Solved Malware/PUPs remaining on laptop

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

JoshKing320

Thread Starter
Joined
Jul 10, 2021
Messages
38
I had recently cleaned a computer on this site (HP Pavilion x360) and got rid of any PUPs and malware that could have been on my laptop. While looking at the logs that I was sending here I noticed that a lot of the bad stuff was coming from Google Chrome and I am suspecting my search engines. I had also recently gone to Microsoft Defender and removed any viruses that I could find on the scan (had to remove a lot of backdoors), then reset my PC (deleted all the partitions) and scanned again and removed any remaining backdoor. I now want to know if I still have any remaining PUPs or if I still have any malware remaining.

(For this laptop I have not signed in to a Microsoft account, as I did not select a Wi-Fi network and just made a local account to be cautious, so if you want me to sign into my Microsoft account then I will. I also have not turned on Google sync.)
 


DR.M

Malware Specialist
Joined
Sep 4, 2019
Messages
2,235
Hi, JoshKing.

Thanks.

I will review your logs about this computer too, within the day.
 

DR.M

Malware Specialist
Joined
Sep 4, 2019
Messages
2,235
Hi, JoshKing.

1. Remove a Chrome extension
  • Open Chrome.
  • At the top right choose More (the three vertical dots) > More Tools > Extensions
  • Find Chromium browser automation, and remove it, clicking on Remove.
  • Confirm the action by clicking Remove once again.

2. Search files
  • Double-click FRST.exe/FRST64.exe to run it.
  • Copy and paste the following into the Search box:
Code:
svcthost.exe;svc.exe;IconLib.dll;AnyDesk
  • Press the Search Files button.
  • When complete, FRST will generate a log, named Search.txt, in the same location it was run from.
  • Please copy and paste its contents into your reply.
 

JoshKing320

Thread Starter
Joined
Jul 10, 2021
Messages
38
Farbar Recovery Scan Tool (x64) Version: 14-07-2021
Ran by Swabhav (17-07-2021 14:26:34)
Running from C:\Users\Swabhav\Desktop
Boot Mode: Normal

================== Search Files: "svcthost.exe;svc.exe;IconLib.dll;AnyDesk" =============

C:\Users\Swabhav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IconLib.dll
[2021-07-09 20:17][2021-07-09 20:17] 000060928 _____ () 45ECAF5E82DA876240F9BE946923406C [File not signed]


====== End of Search =====
 

DR.M

Malware Specialist
Joined
Sep 4, 2019
Messages
2,235
Thanks, JoshKing.

Moving on.

1. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
FirewallRules: [TCP Query User{67055646-0A55-4EB9-92F6-6B96C9D93CD7}C:\users\swabhav\downloads\anydesk.exe] => (Allow) C:\users\swabhav\downloads\anydesk.exe => No File
FirewallRules: [UDP Query User{AF331F82-F060-444E-8623-844D22FD64D7}C:\users\swabhav\downloads\anydesk.exe] => (Allow) C:\users\swabhav\downloads\anydesk.exe => No File
HKU\S-1-5-21-2982190313-1709672991-345903074-1001\...\MountPoints2: {1916196f-e13f-11eb-9f7f-806e6f6e6963} - "E:\autostart.exe"
CHR HomePage: Default -> hxxp://search.startnow.com/s/?src=startpage&provider=&provider_name=startnow&provider_code=&partner_id=999&product_id=10&affiliate_id=&channel=&toolbar_id=&toolbar_version=&install_country=&install_date=20130322&user_guid=&machine_id=cedaaf15c1b1230ab7c5c3dc07bd7e13&browser=CR&os=win&os_version=6.1-x64-SP1
CHR StartupUrls: Default -> "hxxp://search.startnow.com/s/?src=startpage&provider=&provider_name=startnow&provider_code=&partner_id=999&product_id=10&affiliate_id=&channel=&toolbar_id=&toolbar_version=&install_country=&install_date=20130322&user_guid=&machine_id=cedaaf15c1b1230ab7c5c3dc07bd7e13&browser=CR&os=win&os_version=6.1-x64-SP1","hxxps://www.google.com/","hxxps://www.google.com/","hxxp://www.msn.com/?pc=UP97&ocid=UP97DHP"
C:\Users\Swabhav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcthost.exe
C:\Users\Swabhav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe
C:\Users\Swabhav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IconLib.dll
[2021-07-09 20:17][2021-07-09 20:17] 000060928 _____ () 45ECAF5E82DA876240F9BE946923406C [File not signed]
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

2. Run AdwCleaner (Scan mode)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

3. Run Malwarebytes (Scan mode)
  • Download Malwarebytes and save it to your Desktop.
  • Once downloaded, close all programs and windows on your computer.
  • Double-click on the icon on your desktop named MBSetup.exe. This will start the installation of MBAM onto your computer.
  • Follow the instructions to install the program.
  • When finished, double click the program's icon created on your Desktop.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the two last steps below.

If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

In your next reply, please post:
  1. The fixlog.txt
  2. The AdwCleaner[S0*].txt
  3. The Malwarebytes report
 

JoshKing320

Thread Starter
Joined
Jul 10, 2021
Messages
38
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/18/21
Scan Time: 8:26 PM
Log File: 0ff8d9e8-e841-11eb-b050-3863bba24ffd.json

-Software Information-
Version: 4.4.3.125
Components Version: 1.0.1387
Update Package Version: 1.0.43253
License: Trial

-System Information-
OS: Windows 10 (Build 19043.928)
CPU: x64
File System: NTFS
User: DESKTOP-8MU8VLE\Swabhav

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 278359
Threats Detected: 8
Threats Quarantined: 0
Time Elapsed: 10 min, 17 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 3
Backdoor.NanoCore.StolenData.Generic, C:\Users\Swabhav\AppData\Roaming\38BFF72E-C58E-4A63-8049-32E2DC7DF35F\Logs\Swabhav, No Action By User, 3867, 677862, , , , , ,
Backdoor.NanoCore.StolenData.Generic, C:\Users\Swabhav\AppData\Roaming\38BFF72E-C58E-4A63-8049-32E2DC7DF35F\Logs, No Action By User, 3867, 677862, , , , , ,
Backdoor.NanoCore.StolenData.Generic, C:\USERS\SWABHAV\APPDATA\ROAMING\38BFF72E-C58E-4A63-8049-32E2DC7DF35F, No Action By User, 3867, 677862, 1.0.43253, , ame, , ,

File: 5
Backdoor.NanoCore.StolenData.Generic, C:\USERS\SWABHAV\APPDATA\ROAMING\38BFF72E-C58E-4A63-8049-32E2DC7DF35F\run.dat, No Action By User, 3867, 677862, 1.0.43253, , ame, , 0B4A522B5B55CE3863ADFB83FB6AC262, EE5AB23086689A02B5E0C6E276AE7FA2B0FE7F20614F114FE35F2C5C2C204634
Backdoor.NanoCore.StolenData.Generic, C:\Users\Swabhav\AppData\Roaming\38BFF72E-C58E-4A63-8049-32E2DC7DF35F\Logs\Swabhav\KB_3623859.dat, No Action By User, 3867, 677862, , , , , ADC0F924B6081DFDEAC0DB7261AAE16B, A3A3AED595E136164F644DC28F262875A9124421464404E0B95F4EFFD3F9D94A
Backdoor.NanoCore.StolenData.Generic, C:\Users\Swabhav\AppData\Roaming\38BFF72E-C58E-4A63-8049-32E2DC7DF35F\catalog.dat, No Action By User, 3867, 677862, , , , , 9E7D0351E4DF94A9B0BADCEB6A9DB963, AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
Backdoor.NanoCore.StolenData.Generic, C:\Users\Swabhav\AppData\Roaming\38BFF72E-C58E-4A63-8049-32E2DC7DF35F\settings.bin, No Action By User, 3867, 677862, , , , , 4E5E92E2369688041CC82EF9650EDED2, F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
Backdoor.NanoCore.StolenData.Generic, C:\Users\Swabhav\AppData\Roaming\38BFF72E-C58E-4A63-8049-32E2DC7DF35F\storage.dat, No Action By User, 3867, 677862, , , , , 653DDDCB6C89F6EC51F3DDC0053C5914, 83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
 

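The FRST Search.txt posted earlier and the Malwarebytes report above both list files with hashes and, for FRST, Authenticode status. The script below is an added example, not the posters' or the tools' own code: it parses both layouts into one IOC list, groups hits by detection name, and counts what is still on disk (a Malwarebytes report showing "No Action By User" on every line and "Threats Quarantined: 0" means nothing was removed yet). Every sample log line, path and hash in it is constructed, the hashes are generated with hashlib so they are not real malware hashes, and the helper names are my own.

```python
"""Parse an FRST Search.txt and a Malwarebytes report into one IOC list (added example)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Optional


def _fake_hashes(label: str) -> tuple[str, str]:
    """Constructed (MD5, SHA256) pair of the right length for the sample logs."""
    data = label.encode()
    return hashlib.md5(data).hexdigest().upper(), hashlib.sha256(data).hexdigest().upper()


MD5_DLL, _ = _fake_hashes("IconLib.dll")
MD5_HELPER, _ = _fake_hashes("helper.exe")
MD5_RUN, SHA_RUN = _fake_hashes("run.dat")
MD5_BUNDLE, SHA_BUNDLE = _fake_hashes("bundle.exe")

# Constructed FRST "Search Files" output in the layout of the thread's Search.txt.
# The "[File is signed]" wording on the second hit is an assumption; the parser only keys on "not signed".
FRST_SAMPLE = rf"""Farbar Recovery Scan Tool (x64) Version: 14-07-2021
Ran by User (17-07-2021 14:26:34)

================== Search Files: "svcthost.exe;svc.exe;IconLib.dll;AnyDesk" =============

C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IconLib.dll
[2021-07-09 20:17][2021-07-09 20:17] 000060928 _____ () {MD5_DLL} [File not signed]

C:\Program Files\Example\helper.exe
[2021-01-01 10:00][2021-01-01 10:00] 000123456 _____ (Example Corp) {MD5_HELPER} [File is signed]

====== End of Search =====
"""

# Constructed Malwarebytes report fragment in the layout of the thread's report.
MBAM_SAMPLE = rf"""-Scan Details-
Process: 0
(No malicious items detected)

Folder: 1
Backdoor.Example.Generic, C:\Users\User\AppData\Roaming\DEADBEEF-0000-4000-8000-000000000000, No Action By User, 1111, 222222, 1.0.0, , ame, , ,

File: 2
Backdoor.Example.Generic, C:\Users\User\AppData\Roaming\DEADBEEF-0000-4000-8000-000000000000\run.dat, No Action By User, 1111, 222222, 1.0.0, , ame, , {MD5_RUN}, {SHA_RUN}
PUP.Optional.Example, C:\Users\User\Downloads\bundle.exe, Quarantined, 3333, 444444, 1.0.0, , ame, , {MD5_BUNDLE}, {SHA_BUNDLE}

(end)
"""


@dataclass
class Ioc:
    source: str                    # "frst" or "mbam"
    detection: str                 # MBAM detection name, or "search-hit" for FRST
    path: str
    action: str = ""               # MBAM action column ("No Action By User", "Quarantined", ...)
    md5: str = ""
    sha256: str = ""
    signed: Optional[bool] = None  # only FRST reports Authenticode status


WIN_PATH = re.compile(r"^[A-Za-z]:\\")
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
HEX64 = re.compile(r"[0-9A-Fa-f]{64}")
# FRST attribute line: [created][modified] size attrs (company) MD5 [signature status]
FRST_ATTR = re.compile(
    r"^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\]\s+(?P<size>\d+)\s+\S+\s+"
    r"\((?P<company>[^)]*)\)\s+(?P<md5>[0-9A-Fa-f]{32})\s+\[(?P<sig>[^\]]+)\]"
)


def parse_frst_search(text: str) -> list[Ioc]:
    """Each FRST hit is a path line followed by an attribute line; pair them up."""
    lines = text.splitlines()
    hits = []
    for i, line in enumerate(lines[:-1]):
        if not WIN_PATH.match(line):
            continue
        m = FRST_ATTR.match(lines[i + 1].strip())
        if m is None:
            continue
        hits.append(Ioc(source="frst", detection="search-hit", path=line.strip(),
                        md5=m["md5"].upper(), signed="not signed" not in m["sig"].lower()))
    return hits


def parse_mbam_report(text: str) -> list[Ioc]:
    """MBAM detail lines are comma-separated: name, path, action, ..., MD5, SHA256."""
    hits = []
    in_details = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-Scan Details-":
            in_details = True
            continue
        if line == "(end)":
            break
        if not in_details:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or not WIN_PATH.match(fields[1]):
            continue  # category headers, "(No malicious items detected)", blank lines
        md5 = fields[9].upper() if len(fields) > 9 and HEX32.fullmatch(fields[9]) else ""
        sha256 = fields[10].upper() if len(fields) > 10 and HEX64.fullmatch(fields[10]) else ""
        hits.append(Ioc(source="mbam", detection=fields[0], path=fields[1],
                        action=fields[2], md5=md5, sha256=sha256))
    return hits


def summarize(iocs: list[Ioc]) -> dict[str, dict]:
    """Group by detection: distinct paths, distinct hashes, and hits still on disk."""
    out: dict[str, dict] = {}
    for ioc in iocs:
        e = out.setdefault(ioc.detection, {"paths": set(), "hashes": set(), "still_present": 0})
        e["paths"].add(ioc.path)
        e["hashes"].update(h for h in (ioc.md5, ioc.sha256) if h)
        # FRST search hits exist right now; MBAM hits remain unless the action removed them.
        if ioc.source == "frst" or ioc.action.startswith("No Action"):
            e["still_present"] += 1
    return out


def unsigned_startup_items(iocs: list[Ioc]) -> list[str]:
    """Unsigned FRST hits inside a Startup folder: the persistence pattern seen in this thread."""
    return [i.path for i in iocs
            if i.source == "frst" and i.signed is False and "\\Startup\\" in i.path]


if __name__ == "__main__":
    found = parse_frst_search(FRST_SAMPLE) + parse_mbam_report(MBAM_SAMPLE)
    for name, e in summarize(found).items():
        print(f"{name}: {len(e['paths'])} path(s), {len(e['hashes'])} hash(es), "
              f"{e['still_present']} still present")
    print("unsigned Startup items:", unsigned_startup_items(found))
```

Run it as a script to see the per-detection summary; to use it on real logs, read Search.txt and the exported Malwarebytes report into the two parser functions instead of the constructed samples. The signature flag relies on FRST's "[File not signed]" marker, so an attribute line in a format this regex does not recognise is skipped rather than guessed.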

DR.M

Malware Specialist
Joined
Sep 4, 2019
Messages
2,235
Hi, JoshKing.

Things here are serious. A backdoor infection has been detected in the computer. Specifically, Backdoor.NanoCore is a Trojan capable of gathering information from Windows systems as a remote access tool (RAT). In most cases, this malware is proliferated using spam email campaigns. Criminals send thousands of deceptive emails that contain malicious attachments. Once opened, these files immediately infect computers with viruses such as NanoCore. The presence of this malware can cause serious issues, since the malware distributor gains remote access to the infected system.

More info here:
NanoCore: Backdoor.NanoCore | Malwarebytes Labs | Detections
NANOCORE Malware Information (trendmicro.com)

Recommendations:
  • Disconnect this PC from the Internet immediately.
  • If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable.
  • Contact those financial institutions to apprise them of your situation.
Although the infection has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. The choices are two:

a) Clean this machine but I can't guarantee that it will be 100% secure afterwards, and
b) Reinstall your Windows OS.

Let me know what you decide to do.
 

JoshKing320

Thread Starter
Joined
Jul 10, 2021
Messages
38
Thank you for identifying the problem. My question is: can I just throw away the laptop, or do I have to sign out from anything that was on my laptop? And does this mean my other devices on my laptop are infected, or is it simply just on this laptop?
 

JoshKing320

Thread Starter
Joined
Jul 10, 2021
Messages
38
As I had previously reset my PC, deleted all the partitions and reinstalled the Windows OS, maybe the virus is stuck on my laptop, so I might as well not use it anymore.
 

JoshKing320

Thread Starter
Joined
Jul 10, 2021
Messages
38
Also, I couldn't reset my PC before, so I had to get a flash drive and download the Windows reinstallation onto that flash drive. So maybe I also downloaded NanoCore onto that flash drive.
 

DR.M

Malware Specialist
Joined
Sep 4, 2019
Messages
2,235
Hi, JoshKing.

My question is: can I just throw away the laptop, or do I have to sign out from anything that was on my laptop? And does this mean my other devices on my laptop are infected, or is it simply just on this laptop? As I had previously reset my PC, deleted all the partitions and reinstalled the Windows OS, maybe the virus is stuck on my laptop, so I might as well not use it anymore.
I'm not sure if I understood you.

Throw away the laptop? Of course not. You have these two options:

1. Let me clean it. As I said, the infection can be killed, but I had to tell you about the backdoor behavior.
2. Make a clean re-install of Windows.

In any case, you have to change passwords of any account used on this computer, using a clean computer.

Question: You mean you reset this specific computer and this is the result after the reset?

The first thing you need to do now, is relax and make a decision. When you take this decision, I can guide you about anything else. :)
 

JoshKing320

Thread Starter
Joined
Jul 10, 2021
Messages
38
To clarify what I meant: I am using 2 laptops, and the laptop that has malware is the one that I thought was broken a couple of years ago, so I bought a new one (the one you cleaned). Then recently I found out that I can just plug in a wireless adapter to the broken one and still use it. However, now that I found out that my laptop is compromised, I might as well not use the laptop that is currently being cleaned.

To answer the question. I had reset my pc, deleted all the partitions, and reinstalled windows and result is my current situation.

Another question is can this backdoor affect my other devices on this internet.
 

DR.M

Malware Specialist
Joined
Sep 4, 2019
Messages
2,235
Another question is can this backdoor affect my other devices on this internet.
As far as I am concerned, no. But if you used external drives (e.g. a USB drive) in this computer, it is possible for them to get infected, and so on. As for the other computer we cleaned recently, there was no such infection in it.

I had reset my pc, deleted all the partitions, and reinstalled windows and result is my current situation.
Clean install and reset are not the same thing. However, you said that you deleted the partitions, so this counts as a clean install. I think that after the clean install the computer was used. It doesn't matter if it was used for months or a few hours. I don't believe that this is the result right after the clean install, anyway.

So... how do we continue?
 

JoshKing320

Thread Starter
Joined
Jul 10, 2021
Messages
38
1. I recently got a new Netgear wireless adapter and plugged it into both my cleaned laptop and the laptop with NanoCore. Will there be any problems on my cleaned laptop?

2. I actually do not mind not using the infected laptop as the hardware is already a problem (I believe as it is hard to shutdown and very slow as well as loud noises.) My only concern now is the passwords which I am currently trying to reset.

3. I do not really know how to continue, as I do not really want to use that laptop anymore. So my question to you is: what should I do if I do not want to use the infected laptop anymore? Do I still clean and not use it, or do I just not associate myself with the laptop anymore?
 

DR.M

Malware Specialist
Joined
Sep 4, 2019
Messages
2,235
1. I recently got a new Netgear wireless adapter and plugged it into both my cleaned laptop and the laptop with NanoCore. Will there be any problems on my cleaned laptop?
As I already told you, the new laptop is clean. So no worries about it now.

2. I actually do not mind not using the infected laptop as the hardware is already a problem (I believe as it is hard to shutdown and very slow as well as loud noises.) My only concern now is the passwords which I am currently trying to reset.
Yes, the passwords have to be changed. As for the laptop, it is infected. That's why it is slow etc.

3. I do not really know how to continue, as I do not really want to use that laptop anymore. So my question to you is: what should I do if I do not want to use the infected laptop anymore? Do I still clean and not use it, or do I just not associate myself with the laptop anymore?
Since there is nothing important in it, and since you are worried about it, you can do a clean install of the operating system, and then provide fresh FRST logs here. If all is clean, I don't see a reason why not to use the computer.

Instructions about clean install:

How to do a Clean Install of Windows 10 the Easy Way (howtogeek.com)

See the first method, install Windows from scratch. When you reach the partition step, select all the partitions and delete them (not just format them).
 