Hi, Minhaz.

Please, download Farbar Recovery Scan Tool and save it to your desktop. --> IMPORTANT

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button and wait for a while.
• The scanner will produced two logs on your Desktop: FRST.txt and Addition.txt. Please copy and paste the content of these two logs in your next reply.

NOTES:

1. Do not run any tool unless instructed to do so. Also, do not uninstall or install any software during the proceedure, unless I ask you to do so.

2. Always ask before act. Do not continue if you are not sure, or if something unexpected happens.

3. I am still in training and my fixes have to be approved by my instructor, so there may be a slight delay in my replies. Look at it as a good thing though, since you will have two people looking at your problem.

 

Hi. Thanks for replying.

Windows smart defender this malware software is a threat for my computer.

"Microsoft Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk."

And I did not install it.

 

Hello!

No, it's not a risk. There is nothing to worry about. Please, press More Info, Run anyway, and then Yes to the disclaimers.

 

Hi, Minhaz.

Do you still need assistance?

 

I'm leaving this thread due to lack of feedback. If you still need assistance, please send me a PM (Personal Message) with a link to your topic.

 

HI. ran the scan and it produced 2 notepad log. Do I need to delete any personal info from that log? I see it shows my computer name and number. Do I need to delete and then give it to you? Thank you.

 

Hi, Minhaz.

The details in the logs doesn't provide confidential data other than the content of the computer. The "computer number" has nothing to do with passwords or keys or anything that needs to stay secret. Please tell me if you want me to mark this thread in progress again.

 

Yes please mark it as progressing. And could you please check for any keylogger type thing I have into my system? My laptop is suddenly slower than before. Thanks.

 

Thank you.

I will be back to you later today.

 

Hi Dr.M,

Just as an FYI, in case you're not aware, this user received a suspicious email supposedly from PayPal so I'm including a link to the thread about that in General Security as I feel it's important to mention. He actually clicked the link but Firefox blocked access to the site apparently.

https://forums.techguy.org/threads/suspicious-email-from-paypal.1243724/

 

Thank you, Cookiegal.

Minhaz, until I provide the fix, please change email and Paypal passwords, using a healthy computer.

 

You're welcome and thanks for helping us out with malware removal during your training.

 

Hi, Minhaz.

My comments / instructions regarding your logs:

1. Questionable program

Did you intentionally installed Web Companion (Lavasoft)? It is supposed to be a legitimate program, but it also may has been bundled with a third party software. In that case, it has to be uninstalled.

2. Notifications from sites

Did you intentionally enable notifications from these sites?

hxxps://159188334492330.webpush.freshchat.com;
hxxps://3.lodder1.biz;
hxxps://app.gotowebinar.com;
hxxps://gcx.alibaba.com;
hxxps://mail.google.com;
hxxps://upfronttrading.com;
hxxps://www.facebook.com;
hxxps://www.youtube.com

3. Chrome extensions

Are you aware of these Chrome extensions? Many of them have to do with ads, buying options and tracking.

CHR Extension: MBS Retriever
CHR Extension: Rakuten: Get Cash Back For Shopping
CHR Extension: Alexa Traffic Rank
CHR Extension: DS Amazon Quick View
CHR Extension: Commerce Inspector
CHR Extension: Turbo Ad Finder
CHR Extension: Keepa - Amazon Price Tracker
CHR Extension: AMZScout Pro
CHR Extension: RevROI

4. FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

• Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.

