Solved Two Malware keep coming back

ronakb

Thread Starter
Joined
Jun 18, 2020
Messages
15
I used MalwareBytes as suggested by many people online to remove the malware before. However there are two types which keep coming back right after I remove them. One is named Adware.Elex.ShrtCln and the other one is PUP.Optional.QuickSearcher.ChrPRST. There is no apparent hindrance in regular PC usage because of these but I would like to remove them as they seem to increase in number if not removed regularly. I am attaching the log of a recent MalwareBytes cleanup I performed. I am using Windows 10 OS.
 


DR.M

Malware Trainee
Joined
Sep 4, 2019
Messages
383
Hello, ronakb.

Welcome to TSG.

I am DR M and I will be assisting you with your computer's issues. I am still in training and my fixes have to be approved by my instructor, so there may be a slight delay in my replies. Look at it as a good thing though, since you will have two people looking at your problem.

Adhere to the guidelines below, and then carefully follow, with the same order, all the instructions after:

1. You have to reply to my posts within four days. If you need some additional time, just let me know. If I don't get any reply from you within these four days, the topic will be closed. You can send me a PM if you still want help, after this period of time.

2. Always ask before you act! Do not continue if you are not sure, or if something unexpected happens!

3. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

4. Please, copy all the content of the required logs and paste it inside your post. Do not attach any log or other file, unless directed otherwise.

5. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs. I will be with you, as far as I can.

====================================================

Let's start now.

Download Farbar Recovery Scan Tool and save it to your desktop. --> IMPORTANT

If your antivirus software detects the tool as malicious, it’s safe to allow FRST to run. It is a false-positive detection.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please copy and paste the content of these two logs in your next reply.
 

ronakb

hey! Unable to copy the data on the reply as each message exceeds the character limit of the reply. What should I do?
 

DR.M

In that case, you can attach them.

Press the Attach files button and attach them.

Thank you.
 

ronakb

Hey! Just checking in. How much time on average would be required to check the logs? Not being impatient, but I want to be able to use my laptop and I am afraid of doing further damage due to the malware. Just want to know the approximate time that you might need.

Thank you!
 

DR.M

Hi!

I understand that you want to use the computer and I'm doing my best to check your logs right now.

Meanwhile, you can use the computer, but not download anything or run any tools to fix it.
 

DR.M

Hi, ronakb.

I’m sorry for the delay.

The logs indicate a non-legal activity to use some programs. My fix will remove this activity, meaning that you will lose access to the pirated/cracked programs. Tell me if you agree with that, so the cleaning process will continue. Otherwise, I will close the topic here.
 

ronakb

Yes, I am fine with that. I can uninstall the program if you want me to
 

DR.M

If you do uninstall them, it would be to your computer’s benefit.

In case you uninstall the programs and/or remove the method to keep them activated, I will need fresh FRST logs (FRST and Addition).

Thank you.
 

ronakb

In that case, I think I would remove the program after the fix...
 

DR.M

Hi, ronakb.

We apologize for the delay.

1. Proxies

Do you use or recognize these proxies, which appeared in your logs?

ProxyServer: [S-1-5-21-967612687-317417442-2657877818-1002] => http=127.0.0.1:58578;https=127.0.0.1:58578;socks=127.0.0.1:58577
ProxyServer: [S-1-5-21-967612687-317417442-2657877818-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-06182020150614874] => http=127.0.0.1:58578;https=127.0.0.1:58578;socks=127.0.0.1:58577

2. Hosts file intervention

You have many entries in the Hosts file. This indicates a non-legal activity to use some programs. My fix at a later step will remove those entries from the Hosts file, meaning that you will lose access to them.

3. Remove unwanted programs

You have an out-of-date version installed on your computer. If you really want it, you should download the newest version from here, after the cleaning procedure.
  • Press the Windows key together with the R key on the keyboard at the same time, to open the Control Panel.
  • Type appwiz.cpl in the window that opens and click OK.
  • In the list of programs look for Java 8 Update 191, right-click the entry and click Uninstall.
  • Restart if you are asked to.
Do the same for the following:

Code:
BlueStacks App Player
McAfee WebAdvisor
  • After restarting, use the McAfee removal tool, and follow the instructions to uninstall its remnants.

4. Remove Chrome extensions

1. Open Chrome.
2. At the top right choose More (the three vertical dots) > More Tools > Extensions
3. Find McAfee® WebAdvisor, and remove it, clicking on Remove.
4. Confirm the action by clicking Remove once again.

Do the same, for all the Chrome profiles you have (Default, Profile1, Profile2).

5. Run FRST again.
  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please copy and paste the content of these two logs in your next reply.
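
The ProxyServer lines quoted in the post above point every protocol at 127.0.0.1, so the traffic is being handed to a program listening on the same PC, and the thing to establish is which program owns those ports. As an added example that is not part of the original post and is not FRST's own code, this parses such log lines and lists the local ports to look up; the function names and the second and third sample lines are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: line 1 is quoted in the thread; lines 2-3 are made up to
# show the other shapes a Windows ProxyServer value can take.
SAMPLE_LINES = [
    "ProxyServer: [S-1-5-21-967612687-317417442-2657877818-1002] => "
    "http=127.0.0.1:58578;https=127.0.0.1:58578;socks=127.0.0.1:58577",
    "ProxyServer: [S-1-5-21-0-0-0-1001] => proxy.example.test:8080",
    "ProxyServer: [S-1-5-21-0-0-0-1001] => http=localhost:8888",
]
LINE_RE = re.compile(r"^ProxyServer:\s*\[(?P<owner>[^\]]+)\]\s*=>\s*(?P<value>.+)$")

def is_loopback(host):
    """True for 'localhost' and loopback IP literals (127.0.0.0/8, ::1)."""
    host = host.strip("[]").lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # some other DNS name: not decidable without resolving it

def parse_proxy_line(line):
    """Return (owner, entries) for a ProxyServer log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entries = []
    for part in filter(None, (p.strip() for p in m.group("value").split(";"))):
        # "scheme=host:port" is per protocol; a bare "host:port" covers all.
        scheme, sep, endpoint = part.partition("=")
        if not sep:
            scheme, endpoint = "all", part
        host, colon, port = endpoint.rpartition(":")
        if not colon or not port.isdigit():
            host, port = endpoint, None  # no explicit port given
        entries.append({"scheme": scheme.lower(), "host": host,
                        "port": int(port) if port else None,
                        "loopback": is_loopback(host)})
    return m.group("owner"), entries

def loopback_ports(lines):
    """Sorted local ports that some process on the machine must be serving."""
    parsed = filter(None, map(parse_proxy_line, lines))
    return sorted({e["port"] for _, es in parsed for e in es
                   if e["loopback"] and e["port"] is not None})
```

On the affected Windows machine, `netstat -ano` shows the PID listening on each returned port, which can then be matched to a program in Task Manager.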
 

ronakb

1. I do use Psiphon VPN sometimes. So maybe it's because of that
2. I have uninstalled any pirated programs that I knew of.
3. I kept BlueStacks and uninstalled the other two
4. Done
5. Attached the logs here
 


DR.M

Hi, ronakb.

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
start::
createrestorepoint:
closeprocesses:
AlternateDataStreams: C:\ProgramData:iSpring Solutions [128]
AlternateDataStreams: C:\Users\All Users:iSpring Solutions [128]
AlternateDataStreams: C:\ProgramData\Application Data:iSpring Solutions [128]
AlternateDataStreams: C:\Users\Public\AppData:CSM [468]
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [482]
AlternateDataStreams: C:\Users\ronak\Application Data:fbd50e2f7662a5c33287ddc6e65ab5a1 [394]
AlternateDataStreams: C:\Users\ronak\Application Data:iSpring Solutions [128]
AlternateDataStreams: C:\Users\ronak\AppData\Roaming:fbd50e2f7662a5c33287ddc6e65ab5a1 [394]
AlternateDataStreams: C:\Users\ronak\AppData\Roaming:iSpring Solutions [128]
HKU\S-1-5-21-967612687-317417442-2657877818-1002\Software\Classes\.scr: EAGLESCR =>  <==== ATTENTION
FirewallRules: [UDP Query User{9A5EA710-BCD1-4085-9842-F8FD71ED88BD}C:\program files\v-rep3\v-rep_pro_edu\rcsserver.exe] => (Allow) C:\program files\v-rep3\v-rep_pro_edu\rcsserver.exe => No File
FirewallRules: [TCP Query User{61D1D00C-7B07-4EDD-9A89-B467E370D90F}C:\program files\v-rep3\v-rep_pro_edu\rcsserver.exe] => (Allow) C:\program files\v-rep3\v-rep_pro_edu\rcsserver.exe => No File
FirewallRules: [UDP Query User{D71FD7C5-F6ED-4563-BEDC-85510CB838CF}C:\program files\v-rep3\v-rep_pro_edu\vrep.exe] => (Allow) C:\program files\v-rep3\v-rep_pro_edu\vrep.exe => No File
FirewallRules: [TCP Query User{574DB7EE-0FC2-4347-AAB7-3C72AEB9BFE5}C:\program files\v-rep3\v-rep_pro_edu\vrep.exe] => (Allow) C:\program files\v-rep3\v-rep_pro_edu\vrep.exe => No File
FirewallRules: [{018A1ADC-00A0-4BF2-BCBB-6E6515E6750B}] => (Allow) G:\Grand Theft Auto V\GTA5.exe => No File
FirewallRules: [{4861E3F2-3875-451A-985A-4CB9C81CEC97}] => (Allow) G:\Grand Theft Auto V\GTA5.exe => No File
FirewallRules: [{0AA5F0D6-EDBC-47B6-9AAC-91A4E3356B88}] => (Allow) C:\Program Files (x86)\Common Files\Mcafee\MMSSHost\MMSSHost.exe => No File
FirewallRules: [{5F79000E-0C12-4592-869B-C80145592D5D}] => (Allow) C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHost.exe => No File
FirewallRules: [{A959F09A-D03C-47D5-97C8-28018BB1243A}] => (Allow) F:\Grand Theft Auto V\GTA5.exe => No File
FirewallRules: [{922A251D-4AC0-4A44-9810-26B642C4DC85}] => (Allow) F:\Grand Theft Auto V\GTA5.exe => No File
FirewallRules: [{1D305C9D-B499-41ED-A95C-113C6D4127B9}] => (Allow) D:\Program Files\Nox\bin\Nox.exe => No File
FirewallRules: [{FD3DD8D1-F30C-44B9-869D-547BE02BF49A}] => (Allow) C:\Program Files (x86)\Bignox\BigNoxVM\RT\NoxVMHandle.exe => No File
HKU\S-1-5-21-967612687-317417442-2657877818-1002\...\Policies\Explorer: [] 
Task: {FEF3C79D-4AB6-46A2-AD7D-C9AA3B377C92} - System32\Tasks\App Explorer => C:\Users\ronak\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe [7499944 2020-05-13] (SweetLabs Inc. -> SweetLabs, Inc) <==== ATTENTION
SearchScopes: HKU\S-1-5-21-967612687-317417442-2657877818-1002 -> DefaultScope {213A0E1F-19B8-4255-9C97-20F8695A8C2B} URL = 
SearchScopes: HKU\S-1-5-21-967612687-317417442-2657877818-1002 -> {213A0E1F-19B8-4255-9C97-20F8695A8C2B} URL = 
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll No File
R2 McAfee WebAdvisor; C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe [905472 2019-08-23] (McAfee, LLC -> McAfee, Inc.)
S3 McSecDashboardService; C:\Program Files\McAfeeDashboard\McSecDashboardService.exe [1270536 2019-02-26] (McAfee, Inc. -> McAfee, Inc.)
S3 EasyAntiCheat; C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe [X]
C:\ProgramData\McAfee
C:\program files\v-rep3
C:\Program Files (x86)\Common Files\Mcafee
C:\Program Files (x86)\Bignox
C:\Users\ronak\AppData\Local\Host App Service
c:\PROGRA~2\mcafee
C:\Program Files\McAfee
C:\Program Files\McAfeeDashboard
C:\Program Files (x86)\EasyAntiCheat
hosts:
emptytemp:
end::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.
 
