Antivirus turned up nothing at first. Wasn't even sure I had malware until I picked out Avira leaking memory on poolmon. Tried MBAR to no avail among other extraction tools. GMER scans result in BSOD, unless I specifically run in safe mode without admin privileges (weird), but I can't delete anything. MWB rootkit scan randomly picked up some malware after 9 hours but it's not the source. Clean install is a last resort, so hopefully I have other options.

MWBreport.txt FRST.txt Addition.txt

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Do you know what this is for?
CHR Extension: (????????????[ChromeApps?]) - C:\Users\Clay\AppData\Local\Google\Chrome\User Data\Default\Extensions\eablgejicbklomgaiclcolfilbkckngf [2019-05-31]
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt.
===

Avast Browser

Syncing:

If the problem persists and Avast Browser is Synced with other devices please reset it.
https://support.avast.com/en-gb/article/Synchronize-Passwords-across-devices

Follow the directives under this section.

p.s.
Read the instructions before proceeding.
<<<>>>

Let me know what problem persists.
 

fixlist.txt

Hi,

Do you know what this is for?
CHR Extension: (????????????[ChromeApps?]) - C:\Users\Clay\AppData\Local\Google\Chrome\User Data\Default\Extensions\eablgejicbklomgaiclcolfilbkckngf [2019-05-31]
===

 

Please run the Farbar program in Normal Mode using an Administrator account.

Post the logs for my review.

 

2 hours ago, nasdaq said:

CHR Extension: (????????????[ChromeApps?]) - C:\Users\Clay\AppData\Local\Google\Chrome\User

no idea.

i ran the fixlist you originally gave me. that is what you wanted run right?

Fixlog.txt

Hi,

CHR Extension: (????????????[ChromeApps?])
Disable it from running in Chrome.
===

Both of these Anti Virus programs are enabled.

AV: Avira Antivirus (Enabled - Up to date) {88AE6B46-DC3C-455A-A21B-085F285A3546}
AV: Avast Antivirus (Enabled - Up to date) {EB19B86E-3998-C706-90EF-92B41EB091AF}

This can create problems and cause the computer to slow down.
Please disable one of them and restart the computer.

p.s.
If you decide to delete one of them, use the uninstaller as suggested below.
This will remove all traces of the program.

Avast
Download and run their uninstaller tool from this site.
https://www.avast.com/en-ca/uninstall-utility

Restart the computer when the removal is completed.
-----

Avira removal program.
Read this article and proceed as suggested.
https://www.techsupportall.com/avira-uninstall-tool/

Restart the computer when the removal is completed.
<<<>>>

Please run the Farbar program and post fresh logs for my review.
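Two steps in this thread come down to reading FRST.txt by hand: the "Running from" line near the top of the log says where Fixlist.txt has to be saved, and the Security Center section lists every registered AV/AS/FW product with its state and GUID, which is how the two enabled antivirus products were spotted. The script below is an example added to this thread, not part of FRST or Malwarebytes. It works over a constructed log excerpt that follows the header layout FRST writes (tool name, "Ran by", "Running from") and reuses the two AV lines quoted above; the AS and FW lines and the GUIDs in them are made up to exercise the parser.

```python
"""Triage helpers for a Farbar Recovery Scan Tool (FRST) log.

Example code added to this thread; it is not part of FRST or Malwarebytes.
It reads the "Running from" header line (where Fixlist.txt must be saved)
and the Security Center lines, then flags categories with more than one
product enabled at once."""
import re
from typing import Dict, List

# Constructed FRST.txt excerpt. The header layout (tool name, "Ran by",
# "Running from") is the one FRST writes and the two AV lines are the ones
# quoted in this thread; the AS and FW lines and their GUIDs are made up.
SAMPLE_FRST_LOG = """\
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 07-07-2019
Ran by Clay (administrator) on DESKTOP-EXAMPLE (07-07-2019 20:15:01)
Running from C:\\Users\\Clay\\Desktop
Loaded Profiles: Clay (Available Profiles: Clay)

==================== Security Center ========================

AV: Avira Antivirus (Enabled - Up to date) {88AE6B46-DC3C-455A-A21B-085F285A3546}
AV: Avast Antivirus (Enabled - Up to date) {EB19B86E-3998-C706-90EF-92B41EB091AF}
AS: Example Antispyware (Disabled - Out of date) {00000000-0000-0000-0000-000000000000}
FW: Example Firewall (Enabled) {11111111-1111-1111-1111-111111111111}
"""

# One AV:/AS:/FW: line: category, product name, state, optional update status, GUID.
PRODUCT_RE = re.compile(
    r"^(?P<category>AV|AS|FW):\s+(?P<name>.+?)\s+"
    r"\((?P<state>Enabled|Disabled)(?:\s*-\s*(?P<update>[^)]*))?\)\s+"
    r"\{(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}\s*$"
)


def running_from(log_text: str) -> str:
    """Return the folder FRST was run from (normally the 3rd header line)."""
    for line in log_text.splitlines()[:10]:
        if line.startswith("Running from "):
            return line[len("Running from "):].strip()
    raise ValueError("FRST header has no 'Running from' line")


def fixlist_path(log_text: str) -> str:
    """Fixlist.txt must sit next to FRST.exe, i.e. in the 'Running from' folder."""
    return running_from(log_text).rstrip("\\") + "\\Fixlist.txt"


def parse_security_products(log_text: str) -> List[Dict[str, str]]:
    """Parse every AV:/AS:/FW: line into a dict; unrelated lines are skipped."""
    products = []
    for line in log_text.splitlines():
        match = PRODUCT_RE.match(line)
        if match:
            products.append(match.groupdict())
    return products


def enabled_conflicts(products: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Categories (AV, AS, FW) with more than one product enabled at the same time."""
    enabled: Dict[str, List[str]] = {}
    for product in products:
        if product["state"] == "Enabled":
            enabled.setdefault(product["category"], []).append(product["name"])
    return {cat: names for cat, names in enabled.items() if len(names) > 1}


def triage(log_text: str = SAMPLE_FRST_LOG) -> dict:
    """Everything a helper checks first: fixlist location and overlapping products."""
    products = parse_security_products(log_text)
    return {
        "running_from": running_from(log_text),
        "fixlist_path": fixlist_path(log_text),
        "products": products,
        "conflicts": enabled_conflicts(products),
    }


if __name__ == "__main__":
    result = triage()
    print("Save Fixlist.txt as:", result["fixlist_path"])
    for cat, names in result["conflicts"].items():
        print(f"{cat}: {len(names)} products enabled at once: {', '.join(names)}")
```

Run it against a real FRST.txt by passing the file contents to triage(); the GUID regex is strict on purpose, so a line that does not carry a well-formed product GUID is ignored rather than mis-parsed.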
 

8 hours ago, nasdaq said:

CHR Extension: (????????????[ChromeApps?])
Disable it from running in Chrome.

I don't understand what you want me to do regarding this. I did however remove both avira and avast. I believe both were infected by the rootkit and couldn't uninstall them normally.

Addition.txt FRST.txt

13 hours ago, nasdaq said:

CHR Extension: (????????????[ChromeApps?])
Disable it from running in Chrome.

Actually, that's probably a Japanese game I used to play. Came up ???????? because of the Japanese characters. In any case I disabled it.
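The poster's guess can be checked offline. A Chrome extension's display name is often a placeholder such as __MSG_appName__ in manifest.json that Chrome resolves from _locales/<default_locale>/messages.json, and a log tool that prints only ASCII shows Japanese characters as question marks. The following Python script is an example added to this thread (not from the poster, nasdaq, FRST or Chrome): it builds a constructed Extensions folder containing a made-up extension under the ID from this thread with a Japanese name, plus a second hypothetical extension with broad permissions, then resolves the names, shows how each would look once non-ASCII characters are dropped, and flags permissions worth a second look. The folder layout Extensions\<id>\<version>_<n>\manifest.json matches Chrome's profile; the risky-permission list is the example's own choice.

```python
"""Resolve the real name and permissions of a Chrome extension from disk.

Example code added to this thread; not part of Chrome, FRST or Malwarebytes.
Assumed on-disk layout (Chrome's profile convention):
    <User Data>\\Default\\Extensions\\<32-char id>\\<version>_<n>\\manifest.json
A name such as "__MSG_appName__" is resolved through
_locales/<default_locale>/messages.json, as Chrome itself does."""
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Permissions worth a second look during triage. This list is the example's
# own choice, not a Chrome or Malwarebytes classification.
RISKY_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "proxy",
                     "debugger", "nativeMessaging", "cookies", "history", "tabs"}


def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Return the extension's name, resolving a __MSG_key__ placeholder
    through the default-locale messages file when one is present."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        messages_path = version_dir / "_locales" / locale / "messages.json"
        if messages_path.is_file():
            messages = json.loads(messages_path.read_text(encoding="utf-8"))
            name = messages.get(key, {}).get("message", name)
    return name


def inspect_extension(ext_dir: Path) -> dict:
    """Summarise one <id> folder: newest version, resolved name, the name as an
    ASCII-only tool would print it, and any flagged permissions."""
    version_dirs = sorted(p for p in ext_dir.iterdir() if p.is_dir())
    version_dir = version_dirs[-1]
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
    name = resolve_name(version_dir, manifest)
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    flagged = sorted(p for p in perms if isinstance(p, str)
                     and (p in RISKY_PERMISSIONS or p.endswith("://*/*")))
    return {
        "id": ext_dir.name,
        "version": version_dir.name,
        "name": name,
        # What a log tool prints when it replaces non-ASCII characters with '?'.
        "ascii_name": name.encode("ascii", "replace").decode("ascii"),
        "flagged_permissions": flagged,
    }


def _write_extension(extensions_dir: Path, ext_id: str, version_folder: str,
                     manifest: dict, messages: Optional[Dict[str, str]] = None) -> Path:
    """Write a constructed extension folder in Chrome's layout (test data only)."""
    version_dir = extensions_dir / ext_id / version_folder
    version_dir.mkdir(parents=True, exist_ok=True)
    (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    if messages:
        locale_dir = version_dir / "_locales" / manifest["default_locale"]
        locale_dir.mkdir(parents=True, exist_ok=True)
        payload = {key: {"message": text} for key, text in messages.items()}
        (locale_dir / "messages.json").write_text(
            json.dumps(payload, ensure_ascii=False), encoding="utf-8")
    return version_dir


def build_sample_profile(root: Path) -> Path:
    """Constructed Extensions folder with two made-up extensions."""
    extensions = root / "Extensions"
    # 1) The ID from this thread, with a Japanese name behind a __MSG_ placeholder.
    _write_extension(extensions, "eablgejicbklomgaiclcolfilbkckngf", "1.4.2_0",
                     {"manifest_version": 2, "name": "__MSG_appName__", "default_locale": "ja",
                      "version": "1.4.2", "permissions": ["storage", "unlimitedStorage"]},
                     {"appName": "ゲームランチャー[ChromeApps版]"})
    # 2) A hypothetical extension (made-up ID) asking for broad permissions.
    _write_extension(extensions, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "0.9_0",
                     {"manifest_version": 2, "name": "Search Helper", "version": "0.9",
                      "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"]})
    return extensions


def demo() -> List[dict]:
    """Build the sample profile in a temp dir and inspect every extension in it."""
    extensions = build_sample_profile(Path(tempfile.mkdtemp(prefix="chrome-ext-demo-")))
    return [inspect_extension(d) for d in sorted(extensions.iterdir()) if d.is_dir()]


if __name__ == "__main__":
    for info in demo():
        print(json.dumps(info, ensure_ascii=False, indent=2))
```

To use it on a real profile, point inspect_extension() at each folder under C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Extensions; a resolved name alone does not prove an extension is benign, so the flagged permissions are printed alongside it.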


Yes it possibly was.

Stay safe.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

Hey, sorry, there was a misunderstanding. Deactivating the Chrome app hasn't stopped the rootkit. I'm still hoping you can go through my latest FRST logs posted yesterday.


Hi,

Let's check for a rootkit.

Read carefully and follow these steps.
TDSS

  • Download TDSSKiller and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


===

Run the Farbar program and post fresh logs for my review.


Hi,

The Volume Shadow Copy Service and System Restore may need attention.

Navigate to this page.
https://www.makeuseof.com/tag/3-check-system-restore-working/

Execute the instructions in Section 4 and 5 on the page.

Under section 5, when it comes time to select an option, select the one that says Keep my Files.

Restart the computer when done.

Let me know what problem persists.

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