Start::
CreateRestorePoint:
CloseProcesses:
AlternateDataStreams: C:\ProgramData:12C4B9B2BC247C8E [1]
AlternateDataStreams: C:\Users\All Users:12C4B9B2BC247C8E [1]
AlternateDataStreams: C:\ProgramData\Application Data:12C4B9B2BC247C8E [1]
AlternateDataStreams: C:\ProgramData\PACE:603CFC9DABD4D885 [217]
FirewallRules: [{034FA81F-A756-46B0-AA14-DF3962D1CF7C}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\Resolve.exe No File
FirewallRules: [{E698A352-9ED5-415E-AC28-E775161904CC}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\bmdpaneld.exe No File
FirewallRules: [{3937DCE4-F46D-451E-AE1C-4257C5044C64}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\DaVinciPanelDaemon.exe No File
FirewallRules: [{61072599-9107-4658-BA09-279090127E5D}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\JLCooperPanelDaemon.exe No File
FirewallRules: [{885BE204-FDC1-4640-B42D-7C42C8D1121A}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\EuphonixPanelDaemon.exe No File
FirewallRules: [{EACCC3CF-589B-4B37-9FF8-1F62AFC0F8F3}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\TangentPanelDaemon.exe No File
FirewallRules: [{01FB87B4-116C-411C-8E3C-C03E9A651996}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\ElementsPanelDaemon.exe No File
FirewallRules: [{0E89711B-A271-4238-8A0C-BF11A7EA6349}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\OxygenPanelDaemon.exe No File
FirewallRules: [{504E0981-09AD-4B9C-861C-B20ACBEE5D66}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\DPDecoder.exe No File
FirewallRules: [{16A45D7B-3629-4979-96F1-2C66C50F9BAD}] => (Allow) C:\ProgramData\Blackmagic Design\DaVinci Resolve\Support\QtDecoder\QTDecoder.exe No File
FirewallRules: [TCP Query User{284D7C42-5173-4199-8517-70F8911A51DE}C:\program files\blackmagic design\davinci resolve\dpdecoder.exe] => (Allow) C:\program files\blackmagic design\davinci resolve\dpdecoder.exe No File
FirewallRules: [UDP Query User{C8067D8A-D378-47E3-9845-A9513FF7DCA4}C:\program files\blackmagic design\davinci resolve\dpdecoder.exe] => (Allow) C:\program files\blackmagic design\davinci resolve\dpdecoder.exe No File
FirewallRules: [TCP Query User{EF31B8FB-4D57-4617-8A3D-37C122981C46}C:\program files\blackmagic design\davinci resolve\resolve.exe] => (Allow) C:\program files\blackmagic design\davinci resolve\resolve.exe No File
FirewallRules: [UDP Query User{131247FB-E1DD-4CC9-8935-9F589E88B992}C:\program files\blackmagic design\davinci resolve\resolve.exe] => (Allow) C:\program files\blackmagic design\davinci resolve\resolve.exe No File
FirewallRules: [TCP Query User{4F9910DB-64FC-46DC-918D-EEE78C4CDC49}C:\program files\blackmagic design\davinci resolve\fuscript.exe] => (Allow) C:\program files\blackmagic design\davinci resolve\fuscript.exe No File
FirewallRules: [UDP Query User{7B787287-899A-4EAE-953F-B613304766CC}C:\program files\blackmagic design\davinci resolve\fuscript.exe] => (Allow) C:\program files\blackmagic design\davinci resolve\fuscript.exe No File
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-390618557-1855211283-2962443170-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
C:\Program Files\Blackmagic Design
C:\ProgramData\Blackmagic Design
Emptytemp:
End::

• Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
• Press the Fix button once and wait.
• FRST will process fixlist.txt
• When finished, it will produce a log fixlog.txt on your Desktop.
• Please post the log in your next reply.

In your next reply, please post:

1. Your replies about the steps 1-3 above
2. The fixlog.txt

 

1. it is there for a long time. I do not know what it does. I some stopped it from popping up on my icon tray (bottom left)

2. hxxps://159188334492330.webpush.freshchat.com;
Do not know what it is. and when enabled notification

hxxps://3.lodder1.biz;
Do not know what it is

hxxps://app.gotowebinar.com;
Cannot remember when enabled notification

hxxps://gcx.alibaba.com;
Once enabled but stopped

hxxps://mail.google.com;
Cannot remember

hxxps://upfronttrading.com;
Cannot remember

hxxps://www.facebook.com;
Once enabled but stopped

hxxps://www.youtube.com
Once enabled but stopped


3. I know all of these chrome extensions. I installed and use them.

 

Hi, Minhaz.

1. Uninstall a program

• Press the Windows Key + R.
• Type appwiz.cpl in the Run box and click OK.
• The Add/Remove Programs list will open. Locate the following program on the list:

Web Companion

• Select the above program and click Uninstall.
• Restart the computer.

2. Run MBAM

• Open Malwarebytes you have already installed in your computer.
• Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:

Under the title Scan Options, all the options are checked.
Under the title Windows Security Center (Premium only) is unchecked.
Under the title Potentially unwanted items are set to Always.

• Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may be take longer.
• When finished, you will see the Thread Scan Summary window open.
• If threads are not found, click View Report and proceed to the two last steps below.
• If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
• Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
• Find the report with the most recent date and double click on it.
• Click on Export and then Copy to Clipboard.
• Paste its content here, in your next reply.

3. Run Adware Cleaner

Download AdwCleaner and save it to your desktop.

• Double click AdwCleaner.exe to run it.
• Click Scan Now.
  • When the scan has finished, a Scan Results window will open.
  • Click Cancel (at this point do not attempt to Quarantine anything that is found)
• Now click the Log Filestab.
  • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
  • A Notepad file will open containing the results of the scan.
  • Please post the contents of the file in your next reply.

