down to one threat that comes up as removal failed. Should I reinstall Chrome? it is my preferred browser. EvanW Link to post Share on other sites More sharing options...
evanw Posted April 21, 2019 Author ID:1308922 Share Posted April 21, 2019 I can no longer attach files to this thread. This mornings scan log is pasted below. Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 21/04/2019 Scan Time: 12:17 Log File: a65ef038-641e-11e9-8ab5-74d02b1e9580.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.563 Update Package Version: 1.0.10260 Licence: Trial -System Information- OS: Windows 8.1 CPU: x64 File System: NTFS User: System -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Scheduler Result: Completed Objects Scanned: 264767 Threats Detected: 1 Threats Quarantined: 0 Time Elapsed: 17 min, 18 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 PUP.Optional.HTTPBreaker, C:\USERS\EVANW_000\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Removal Failed, [402], [455245],1.0.10260 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) Link to post Share on other sites More sharing options...
nasdaq Posted April 21, 2019 ID:1308950 Share Posted April 21, 2019 Hi, Refer to post No. 12. For now just remove the Sync (no 2) as suggested. Restart the computer normally. If MBAM still report the PUP.Optional.HTTPBreaker then to remove what is in Chrome Preferences you will have to follow my directives to remove Chrome completely. p.s. If the MBAM does not report the PUP then you should be good. Link to post Share on other sites More sharing options...
evanw Posted April 21, 2019 Author ID:1308958 Share Posted April 21, 2019 So having restarted the computer and done another scan it had come up with zero threats. I will now reinstall Chrome and check everything is stable in the coming days. Many thanks for your help so far. EvanW Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted April 25, 2019 Root Admin ID:1309493 Share Posted April 25, 2019 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks Link to post Share on other sites More sharing options...
Recommended Posts