
WOW6432Node Malware Removal



Dear Forum,

I have received an email in which someone states they have obtained a password of mine and tries to blackmail me with it. I took it seriously because while the credentials they had are not an actual password of mine, they are an account name of mine for a login.
So I searched my system with Malwarebytes and found this "Adware Keen.Value" / WOW6432Node Updater thing and quarantined it. I then googled and found a thread about this in your forum here: https://forums.malwarebytes.com/topic/241531-wow6432node-updater/ 

Since this was exactly that malware I just followed the steps that were suggested in this topic until I reached the point where I need a custom fixlist file for FRST. 
If someone could help me with that I would be really grateful!

To recap, the steps I took so far are: 

- Malwarebytes scan and quarantine of the above files

- AdwCleaner scan and quarantine of two more files

- FRST Scan

- Microsoft Removal Tool Quick Scan

I will attach all the logs (some of which are in German, unfortunately).

As far as I understand the next step would be to properly deep clean the system with the custom fixlist for FRST?

Malwarebytes Detection.txt

 

Thank you,

Chris

Addition.txt AdwCleaner[C00].txt AdwCleaner[S00].txt AdwCleaner[S01].txt FRST.txt Malwarebytes Clean.txt mrt.log


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Your logs are clean of malware.

Malwarebytes removed it completely.

You may be interested in deleting the items in MBAM's quarantine folder.
These are not active and not doing anything bad.

Follow these directives and delete all items in the Quarantine folder.
Quarantine or restore items with Malwarebytes
https://support.malwarebytes.com/hc/en-us/articles/360038479214-Quarantine-or-restore-items-with-Malwarebytes-for-Windows-v4

If you have any issues with this computer please advise.

Stay safe.


Hi Nasdaq and thanks for your reply! 

So there is nothing that could be left deep in my system that might be able to reactivate the malware or something like that? I'm asking because of the extensive procedure in the other thread with the Farbar Recovery Tool.

Thank you,
Chris


Hi,

You did good in running MBAM and AdwCleaner.

For your peace of mind run this program.

--RogueKiller--

  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED  
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.


=======

  • 2 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

