nivedx #1 Posted October 18
Looking for help removing this threat. Also, should I change any financial info that I've accessed while this threat was present?
Attachments: Bytes.txt, Addition.txt, FRST.txt
Maurice Naggar #2 Posted October 18
Hi, my name is Maurice. I will be helping and guiding you, going forward on this case. Please follow my directions as we go along. Please do not do any changes on your own without first checking with me. If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible. Please only just attach all report files, etc. that I ask for as we go along.

Let's start by doing a new thorough scan with Malwarebytes for Windows. The goal is to see whether there is an infection or PUP. Let's do one new run with Malwarebytes for Windows.

Start Malwarebytes. Click Settings. Click the Protection tab & scroll down to Scan options.
In the section "Potential Threat Protection", look down at the one "Potentially Unwanted Programs (PUPs)" and make sure it is set to "Always detect PUPs". Then look down at the one "Potential Unwanted Modifications (PUM)" and make sure it is set to "Always detect PUM".
Then, once all set there, click on the SCAN button. Then ensure Threat scan has a check mark. Then click Start scan.
Review the results list. Then I would suggest you make sure all lines have a check mark. To that end, if you click the very top left checkbox you can force all detected lines (if any are detected) to be selected for removal. Be sure each line is checked. Then you can proceed to click on the blue button Quarantine selected.

In Malwarebytes, click the Reports button (on the left). Look for the "Scan Report" that has the most recent date and time. When located, click the check box for it and click on View Report. Then click the Export button at the bottom left. Then select Text File (*.txt). Put in a name for that file and remember where the file is created. Then attach that file with your next reply.
nivedx #3 Posted October 18
Here's the newest log.
Attachment: newlog.txt
Maurice Naggar #4 Posted October 18
OK. That is a good run. Let's do some follow up.

[ 1 ] Using the Chrome browser, I need you to go to https://www.google.com/settings/chrome/sync and sign into your account. Scroll down until you see the "reset sync" button and click on the button. At the prompt click on "Ok".

[ 2 ] For Chrome, while Chrome is running: press & hold the SHIFT+CTRL+Del keys on the keyboard to get the menu for clearing browsing data:
Check mark the line "Browsing history"
Check mark the line "Download history"
Check mark the line "Cached images and files"
and press the Clear Data button (in blue).

[ 3 ] See this article on our Malwarebytes Blog: https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/
You want to disable the ability of each web browser on this machine to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or Opera. Scroll down to the tips section "How do I disable them".

[ 4 ] I suggest you install the Malwarebytes Browser Guard on to the Chrome browser. To get & install the Malwarebytes Browser Guard extension for Chrome, open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee
Then proceed with the setup.

[ 5 ] For the FIREFOX browser: to get & install the Malwarebytes Browser Guard Firefox extension, open this link in your Firefox browser: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/
Then proceed with the setup. That link is for English US. There are other language versions. Just go to the very bottom right of the page and look at the "Change language" drop-down list.
nivedx #5 Posted October 18
Cleared data, disabled push notifications and grabbed the Browser Guard. Are we all set? Could this threat have compromised accounts I logged into?
Maurice Naggar #6 Posted October 18
Sorry, I can't tell what you mean by "threat of compromised accounts I logged into". What I see here is an add-on that needs to be removed. I appreciate knowing you have done my last suggestions. Let's do what follows here, just to ensure that the prior misuse of PowerShell is all gone.

[ A ] There is an add-on called Browser Assistant & it needs to be uninstalled.
1. Type the Windows key+R to open the Run command.
2. Type control appwiz.cpl and hit Enter. The Programs and Features window will appear.
3. Locate Browser Assistant and click once to select it, then click the Uninstall button.
For uninstall help, you may also refer to this link: Windows 10: https://www.cnet.com/how-to/how-to-uninstall-an-app-or-program-in-windows-10/

[ B ] Close and save any open work files before starting this procedure. I am sending a custom fix script to do some cleanups. This custom script is for nivedx only. Please close and save any open work files before you start this next step. It may involve a Windows restart at the end of it.
I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.
Please RIGHT-click the attached file named FIXLIST and select SAVE AS and save it directly (as is) to the D:\Downloads folder. The tool named FRST64.exe is already in the Downloads folder.
Start Windows Explorer and then open the D:\Downloads folder. Double click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.
On the FRST window: click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.
This run here should be fairly quick. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply.
Let me know how this goes. We can do other steps, later, as needed.
Cheers,
Attachment: Fixlist.txt
nivedx #7 Posted October 18
I do not have "Browser Assistant" in my uninstall list.
nivedx #8 Posted October 18
Quoting Maurice: "Sorry, I can't tell what you mean by 'threat of compromised accounts I logged into'."
If I logged onto my banking website, do I need to change my passwords?
Maurice Naggar #9 Posted October 19
Please do go forward with the FRST Fix run and attach the log. We can cover the rest later. For your bank, you can, if you wish, change the password.
nivedx #10 Posted October 19
Sorry for the delay, had to work all day.
Attachment: Fixlog.txt
Maurice Naggar #11 Posted October 20
Thanks for the log report. Windows indicates that "Browser Assistant" is installed:
Browser Assistant (HKLM-x32\...\{DFAA6F11-C27B-4EC0-83AE-3AC5B124A899}) (Version: 1.32.7106.16145 - Realistic Media Inc.)
We need to see what traces there are for it. We will use FRST64 to search for it. FRST64 is in the D:\Downloads folder.
Start FRST64. Type the following (better yet, use COPY then Paste) into the search box exactly as shown, then press the Search Files button:
SearchAll: Browser Assistant
Please wait while the program searches for all entries relating to this program. When done, a search.txt log will be saved to the desktop. Please attach this log to your next reply.
Sincerely.
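The situation above, where FRST reports an uninstall entry under HKLM-x32 but the program is absent from the Programs and Features list, is a common one: the Uninstall registry key may be hidden from appwiz.cpl (for example with SystemComponent set to 1), or it may live only in the 32-bit WOW6432Node view. The following read-only PowerShell script is an added example, not part of the thread or of the FRST tool, that enumerates the standard Windows Uninstall keys and reports any entry whose name or publisher matches a pattern; the default pattern uses the two strings from the FRST line above ("Browser Assistant" and "Realistic Media"), and the registry paths are the standard ones Windows uses. It removes nothing and is meant only to confirm what is present before a cleanup script is written.

```powershell
# Added example (not from the thread): list Programs-and-Features registry entries matching a
# pattern, including entries hidden from appwiz.cpl and entries in the 32-bit (WOW6432Node) view,
# which is what FRST labels "HKLM-x32". Run from an elevated PowerShell prompt. Read-only.
param(
    # Default pattern built from the names quoted in the FRST output in the thread.
    [string]$Pattern = 'Browser Assistant|Realistic Media'
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',             # 64-bit machine-wide view
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', # 32-bit view ("HKLM-x32" in FRST)
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'              # per-user installs
)

$hits = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ("$($p.DisplayName) $($p.Publisher)" -match $Pattern) {
            [pscustomobject]@{
                Key             = $_.PSChildName        # e.g. the {GUID} product code
                Hive            = $root
                DisplayName     = $p.DisplayName
                Publisher       = $p.Publisher
                Version         = $p.DisplayVersion
                InstallLocation = $p.InstallLocation
                UninstallString = $p.UninstallString
                # Programs and Features hides entries that set SystemComponent=1 or have no DisplayName,
                # which explains an entry FRST can see but the uninstall list does not show.
                HiddenFromList  = ($p.SystemComponent -eq 1) -or [string]::IsNullOrEmpty($p.DisplayName)
            }
        }
    }
}

if ($hits) {
    $hits | Format-List
    # For entries that recorded an install folder, list the files still on disk so the
    # cleanup script can target them; nothing is deleted here.
    $hits | Where-Object { $_.InstallLocation -and (Test-Path $_.InstallLocation) } | ForEach-Object {
        Write-Host "Files under $($_.InstallLocation):"
        Get-ChildItem -Path $_.InstallLocation -Recurse -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
    }
} else {
    Write-Host "No uninstall entries matched '$Pattern'."
}
```

Run it as `.\Find-UninstallEntry.ps1` (any file name will do) or pass `-Pattern` with another name. The HiddenFromList column is the useful diagnostic: an entry that is present but hidden means the "I do not have it in my uninstall list" observation and the FRST report are both correct, and the leftover key and files still need to be removed by a cleanup script such as the FRST fix the thread goes on to use.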
Maurice Naggar #13 Posted October 21
I have a new custom fix. Please first delete the file I had you save before named FIXLIST.txt. I have attached a new one. This custom script is to clean out remains of "Browser Assistant".
Close and save any open work files before starting this procedure. I am sending a custom fix script to do some cleanups. This custom script is for nivedx only. Please close and save any open work files before you start this next step. It may involve a Windows restart at the end of it.
I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.
Please RIGHT-click the attached file named FIXLIST and select SAVE AS and save it directly (as is) to the D:\Downloads folder. The tool named FRST64.exe is already in the Downloads folder.
Start Windows Explorer and then open the D:\Downloads folder. Double click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.
On the FRST window: click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.
This run here should be fairly quick. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply.
Let me know how this goes.
Sincerely, Maurice
Attachment: Fixlist.txt
nivedx #14 Posted October 21
Here's the latest log.
Attachment: Fixlog.txt
Maurice Naggar #15 Posted October 21
Thanks for the log. Bravo. Tell me, please, how is the system now? And please do a new scan with Malwarebytes for malware & send me the scan report from that run.
Sincerely, Maurice
Maurice Naggar #17 Posted October 21
Thanks. What is reported is a PUP, PUP.Optional.ASK; it is associated with Chrome's "sync data". This last run indicates all items were quarantined. Please re-do a new scan & let's see the next report. Thanks. Hopefully the next one will have zero items tagged.
nivedx #18 Posted October 21
Should I not quarantine?
Attachment: newscan.txt
Maurice Naggar #19 Posted October 21
You SHOULD quarantine. Please read all of this & apply the tips.

Let's start by doing a new thorough scan with Malwarebytes for Windows. The goal is to see whether there is an infection or PUP. Let's do one new run with Malwarebytes for Windows.

Start Malwarebytes. Click Settings. Click the Protection tab & scroll down to Scan options.
In the section "Potential Threat Protection", look down at the one "Potentially Unwanted Programs (PUPs)" and make sure it is set to "Always detect PUPs". Then look down at the one "Potential Unwanted Modifications (PUM)" and make sure it is set to "Always detect PUM".
Then scroll all the way down to the section Automatic Quarantine. On the line "Automatically quarantine detected malware", be sure it is ON.
Then, once all set there, click on the SCAN button. Then ensure Threat scan has a check mark. Then click Start scan.
Review the results list. Then I would suggest you make sure all lines have a check mark. To that end, if you click the very top left checkbox you can force all detected lines (if any are detected) to be selected for removal. Be sure each line is checked. Then you can proceed to click on the blue button Quarantine selected.

In Malwarebytes, click the Reports button (on the left). Look for the "Scan Report" that has the most recent date and time. When located, click the check box for it and click on View Report. Then click the Export button at the bottom left. Then select Text File (*.txt). Put in a name for that file and remember where the file is created. Then attach that file with your next reply.
nivedx #20 Posted October 21
Here it is.
Attachment: latestscan.txt
Maurice Naggar #21 Posted October 22
We just need to do one other very quick cleanup for Chrome. First, delete the FIXLIST.txt I had you save before. I am sending a new one with this. It is attached.
Close and save any open work files before starting this procedure. I am sending a custom fix script to do some cleanups. This custom script is for nivedx only. Please close and save any open work files before you start this next step. It may involve a Windows restart at the end of it.
I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.
Please RIGHT-click the attached file named FIXLIST and select SAVE AS and save it directly (as is) to the D:\Downloads folder. The tool named FRST64.exe is already in the Downloads folder.
Start Windows Explorer and then open the D:\Downloads folder. Double click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.
On the FRST window: click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.
This run here should be fairly quick. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply.
Let me know how this goes.
Attachment: Fixlist.txt
nivedx #22 Posted October 22
Heading to bed.
Attachment: Fixlog.txt
Maurice Naggar #23 Posted October 22
Thank you for doing that & for the log. The run was just as planned. This cleaned up the area of Chrome that was triggering the PUP tag. Bravo. Let me know if you need other help at this point.
Sincerely, Maurice
Maurice Naggar #24 Posted October 23
Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance, please start your own topic in a new thread.
Thanks