
Fake Chromium Virus

Jtalk4456

I seem to have gotten a fake Chromium through some install, clicking too fast. I remember accidentally clicking through an express install and I'm assuming it happened then. It is persistent, and pops up very occasionally and randomly. Task Manager kills it, but it waits a while and comes back. It will just open on its own and sit there. If I try to click off it, it puts itself back to the front of the screen. I found Chromium in the Control Panel and uninstalled it. It still occasionally pops up but is no longer in the program list to uninstall. The last time it popped up there was a process I found; I didn't get a screenshot of the name, but I think it was "html" something or other. I used Properties and traced it back to the SysWOW64 folder. Terminating it killed Chromium, so it was the process for sure. Upon some research I found that the SysWOW64 folder has to do with converting 32-bit programs into 64-bit processes or something like that, but that it is common for a virus to make a fake SysWOW64 folder. I tried removing it, but it was protected and in use, of course. I used a program called LockHunter to unlock and remove the folder after a restart. Restarted and nothing has changed. I have included a HijackThis report that I don't know how to read. If you have any clue how to get rid of this thing, it would be greatly appreciated. If you need some other report or log from a different program, let me know. Also, antivirus scans aren't picking it up.

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 1:11:20 PM, on 7/7/2018
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.17134.0001)


Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Program Files (x86)\Steam\steam.exe
C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
C:\Users\jtalk\PortableApps\PortableApps.com\PortableAppsPlatform.exe
C:\Users\jtalk\PortableApps\SpybotPortable\SpybotPortable.exe
C:\Users\jtalk\PortableApps\SpybotPortable\SpybotPortable.exe
C:\Users\jtalk\PortableApps\SpybotPortable\App\Spybot\SDWelcome.exe
C:\Users\jtalk\PortableApps\SpybotPortable\App\Spybot\SDScan.exe
C:\Users\jtalk\PortableApps\HijackThisPortable\HijackThisPortable.exe
C:\Users\jtalk\PortableApps\HijackThisPortable\HijackThisPortable.exe
C:\Users\jtalk\PortableApps\HijackThisPortable\App\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_dmontlsfs_18_21_03&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutCtD0CtAyB0ByEyCyEtD0BtCzztCtByDtN0D0Tzu0StBtAtAyCtN1L2XzuyEtFtByEtFtDtFzyyBtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2StAyByE0Bzy0F0AtDtGtAtA0EtAtGtD0BzyyCtGtCtC0F0AtG0DtAyCyEyC0EtDzy0FtB0FyC2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzyyCtAtC1TtByCtGtD1O1O1QtGyEtAtAzytGzzyCtDtBtGzz1StCyDyDtB1OtD1T1PtA1Q2QtN0A0LzuyEtN1B2Z1V1T1S1NzutN1Q2Z1B1P1RzutCyDtByBtAtDyByCtDtA%26cr%3D50418689%26a%3Dwbf_dmontlsfs_18_21_03%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_dmontlsfs_18_21_03&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutCtD0CtAyB0ByEyCyEtD0BtCzztCtByDtN0D0Tzu0StBtAtAyCtN1L2XzuyEtFtByEtFtDtFzyyBtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2StAyByE0Bzy0F0AtDtGtAtA0EtAtGtD0BzyyCtGtCtC0F0AtG0DtAyCyEyC0EtDzy0FtB0FyC2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzyyCtAtC1TtByCtGtD1O1O1QtGyEtAtAzytGzzyCtDtBtGzz1StCyDyDtB1OtD1T1PtA1Q2QtN0A0LzuyEtN1B2Z1V1T1S1NzutN1Q2Z1B1P1RzutCyDtByBtAtDyByCtDtA%26cr%3D50418689%26a%3Dwbf_dmontlsfs_18_21_03%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = %11%\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=
O2 - BHO: Lync Click to Call BHO - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_161\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_161\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [HP OfficeJet Pro 6960 (NET)] "C:\Program Files\HP\HP OfficeJet Pro 6960\Bin\ScanToPCActivationApp.exe" -deviceID "TH66U340ZN:NW" -scfn "HP OfficeJet Pro 6960 (NET)" -AutoStart 1
O4 - HKCU\..\Run: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
O4 - HKCU\..\Run: [CCleaner] "C:\Program Files\CCleaner\CCleaner64.exe" /AUTO
O4 - HKCU\..\Run: [DAEMON Tools Lite Automount] "C:\Program Files\DAEMON Tools Lite\DTAgent.exe" -autorun
O4 - HKCU\..\Run: [electron.app.games-from-space-client] C:\Users\jtalk\AppData\Local\Programs\games-from-space-client\Games from Space.exe --minimized
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_29_0_0_140_Plugin.exe -update plugin
O4 - HKUS\S-1-5-19\..\Run: [OneDriveSetup] C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [WAB Migrate] %ProgramFiles%\Windows Mail\wab.exe /Upgrade (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OneDriveSetup] C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [WAB Migrate] %ProgramFiles%\Windows Mail\wab.exe /Upgrade (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2826968937-3658326969-3046202494-1002\..\Run: [OneDrive] "C:\Users\Chris\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background (User 'Chris')
O4 - HKUS\S-1-5-21-2826968937-3658326969-3046202494-1002\..\RunOnce: [Application Restart #0] C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe atlogon (User 'Chris')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\Program Files\Microsoft Office\Root\Office16\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\root\Office16\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\root\Office16\ONBttnIE.dll
O9 - Extra button: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll
O9 - Extra 'Tools' menuitem: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\Tcpip\..\{fd5674e6-eaa9-468e-9aba-6d5bf752ed32}: NameServer = 1.1.1.1,1.0.0.1
O18 - Protocol: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL
O18 - Protocol: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL
O18 - Protocol: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL
O18 - Protocol: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL
O18 - Protocol: tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O18 - Protocol: windows.tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O18 - Filter hijack: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLMF.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - AMD - C:\WINDOWS\System32\DriverStore\FileRepository\c0323831.inf_amd64_1212be4b9fe2386c\atiesrxx.exe
O23 - Service: AMD User Experience Program Launcher (AUEPLauncher) - Unknown owner - C:\Program Files (x86)\AMD\Performance Profile Client\AUEPLauncher.exe
O23 - Service: @%SystemRoot%\system32\DiagSvcs\DiagnosticsHub.StandardCollector.ServiceRes.dll,-1000 (diagnosticshub.standardcollector.service) - Unknown owner - C:\WINDOWS\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (file missing)
O23 - Service: Disc Soft Lite Bus Service - Disc Soft Ltd - C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: EQU8_tabg - Int3 Software AB - C:\Program Files (x86)\Steam\steamapps\common\TotallyAccurateBattlegrounds\TotallyAccurateBattlegrounds_Data\Plugins\agent.x64.equ8.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
O23 - Service: Futuremark SystemInfo Service - Futuremark - C:\Program Files (x86)\Futuremark\SystemInfo\FMSISvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\SecurityHealthAgent.dll,-1002 (SecurityHealthService) - Unknown owner - C:\WINDOWS\system32\SecurityHealthService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SensorDataService.exe,-101 (SensorDataService) - Unknown owner - C:\WINDOWS\System32\SensorDataService.exe (file missing)
O23 - Service: @%SystemRoot%\System32\SgrmBroker.exe,-100 (SgrmBroker) - Unknown owner - C:\WINDOWS\system32\SgrmBroker.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spectrum.exe,-101 (spectrum) - Unknown owner - C:\WINDOWS\system32\spectrum.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\WINDOWS\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\WINDOWS\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\TieringEngineService.exe,-702 (TieringEngineService) - Unknown owner - C:\WINDOWS\system32\TieringEngineService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\WINDOWS\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\WINDOWS\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: @%systemroot%\system32\xbgmsvc.exe,-100 (xbgm) - Unknown owner - C:\WINDOWS\system32\xbgmsvc.exe (file missing)

--
End of file - 12550 bytes
 

Insanity is not the absence of sanity, but the willingness to ignore it for a purpose. Chaos is the result of this choice. I relish in both.


Malwarebytes does anything?


Run a full system scan with your anti-virus (I'm assuming it's Windows Defender). If that doesn't work, you can try downloading a trial copy of paid AV programs like Bitdefender or Kaspersky, or try their free virus removal tool. [another one here]. I don't exactly recommend Malwarebytes as its detection is quite sloppy even with an on-demand scan. https://www.mrg-effitas.com/wp-content/uploads/2018/05/MRG-Effitas-2018Q1-360-Assessment.pdf

 

Have you tried uploading the suspicious file to http://virustotal.com/?

Edited by captain_to_fire

There is more that meets the eye
I see the soul that is inside


31 minutes ago, Jtalk4456 said:

I used properties and traced it back to the SYSWOW64 folder. Terminating it killed chromium, so it was the process for sure. Upon some research I found that the syswow folder has to do with converting 32 bit programs into 64 bit processes or something like that, but that it is common for a virus to make a fake syswow folder. I tried removing it, but it was protected and in use of course. I used a program called lockhunter to unlock and remove the folder after a restart. Restarted and nothing has changed.

 

You removed the SysWoW64 folder in its entirety? The SysWoW64 folder holds all of the needed DLL files for installed 32-bit programs to work on your pc. You may have just created a huge amount of problems for yourself down the line.


1 minute ago, Tabs said:

 

You removed the SysWoW64 folder in its entirety? The SysWoW64 folder holds all of the needed DLL files for installed 32-bit programs to work on your pc. You may have just created a huge amount of problems for yourself down the line.

I don't really run any 32-bit programs, but as I said it didn't delete anyways, and it seemed to be a fake folder for the virus.


2 minutes ago, Jtalk4456 said:

I don't really run any 32 bit programs, but as i said it didn't delete anyways, and it seemed to be a fake folder for the virus

It just alarmed me somewhat and I wanted you to be aware of the possible consequences if the legitimate SysWoW64 folder is deleted.

 

The next time it pops up, can you take a screenshot of resource monitor on the Disk tab, with the process selected and the "Disk Activity" dropdown open? This will allow us to see what files and folders are being accessed and possibly determine where it's launching from.

 


5 minutes ago, Tabs said:

It just alarmed me somewhat and wanted for you to be aware of the possible consequences if the legitimate SysWoW64 folder is deleted.

 

The next time it pops up, can you take a screenshot of resource monitor on the Disk tab, with the process selected and the "Disk Activity" dropdown open? This will allow us to see what files and folders are being accessed and possibly determine where it's launching from.

 

Fair enough. I'll try, but when I say it pops up once in a while I mean like maybe once a week...


To answer an earlier question, Windows Defender didn't catch a thing, and I tried Spybot Portable and it still found nothing.


Those are all pretty useless. Just get the Malwarebytes Premium trial and run a threat scan with rootkit detection enabled in settings.

 

You may need to do DISM and SFC after since you deleted system files.


On 7/7/2018 at 7:59 PM, Amazonsucks said:

Those are all pretty useless. Just get malwarebytes premium trial and run a threat scan with rootkit detection enabled in settings.

 

You may need to do DISM and SFC after since you deleted system files.

 

 

I'll give that a try. Again though, the program didn't remove the SysWOW64 folder or anything inside. I'll still do SFC to be safe, but I don't think that will change much. I haven't heard of DISM though. What is it and what does it do?


OK, so it finally happened again and I got multiple screenshots this time, and made sure to keep track of which file it pointed to.

It's still not in my program list, but it's in the Start Menu. If I right-click to uninstall, it takes me to the apps and programs list, which it is absent from. If I right-click -> More -> Open file location, it gives me the shortcut in the Start Menu as pictured below. In the last two pictures, I started Chromium from the Start Menu and checked Task Manager and found the file location there. I believe I deleted that last time and it came back, but I'm not too sure if I got that far. I've killed both processes now and am hoping someone here knows a way to kill it to make sure it's gone.

[Ten screenshots attached: the Start Menu shortcut, its file location, and the Task Manager entries for the running process; not reproduced here.]


I'd just reinstall Windows rather than dealing with such persistent malware. I don't know about you, but I have a separate storage drive for my files, which I don't touch when I reinstall Windows. I also keep my documents and such in OneDrive, and my Steam library is also on the storage drive, so when I reinstall Steam later, I can add the old library and it'll discover the games without having to download them all over.

 

I'll encourage you to also have a strategy where you assume you're going to format and reinstall at some point anyway, as well as being prepared for having a drive fail. I'll save you a headache, guaranteed.


21 minutes ago, Tosa said:

I'd just reinstall Windows rather than dealing with such persistent malware. I don't know about you, but I have a separate storage drive for my files, which I don't touch when I reinstall Windows. I also keep my documents and such in OneDrive, and my Steam library is also on the storage drive, so when I reinstall Steam later, I can add the old library and it'll discover the games without having to download them all over.

 

I'll encourage you to also have a strategy where you assume you're going to format and reinstall at some point anyway, as well as being prepared for having a drive fail. I'll save you a headache, guaranteed.

I plan on a strategy like that, but right now this is my only computer. With my work schedule it would take a day or two to get that done, and I'd have no PC in the meantime. Also, I'm trying to learn about security, so I want to know how to get rid of this guy. Currently it's not harming the PC in any way, just being an annoying bugger. If I can learn how to get rid of things like this, it will be more beneficial to me right now. I do have the files separated, but most of my Steam library is on the SSD.


2 minutes ago, Jtalk4456 said:

currently it's not harming the pc in any way

You probably have no idea what it's actually doing behind the scenes. For all we know, it might open up backdoors, participate in a botnet, steal your login credentials, banking details etc. And you'll never know for sure if it's completely gone, or if it came with a stealthy companion.


3 minutes ago, Tosa said:

You probably have no idea what it's actually doing behind the scenes. For all we know, it might open up backdoors, participate in a botnet, steal your login credentials, banking details etc. And you'll never know for sure if it's completely gone, or if it came with a stealthy companion.

Fair enough. Do you know how to get rid of it so I don't have to wipe the whole drive yet, though?


3 minutes ago, Jtalk4456 said:

Do you know how to get rid of it so I don't have to wipe the whole drive yet, though?

Maybe. If you can figure out where it keeps its files (mainly the .exe), you could live boot Ubuntu (for instance) from a USB, find the files there, and then there would be nothing stopping you from deleting these files. Linux completely ignores Windows' file permissions, and the malware doesn't run there, so it can't protect itself. Replacing the files with empty ones might also be an idea.


2 minutes ago, Tosa said:

Maybe. If you can figure out where it keeps its files (mainly the .exe), you could live boot Ubuntu (for instance) from a USB, find the files there, and then there would be nothing stopping you from deleting these files. Linux completely ignores Windows' file permissions, and the malware doesn't run there, so it can't protect itself. Replacing the files with empty ones might also be an idea.

Given the pics I posted, should it go away if I delete everything I found?


Idk if Malwarebytes covers this stuff now that they bought it out, but definitely try running AdwCleaner. Deals with PUPs like no tomorrow.


1 minute ago, Jtalk4456 said:

Given the pics I posted, should it go away if I delete everything I found?

I don't know. For all I know, it might have some way of restoring itself. One way to find out.

Oh, and make sure to back up your files. If it detects you tinkering with it, we don't know what it'll do.

 

Btw, Ubuntu will let you delete SysWOW64. Don't do that.


I have an app that may help a bit more than Windows' own Task Manager:
http://www.majorgeeks.com/files/details/system_explorer.html

 

Add Malwarebytes (with the Premium trial) to the mix, and you should be good to go. Use those 2 applications to monitor your system for a bit, and cut down most (if not all) of the rogue processes. Then, let Windows Defender take another shot, to redeem itself. If that doesn't kill everything, add AdwCleaner to the mix. If that doesn't do enough, check for any Restore Points you may have (which you should make sure you have, in case anything happens). If you don't have any, boot into Safe Mode and try to work from there until you can figure out what's going on. If you can't get anywhere from there, do a Refresh (not a full reset: keep files, lose apps). That is the last resort. If the Refresh isn't enough, copy your files to an external drive, get your Windows product key written somewhere safe, and nuke the drive. Re-install if you go this far, and I'll help you get up and running again if it comes to this point. PM me if you somehow get to this point. :|

 

TL;DR better hope you don't end up following through to the end of this post...


Thanks for all the help. I'll let you guys know what happens


50 minutes ago, Jtalk4456 said:

Thanks for all the help. I'll let you guys know what happens

I would also look at the Task Scheduler. In my experience, many of these newer infections don't install themselves like they used to, so they hide a scheduled task to start them instead of doing it themselves as an installed program. If you find something that looks weird and see it starting a bunch of executable files you don't know, you can disable it, delete the task, and dig into what it's executing during task execution.
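The reply above points at scheduled tasks, and earlier posts at the Run keys (the HijackThis "O4" lines) and the Start Menu shortcut the OP found. The script below is an added example, not code from the thread or from any tool named in it: a read-only survey of exactly those three autostart locations that flags entries whose target is missing, lacks a valid Authenticode signature, or lives in a user-writable directory. The list of suspect directories and the flag wording are my own choices. It changes nothing; review flagged rows before deleting anything.

```powershell
# Added example: survey Run/RunOnce keys, scheduled tasks and Start Menu
# shortcuts, and flag targets that are missing, unsigned, or in user-writable paths.
# Run from an elevated PowerShell prompt. Read-only.

# Directories a dropped executable typically lands in (assumption, adjust as needed).
$suspectRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData) | Where-Object { $_ }

function Get-TargetPath {
    # Extract the executable path from a command line such as
    #   "C:\Program Files\CCleaner\CCleaner64.exe" /AUTO
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) } else { return $null }
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')   # unquoted: up to the first .exe
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split ' ')[0]
}

function Test-Entry {
    # Emit one row describing an autostart entry and any flags it earned.
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $target = Get-TargetPath $CommandLine
    if (-not $target) { return }
    $flags = @()
    if (-not (Test-Path -LiteralPath $target)) {
        $flags += 'file missing'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $target
        if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
        foreach ($root in $suspectRoots) {
            if ($target.StartsWith($root, 'OrdinalIgnoreCase')) { $flags += 'user-writable location'; break }
        }
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Target = $target; Flags = ($flags -join '; ') }
}

$results = & {
    # 1. Run / RunOnce keys for the machine (64- and 32-bit views) and the current user.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $k = Get-Item -Path $key
        foreach ($name in $k.GetValueNames()) {
            Test-Entry -Source $key -Name $name -CommandLine ([string]$k.GetValue($name))
        }
    }

    # 2. Scheduled tasks: every enabled task's exec actions.
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
            $cmd = $action.Execute
            if ($action.Arguments) { $cmd += ' ' + $action.Arguments }
            Test-Entry -Source "Task $($task.TaskPath)$($task.TaskName)" -Name $task.TaskName -CommandLine $cmd
        }
    }

    # 3. Start Menu shortcuts (this includes the Startup folders) and what they point at.
    $shell = New-Object -ComObject WScript.Shell
    $lnkDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu", "$env:ProgramData\Microsoft\Windows\Start Menu")
    foreach ($dir in $lnkDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
            $sc = $shell.CreateShortcut($lnk.FullName)
            Test-Entry -Source $lnk.FullName -Name $lnk.BaseName -CommandLine ('"' + $sc.TargetPath + '"')
        }
    }
}

# Only the rows that earned a flag; everything else is ordinary autostart noise.
$results | Where-Object { $_.Flags } | Sort-Object Source | Format-Table -AutoSize -Wrap
```

Expect some benign hits: uninstalled software leaves "file missing" entries (the log above has several), and small vendors ship unsigned binaries. A target that is both unsigned and sitting under AppData or ProgramData, started by a task or shortcut you never created, is the combination worth pursuing.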


2 hours ago, Jtalk4456 said:

Fair enough. Do you know how to get rid of it so I don't have to wipe the whole drive yet, though?

Use Kaspersky Rescue Disk or, as @Tosa said, use a Linux Live USB; however, do not use the infected computer, as (unlikely but possible) it could infect a Linux distro also. If using the Live version, install clamav with

sudo apt-get update
sudo apt-get install clamav

and use it (Google is your guide) to scan the computer for any remains.

If you really did delete SysWoW64 you really should reinstall Windows, as it is a key folder; if you remove a bullet from a patient but accidentally remove the liver, the patient will still die.


1 hour ago, ScratchCat said:

do not use the infected computer as (unlikely but possible) it could infect a Linux distro also

Going by that logic, you should probably get rid of the entire computer, as the malware could theoretically have infected your BIOS, GPU firmware, the firmware of the hard drives and any USB devices connected. All possible, but very unlikely. I wouldn't worry.


On 7/9/2018 at 12:21 PM, Jtalk4456 said:

I'll give that a try. Again though, the program didn't remove the SysWOW64 folder or anything inside. I'll still do SFC to be safe, but I don't think that will change much. I haven't heard of DISM though. What is it and what does it do?

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows

 

It can do a lot of things. Repairing corrupted component stores is one of them.

 

Did you install the trial of Malwarebytes Premium and do the threat scan with rootkit detection enabled? A Hyper Scan won't be good enough. Do you have real-time protection on?

 

If the answers are yes, did it remove the malware but you got reinfected, or did MBAM not detect it at all?

 

If MBAM didn't get it at all, run this. Reboot if it tells you to.

 

https://www.malwarebytes.com/adwcleaner/

 

That almost certainly will obliterate it.

 

I've been considering writing a basic cybersecurity guide and posting it, but idk if it'll get stickied. I can always point to it when people have these issues rather than re-explain it, I guess.

 

Also run this after Adwcleaner.

 

https://www.f-secure.com/en_US/web/home_us/online-scanner

 

You should not be using normal task manager if you wanna get 1337 into cybersecurity either. Microsoft makes a much more advanced version called Process Explorer.

 

How to use: In File, select "Show Details for All Processes". In Options, turn on "Verify Image Signatures" and VirusTotal, and optionally enable unknown executable submission if you want VT to get samples of unknown processes.

 

It doesn't scan your processes with 60 different antiviruses, but compares the MD5 hash of the running processes against the VT (owned by Google) database, which does scan files with 60 different AV engines.

 

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

 

You'll be able to get much more detailed info using that.

 

DO NOT reinstall windows for something this simple. A nasty rootkit, sure, but this is probs just a low tech browser hijacker.

 

ALSO, something to check once you've cleaned all the malware.

 

Hit Windows key + R. Type gpedit.msc and it'll open your Group Policy Editor. Go to Computer Configuration, Administrative Templates, System.

 

In the right pane, double click: specify settings for optional component installation and component repair.

 

Set it to Enabled. Then enable the contact windows update option, so you can just repair using windows update easily. 

 

Then run DISM and sfc again if you like.

 

P.S. This is NOT persistent malware. Persistent malware gets in your firmware and you have to discard the whole device :P
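The Process Explorer advice above (verify image signatures, hash each running image and look the hash up on VirusTotal) can also be done from PowerShell with built-in cmdlets, which helps when the offending process only shows up for a minute once a week and you want a record to compare against later. The script below is an added example, not code from the thread or from Sysinternals: it lists each distinct executable behind the running processes with its Authenticode status, signer, MD5 and SHA256, and flags unsigned images, images in AppData/Temp/ProgramData, and anything inside System32 or SysWOW64 that is not Microsoft-signed (the OP's "html something" in SysWOW64 is exactly that case). Nothing is uploaded; the hashes are for you to search on VirusTotal by hand. The output CSV path is an assumption.

```powershell
# Added example: Process Explorer-style report of running images with
# signature status and hashes. Run elevated so that system process paths are readable.

function Get-ProcessImageReport {
    # One row per distinct executable image among the running processes.
    $groups = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Group-Object -Property Path

    foreach ($g in $groups) {
        $path = $g.Name
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        $flags = @()
        if ($status -ne 'Valid') { $flags += "signature: $status" }
        # Genuine images under System32/SysWOW64 are Microsoft-signed (directly or via catalog);
        # anything else living there deserves a closer look.
        if ($path -match '\\Windows\\(System32|SysWOW64)\\' -and $signer -notmatch 'O=Microsoft Corporation') {
            $flags += 'non-Microsoft image in a system directory'
        }
        if ($path -match '\\(AppData|Temp|ProgramData)\\') { $flags += 'user-writable location' }

        [pscustomobject]@{
            Name   = [IO.Path]::GetFileName($path)
            Path   = $path
            Pids   = ($g.Group.Id -join ',')
            Status = $status
            Signer = $signer
            MD5    = (Get-FileHash -Path $path -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            SHA256 = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            Flags  = ($flags -join '; ')
        }
    }
}

$report = Get-ProcessImageReport

# Flagged images first; paste a SHA256 into the VirusTotal search box to check it.
$report | Sort-Object { -not $_.Flags }, Name | Format-Table Name, Pids, Status, Flags, SHA256 -AutoSize

# Keep the full detail so the next time the window pops up you can diff against this snapshot
# (output path is an assumption; change it to taste).
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\process-images.csv" -NoTypeInformation
```

Run it once while the system is quiet and again the moment the rogue window appears; the image that is present only in the second snapshot, and whose hash is unknown or flagged on VirusTotal, is the one to hand to the persistence survey and to whichever cleaner you settle on.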
