
Stubborn virus removal and suspicious activity


This topic is locked
12 replies to this topic

#1 Mormoka

Mormoka

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:50 PM

Posted 13 December 2015 - 01:48 PM

(All screenshots have been taken only recently specifically FOR this topic post.)

 

Hello, I downloaded an infected file that suddenly filled my computer with so many installed programs. I've removed pretty much everything I can find with anti-virus/scanning software (I use herdProtect and 360 Total Security). I also have the GlassWire firewall, which is what has picked up all of the activity and connections my computer received after the initial download of the infected file.

 

[screenshot]

 

This is the suspicious activity that was picked up. 

 

[screenshot]

 

PlayGem 1.0 was one of the programs/viruses added and won't disappear from the programs list. I can't find any folders to do with PlayGem, as they were removed in an attempt to clean it off. Whenever I try to uninstall PlayGem 1.0 from the Control Panel, my antivirus is overwhelmed by suddenly detected trojans; a scan starts and everything is quarantined, but this program still won't go away. It only repeats the process I mentioned and remains under Programs.

 

I have had A LOT of things installed, detected and removed since this all began. My computer's performance has improved (it was really slow) and I don't get any strange advert pop-ups, which also occurred when the original file was downloaded. The processes that put my machine at 100% disk space usage are my anti-virus/scanners and the Service Host: Local Service processes. I can't say all of the latter are guilty of using so much disk, but the ones I had noticed being so demanding were (Network Restricted & No Impersonation). Looking in Task Manager now, I realise there's a lot more there. Is this normal?

 

[screenshot]

 

I also have high disk usage suddenly brought on by my anti-virus programs when they are open/scanning. I know this might be relatively normal, but there's a noticeable difference in the performance of my computer now compared to before this all happened. Google Chrome is also freezing and crashing a lot since the download.

 

In a sort of panic I changed my security/firewall settings to the highest security and to block inbound connections. I'm no expert with computer technology and I don't really know if this was a good idea or if I should change it back. Please help, I'm not sure what to do now; I really don't want to lose my computer.

If I may also add: the game I play often (League of Legends) now 'jumps' around where it's positioned, shifting a little in whatever position for a short half a second before re-positioning itself, and in game the screen flashes black for a very few milliseconds; I've noticed it flashes when keys are pressed. I'm worried something has happened to my graphics drivers, but I can't say it's not the firewall changes. The whole game has actually closed itself randomly, with no warning or freezing; it literally just closes.

 

I'm not sure what other information to provide, and I hope I'm not being disrespectful or rude. Please let me know if I need to provide more information, thank you.


Edited by Mormoka, 13 December 2015 - 02:21 PM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,580 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:50 PM

Posted 15 December 2015 - 07:52 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===


Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
[screenshot: attaching logs]

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===


How is the computer running now?
Wait for further instructions.

#3 Mormoka

Mormoka
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:50 PM

Posted 15 December 2015 - 03:19 PM

Hello thanks for replying

 

I'm afraid to say that when I tried to download AdwCleaner it was immediately picked up as a trojan by 360 and quarantined. I have to ask if it's really safe, because I feared a repeat of what had already happened. What do I do?

 

My computer is free of pop-ups (for now) and strange programs, but my game still suffers: I am unable to tab/click back into the game once tabbed out, and I'm not able to type (pre game launch) because it 'clicks off' the window. Another problem I've picked up is that when I click restart it 'freezes' for several seconds; this doesn't happen all the time though. I've also noticed windows/apps popping up and then disappearing in the background, and it's a little concerning.

 

For now here is the log from the Malwarebytes scan. As you asked to do everything in order and I can't proceed with the next step, sorry, this is all I can offer at the moment.

 
Attached File  MWB Log 1.txt   1.02KB   2 downloads

Edited by Mormoka, 15 December 2015 - 03:20 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,580 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:50 PM

Posted 16 December 2015 - 08:41 AM

The AdwCleaner tool is quite safe.
It does check some registry settings and your 360 program may object to this.

Leave it alone for now.

Post the logs after running the Farbar tool.

#5 Mormoka

Mormoka
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:50 PM

Posted 16 December 2015 - 12:12 PM

Again it was picked up by 360 (Farbar), but it wasn't removed, nor was it a 'trojan' this time; it was picked up as just an unknown program. I hope it was okay to allow it.

 

I'm not sure if I'm supposed to tick any boxes, so I left it all as it was and ran the scan. Here are the logs for that.

 

Attached File  FRST.txt   51.99KB   2 downloads

 

Attached File  Addition.txt   44.57KB   2 downloads



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,580 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:50 PM

Posted 17 December 2015 - 09:20 AM

PlayGem 1.0 was one of the program/viruses added and won't disappear from the programs list.


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF user.js: detected! => C:\Users\Morwenna\AppData\Roaming\Mozilla\Firefox\Profiles\mdiwmoxa.default\user.js [2015-06-29]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\!33B4A51AC4BCC6BFAE5C89ACEF60481C33B4.js [2015-12-12] <==== ATTENTION
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\33B4A51AC4BCC6BFAE5C89ACEF60481C33B4 [2015-12-12] <==== ATTENTION
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 SysInfo; \??\C:\Windows\system32\drivers\SysInfo.sys [X]
Task: {091472FF-E3CB-41EF-B33C-65FACBA6D5CB} - System32\Tasks\{E8BD9A8B-13E9-4812-ABBF-61277A8FA20B} => pcalua.exe -a "C:\Program Files (x86)\PlayGem\uninst.exe"
Task: {37D908C0-0CCF-47EB-873B-F2008AECABA9} - \Afpletuin -> No File <==== ATTENTION
Task: {3A22CFA3-CC61-4C85-A690-91A21D2D3B8C} - \bvxvyxxvcy -> No File <==== ATTENTION
Task: {3F89DFA8-002C-48B7-B206-09C067310957} - System32\Tasks\{44435860-8608-4025-AC00-ED037420A460} => pcalua.exe -a C:\ProgramData\FlashBeat\uninstall.exe
C:\ProgramData\FlashBeat


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===
 

PlayGem 1.0 was one of the program/viruses added and won't disappear from the programs list.


Please run the Farbar Recovery Scan Tool. Enter PlayGem in the Search Box.
Click the Search Registry button and post the content of the Search.txt file in your next reply.
===


Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Control Panel > Programs and Features applet.
Java 7 Update 80 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F06417080FF}) (Version: 7.0.800 - Oracle)
Java 8 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
Java 8 Update 60 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218060F0}) (Version: 8.0.600.27 - Oracle Corporation)

===

Please post the logs and let me know what problem persists.

#7 Mormoka

Mormoka
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:50 PM

Posted 20 December 2015 - 04:07 PM

Okay, so I made the fixlist.txt and had Farbar do its thing with the "Fix" button, then after the restart did the PlayGem search. Here are the results for both of them.

 

Attached File  Fixlog.txt   4.36KB   1 downloads

 

Attached File  Search.txt   1.6KB   1 downloads

 

Then I removed all previous Java versions (like you mentioned, there were 3 of them) and re-downloaded/installed Java from the Java website.

 

Looking in the program list I see that PlayGem has disappeared. I also noticed a program called 'Food Video'; I've seen it here before but I never knew what it was. It's still in my Programs, so I assume it's something safe? I would rather remove it since it's just a really weird name anyway, but if it's important then that would be good to know.

 

[screenshot]



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,580 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:50 PM

Posted 21 December 2015 - 08:46 AM

Copy the text IN THE CODE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "All files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.
 
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"PlayGem.exe"=-
[HKEY_USERS\S-1-5-21-2983020526-803008404-3560651913-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files (x86)\PlayGem\uninst.exe"=-
[HKEY_USERS\S-1-5-21-2983020526-803008404-3560651913-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files (x86)\PlayGem\PlayGem.exe"=-
[HKEY_USERS\S-1-5-21-2983020526-803008404-3560651913-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\Program Files (x86)\PlayGem\uninst.exe"=-
Restart the computer when completed.

You can delete the fixme.reg file when done.

===

Remove 'Food Video' via the Control Panel > Programs and Features applet.
It's considered a PUP (Potentially Unwanted Program), installed without your consent.

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===
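As an added example (not from this thread, not nasdaq's tool), a small Python script that previews what a "Windows Registry Editor Version 5.00" file such as the fixme.reg above would do when merged, so the deletions can be checked before right-clicking Merge. The embedded sample .reg is constructed to mirror the posted file, with a placeholder SID instead of the real one and two hypothetical keys added to show key deletion and value setting.

```python
import re
from dataclasses import dataclass

# Constructed sample mirroring the shape of the fixme.reg posted in this
# thread.  The SID is a placeholder, not the user's real one; the last two
# keys are hypothetical, added to show key deletion and value setting.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"PlayGem.exe"=-
[HKEY_USERS\S-1-5-21-PLACEHOLDER-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\Program Files (x86)\PlayGem\uninst.exe"=-
[-HKEY_CURRENT_USER\Software\HypotheticalKeyToDelete]
[HKEY_CURRENT_USER\Software\HypotheticalKey]
"SomeValue"="hello"
"""

@dataclass
class RegAction:
    kind: str          # ensure_key | delete_key | set_value | delete_value
    key: str
    name: str = ""     # value name; "" is the key's default value (@)
    data: str = ""     # raw data text for set_value, else ""

# A value line: @ or a quoted name (with \\ and \" escapes), '=', then data.
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _unescape(name):
    # Exported .reg files double backslashes in names; the posted file writes
    # them single.  Only \\ and \" are unescaped, so a lone \ is left as-is
    # and both forms parse to the same path.
    return name.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg(text):
    """Turn a REGEDIT5 file into the list of actions a merge would perform."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a 'Windows Registry Editor Version 5.00' file")
    actions, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):       # [-KEY] deletes the whole key
                actions.append(RegAction("delete_key", key[1:]))
                current = None
            else:                         # [KEY] creates the key if absent
                current = key
                actions.append(RegAction("ensure_key", key))
            continue
        if current is None:
            raise ValueError(f"value line outside any key: {line}")
        m = _VALUE_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line}")
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data == "-":                   # "name"=- deletes that value
            actions.append(RegAction("delete_value", current, name))
        else:
            actions.append(RegAction("set_value", current, name, data))
    return actions

def deletions(actions):
    """(kind, key, value_name) triples for everything a merge would remove."""
    return [(a.kind, a.key, a.name) for a in actions
            if a.kind in ("delete_key", "delete_value")]

if __name__ == "__main__":
    for kind, key, name in deletions(parse_reg(SAMPLE_REG)):
        print(f"{kind}: {key}" + (f" -> {name!r}" if kind == "delete_value" else ""))
```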

#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,580 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:50 PM

Posted 27 December 2015 - 10:55 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,580 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:50 PM

Posted 30 December 2015 - 08:30 AM

The program may have already been removed but the Entry is still present in the Registry.
 
Run this tool and try to remove it.
 
Please download the free version of GeekUninstall:
  • Please create a system restore point before continuing with the instructions.
  • Open the geek.zip file and run the geek.exe file inside of it.
  • A window will open. From the list of programs, click on the listed program(s), or anything similar, to remove it:
  • Food Video
  • Click on Action on the top menu and then select Force Removal.
  • When asked if you are sure you want to perform a forced removal, click Yes.
  • A window will appear telling the File System and Registry locations, click Finish.
  • Once all traces are removed, click Close.
  • Repeat for each of the programs on the list.


#11 Mormoka

Mormoka
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:50 PM

Posted 31 December 2015 - 06:26 PM

Okay, I used GeekUninstall (the free version, since the 'pro' version sent me to another site?) but I accidentally clicked remove entry; there was no warning or pop-up, it immediately just disappeared, and I'm not sure what to do about that.

I'm happy to say however that I have had fewer problems since this all started. I haven't said it yet, so: thank you for helping me. c:

Can I ask if you're aware of the "Process Explorer" program? I was looking and found it as a Task Manager replacement because there are a lot of svchost processes running (as well as other things I want to look at/verify). It is as it was described, more advanced than Task Manager, so I'm at a loss again.


Edited by Mormoka, 31 December 2015 - 06:27 PM.


#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,580 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:50 PM

Posted 01 January 2016 - 08:39 AM

Okay, I used GeekUninstall (the free version, since the 'pro' version sent me to another site?) but I accidentally clicked remove entry; there was no warning or pop-up, it immediately just disappeared, and I'm not sure what to do about that.

No need for the Pro version.
p.s.
Could it be that your Antivirus quarantined the download file?

If you want to get the free version, I had no problems with it.

===

Can I ask if you're aware of the "Process Explorer" program?

Yes, this is my canned speech.

Please Download Tweaking.com - Windows Repair from Here
  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan, skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore, do a Registry backup. When you have completed this click Next
  • Click on Repairs
  • Click Repairs - Open Repairs in the bottom right corner
  • Click the Unselect All button then select just the item(s) listed below

My note.
The repair options are listed below. Select the ones you want to fix. Make sure you have a good backup as suggested if you want to repair anything.

  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. (Reboot if asked to do so)
  • Please copy and paste the Contents of this file on your next reply.

===

01 - Repair Registry Permissions
02 - Reset File Permissions (2)
.. 02.01 File Permissions C:\
.. 02.02 File Permissions D:\
03 - Reset Service permissions
04 - Register System Files
05 - Repair WMI
06 - Repair Windows Firewall
07 - Repair Internet Explorer
08 - Repair MDAC/MS Jet
09 - Repair HOSTS File
10 - Remove Policies Set By Infections
11 - Repair Start Menu Icons Removed by Infections
12 - Repair Icons
13 - Repair Network (previously Repair Winsock & DNS Cache)
14 - Removed Temp Files
15 - Repair Proxy Settings
16 - Unhide Non System Files (2)
.. 16.01 Unhide C:\
.. 16.02 Unhide D:\
17 - Repair Windows Updates
18 - Repair CD/DVD Missing/Not Working
19 - Repair Volume Shadow Copy Service
20 - Repair Windows Sidebar/Gadgets
21 - Repair MSI (Windows Installer)
22 - Repair Windows Snipping tool
23 - Repair File Associations (12)
.. 23.01 - Repair bat Associations
.. 23.02 - Repair cmd Associations
.. 23.03 - Repair com Associations
.. 23.04 - Repair Directory Associations
.. 23.05 - Repair Drive Associations
.. 23.06 - Repair exe Associations
.. 23.07 - Repair Folder Associations
.. 23.08 - Repair inf Associations
.. 23.09 - Repair lnk (Shortcut) Associations
.. 23.10 - Repair msc Associations
.. 23.11 - Repair reg Associations
.. 23.12 - Repair scr Associations
24 - Repair Windows Safe Mode
25 - Repair Print Spooler
26 - Restore Important Windows Services
27 - Set Windows Service to Default Startup
28 - Repair Windows 8 Apps Store
29 - Repair Windows 8 Component Store
30 - Repair Windows 8 COM+ Unmarshalers
31 - Repair Windows 'New' Submenu
32 - Restore UAC (User Account Control) Settings
33 - Repair Performance Counters
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===




#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,580 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:50 PM

Posted 07 January 2016 - 08:20 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



