

Image Virus - Please Help


  • This topic is locked
13 replies to this topic

#1 MoonMan94

MoonMan94

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 30 November 2017 - 01:07 AM

Hey, so I was watching a stream on Twitch.tv and someone linked a screenshot and said something along the lines of "This is [insert streamer name]" after he died in the game he was playing. I clicked the link and there was a screenshot, it was really tiny and said click to expand, so I did and someone in the chatroom said "nobody click, it's a virus. He's done this before." but it was already too late by then. 

I tried deleting the image but it said it was open somewhere else, then I opened up task manager to see what was going on and I see that my Disk usage tab is at 100% and there isn't anything apparent causing it. After that I downloaded Malwarebytes and ran a scan, it said it found 4 different malware, and when it was all finished I restarted my computer. The first thing I did after that was see if the image was still there - it was, but I could delete it. Then I opened up task manager again only to find it was still at 100%, and when I opened up chrome I got a notification from Malwarebytes saying it blocked 2 different harmful websites. 

At this point, I don't really know what else to do, I'm not good at these kinds of things so the only thing left that I could think of was make a forum post. 

 

Please assist me in resolving this, forum users and tech-savvy people; otherwise the only thing I can think of trying is a factory reset, and I don't want that. :(



Also, here's a screenshot of what I downloaded just in case: 

http://prntscr.com/hh3zhg




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:39 PM

Posted 30 November 2017 - 07:40 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs.

Wait for further instructions.

#3 MoonMan94

MoonMan94
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 30 November 2017 - 02:49 PM

Hey nasdaq, thank you so much for replying!

 

 Here are the results: 

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-11-2017
Ran by Sear (administrator) on ISAAC-PC (30-11-2017 14:21:00)
Running from C:\Users\Sear\Downloads
Loaded Profiles: Sear (Available Profiles: Sear & Mostafa & Other & DefaultAppPool)
Platform: Windows 10 Pro Version 1607 14393.1914 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
() C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\AVGSvc.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(Hi-Rez Studios) C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.8\ToolbarUpdater.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
() C:\Users\Sear\AppData\Roaming\ADMicroscope\ADMicroscope.exe
(Advanced Micro Devices, Inc.) C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe
(Logitech Inc.) C:\Program Files\Logitech\Gaming Software\LWEMon.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\avgui.exe
(Akamai Technologies, Inc.) C:\Users\Sear\AppData\Local\Akamai\netsession_win.exe
(Akamai Technologies, Inc.) C:\Users\Sear\AppData\Local\Akamai\netsession_win.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Discord Inc.) C:\Users\Sear\AppData\Local\Discord\app-0.0.298\Discord.exe
(Spotify Ltd) C:\Users\Sear\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
() C:\Program Files (x86)\AVG Web TuneUp\vprot.exe
(Skillbrains) C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.10\Lightshot.exe
(Discord Inc.) C:\Users\Sear\AppData\Local\Discord\app-0.0.298\Discord.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
(Discord Inc.) C:\Users\Sear\AppData\Local\Discord\app-0.0.298\Discord.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.8.487.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\TiWorker.exe
(Microsoft® Windows® Operating System) C:\Windows\System32\Taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:39 PM

Posted 01 December 2017 - 09:02 AM



Hi,

Please post your FRST log one more time. The current one was truncated.

Also I need to see the Addition.txt file that was created by the Farbar program.

p.s.
You can, if you wish, attach them as explained in my first post.

#5 MoonMan94

MoonMan94
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 01 December 2017 - 02:16 PM

Sorry, forgot to press the attach button. 

Attached Files


Edited by MoonMan94, 01 December 2017 - 02:44 PM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:39 PM

Posted 02 December 2017 - 08:55 AM

Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.8\ToolbarUpdater.exe
() C:\Users\Sear\AppData\Roaming\ADMicroscope\ADMicroscope.exe
GroupPolicy: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
SearchScopes: HKU\S-1-5-21-4022504605-1724209415-1906487737-1000 -> URL hxxp://search.conduit.com/Results.aspx?ctid=CT3325283&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SPD8553A31-BDBA-421B-B96C-DF61A657C656&q={searchTerms}&SSPV=
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\3.5.0\ViProtocol.dll [2015-12-10] (AVG Secure Search)
FF Homepage: Mozilla\Firefox\Profiles\zio8fb0r.default-1472274331369 -> hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wcg_chtengin_16_38&param1=1&param2=f%3D1%26b%3DFirefox%26cc%3Dca%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0F0EtC0AyCyBtD0B0ByC0F0D0E0CzyyCtN0D0Tzu0StCyBtByCtN1L2XzutAtFtByEtFyCtFyDtBtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2StAyDyD0CyEyEtDzytGyCtBzy0CtGyDzytA0AtGyDtAtA0CtGyCtAyByDtCtAtB0BtD0ByDtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0B0B0BtDtDtByCyBtG0By... (long line)
FF NewTab: Mozilla\Firefox\Profiles\zio8fb0r.default-1472274331369 -> about:newtab
FF SearchPlugin: C:\Users\Sear\AppData\Roaming\Mozilla\Firefox\Profiles\zio8fb0r.default-1472274331369\searchplugins\yahoo! powered.xml [2017-08-28]
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.3.8\\npsitesafety.dll [No File]
FF Plugin-x32: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll [No File]
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3325283&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPD8553A31-BDBA-421B-B96C-DF61A657C656&SSPV=","hxxp://start.mysearchdial.com/?f=1&a=ir_14_17_ch&cd=2XzuyEtN2Y1L1Qzu0F0EtC0AyCyBtD0B0ByC0F0D0E0CzyyCtN0D0Tzu0SzzyEzztN1L2XzutBtFtBtDtFyDtFtDtN1L1CzutCyEtDtAtDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyC0EtBtB0FtD0E0AtGtCyEyB0FtG0CyBzytBtGtBtBtA0CtGyDyB0EyCyE0AtDzztC0B0Ezz2QtN1M1F1B2Z1V1N2Y1L1Qzu2StA0Ezy0F0EyE0EtAtG0EyEzzzy... (long line)
CHR Extension: (Auto Clicker) - C:\Users\Sear\AppData\Local\Google\Chrome\User Data\Default\Extensions\daoghdmcjpjomfalbgjonallnfkhdccg [2016-01-12]
CHR Extension: (SPOTS - A better way to start) - C:\Users\Sear\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\ejocekekgcaldnmjngfdbmbeebcekelc [2015-05-01]
CHR HKU\S-1-5-21-4022504605-1724209415-1906487737-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ejocekekgcaldnmjngfdbmbeebcekelc] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4022504605-1724209415-1906487737-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
R2 vToolbarUpdater40.3.8; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.8\ToolbarUpdater.exe [1365064 2017-10-24] (AVG Secure Search)
U3 idsvc; no ImagePath
S3 X6va063; \??\C:\WINDOWS\SysWoW64\Drivers\X6va063 [X]
S3 XFDriver64; \??\C:\Program Files (x86)\Xfire2\XFDriver64.sys [X]

ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers3: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} =>  -> No File
Task: {06D4F759-B088-455E-B472-48FED8BF7BE3} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {10F24D01-9C01-4A51-95C0-7D99BDDBED30} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS.exe
Task: {2D390FFE-DC5B-412D-91AD-DD94D837CC93} - System32\Tasks\Microsoft\Windows\Setup\UpgradeTriggers\UpgradeReminderTask => C:\WINDOWS\System32\GWX\GWX.exe
Task: {3FE816F3-2D53-4A96-981B-BC14CC12BC46} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {515564DF-5CF2-4CC3-BBB4-3C99B2E02BCA} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {598875F3-27DB-44CE-A1D7-29931B747278} - System32\Tasks\{35BB9ED2-B24D-F2CC-5A65-2EDB5D70F3FD} => C:\Users\Sear\AppData\Local\{B2618~1\Updater.exe <==== ATTENTION
Task: {5C8643ED-C3ED-465B-B10F-7D2640D1C906} - System32\Tasks\0414bUpdateInfo => C:\ProgramData\Avg_Update_0414b\0414b_AVG-Secure-Search-Update.exe
Task: {6EE700FA-D399-4F9F-885F-8CE10786D4E7} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {7271EAAA-0135-4DBA-8D13-6062E8970F0E} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {7E87E7DF-C958-44C0-B144-CFD52A7F9FEF} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {A707705D-5F28-4B45-BCAB-FE61E7A741A2} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {B3205145-2400-4808-841D-851E7853F1F1} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {B6DDDB57-63BE-49F4-977F-7BA94E96EE18} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {B8680A3E-D88F-4247-877B-1171A6A69966} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {C13C5FFA-C1D2-451F-9B83-E2B730AAD74E} - System32\Tasks\Microsoft\Windows\Setup\UpgradeTriggers\UpgradeNowTask => C:\WINDOWS\System32\GWX\GWXUXWorker.exe
Task: {DDBC7195-917B-43CB-BE73-E084A14FA868} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {DF444B88-136D-49F8-AB0E-9B7A2E98B703} - System32\Tasks\ADMicroscope => C:\Users\Sear\AppData\Roaming\ADMicroscope\ADMicroscope.exe [2016-10-19] () <==== ATTENTION
Task: {E44CE51C-CC18-4D9B-8B80-7B1AE217154B} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {EB4DA0B4-315A-4A07-9FF1-C313BA4E0124} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\AutoKMS.job => C:\Windows\AutoKMS.exe
Task: C:\WINDOWS\Tasks\{35BB9ED2-B24D-F2CC-5A65-2EDB5D70F3FD}.job => C:\Users\Sear\AppData\Local\{B2618~1\Updater.exe <==== ATTENTION
ShortcutWithArgument: C:\Users\Sear\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://searchomepage.com/?uuid=5807d96abe1cb&ctoken=us3337eafczwt5ro1420&aid=adt
ShortcutWithArgument: C:\Users\Sear\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://searchomepage.com/?uuid=5807d96abe1cb&ctoken=us3337eafczwt5ro1420&aid=adt
ShortcutWithArgument: C:\Users\Sear\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\1ec0f72738fb119e\iMacros for Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://searchomepage.com/?uuid=5807d96abe1cb&ctoken=us3337eafczwt5ro1420&aid=adt
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://searchomepage.com/?uuid=5807d96abe1cb&ctoken=us3337eafczwt5ro1420&aid=adt
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://searchomepage.com/?uuid=5807d96abe1cb&ctoken=us3337eafczwt5ro1420&aid=adt
FirewallRules: [TCP Query User{DF46EBB0-FF0B-41FF-801B-9087326A4013}C:\windows\kmsemulator.exe] => (Allow) C:\windows\kmsemulator.exe
FirewallRules: [UDP Query User{5403D0D8-663D-4C90-A2FE-E9550B03BC96}C:\windows\kmsemulator.exe] => (Allow) C:\windows\kmsemulator.exe

C:\Windows\System32\Tasks\AutoKMS
C:\Windows\AutoKMS.exe
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\UpgradeTriggers\UpgradeReminderTask
C:\WINDOWS\System32\GWX
C:\Windows\System32\Tasks\ADMicroscope
C:\Users\Sear\AppData\Roaming\ADMicroscope
C:\Windows\System32\Tasks\{35BB9ED2-B24D-F2CC-5A65-2EDB5D70F3FD}
C:\Users\Sear\AppData\Local\{B2618~1
C:\WINDOWS\Tasks\{35BB9ED2-B24D-F2CC-5A65-2EDB5D70F3FD}.job
C:\windows\kmsemulator.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome, click on the menu icon (the 3 vertical dots located at the top right side of the Google Chrome window).
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended. (You need to check with Internet Explorer) <- Important.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.

Java 8 Update 31 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418031F0}) (Version: 8.0.310 - Oracle Corporation)
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
===

Please let me know what problem persists with this computer.
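Reading an FRST log like the ones in posts #3 and #6 is largely a matter of knowing which line shapes matter: an unsigned binary (empty vendor field) running from AppData or ProgramData, a scheduled task whose target no longer exists, a browser shortcut whose argument forces a start page, a firewall allow rule for an executable outside Program Files, and a service with no ImagePath. The Python script below is added here as an example; it is not code from this thread or from the Farbar tool. It groups such lines by category so a responder can review them before drafting a fixlist. The line formats are assumed from the excerpts quoted above, and the sample log inside it is constructed from those excerpts. It removes nothing; FRST's own fixlist remains the mechanism for that.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) text logs.

Added example, not code from this thread or from the FRST project. It groups
FRST lines into the categories a responder reads first. The line formats are
assumed from the excerpts quoted in posts #3 and #6; the sample log below is
constructed from those excerpts.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines in the shapes seen in the thread's logs.
SAMPLE_LOG = r"""
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
() C:\Users\Sear\AppData\Roaming\ADMicroscope\ADMicroscope.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
GroupPolicy: Restriction <==== ATTENTION
Task: {DF444B88-136D-49F8-AB0E-9B7A2E98B703} - System32\Tasks\ADMicroscope => C:\Users\Sear\AppData\Roaming\ADMicroscope\ADMicroscope.exe [2016-10-19] () <==== ATTENTION
Task: {06D4F759-B088-455E-B472-48FED8BF7BE3} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://searchomepage.com/?uuid=5807d96abe1cb
FirewallRules: [TCP Query User{DF46EBB0-FF0B-41FF-801B-9087326A4013}C:\windows\kmsemulator.exe] => (Allow) C:\windows\kmsemulator.exe
U3 idsvc; no ImagePath
"""

# "(Vendor) C:\path\file.exe" as in the Processes section; an empty vendor means unsigned.
PROCESS_RE = re.compile(r"^\((?P<vendor>[^)]*)\) (?P<path>[A-Za-z]:\\.+)$")
# "ShortcutWithArgument: <lnk> -> <target> (<vendor>) -> <argument>"
SHORTCUT_RE = re.compile(r"^ShortcutWithArgument: (?P<lnk>.+?) -> (?P<target>.+?) \([^()]*\) -> (?P<arg>.+)$")
# "U3 idsvc; no ImagePath": a registered service with no binary behind it.
SERVICE_NO_IMAGE_RE = re.compile(r"^[RSU]\d (?P<name>[^;]+); no ImagePath$")
URL_RE = re.compile(r"(?i)^(?:hxxps?|https?)://")  # FRST defangs http as hxxp


def classify_line(line):
    """Return (category, detail) for one FRST line, or None if it is unremarkable."""
    line = line.rstrip()
    if not line:
        return None
    m = PROCESS_RE.match(line)
    if m:
        low = m.group("path").lower()
        # Unsigned binary running from a user-writable profile or ProgramData folder.
        if m.group("vendor") == "" and ("\\appdata\\" in low or "\\programdata\\" in low):
            return ("unsigned_userland_process", m.group("path"))
        return None
    m = SHORTCUT_RE.match(line)
    if m and URL_RE.match(m.group("arg")):
        # A browser shortcut whose argument forces a start page (the searchomepage.com pattern above).
        return ("shortcut_url_hijack", f"{m.group('lnk')} -> {m.group('arg')}")
    if line.startswith("Task:") and "-> No File" in line:
        # Scheduled task whose executable no longer exists: a leftover, but still worth removing.
        return ("orphaned_task", line.split(" - ", 1)[1].split(" -> ")[0])
    if "<==== ATTENTION" in line:
        # Anything else FRST itself marked.
        return ("attention", line.replace(" <==== ATTENTION", ""))
    if line.startswith("FirewallRules:") and "(Allow)" in line:
        target = line.rsplit("(Allow) ", 1)[1]
        if "\\program files" not in target.lower():
            return ("firewall_allow_outside_program_files", target)
    m = SERVICE_NO_IMAGE_RE.match(line)
    if m:
        return ("service_no_imagepath", m.group("name"))
    return None


def triage(log_text):
    """Group every flagged line by category: {category: [detail, ...]}."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit is not None:
            findings[hit[0]].append(hit[1])
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"[{category}]")
        for item in items:
            print("    " + item)
```

Run it as-is to see the grouped findings for the constructed sample, or replace `SAMPLE_LOG` with the text of a real FRST.txt. The URL check accepts both `hxxp` and `http` because FRST defangs URLs in its output while a log pasted from elsewhere may not.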

#7 MoonMan94

MoonMan94
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 03 December 2017 - 07:29 AM

I've done everything listed, but I've got a few questions: 

 

- I've updated Java, can I continue to use Chrome as my browser?
- Why would I need to disable Java in my browsers?
- How can I tell whether the virus is gone or not?

I should note that every day since getting the virus my disk space usage has been fluctuating. It can go from 0 to 100. As of right now, though, after doing everything you've told me to, it's jumping from anywhere between 0 to 5%.

 

Lastly, Malwarebytes still blocks the same 2 websites when I enter a specific website, the 2 websites it blocks are called brightonclick.com and venturead.com I believe. It also blocks other websites sometimes - I think this is just blocking pop ups, though?

Attached Files


Edited by MoonMan94, 03 December 2017 - 07:30 AM.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:39 PM

Posted 03 December 2017 - 08:53 AM

Hi,

I've got a few questions:

- I've updated Java, can I continue to use Chrome as my browser?
Yes, Chrome comes with Java.

- Why would I need to disable Java in my browsers?
This is only for Internet Explorer. If you disable it, programs that need it to run will prompt you to enable it.

- How can I tell whether the virus is gone or not?
I cleaned what I saw,

Run this Sophos Virus Removal Tool

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.
  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.
Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please post the contents of the log in your next reply and note any errors encountered.
===


Lastly, Malwarebytes still blocks the same 2 websites when I enter a specific website, the 2 websites it blocks are called brightonclick.com and venturead.com I believe. It also blocks other websites sometimes - I think this is just blocking pop ups, though?


Malwarebytes is probably set to report the sites it blocks.
Turn it off if set.
How to.
https://support.malwarebytes.com/docs/DOC-1207

Let me know if you have other issues.

#9 MoonMan94

MoonMan94
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 06 December 2017 - 04:20 PM

Sorry for the late reply. I ran the scan overnight with no background interruptions but it did not pick up any threats.

 

Also, my disk usage actually does still jump to high numbers, but not very often and it's not stuck at 100, not sure if that's normal or not.



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:39 PM

Posted 07 December 2017 - 07:44 AM

Run this cleaning tool.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

===

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:39 PM

Posted 13 December 2017 - 08:08 AM

Are you still with me?

#12 MoonMan94

MoonMan94
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 13 December 2017 - 05:06 PM

I'm so sorry for my tardiness, I've been so preoccupied with exams that I totally forgot about this. 

I've run the script and attached the file, and in all honesty I'm not even sure if I have a virus any more or not. At first, my disk usage was really high, and a folder got created that wasn't there before, but as far as I can tell my computer doesn't seem to be doing anything out of the ordinary. 

Attached Files



#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:39 PM

Posted 14 December 2017 - 07:25 AM

Hi,

Looking good.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#14 MoonMan94

MoonMan94
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 14 December 2017 - 11:29 PM

Thank you so much for your time and help, then. :)





