Suspicious activity. How to find it?

Zecha

Level 2
Thread author
Mar 2, 2020
69
Hello MalwareTips forum!
This is my first time on this forum and I want to say that I dont know many things about viruses, malwares etc.

So in November/December 2019 I tried to search on Google for Top 5 best Electric Band Strips (or how is called) and I found the first website, I accessed and clicked on a button that says something about find this product and should go to a big Online Website for Shopping in my country.
Was a website with reviews about band strips for Gym.

So I accessed that website on my PC where I just deleted Bitdefender Total Security 2019 or 2020 with 2-3 days before to access the site. Everything looks ok.
Now I wanted to search for the same site on my phone, I did that and after I clicked the button right to the product to find the product, I got a message on my phone that I have 5 or 10 mins to pay a tax to get the malware/virus away from my phone.
After few days or weeks I got emails with different accounts about code verification, suspect activity on my yahoo mail etc.
And every 1-3 weeks I received these emails. Nothing was stoled yet.
Now today when I woke up I received 3 emails from Yahoo that says about a Code Verification and that I want to access the account from Vietnam.

I bought a high end PC in August 2019 and I have lag spikes on games that I should not have with this pc.
I tried different things to do. I downloaded anti malwarebytes trial for 14 days, I scanned on both safe mode and normal mode and I found 25-35 files every 2-3 hours I scanned. Malwarebytes I used after Rogue Killer.
I used HitmanPro, semana or something.
So every 2-4 hours or something like that, I could find almost same infected files, I deleted them and reappear until I was going to my Google Account and put the sync to off and after malwarebytes didnt found anything suspicious. I tried the program in 7-10 different days and still 0 infected files.
Im not sure if is because the off-sync and deleted all the data from the google account or pure coincidence.
I reinstalled windows on my PC about 2-3 times since November/December but I think the problem is that the USB Stick was made on my infected PC. Should I try to make one from one of my friends PC?

How should I proceed in this case? I sent emails to Yahoo, they gave me solutions few months ago, I tried them but I still receive suspicious emails from different accounts and from Yahoo.

Thanks! I hope I can do something about this.
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
So I accessed that website on my PC where I just deleted Bitdefender Total Security 2019 or 2020 with 2-3 days before to access the site. Everything looks ok.
Now I wanted to search for the same site on my phone, I did that and after I clicked the button right to the product to find the product, I got a message on my phone that I have 5 or 10 mins to pay a tax to get the malware/virus away from my phone.
Hi Zecha, the threatening message is a fake one and is common on sub-standard websites or websites that are compromised.
In such case, you should directly close the popup/browser tab so that it does not come back or redirect you any further again.
One should just not press the 'back' or 'home' button on phone, chances are that that fake alert will stay and come again.
Have you provided your email ID to that website or any popup that you encountered at that time? Chances are that it is being misused.

Also, keep a spare email id (not used for important personal or professional work) to provide to any unknown websites.
Let's talk about the future remedies, assuming you're using Chrome on phone.
  1. If you've mistakenly disabled an important Chrome setting, we need to enable it back. Go to Chrome >> Settings >> Site settings >> 'Pop-ups and Redirects' and disable the toggle button (to block popups). Also, make sure that no sites are allowed. You can confirm this in the 'Pop-ups and Redirects' screen itself.
  2. Another thing you can do is use a browser that has ad-blocking like Opera (built-in), Firefox or Yandex (add-ons available).
Also, you could have given your email id through your PC browser, to a malicious page in the few days you didn't have antivirus, or even before that. Use a good adblocker desktop-browser extension like Adguard or uBlock Origin to minimize such fake alerts and ads. You can learn from searching this forum.
You should also NEVER leave your computer without a good Internet Security program, and always keep your Windows OS and apps updated.

After few days or weeks I got emails with different accounts about code verification, suspect activity on my yahoo mail etc.
And every 1-3 weeks I received these emails. Nothing was stoled yet.
Now today when I woke up I received 3 emails from Yahoo that says about a Code Verification and that I want to access the account from Vietnam.
By 'different accounts', do you mean you're receiving emails from different A/Cs OR that you're receiving alerts on your different A/Cs?
If you're getting that alert from different accounts, do NOT click on any links or buttons in those emails.

