
Suspicious activity on your account (google)

1121 Views, 10 Replies, 3 Participants, Last post by DR.M
So, long story short.

Some days ago I installed some insecure software and got some problems with that. Someone got access to my Facebook account and made some ads there.

I solved that first problem and recovered my password, but later on I got the same problem again.

My train of thought led me to think that something must be on my computer that allows someone to get access to my info. Since the computer I was using (and still am now) is a secondary computer, I just decided to clean format everything and install Windows 11 again.

I couldn't go for the safest option, which would be to install everything from a new media drive or from the internet (no media drive accessible or enough internet speed to download a full Windows image).

I then installed Malwarebytes and scanned everything. Did the same using the online ESET scanner. No problems. Started installing software, no problem. Then I synced the Google account.

Everything worked fine; this was 4 days ago or something.

Today I get a Google "suspicious activity on your account" notice coming from this device. No Malwarebytes problems detected, no software other than something that came from valid sources.

So, I'm kind of worried that something is still here and I can't find it. So I need some help with this.
FRST64 files

(It looks like the forum is not accepting the FRST.txt file, and it doesn't even allow me to paste the text that is inside the file.)

Attachments

Please zip the frst.txt file and then attach it. Right-click the file and select "send to" then "compressed (zipped) folder".
Ohh, I tried to RAR compress it but couldn't upload it.

Zip is working, and here it is.

Attachments

Hi, besmarques.

Welcome to TSG. :)

It would be very helpful if you did the following, so I can review the logs in English:
  • Right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe
  • Run the renamed FRST and attach for me the 2 new logs to check.
Hi Mr.D, thank you for the reply.

Attached are the zipped files in English.

Attachments

The logs seem clean. But we will make some additional checks to be sure about it.

Please adhere to the guidelines below, and then carefully follow, in the same order, all the instructions after them:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but can also make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, there is no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, keep in mind that all the experts here are volunteers and may not be available to assist when you post. Please be patient while I analyze your logs.

========================

1. FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-2665634726-1736431308-1191673962-1001\...\Run: [GalaxyClient] => [X]
Task: {87EF75E6-F337-4D6B-A8AC-A52319823C97} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => C:\WINDOWS\system32\MusNotification.exe (No File)
Task: {F5435CDB-EF7D-4FE2-95E3-DB7257DD2EFD} - System32\Tasks\ASUS Optimization 36D18D69AFC3 => C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_31188efe6ea572b9\ASUSOptimization\AsusHotkeyExec.exe -CancelShutdown (No File)
S3 RoutePolicy; C:\WINDOWS\System32\drivers\RoutePolicy.sys [98304 2022-05-07] (Microsoft Windows -> )
C:\WINDOWS\System32\drivers\RoutePolicy.sys
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop and run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt.
  • When finished, it will produce a log, fixlog.txt, on your Desktop.
  • Post the log in your next reply.

2. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

3. Run Malwarebytes (scan only)

I know you said you already ran Malwarebytes. Run it once more with the following settings:
  • Open Malwarebytes.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the two last steps below.

If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

In your next reply, please post:
  1. The fixlog.txt
  2. The AdwCleaner[S0*].txt
  3. The Malwarebytes report
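The fix above removed three kinds of orphaned persistence entries: a Run value, two scheduled tasks whose executables were gone ("No File"), and a driver service. The following read-only audit re-checks those same locations for entries whose target binary no longer exists; it is an added example, not FRST's code or part of DR.M's instructions, and it assumes an elevated PowerShell 5.1 or later session on the machine being checked.

```powershell
# Added example (not from the thread): read-only audit of the persistence spots the FRST
# fix above cleaned (Run keys, scheduled tasks, service/driver ImagePaths), listing only
# entries whose target binary is missing, the "(No File)" condition FRST reports. Run elevated.
function Resolve-ExePath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim()) -replace '^\\\?\?\\', ''
    if ($cmd.StartsWith('"')) {                          # quoted path followed by arguments
        $end = $cmd.IndexOf('"', 1)
        $cmd = if ($end -gt 0) { $cmd.Substring(1, $end - 1) } else { $cmd.TrimStart('"') }
    } else { $cmd = ($cmd -split '\s+')[0] }             # unquoted: first token is the binary
    if ($cmd -match '^\\SystemRoot\\') { $cmd = $cmd -replace '^\\SystemRoot', $env:SystemRoot }
    elseif ($cmd -match '^system32\\') { $cmd = Join-Path $env:SystemRoot $cmd }
    return $cmd
}
$meta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'   # provider metadata, not values
$findings = @()
# 1. Run keys (the fix removed an orphaned GalaxyClient entry under HKU\...\Run)
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $meta -or $p.Value -isnot [string]) { continue }
        $exe = Resolve-ExePath $p.Value
        if ($exe -and -not (Test-Path -LiteralPath $exe)) {
            $findings += [pscustomobject]@{ Kind='Run'; Name="$key\$($p.Name)"; Target=$exe }
        }
    }
}
# 2. Scheduled tasks whose action executable no longer exists (the two orphaned tasks above);
#    a bare name such as cmd.exe resolves through PATH, so Get-Command is checked as well
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $exe = Resolve-ExePath $a.Execute
        if ($exe -and -not (Test-Path -LiteralPath $exe) -and -not (Get-Command $exe -ErrorAction SilentlyContinue)) {
            $findings += [pscustomobject]@{ Kind='Task'; Name="$($task.TaskPath)$($task.TaskName)"; Target=$exe }
        }
    }
}
# 3. Services and kernel drivers whose ImagePath points at a missing file (cf. RoutePolicy.sys)
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    $exe = Resolve-ExePath $img
    if ($exe -and -not (Test-Path -LiteralPath $exe)) {
        $findings += [pscustomobject]@{ Kind='Service'; Name=$svc.PSChildName; Target=$exe }
    }
}
$findings | Format-Table -AutoSize     # empty output means nothing orphaned was found
```

An orphaned entry is a leftover to clean up rather than proof of infection, as the cleared GalaxyClient and ASUS entries in this thread show; what matters is that nothing is pointing at a file you cannot account for.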
Hi again Dr.M

Here is everything you asked for.

Once again, thank you for your time.

FRST64 Fixlog
Code:
Fix result of Farbar Recovery Scan Tool (x64) Version: 09-11-2022 01
Ran by besma (09-11-2022 22:12:42) Run:1
Running from C:\Users\besma\Downloads
Loaded Profiles: besma
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start::
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-2665634726-1736431308-1191673962-1001\...\Run: [GalaxyClient] => [X]
Task: {87EF75E6-F337-4D6B-A8AC-A52319823C97} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => C:\WINDOWS\system32\MusNotification.exe (No File)
Task: {F5435CDB-EF7D-4FE2-95E3-DB7257DD2EFD} - System32\Tasks\ASUS Optimization 36D18D69AFC3 => C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_31188efe6ea572b9\ASUSOptimization\AsusHotkeyExec.exe -CancelShutdown (No File)
S3 RoutePolicy; C:\WINDOWS\System32\drivers\RoutePolicy.sys [98304 2022-05-07] (Microsoft Windows -> )
C:\WINDOWS\System32\drivers\RoutePolicy.sys
EmptyTemp:
End::
*****************

Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-2665634726-1736431308-1191673962-1001\Software\Microsoft\Windows\CurrentVersion\Run\\GalaxyClient" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{87EF75E6-F337-4D6B-A8AC-A52319823C97}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{87EF75E6-F337-4D6B-A8AC-A52319823C97}" => removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F5435CDB-EF7D-4FE2-95E3-DB7257DD2EFD}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F5435CDB-EF7D-4FE2-95E3-DB7257DD2EFD}" => removed successfully
C:\WINDOWS\System32\Tasks\ASUS Optimization 36D18D69AFC3 => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASUS Optimization 36D18D69AFC3" => removed successfully
HKLM\System\CurrentControlSet\Services\RoutePolicy => removed successfully
RoutePolicy => service removed successfully
C:\WINDOWS\System32\drivers\RoutePolicy.sys => moved successfully

=========== EmptyTemp: ==========

FlushDNS => completed
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 15878079 B
Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 0 B
Windows/system/drivers => 77128492 B
Edge => 0 B
Chrome => 1035635069 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 379 B
LocalService => 18329 B
NetworkService => 38149 B
besma => 219229661 B

RecycleBin => 2613386 B
EmptyTemp: => 1.3 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 22:13:37 ====

AdwCleaner

Code:
# -------------------------------
# Malwarebytes AdwCleaner 8.4.0.0
# -------------------------------
# Build:    08-30-2022
# Database: 2022-10-10.1 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    11-09-2022
# Duration: 00:00:07
# OS:       Windows 11 (Build 22621.755)
# Scanned:  32103
# Detected: 0


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
Malwarebytes
Code:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/9/22
Scan Time: 10:21 PM
Log File: db14853c-607c-11ed-97d0-48e7daa905bc.json

-Software Information-
Version: 4.5.16.217
Components Version: 1.0.1792
Update Package Version: 1.0.62070
License: Trial

-System Information-
OS: Windows 11 (Build 22621.755)
CPU: x64
File System: NTFS
User: Ryzen5700u\besma

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 267304
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 2 min, 14 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
Your logs are clean and you are ready to go.

Do you have any other question?
Great. No more questions from my side.

Thank you very much for your support.
Great.

The following tool will remove the tools we used as well as reset system restore points:

Download KpRm by kernel-panik and save it to your desktop.
  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please copy and paste its contents in your next reply.