Malware/Windows 7

Discussion in 'Malware Removal' started by Charles, Nov 20, 2017.

  1. Charles

    Charles

    Joined:
    Jun 19, 2000
    Messages:
    1,443
    Location:
    California
Opened FRST (FRST64) and pressed the Fix button just once; file pasted below.

    --------------------------------------------------------------------------------------------------------------

    Fix result of Farbar Recovery Scan Tool (x64) Version: 19-11-2017
    Ran by Carlos (25-11-2017 06:41:13) Run:1
    Running from C:\Users\Carlos\Desktop
    Loaded Profiles: Carlos (Available Profiles: Carlos & Guest)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    CustomCLSID: HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4}\InprocServer32 -> C:\Users\Carlos\AppData\Local\Google\Update\1.3.33.5\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Carlos\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Carlos\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Carlos\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\Carlos\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\Carlos\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Carlos\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File

    *****************

    HKLM\System\CurrentControlSet\Services\AppMgmt => key removed successfully
    AppMgmt => service removed successfully
    HKLM\System\CurrentControlSet\Services\catchme => key removed successfully
    catchme => service removed successfully
    HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4} => key removed successfully
    HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856} => key removed successfully
    HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4} => key removed successfully
    HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247} => key removed successfully
    HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04} => key removed successfully
    HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA} => key removed successfully
    HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2} => key removed successfully

    ==== End of Fixlog 06:41:13 ====
     
  2. Charles

    Charles

Malwarebytes 3.3.1 is still picking these up.

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 11/25/17
    Scan Time: 2:42 PM
    Log File: f0d01281-d231-11e7-871b-001fc615416a.json
    Administrator: Yes

    -Software Information-
    Version: 3.3.1.2183
    Components Version: 1.0.236
    Update Package Version: 1.0.3346
    License: Free

    -System Information-
    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: Carlos-PC\Carlos

    -Scan Summary-
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 404995
    Threats Detected: 4
    Threats Quarantined: 0
    (No malicious items detected)
    Time Elapsed: 30 min, 12 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Warn
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 0
    (No malicious items detected)

    Registry Value: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 4
    PUP.Optional.Searching.ShrtCln, C:\USERS\CARLOS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, [16431], [454819],1.0.3346
    PUP.Optional.Searching.ShrtCln, C:\USERS\CARLOS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, [16431], [454819],1.0.3346
    PUP.Optional.Searching.ShrtCln, C:\USERS\CARLOS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, [16431], [454819],1.0.3346
    PUP.Optional.SearchModule, C:\USERS\CARLOS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, [674], [458372],1.0.3346

    Physical Sector: 0
    (No malicious items detected)


    (end)
     
  3. Broni

    Broni Malware Annihilator Staff Member

    Joined:
    Jan 20, 2015
    Messages:
    690
    Location:
    Daly City, CA
Just execute the program and press Fix.
     
  4. Broni

    Broni Malware Annihilator Staff Member

    Your MBAM log says "No Action By User".
    You need to fix those findings.
     
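An added example, not part of the thread: a small parser for Malwarebytes 3.x text logs of the kind posted above that lists the detections still marked "No Action By User", so a helper can see at a glance which findings were never quarantined. The sample log embedded in it is constructed from the detection lines in the post above.

```python
import re
from collections import Counter

# Detection line format in Malwarebytes 3.x text logs (as in the post above):
#   <threat name>, <path>, <action taken>, [<id>], [<id>],<update package version>
FINDING_RE = re.compile(
    r"^(?P<name>[^,]+), (?P<path>.+?), (?P<action>[^,\[]+), "
    r"\[(?P<id1>\d+)\], \[(?P<id2>\d+)\],(?P<pkg>[\d.]+)$"
)

def parse_findings(log_text):
    """Return one dict per detection line listed under '-Scan Details-'."""
    findings, in_details = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "-Scan Details-":
            in_details = True
        elif in_details:
            m = FINDING_RE.match(line)
            if m:
                findings.append(m.groupdict())
    return findings

def unresolved(findings):
    """Detections the scanner logged but the user never quarantined or deleted."""
    return [f for f in findings if f["action"].strip() == "No Action By User"]

def summarize(log_text):
    """What was found, what is still pending, and where it lives."""
    findings = parse_findings(log_text)
    pending = unresolved(findings)
    return {"detected": len(findings), "pending": len(pending),
            "by_name": dict(Counter(f["name"] for f in pending)),
            "paths": sorted({f["path"] for f in pending})}

# Constructed sample: the detection block from the Malwarebytes log posted above.
SAMPLE_LOG = r"""
-Scan Summary-
Threats Detected: 4
Threats Quarantined: 0

-Scan Details-
Process: 0
(No malicious items detected)

File: 4
PUP.Optional.Searching.ShrtCln, C:\USERS\CARLOS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, [16431], [454819],1.0.3346
PUP.Optional.Searching.ShrtCln, C:\USERS\CARLOS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, [16431], [454819],1.0.3346
PUP.Optional.Searching.ShrtCln, C:\USERS\CARLOS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, [16431], [454819],1.0.3346
PUP.Optional.SearchModule, C:\USERS\CARLOS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, [674], [458372],1.0.3346
"""

if __name__ == "__main__":
    for f in unresolved(parse_findings(SAMPLE_LOG)):
        print(f"STILL PENDING: {f['name']} -> {f['path']}")
    print(summarize(SAMPLE_LOG))
```

All four findings in the posted log share one path (Chrome's "Web Data" file), which is why resetting or reinstalling Chrome is the next step the thread suggests.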
  5. Charles

    Charles

I see that, yet I quarantined them.
     
  6. Broni

    Broni Malware Annihilator Staff Member

    This is not what I see from your log.
    If you quarantined them and they come up again with a new scan then most likely some Chrome addon creates them.

    In that case....

    Reset Chrome...
    Click on "Customize and control Google Chrome":
    Click "Settings" then "Show advanced settings" at the bottom of the screen.
    Click "Reset browser settings" button.
    Restart Chrome.

    If the above didn't help....

    Reinstall Chrome...
    If you want to save your bookmarks...
    How to Backup Bookmarks in Google Chrome
    If you want to save your passwords as well see here: Backup & Restore Google Chrome Passwords in Windows 10/8/7
    • Close all Chrome windows and tabs.
    • Go to the Start menu > Control Panel. (Windows 8 users: Learn how to access the Control Panel)
    • Click Programs and Features.
    • Double-click Google Chrome.
    • Click Uninstall from the confirmation dialog. Delete your user profile information, like your browser preferences, bookmarks, and history, by selecting the "Also delete your browsing data" checkbox.
    Install fresh copy.
     
  7. Charles

    Charles

I tried quarantining and deleting these below. I tried resetting Chrome, reinstalling Chrome, and rebooting, and they always come back after running Malwarebytes. Possibilities are to reinstall the OS, or build a new system and use this drive to move files around. If I build a new system and use this drive as a data drive, can I infect the primary (new system) drive from this drive by moving files around?

    PUP.Optional.Searching.ShrtCln, C:\USERS\CARLOS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, [16431], [454819],1.0.3346
    PUP.Optional.Searching.ShrtCln, C:\USERS\CARLOS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, [16431], [454819],1.0.3346
    PUP.Optional.Searching.ShrtCln, C:\USERS\CARLOS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, [16431], [454819],1.0.3346
    PUP.Optional.SearchModule, C:\USERS\CARLOS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, [674], [458372],1.0.3346
     
  8. Broni

    Broni Malware Annihilator Staff Member

    When you reinstall Chrome make sure "sync" is being disabled.
Also, why does your log say "No Action By User"?
     
  9. Charles

    Charles

Rechecked, and Chrome sync is off.
I followed everything above. Would "No Action By User" be remedied by running the FRST64 Fix? Below is the latest file after running it again.

    Fix result of Farbar Recovery Scan Tool (x64) Version: 30-11-2017
    Ran by Carlos (05-12-2017 05:58:50) Run:2
    Running from C:\Users\Carlos\Desktop
    Loaded Profiles: Carlos (Available Profiles: Carlos & Guest)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    CustomCLSID: HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4}\InprocServer32 -> C:\Users\Carlos\AppData\Local\Google\Update\1.3.33.5\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Carlos\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Carlos\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Carlos\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\Carlos\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\Carlos\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Carlos\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File

    *****************

    AppMgmt => service not found.
    catchme => service not found.
    HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4} => key not found
    HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856} => key not found
    HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4} => key not found
    HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247} => key not found
    HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04} => key not found
    HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA} => key not found
    HKU\S-1-5-21-3586660956-3886300925-2189714754-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2} => key not found

    ==== End of Fixlog 05:58:50 ====
     
  10. Charles

    Charles

Tried quarantining the files again and deleting them, but they keep coming back after rebooting and scanning with Malwarebytes. Those files kept being picked up even after uninstalling Chrome.

I got a NEW drive for a fresh installation of Windows 7, but I'm concerned whether moving picture files, Word files or Excel files residing on this drive can affect the new drive. This drive will not be my boot drive anymore but a data drive.

    Anything else we can try?
     
  11. glc

    glc Forum Administrator Staff Member

    Joined:
    May 26, 2000
    Messages:
    35,205
    Location:
    Joplin MO
Nope, as long as they scan clean. Move everything you need, then reformat it. Leave it disconnected until Windows and antimalware are installed on the new drive.
     
  12. Charles

    Charles


    Thanks!
     
  13. Broni

    Broni Malware Annihilator Staff Member

    Last edited: Dec 5, 2017
  14. Charles

    Charles

    Will do.
     
  15. Broni

    Broni Malware Annihilator Staff Member
