

KevinTheGerbil

4 posts

Wannabe Geek
+1 received by user: 1


#311781 14-Feb-2024 14:42

Hi All

 

I'm new to the forums and am looking for some help.

 

My son came home from Uni for the holidays and used my PC to play Steam games.  I now find I have Windows Security saying that my PC is infected with a trojan called PWS:Win32/OnLineGames.L!dll.  I have tried all of the online instructions on how to get rid of this item but it keeps coming back once the PC restarts.

 

I would really appreciate some help with this...😬

 

Cheers Kevin


systemd
32 posts

Geek
+1 received by user: 22

Trusted

  #3195221 14-Feb-2024 17:33

Sounds like something could be running on logon - are you able to check the startup items from task manager and see if anything stands out?

 

Also, I assume you have attempted to remove all traces of the games from the computer?




xpd

xpd
Geek of Coastguard
14116 posts

Uber Geek
+1 received by user: 4579

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #3195223 14-Feb-2024 17:55

Malwarebytes Antimalware should help.

 

https://www.malwarebytes.com/mwb-download

 

 





XPD / Gavin

 

LinkTree

 

 

 


xpd

xpd
Geek of Coastguard
14116 posts

Uber Geek
+1 received by user: 4579

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #3195224 14-Feb-2024 17:56

Also if comfortable with regedit, check here : 

 

  • [HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run]

 





XPD / Gavin

 

LinkTree

 

 

 




gzt

gzt
18684 posts

Uber Geek
+1 received by user: 7826

Lifetime subscriber

  #3195227 14-Feb-2024 18:04

Tried the Windows Defender offline scan already?

KevinTheGerbil

4 posts

Wannabe Geek
+1 received by user: 1


  #3195234 14-Feb-2024 18:29

Hi All

 

Thanks for the replies.  I have tried MalwareBytes, the Windows Defender low-level tool and checked the Registry and there doesn't seem to be anything untoward.

 

The Windows Defender message implies that files in my day-to-day programs have been infected (see picture attached).  Thoughts appreciated...

 

Cheers Kevin

 


KevinTheGerbil

4 posts

Wannabe Geek
+1 received by user: 1


  #3195241 14-Feb-2024 18:35

REGEDIT information as below.  I'm not too sure what the entries refer to:

 

 

Cheers Kevin


 
 
 
 

Azzura
609 posts

Ultimate Geek
+1 received by user: 224

ID Verified

  #3195296 14-Feb-2024 19:06

Maybe this is old-fashioned....I'd be using a virus scan boot disk/USB stick....or don't people use those anymore? If that didn't work...format, reinstall....delete the partition and install from there.


cddt
1970 posts

Uber Geek
+1 received by user: 1904


  #3195317 14-Feb-2024 21:21

If an anti-virus software can't help you, and you've tried a couple, then you're unlikely to be able to remove it yourself. That leaves only the option of a reimage - suggest you go ahead with this, while changing passwords. 


Rickles
3108 posts

Uber Geek
+1 received by user: 445

Trusted

  #3196063 16-Feb-2024 08:00

FWIW, I've encountered a similar problem, ironically with a well-known anti-virus brand.

 

I've always tended to find this process works well -

 

    Run Revo Uninstaller on the program itself ... Revo has a feature whereby it searches for Registry entries too

 

    Then run MalwareBytes,

 

    Then search C: drive using unique terms for the offending program, e.g. "OnLineGames", and delete all found instances

 

    For those instances where it's reported that a file cannot be deleted, I use LockHunter to delete them

 

Only after all the above do I reboot the machine.

 

    


bagheera
544 posts

Ultimate Geek
+1 received by user: 189


  #3196109 16-Feb-2024 09:49

In the past, I have had some very old-school files that date back to MS-DOS days reload a virus for me.

 

 

 

Have a look at this, it covers everything

 

 

 

https://superuser.com/questions/1413524/how-do-anti-virus-programs-start-at-windows-boot


cddt
1970 posts

Uber Geek
+1 received by user: 1904


  #3196202 16-Feb-2024 12:01

You guys are scaring me with these suggestions. 

 

 

 

If I had a known password stealer on my PC, which was unable to be removed by Windows Defender or Malwarebytes, I wouldn't do anything short of a reinstall. If you persevere in trying to remove it yourself, there is a significant risk that you either won't be able to do it or there is other malware you're not aware of. 


 
 
 
 

freitasm
BDFL - Memuneh
80654 posts

Uber Geek
+1 received by user: 41050

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3196254 16-Feb-2024 12:14

cddt:

 

If I had a known password stealer on my PC, which was unable to be removed by Windows Defender or Malwarebytes, I wouldn't do anything short of a reinstall. If you persevere in trying to remove it yourself, there is a significant risk that you either won't be able to do it or there is other malware you're not aware of. 

 

 

This. QFT.

 

This PC is compromised and nothing you do short of a reinstall will save it - and in some cases not even that.

 

Nuke the install. If it's Windows 10 or Windows 11 use the Refresh option.

 

If it still reports the virus after a fresh install, do an offline install from a Read Only media.






 


ratsun81
516 posts

Ultimate Geek
+1 received by user: 183


  #3196270 16-Feb-2024 12:39

freitasm:

 

cddt:

 

If I had a known password stealer on my PC, which was unable to be removed by Windows Defender or Malwarebytes, I wouldn't do anything short of a reinstall. If you persevere in trying to remove it yourself, there is a significant risk that you either won't be able to do it or there is other malware you're not aware of. 

 

 

This. QFT.

 

This PC is compromised and nothing you do short of a reinstall will save it - and in some cases not even that.

 

Nuke the install. If it's Windows 10 or Windows 11 use the Refresh option.

 

If it still reports the virus after a fresh install, do an offline install from a Read Only media.

 

 

I might even consider doing a proper disk wipe, not just the typical File Allocation Table format that Windows does. 


KevinTheGerbil

4 posts

Wannabe Geek
+1 received by user: 1


  #3197017 18-Feb-2024 13:08

Hi All

 

Thanks for all of your suggestions.  I tried them all but eventually ended up doing a RESET on Windows 11 (not a Refresh, which only works on the screen).  Trojan is gone now but it has taken me a day to get all of my software reinstalled.

 

Cheers Kevin


freitasm
BDFL - Memuneh
80654 posts

Uber Geek
+1 received by user: 41050

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3197018 18-Feb-2024 13:10

Good job.



