Author Topic: Computer is hijacked online remotely.


Offline MarkJohnson

  • Full Member
  • ***
  • Posts: 119
Computer is hijacked online remotely.
« on: February 21, 2020, 02:51:39 AM »
My friend brought over his PC, and it had a background picture (king) that was a screenshot of an MS Trojan picture with scam phone numbers added for "further help".

He called me right away and told me, so he dropped it off for me in hopes I could save it for him.

First I installed MBAM and it reported 50ish pups and other harmless items.

Then I did a backup with his Norton's security with Lifelink and 30 minutes or so later it looked like it started to go to sleep, then I saw the mouse cursor moving on its own and clicking things.  I quickly shut it down, then unplugged the internet.

Then I booted normally and ran Norton's, doing both a quick scan and a full system scan, with no issues reported.

Then I downloaded FRST, put it on a USB stick and ran it on the infected system. Here are the log files, plus I reran MBAM as per the guide on the main menu.

« Last Edit: February 21, 2020, 06:39:21 AM by MarkJohnson »

Offline MarkJohnson

  • Full Member
  • ***
  • Posts: 119
Re: Computer is hijacked online remotely.
« Reply #1 on: February 22, 2020, 08:56:01 AM »
Bummer, a full day with 177 views and no advice.

I did a couple of extra things and removed the remote log-in apps: LogMeIn, TeamViewer and AnyDesk (if that is the right name, it was Any-something or other).

I also noticed ZUpdater in the startup tab of Task Manager, but nowhere in the Control Panel or the apps section of Settings.  Google said it is possibly a data-miner program.

After I reboot, I get to the desktop and the online Simple Solitaire app opens in a Firefox browser and I can do anything. It appears locked up.  I even hit the Start button and nothing happens.  I then hit [Win]+R for a command prompt, and a tiny search-box-looking rectangle appears inside the Simple Solitaire game, but as soon as I try to type in it, it disappears.

I had checked the Firefox add-ons yesterday, and there were a lot of them.  I got locked out before I could remove them all.

If anyone can take a look, I would be very grateful.
-=Mark=-

Offline jperl13

  • Jr. Member
  • **
  • Posts: 38
Re: Computer is hijacked online remotely.
« Reply #2 on: February 23, 2020, 01:19:56 AM »
Have you deleted what MBAM detected? Well, now try: https://toolslib.net/downloads/viewdownload/1-adwcleaner/
Mark the necessary options in the expert configuration.

Run: https://www.kaspersky.es/downloads/thank-you/free-virus-removal-tool

Eliminate unknown programs or those of dubious reputation.

If nothing changes after restarting, wait for the response from the specialists.
« Last Edit: February 23, 2020, 01:28:49 AM by jperl13 »

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Computer is hijacked online remotely.
« Reply #3 on: February 23, 2020, 05:16:17 AM »
Hey mate,

You haven't been ignored. Please do not listen to jperl, and wait for a qualified malware analyst. I've asked Sass Drake to attend to your needs.

Cheers,
Mike

Edit: Just to add,

AnyDesk is similar to Teamviewer and is used in remote support. ZUpdater is linked to a bitcoin miner and can be removed.
« Last Edit: February 23, 2020, 05:19:28 AM by Michael (alan1998) »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline MarkJohnson

  • Full Member
  • ***
  • Posts: 119
Re: Computer is hijacked online remotely.
« Reply #4 on: February 23, 2020, 05:24:38 AM »
Hey mate,

You haven't been ignored. Please do not listen to jperl, and wait for a qualified malware analyst. I've asked Sass Drake to attend to your needs.

Cheers,
Mike

Edit: Just to add,

AnyDesk is similar to Teamviewer and is used in remote support. ZUpdater is linked to a bitcoin miner and can be removed.

Thank you for your help.  It is appreciated.
-=Mark=-

Offline MarkJohnson

  • Full Member
  • ***
  • Posts: 119
Re: Computer is hijacked online remotely.
« Reply #5 on: February 23, 2020, 06:06:12 AM »
An update: I removed all drives and inserted them in my other rig and scanned them with Windows Defender yesterday, and found more stuff.

I just now put the boot drive back in and launched MBAM and FRST again, and will post new logs.

I hope this does it.  ZUpdater is still in Task Manager under Startup, but it is still disabled, if that even matters.  It's running much better, but it will be good to know it is clean.  Also, SFC /scannow reports no problems.

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: Computer is hijacked online remotely.
« Reply #6 on: February 23, 2020, 12:16:29 PM »
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
HKU\S-1-5-21-2167592917-544379194-3805269371-1001\...\Run: [ZUpdater] => C:\Users\Ron\AppData\Roaming\ZUpdater\ZUpdater.exe do://zupdater
Task: {CB170414-34F2-4631-B915-455BD375E159} - no filepath
FF Extension: (my first sentence) - C:\Users\Ron\AppData\Roaming\Mozilla\Firefox\Profiles\c83rtifh.default-1582418822860\Extensions\{8996d590-8960-4a35-a58c-4dbf1181b686}.xpi [2020-02-22]
C:\Users\Ron\AppData\Roaming\ZUpdater
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open again FRST and click on button Fix
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
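The fixlist above removes three persistence points: a per-user Run key, a scheduled task with no file path, and a freshly dropped Firefox extension. The following read-only triage script is an added example (not from the thread, not FRST, and not any forum member's code) that lists the same three locations on a Windows machine so a helper can confirm the entries are gone after the fix; it assumes an elevated PowerShell 5 or later session and uses only built-in cmdlets (Get-ScheduledTask, Get-ItemPropertyValue).

```powershell
# Added example: read-only persistence triage for the three locations the
# fixlist targets. It lists, it does not delete. Run as administrator.

$findings = New-Object System.Collections.Generic.List[object]

# 1. Run keys in every loaded user hive (HKU\<SID>\...\Run), which is where
#    the ZUpdater autostart entry lived.
if (-not (Test-Path 'HKU:\')) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem 'HKU:\' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object {
        $runKey = "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
        if (Test-Path $runKey) {
            (Get-Item $runKey).GetValueNames() | ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Kind = 'RunKey'; Name = $_
                    Detail = (Get-ItemPropertyValue -Path $runKey -Name $_); Where = $runKey })
            }
        }
    }

# 2. Scheduled tasks whose exec action has an empty executable, or a full path
#    that no longer exists on disk (FRST reports such tasks as "no filepath").
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.CimClass.CimClassName -ne 'MSFT_TaskExecAction') { continue }  # skip COM handler actions
        $exe = if ($a.Execute) { [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"')) } else { '' }
        if (-not $exe -or (($exe -match '[\\/]') -and -not (Test-Path -LiteralPath $exe))) {
            $findings.Add([pscustomobject]@{
                Kind = 'Task'; Name = $task.TaskName; Detail = $exe; Where = $task.TaskPath })
        }
    }
}

# 3. Firefox extension .xpi files in every user profile, newest first, so a
#    recently dropped add-on (the one above is dated 2020-02-22) stands out.
Get-ChildItem "$env:SystemDrive\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions\*.xpi" -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | ForEach-Object {
        $findings.Add([pscustomobject]@{
            Kind = 'FFExtension'; Name = $_.Name; Detail = $_.LastWriteTime; Where = $_.DirectoryName })
    }

$findings | Format-Table -AutoSize
```

Compare the listed Run values, task names and extension dates against the FRST log before and after running Fix; anything the fixlist named should no longer appear.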

Offline MarkJohnson

  • Full Member
  • ***
  • Posts: 119
Re: Computer is hijacked online remotely.
« Reply #7 on: February 23, 2020, 05:11:52 PM »
Here's the FRST log file.

Also, Norton's Security was blocking FRST.  I allowed it, but then when I clicked the FIX button of FRST, Norton was blocking it.  FRST finished anyway, so I'm not sure if it did it correctly.

Thank you for your help
-=Mark=-

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: Computer is hijacked online remotely.
« Reply #8 on: February 23, 2020, 07:50:40 PM »
That should be it. Please rename FRST64 to uninstall. That should uninstall FRST.

Offline MarkJohnson

  • Full Member
  • ***
  • Posts: 119
Re: Computer is hijacked online remotely.
« Reply #9 on: February 23, 2020, 08:27:14 PM »
Awesome.  Now I got my speed back.  Everything seems normal again.

Thank you so much!
-=Mark=-

FYI - Where is the donate button to show you my thanks?