Malvertisers and phishing pages take your email address (among other data) and try to break in to your mail (and connected services) by various methods
. You are getting the 'verification codes' and login attempt (alert) mails because some wicked person (eg. one from Veitnam, or someone using Vietnamese proxy server) is trying to break in. That simple. Just do NOT approve if asked in the mail.
Whether or not the mail says that login was done, immediately do the following
  1. change your email account password (and periodically keep changing)
  2. backup (download) any crucial data and preferrably delete that from the google account (if it's really that sensitive)
  3. always use 2 Factor Authentication. Add it if you haven't
  4. secure your alternate email id and contact number
I cannot say if you have 2 FA. The verification code, instead of being 2FA driven, might just be because your login location is different (Vietnam) that usual.
One cannot directly assume that their account has not been broken in in such case. Possibility is that the hacker broke in and deleted any suspicious login alerts. Do not worry much about it, that is a small possibility. If you carry out the 3 points above and do Not approve logins, you should be good. Good that you're getting verification codes, that's Yahoo's protection for you.

A l'il exercise, go to this link to check if your account credentials have been leaked earlier.
Alerting Yahoo about frequent suspicious activities will be very helpful!


I bought a high end PC in August 2019 and I have lag spikes on games that I should not have with this pc.
I tried different things to do. I downloaded anti malwarebytes trial for 14 days, I scanned on both safe mode and normal mode and I found 25-35 files every 2-3 hours I scanned. Malwarebytes I used after Rogue Killer.
I used HitmanPro, semana or something.
So every 2-4 hours or something like that, I could find almost same infected files, I deleted them and reappear until I was going to my Google Account and put the sync to off and after malwarebytes didnt found anything suspicious. I tried the program in 7-10 different days and still 0 infected files.
Im not sure if is because the off-sync and deleted all the data from the google account or pure coincidence.
I would have asked you to post any available scan result screenshots, but now you're saying that there are no detections.
I do not remember the kind of detections Malwarebyte makes, but if the results are 'cookies', you need not worry.
I have a vague suspicion that the Google account issue has to do with cookies. Syncing should do no issue though. Are you syncing Google Drive on your computer (not browser)?
For peace of mind, let's run a few scans.
  1. Enable that Google account sync and reboot
  2. Download Emsisoft Emergency Kit and run a scan. Perform the required actions on detections
  3. Download Zemana (semana :) Portable and run a scan. Again, do the needful
Let us know the results. You might want to run a Zemana scan again after a reboot for verification.

About the Lag, there can be multiple reasons. Chances are that your PC is not infected but other culprit processes are taking up your resources, or there's too much junk (lesser chances for such lags). You can use PC cleaners for the latter, though the use is a topic of debate. You could remove any unwanted heavy apps.
Let's search for culprits
Screenshot (1550).png
  1. Open your task manager using Ctrl+Shift+Esc
  2. Click on Show More details if you do not have a dense view like in the above pic
  3. In Options, select 'Always on Top'
  4. Now, when you face lags, check this window
  5. Click on CPU (the arrow should be pointing down as purpled in image). This will show what apps/processes are using high amounts of CPU (desc order)
  6. Do the same for Memory and Disk columns too and take a few screenshots when the % numbers are high for each. This will let us know which of the 3 parameters is (if) significantly causing a slowdown and which apps are causing it.
  • Gaming will surely keep all of them up, but we can see if there's some other culprit.
  • You can also use a tool like SysInternals Process Explorer and check the CPU and Working Set (related to memory) utilization by sorting in a similar fashion therein.
  • Enable VirusTotal in Process Explorer as shown in below pic. See if any of listed processes have a VirusTotal score of >0. Let us know here.
  • SysInternals Autoruns app can also be used to check for any ususual suspicious app starting in your PC, in the 'Logon' section of the app. You can post a screenshot of the 'Logon' and 'TaskScheduler' tabs here for us to inspect.
Screenshot (1551).png

I reinstalled windows on my PC about 2-3 times since November/December but I think the problem is that the USB Stick was made on my infected PC. Should I try to make one from one of my friends PC?
If you suspect this, ofcourse run a scan on it. Please reinstall your antivirus software you own and enable scans on removable media.
Install this NoVirusThanks app so as to prevent auto-run virus from connected USB from infecting your PC. Also, a reason of USB infection can be that you're running any cracked games/apps or other suspicious applications from that USB.

In the end, if you still find any anomaly that affects your PC and you suspect of any viruses, you can post at Malware Removal Support on this site.
Clean (re-)installing Windows is a good way to make a fresh start. However, what follows is what kind of applications you run and sites you visit. Your safe or unsafe habits.
You can explore this site to learn more about how to stay secure online. Good luck :)
 
Last edited:

Zecha

Level 2
Thread author
Mar 2, 2020
69
PS: I use uBlock by 1 month with Kaspersky addon on chrome + Kaspersky trial and malwarebytes trial at the same time.
I can give you name of the files found on malwarebytes on 15/02/2020 but I dont think this is the cause of emails being broken.
Name : Adware.Elex.ShrtCln / Type : File / Location : C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\0000004.log / Action : Quarantined
Another 9-12 Adware.Elex.ShrtCln

After that :
Name : PUP.Optional.Ask / Type : some are Folder another are File / Location : Almost the same with Elex on Google\Chrome
Name : PUP.Optional.BuenoSearch / Type : File/Folder / Location : Google Chrome
Name : PUP.Optional.Conduit / File/Folder / Google Chrome
Name : PUP.Optional.Trovi / File/Folder / Google Chrome

Sry because I edited my post several times. I thinked now to post these.
These infections are not the only ones from 2019 I think but this is the largest report I found with 29 infections.
All were moved in quarantine and removed.

Ok so I tried to uncheck that toggle button but I saw is already unchecked and I tried to check and go back and I realised after I read again what you said, that is good to uncheck and not to check.
When is unchecked it says (Recommended) and I thought if I check it will be Recommended.
But if I download another browser on my phone, and I still have Google Chrome installed, is not that a problem?
I did exactly what you said to dont. On my PC I closed the tab I think after I clicked on that redirect button and on phone I pressed back I think and closed the tab after that.
I did not enter any email ID or username or something on that pop-up window that appeared with infection and tax.
I just enter email IDs and to my accounts after few days, weeks etc by browsing the PC normally.
Im okey if I checked that toggle button on browser settings on my phone, press back and after unchecked again?

By 'different accounts', do you mean you're receiving emails from different A/Cs OR that you're receiving alerts on your different A/Cs?
If you're getting that alert from different accounts, do NOT click on any links or buttons in those emails.

I mean I get emails about different accounts : I have created accounts on different platforms, games etc and now I receive emails from those companies where I have account on them.
Emails are about code verification, activity etc.
Emails looks legit, they have icon, same font, not .ro.com for example or something like that and when I asked Yahoo if is official email adress (From Yahoo that said I have suspicious activity) they said is the Official yahoo adress from where I received the email.

I tried to change my Email password on my main Email address, I changed that security thing with phone and put instead the two-factor autheticator.
And I have second email adress linked to my main Email.
Is this a bad thing to have 2 emails linked?
So if I make a new email, I change the emails on my accounts, I delete these 2 old emails, the hacker can still have access to my emails because maybe I have a keylogger on my PC/Phone?

About lag spikes, I tried to dont move my cursor and with task manager open to look at Cpu Usage and I could not find anything. When I was in the game I didnt try to open task manager exactly at lag spikes but I tried without and I had high cpu usage at extensions that seems to be from windows 10.

First of all I want to resolve with my keylogger/suspicious activity/malwares etc and after that the lag spikes :)

I think I can put the images from malwarebytes from the reports tab. I think I still have them.
One thing was Trovi which I dont think is resposible for the activity and I dont have any pop-out on my browsers. I tried from this website a guide to remove trovi and I couldnt and after I synced-off my google account and it dissapear.

backup (download) any crucial data and preferrably delete that from the google account (if it's really that sensitive)
How to delete data from google account? Or to make a backup and after I load up the files to not get the infection?

Im sorry about my english.
 
Last edited:

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
I can give you name of the files found on malwarebytes on 15/02/2020 but I dont think this is the cause of emails being broken.
Name : Adware.Elex.ShrtCln / Type : File / Location : C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\0000004.log / Action : Quarantined
Another 9-12 Adware.Elex.ShrtCln

After that :
Name : PUP.Optional.Ask / Type : some are Folder another are File / Location : Almost the same with Elex on Google\Chrome
Name : PUP.Optional.BuenoSearch / Type : File/Folder / Location : Google Chrome
Name : PUP.Optional.Conduit / File/Folder / Google Chrome
Name : PUP.Optional.Trovi / File/Folder / Google Chrome

These infections are not the only ones from 2019 I think but this is the largest report I found with 29 infections.
Ah, that was what I was missing. Adware, PUPs (Potentially Unwanted Programs) and cookies sometimes.
  1. Enable your sync so that the changes we will do get synced
  2. Run Malwarebytes and Zemana to remove Adware/PUPs, restart Windows
  3. Reset your web browser using this guide. Don't forget to also read the 'Remove unwanted programs (Windows, Mac)' section. Follow the entire guide
  4. Restart Windows
This should get you through the recurrence of unwanted detections you've been having when you sync your google account. Btw, these are not viruses but unwanted and potentially risky content.

Ok so I tried to uncheck that toggle button but I saw is already unchecked and I tried to check and go back and I realised after I read again what you said, that is good to uncheck and not to check.
When is unchecked it says (Recommended) and I thought if I check it will be Recommended.
But if I download another browser on my phone, and I still have Google Chrome installed, is not that a problem?
Yeah, keep it UNchecked, as recommended. Downloading another browser is like having another garage for your second car. No concern with relation to the first car or garage. Read garage as browser and your cars as your browsing tabs/activity and browser settings. You can have two, though not needed. One well configured browser is enough.

I did exactly what you said to dont. On my PC I closed the tab I think after I clicked on that redirect button and on phone I pressed back I think and closed the tab after that.
Important is to close those irritating tabs entirely. You did that, so you shouldn't face them on next browser launch, unless you're infected (not the case here) or you visit that webpage again.

I did not enter any email ID or username or something on that pop-up window that appeared with infection and tax.
I just enter email IDs and to my accounts after few days, weeks etc by browsing the PC normally.
The popup may not necesarily be about taxes or such. You could have entered it at any site that asked for it and has bad intentions, or has been hijacked.
BTW, are you using any VPNs? That may change your login location and alert mails may follow.

I mean I get emails about different accounts : I have created accounts on different platforms, games etc and now I receive emails from those companies where I have account on them.
Emails are about code verification, activity etc.
Emails looks legit, they have icon, same font, not .ro.com for example or something like that and when I asked Yahoo if is official email adress (From Yahoo that said I have suspicious activity) they said is the Official yahoo adress from where I received the email.
If you've voluntarily created accounts on various platforms/sites and you're receiving their mails
  • login mails will follow before or after you logged in to their portal/app
  • Code verification may be required when first creating accounts or for successive logins and important account actions
  • Activity mails will reflect your activity on those portals, or updates from other members w.r.t. your activity
If the mails have relevant content at proper times, then they should be good. If you have a doubt, check with the respective sites, whether the mail id from which you are getting mails is official. And if the mails are relevant and meaningful, then its fine.

Also, the gmail and yahoo incidents are two different problems, from what I understand.
If you're getting mails of login alerts of times you did NOT login, that's suspicious. Yet, the one who's trying to break into your account doesn't have your Auth codes, so no worries.

Is this a bad thing to have 2 emails linked?
So if I make a new email, I change the emails on my accounts, I delete these 2 old emails, the hacker can still have access to my emails because maybe I have a keylogger on my PC/Phone?
No problem. Just make sure the linked emails are secured as well.
When you freshly login to your Yahoo account, does it ask 'email id+authentication code' or 'email id+password'. Does it ask you for any auth code or OTP?

You've run scans with good tools already. If they don't detect keyloggers, there are high chances that there aren't.
Still you can try Emsisoft Emergency Kit, Zemana and HitmanPro Alert scans for peace of mind... after completing above actions. A clean Windows install 9that you said you did) erases such common threats.
Also, you can share the Process Explorer and Autoruns screenshots the way I mentioned about earlier - for usage and detecting anything suspicious.

About lag spikes, I tried to dont move my cursor and with task manager open to look at Cpu Usage and I could not find anything. When I was in the game I didnt try to open task manager exactly at lag spikes but I tried without and I had high cpu usage at extensions that seems to be from windows 10.
First of all I want to resolve with my keylogger/suspicious activity/malwares etc and after that the lag spikes :)
You could try keeping the Task Manager open and then run the game full-screen. Extensions? 3 screenshots each showing high use of CPU, Memory and I/O respectively will help one understand things better.

How to delete data from google account? Or to make a backup and after I load up the files to not get the infection?
There's seems no risk for your google account by your explanation. I suggested that in case we were led to believe that your account is really compromised. It is rather just adware bundles syncing with your account.
 

Zecha

Level 2
Thread author
Mar 2, 2020
69
The popup may not necesarily be about taxes or such. You could have entered it at any site that asked for it and has bad intentions, or has been hijacked.
BTW, are you using any VPNs? That may change your login location and alert mails may follow.
Yes, that is what I mean. I put my username and passwords to real websites and somehow my username and passwords were known by the hacker. This is not a keylogger? Im not very familiar with terms and tech etc.
If you've voluntarily created accounts on various platforms/sites and you're receiving their mails
  • login mails will follow before or after you logged in to their portal/app
  • Code verification may be required when first creating accounts or for successive logins and important account actions
  • Activity mails will reflect your activity on those portals, or updates from other members w.r.t. your activity
Emails I received were 8h ago, 6h ago and 1h ago If I remember corectly and were on my secondary email. On that time I was sleeping.
I dont use any VPN to hide my location.
Also, the gmail and yahoo incidents are two different problems, from what I understand.
If you're getting mails of login alerts of times you did NOT login, that's suspicious. Yet, the one who's trying to break into your account doesn't have your Auth codes, so no worries.
I think that the person doesnt have Auth codes because I receive these types of emails by few months but still... I dont want to one day be compromised and he stole all of my accounts. I want to be sure and to identify the problem and causes to this.
No problem. Just make sure the linked emails are secured as well.
When you freshly login to your Yahoo account, does it ask 'email id+authentication code' or 'email id+password'. Does it ask you for any auth code or OTP?
I think first time after I install windows or new PC etc , Yahoo is asking for confirmation on phone and code. Not sure.
Still you can try Emsisoft Emergency Kit, Zemana and HitmanPro Alert scans for peace of mind... after completing above actions. A clean Windows install 9that you said you did) erases such common threats.
I already tried Emsisoft, Zemana and HitmanPro scans and every program did found 25-33 PUP and other things when I had sync-on.
But is not risky to put sync-on on my Google Chrome browser and restart my computer?
I dont think I have on PC only Pup, Adware or things about pop-outs and addons.
I think I have malwares or ransomware (im not sure if ransom means spy).

I will try to put sync on and scan with those programs at evening if you make me sure that is safe to do that.
Now is 14:50 PM and I can after 19:00 maybe if is okay for you.

EDIT: Malwarebytes just expired. And if I scan with that program, how do I send log or I just have to do screenshots?
Should I reinstall windows and install malwarebytes trial again to have 14 days free?
 
Last edited:

Moonhorse

Level 37
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,602
Your google account is corrupted, every time you log-in the adware will come back
If you want to have clean pc , do clean install and avoid syncing to browser...use firefox from now?

I had my gmail account corrupted some years ago, everything was fine as i stopped syncing to google chrome..after that i secured the account ( 2 factor authentication + go throught every settings on google + clean up wit their tool ) Since then i have never synced my google account into chrome, but im using that google account as my main gmail account on my mobile and never had any problems since then
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
I put my username and passwords to real websites and somehow my username and passwords were known by the hacker. This is not a keylogger? Im not very familiar with terms and tech etc.
There's no easy way to know how your email fell in hands off someone unwanted, if that's really the case.
For the sake of understanding, you can search for terms like keylogger, adware, PUP, viruses... here.
Emails I received were 8h ago, 6h ago and 1h ago If I remember corectly and were on my secondary email. On that time I was sleeping.
I dont use any VPN to hide my location.
You should double-check the time of login that is mentioned inside the login alert mail.. if that matches your login/activity time. The mails do sometimes come later than the activity.
I think that the person doesnt have Auth codes because I receive these types of emails by few months but still... I dont want to one day be compromised and he stole all of my accounts. I want to be sure and to identify the problem and causes to this.
You can use Bitdefender SafePay or Kaspersky SafeMoney to login to avoid fear of keyloggers. Since you formatted Windows multiple times and apparently the scanners are not detecting any keyloggers, you need to relax.
You changed your password. You have 2FA enabled. That is enough. No one can steal your 2FA unless you hand it over to them somehow. And if someone can bypass that 2FA mechanism, not only you, but other users are also prey.
I already tried Emsisoft, Zemana and HitmanPro scans and every program did found 25-33 PUP and other things when I had sync-on.
But is not risky to put sync-on on my Google Chrome browser and restart my computer?
I dont think I have on PC only Pup, Adware or things about pop-outs and addons.
I think I have malwares or ransomware (im not sure if ransom means spy).
Ransomware are software that lock out your files by encrypting them. You cannot read those locked out files unless you pay a ransom amount to the hacker. And it's not guaranteed that you'll get your files back. Again, that's not your case, is it?!
The ones you stated till now are not malware.
When you enable sync, the old PUPs and adware will come over, probably. You know, in worst case, you can again remove them and disable sync.
There are 3 options
  1. either Sync, remove those PUPs using scanners, then reset browser (steps I described in my previous post)
  2. or simply use another Google account
  3. or switch browser
And make sure that
  • you do not visit shady sites that force these PUPs onto your machine
  • do not allow their installation if asked (most modern browsers alert about such installation attempts/requests)
  • block ads using extensions I suggested in 1st post
  • make sure to perform 'custom' installation instead of 'default' mode when installing apps. Un-check any extras offered during installation. That's the usual cluprit
  • download apps and browsers from official site only and extensions too from official site
Your google account is corrupted, every time you log-in the adware will come back
If you want to have clean pc , do clean install and avoid syncing to browser...use firefox from now?
Resetting the browser should also remedy. Google have suggested this against recurring adware and PUPs.
@Zecha as @Moonhorse suggests, you can switch to another browser and export your bookmarks from Chrome to the other browser, if that's fine with you.

