Doghead Posted January 9, 2021 ID:1431397 Share Posted January 9, 2021 Hello, I seem to be affected by this same malware. Spawns at every reboot, messes up with google search results in every browser and seems to be obtrusive of changes in settings. I can't download the files that were used to clean it and I can't reset the Group Policy ("System cannot find the file specified"). I could find the post copy pasting Zemana's results, which seems to be the only temporary fix. kevinf80 named it a variation of AutoconfigURL. Any help will be appreciated. Quote MD5 : Status : Scanned Object : software\microsoft\windows\currentversion\internet settings\connections Publisher : Size : 0 Detection : MaliciousSetting f Action : Delete ----------------------------------------------------------------------- MD5 : Status : Scanned Object : software\policies\microsoft\internet explorer\control panel Publisher : Size : 0 Detection : MaliciousSetting Action : Delete ----------------------------------------------------------------------- MD5 : Status : Scanned Object : software\wow6432node\policies\microsoft\internet explorer\control panel Publisher : Size : 0 Detection : MaliciousSetting Action : Delete ----------------------------------------------------------------------- Link to post Share on other sites More sharing options...
kevinf80 Posted January 9, 2021 ID:1431402 Share Posted January 9, 2021 Hello Doghead and welcome to Malwarebytes, Continue with the following: If you do not have Malwarebytes installed do the following: Download Malwarebytes version 4 from the following link:https://www.malwarebytes.com/mwb-download/thankyou/ Double click on the installer and follow the prompts. When the install completes or Malwarebytes is already installed do the following: Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab. Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Clsoe out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes quarantine any found entries... To get the log from Malwarebytes do the following: Click on the Detection History tab > from main interface. Then click on "History" that will open to a historical list Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options:Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Next, Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.htmlNote: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status... Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Let me see those logs in your reply... Thank you, Kevin.... Link to post Share on other sites More sharing options...
Doghead Posted January 10, 2021 Author ID:1431416 Share Posted January 10, 2021 Hello Kevin, Thanks for the fast reply. Here's the requested files. ps: I hope Spanish is not a problem with the Farbar files. AdwCleaner[C03].txt Malwarebytes report.txt Addition.txt FRST.txt Link to post Share on other sites More sharing options...
Solution kevinf80 Posted January 10, 2021 Solution ID:1431450 Share Posted January 10, 2021 (edited) Hiya Doghead, Thanks for those logs, continue: Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.Note: If the tool warned you about an outdated version please download and run the updated version.NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The following directories are emptied: Windows Temp Users Temp folders Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache BITS transfer queue (qmgr*.dat files) Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. Next, Download "Microsoft's Safety Scanner" and save direct to the desktop Ensure to get the correct version for your system....https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Right click on the Tool, select Run as Administrator the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\msert.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Next, Run a scan with Zemana, does the issue return..? Thank you, Kevin... fixlist.txt Edited January 10, 2021 by kevinf80 typing error Link to post Share on other sites More sharing options...
Doghead Posted January 10, 2021 Author ID:1431486 Share Posted January 10, 2021 All done. Zemana detected one persistent malicious setting. Quote MD5 : Status : Scanned Object : software\microsoft\windows\currentversion\internet settings\connections Publisher : Size : 0 Detection : MaliciousSetting f Action : Delete msert Jan 10.log Fixlog.txt Link to post Share on other sites More sharing options...
kevinf80 Posted January 10, 2021 ID:1431519 Share Posted January 10, 2021 Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt" Rename FRST to FRSTEnglish before running.... (right click on FRST, select "Rename") Link to post Share on other sites More sharing options...
kevinf80 Posted January 10, 2021 ID:1431521 Share Posted January 10, 2021 Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt" Rename FRST to FRSTEnglish before running.... (right click on FRST, select "Rename") Link to post Share on other sites More sharing options...
Doghead Posted January 10, 2021 Author ID:1431531 Share Posted January 10, 2021 Here it is. Seems the obnoxious ads are gone for now. FRST.txt Addition.txt Link to post Share on other sites More sharing options...
kevinf80 Posted January 10, 2021 ID:1431538 Share Posted January 10, 2021 Those logs look good, no signs of any malware. Do you have any remaining issues or concerns...? Link to post Share on other sites More sharing options...
Doghead Posted January 10, 2021 Author ID:1431545 Share Posted January 10, 2021 Ran Zemana again and came out clean. Thank you very much for your assistance. I hope my donation is enough to compensate your time. Link to post Share on other sites More sharing options...
Doghead Posted January 10, 2021 Author ID:1431547 Share Posted January 10, 2021 Have you figured out how this malware is originated? I'd really like to avoid it next time. Link to post Share on other sites More sharing options...
kevinf80 Posted January 11, 2021 ID:1431566 Share Posted January 11, 2021 Hiya Doghead, Your system was exploited with AutoConfigURL infection, using software such as KMSpico is known to cause that and other issues, especially as in your case Task Sheduler was set up to make outbound calls from that software. There was also an open door through your Firewall for same software... Continue to clean up: Right click on FRST here: C:\Users\Gabriel Rocha\Downloads\FRST.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator" If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST to uninstall That action will remove FRST and all created files and folders... Next, Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2 Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/ Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/ Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee PatchMyPC, keep all your software upto date - https://patchmypc.com/home-updater#download From there you should be good to go... Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful....Answers to Common Security Questions and best PracticesDo I need a Registry Cleaner? Take care and surf safe Kevin... 1 Link to post Share on other sites More sharing options...
kevinf80 Posted January 12, 2021 ID:1431982 Share Posted January 12, 2021 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following for Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts