Windows 10: Infected by mail.ru virus

Discussion in 'AntiVirus, Firewalls and System Security' started by cookies1, Jan 22, 2017.

  1. Infected by mail.ru virus


    cookies1,

    First, follow up with the Zemana instructions:
    How to remove Mail.ru (Chrome, Firefox, IE, Edge)

    Also, try clearing browsing data:
    Clear browsing data - Computer - Chromebook Help

    Next, please run Malwarebytes Anti-Malware in Safe Mode:

    Hold down the Shift key while clicking on Power > Restart
    Following the prompts, go to Troubleshoot > Advanced Options > Windows Startup Settings > Press the Restart button
    After the computer restarts, select: Safe Mode

    Find Malwarebytes Anti-Malware, and give it a run.

    Last, if mail.ru is still present, do the following:

    Please use the Farbar Recovery Scan Tool Download
    Save FRST to your Desktop.

    [Note: You need to run the version compatible with your system: 32 bit or 64 bit]

    Double-click FRST to run it.

    When the tool opens click Yes to the disclaimer.

    Next, press the Scan button.

    When done, the tool makes a log (FRST.txt) on the Desktop.
    Also, the first time the tool is run, it makes another log: (Addition.txt).

    Please attach the results of both reports in your reply.
     
    cottonball, Jan 23, 2017
    #16

  2. cookies1,

    Have a change of mind. Just work with running FRST (Farbar Recovery Scan Tool), attaching the results, and do not do anything else.

    Suspecting that FRST may show some Group Policy changes, and, if so, until those are removed, we will get nowhere in a hurry.

    Also, are you running Windows 10 Home, or Pro?

    Hang in there!!
     
    cottonball, Jan 23, 2017
    #17
  3. lilyl Win User
    Have you checked Chrome's shortcut? Potentially unwanted programs usually modify your browser shortcuts to automatically load extra web pages or files, hijack your search results, redirect you to unsafe websites, and display endless pop-up ads on your webpage.
    The mail.ru virus may modify your browser shortcuts by adding its harmful files to the shortcut target. So, you should navigate to delete the baleful arguments.
    Right-click your Chrome shortcuts on your desktop and choose the Properties option.
    In the opened window, select the Shortcuts tab. Locate the Target field, remove the unwanted homepage link behind exe, and then click the Apply > OK button after deleting.
     
    lilyl, Jan 23, 2017
    #18
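
    The shortcut check described in the post above can be done for every browser shortcut at once. This is an added example, not part of the original post; the browser list, the folders searched and the URL pattern are assumptions, and the script only reads shortcuts and changes nothing.

```powershell
# Added example (not from the thread): read-only audit of browser shortcuts.
# Lists every .lnk that launches a browser with extra arguments and marks those
# whose arguments contain a URL, the pattern described in the post above.

$browserExe = 'chrome.exe', 'firefox.exe', 'iexplore.exe', 'msedge.exe'   # assumed list
$urlPattern = '(?i)\b(?:https?://|www\.)\S+'                              # assumed pattern

# Assumed locations: desktops, Start menus and pinned taskbar / Quick Launch items.
$roots = @(
    [Environment]::GetFolderPath('Desktop')
    [Environment]::GetFolderPath('CommonDesktopDirectory')
    [Environment]::GetFolderPath('StartMenu')
    [Environment]::GetFolderPath('CommonStartMenu')
    Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($lnk in Get-ChildItem -Path $roots -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue) {
    $shortcut = $shell.CreateShortcut($lnk.FullName)   # opens the existing .lnk for reading
    if (-not $shortcut.TargetPath) { continue }

    $exeName = Split-Path -Path $shortcut.TargetPath -Leaf
    if ($browserExe -notcontains $exeName) { continue }                    # not a browser
    if ([string]::IsNullOrWhiteSpace($shortcut.Arguments)) { continue }    # clean shortcut

    [pscustomobject]@{
        Shortcut    = $lnk.FullName
        Target      = $shortcut.TargetPath
        Arguments   = $shortcut.Arguments
        ContainsUrl = $shortcut.Arguments -match $urlPattern
    }
}

if ($findings) {
    $findings | Sort-Object ContainsUrl -Descending | Format-List
} else {
    'No browser shortcuts with extra arguments were found.'
}
```

    Shortcuts can carry legitimate arguments (a profile switch, for example), so the ContainsUrl column is the one to review first.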
  4. Infected by mail.ru virus

    cookies1,

    Thanks for the reports.

    For some reason, did not get notified of your post.

    As you can see, the logs are lengthy, so it will take me a while to go through them. The old eyes are not what they used to be!

    Will get back with the next step later this PM, maybe evening, but will try to do so sooner.

    Thanks for your patience.
     
    cottonball, Jan 23, 2017
    #19
  5. cookies1,

    Any reason why this was run from D:\ vs. the Desktop in C:\?
    Is D:\ an external hard drive?


    Please do the following:

    Press the Windows and R keys at the same time. This opens the Run box.
    Type Notepad and click OK.

    Next, please copy the entire contents inside the code box below to Notepad:

    Code:
        Start
        CreateRestorePoint:
        EmptyTemp:
        CloseProcesses:
        ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
        GroupPolicy: Restriction <======= ATTENTION
        GroupPolicy\User: Restriction <======= ATTENTION
        Toolbar: HKU\S-1-5-21-2070039639-675289181-3059388584-1001 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - No File
        Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - No File
        Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - No File
        FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor => not found
        FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor => not found
        FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
        CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx <not found>
        U0 Partizan; system32\drivers\Partizan.sys [X]
        S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
        C:\WINDOWS\system32\?????????????p?
        Task: {1E0D895E-CBD8-4B74-95E8-89FE72A5BC2E} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
        Task: {5D54704B-07C6-4DD9-BA73-4F70C02A78BC} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
        Task: {606D6271-6DB6-44CC-8995-BE47D99D40C1} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
        Task: {4EF3A0FD-DDA3-4300-93F8-2214455DA24B} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
        Task: {8BC4482F-56A2-45F6-915B-F5E6AC363436} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
        Task: {9F7C5B31-607E-46B3-9841-3B7576C15C74} - \WPD\SqmUpload_S-1-5-21-2070039639-675289181-3059388584-1001 -> No File <==== ATTENTION
        Task: {AE2FF9F2-5335-49CE-ACA4-98F1452D1E5E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
        Task: {B555BD07-33B4-4CD3-8AF0-0A2C0A4AD2E8} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
        Task: {B72F8083-C6F8-45DA-9801-5D3513DEFD50} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
        Task: {C52A25B4-FF50-4284-97DE-D5069563EAB4} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
        Task: {CBAD0ABA-EE4F-4D62-B211-2559BFFB9939} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
        Task: {F5AF3A77-3265-4B5A-8582-71A7DD870732} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
        Reboot:
        End

    Save the file as fixlist.txt in the same folder where the FRST is running from. It appears to be running from D:\INDIRILENLER vs. the Desktop. They both need to be in the same place, preferably the Desktop.

    Next, run FRST and click Fix only once, and wait.

    When done, the tool creates a log: (Fixlog.txt)
    Please attach it to your reply.

    Also, let us know how it is going.
     
    cottonball, Jan 24, 2017
    #20
  6. cookies1,

    How is it going?

    Running FRST with the fixlist presented above is in your best interest.

    Mail.ru has a modus operandi of its own, and we need to do our best to keep it off the computer.
    Creators of this browser hijacker (and others) can manipulate Group Policy to change some settings so they cannot be easily removed or disabled. There are two entries in the FRST report which point to Group Policy restriction.
    They need to be removed.
     
    cottonball, Jan 25, 2017
    #21
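
    A read-only way to see what local Group Policy is currently enforcing on the browsers, as an added example that is not part of the original post. The file paths and registry keys are the standard Windows and browser policy locations and are assumptions here; the thread does not say which settings FRST flagged.

```powershell
# Added example (not from the thread): read-only listing of local Group Policy
# artifacts that can lock browser settings. Run from 64-bit PowerShell so that
# System32 is not redirected. Paths and keys below are assumptions (standard
# locations); nothing is modified.

$gpRoot = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$polFiles = foreach ($scope in 'Machine', 'User') {
    $path = Join-Path $gpRoot "$scope\Registry.pol"
    if (Test-Path -LiteralPath $path) {
        # -Force because the GroupPolicy folder is hidden by default
        Get-Item -LiteralPath $path -Force | Select-Object FullName, Length, LastWriteTime
    }
}

$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome'
    'HKCU:\SOFTWARE\Policies\Google\Chrome'
    'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
    'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer'
)

$policyValues = foreach ($root in $policyKeys) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # The key itself plus every subkey (list-type policies live in subkeys).
    $keys = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = $name
                Data  = ($key.GetValue($name) -join ', ')
            }
        }
    }
}

'Local policy files:'
$polFiles | Format-Table -AutoSize | Out-String
'Browser policy values:'
$policyValues | Format-List | Out-String
```

    On a home PC that has never had policies configured, both lists are normally empty, so any homepage, startup-page or forced-extension value that shows up is worth tracing to its source.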
  7. GregoryP Win User
    Send the original file to Kaspersky, avast etc. After a couple of days they'll find a solution for how to delete it.
     
    GregoryP, Jan 27, 2017
    #22
  8. cookies1 Win User

    Hello,

    I have attached the results.
    D\INDIRILENLER file is my Downloads file from Chrome. When I download a file in Chrome, it goes to D\INDIRILENLER file. I didn't think there was any difference between C: and D:, so I ran FRST64.exe from D\INDIRILENLER. C is an SSD for Windows, D is an HDD for storage.
    For fixlist.txt, I copied FRST64 to Desktop and ran from there.

    Thanks.
     
    cookies1, Jan 29, 2017
    #23
  9. cookies1,

    How is the system running?

    Also, please download CKScanner:
    http://downloads.malwareremoval.com/CKScanner.exe
    Save the file to the Desktop.

    To run the program, right-click CKScanner.exe and select: Run as administrator

    Next, click: Search For Files

    When done, click: Save List To File
    A message verifies the file saved.

    A log (CKFiles.txt) is created on the Desktop.
    Press: Exit

    Then, attach the contents of CKFiles.txt in your reply.

    Thanks!
     
    cottonball, Jan 30, 2017
    #24
  10. cookies1 Win User
    I have attached the results of ckfiles.txt
    I think my internet is faster now.
    I'm trying to do what you say. Is there any residual file of this virus in my PC now?

    Thanks.
     
    cookies1, Jan 30, 2017
    #25
  11. cookies1,

    We got rid of some items of concern with the FRST fixlist. Didn't see any additional malware, and the CKScanner came out clean. That is good! It scans for cracked software, etc., which you do not want.


    The program that follows checks for the installed and running security programs on your computer.
    We need to make sure you are good to go.

    Please download Security Check:
    SecurityCheck Download
    Save the downloaded file to the Desktop.

    Right-click SecurityCheck.exe and select: Run as Administrator
    Follow the onscreen instructions.

    When the program is done, a Notepad document opens, called: checkup.txt

    Please attach the contents of checkup.txt in your reply.
     
    cottonball, Jan 31, 2017
    #26
  12. luarpc Win User
    Do a System Restore to restore Windows back to an earlier point in time. I had the same problem on a laptop of a friend, and I can't get rid of Russian mail.ru virus, malware, adware... or whatever. The only solution was to restore Windows to an earlier point, before the mail.ru infection.

    System Restore Windows 10
     
    luarpc, Jan 31, 2017
    #27
  13. Infected by mail.ru virus

    luarpc,

    As mentioned before, mail.ru may implement Group Policy changes.
    If so, until those are removed, anyone will get nowhere in a hurry.
     
    cottonball, Jan 31, 2017
    #28
  14. cookies1 Win User
    I have attached the results of checkup.txt
    I thought to do a System Restore. But when I clicked System Restore, I remembered I deactivated it 1 year ago. So there was no System Restore point, I couldn't do a System Restore. Even so, if it was possible I can't trust it. I think there can be some residual files in my PC again.
    Thanks.
     
    cookies1, Jan 31, 2017
    #29
  15. cookies1,

    Java version 32-bit out of Date!
    Please check for Java versions on your computer, and remove them:
    Java Uninstall Tool


    Can you provide some file names, and their full address?
    Example: C:\Users\Home\AppData\name of file, etc.

    If not, what makes you think you are still infected?
    Please explain.

    Thanks!
     
    cottonball, Jan 31, 2017
    #30