Welcome to MalwareRemoval.com,
Possible Malware/Miner (FRST/Addition Attached)
Unread postby Diesel0022 » March 27th, 2020, 12:50 pm

Hey Guys,
Downloaded something and it locked me out of booting up; basically it would just show my command prompt and I would have to manually start Explorer through the Task Manager. A friend of mine said he used the same download and it installed a miner on his PC. Hoping someone could help out with this.
You do not have the required permissions to view the files attached to this post.
Diesel0022
Active Member
 
Posts: 6
Joined: March 27th, 2020, 12:31 pm

Re: Possible Malware/Miner (FRST/Addition Attached)

Unread postby Gary R » March 31st, 2020, 5:26 pm

Sorry you've been kept waiting.

Just looking over your logs now, I'll get back to you as soon as I've finished analysing them.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Possible Malware/Miner (FRST/Addition Attached)

Unread postby Gary R » March 31st, 2020, 6:22 pm

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the "Infected? Virus, malware, adware, ransomware, oh my!" forum and wait for help.


Unless informed of in advance, failure to post replies within 3 days will result in this thread being closed.


Hi

I'm Gary R,

Before we start: Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or that necessitate your taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

As an added safety precaution, before we start removing anything, I'd like you to make a backup of your Registry, which we can restore to if necessary.

Please click on THIS link, and follow the instructions for installing TCRB and creating a backup of your Registry.

Please observe these rules while we work:
  • Do not edit your logs in any way whatsoever.
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.
If you can do these things, everything should go smoothly.

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


For the duration of this "fix", I need you to remove Avast, and use Windows Defender (or whatever they're calling it these days) as your defensive program.

So please uninstall the following programs ....

Avast Premium Security
Avast SecureLine VPN

... and reboot your computer afterwards to complete the uninstall.

You can re-install Avast once we've finished, but to be honest personally I would recommend you do not.

Once that's done, I'd like you to run a new scan with FRST, and post me the new FRST.txt and Addition.txt logs.

Re: Possible Malware/Miner (FRST/Addition Attached)

Unread postby Diesel0022 » April 1st, 2020, 4:12 pm

Hi Gary,
Please see attached; Avast and its associated VPN have been removed. I'm going to take your advice and leave Avast antivirus uninstalled; however, the VPN is handy for me as I play FPS games where DDoSing is rather common.

Re: Possible Malware/Miner (FRST/Addition Attached)

Unread postby Gary R » April 1st, 2020, 5:33 pm

No sign of any active malware in your logs. However, it does not look as if Avast has been totally removed, and your logs do show that Avast was causing a number of code integrity problems, so we need to remove the remnants and see if that affects anything.

So ....

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank randomly named .txt Notepad file will open.
  • Copy and paste the following into it (don't include Code: Select all) ....
Code: Select all
SearchScopes: HKLM -> DefaultScope {13526EF3-1889-448B-AA0C-4CF7C0037058} URL = hxxp://www.bing.com/search?q={searchTerms}&form=PRNAM1&src=IE11TR&pc=NMTE
SearchScopes: HKLM -> {13526EF3-1889-448B-AA0C-4CF7C0037058} URL = hxxp://www.bing.com/search?q={searchTerms}&form=PRNAM1&src=IE11TR&pc=NMTE
SearchScopes: HKLM-x32 -> DefaultScope {13526EF3-1889-448B-AA0C-4CF7C0037058} URL = hxxp://www.bing.com/search?q={searchTerms}&form=PRNAM1&src=IE11TR&pc=NMTE
SearchScopes: HKLM-x32 -> {13526EF3-1889-448B-AA0C-4CF7C0037058} URL = hxxp://www.bing.com/search?q={searchTerms}&form=PRNAM1&src=IE11TR&pc=NMTE
SearchScopes: HKU\S-1-5-21-2825346925-3975081358-1914956935-1002 -> DefaultScope {13526EF3-1889-448B-AA0C-4CF7C0037058} URL = 
SearchScopes: HKU\S-1-5-21-2825346925-3975081358-1914956935-1002 -> {13526EF3-1889-448B-AA0C-4CF7C0037058} URL = 
SearchScopes: HKU\S-1-5-21-2825346925-3975081358-1914956935-1002 -> {1C438BC6-4F49-47DA-8B71-66AB89A3F83B} URL = hxxps://privatesearch.adaware.com/?gd=SY1001470&d=200321&q={searchTerms}
BHO: No Name -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> No File
FF Extension: (Avast SafePrice | Comparison, deals, coupons) - C:\Users\misfi\AppData\Roaming\Mozilla\Firefox\Profiles\64on43rx.default\Extensions\sp@avast.com.xpi [2019-08-26]
FF Extension: (Avast Online Security) - C:\Users\misfi\AppData\Roaming\Mozilla\Firefox\Profiles\64on43rx.default\Extensions\wrc@avast.com.xpi [2019-08-26]
FF Notifications: Mozilla\Firefox\Profiles\oowq5ggu.default-release-1584804676275 -> hxxps://movieshdstreaming.com
S3 aswTap; C:\WINDOWS\System32\drivers\aswTap.sys [53904 2018-09-05] (AVAST Software s.r.o. -> The OpenVPN Project)
C:\WINDOWS\System32\drivers\aswTap.sys
S3 tap0901; C:\WINDOWS\System32\drivers\tap0901.sys [27136 2014-11-05] (OpenVPN Technologies, Inc. -> The OpenVPN Project)
C:\WINDOWS\System32\drivers\tap0901.sys
2020-04-01 14:02 - 2019-09-13 00:09 - 000000000 ____D C:\Program Files\AVAST Software
2020-04-01 14:02 - 2019-08-26 20:13 - 000000000 ____D C:\ProgramData\AVAST Software
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1: [IObitUnstaler] -> {836AB26C-2DE4-41D3-AC24-4C6C2699B960} =>  -> No File
ContextMenuHandlers4: [IObitUnstaler] -> {836AB26C-2DE4-41D3-AC24-4C6C2699B960} =>  -> No File
ContextMenuHandlers6: [IObitUnstaler] -> {836AB26C-2DE4-41D3-AC24-4C6C2699B960} =>  -> No File
FirewallRules: [{5D67F1B3-6418-402D-B447-1DC89A3C89D3}] => (Allow) C:\Users\misfi\AppData\Roaming\uTorrent\uTorrent.exe No File
FirewallRules: [{2D2F36FA-B23F-43C1-B847-449C2FDBD4F7}] => (Allow) C:\Users\misfi\AppData\Roaming\uTorrent\uTorrent.exe No File
VirusTotal: C:\WINDOWS\System32\drivers\BthA2dp.sys;C:\windows\system32\rtvcvfw64.dll;C:\Windows\SysWOW64\rtvcvfw32.dll 
EmptyTemp:
CMD: ipconfig /flushdns

  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log

Next ...

You need to remove the following Google Chrome Extensions ....

CHR Extension: (Avast Online Security) - C:\Users\misfi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2020-03-31]
CHR Extension: (Chrome Media Router) - C:\Users\misfi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2020-03-31]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki]

See ... https://www.timeatlas.com/uninstall-chrome-extensions/

Next ...

Run a new scan with FRST and post me the new FRST.txt and Addition.txt logs as well as the fixlog.txt
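The fixlist above is built from leftovers FRST flagged: orphaned driver services, empty Avast folders, browser extensions, and firewall rules whose program "No File" no longer exists. The following PowerShell script is an added example, not part of the thread, of FRST, or of anything the helper posted: it is a read-only audit, run from an elevated prompt, that reports the same kinds of leftovers without deleting anything, so the removal itself still goes through the helper's fixlist. The four paths in $KnownLeftovers are the ones named in the fixlist; the firewall-rule and driver checks generalise FRST's "No File" flag to every rule and every kernel/file-system driver entry on the machine.

```powershell
# Added example (not the thread's or FRST's code): read-only audit of the
# leftovers a fixlist like the one above targets. Nothing is deleted.
# Run in an elevated PowerShell; Get-NetFirewallRule needs Windows 8 / 2012 or later.

# Paths named in the thread's fixlist (Avast VPN driver, OpenVPN TAP driver, Avast folders)
$KnownLeftovers = @(
  'C:\WINDOWS\System32\drivers\aswTap.sys',
  'C:\WINDOWS\System32\drivers\tap0901.sys',
  'C:\Program Files\AVAST Software',
  'C:\ProgramData\AVAST Software'
)

Write-Host '== Leftover paths named in the fixlist =='
foreach ($p in $KnownLeftovers) {
  $state = if (Test-Path -LiteralPath $p) { 'PRESENT' } else { 'absent ' }
  Write-Host ('{0}  {1}' -f $state, $p)
}

Write-Host "`n== Firewall rules whose program is missing (what FRST prints as 'No File') =="
foreach ($rule in Get-NetFirewallRule -ErrorAction SilentlyContinue) {
  # The application filter carries the rule's program path ('Any' when unrestricted)
  $app = $rule | Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue
  if (-not $app -or $app.Program -eq 'Any') { continue }
  $exe = [Environment]::ExpandEnvironmentVariables($app.Program)
  if (-not (Test-Path -LiteralPath $exe)) {
    Write-Host ('{0}  ->  {1}' -f $rule.DisplayName, $exe)
  }
}

Write-Host "`n== Kernel/file-system driver entries whose .sys image is missing =="
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
  $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
  # Type 1 = kernel driver, 2 = file-system driver; user-mode services are skipped
  if (-not $props.ImagePath -or $props.Type -notin 1, 2) { continue }
  # Normalise the NT-style prefixes drivers use: \??\C:\..., \SystemRoot\..., system32\...
  $img = $props.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
  $img = [Environment]::ExpandEnvironmentVariables($img)
  if ($img -notmatch '^[A-Za-z]:\\') { $img = Join-Path -Path $env:SystemRoot -ChildPath $img }
  if (-not (Test-Path -LiteralPath $img)) {
    Write-Host ('{0}  ->  {1}' -f $key.PSChildName, $img)
  }
}
```

A service entry such as aswTap or tap0901 shows up in the last section once its .sys file has been deleted but the registry key remains, which is exactly the state the fixlist lines "S3 aswTap; ... aswTap.sys" clear up; a clean machine normally prints nothing under the second and third headings.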

Re: Possible Malware/Miner (FRST/Addition Attached)

Unread postby Diesel0022 » April 1st, 2020, 6:28 pm

Thanks Gary, I uninstalled Chrome as I don't use it, but I went ahead and uninstalled the extensions beforehand. Attached you'll find the Fixlog and the new FRST/Addition files.

Re: Possible Malware/Miner (FRST/Addition Attached)

Unread postby Gary R » April 2nd, 2020, 1:28 am

Log is still showing Chrome extensions present for Avast.

Please do the following ...

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank randomly named .txt Notepad file will open.
  • Copy and paste the following into it (don't include Code: Select all) ....
Code: Select all
C:\Users\misfi\AppData\Local\Google\Chrome

  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log

Next ...

Avast is still being shown as enabled, so to remove these false indications please do the following ...

Removing false AV and Firewall notifications in WMI using wbemtest.exe

  • Click Start > Run then type wbemtest.exe into the Open: box, click OK
  • This will launch Windows Management Instrumentation Tester
    • Click on the Connect button.
    • In the box at the top, where it says root\default change it to say root\securitycenter then click Connect
    • Click on Enum Instances
    • In the box that opens, type antivirusproduct and click OK
    • A box will open with a list of the anti-virus programmes that WMI sees on your computer.
      • Click on the one with the CLSID .... {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF} .... to highlight it, then click Delete
      • Click Close to close the Query box.
    • Click on Enum Instances
    • In the box that opens, type firewallproduct and click OK
    • A box will open with a list of the firewall programmes that WMI sees on your computer.
      • Click on the one with the CLSID .... {B693136B-F6EE-DD1C-A0EF-229B8B0B29C4} .... to highlight it, then click Delete
      • Click Close to close the Query box.
  • Exit out of Windows Management Instrumentation Tester

Reboot your computer.

DO NOT use the WMI Tester in any way other than the one described above. If you cannot find the CLSIDS I've named for removal then just exit out of WMI Tester and let me know.

Any problems with the instructions I've given you then let me know.




Do you still need to use Task Manager to start Explorer.exe each time you boot?
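The wbemtest procedure above removes a stale AntiVirusProduct / FirewallProduct instance that Windows Security Center still holds for an uninstalled product. The PowerShell below is an added example, not the helper's instructions and not part of the thread: it does the same enumeration with Get-CimInstance so the entries can be reviewed in one table, and removes an entry only when called with the instanceGuid the helper named. It assumes an elevated PowerShell; it queries both the root\SecurityCenter namespace the post uses and root\SecurityCenter2 (where Vista and later register products), and the two GUIDs at the bottom are the ones from the post, run as a dry run with -WhatIf.

```powershell
# Added example (not the thread's own instructions): list what Security Center
# believes is installed, then remove one stale entry by instanceGuid.
# Run from an elevated PowerShell; Remove-CimInstance on these classes needs admin.

$Namespaces = 'root\SecurityCenter', 'root\SecurityCenter2'
$Classes    = 'AntiVirusProduct', 'FirewallProduct'

function Get-SecurityCenterProducts {
  foreach ($ns in $Namespaces) {
    foreach ($cls in $Classes) {
      Get-CimInstance -Namespace $ns -ClassName $cls -ErrorAction SilentlyContinue |
        ForEach-Object {
          # pathToSignedProductExe and productState exist only in SecurityCenter2;
          # in the legacy namespace they simply come back empty
          $exe = $_.pathToSignedProductExe
          $exeExists = $null
          if ($exe) {
            $exeExists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($exe))
          }
          [pscustomobject]@{
            Namespace    = $ns
            Class        = $cls
            DisplayName  = $_.displayName
            InstanceGuid = $_.instanceGuid
            ProductState = $_.productState
            Exe          = $exe
            ExeExists    = $exeExists
          }
        }
    }
  }
}

function Remove-SecurityCenterProduct {
  param(
    [Parameter(Mandatory)] [string] $InstanceGuid,
    [switch] $WhatIf
  )
  $targets = Get-SecurityCenterProducts | Where-Object { $_.InstanceGuid -eq $InstanceGuid }
  if (-not $targets) {
    Write-Warning "No Security Center entry with instanceGuid $InstanceGuid (nothing to remove)"
    return
  }
  foreach ($t in $targets) {
    $inst = Get-CimInstance -Namespace $t.Namespace -ClassName $t.Class |
              Where-Object { $_.instanceGuid -eq $InstanceGuid }
    if ($WhatIf) {
      Write-Host "Would remove [$($t.Class)] '$($t.DisplayName)' from $($t.Namespace)"
      continue
    }
    $inst | Remove-CimInstance
    Write-Host "Removed [$($t.Class)] '$($t.DisplayName)' from $($t.Namespace)"
  }
}

# Review first: after an uninstall, an entry whose ExeExists is False is the stale one
Get-SecurityCenterProducts | Format-Table -AutoSize

# The two GUIDs the helper named in this thread; drop -WhatIf to actually delete
Remove-SecurityCenterProduct -InstanceGuid '{8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}' -WhatIf
Remove-SecurityCenterProduct -InstanceGuid '{B693136B-F6EE-DD1C-A0EF-229B8B0B29C4}' -WhatIf
```

The table is the useful part: Windows Defender reports itself here too, so the check before deleting anything is that the DisplayName belongs to the product that was uninstalled and its executable is gone, which is the same judgement the helper made from the FRST Addition.txt log before naming those two GUIDs. If the GUID is not found the function warns and exits, which matches the poster's later report that nothing was showing up in wbemtest.exe.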

Re: Possible Malware/Miner (FRST/Addition Attached)

Unread postby Diesel0022 » April 2nd, 2020, 3:16 pm

Hi Gary,
Attached is the fixlog; nothing was showing up in wbemtest.exe. I no longer have to manually launch Explorer on boot-up.

Re: Possible Malware/Miner (FRST/Addition Attached)

Unread postby Gary R » April 2nd, 2020, 5:49 pm

OK, it looks like everything Avast-related has been removed then ...... I don't know why the last FRST logs (FRST.txt & Addition.txt) showed remnants of Avast.

As you no longer have to manually launch Explorer.exe, it looks like your problem has been resolved ..... do you have any remaining issues that need dealing with?

If you do, please let me know what they are.
If not, please let me know so that I can give you instructions for how to safely remove FRST, and so I can close this topic.

Re: Possible Malware/Miner (FRST/Addition Attached)

Unread postby Diesel0022 » April 2nd, 2020, 5:59 pm

I think that's everything; I really appreciate the help with everything.

Re: Possible Malware/Miner (FRST/Addition Attached)

Unread postby Gary R » April 2nd, 2020, 6:43 pm

You're welcome. :)

To uninstall FRST and remove all its files, please do the following ...

  • Rename FRST64.exe to Uninstall.exe
  • Double click on Uninstall.exe to launch it.
    • Your computer will reboot, and on reboot will remove FRST and all its files.

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.