Contracted a virus. Please help remove

gib65

Member
Hello.

I downloaded some malware the other day (which I shouldn't have) and now I have this annoying popup that shows up in the bottom right corner of my screen:



It was inadvertently downloaded from totalav.com as I was following along with a youtube video which directed me to that site to download a driver for a game controller.

I removed all programs that I thought could be related to it but it still shows up. Can anyone help me remove it? Thanks.
 

gib65

Member
I just ran them. Here are the logs:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/16/20
Scan Time: 9:31 AM
Log File: c8ed7252-50d9-11ea-9f3c-9cb6d0c85e46.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.823
Update Package Version: 1.0.19300
License: Free

-System Information-
OS: Windows 10 (Build 17763.1039)
CPU: x64
File System: NTFS
User: DESKTOP-L11K80P\junkm

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 440706
Threats Detected: 23
Threats Quarantined: 23
Time Elapsed: 2 min, 16 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 6
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 4\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 4\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 4\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,

File: 17
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\000004.log, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\000005.ldb, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\CURRENT, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\LOCK, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\LOG, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\LOG.old, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\MANIFEST-000001, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\000004.log, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\000005.ldb, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\CURRENT, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\LOCK, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\LOG, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\MANIFEST-000001, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Web Data, Replaced, 306, 455058, 1.0.19300, , ame,
PUP.Optional.PushNotifications, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 2\Preferences, Replaced, 217, 791001, 1.0.19300, , ame,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Web Data, Replaced, 306, 455058, 1.0.19300, , ame,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Web Data, Replaced, 306, 455058, 1.0.19300, , ame,

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Malwarebytes Quarantine report:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/16/20
Scan Time: 9:31 AM
Log File: c8ed7252-50d9-11ea-9f3c-9cb6d0c85e46.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.823
Update Package Version: 1.0.19300
License: Free

-System Information-
OS: Windows 10 (Build 17763.1039)
CPU: x64
File System: NTFS
User: DESKTOP-L11K80P\junkm

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 440706
Threats Detected: 23
Threats Quarantined: 23
Time Elapsed: 2 min, 16 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 6
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 4\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 4\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 4\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,

File: 17
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\000004.log, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\000005.ldb, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\CURRENT, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\LOCK, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\LOG, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\LOG.old, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\MANIFEST-000001, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\000004.log, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\000005.ldb, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\CURRENT, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\LOCK, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\LOG, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\MANIFEST-000001, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Web Data, Replaced, 306, 455058, 1.0.19300, , ame,
PUP.Optional.PushNotifications, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 2\Preferences, Replaced, 217, 791001, 1.0.19300, , ame,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Web Data, Replaced, 306, 455058, 1.0.19300, , ame,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Web Data, Replaced, 306, 455058, 1.0.19300, , ame,

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

AdwCleaner [S00]:

# -------------------------------
# Malwarebytes AdwCleaner 8.0.2.0
# -------------------------------
# Build: 01-27-2020
# Database: 2020-01-24.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 02-16-2020
# Duration: 00:01:08
# OS: Windows 10 Pro
# Scanned: 34824
# Detected: 23


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

PUP.Optional.Booking C:\Users\junkm\Favorites\Booking.com.url

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

PUP.Optional.Legacy Web Search
PUP.Optional.Legacy http://homepage-web.com/?s=acer&m=start

