Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with PUP.Goobza


  • This topic is locked This topic is locked
5 replies to this topic

#1 violinkit1213

violinkit1213

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:58 PM

Posted 12 September 2016 - 10:04 AM

Hello, last night I was infected with the Pup.Goobza virus, the whole shebang: pc speedup, search module, etcetc. and several dastardly rootkits.

 

I did sort of find a guide here on Bleepingcomputers as well as Tenforum, and I feel like I've sort of cleared most of the egregious stuff out, but could use some help in making sure everything is nice and clean.

 

I ran RKill, RogueKiller, TDSSKiller, Malwarebytes, and Eset Online Scan multiple times until all of those listed programs have come up clean.

 

I also ran Malwarebytes in safe mode multiple times before booting up Eset Online Scan.

 

The reason I'm unsure is because while I was running my first ESET online scan, Malwarebytes was still blocking malicious incoming websites. ESET did end up picking up about 3 more threats and did successfully delete them and since then nothing has been showing up but I would just like to make sure.

 

This was my last malwarebytes scan log. I ran malwarebytes with Detect Rootkit selected.

 

Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: kit

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 453908
Time Elapsed: 29 min, 36 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)
 


Edited by violinkit1213, 12 September 2016 - 10:21 AM.


BC AdBot (Login to Remove)

 


#2 violinkit1213

violinkit1213
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:58 PM

Posted 12 September 2016 - 10:22 AM

These are my FRST and Addition logs.

Attached Files



#3 violinkit1213

violinkit1213
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:58 PM

Posted 12 September 2016 - 07:15 PM

So it's been about a day and so far the system is looking good, no more weird SVChost trying to connect to strange websites, and the scans are coming up clean. Hope to hear back from you guys soon!



#4 violinkit1213

violinkit1213
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:58 PM

Posted 12 September 2016 - 07:50 PM

Nevermind, Pup.Goobza just popped up again and reinstalled Search Module.



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,759 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:58 PM

Posted 13 September 2016 - 07:15 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(SweetLabs, Inc) C:\Users\kit\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe
CHR Extension: (Chrome Web Store Payments) - C:\Users\kit\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-09-12]
Task: {4AD9FD86-BEF2-4E7B-96CF-77BFF44B9118} - System32\Tasks\App Explorer => C:\Users\kit\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe [2016-06-28] (SweetLabs, Inc)
C:\Users\kit\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\kit\AppData\Local\Host App Service

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
==

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Please post the logs and let me know what problem persists with this computer.

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,759 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:58 PM

Posted 19 September 2016 - 08:39 AM

Are you still with me?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users