In your next reply, please make sure to post:

1. The MBAM report
2. AdwCleaner[S0*].txt

 

1. Web companion uninstalled.

2. Malware report

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/1/20
Scan Time: 7:01 PM
Log File: 23870d18-8c08-11ea-bdb1-ace2d378565b.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.875
Update Package Version: 1.0.23290
License: Free

-System Information-
OS: Windows 10 (Build 18362.778)
CPU: x64
File System: NTFS
User: LAPTOP-8VTP8FCB\Minha

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 319742
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 11 min, 11 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

3. attached

 

Hi, Minhaz.

1. Run AdwCleaner (clean mode)

Let me explain to you the log created by AdwCleaner:

The findings in the Registry are PUPs which stands for Potentially Unwanted Programs. In the instructions below, I will list them all to be removed. Have in mind that two of the extensions you use are detected as PUP:

• Alexa Traffic Rank
• Honey

If you want to keep them, it's your choice, and you can uncheck them.

The section at the bottom under "Preinstalled Software" is software that was apparently installed when the device was new, which you may or may not use. Feel free to keep or remove the "Preinstalled Software".

To proceed, please do the following:

• Double click AdwCleaner.exe on your Desktop, to run it as you did before.
• Click Scan Now.
• When the scan has finished a Scan Results window will open.
• Please check the following boxes and then click Quarantine.
  

  PUP.Optional.PCProtect C:\ProgramData\SecuritySuite
  PUP.Optional.InstallCore HKCU\Software\csastats
  PUP.Optional.PCProtect HKCU\Software\SSProtect
  PUP.Optional.TotalAV HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.totalav.passwordvaultassistant
  PUP.Optional.TotalAV HKLM\SOFTWARE\Mozilla\NativeMessagingHosts\com.totalav.passwordvaultassistant
  PUP.Optional.WebCompanion HKCU\Software\Lavasoft\Web Companion
  PUP.Optional.WebCompanion HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
  PUP.Optional.WebCompanion HKLM\SYSTEM\Setup\FirstBoot\Services\WCAssistantService
  PUP.Optional.WebCompanion HKLM\Software\Wow6432Node\Lavasoft\Web Companion
  PUP.Optional.WebCompanion HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
  PUP.Optional.WebCompanion HKU\.DEFAULT\Software\Mozilla\NativeMessagingHosts\com.webcompanion.native
  PUP.Optional.WebCompanion HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
  PUP.Optional.Legacy Alexa Traffic Rank - cknebhggccemgcnbidipinkifmmegdel
  PUP.Optional.Legacy Honey - jid1-93CWPmRbVPjRQA@jetpack
  PUP.Optional.DefaultSearch.ShrtCln Bing Default Search
  PUP.Optional.DefaultSearch.ShrtCln Bing Default Search

• Click Next.
  • If any pre-installed software was found on your machine, a prompt window will open. Click OK to close it.
  • Check any pre-installed software items you want to remove. It is your PC so if you wish to keep them, feel free to do so. However, if you don't use them or are unsure, feel free to NOT select any of them.
  • Click Quarantine.
• A prompt to save your work will appear.
  • Click Continue when you're ready to proceed.
• A prompt to restart your computer will appear.
  • Click Restart Now.
• Once your computer has restarted:
  • If it doesn't open automatically, please start ADWCleaner.
  • Click the Log Files tab.
  • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
  • A Notepad file will open containing the results of the removal.
  • Please post the contents of the file in your next reply.

2. Run FRST

• Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
• Press Scan button and wait for a while.
• The scanner will produced two logs on your Desktop: FRST.txt and Addition.txt.
• Please copy and paste the content of these two logs in your next reply.

In your next reply, please post:

1. The AdwCleaner[C0*].txt
2. The new FRST..txt and Addition.txt.

 

Hello . I have attached these files.

 

Hi, Minhaz.

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

• Please select the entire contents of the code box below, from the "Start::" line to "End", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.