EDIT: You can go to Sign in - Google Accounts and checkout he 'Security Issues found' card.
This is to check and further secure your account. You can do something similar for Yahoo as well.
Screenshot (1556).png
 
Last edited:

Zecha

Level 2
Thread author
Mar 2, 2020
69
Ransomware are software that lock out your files by encrypting them. You cannot read those locked out files unless you pay a ransom amount to the hacker. And it's not guaranteed that you'll get your files back. Again, that's not your case, is it?!
The ones you stated till now are not malware.
When you enable sync, the old PUPs and adware will come over, probably. You know, in worst case, you can again remove them and disable sync.
There are 3 options
Ok, lets say they are just PUP. But I dont have any pop-out on my browsers, and I didnt have one when sync was on. Not even search bars, toolbars, or search engines.
If they are trying to steal my data, passwords, accounts, they are not malwares?

I use my Google Account only for storage the passwords. Thats all I need from my Gmail account. And maybe to put it on my phone so I have access to Google Play Store.

I already tried to Reset my Chrome Browser and I still found the pups. (Before sync off)

But if they have access to my devices, they cannot go into my 2FA and get those codes by themselves?
I dont say im at risk now, but I want to get rid of all of these notifications, scans etc.

So I can save my passwords somehow instead using google chrome account and delete that account? Im not sure what accounts I have linked to that Google acc. I made many accounts over the past few years. On phone and PC.
Maybe I can write on a paper some useful passwords and then delete Gmail? Should I be good after doing that?

But one more question. If I synced already off my account, searched for Google Dashboard and delete all data, I still have passwords saved.
Those lets say "Malwares" (Im not sure if is the case) are not going into my pc with sync off? Because I synced off 2-4 weeks ago and today I just received email with code verification request on my second email.
Not sure if is only Google compromised or they are many things on my PC that let the hacker steal my data.
 

Moonhorse

Level 37
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,602
Not sure if is only Google compromised or they are many things on my PC that let the hacker steal my data.
there is setting on google chrome wich allows you to use gmail without syncin to browser itself,
But as you i would make new ISO. on usb on your friends pc, everything you have connected to your computer like router, you should reset it completely and make sure computer is completely clean

After that you either use google chrome without sync, old edge or firefox and go throught the google account settings, remove everything from there if possible , set up that 2 -factor .etc....theres no way malware is going to jump randomly from firefox gmail to your desktop and mess everything up . ps you can see all saved passwords from your google account and remove them aswell and in future move to password manager like bitwarden and secure it with 2 factor ( secure everything with 2 factor)

And clean install with usb stick, with most recent ISO, you have to completely wipe out everything, if your router is corked up just reset it and change passwords etc
 

Zecha

Level 2
Thread author
Mar 2, 2020
69
there is setting on google chrome wich allows you to use gmail without syncin to browser itself,
But as you i would make new ISO. on usb on your friends pc, everything you have connected to your computer like router, you should reset it completely and make sure computer is completely clean

After that you either use google chrome without sync, old edge or firefox and go throught the google account settings, remove everything from there if possible , set up that 2 -factor .etc....theres no way malware is going to jump randomly from firefox gmail to your desktop and mess everything up . ps you can see all saved passwords from your google account and remove them aswell and in future move to password manager like bitwarden and secure it with 2 factor ( secure everything with 2 factor)

And clean install with usb stick, with most recent ISO, you have to completely wipe out everything, if your router is corked up just reset it and change passwords etc
Oh yees. I wanted to ask about my router.
I reseted 1-2 times few months ago because I had ping and I thought is DDOS attack or something. (The game itself had DDOS as I searched on internet).
Now I have to ask, what should I do first? Reset the router or install windows?
I have 3 phones, 2 laptops and 1 PC.
Should I for example, reset my router, and after install windows on every laptop and PC? How do I proceed with my phones? (And again I just put an example. I dont know if I should reset first or install).

