remote connections, browser scripts blocking, general nightmare - Virus, Trojan, Spyware, and Malware Removal Help (2024)

#1 BusyBusy

Posted 25 March 2022 - 09:34 PM

This has been going on for a while. It's making it hard for me to resolve this etc., so it can be hard to upload logs, reply, etc.

#2 BusyBusy

Posted 25 March 2022 - 09:43 PM

FRST.txt 44.41KB 3 downloads
MBAM Q log1.txt 5.2KB 7 downloads
AdwCleanerS00.txt 3.72KB 3 downloads
Addition.txt 37.45KB 4 downloads


Edited by BusyBusy, 25 March 2022 - 09:53 PM.

#3 nasdaq

Posted 26 March 2022 - 09:15 AM

Hello, Welcome to BleepingComputer.

I'm nasdaq and will be helping you.

If you can, please print this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

===

Please run the AdwCleaner tool and delete all the items that have been identified.

<<<>>>

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.

Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.

start
Comment: For your security a new restore point will be created.
CreateRestorePoint:
Comment: We need to close all processes to complete the fix.
CloseProcesses:
Comment: Items from the FRST.TXT log that will be removed from the Registry.
IFEO\notepad.exe: [Debugger] "C:\Program Files\Notepad2\Notepad2.exe" /z
GroupPolicy: Restriction - Windows Defender <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
Policies: C:\Users\22351\NTUSER.pol: Restriction <==== ATTENTION
Task: {0D8F85A4-5288-474A-87B4-EE173287C8A1} - System32\Tasks\Norton Product InstallerIdle => C:\Users\22351\AppData\Local\Temp\SymInstallStub.exe /partnerid=adobeebook /productlist=ns /staging=false /delay=0 /launchedby=4 (No File) <==== ATTENTION
Task: {2C56DC96-CBF8-4216-A8E6-7C8961B5A0AE} - System32\Tasks\OneDrive Standalone Update Task => C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\OneDriveStandaloneUpdater.exe (No File)
Task: {56B9E9C8-9D24-4F0D-BE33-8D7E923E410F} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe --automatic (No File)
Task: {D6BD6DCA-312A-457F-9F4F-4A799FC3F0F9} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office16\OLicenseHeartbeat.exe (No File)
Task: C:\WINDOWS\Tasks\Norton Product InstallerIdle.job => C:\Users\22351\AppData\Local\Temp\SymInstallStub.exe
FF Plugin-x32: @baidu.com/YunWebDetectPlugin -> C:\Users\22351\AppData\Roaming\baidu\BaiduNetdisk\npYunWebDetect.dll [No File]
S3 BaiduNetdiskUtility; C:\Users\22351\AppData\Roaming\baidu\BaiduNetdisk\YunUtilityService.exe [X]
S2 SpSvc; C:\MobileEmuMaster\Utils\SpSvc.dll [X]
NETSVCx32: SpSvc -> C:\MobileEmuMaster\Utils\SpSvc.dll ==> No File
NETSVCx32: HpSvc -> no filepath.
NETSVCx32: DesktopSvc -> no filepath.
NETSVCx32: YxhGameSvc -> no filepath.
NETSVCx32: WpSvc -> no filepath.
NETSVCx32: TmSvc -> no filepath.
Comment: Items from the Addition.txt log that will be removed.
CustomCLSID: HKU\S-1-5-21-4195069598-2995581464-2420799152-24386_Classes\CLSID\{679F137C-3162-45da-BE3C-2F9C3D093F64}\Shell\Open\Command -> C:\Users\22351\AppData\Roaming\baidu\BaiduNetdisk\BaiduNetdisk.exe -diskopen
CustomCLSID: HKU\S-1-5-21-4195069598-2995581464-2420799152-24386_Classes\CLSID\{679F137C-3162-45da-BE3C-2F9C3D093F64} -> [????] => C:\Users\22351\AppData\Roaming\baidu\BaiduNetdisk\ [0000-00-00 00:00]
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
FirewallRules: [{2CB3AB2B-FC73-4F87-B475-1942F577F1C4}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiAppOld.exe => No File
FirewallRules: [{45A587F1-B71C-4A48-8D62-5F9D9769C610}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\Next\WirelessDisplay.exe => No File
FirewallRules: [{0B29479D-E6A7-4C1C-A2A5-8D9A9A9F1D2E}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\SmartAgentTest.exe => No File
FirewallRules: [{F3A7763A-23F3-471A-AF5E-2BE39B69FAEB}] => (Allow) C:\Users\22351\AppData\Local\Temp\044r87X9\LDSGameMasterInstRoad_214101.exe => No File
FirewallRules: [{89E204F1-028E-4883-B450-61E005210BBD}] => (Allow) C:\Users\22351\AppData\Local\Temp\044r87X9\LDSGameMasterInstRoad_214101.exe => No File
FirewallRules: [{B52E401F-6F90-4FC8-82C4-41DE6E8BE6A2}] => (Allow) C:\MobileEmuMaster\SoftMgr\SoftMgrInst.exe => No File
FirewallRules: [{6773A606-E44D-42B0-A8FE-F7AF68EB0C76}] => (Allow) C:\MobileEmuMaster\SoftMgr\SoftMgrInst.exe => No File
FirewallRules: [{83CFD08B-B0B2-4B34-A709-52B70DD5B380}] => (Allow) C:\Program Files (x86)\BirdWallpaper\360wpsrv.exe => No File
FirewallRules: [{C3A7439C-E000-480A-9510-30A13820281C}] => (Allow) C:\Program Files (x86)\BirdWallpaper\360wpsrv.exe => No File
Comment: Files/Folders that will be deleted.
C:\ProgramData\{0163FD7D-6298-484b-AE3A-452189A10221}.tmp
C:\ProgramData\Tencent
C:\Users\22351\AppData\Roaming\Tencent
Comment: TCP/IP Reset
CMD: netsh int ip reset
CMD: ipconfig /flushDNS
Comment: To rebuild the performance counter library values.
CMD: "%WINDIR%\SYSTEM32\lodctr.exe /R"
CMD: "%WINDIR%\SysWOW64\lodctr.exe /R"
CMD: "C:\Windows\SYSTEM32\lodctr.exe /R"
CMD: "C:\Windows\SysWOW64\lodctr.exe /R"
Comment: Use Farbar routine to delete temp files
C:\Windows\Temp\*.*
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
C:\Users\22351\AppData\Local\Temp\044r87X9
Comment: The system will restart.
Reboot:
End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.

The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

===

Please post the Fixlog.txt and let me know what problem persists.
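A pre-flight review of a fixlist like the one in post #3, added here as an example (it is not part of the original thread and not FRST's own code). It labels each line by its visible prefix, which is a heuristic assumed for illustration rather than FRST's parsing rules, and reports which commands will run, which deletions use wildcards, and whether a restore point is created first. The names `classify` and `review` are hypothetical; the sample is an excerpt of lines copied from the fixlist above.

```python
import re
from collections import Counter

# Excerpt of the fixlist posted in this thread (lines copied from the page).
SAMPLE = r"""start
Comment: For your security a new restore point will be created.
CreateRestorePoint:
CloseProcesses:
IFEO\notepad.exe: [Debugger] "C:\Program Files\Notepad2\Notepad2.exe" /z
FirewallRules: [{B52E401F-6F90-4FC8-82C4-41DE6E8BE6A2}] => (Allow) C:\MobileEmuMaster\SoftMgr\SoftMgrInst.exe => No File
C:\ProgramData\Tencent
CMD: netsh int ip reset
CMD: ipconfig /flushDNS
C:\Windows\Temp\*.*
Reboot:
End"""

# Directive names exactly as they appear in the fixlist on this page.
DIRECTIVES = {"CreateRestorePoint:", "CloseProcesses:", "Reboot:"}
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")

def classify(line):
    """Label one line by its prefix (assumed heuristic, not FRST's parser)."""
    if line in DIRECTIVES:
        return "directive"
    if line.startswith("Comment:"):
        return "comment"
    if line.startswith("CMD:"):
        return "command"      # runs a shell command: review these first
    if DRIVE_PATH.match(line):
        return "path"         # bare file or folder to delete
    return "log_entry"        # line copied from FRST.txt / Addition.txt

def review(text):
    """Summarise what a fixlist will do before it is handed to the tool."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) < 2 or lines[0].lower() != "start" or lines[-1].lower() != "end":
        raise ValueError("fixlist is not wrapped in start ... End (truncated paste?)")
    body = [(classify(l), l) for l in lines[1:-1]]
    actions = [(k, l) for k, l in body if k != "comment"]
    return {
        "restore_point_first": bool(actions) and actions[0][1] == "CreateRestorePoint:",
        "reboots": any(l == "Reboot:" for _, l in actions),
        "commands": [l[len("CMD:"):].strip() for k, l in actions if k == "command"],
        "wildcard_paths": [l for k, l in actions if k == "path" and "*" in l],
        "counts": dict(Counter(k for k, _ in body)),
    }
```

A fixlist that was flattened or cut off during copy and paste fails the `start ... End` check, which is worth catching before the tool is run.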



#4 BusyBusy

Posted 26 March 2022 - 07:06 PM

Fixlog.txt 52.24KB 2 downloads



#5 nasdaq

Posted 27 March 2022 - 07:16 AM

Hi,

Looking good.

Is the problem solved?



#6 BusyBusy

Posted 30 March 2022 - 12:17 AM

For now yes, but this is what usually happens and then it's back. The browsers are infected as well, maybe a rootkit and remote connections as well. I just want to make sure it's gone this time.

While I have you here, do you know of any forums or people that are good with Macs? My Mac is so much worse than the PC.

Thanks for your time!


#7 nasdaq

Posted 30 March 2022 - 07:30 AM

Hi,

Mac OS forum.

https://www.bleepingcomputer.com/forums/f/172/mac-os/

---

Let me know in a day what problem persists with this computer.

p.s.

Is this computer browser synced with the Mac?


Edited by nasdaq, 30 March 2022 - 07:31 AM.


#8 BusyBusy

Posted 30 March 2022 - 04:24 PM

Hi, I have attached a recent mbam log, but after it said it detected a trojan, I didn't see it in the quarantine.

Thanks heaps!

mbam log1.txt 1.19KB 2 downloads



#9 nasdaq

Posted 31 March 2022 - 07:36 AM

Hi,

You are getting good protection from MBAM.

The attack was probably blocked before any damage was done.

Learn how to manage these notifications.

https://support.malwarebytes.com/hc/en-us/articles/360038984933-Notifications-settings-in-Malwarebytes-for-Windows

