
malware and popup in my PC


Go to solution Solved by Maurice Naggar,


Hi all,

Here again. Last week I caught malware from the POP.UP virus family tree, then I quarantined it with Malwarebytes software and removed the infected .exe, and cleared all the extra apps that the malware installed automatically on my PC, like CCleaner, Avast, Opera, etc., but problems still occur.

I have installed HijackThis and FRST64, but FRST64 doesn't open on Win11. The Malwarebytes report and scan say it's all free, but I'm not sure of this; I see my PC is still slow, guys.

Attached reports.

Thanks in advance for the support.

HiJackThis.log


Hello @Perucho10 and welcome back:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.


Hello :welcome: 

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

Select View > Show > File name extensions.

The IP Block notice by Malwarebytes does mean that your device is being protected from potential harm. Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes sca

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

 


Please double verify you have that TOP check-box tick marked, and that then, all lines have a tick-mark.

 

Then click on Quarantine  button.


 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


The "Block" notices mean that Malwarebytes IS protecting the Windows machine. Do not fret unnecessarily. BUT I urge you to CLOSE / EXIT Chrome browser. Instead just use EDGE browser.

If possibly you have a browser issue, can you try using a different web browser?
But in any event, always SAVE the downloads I guide you to. Then after the download is complete, you go to the file using File Explorer, and only then, launch it from there.

Let's do one special run  with Malwarebytes Adwcleaner. 
 
It will not take much time. Read over all lines before starting so that you have a good understanding of the whole method. Take your time and go carefully. I want to make sure you select all of what I list below - before - pressing the "scan" button.
 
First download & save it
 
Then go to where the EXE file is saved. Start Adwcleaner.  Do not rush. There are a few first choices to set as I have listed below.
 
Reply YES at the Windows prompt to allow the program to proceed and make changes. That is the usual Windows security prompt.
 
When AdwCleaner starts, on the left side of the window, click on “Settings” and then enable these repair actions on that tab-window by clicking their button to the far-right for ON status:

  • Delete IFEO keys
  • Delete tracing keys
  • Delete Prefetch files
  • Reset Proxy
  • Reset IE Policies
  • Reset Chrome policies
  • Reset Winsock
  • Reset HOSTS file
 
 
 
ONLY after you have set the selections above .... only after that .....
Now, on the left side of the AdwCleaner window, click on “Dashboard” and then click “Scan” to perform a computer scan.
 
 
This can take several minutes.
When the AdwCleaner scan is completed it will display all of the items it has found. Click on the “Quarantine” button to remove what it found.
 
AdwCleaner will now prompt you to save any open files or data as the program will need to close any open programs before it starts to clean.
Click on the “Continue” button to finish the removal process.
 
 
 
Attach the clean log from AdwCleaner when all completed. For example AdwCleaner[C00].txt
There is much more to do even after this.

  • Solution

Keep in mind much patience is required. Keep in mind I am a volunteer here + I am not on all the time + I have other cases that I need to get back to. This case will take more actions and may well need more attention later. This is not a cure-all procedure here.

Next first step is to turn OFF (to DISABLE) the "fast startup" of Windows 11.
See https://www.windowscentral.com/software-apps/windows-11/how-to-enable-or-disable-fast-startup-on-windows-11

When that is done, be sure to do (from Start menu) one Power >> Shutdown >> Restart.
Having "fast startup" can complicate our efforts to fix problems.

( 2 )

Temporarily disable Microsoft SmartScreen  & leave it off until the end of this case. 

( 3 )

First, please be sure to EXIT out / Close any open work you may have open at this point. We want the next runs to have sole use.

I would like you to run a custom cleanup script that will do the following:

  • Clean up a specific sub-folder of the user-TEMP folder + also empty the Windows Recycle Bin
  • It will do housekeeping to empty out temporary file areas
  • It will attempt to do 3 scans with Windows Defender antivirus to check for trojans & viruses
  • It will make a log file on the Desktop named Klearemlog.txt

Save the attached zip file to your system. If possible save it to the Desktop.

Klearem.zip < - - -
Then with File Explorer find the Klearem.zip

Next, with that zip file, Extract all content to the Desktop

Then with File Explorer, go to Klearem.txt and do a RIGHT-click with the mouse & select Rename, and rename it to Klearem.ps1

Once that is confirmed, then do a RIGHT-click on Klearem.ps1 & select the option Run with Powershell.
It will / should display as the 2nd choice on the option menu. Pick "Run with Powershell" and tap Enter.

Next, you may be questioned with an "Execution Policy Change" prompt. If so, respond with / type Y and tap Enter.
From then on, the script will automatically run.
When it has finished you should see an on-screen display

End of run. Please look for 'Klearemlog.txt' on the Desktop. Press Enter to exit

Next step right after that: you can simply download & save a copy of the tool FRST64.exe from this link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Then with File Explorer, go to FRST64.exe and do a RIGHT-click with the mouse & select Rename, and rename it to FRSTENGLISH.exe

RIGHT-click on FRSTENGLISH and select Run as Administrator and tap ENTER. And reply YES to allow to proceed.

  •  When the tool opens click Yes to the disclaimer.  And be very sure to TICK the box for Addition.txt
  • Press the Scan button.


  • It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run
  • Have patience since the run may take something like 10 or so minutes  (less depending on your hardware speed)
  • Close Notepad IF those show up on Notepad.
  • Just please Attach the 2 files FRST.txt +Addition.txt  with your next reply.
  • Also attach Klearemlog.txt from the Desktop to the next Reply.

There is more to do. Patience is called for. We are running the script above only due to not having a Farbar FRST64 report. The script here is only for one time use.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may lead to unforeseen results.

Edited by Maurice Naggar

  • 4 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