Thanks! And sorry for stupid questions.
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
Ok, lets say they are just PUP. But I dont have any pop-out on my browsers, and I didnt have one when sync was on. Not even search bars, toolbars, or search engines.
If they are trying to steal my data, passwords, accounts, they are not malwares?
I do not have your screenshots or clear timeline. The detections were of famous adware and PUPs bundled in programs and that get added to browsers. Maybe they were hidden manually or they got corrupted after scanning and removal and so you couldn't see.
We cannot conclude that these detections (still we do not know, you just shared a small list of adware and PUP detections) are responsible for your email id leak. Could be something else. Could be they got the email from some web forms you filled, could be something else. And you haven't yet verified the alert emails the way we discussed previously. We should not just keep speculating.
If you're very concerned, simply switch the id as @Moonhorse recommended.
I already tried to Reset my Chrome Browser and I still found the pups. (Before sync off)
We discussed about enabling sync and doing again -- a set of actions, scans, browser reset as explained in the guide, and then verifying. Again, mere discussions won't help. Trying the discussed fixes and then observing how things change might help understand the gravity of the problem.
But if they have access to my devices, they cannot go into my 2FA and get those codes by themselves?
I dont say im at risk now, but I want to get rid of all of these notifications, scans etc.
They won't have access to your phone just because of some popups. Only if you've installed unknown or risky mobile apps and you allowed permissions like 'can read your messages' or 'appear on top' or allowed them 'notification access' or allow them to 'appear on top', then someone might be able to read the sensitives. Try Norton and Zemana scans on your phone to check for any suspicious apps. Again, I do not see a link with your issue.
For Windows, you've already reinstalled OS. You can abandon this google account, get a new one, reinstall Windows and maybe switch browser (though this is not necessary then). Follow safe habits discussed earlier.
So I can save my passwords somehow instead using google chrome account and delete that account? Im not sure what accounts I have linked to that Google acc. I made many accounts over the past few years. On phone and PC.
Maybe I can write on a paper some useful passwords and then delete Gmail? Should I be good after doing that?
But one more question. If I synced already off my account, searched for Google Dashboard and delete all data, I still have passwords saved.
Those lets say "Malwares" (Im not sure if is the case) are not going into my pc with sync off? Because I synced off 2-4 weeks ago and today I just received email with code verification request on my second email.
If you delete your google account, all passwords of accounts you logged in with your google id will become futile.
You can also change email id of your account on various portals, from current google id to a new one.
Then, delete all passwords rather, from chrome and save them in a 3rd party password manager.

Regarding the infections you're mentioned, coming back after scan... I found a similar case. You might want to look into it.
And there are already published MalwareTips guides that more or less state the same to remove the concerned detections. These might help your understanding about the detections and what not do they do.
  1. How to remove Adware.Elex.ShrtCln (Virus Removal Guide)
  2. How to remove PUP.Optional.Ask adware (Virus Removal Guide)
  3. Remove PUP.Optional.Trovi.A (Virus Removal Guide)
  4. How to remove PUP.Optional.Conduit (Removal Guide)
  5. Remove Bueno Search (Removal Guide)
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
Oh yees. I wanted to ask about my router.
I reseted 1-2 times few months ago because I had ping and I thought is DDOS attack or something. (The game itself had DDOS as I searched on internet).
Now I have to ask, what should I do first? Reset the router or install windows?
I have 3 phones, 2 laptops and 1 PC.
Should I for example, reset my router, and after install windows on every laptop and PC? How do I proceed with my phones? (And again I just put an example. I dont know if I should reset first or install).

Thanks! And sorry for stupid questions.
Reset the router and then clean reinstall your Windows on the concerned machine (and then reset the router quickly once again, for peace of mind).
Also, it will be good to perform a firmware upgrade of your router if possible. You should get a guide to do that inside your router console or on the router's official site.
You do not need to format your phones. Still if you want, you can do it after you've reset the router.
However it's a slightly different DDOS story with droids :)
 

Zecha

Level 2
Thread author
Mar 2, 2020
69
I can try to do this but after few days unfortunately. He has something to do this week.
Code Verification are sent to my email and not phone as I see. So he dont need my phone to have access.
And I forgot something about activity. First time in december when I got notification from Yahoo, the location was Russia and last time, yesterday was Vietnam.
But I cant remember if was multiple times when I got these emails.
Yesterday I got email about code verification because I put 2FA on my main email and first time i didnt have it so he just said the new location from where I was connected.

I will try this step with router + Clean Install but in few days. Should I try another step after this? I dont know the order :)
Should I make 3 USB Sticks with Windows at my Friend PC? Just to clean install my PCs at the same time.
And what should I do to dont infect my USB Stick? Should I restart my computers and after that to press F2 ,F6 etc to go to BOOT Menu, put Stick into my PC and press Save and Exit, PC will restart and press another key F11 or what is the good key for selecting the USB Stick with Windows?
I dont know if the stick can be infected if Im on desktop and I restart after I connect it. But I want to be safe haha.
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
Change the passwords and just secure the email in which you're getting Code Verifications, with 2FA. From what I know, you're already using 2FA for all emails now.

No need of multiple sticks. Make the USB stick has the version of Windows matching the one currently installed on the concerned PC you're formatting (one-by-one, if you want to reset all PCs).
Doesn't seem necessary at all, but if you think all of them need to be reinstalled, keep other PCs off when reinstalling on one of them. Then, after completion of reinstall on 1, directly begin reinstall on another (by booting to USB) ...
  1. burn Windows 10 ISO to USB stick (on a machine you believe is clean)
  2. backup data that will be lost in Windows re-install
  3. disconnect WiFi/LAN to make PC offline
  4. disable Secure Boot for time-being
  5. plug-in the USB to the PC and boot to it, by selecting USB in the Boot Menu
  6. reinstall Windows on the System drive (you'll get many online guides for this, and for troubleshooting related issues)
  7. after Windows is fully installed and reaches screen asking to create PIN, remove the USB
  8. connect to WiFi/LAN and update Windows first (this also updates built-in antivirus)
  9. re-enable Secure Boot in BIOS (next time when starting Windows)
  10. download & install your desired 3rd party Antivirus
  11. restore your data you backed up before reinstall
  12. download other required apps from their official websites
  13. add adguard/avira/malwarebytes extensions in your browser
  14. keep a few scanners (EEK/Zemana/MB) in a folder, run scans periodically/when in doubt
  15. setup automatic/manual data and system backup using popular utilities (view this forum homepage)
 

