Solved Trojan.Tasker.TP Infection

joelCAMEL

New Member
Thread author
Jan 14, 2025
12
Hello:

In December 2024, my PC became infected with a Trojan, in 1 file and 3 registry keys. Malwarebytes removes and quarantines it, but it returns daily. I also cannot visit certain websites because Cloudflare has banned the IP. However, I have a cellphone and another PC on the same router that can visit those websites. If I restart this PC, I am able to visit those websites for a few minutes, then Cloudflare boots me out again. Even visiting this forum, I am unable to get past Cloudflare until I reboot the PC again.

forums.malwarebytes.com​

Verifying you are human. This may take a few seconds.
forums.malwarebytes.com needs to review the security of your connection before proceeding.

Thank you for assisting,
joelCAMEL
 

Attachments

  • FRST.txt
    38.6 KB · Views: 0
  • Addition.txt
    58.5 KB · Views: 0

joelCAMEL

New Member
Thread author
Jan 14, 2025
12
Please disregard the original FRST texts, as I failed to run as Admin. The proper texts are attached here.
 

Attachments

  • FRST.txt
    45.6 KB · Views: 7
  • Addition.txt
    51.9 KB · Views: 4

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
646
Hello..! Welcome to MalwareTips..! :)

Let's start with this.

Uninstalling Adobe Flash Player

Note:
Adobe Flash Player is no longer supported and is a security risk.
  • Download Adobe Flash Player Uninstaller and save it to your Desktop
  • Right click on the icon and select Run as administrator
  • Click Uninstall then Done to reboot your computer
===================================================================
  • Download the Revo Uninstaller (Free Download) and save it on your Desktop.
  • Double click on the exe file created on your Desktop to run the installer, and follow the instructions to install the program.
  • Double click the program's icon to open it.
  • Write in the search area, on the top left, the following program:
Code:
Advanced SystemCare
Avast Update Helper

  • Choose the Uninstall tab from the menu and let the program create a Restore point.
  • Choose Scan, and then the Advanced mode scan.
  • Select all the Online Services items found, Delete and Next.
  • Let the procedure be completed and click on Finish.
  • Restart the computer.

Next ....:

Farbar Recovery Scan Tool - Fix

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.


Please download the attached file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.


In your next reply, please include:
  • Fixlog.txt
 

Attachments

  • fixlist.txt
    6.4 KB · Views: 14

joelCAMEL

New Member
Thread author
Jan 14, 2025
12
Adobe Flash has been uninstalled.
Revo Uninstaller uninstalled Advanced SystemCare.
Avast Update Helper was not found. I know it is listed in the text as being enabled but it was uninstalled several months ago.

Farbar fixlist text: Am I to insert the fixlist to the frst file on line 3 and delete the existing lines, or just insert?
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
646
No..! Simply download the fixlist file and place it where the Farbar tool is..!
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
646
Hello, joelCAMEL..! :) Very good..! (y)

1️⃣

Malwarebytes

Open Malwarebytes you have already installed.
Click the little gear on the top right (Settings) and when it opens, click the General tab. Under the title Windows Security Center, make sure the option is disabled.
Click the Scan and Detections tab and under the Scan options title, enable Scan for rootkits option. Do not change any other option.
Return to the Dashboard and choose Scan.
When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the two last steps below.
If threats are found, make sure that all threats are selected, and click on Quarantine/Remove selected.
  • You may need to restart the computer.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

2️⃣

Malwarebytes AdwCleaner
  • Please download AdwCleaner and save it to your Desktop
  • Close all open programs and browsers
  • Right click on the icon and select Run as administrator
  • Click Scan now
  • Uncheck any detected items you would like to keep, then click Next
  • If a "Preinstalled software was found!" screen appears, review it if you'd like, then click OK
The section at the bottom under Pre-Installed Software is software that was apparently installed when the device was new by your PC manufacturer. Personally, I don't keep anything from this software that I don't use/need. But it's your computer, so the decision is yours.
  • Review the list of Preinstalled software and place a check mark in those you do not wish to keep
  • Click Quarantine, then Continue
  • When completed click View Log File
  • Copy and paste the contents in your reply
  • Close the AdwCleaner window

In your next reply, please post:
  • The Malwarebytes report
  • AdwCleaner report
 

joelCAMEL

New Member
Thread author
Jan 14, 2025
12
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/18/2025
Scan Time: 12:48 PM
Log File: 8b60d9d6-d5dd-11ef-bc5b-309c2323e2a4.json

-Software Information-
Version: 5.2.4.157
Components Version: 1.0.5116
Update Package Version: 1.0.94646
License: Free

-System Information-
OS: Windows 10 (Build 18363.1556)
CPU: x64
File System: NTFS
User: DESKTOP-J2J3S28\User

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Cancelled
Objects Scanned: 172868
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 43 min, 33 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
File system: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 3
Trojan.Tasker.TP, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Google_Maintenance_Worker, Quarantined, 7324, 1273521, 1.0.94646, , ame, , ,
Trojan.Tasker.TP, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{AD4734E6-0005-4514-8777-BBADB8FE8B07}, Quarantined, 7324, 1273521, 1.0.94646, , ame, , ,
Trojan.Tasker.TP, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{AD4734E6-0005-4514-8777-BBADB8FE8B07}, Quarantined, 7324, 1273521, 1.0.94646, , ame, , ,

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Trojan.Tasker.TP, C:\WINDOWS\SYSTEM32\TASKS\Google_Maintenance_Worker, Quarantined, 7324, 1273521, 1.0.94646, , ame, , D3DD0469388B6D933156BC51CE449AE8, 1B694E8D8209D4070CED4B814D6F4E2909A33C68725ACBEAA1D61C4B80324502

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)



# -------------------------------
# Malwarebytes AdwCleaner 8.4.2.0
# -------------------------------
# Build: 03-04-2024
# Database: 2024-10-23.4 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 01-18-2025
# Duration: 00:00:01
# OS: Windows 10 (Build 18363.1556)
# Cleaned: 30
# Failed: 0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted C:\ProgramData\Application Data\Lavasoft\Web Companion
Deleted C:\ProgramData\Lavasoft\Web Companion
Deleted C:\ProgramData\SecuritySuite
Deleted C:\Users\User\AppData\Roaming\Tencent
Deleted C:\Users\User\Documents\TotalAV
Deleted C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare
Deleted C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\TotalAV

***** [ Files ] *****

Deleted C:\END
Deleted C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\lbhfh77v.default-release\invalidprefs.js

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted HKCU\Software\Lavasoft\Web Companion
Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
Deleted HKCU\Software\SSProtect
Deleted HKLM\SOFTWARE\CLASSES\DIRECTORY\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
Deleted HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
Deleted HKLM\SOFTWARE\CLASSES\LNKFILE\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
Deleted HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Advanced SystemCare
Deleted HKLM\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\Advanced SystemCare
Deleted HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.totalav.passwordvaultassistant
Deleted HKLM\SOFTWARE\Microsoft\Edge\NativeMessagingHosts\com.totalav.passwordvaultassistant
Deleted HKLM\SOFTWARE\Mozilla\NativeMessagingHosts\com.totalav.passwordvaultassistant
Deleted HKLM\Software\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}
Deleted HKLM\Software\Classes\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}
Deleted HKLM\Software\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}
Deleted HKLM\Software\Classes\totalav
Deleted HKLM\Software\Wow6432Node\IOBIT\ASC
Deleted HKLM\Software\Wow6432Node\IObit\Advanced SystemCare
Deleted HKLM\Software\Wow6432Node\IObit\RealTimeProtector
Deleted HKLM\Software\Wow6432Node\\Classes\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}
Deleted HKLM\Software\Wow6432Node\\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}
Deleted HKLM\System\CurrentControlSet\Services\EventLog\Application\SecurityService

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [1542 octets] - [22/11/2021 00:30:52]
AdwCleaner[C00].txt - [1674 octets] - [22/11/2021 00:31:04]
AdwCleaner[S01].txt - [1528 octets] - [22/11/2021 00:32:09]
AdwCleaner[C01].txt - [1718 octets] - [22/11/2021 00:32:24]
AdwCleaner[S02].txt - [1650 octets] - [22/11/2021 00:36:31]
AdwCleaner[S03].txt - [1711 octets] - [22/11/2021 18:58:34]
AdwCleaner[C03].txt - [1901 octets] - [22/11/2021 18:58:47]
AdwCleaner[S04].txt - [4631 octets] - [18/01/2025 13:47:20]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C04].txt ##########
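
The one file and three registry keys in the Malwarebytes report above are the on-disk and registry footprint of a single Windows scheduled task (the task file under System32\Tasks plus its TaskCache Tree, Tasks and Logon entries). The following is an added example, not part of the original thread and not Malwarebytes code: it parses the detection lines and groups them by task name, GUID and trigger. The comma-separated field layout is assumed from this report, and grouping by detection name is an assumption, since the log does not show the registry value that links the task name to its GUID.

```python
import re
from collections import defaultdict

# Detection lines copied from the Malwarebytes report in the post above.
REPORT = r"""
Registry Key: 3
Trojan.Tasker.TP, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Google_Maintenance_Worker, Quarantined, 7324, 1273521, 1.0.94646, , ame, , ,
Trojan.Tasker.TP, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{AD4734E6-0005-4514-8777-BBADB8FE8B07}, Quarantined, 7324, 1273521, 1.0.94646, , ame, , ,
Trojan.Tasker.TP, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{AD4734E6-0005-4514-8777-BBADB8FE8B07}, Quarantined, 7324, 1273521, 1.0.94646, , ame, , ,
File: 1
Trojan.Tasker.TP, C:\WINDOWS\SYSTEM32\TASKS\Google_Maintenance_Worker, Quarantined, 7324, 1273521, 1.0.94646, , ame, , D3DD0469388B6D933156BC51CE449AE8, 1B694E8D8209D4070CED4B814D6F4E2909A33C68725ACBEAA1D61C4B80324502
"""

GUID = r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"
HASH = re.compile(r"[0-9A-Fa-f]{32}|[0-9A-Fa-f]{64}")  # MD5- or SHA-256-length hex

# Where a scheduled task leaves traces: name index, definition, trigger index, task file.
PATTERNS = [
    ("tree", re.compile(r"\\SCHEDULE\\TASKCACHE\\TREE\\(?P<name>.+)$", re.I)),
    ("tasks", re.compile(r"\\SCHEDULE\\TASKCACHE\\TASKS\\(?P<guid>%s)$" % GUID, re.I)),
    ("trigger", re.compile(
        r"\\SCHEDULE\\TASKCACHE\\(?P<trigger>BOOT|LOGON|PLAIN|MAINTENANCE)\\(?P<guid>%s)$" % GUID,
        re.I)),
    ("file", re.compile(r"\\SYSTEM32\\TASKS\\(?P<name>.+)$", re.I)),
]


def parse_detections(text):
    """Return one dict per detection line; header and summary lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        # A detection line has at least threat, path, action; the path is a hive or drive path.
        if len(parts) < 3 or not re.match(r"(HK[A-Z]+|[A-Z]:)\\", parts[1], re.I):
            continue
        rec = {"threat": parts[0], "path": parts[1], "action": parts[2],
               "hashes": [p for p in parts[3:] if HASH.fullmatch(p)], "kind": "other"}
        for kind, rx in PATTERNS:
            m = rx.search(rec["path"])
            if m:
                rec.update(kind=kind, **m.groupdict())
                break
        out.append(rec)
    return out


def summarize(detections):
    """Group detections per threat name and report whether a whole task footprint was caught."""
    groups = defaultdict(lambda: {"names": set(), "guids": set(),
                                  "triggers": set(), "kinds": set()})
    for d in detections:
        g = groups[d["threat"]]
        g["kinds"].add(d["kind"])
        if "name" in d:
            g["names"].add(d["name"])
        if "guid" in d:
            g["guids"].add(d["guid"].upper())
        if "trigger" in d:
            g["triggers"].add(d["trigger"].upper())
    for g in groups.values():
        # Task file + Tree entry + Tasks entry together describe one registered task.
        g["whole_task"] = {"tree", "tasks", "file"} <= g["kinds"]
    return dict(groups)


if __name__ == "__main__":
    for threat, info in summarize(parse_detections(REPORT)).items():
        print(threat, info)
```
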
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
646
Hello, joelCAMEL..! :) Excellent work..! :)

We continue...:

Fresh FRST logs

Please run FRST tool once more, and attach for me fresh logs:
  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach these two logs in your next reply.
In your next reply, please post:
  • Fresh FRST logs
 

joelCAMEL

New Member
Thread author
Jan 14, 2025
12
Hello icotonev:

Websites previously banned by Cloudflare are open to me without incident now.
Fresh FRST logs attached
 

Attachments

  • FRST.txt
    42.4 KB · Views: 4
  • Addition.txt
    48 KB · Views: 4

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
646
Notifications from Chrome:

Did you intentionally have Chrome getting notifications from the following sites?

 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
646
Farbar Recovery Scan Tool SearchAll

  • Right click on FRST and select Run as administrator
  • Copy/paste the following in the Search: box
Code:
SearchAll: Avast Update Helper

  • Click Search Files
  • When completed click OK and a Search.txt document will open on your desktop
  • Zip and upload the file here
 

joelCAMEL

New Member
Thread author
Jan 14, 2025
12
Just now, I have attempted to stop Chrome from getting notifications.

FRST run as administrator and searching for: SearchAll: Avast Update Helper
 

Attachments

  • Search.txt
    806 bytes · Views: 2

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
646
Just now, I have attempted to stop Chrome from getting notifications.

Deleting Chrome Notifications
  • Launch Chrome
  • Type chrome://settings/content/notifications and hit Enter
  • Scroll down to Allowed to send notifications
  • For any entry you are not familiar with or do not want click on the 3 horizontal dots to the right and select Remove

 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
646
Farbar Recovery Scan Tool - Fix

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Please download the attached file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.

In your next reply, please include:
  • Fixlog.txt
 

Attachments

  • fixlist.txt
    1 KB · Views: 1

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
646
Hello, joelCAMEL..! :) Great..! The system looks clean..! :) However, I would like to do more checks to make sure everything is fine..! Are you observing any problems with your computer..?

ESET Online Scan - ESET Online Scanner will take some time, so be prepared.

ESET Online Scanner
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply
 

joelCAMEL

New Member
Thread author
Jan 14, 2025
12
PC is working fine:

Eset txt:

1/20/2025 14:13:19 PM
Scanned files: 628165
Detected files: 2
Cleaned files: 0
Total scan time 02:04:23
Scan status: Finished
D:\Documents and Settings\All Users\Application Data\VistaCodecs\{A9DF2DCA-9A5C-49FD-8FEC-91DC0CD1072D}\Vista Codec Package.msi a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application unable to clean

D:\Documents and Settings\User\Application Data\Baidu\BaiduBrowser\plugin\extends\{6621B6C5-7C33-48AB-B124-735D58A68A10}\1.0.0.65_new\bdzc_Setup.dll a variant of Win32/Baidu.O potentially unwanted application unable to clean
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
646
PC is working fine:

Great...! :)

Try deleting these two files manually:

D:\Documents and Settings\All Users\Application Data\VistaCodecs\{A9DF2DCA-9A5C-49FD-8FEC-91DC0CD1072D}\Vista Codec Package.msi a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application unable to clean
D:\Documents and Settings\User\Application Data\Baidu\BaiduBrowser\plugin\extends\{6621B6C5-7C33-48AB-B124-735D58A68A10}\1.0.0.65_new\bdzc_Setup.dll a variant of Win32/Baidu.O potentially unwanted application unable to clean

If you can't...:

Malwarebytes

Open Malwarebytes you have already installed.
Click the little gear on the top right (Settings) and when it opens, click the General tab. Under the title Windows Security Center, make sure the option is disabled.
Click the Scan and Detections tab and under the Scan options title, enable Scan for rootkits option. Mark Drive C and Drive D. Take a full scan.
Return to the Dashboard and choose Scan.
When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the two last steps below.
If threats are found, make sure that all threats are selected, and click on Quarantine/Remove selected.
  • You may need to restart the computer.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.
 

joelCAMEL

New Member
Thread author
Jan 14, 2025
12
Hello icotonev:

I was able to delete Baidu but could not locate VistaCodecs. Drive D is the contents of my old hard drive from 2016. I was supposed to save any needed files, then delete the remaining files. I will do that very soon.

Malwarebytes report is listed below:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/21/2025
Scan Time: 3:17 PM
Log File: debc9094-d84d-11ef-952a-309c2323e2a4.json

-Software Information-
Version: 5.2.4.157
Components Version: 1.0.5116
Update Package Version: 1.0.94794
License: Free

-System Information-
OS: Windows 10 (Build 18363.1556)
CPU: x64
File System: NTFS
User: DESKTOP-J2J3S28\User

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 320513
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 52 min, 42 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
File system: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)
 
