Contracted a virus. Please help remove

Discussion in 'Computer Security' started by gib65, Feb 16, 2020.

  1. gib65

    gib65 Member

    Messages:
    172
    Hello.

    I downloaded some malware the other day (which I shouldn't have) and now I have this annoying popup that shows up in the bottom right corner of my screen:

    [image]

    It was inadvertently downloaded from totalav.com as I was following along with a YouTube video that directed me to that site to download a driver for a game controller.

    I removed all programs that I thought could be related to it but it still shows up. Can anyone help me remove it? Thanks.
     
  2. johnb35

    johnb35 Administrator Staff Member

    Messages:
    42,125
    Have you run Malwarebytes and AdwCleaner yet? Those are always the first steps.
     
  3. gib65

    gib65 Member

    Messages:
    172
    I just ran them. Here are the logs:

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 2/16/20
    Scan Time: 9:31 AM
    Log File: c8ed7252-50d9-11ea-9f3c-9cb6d0c85e46.json

    -Software Information-
    Version: 4.0.4.49
    Components Version: 1.0.823
    Update Package Version: 1.0.19300
    License: Free

    -System Information-
    OS: Windows 10 (Build 17763.1039)
    CPU: x64
    File System: NTFS
    User: DESKTOP-L11K80P\junkm

    -Scan Summary-
    Scan Type: Threat Scan
    Scan Initiated By: Manual
    Result: Completed
    Objects Scanned: 440706
    Threats Detected: 23
    Threats Quarantined: 23
    Time Elapsed: 2 min, 16 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 0
    (No malicious items detected)

    Registry Value: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Data Stream: 0
    (No malicious items detected)

    Folder: 6
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 4\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 4\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 4\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,

    File: 17
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\000004.log, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\000005.ldb, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\CURRENT, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\LOCK, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\LOG, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\LOG.old, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\MANIFEST-000001, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\000004.log, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\000005.ldb, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\CURRENT, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\LOCK, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\LOG, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\MANIFEST-000001, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Web Data, Replaced, 306, 455058, 1.0.19300, , ame,
    PUP.Optional.PushNotifications, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 2\Preferences, Replaced, 217, 791001, 1.0.19300, , ame,
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Web Data, Replaced, 306, 455058, 1.0.19300, , ame,
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Web Data, Replaced, 306, 455058, 1.0.19300, , ame,

    Physical Sector: 0
    (No malicious items detected)

    WMI: 0
    (No malicious items detected)


    (end)

    Malwarebytes Quarantine report:

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 2/16/20
    Scan Time: 9:31 AM
    Log File: c8ed7252-50d9-11ea-9f3c-9cb6d0c85e46.json

    -Software Information-
    Version: 4.0.4.49
    Components Version: 1.0.823
    Update Package Version: 1.0.19300
    License: Free

    -System Information-
    OS: Windows 10 (Build 17763.1039)
    CPU: x64
    File System: NTFS
    User: DESKTOP-L11K80P\junkm

    -Scan Summary-
    Scan Type: Threat Scan
    Scan Initiated By: Manual
    Result: Completed
    Objects Scanned: 440706
    Threats Detected: 23
    Threats Quarantined: 23
    Time Elapsed: 2 min, 16 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 0
    (No malicious items detected)

    Registry Value: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Data Stream: 0
    (No malicious items detected)

    Folder: 6
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 4\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 4\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 4\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,

    File: 17
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\000004.log, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\000005.ldb, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\CURRENT, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\LOCK, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\LOG, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\LOG.old, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\MANIFEST-000001, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\000004.log, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\000005.ldb, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\CURRENT, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\LOCK, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\LOG, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data\LevelDB\MANIFEST-000001, Quarantined, 306, 455058, , , ,
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Web Data, Replaced, 306, 455058, 1.0.19300, , ame,
    PUP.Optional.PushNotifications, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 2\Preferences, Replaced, 217, 791001, 1.0.19300, , ame,
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Web Data, Replaced, 306, 455058, 1.0.19300, , ame,
    PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Web Data, Replaced, 306, 455058, 1.0.19300, , ame,

    Physical Sector: 0
    (No malicious items detected)

    WMI: 0
    (No malicious items detected)


    (end)

    AdwCleaner [S00]:

    # -------------------------------
    # Malwarebytes AdwCleaner 8.0.2.0
    # -------------------------------
    # Build: 01-27-2020
    # Database: 2020-01-24.1 (Cloud)
    # Support: https://www.malwarebytes.com/support
    #
    # -------------------------------
    # Mode: Scan
    # -------------------------------
    # Start: 02-16-2020
    # Duration: 00:01:08
    # OS: Windows 10 Pro
    # Scanned: 34824
    # Detected: 23


    ***** [ Services ] *****

    No malicious services found.

    ***** [ Folders ] *****

    No malicious folders found.

    ***** [ Files ] *****

    PUP.Optional.Booking C:\Users\junkm\Favorites\Booking.com.url

    ***** [ DLL ] *****

    No malicious DLLs found.

    ***** [ WMI ] *****

    No malicious WMI found.

    ***** [ Shortcuts ] *****

    No malicious shortcuts found.

    ***** [ Tasks ] *****

    No malicious tasks found.

    ***** [ Registry ] *****

    No malicious registry entries found.

    ***** [ Chromium (and derivatives) ] *****

    No malicious Chromium entries found.

    ***** [ Chromium URLs ] *****

    PUP.Optional.Legacy Web Search
    PUP.Optional.Legacy http://homepage-web.com/?s=acer&m=start

    ***** [ Firefox (and derivatives) ] *****

    No malicious Firefox entries found.

    ***** [ Firefox URLs ] *****

    No malicious Firefox URLs found.

    ***** [ Hosts File Entries ] *****

    No malicious hosts file entries found.

    ***** [ Preinstalled Software ] *****

    Preinstalled.DellCommand|PowerManager Folder C:\Program Files\DELL\COMMANDPOWERMANAGER
    Preinstalled.DellCommand|PowerManager Folder C:\ProgramData\DELL\COMMANDPOWERMANAGER
    Preinstalled.DellCommand|PowerManager Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{18469ED8-8C36-4CF7-BD43-0FC9B1931AF8}
    Preinstalled.DellSupportAssistAgent Folder C:\Program Files\DELL\SAREMEDIATION\AGENT
    Preinstalled.DellSupportAssistAgent Folder C:\Program Files\DELL\SAREMEDIATION\AUDIT
    Preinstalled.DellSupportAssistAgent Folder C:\Program Files\DELL\SAREMEDIATION\PLUGIN
    Preinstalled.DellSupportAssistAgent Folder C:\Program Files\DELL\SUPPORTASSISTAGENT
    Preinstalled.DellSupportAssistAgent Folder C:\ProgramData\DELL\SAREMEDIATION\AGENT
    Preinstalled.DellSupportAssistAgent Folder C:\ProgramData\DELL\SAREMEDIATION\PLUGIN
    Preinstalled.DellSupportAssistAgent Folder C:\ProgramData\SUPPORTASSIST\CLIENT\TECHNICIANTOOLKIT
    Preinstalled.DellSupportAssistAgent Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7F534701-39EA-4003-9E6D-138463879791}
    Preinstalled.DellSupportAssistAgent Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7F534701-39EA-4003-9E6D-138463879791}
    Preinstalled.DellSupportAssistAgent Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Dell SupportAssistAgent AutoUpdate
    Preinstalled.DellSupportAssistAgent Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{03C35F56-A9AD-4B59-B061-B8CE41C4C22B}
    Preinstalled.DellSupportAssistAgent Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9BEF4D9A-592C-4073-B202-30234347B3DA}
    Preinstalled.DellSupportAssistAgent Task C:\Windows\System32\Tasks\DELL SUPPORTASSISTAGENT AUTOUPDATE
    Preinstalled.DellUpdateforWindows10 Folder C:\Program Files (x86)\DELL\UPDATESERVICE
    Preinstalled.DellUpdateforWindows10 Folder C:\Program Files\DELL\UPDATE
    Preinstalled.DellUpdateforWindows10 Folder C:\ProgramData\DELL\UPDATESERVICE
    Preinstalled.DellUpdateforWindows10 Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{70E9F8CC-A23E-4C25-B292-C86C1821587C}



    ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########


    AdwCleaner [C00]:

    # -------------------------------
    # Malwarebytes AdwCleaner 8.0.2.0
    # -------------------------------
    # Build: 01-27-2020
    # Database: 2020-01-24.1 (Cloud)
    # Support: https://www.malwarebytes.com/support
    #
    # -------------------------------
    # Mode: Clean
    # -------------------------------
    # Start: 02-16-2020
    # Duration: 00:00:02
    # OS: Windows 10 Pro
    # Cleaned: 3
    # Failed: 0


    ***** [ Services ] *****

    No malicious services cleaned.

    ***** [ Folders ] *****

    No malicious folders cleaned.

    ***** [ Files ] *****

    Deleted C:\Users\junkm\Favorites\Booking.com.url

    ***** [ DLL ] *****

    No malicious DLLs cleaned.

    ***** [ WMI ] *****

    No malicious WMI cleaned.

    ***** [ Shortcuts ] *****

    No malicious shortcuts cleaned.

    ***** [ Tasks ] *****

    No malicious tasks cleaned.

    ***** [ Registry ] *****

    No malicious registry entries cleaned.

    ***** [ Chromium (and derivatives) ] *****

    No malicious Chromium entries cleaned.

    ***** [ Chromium URLs ] *****

    Deleted Web Search
    Deleted http://homepage-web.com/?s=acer&m=start

    ***** [ Firefox (and derivatives) ] *****

    No malicious Firefox entries cleaned.

    ***** [ Firefox URLs ] *****

    No malicious Firefox URLs cleaned.

    ***** [ Hosts File Entries ] *****

    No malicious hosts file entries cleaned.

    ***** [ Preinstalled Software ] *****

    No Preinstalled Software cleaned.


    *************************

    [+] Delete Tracing Keys
    [+] Reset Winsock

    *************************

    AdwCleaner[S00].txt - [3774 octets] - [16/02/2020 09:41:12]

    ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########
     
    Last edited by a moderator: Feb 16, 2020
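The Malwarebytes report above lists each detection as a comma-separated line (detection name, path, action taken, then internal ids) under per-category headings in the "-Scan Details-" section. The parser below is an added example, not part of the thread and not Malwarebytes' own tooling: it reads a report in that layout, pulls out the detection lines, and summarizes what a reader of such a log usually wants first, which detections were found, which Chrome profiles they touched, and which browser settings files were reported as "Replaced" rather than quarantined. The sample report is a trimmed, constructed excerpt built from lines in the post; the "Replaced means re-check by hand" rule is an assumption of the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: a trimmed "-Scan Details-" section in the layout of the
# Malwarebytes 4 report posted above (paths and detection names from that post).
SAMPLE_REPORT = r"""
-Scan Details-
Process: 0
(No malicious items detected)

Folder: 2
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 4\Sync Data\LevelDB, Quarantined, 306, 455058, , , ,

File: 3
PUP.Optional.Astromenda, C:\Users\junkm\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data\LevelDB\000004.log, Quarantined, 306, 455058, , , ,
PUP.Optional.Astromenda, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 3\Web Data, Replaced, 306, 455058, 1.0.19300, , ame,
PUP.Optional.PushNotifications, C:\USERS\JUNKM\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 2\Preferences, Replaced, 217, 791001, 1.0.19300, , ame,

Physical Sector: 0
(No malicious items detected)

(end)
"""

# Category headings look like "Folder: 6" or "Registry Key: 0".
SECTION_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")
# Chrome profile directory inside a "User Data" path, e.g. "\Profile 3\".
PROFILE_RE = re.compile(r"\\(Profile \d+|Default)\\", re.IGNORECASE)


def parse_scan_details(report: str) -> List[Dict[str, str]]:
    """Return one dict per detection line found under -Scan Details-."""
    items: List[Dict[str, str]] = []
    category: Optional[str] = None
    in_details = False
    for raw in report.splitlines():
        line = raw.strip()
        if line == "-Scan Details-":
            in_details = True
            continue
        if not in_details or not line or line == "(end)":
            continue
        heading = SECTION_RE.match(line)
        if heading:
            category = heading.group(1)  # "Folder", "File", "Registry Key", ...
            continue
        if line.startswith("(") or category is None:
            continue  # "(No malicious items detected)" placeholder lines
        fields = [f.strip() for f in line.split(", ")]
        if len(fields) < 3:
            continue  # not a detection line
        items.append({"category": category, "detection": fields[0],
                      "path": fields[1], "action": fields[2]})
    return items


def chrome_profile(path: str) -> Optional[str]:
    """Name of the Chrome profile directory a path belongs to, if any."""
    match = PROFILE_RE.search(path)
    return match.group(1) if match else None


def summarize(items: List[Dict[str, str]]) -> Dict:
    """Counts per detection name, affected Chrome profiles, and files to re-check."""
    by_detection = Counter(item["detection"] for item in items)
    profiles = sorted({p for p in (chrome_profile(i["path"]) for i in items) if p})
    # Assumption of this example: entries reported as "Replaced" are browser
    # settings files rewritten in place (Web Data, Preferences), so their
    # current contents are worth a manual look after the scan.
    replaced = sorted(i["path"] for i in items if i["action"] == "Replaced")
    return {"total": len(items), "by_detection": dict(by_detection),
            "chrome_profiles": profiles, "replaced_settings_files": replaced}


if __name__ == "__main__":
    summary = summarize(parse_scan_details(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

To run it against a real report, paste the text of the Malwarebytes scan report into a file and pass its contents to parse_scan_details; the function ignores everything before the "-Scan Details-" heading, so the header sections do not need to be trimmed.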
  4. ssal

    ssal Active Member

    Messages:
    575
    I can't help you with your current situation.

    But for the future, I would recommend you do what I religiously do for my two machines.

    I have the boot drive partitioned into one partition for the boot and the loaded programs, and I have the rest of the SSD for my active project or data. I use the free Macrium Reflect software to mirror my boot drive. I also created the boot media on a USB. I image my boot drive religiously every week.

    If I suspect that I have been attacked, I just pull out the USB and restore my boot drive from the last working session, and that's the end of the story.
     
  5. johnb35

    johnb35 Administrator Staff Member

    Messages:
    42,125
    Let me know if you are still getting the popup. By chance, do you run McAfee antivirus software?
     
  6. gib65

    gib65 Member

    Messages:
    172
    Hi John,

    The popups have been appearing much less frequently and are not as flashy (i.e. just text notifications like the image below, rather than the colorful graphics in the OP). Some of them are the usual notifications that I've always gotten on Windows 10 (e.g. updates are available for certain applications), but I'm also getting news feeds or advertisements for things like Tim Horton's, which I've never gotten before:

    [image]

    I did have McAfee on my machine. It came with it. But I uninstalled everything to do with McAfee in an attempt to remove the virus (since it looked like it was McAfee related), which didn't work obviously.
     
  7. johnb35

    johnb35 Administrator Staff Member

    Messages:
    42,125
    If those are truly notifications then you should be able to go into the notification settings and disable them. You can also go into your browser settings and change the notification settings there too. I know Firefox does; not sure about Chrome, but most likely it does.
     
  8. Intel_man

    Intel_man VIP Member

    Messages:
    5,786
    Yeah, it's possible the virus/malware added a bunch of sites to the push notification settings in your browser that you'll have to remove yourself per John's instructions.
     
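The two replies above describe the mechanism behind the leftover popups: a site that has been granted the notification permission in the browser can keep pushing "news" and ads after the installer itself is gone. Chrome records those grants in the profile's Preferences JSON file (the same file the Malwarebytes log flagged as PUP.Optional.PushNotifications) under profile.content_settings.exceptions.notifications, keyed by an origin pattern such as "https://example.com:443,*" with "setting" 1 for allow and 2 for block. The script below is an added example, not part of the thread and not Google's or Malwarebytes' code: it lists the allowed origins, flags any that are not on a list the user expects, and produces a copy of the preferences with those switched to block. The sample preferences are constructed and the hostnames in them are invented; the expected list is an assumption of the demo.

```python
import copy
import json
from typing import Dict, List

# Chrome's ContentSetting values as stored in Preferences: 1 = allow, 2 = block.
ALLOW, BLOCK = 1, 2

# Constructed sample of the relevant slice of a Chrome profile's Preferences
# file; the real file has many more keys. Hostnames are invented.
SAMPLE_PREFERENCES: Dict = {
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://mail.example.com:443,*": {"setting": ALLOW},
                    "https://news-push.example.net:443,*": {"setting": ALLOW},
                    "https://ads-push.example.org:443,*": {"setting": ALLOW},
                    "https://quiet.example.com:443,*": {"setting": BLOCK},
                }
            }
        }
    }
}


def load_preferences(path: str) -> Dict:
    """Read a Chrome Preferences file (plain JSON) from disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def _notification_exceptions(prefs: Dict) -> Dict:
    """The notifications exception map, or an empty dict if absent."""
    return (prefs.get("profile", {}).get("content_settings", {})
                 .get("exceptions", {}).get("notifications", {}))


def notification_grants(prefs: Dict) -> List[str]:
    """Origins currently allowed to push notifications, sorted."""
    return sorted(pattern.split(",")[0]
                  for pattern, entry in _notification_exceptions(prefs).items()
                  if entry.get("setting") == ALLOW)


def unexpected_grants(prefs: Dict, expected: List[str]) -> List[str]:
    """Allowed origins that are not on the user's own expected list."""
    expected_set = set(expected)
    return [origin for origin in notification_grants(prefs)
            if origin not in expected_set]


def revoke(prefs: Dict, origins: List[str]) -> Dict:
    """Return a deep copy of prefs with the given origins switched to BLOCK."""
    updated = copy.deepcopy(prefs)
    for pattern, entry in _notification_exceptions(updated).items():
        if pattern.split(",")[0] in origins:
            entry["setting"] = BLOCK
    return updated


if __name__ == "__main__":
    # Assumption for the demo: the user only ever wanted their mail site.
    keep = ["https://mail.example.com:443"]
    suspicious = unexpected_grants(SAMPLE_PREFERENCES, keep)
    print("unexpected notification grants:", suspicious)
    cleaned = revoke(SAMPLE_PREFERENCES, suspicious)
    print("grants after revoke:", notification_grants(cleaned))
```

Reading the file is safe at any time and is a quick way to see exactly which sites were granted the permission across every profile (Profile 2, 3 and 4 in the log above). Writing changes back is only reliable with Chrome fully closed, since a running Chrome rewrites Preferences on exit; for the cleanup itself, the in-browser notification settings page the replies point to is the supported route, and this script is most useful for the audit and for checking that the cleanup actually took.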
  9. gib65

    gib65 Member

    Messages:
    172
    Turns out everything was on in notification settings. I went in and turned off all the notifications I don't want. Things should be good now. Thanks.
     
