Malware that won't go away (text file included)

pjmcguirk85 · 18 Sep 2017

I have this malware that keeps saying Windows has an update and I foolishly went to click it because it looked official and Malwarebytes blocked access. I can't find the program anywhere in Revo Uninstaller but I do have the log of what Malwarebytes blocked that I saved to a text file.

This program is so mysterious and I'm having trouble. I did delete some .exe called BIGUBIK or something along those lines from the computer because User Account Control asked if I want to run that program when I clicked OK on this updater thing. But the pop up still comes up and it makes it so I can't click X and it shows up over any other program so the only way to deal with it is to click OK. Fortunately it doesn't do anything because it gets blocked. My nephew installed some crap with some Teamspeak like service against my wishes and I think he put it on there. Any help? I'm assuming this mshta.exe that shows up is the culprit.

chromium text.txt

Caledon Ken · 18 Sep 2017

Hi pjmcquirk85

Have you launched a full Malwarebytes scan. Please ensure root kits is selected.

I would also try their other procdut ADWCleaner.

https://www.malwarebytes.com/adwcleaner/

Some of these products will work better from Safe Mode. Please access through the Advance Startup Options.

Easiest way to start, hold shift key down and click restart.

Boot to Advanced Startup Options in Windows 10

In future provide nephew with a Standard account and do not supply admin password.

Good luck

Ken

Samuria · 18 Sep 2017

Look in username/appears/local and any folders below you should find a file setup.log it's the problem then note the time the pop happens and check scheduled task for that time that's what starts it

pjmcguirk85 · 21 Sep 2017

Ok guys thanks. I'll try both those things.

Caledon Ken · 21 Sep 2017

I assume no joy.

Sounds like you might have something in your registry that is kicking it off.

If you download and run autoruns you maybe able to find it. I say maybe as it is going to show you a ton of info.

With autoruns you have the power to seriously mess up Windows but no harm looking.

https://docs.microsoft.com/en-us/sys...loads/autoruns

Before deleting or disabling anything please ensure you have a restore point. I also strongly recommend you create an Image with a tool like Macrium Reflect and finally have bootable media so you can start windows. Simplest way to get is to type Recovery Drive in Cortana and start app. USB key size could be between 4GB and 16GB. If you start app with no key installed it will tell you key size you need. Cancel app, buy key and start again. If it asks should you delete recovery partition the answer is No.

Backup and Restore with Macrium Reflect

Ken

pjmcguirk85 · 05 Oct 2017

Samuria said:

Look in username/appears/local and any folders below you should find a file setup.log it's the problem then note the time the pop happens and check scheduled task for that time that's what starts it

I did just that using task manager when the thing popped up again. It was an appdata local folder and it had a setup.log in it. It didn't show up under scheduled tasks but I don't quite know how to navigate scheduled tasks. I'll keep you posted. Is it ok to DM you on here if it pops up again?

Thanks

Caledon Ken · 05 Oct 2017

When you open task manager go to the top item in the navigation pane, very left. Click on it.

In the right Window in the section labelled Task Status you will see a drop down, likely with the words "Last 24 Hours". Switch to last hour right after you see it. Shouldn't be more than one or two.

Ken

FreeBooter · 06 Oct 2017

Please open the Command Prompt as a administrator and type following command:

Code:

cd /

dir /s /a /b chdrm.com | Clip

When Dir command finish executing right click your next post and select Paste this will paste the Windows clipboard to your next post. Please post the result of dir command.