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

Preinstalled.DellCommand|PowerManager Folder C:\Program Files\DELL\COMMANDPOWERMANAGER
Preinstalled.DellCommand|PowerManager Folder C:\ProgramData\DELL\COMMANDPOWERMANAGER
Preinstalled.DellCommand|PowerManager Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{18469ED8-8C36-4CF7-BD43-0FC9B1931AF8}
Preinstalled.DellSupportAssistAgent Folder C:\Program Files\DELL\SAREMEDIATION\AGENT
Preinstalled.DellSupportAssistAgent Folder C:\Program Files\DELL\SAREMEDIATION\AUDIT
Preinstalled.DellSupportAssistAgent Folder C:\Program Files\DELL\SAREMEDIATION\PLUGIN
Preinstalled.DellSupportAssistAgent Folder C:\Program Files\DELL\SUPPORTASSISTAGENT
Preinstalled.DellSupportAssistAgent Folder C:\ProgramData\DELL\SAREMEDIATION\AGENT
Preinstalled.DellSupportAssistAgent Folder C:\ProgramData\DELL\SAREMEDIATION\PLUGIN
Preinstalled.DellSupportAssistAgent Folder C:\ProgramData\SUPPORTASSIST\CLIENT\TECHNICIANTOOLKIT
Preinstalled.DellSupportAssistAgent Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7F534701-39EA-4003-9E6D-138463879791}
Preinstalled.DellSupportAssistAgent Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7F534701-39EA-4003-9E6D-138463879791}
Preinstalled.DellSupportAssistAgent Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Dell SupportAssistAgent AutoUpdate
Preinstalled.DellSupportAssistAgent Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{03C35F56-A9AD-4B59-B061-B8CE41C4C22B}
Preinstalled.DellSupportAssistAgent Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9BEF4D9A-592C-4073-B202-30234347B3DA}
Preinstalled.DellSupportAssistAgent Task C:\Windows\System32\Tasks\DELL SUPPORTASSISTAGENT AUTOUPDATE
Preinstalled.DellUpdateforWindows10 Folder C:\Program Files (x86)\DELL\UPDATESERVICE
Preinstalled.DellUpdateforWindows10 Folder C:\Program Files\DELL\UPDATE
Preinstalled.DellUpdateforWindows10 Folder C:\ProgramData\DELL\UPDATESERVICE
Preinstalled.DellUpdateforWindows10 Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{70E9F8CC-A23E-4C25-B292-C86C1821587C}



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########


AdwCleaner [C00]:

# -------------------------------
# Malwarebytes AdwCleaner 8.0.2.0
# -------------------------------
# Build: 01-27-2020
# Database: 2020-01-24.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 02-16-2020
# Duration: 00:00:02
# OS: Windows 10 Pro
# Cleaned: 3
# Failed: 0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

Deleted C:\Users\junkm\Favorites\Booking.com.url

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

No malicious registry entries cleaned.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

Deleted Web Search
Deleted http://homepage-web.com/?s=acer&m=start

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [3774 octets] - [16/02/2020 09:41:12]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########
 
Last edited by a moderator:

ssal

Active Member
I can't help you with your current situation.

But for the future, I would recommend you do what I religiously do for my two machines.

I have the boot drive partitioned into one partition for the boot and the loaded programs. And I have the rest of the SSD for my active project or data. I use the free Macrum Reflect software to mirror my boot drive. I also created the boot media in an USB. I image my boot drive religiously every week.

If I suspect that I have been attacked, I just pull out the USB and restore my boot drive from the last working session, and that's end of story.
 

johnb35

Administrator
Staff member
Let me know if you are still getting the popup. By chance, do you run mcafee antivirus software?
 

gib65

Member
Hi John,

The popups have been appearing much less frequently and not as flashy (i.e. just as text notifications like the image below rather than with the colorful graphics like in the OP). Some of them are the usual notifications that I've always gotten on Windows 10 (ex. updates are available for certain applications), but I'm also getting news feeds or advertisements for things like Tim Horton's which I've never gotten before:



I did have McAfee on my machine. It came with it. But I uninstalled everything to do with McAfee in an attempt to remove the virus (since it looked like it was McAfee related), which didn't work obviously.
 

johnb35

Administrator
Staff member
If those are truly notifications then you should be able to go into the notification settings and disable them. You can also Go into your browser settings and change the notification settings there too. I know firefox does, not sure about chrome but most likely it does.
 

Intel_man

VIP Member
Yeah its possible the virus/malware added a bunch of sites to the push notifications setting in your browser that you'll have to remove yourself per John's instructions.
 

gib65

Member
Turns out everything was on in notification settings. I went in and turn off all the notification I don't want. Things should be good now. Thanks.
 
Top