Hi, Graemio.
Welcome to TSG Forums.
I will be assisting you regarding your computer's issues. Here, we will check your computer for malware.
Please, adhere to the guidelines below, and then carefully follow, with the same order, all the instructions after:
1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!
2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.
3. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.
4. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.
5. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post.
Please, be patient, while I analyze your logs.
=====================
My first comments/instructions, regarding your logs:
1. Hard Disk
There are signs that the disk has bad blocks. We are going to check that, but I recommend you, before you proceed to my instructions below, to backup your personal files, just in case.
2. P2P program
You have μtorrent installed in your computer. This is a P2P program. P2P programs form a direct conduit onto a computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. If you don't uninstall it, your computer will probably get infected again, as soon as you use it again. But it is your computer and of course your decision.
- If you decide to keep it, DON'T use it during the cleaning procedure.
- If you decide to uninstall it:
- Press the Windows Key + R.
- Type appwiz.cpl in the Run box and click OK.
- The Add/Remove Programs list will open. Locate the following program on the list:
- Select the above program and click Uninstall.
- Restart the computer.
3. FRST fix
Please do the following to run a FRST fix.
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
- Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
HKLM\...\StartupApproved\Run32: => "YixSpeedup"
FirewallRules: [UDP Query User{6CFB706B-5038-4A4B-A200-39557700FF7F}C:\games\pyre\x64\pyre.exe] => (Allow) C:\games\pyre\x64\pyre.exe => No File
FirewallRules: [TCP Query User{879F469D-6F73-4E08-B681-AF7184DE0911}C:\games\pyre\x64\pyre.exe] => (Allow) C:\games\pyre\x64\pyre.exe => No File
FirewallRules: [{4570A8A5-30E0-435B-82E0-F8C394BB0D0C}] => (Block) %SystemDrive%\GOG Games\Grim Dawn\Grim Dawn.exe => No File
FirewallRules: [UDP Query User{09D84702-8E4A-4F8E-8170-461893A00504}C:\program files (x86)\wizards of the coast\mtga\mtga.exe] => (Allow) C:\program files (x86)\wizards of the coast\mtga\mtga.exe => No File
FirewallRules: [TCP Query User{8A31653B-3E77-420C-A5F0-7971F1CF7EF5}C:\program files (x86)\wizards of the coast\mtga\mtga.exe] => (Allow) C:\program files (x86)\wizards of the coast\mtga\mtga.exe => No File
FirewallRules: [{E280166D-C0EA-4A27-9816-2134E62F8736}] => (Allow) C:\Program Files (x86)\Nox\bin\Nox.exe => No File
FirewallRules: [{22C69F4C-7389-4A25-8FEF-6C9C9AAE2CA2}] => (Allow) C:\Program Files (x86)\Bignox\BigNoxVM\RT\NoxVMHandle.exe => No File
FirewallRules: [TCP Query User{3A82864B-A477-46E4-8D51-1FF2ADB26C85}C:\games\divinity original sin 2 definitive edition\defed\bin\eocapp.exe] => (Allow) C:\games\divinity original sin 2 definitive edition\defed\bin\eocapp.exe => No File
FirewallRules: [UDP Query User{323C8988-0746-4BB8-A436-9094E34607FF}C:\games\divinity original sin 2 definitive edition\defed\bin\eocapp.exe] => (Allow) C:\games\divinity original sin 2 definitive edition\defed\bin\eocapp.exe => No File
FirewallRules: [{DE68BD01-5292-4172-A5D8-80676845689A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe => No File
FirewallRules: [{AAE38634-7BDB-43E3-91DE-2A74EFF87539}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe => No File
FirewallRules: [{54BEA67B-D0BF-4063-BE2F-CCF7C3C4E5C9}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Lone Survivor\LoneSurvivor\LoneSurvivor.exe => No File
FirewallRules: [{54096F67-FDBA-4473-A9A4-A2D9BF62AD72}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Lone Survivor\LoneSurvivor\LoneSurvivor.exe => No File
FirewallRules: [TCP Query User{B8C701F1-CC29-44A9-92DC-44C11A14D99A}C:\program files (x86)\heroes of the storm\versions\base80333\heroesofthestorm_x64.exe] => (Allow) C:\program files (x86)\heroes of the storm\versions\base80333\heroesofthestorm_x64.exe => No File
FirewallRules: [UDP Query User{2AB77D22-C7FA-45D0-B42C-0714A780EE5A}C:\program files (x86)\heroes of the storm\versions\base80333\heroesofthestorm_x64.exe] => (Allow) C:\program files (x86)\heroes of the storm\versions\base80333\heroesofthestorm_x64.exe => No File
FirewallRules: [TCP Query User{FF2F9E53-3192-4608-91D9-FA49946E3F38}C:\program files (x86)\diablo iii\x64\diablo iii64.exe] => (Allow) C:\program files (x86)\diablo iii\x64\diablo iii64.exe => No File
FirewallRules: [UDP Query User{629C66F9-09F4-41EB-A644-86ECA8B0FE2E}C:\program files (x86)\diablo iii\x64\diablo iii64.exe] => (Allow) C:\program files (x86)\diablo iii\x64\diablo iii64.exe => No File
FirewallRules: [TCP Query User{01728578-334E-4119-9EC0-B8B939963B5A}C:\program files (x86)\pokemon showdown\pokemonshowdown.exe] => (Allow) C:\program files (x86)\pokemon showdown\pokemonshowdown.exe => No File
FirewallRules: [UDP Query User{8AE32D7A-1A47-4264-A22F-40F6D3A83726}C:\program files (x86)\pokemon showdown\pokemonshowdown.exe] => (Allow) C:\program files (x86)\pokemon showdown\pokemonshowdown.exe => No File
FirewallRules: [TCP Query User{F4998C5C-7713-4F49-9D0C-C780AD3F66B4}C:\gog games\baldurs gate 3\bin\bg3.exe] => (Block) C:\gog games\baldurs gate 3\bin\bg3.exe => No File
FirewallRules: [UDP Query User{39FA5421-AFA6-4086-9F3F-D62FB7A0FB30}C:\gog games\baldurs gate 3\bin\bg3.exe] => (Block) C:\gog games\baldurs gate 3\bin\bg3.exe => No File
FirewallRules: [TCP Query User{44EFCED5-5DB1-4291-B8B9-F58C22C443E7}C:\gog games\baldurs gate 3\bin\bg3_dx11.exe] => (Allow) C:\gog games\baldurs gate 3\bin\bg3_dx11.exe => No File
FirewallRules: [UDP Query User{6D5CF9F9-6A8B-4611-A53A-70EB767FB5F6}C:\gog games\baldurs gate 3\bin\bg3_dx11.exe] => (Allow) C:\gog games\baldurs gate 3\bin\bg3_dx11.exe => No File
FirewallRules: [TCP Query User{BA3E343B-7A48-401E-8BBC-909C452C28DF}C:\gog games\divinity - original sin 2\defed\bin\eocapp.exe] => (Allow) C:\gog games\divinity - original sin 2\defed\bin\eocapp.exe => No File
FirewallRules: [UDP Query User{A58AC757-5DA9-48E2-A171-2143FC9805F6}C:\gog games\divinity - original sin 2\defed\bin\eocapp.exe] => (Allow) C:\gog games\divinity - original sin 2\defed\bin\eocapp.exe => No File
FirewallRules: [TCP Query User{63A42D03-FB22-450F-AD19-AF1353C2339E}C:\gog games\the dungeon of naheulbeuk - the amulet of chaos\naheulbeuk.exe] => (Allow) C:\gog games\the dungeon of naheulbeuk - the amulet of chaos\naheulbeuk.exe => No File
FirewallRules: [UDP Query User{E1BEE190-B32C-4D60-9C78-273865FDB114}C:\gog games\the dungeon of naheulbeuk - the amulet of chaos\naheulbeuk.exe] => (Allow) C:\gog games\the dungeon of naheulbeuk - the amulet of chaos\naheulbeuk.exe => No File
FirewallRules: [TCP Query User{632FEB9A-13BE-4B73-BC74-2EF5A3D020A3}C:\games\pathfinder kingmaker definitive edition\kingmaker.exe] => (Block) C:\games\pathfinder kingmaker definitive edition\kingmaker.exe => No File
FirewallRules: [UDP Query User{761B0713-D8F4-4597-8823-69C8F3B3B902}C:\games\pathfinder kingmaker definitive edition\kingmaker.exe] => (Block) C:\games\pathfinder kingmaker definitive edition\kingmaker.exe => No File
FirewallRules: [{E372E003-14D9-4126-9C95-F12252A0F4DA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\TreeOfSavior\release\patch\tos.exe => No File
FirewallRules: [{D0D9C276-1C57-4235-ACBF-4692D20F4EEA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\TreeOfSavior\release\patch\tos.exe => No File
FirewallRules: [TCP Query User{00E3F09E-9BFF-4B99-8560-EBE94CC9AC5F}C:\program files (x86)\steam\steamapps\common\divinity original sin 2\defed\bin\eocapp.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\divinity original sin 2\defed\bin\eocapp.exe => No File
FirewallRules: [UDP Query User{910C5D6F-36C6-44D8-8E09-F823A8E16406}C:\program files (x86)\steam\steamapps\common\divinity original sin 2\defed\bin\eocapp.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\divinity original sin 2\defed\bin\eocapp.exe => No File
FirewallRules: [{45B3319B-212C-4ED6-90A7-A1CE13E0B1E4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Troubleshooter\Release\bin\ProtoLion.exe => No File
FirewallRules: [{647EF5B0-3C0B-4455-BA12-A7F5323C9BAF}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Troubleshooter\Release\bin\ProtoLion.exe => No File
FirewallRules: [TCP Query User{FFCFFCD3-078F-47B8-9846-1A9A445D2371}C:\program files (x86)\steam\steamapps\common\ruiner\ruiner\binaries\win64\ruiner-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\ruiner\ruiner\binaries\win64\ruiner-win64-shipping.exe => No File
FirewallRules: [UDP Query User{B7EB1A6B-CD91-4AA2-85D0-16C1EAB1A493}C:\program files (x86)\steam\steamapps\common\ruiner\ruiner\binaries\win64\ruiner-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\ruiner\ruiner\binaries\win64\ruiner-win64-shipping.exe => No File
FirewallRules: [TCP Query User{A17DFF11-778C-4C1B-8AB0-B75B751B7FFC}C:\program files (x86)\overwatch\_retail_\overwatch.exe] => (Allow) C:\program files (x86)\overwatch\_retail_\overwatch.exe => No File
FirewallRules: [UDP Query User{ADFAF234-BEA5-42B1-911E-B57B1A4FF0B7}C:\program files (x86)\overwatch\_retail_\overwatch.exe] => (Allow) C:\program files (x86)\overwatch\_retail_\overwatch.exe => No File
FirewallRules: [TCP Query User{705A7E68-491B-4A25-BAB8-7629D25B0317}C:\users\gamed\appdata\local\crossout\launcher.exe] => (Allow) C:\users\gamed\appdata\local\crossout\launcher.exe => No File
FirewallRules: [UDP Query User{283B1647-DD79-4D83-9B7E-A7FA1C97CC55}C:\users\gamed\appdata\local\crossout\launcher.exe] => (Allow) C:\users\gamed\appdata\local\crossout\launcher.exe => No File
FirewallRules: [{680C6ED8-18F8-4DD8-A246-435889BE360B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Grim Dawn\x64\Grim Dawn.exe => No File
FirewallRules: [{0D937B7D-EA48-4AA3-8538-2B390DD01C4B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Grim Dawn\x64\Grim Dawn.exe => No File
FirewallRules: [TCP Query User{2E2EE5FD-E1A8-4D8E-9481-282D7138B325}C:\program files (x86)\steam\steamapps\common\phantasystaronline2_na_steam\pso2_bin\pso2.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\phantasystaronline2_na_steam\pso2_bin\pso2.exe => No File
FirewallRules: [UDP Query User{AEBAAF70-C6AA-4398-B123-C4B7BCBE2A85}C:\program files (x86)\steam\steamapps\common\phantasystaronline2_na_steam\pso2_bin\pso2.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\phantasystaronline2_na_steam\pso2_bin\pso2.exe => No File
FirewallRules: [{672D01BE-EA1D-4776-9103-01CE0C9AE98A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Albion Online\launcher\AlbionLauncher.exe => No File
FirewallRules: [{593BD64E-7274-4237-AA0F-26CD3C1E61D4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Albion Online\launcher\AlbionLauncher.exe => No File
FirewallRules: [{FE45794A-D370-40FA-ACCE-7F7BC2951808}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Don't Starve Together\bin\dontstarve_steam.exe => No File
FirewallRules: [{C21FC38B-EBAD-4858-95CC-CACCA940FCEB}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Don't Starve Together\bin\dontstarve_steam.exe => No File
FirewallRules: [{77D55C76-DB72-4E94-B32E-F736157E4EA7}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dont_starve\bin\dontstarve_steam.exe => No File
FirewallRules: [{277CC9B9-199F-41CA-A4B9-EFD1F506DCC4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dont_starve\bin\dontstarve_steam.exe => No File
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
Task: {0A4F64DC-B6C3-4C75-BFD3-F76BD7FC240F} - System32\Tasks\{5E9C47D5-C2A3-4B5B-9646-23F9F5362F1A} => C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\MTGAInstaller_1.0.64.exe -> /i "C:\Users\gamed\AppData\Local\Temp\MTGAinstall\MTGAInstaller.msi" AI_SETUPEXEPATH="C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\MTGAInstaller_1.0.64.exe" SETUPEXEDIR="C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\" ADDLOCAL=MainFeature,B35B3203FEB4CFFA576A27CB835D3E6 ALLUSERS="1" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_PREREQFILES="C:\Users\gamed\AppData\Roaming\Wizards of the Coast\MTGA Launcher\prerequisites\Visual C++ Redistributable for Visual Studio 2015-2019\VC_redist.x86.exe" AI_PREREQDIRS="C:\Users\gamed\AppData\Roaming" AI_MISSING_PREREQS="Visual C++ Redistributable for Visual Studio 2017 x86" AI_SETUPEXEPATH="C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\MTGAInstaller_1.0.64.exe" SETUPEXEDIR="C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\" AI_INSTALL="1" BIPROCESSTIME="2020-05-22T18:12:12.0266712Z" TARGETLOCKED="TRUE" TARGETDIR="C:\" APPDIR="C:\Program Files (x86)\Wizards of the Coast\MTGA\" AI_SETUPEXEPATH_ORIGINAL="C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\MTGAInstaller_1.0.64.exe"
Task: C:\WINDOWS\Tasks\{5E9C47D5-C2A3-4B5B-9646-23F9F5362F1A}.job => C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\MTGAInstaller_1.0.64.exeѳ/i C:\Users\gamed\AppData\Local\Temp\MTGAinstall\MTGAInstaller.msi AI_SETUPEXEPATH=C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\MTGAInstaller_1.0.64.exe SETUPEXEDIR=C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\ ADDLOCAL=MainFeature,B35B3203FEB4CFFA576A27CB835D3E6 ALLUSERS=1 PRIMARYFOLDER=APPDIR ROOTDRIVE=C:\ AI_PREREQFILES=C:\Users\gamed\AppData\Roaming\Wizards of the Coast\MTGA Launcher\prerequisites\Visual C++ Redistributable for Visual Studio 2015-2019\VC_redist.x86.exe AI_PREREQDIRS=C:\Users\gamed\AppData\Roaming AI_MISSING_PREREQS=Visual C++ Redistributable for Visual Studio 2017 x86 AI_SETUPEXEPATH=C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\MTGAInstaller_1.0.64.exe SETUPEXEDIR=C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\ AI_INSTALL=1 BIPROCESSTIME=2020-05-22T18:12:12.0266712Z TARGETLOCKED=TRUE TARGETDIR=C:\ APPDIR=C:\Program Files (x86)\Wizards of the Coast\MTGA\ AI_SETUPEXEPATH_ORIGINAL=C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\MTGAInstaller_1.0.64.exe <==== ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [aegnopegbbhjeeiganiajffnalhlkkjb]
CHR HKLM-x32\...\Chrome\Extension: [mfhcmdonhekjhfbjmeacdjbhlfgpjabp]
S2 BridleBuddlesService; C:\Program Files (x86)\BridleBuddles\BridleBuddlesService.exe -service [X]
EmptyTemp:
End::
- Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
- Press the Fix button once and wait.
- FRST will process fixlist.txt
- When finished, it will produce a log fixlog.txt on your Desktop.
- Please post the log in your next reply.
4. AdwCleaner (Scan mode)
Download AdwCleaner and save it to your desktop.
- Double click AdwCleaner.exe to run it.
- Click Scan Now.
- When the scan has finished, a Scan Results window will open.
- Click Cancel (at this point do not attempt to Quarantine anything that is found)
- Now click the Log Files tab.
- Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
- A Notepad file will open containing the results of the scan.
- Please post the contents of the file in your next reply.
5. Malwarebytes (Scan mode)
- Open Malwarebytes you have already installed in your computer.
- Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
Code:
Under the title Scan Options, all the options are checked.
Under the title Windows Security Center (Premium only) the option is NOT checked.
Under the title Potentially unwanted items all options are set to Always.
- Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
- When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the last two steps below.
If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
- Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
- Find the report with the most recent date and double click on it.
- Click on Export and then Copy to Clipboard.
- Paste its content here, in your next reply.
In your next reply, please post:
- The fixlog.txt
- The AdwCleaner[S0*].txt
- The Malwarebytes report
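For anyone reviewing a fix like the one in the post before running it, the following is an added example (not FRST's own code and not part of the helper's instructions): a small Python parser for the Start::/End:: fixlist format. It tags each entry with the marker FRST itself put on the line ("No File", "[X]", "<==== ATTENTION") and lists the entries that carry no such marker, which are the ones a reviewer has to justify one by one before pressing Fix. The line patterns are inferred from the lines shown above, not from FRST documentation, and the sample fixlist is a constructed, shortened version whose individual lines are copied from the post's fix.

```python
"""Triage helper for an FRST fixlist (the Start::/End:: block shown in the post).

Added example, not FRST's own code. The regular expressions below are inferred
from the lines visible in the post, not taken from FRST documentation.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed, shortened fixlist; each line is copied from the post's fix.
SAMPLE_FIXLIST = r"""Start::
CreateRestorePoint:
CloseProcesses:
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
HKLM\...\StartupApproved\Run32: => "YixSpeedup"
FirewallRules: [UDP Query User{6CFB706B-5038-4A4B-A200-39557700FF7F}C:\games\pyre\x64\pyre.exe] => (Allow) C:\games\pyre\x64\pyre.exe => No File
FirewallRules: [{4570A8A5-30E0-435B-82E0-F8C394BB0D0C}] => (Block) %SystemDrive%\GOG Games\Grim Dawn\Grim Dawn.exe => No File
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [aegnopegbbhjeeiganiajffnalhlkkjb]
S2 BridleBuddlesService; C:\Program Files (x86)\BridleBuddles\BridleBuddlesService.exe -service [X]
EmptyTemp:
End::
"""

DIRECTIVE_RE = re.compile(r"^[A-Za-z]+:$")  # CreateRestorePoint:, CloseProcesses:, EmptyTemp:
FIREWALL_RE = re.compile(
    r"^FirewallRules: \[(?P<name>.+?)\] => \((?P<action>Allow|Block)\) (?P<path>.+?)(?: => No File)?$"
)
SERVICE_RE = re.compile(r"^[SRU]\d (?P<name>[^;]+); (?P<cmd>.+?)(?: \[X\])?$")
EXTENSION_RE = re.compile(r"^CHR .*\\Chrome\\Extension: \[(?P<ext_id>[a-z]{32})\]")


@dataclass
class Entry:
    kind: str                    # directive, firewall, service, extension, task, registry, other
    target: str                  # rule name, service name, extension id, registry key, ...
    path: Optional[str] = None   # file the entry points at, when the line carries one
    reasons: List[str] = field(default_factory=list)  # FRST's markers: "No File", "[X]", "ATTENTION"
    raw: str = ""


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one fixlist line, or None for blank, Start:: and End:: lines."""
    line = line.strip()
    if not line or line in ("Start::", "End::"):
        return None
    reasons: List[str] = []
    if line.endswith("<==== ATTENTION"):
        reasons.append("ATTENTION")
        line = line[: -len("<==== ATTENTION")].rstrip()
    if line.endswith("No File"):
        reasons.append("No File")
    if line.endswith("[X]"):
        reasons.append("[X]")

    if DIRECTIVE_RE.match(line):
        return Entry("directive", line[:-1], None, reasons, line)
    m = FIREWALL_RE.match(line)
    if m:
        return Entry("firewall", m["name"], m["path"], reasons, line)
    m = SERVICE_RE.match(line)
    if m:
        return Entry("service", m["name"], m["cmd"], reasons, line)
    m = EXTENSION_RE.match(line)
    if m:
        return Entry("extension", m["ext_id"], None, reasons, line)
    if line.startswith("Task: "):
        target, _, rest = line[len("Task: "):].partition(" => ")
        return Entry("task", target, rest.split(" -> ")[0] or None, reasons, line)
    # Remaining lines are "Key: value" style; registry keys start with HKLM/HKU/HKCU.
    key, sep, _ = line.partition(": ")
    kind = "registry" if key.startswith("HK") else "other"
    return Entry(kind, key if sep else line, None, reasons, line)


def parse_fixlist(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def count_by_kind(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


def flagged(entries: List[Entry], reason: str) -> List[Entry]:
    """Entries that FRST itself marked with the given reason."""
    return [e for e in entries if reason in e.reasons]


def unexplained(entries: List[Entry]) -> List[Entry]:
    """Non-directive entries with no FRST marker: the reviewer must justify each of
    these (here the StartupApproved value and the Chrome extension) before running the fix."""
    return [e for e in entries if e.kind != "directive" and not e.reasons]


if __name__ == "__main__":
    parsed = parse_fixlist(SAMPLE_FIXLIST)
    for entry in parsed:
        print(f"{entry.kind:<10} {', '.join(entry.reasons) or '-':<10} {entry.target}")
    print("counts:", count_by_kind(parsed))
    print("unexplained:", [e.target for e in unexplained(parsed)])
```

To review a real fix, replace SAMPLE_FIXLIST with the contents of the saved fixlist.txt. The script only reads the markers FRST already placed on each line; it does not check whether the referenced files exist, since that is exactly what the "No File" marker records.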