
Do I have a virus?


9 replies to this topic

#1 Guest_danimondial_*

  • Guests

Posted 26 April 2017 - 04:46 PM

I am not sure if I should worry about this, but I think something's wrong...

Yesterday I realized that a game I had installed 2 weeks ago had a bitcoin miner in it (actually, some people said it had one). I hadn't noticed whether my GPU or CPU usage was high, but some people who had downloaded the same game said their GPU usage was at 100%. They also said something about an "ISSCH" folder that was placed randomly in "C:". I deleted the ISSCH folder that was in "C:\Users\DANI\AppData\Local\Mozilla" (people said it was placed randomly, and one guy said his ISSCH folder was in \Local\Payday2).

After I deleted the folder I uninstalled the game, searched for the ISSCH folder again and found it in the same place, which was weird, so I deleted it again and went to my flash drive, where I had hidden files (right-click on something and check 'Hidden'). There were no files, so I thought I had set it to not show hidden files (in Folder Options). I went to Folder Options, but neither "Show hidden files" nor "Don't show hidden files" was checked. I checked "Show hidden files" and clicked Apply and OK, but it did nothing. I went back and again neither of the two options was selected. I selected to show hidden files and clicked Apply and OK 10 times, but it still didn't work.

I restarted my computer and went to Folder Options. Now "Don't show" was selected; I selected "Show" and this time it worked. I went to my flash drive and I could see the files.

After this I restarted again, but booted into Safe Mode (F8) and used Malwarebytes and ComboFix. ComboFix deleted some things (I have the log from ComboFix if you want). After this I haven't noticed anything weird: I haven't gotten pop-ups, had my homepage changed or other obvious stuff, though my memory usage was pretty high. Right after I booted:

 

[screenshot: 9ghghRA.png] - Windows 7 64bit SP1

 

But with Chrome closed (no chrome.exe processes) I have 2.5GB. Here are the processes: 

 

[screenshot: iq3nJ7D.png]

and msconfig:

 

[screenshot: f2zcbIA.png]

 

Other than that, my CPU and GPU usage are pretty normal (even when I have Chrome running):

 

[screenshot: t3aJyAf.png]

 

This was taken while running a scan with Avast; I don't know if 4 GB is too much for Avast.

 

[screenshot: tzNXbV2.png]

 

my specs:

  • AMD FX-8300 8-core 3.3 GHz
  • Sapphire Radeon HD 7750 1 GB GDDR5
  • Gigabyte GA-907A-DS3P
  • 8 GB Kingston 1600 MHz RAM

Edited by danimondial, 26 April 2017 - 04:48 PM.
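The two things described in the post above, a Folder Options setting that would not stick and a folder that came back after deletion, can be checked directly rather than only through scanner output. The PowerShell script below is an added example, not code from the original post or from any tool mentioned in the thread. It reads the Explorer registry values that control "Show hidden files" (a long-standing tampering target for malware, though nothing in the thread establishes that this is what happened here), searches every fixed drive for a folder named ISSCH (the name is taken from the post), and lists the top processes with image path and Authenticode status. It assumes PowerShell 3.0 or later and an elevated prompt, and it changes nothing.

```powershell
# Added example, not code from the original post. Read-only triage for the
# symptoms described above; run from an elevated PowerShell 3.0+ prompt.
# The folder name 'ISSCH' comes from the post; everything else is generic.

# --- 1. Why "Show hidden files" can refuse to stick -------------------------
# Explorer keeps the radio-button state in HKCU ...\Explorer\Advanced\Hidden
# (1 = show hidden files, 2 = do not show). The Folder Options dialog takes the
# number it writes for each button from HKLM ...\Advanced\Folder\Hidden\SHOWALL
# (CheckedValue, normally DWORD 1) and ...\NOHIDDEN (CheckedValue, normally 2).
# Malware has long tampered with SHOWALL\CheckedValue (set to 0, or retyped as
# a string): choosing "Show" then writes a value Explorer does not recognise,
# so neither button appears selected and hidden files stay hidden.
$advanced  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hiddenPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden'

$hidden = (Get-ItemProperty -Path $advanced -ErrorAction SilentlyContinue).Hidden
Write-Output "HKCU Hidden = $hidden   (1 = show, 2 = do not show; other values leave the dialog blank)"

$defaults = @{ SHOWALL = 1; NOHIDDEN = 2 }
foreach ($entry in $defaults.GetEnumerator()) {
    $p    = Get-ItemProperty -Path "$hiddenPol\$($entry.Key)" -ErrorAction SilentlyContinue
    $val  = if ($p) { $p.CheckedValue } else { $null }
    $kind = if ($val -eq $null) { 'missing' } else { $val.GetType().Name }
    # A correct entry is a DWORD (Int32) holding exactly the default number.
    $ok   = ($val -is [int]) -and ($val -eq $entry.Value)
    $status = if ($ok) { 'ok' } else { 'CHECK: tampered or missing' }
    Write-Output ("{0,-8} CheckedValue = {1} [{2}] expected {3} -> {4}" -f `
        $entry.Key, $val, $kind, $entry.Value, $status)
}

# --- 2. Find the 'ISSCH' folder wherever it was dropped ---------------------
# -Force includes hidden and system folders; -Filter matches the name during
# the walk. A directory that reappears after deletion generally means something
# still running (or scheduled) is recreating it, so the timestamps are useful.
$roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 } | ForEach-Object { $_.Root }
Get-ChildItem -Path $roots -Directory -Recurse -Force -Filter 'ISSCH' -ErrorAction SilentlyContinue |
    Select-Object FullName, CreationTime, LastWriteTime, Attributes |
    Format-Table -AutoSize

# --- 3. What is actually consuming CPU and memory ---------------------------
# A miner shows up as sustained CPU time from a binary that is unsigned and
# lives in a user-writable path (AppData, Temp, ProgramData) rather than under
# Program Files or Windows. Path and signature come back empty/'n/a' for
# protected system processes when the prompt is not elevated.
Get-Process | Sort-Object CPU -Descending | Select-Object -First 15 | ForEach-Object {
    $path = $_.Path
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
    [pscustomobject]@{
        Name      = $_.ProcessName
        PID       = $_.Id
        CPUsec    = [math]::Round([double]$_.CPU, 1)
        WS_MB     = [math]::Round($_.WorkingSet64 / 1MB)
        Signature = $sig
        Path      = $path
    }
} | Format-Table -AutoSize
```

The signature column is a hint, not a verdict: many legitimate tools are unsigned and some malware is signed, so the combination of path, signature and sustained CPU is what to weigh. Section 1 only reports; if CheckedValue has been changed, restoring it to the defaults shown in the comments is the fix, but that should be done deliberately rather than by a script that cannot tell an odd but intentional setting from tampering.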




#2 buddy215

  • Moderator
  • 13,097 posts
  • Location: West Tennessee

Posted 26 April 2017 - 05:47 PM

Welcome to BC....

 

I noticed Hola in what you posted. You should consider removing it. More info here: Adios, Hola! - Why you should immediately uninstall Hola

 

Use the programs below to clean, remove adware and remove malware.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

Download Zemana AntiMalware and install it

  • Run the application
  • Click "Next" and then Scan
  • When the scan has finished click Next to remove any threats.
  • Click the bars in the top right corner to display the logs, double click your log
  • copy and paste the log into your reply

Please download Security Check by glax24 and save the file to the Desktop

  • Run the tool by accepting all the Security prompts
  • when complete the tool will produce a log file C:\SecurityCheck\SecurityCheck.txt and also copy the contents to the Clipboard
  • Simply Paste the log to your reply

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Guest_danimondial_*

  • Guests

Posted 27 April 2017 - 06:45 AM

I removed Hola from my Chrome extensions and uninstalled it from Control Panel. AdwCleaner also removed the folders that Hola was installed in.

 

AdwCleaner[S0].txt:

# AdwCleaner v6.046 - Logfile created 27/04/2017 at 13:16:53
# Updated on 24/04/2017 by Malwarebytes
# Database : 2017-04-25.1 [Server]
# Operating System : Windows 7 Ultimate Service Pack 1 (X64)
# Username : DANI - DANI-PC
# Running from : C:\Users\DANI\Desktop\adwcleaner_6.046.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
Folder Found:  C:\Users\DANI\AppData\Roaming\Hola
Folder Found:  C:\Program Files\Hola
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
Key Found:  HKU\.DEFAULT\Software\Hola
Key Found:  HKU\S-1-5-18\Software\Hola
Key Found:  [x64] HKLM\SOFTWARE\Hola
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MsConfig\StartupReg\hola
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hola.org
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [1320 Bytes] - [27/04/2017 13:16:53]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1393 Bytes] ##########

 

AdwCleaner[C0].txt:

# AdwCleaner v6.046 - Logfile created 27/04/2017 at 13:17:13
# Updated on 24/04/2017 by Malwarebytes
# Database : 2017-04-25.1 [Server]
# Operating System : Windows 7 Ultimate Service Pack 1 (X64)
# Username : DANI - DANI-PC
# Running from : C:\Users\DANI\Desktop\adwcleaner_6.046.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support


***** [ Services ] *****


***** [ Folders ] *****

[-] Folder deleted: C:\Users\DANI\AppData\Roaming\Hola
[-] Folder deleted: C:\Program Files\Hola


***** [ Files ] *****


***** [ DLL ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled Tasks ] *****


***** [ Registry ] *****

[-] Key deleted: HKU\.DEFAULT\Software\Hola
[#] Key deleted on reboot: HKU\S-1-5-18\Software\Hola
[-] Key deleted: [x64] HKLM\SOFTWARE\Hola
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MsConfig\StartupReg\hola
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hola.org


***** [ Web browsers ] *****


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [1192 Bytes] - [27/04/2017 13:17:13]
C:\AdwCleaner\AdwCleaner[S0].txt - [1480 Bytes] - [27/04/2017 13:16:53]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1338 Bytes] ##########

 

JRT.txt:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 7 Ultimate x64 
Ran by DANI (Administrator) on 27.04.2017 at 13:25:56,67
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 16 
 
Successfully deleted: C:\Users\DANI\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\DANI\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\DANI\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EK0I81BN (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\DANI\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\DANI\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\DANI\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXJ1RXG3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\DANI\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PJ0HL0BJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\DANI\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X1MNZMJQ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EK0I81BN (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXJ1RXG3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PJ0HL0BJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X1MNZMJQ (Temporary Internet Files Folder) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 27.04.2017 at 13:28:44,46
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edited by danimondial, 27 April 2017 - 06:54 AM.
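The AdwCleaner log above shows three kinds of leftover that survive a normal uninstall: an entry under msconfig's StartupReg store, a domain added to the Internet Explorer ZoneMap, and the program's own registry keys. The PowerShell script below is an added example, not code from the original post or from AdwCleaner. It enumerates the Run/RunOnce keys, the msconfig disabled-startup store, scheduled tasks and services whose command lives outside \Windows\, and the per-domain zone assignments, so the same categories can be reviewed by hand after a tool-driven clean-up. The path filters and the 'N/A' and COM-handler exclusions are assumptions about what counts as noise; it assumes PowerShell 3.0 or later and an elevated prompt, and it changes nothing.

```powershell
# Added example, not code from the original post. Read-only inventory of the
# autostart and zone locations that the AdwCleaner log above touched, so the
# rest of the machine can be reviewed the same way. Run elevated, PS 3.0+.

function Get-RunKeyEntries {
    # Run/RunOnce autostarts for the machine and the current user, plus the
    # 32-bit view on x64. The msconfig 'startupreg' key is where the Startup
    # tab parks items a user unticks: the entry survives (the log above shows
    # one for Hola) and can simply be ticked back on later.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $reg = Get-Item $key
        foreach ($name in $reg.GetValueNames()) {
            [pscustomobject]@{ Location = $key; Name = $name; Command = $reg.GetValue($name) }
        }
    }
    $disabled = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MsConfig\startupreg'
    if (Test-Path $disabled) {
        Get-ChildItem $disabled | ForEach-Object {
            [pscustomobject]@{ Location = $disabled; Name = $_.PSChildName; Command = $_.GetValue('command') }
        }
    }
}

function Get-NonWindowsTasks {
    # schtasks works on Windows 7, where Get-ScheduledTask does not exist. Its
    # verbose CSV can repeat the header row; drop those rows, then keep tasks
    # whose command is not under the Windows directory or a COM handler.
    schtasks /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.HostName -ne 'HostName' } |
        Where-Object { $_.'Task To Run' -notmatch '\\Windows\\|%windir%|%SystemRoot%|^COM handler|^N/A$' } |
        Select-Object TaskName, 'Task To Run', Status, Author
}

function Get-NonWindowsServices {
    # Services whose binary is outside \Windows\. Third-party AV and drivers
    # are expected here; what matters is anything under a user profile.
    Get-WmiObject Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
        Select-Object Name, State, StartMode, PathName
}

function Get-ZoneMapDomains {
    # IE/WinINet zone assignment per domain and scheme: 1 = Local intranet,
    # 2 = Trusted sites, 3 = Internet, 4 = Restricted sites. Adware adds its
    # own domains to the Trusted zone (the log above shows hola.org), which
    # relaxes the browser's security settings for them.
    foreach ($hive in 'HKCU', 'HKLM') {
        $base = "$($hive):\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem $base -Recurse | ForEach-Object {
            $key = $_
            foreach ($scheme in $key.GetValueNames()) {
                [pscustomobject]@{
                    Hive   = $hive
                    Domain = ($key.Name -split 'Domains\\')[1]
                    Scheme = $scheme
                    Zone   = $key.GetValue($scheme)
                }
            }
        }
    }
}

Get-RunKeyEntries      | Format-Table -AutoSize
Get-NonWindowsTasks    | Format-Table -AutoSize
Get-NonWindowsServices | Format-Table -AutoSize
Get-ZoneMapDomains     | Format-Table -AutoSize
```

Anything this lists is a candidate for review, not a finding: legitimate software uses every one of these locations. What it gives over a cleaner's log is the complete picture of a category, so that a second entry of the same kind (another unticked startup item, another trusted domain) is noticed instead of only the one the tool's signatures happened to know.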


#4 buddy215

  • Moderator

Posted 27 April 2017 - 08:55 AM

Did Zemana find anything?

 

Something else I noticed....you have two antivirus programs. BitDefender and Avast. I suggest you either completely disable or uninstall one of those.



#5 Guest_danimondial_*

  • Guests

Posted 27 April 2017 - 09:02 AM

Actually, I have three... Malwarebytes, Avast and BitDefender... :lmao:

Which one do you think I should keep?



#6 buddy215

  • Moderator

Posted 27 April 2017 - 09:08 AM

Keep MBAM and either of the other two....lean just a bit toward BitDefender



#7 Guest_danimondial_*

  • Guests

Posted 27 April 2017 - 09:16 AM

Ok, I uninstalled Avast...

So, from the logs that I sent you, did you see anything unusual?



#8 buddy215

  • Moderator

Posted 27 April 2017 - 09:58 AM

Other than what has been mentioned....nothing unusual. But you haven't given me the Zemana results.

 

Download Security Check by glax24 and save the file to the Desktop

  • Run the tool by accepting all the Security prompts
  • when complete the tool will produce a log file C:\SecurityCheck\SecurityCheck.txt and also copy the contents to the Clipboard
  • Simply Paste the log to your reply


#9 Guest_danimondial_*

  • Guests

Posted 27 April 2017 - 10:18 AM

Yeah... I read online that Zemana is kinda 'shady'.

And BTW, I still don't understand why I couldn't select either of the two options in Folder Options, but after I rebooted it worked normally...

[screenshot: ERA5gKa.png] - this is how it looked before I rebooted


Edited by danimondial, 27 April 2017 - 10:36 AM.


#10 buddy215

  • Moderator

Posted 27 April 2017 - 11:18 AM

Zemana is not "shady". I have seen one review that complained about it not being protective but just as a scanner. But it has been proven to be useful.

Up to you whether to run it or not. It is free for 15 days. Use it...then uninstall it.