Zecha

Level 2
Thread author
Mar 2, 2020
69
Today I was playing a game and after 2-3 hours I had ping and lag spikes but similar to ping. I dont have these too often.
And pages are loading slow on internet.
I scanned with malwarebytes but did not found anything. I dont see anything on task manager too.
I have to mention that I didnt reinstall windows because I cant make the stick right now :(

And I cant send instantly messages on phone.

Edit: Can someone help me to check what accounts I have created and linked to my Google Account? Because I think I will delete the account and stay for 5-6 months without to see if I still receive emails with code verifications codes and what I get right now.
I checked from my account Linked accounts and I have 0 and what accounts I use to connect to Google and I have only 5. For sure they are not all. I have several.

So what I lose if I delete this account? Access to games on Android Phone, Passwords and what more? I lose accounts that I created with this G Account?

Edit2: Ok so I deleted the Google Account. Now I still have saved the password into my google chrome browser at 3 dots, settings and passwords.
Before deleting the account I did a clean and he did not found anything and after a Reset to my Browser.
So somewhere I have still saved some data if I still have passwords. Im not sure from where they are saved.
Maybe until the G acc will be deteled I will still have those passwords saved. (For few hours/days maybe). But I dont think this is the thing.
 
Last edited:

Zecha

Level 2
Thread author
Mar 2, 2020
69
Doesnt exist a method to detect viruses and malwares?
Because I cant make the USB stick with windows and my PC is not running well.
I have ping in games, pages are loading slow on browser etc.
I scanned with Kaspersky (trial), Bitdefender (paid), Malwarebytes (trial), Avast (Trial) and others and I couldnt find the problem.
My PC is running well sometimes but after some time Is slow without any reason.
And I dont think I have PUP. My PC is harming by something else.
I still received email notification about Code Verification even after deleting my Google Account.
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
@Zecha your Yahoo account you said has been often misused is still active... so you might continue to get code verification mails. Better report to Yahoo (again), and report to the services from which you're getting verification emails, and seek their assistance... as this nuisance has been a long time deal.

Reinstall your Windows without needing a DVD/USB in either ways:
  1. How To Clean Install Windows 10 From ISO File (Without USB/DVD)
  2. How to Reset Your Windows 10 PC
The best way to clean install without DVD/USB is option 1 above. If that is not possible for whatever reason, go for option 2.
This should solve your unexpected Windows performance issues in everyday usage.
 

Zecha

Level 2
Thread author
Mar 2, 2020
69
I tried to Reset my PC few weeks ago but I couldnt.
I forgot what was the issue but I think an error after process was complete or partialy complete and my PC was open without programs but with an error that said my PC couldnt Reset properly or something like that.
Before I tried to Reset my PC I had a problem when I tried to open it. Something about Repair Diagnostic Tool before PC loaded.

Maybe I have a problem with my Hard Disk or SSD and I cant Reset it properly without that error. (I tried to reset it from settings of windows and from that screen when you open PC, both were failed).

And I checked my activity on yahoo emails and I saw 2 IPs but both from my country. I dont think someone was logged into my emails but I still get those emails from Yahoo.
I contacted Yahoo several times but they gave me generic messages or something that is not that useful.

Thanks for reply.
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
Sometimes resetting Windows fails due to varied reasons, a common one being corrupt System image file stored by Windows.
That's why the 1st option from my previous post uses an external (clean) Windows image for recovery. If your Windows is currently working (you can log in), this can be done. Just have a look!
In case that doesn't work out for you, then get a Windows 10 USB prepared from any of your trusted colleague's PC when possible.
You can try disconnecting 3rd party apps access to your Yahoo account. There is a slight possibility that the account is being attempted for a misuse by some entity who has partial access. This is just a speculation among other possibilities.
Have you shared your credentials with anyone you know?
And as I said previously, also try contacting services from whose websites/apps you're receiving login request verifications.
Say you're getting login requests to Twitter using your Yahoo account, contact Twitter support for assistance. They might be able to analyse the pattern and do something on their part or ask you to secure your account for better.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top