Start::
CreateRestorePoint:
CloseProcesses:
FF Notifications: Mozilla\Firefox\Profiles\jnqjfqfx.default -> hxxps://projectlifemastery.com; hxxps://store.dji.com; hxxp://community.amazingsellingmachine.com; hxxps://mail.google.com
CHR Notifications: Default -> hxxps://159188334492330.webpush.freshchat.com; hxxps://3.lodder1.biz; hxxps://app.gotowebinar.com; hxxps://gcx.alibaba.com; hxxps://mail.google.com; hxxps://upfronttrading.com; hxxps://www.facebook.com; hxxps://www.youtube.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
AlternateDataStreams: C:\ProgramData:12C4B9B2BC247C8E [217]
AlternateDataStreams: C:\Users\All Users:12C4B9B2BC247C8E [217]
AlternateDataStreams: C:\ProgramData\Application Data:12C4B9B2BC247C8E [217]
AlternateDataStreams: C:\ProgramData\PACE:603CFC9DABD4D885 [217]
cmd: type C:\Windows\system32\GroupPolicy\Machine\registry.pol
EmptyTemp:
End::

• Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
• Press the Fix button once and wait.
• FRST will process fixlist.txt
• When finished, it will produce a log fixlog.txt on your Desktop.
• Please post the log in your next reply.

Are you experiencing any particular issue now with the computer?

 

Experiencing no particular issue.

Thank you.

 

Hi, Minhaz.

Your computer has no sign of active malware. Since you are not experiencing any particular issue, we can remove the tools we used, and reset system restore points:

Download KpRm by kernel-panik and save it to your desktop.

• Right-click kprm_(version).exe and select Run as Administrator.
• Read and accept the disclaimer.
• When the tool opens, ensure all boxes under Actions are checked.
• Under Delete Quarantines select Delete Now, then click Run.
• Once complete, click OK.
• A log will open in Notepad titled kprm-(date).txt.
• Please copy and paste its contents in your next reply.

Now your computer is clean, here are some final tips about your computer's security from now on:

Some of the following, are from Klein's (2005) article, So how did I get infected in the first place. Since then, the article has been reproduced or linked to in dozens of locations. As a result, many malware experts have continued updating it, to include current operating systems and software program information. My source is Security Garden, and I marked for you the following:

1. Keep your Windows updated!
It is important always to keep current with the latest security fixes from Microsoft. This can patch many of the security holes through which attackers can infect your computer.

2. Update 3rd Party Software Programs
Third Party software programs have long been targets for malware creators. It has been stated that "Adobe's Reader and Flash and all versions of Java are together responsible for a total of 66 percent of the vulnerabilities in Windows systems exploited by malware.'' It's important to keep everything updated.

3. Update the browsers you use
Many malware infections install themselves by exploiting security holes in the Internet browser that you use. So... Keep them updated.

4. Be careful about what you download and what you open!

• Many "freeware" programs come with an enormous amount of bundled spyware that will slow down your system, spawn pop-up advertisements, or just plain crash your browser or even Windows itself. Watch for pre-checked options such as toolbars that are not essential to the operation of the installed software.
• Peer-to-peer (P2P) programs like Kazaa, BearShare, Imesh, Warez P2P, and others, allow the creation of a network enabling people to connect with other users and upload or download material in a fast efficient manner. BUT even if the P2P software you are using is "clean", a large percentage of the files served on the P2P network are likely to be infected.
• Cracked or pirated programs are not only illegal, but also can make your computer a malware target.
• Do not open any files without being certain of what they are!

5. Avoid questionable web sites!
Visit web sites that are trustworthy and reputable. Many disreputable sites will attempt to install malware on your system through "drive-by" exploits just by visiting the site in your browser. Lyrics sites, free software sites (especially ones that target young children), cracked software sites, and pornography sites are some of the worst offenders. Also, never give out personal information of any sort online or click "OK" to a pop-up unless it is signed by a reputable company and you know what it is.

6. PC means personal computer!
Don't give access to your computer to friends or family who appear to be clueless about what they are doing.

7. Back-up your work!
Make back-ups of your personal files frequently. You never know when you'll have to reformat and start from scratch. You can always reformat and reinstall programs, but you cannot replace your data if you haven't made backups.

8. Must-Have Software
An anti-virus and an anti-spyware/anti-malware program is a necessity for the security of your computer. Be sure that you keep them updated, and that real time protection is enabled.

If you have any questions or concerns please don't hesitate to ask!

I'm glad I was able to help you.

 

Hey, Minhaz.

Is everything OK? Have you used the KpRm tool?

Any question?

 

Hey, Minhaz.

Is everything OK? Have you used the KpRm tool?

Any question?

Sorry for late reply.

Yes, everything noted.

I have only windows default antivirus. I think it is sufficient.

Is my PC seems free of SPyware and keylogger too?

Thank you.

 

Hi, Minhaz.

Yes, your computer is free from malware.

Windows Defender, the built-in antivirus in Windows 10, is good enough to keep you protected, if you follow the safe computing rules. You have also Malwarebytes installed. It's the free version, meaning that it has no real protection option, but you can run it every now and then, depending on the computer's usage. These, can keep you protected.

 

Ok. Thank you very much all your help.