SAVpanda

same malware keeps being detected every other scan


I downloaded and ran the Farbar tool and have attached the FRST and Addition files.

Like the title says, I keep seeing repeated malware on scans. I keep moving it to quarantine, but the same ones and more pop up on the next scan. What do I do?

FRST.txt Addition.txt


Hi, and welcome.

My name is Maurice. I will be helping and guiding you, going forward on this case.

Let me know what first name you prefer to go by.

 

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

 

Please attach only the report files, etc., that I ask for as we go along.

 


I would appreciate getting some key details from this machine in order to help you going forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if they are blocked by your system.

 

Have patience while the report tool runs. It may take several minutes. Just let it run and take its time. You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool

    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.5.4.760.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"
    Do NOT use the button "Start repair"!
    Click the Advanced tab on the left column
    Click the Gather Logs button
    A progress bar will appear and the program will proceed with getting logs from your computer
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Please know I help here as a volunteer and that I am not on 24 x 7.

Help on this forum is one to one. Again, please be sure to ONLY attach report files with your replies as we go along. Do not copy / paste into the main body.

Thank you,

Sincerely.

 


Thank you. I did uninstall and reinstall Google Chrome before I saw your reply, just to let you know, if that matters.

Here is the zip file you requested.

mbst-grab-results.zip


OK. Thanks for sending the report ZIP file. I will be making another reply soon.

Just please do not make any changes, tweaks or adjustments on your own. If you have questions, ask me first.


Thanks for the support tool report.

Some of these issues are due to the Chrome browser being harder to clean because of the use of the Google SYNC feature. Let's set SYNC to Off.

Use the Chrome browser  to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

[   2   ]

For Chrome, while Chrome is running:
Press & hold the SHIFT+CTRL+Del keys on the keyboard to get the menu for clearing browsing data:

Check mark the line "Browsing history"

Check mark the line "Download history"

Check mark the line "Cached images and files"
and press the Clear Data button (in blue)

 

After that, make real sure that Chrome is NOT set to reload the pages from the last session.

Go into the settings menu of Chrome by first clicking the control icon of Chrome at the upper right of the address bar.

Then look deeper in SETTINGS.

Make real sure it is NOT set to "continue where you left off".

.

[    3    ]

This next task should run in around 20 minutes or so, perhaps less. Just please close any applications & web browser windows that you opened and that are still open.

I would suggest you download, save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved AdwCleaner and before you start the AdwCleaner scan.

AdwCleaner detects factory preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved AdwCleaner. Double click AdwCleaner to start it.

At the prompt for the license agreement, review and then click on I agree.

 

You will then see the main screen for AdwCleaner (if you do not see it right away, minimize the other open windows so you can see AdwCleaner).

Then click on the Dashboard button.

Click the blue button "Scan Now".

 

Allow it a few minutes to finish the scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the AdwCleaner "C" clean report.

In AdwCleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean".

Double click that line & it will open in Notepad. Save the file to your system and then attach it with your reply.

 

That Clean report will be the one with the most recent date and time in the folder C:\AdwCleaner\Logs

Thanks.  Keep me advised.

 

Patience is key in all this.  We will be doing more, later.

Sincerely.

 

Edited by Maurice Naggar
corrected

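The two Chrome changes asked for in the post above (sync off, startup not set to "continue where you left off") are made through the Chrome UI, which a later sync or a stray click can undo. As an added example that is not part of the original thread, the PowerShell below pins both as machine-wide Chrome policies instead, so the browser UI shows them greyed out and cannot flip them back. It assumes an elevated PowerShell on Windows 10 and uses the policy names and registry location that Chrome documents (SyncDisabled, RestoreOnStartup under HKLM\SOFTWARE\Policies\Google\Chrome); the function names are my own.

```powershell
# Added example, not from the thread or from Malwarebytes/Google.
# Run from an elevated PowerShell (Windows key + X, "Windows PowerShell (Admin)").

$policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'   # where Chrome reads machine policy on Windows

function Set-ChromeLockdownPolicy {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }

    # SyncDisabled = 1: Chrome Sync is off and the user cannot turn it back on.
    New-ItemProperty -Path $policyKey -Name 'SyncDisabled' -PropertyType DWord -Value 1 -Force | Out-Null

    # RestoreOnStartup = 5: open the New Tab page at startup.
    # Value 1 is "continue where you left off", the setting the post says to avoid.
    New-ItemProperty -Path $policyKey -Name 'RestoreOnStartup' -PropertyType DWord -Value 5 -Force | Out-Null
}

function Get-ChromeLockdownState {
    # Returns what is actually set, so the result can be checked rather than assumed.
    if (-not (Test-Path $policyKey)) {
        return [pscustomobject]@{ SyncDisabled = $null; RestoreOnStartup = $null; Locked = $false }
    }
    $p = Get-ItemProperty -Path $policyKey
    [pscustomobject]@{
        SyncDisabled     = $p.SyncDisabled
        RestoreOnStartup = $p.RestoreOnStartup
        Locked           = ($p.SyncDisabled -eq 1 -and $p.RestoreOnStartup -ne 1)
    }
}

Set-ChromeLockdownPolicy
Get-ChromeLockdownState
```

Restart Chrome afterwards; chrome://policy lists the effective values and flags any policy it did not accept. Removing the two values (or the key) restores normal user control.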

Sorry. My bad. I have corrected a few lines that appeared out of sequence. You may need to do a refresh to see the edited copy.


The AdwCleaner found 5 PUPs. Might be a stupid question, but do you want me to quarantine these or click cancel?


Yes, have them quarantined / removed.

Please find and send the AdwCleaner "C" clean report.

In AdwCleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean".

Double click that line & it will open in Notepad. Save the file to your system and then attach it with your reply.

 

That Clean report will be the one with the most recent date and time in the folder C:\AdwCleaner\Logs


Thank you for the AdwCleaner report.

This is the next step to clean up a few things on this system, including 2 executable files in the user Temp area which do not belong there in the first place.

We will  do more after this.

.

Please close and save any open work you may have.

Please close as many un-needed app windows as you can that you yourself have open at this point, so you can have a clear field of view.

 

This custom script is for SAVpanda only / for this machine only.

Close and save any open work files before starting this procedure.

 

Please close and save any open work files before you start this next step. It will involve a Windows restart at the end of it.

I am sending a custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the attached file named FIXLIST and select Save link as, and save it directly (as is) to the Downloads folder.

The tool named FRSTENGLISH.exe is already in the Downloads folder.

Start Windows Explorer and then go to the Downloads folder.


RIGHT click on FRSTENGLISH and select Run as administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool...

click the line More info on that screen

and click the button Run anyway on the next screen.

 

On the FRST window:
Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply, at your next opportunity.

 

 

Fixlist.txt


Bravo. Thanks for the log report. The custom fix went as expected.

Lets do a new scan with Malwarebytes for Windows.

Please do a new Scan on this machine, using Malwarebytes for Windows.

To run a Threat Scan, open Malwarebytes for Windows and click the blue Scan button.

Have patience during the run.

When the scan phase is done, be real sure you review and have all detected line items check-marked on the left. That too is very critical.

Then click on Quarantine selected.

 

Then, locate the scan run report; export out a copy; & then attach it with your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

Then also, kindly provide me an overall sense of the status of the situation after that run.

Sincerely,

Maurice


OK. Looks like the scan found 2 and I quarantined them.

The scan report is attached.

Overall, 2 is better than the original 10-15 that the scans used to come up with. Whatever this virus is had got into my Google accounts yesterday, making random purchase transactions. I had to change all my passwords and am dealing with getting those transactions cancelled. I had changed all passwords for everything and no new transactions have been made since. This was all before I posted on this website. I was just getting constant malware every scan; that's when I posted here.

So is there anything else I need to do, or are these infections resolved?

Malwarebytes scan date 3-20-20 time 1443.txt


Thanks.

There is something somewhere in Chrome's "Web Data" that has traces of "mysearchdial".

There are some traces of what is classified as PUP.Optional.MySearchDial.

Find FRSTENGLISH.exe in the Downloads folder.

Start FRSTENGLISH.
Type the following (better yet, use Copy then Paste) into the search box exactly as shown, then press the Search Files button:

SearchAll: mysearchdial;searchdial

Please wait while the program searches for all entries relating to this program; when done, a Search.txt log will be saved to the desktop. Please attach this log to your next reply.

[   NEXT step]

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Look at & un-tick   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (i.e. their standard product). You do not need to buy, get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).

Press Continue when all done. You should click to turn off the offer for "periodic scanning".

 


If other parties have made purchases on your credit cards, you may well be a victim of identity or credit card account theft.

Review all your recent charges on your credit cards and checking & bank accounts.

If anything appears to be theft, be sure you let those companies know & ask to be put on an identity theft watch.

.

What is left here (mysearchdial) is a PUP, a potentially unwanted type of add-on.


The search results are attached.

Yeah, the virus had got into my PayPal and started making transactions. I've contacted all transactions so far, just waiting for cancellations and refunds. Thanks.

I downloaded the ESET scanner and am going to perform that now.

Search.txt


Thanks for the Search log. This has found nothing. Please be sure to go forward with the ESET scan.

 

Later on, if needed, you may consider switching to only using the Brave browser, which in my opinion has more security than Chrome.

In the process of installing Brave, it would copy across all the saved site passwords that are in Chrome.

The Brave browser is at this link https://brave.com/

If you were to install Brave, then you can stop using Chrome.

Also, since this PC runs Windows 10, you could just use only the Edge browser.


OK. I'm running the ESET scanner now and it is roughly 45% complete. So far, it has detected 9 objects.

So, is using the Google Chrome browser the only thing causing this PUP? If so, will my phone be affected too, because that also is using the same Google Chrome account?


No, your phone should not be affected by what's going on on this Windows PC.

Plus, you turned off the SYNC on Google as I listed before, right?


Yeah, I unsynced Google earlier when following your instructions.

I'm probably going to switch my default browser to Edge and uninstall Google Chrome. Should I do this now while the ESET scanner is running, or just wait till it's done? Also, should I sign out of Chrome before uninstalling, or doesn't it matter?

Thanks.


Let the ESET scan finish first, please. After that, you can do what you need.

You can (later, I mean) just exit out of Chrome, then uninstall it.


The 2 unremoved files (due to access being a factor) are things included by Avast which the ESET scan has flagged as PUP:

C:\Program Files\AVAST Software\Avast\setup\aswOfferTool.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    error while deleting (Access denied)

C:\Program Files\AVAST Software\Avast\setup\offertool_x64_ais-95d.vpx    Win32/Bundled.Toolbar.Google.D potentially unsafe application    error while deleting (Access denied)

On the other items that ESET flagged and removed, it is important to know about those it tagged as "hacktools", which typically are bundled with stuff downloaded from dodgy sites.

It is important to only get files from known safe sources.

Make it a practice to always first "save" any download, and second, before even opening it or doing anything, scan it with the resident antivirus, or even better, scan it with Windows Defender.

.

Follow best practices when browsing the Internet, especially when opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address (one that does not fit, is odd looking, or has typos).


Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected (out of the blue) email, no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always save first and then scan with the antivirus program.

.

Know that if you were to uninstall Avast, the Windows Defender antivirus included with Windows 10 would come on. It is a strong & very capable antivirus. It is built in & is free.

As long as Avast is installed, Windows Defender real-time protection is off.

.

You may delete the tagged Avast files by doing what follows.

1. First step is to turn off Avast so you can do the deletes.

See the guide here https://appuals.com/disable-avast-antivirus-temporarily/

 

2. Open an elevated command prompt window, i.e. run Command Prompt as an administrator.

There are 2 command lines to do, tapping the Enter key after each.

It is best to use Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is.

To get the elevated command prompt, press Windows key + X and then select Command Prompt (Admin).

On that command prompt, copy & paste this command:

del /s /q "C:\Program Files\AVAST Software\Avast\setup\aswOfferTool.exe"

Once it is on the command screen, tap the Enter key to have it do the deletion. Watch the result.

 

Next, copy and paste this next line as is:

del /s /q "C:\Program Files\AVAST Software\Avast\setup\offertool_x64_ais-95d.vpx"

Once it is on the command screen, tap the Enter key to have it do the deletion. Watch the result.

Those 2 files are bundled with the program & should be thought of as adware. Note that "offertool" is a part of the name.

.

Keep me advised on those steps above.

.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

The log is named MSERT.log.

The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply, and let me know about the overall situation at that point.

 

P.S. Turn the Avast antivirus back on (assuming you are keeping it).

 

Edited by Maurice Naggar
added note

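The post above asks for two `del` commands from an elevated Command Prompt and the ESET result it quotes already shows both files refusing deletion with "Access denied". As an added example that is not part of the original thread and not Maurice's instructions, the PowerShell below does the same job in a way that leaves a record: it captures each file's hash, signer and owner before anything is touched, optionally scans it with the Windows Defender command-line scanner (MpCmdRun.exe, part of Windows 10), then attempts the delete and reports an access-denied refusal as a distinct outcome instead of a bare error. It assumes an elevated PowerShell (the Windows key + X menu on current Windows 10 builds offers "Windows PowerShell (Admin)"), that Avast's protection has been turned off first as the post says, and the two paths are the ones quoted from the ESET log; the function names are my own.

```powershell
# Added example, not from the thread, Malwarebytes, ESET or Avast.
# Run from an elevated PowerShell after Avast has been turned off.

# Paths exactly as quoted in the ESET result above.
$targets = @(
    'C:\Program Files\AVAST Software\Avast\setup\aswOfferTool.exe',
    'C:\Program Files\AVAST Software\Avast\setup\offertool_x64_ais-95d.vpx'
)

function Get-FileEvidence {
    # Record what the file is before it is removed, so the helper can review it later.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $acl  = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        SizeBytes = $item.Length
        Modified  = $item.LastWriteTimeUtc
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        SigStatus = $sig.Status          # Valid / NotSigned / HashMismatch ...
        Owner     = $acl.Owner
    }
}

function Invoke-DefenderFileScan {
    # Same "scan it with Windows Defender" step the post recommends for downloads.
    # MpCmdRun exit code 0 = clean, 2 = threat found. Returns $null if Defender is absent.
    param([Parameter(Mandatory)][string]$Path)
    $mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    if (-not (Test-Path -LiteralPath $mpcmd) -or -not (Test-Path -LiteralPath $Path)) { return $null }
    & $mpcmd -Scan -ScanType 3 -File $Path | Out-Null
    return $LASTEXITCODE
}

function Remove-FlaggedFile {
    # Try the delete and say exactly why it failed, rather than just "Access is denied".
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "ABSENT  $Path" }
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        return "DELETED $Path"
    } catch {
        # PermissionDenied is the outcome the ESET log showed for these two files:
        # the file is still protected or in use, so a plain delete will not work.
        $why = $_.CategoryInfo.Category
        return "FAILED  $Path [$why]: $($_.Exception.Message)"
    }
}

# 1. Evidence first (hash, signer, owner), printed so it can be pasted into a reply.
$targets | ForEach-Object { Get-FileEvidence -Path $_ } | Format-List

# 2. Optional Defender verdict for each file.
foreach ($t in $targets) {
    $code = Invoke-DefenderFileScan -Path $t
    if ($null -ne $code) { Write-Output "Defender scan exit code for ${t}: $code" }
}

# 3. Only now attempt the removal, and show one result line per file.
$targets | ForEach-Object { Remove-FlaggedFile -Path $_ }
```

If the result lines still read `[PermissionDenied]` with Avast's self-protection switched off, the files are being held by something else (an open handle or the product's own service), and the next check is to see what process or service still has them open rather than to repeat the delete.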

Hitting WINDOWS + X doesn't show Command Prompt, but it does show Windows PowerShell. I just opened Command Prompt by searching for it, then right-clicked and chose Run as admin.

When I copied and pasted your lines one at a time, both said "Access is denied". I'm running it as admin, so I don't know why it's denying me.


Also, I turned off Avast as instructed in the link before running the command prompt.

This topic is now closed to further replies.