
Bundled PuPs/Cryptojacker/Backdoor/Services alteration

#1 ·
Greetings to whoever will assist me - I appreciate it. I will keep this as simple and clear as possible. Apologies for the amount of data. IT here.

Tech Support Guy System Info Utility version 1.0.0.9
OS Version: Microsoft Windows 10 Pro, 64 bit, Build 18363, Installed 20200316163655.000000-300
Processor: AMD Phenom(tm) II X4 965 Processor, AMD64 Family 16 Model 4 Stepping 3, CPU Count: 4
Total Physical RAM: 16 GB
Graphics Card: NVIDIA GeForce GTX 1050
Hard Drives: C: 573 GB (270 GB Free); E: 95 GB (95 GB Free); F: 26 GB (26 GB Free);
Motherboard: Gigabyte Technology Co., Ltd. GA-890FXA-UD5
System: Award Software International, Inc., ver GBT - 42302e31
Antivirus: Spybot - Search and Destroy, Enabled and Updated

*Feb 12th: OS hijacked via malware 'suite', following a risky download/install from a Korean fileserver. [Didn't scan archive before unpacking] Here are some of the PUPs I remember encountering on day 1, and steps taken for removal.

- Idle Buddy: Installed the files and scripts necessary to start/stop data-mining hardware. I have logs / IPs / actions performed, if required.
- BridleBuddlesService: Created copies of files everywhere in HKEY with an encrypted value added to the file name. Also a keylogger and audio audit.
- AVG antivirus 2001: LocalUser > [Read/Execute only + Remove Admin] - Created new user group with 'Special Permission'.
- Fake Windows Defender UI override settings and antivirus activation options removed -> Qvo6 browser redirection + fake certificate acquisition.
- ChangZhi-LDPlayer\adb.exe: Another cryptominer.
- Zedo: Tracker, I think.
- Adobe AIM: ??

* Actions taken *
- MBAM full scan after update + quarantine (68+ PUPs) > reboot in Safe Mode > Spybot 2 Search & Destroy full scan + quarantine > Config.msg remove affected apps on startup > BitDefender scan only (paywall) > REBOOT IN NORMAL > Security Task Manager > Regedit HKEY_LOCAL_MACHINE & SOFTWARE clean-up of every file affected as per the BitDefender log. Verification of what is still being affected... CPU usage through the roof.

+Services are still changed; Windows Defender cloned itself, one is ON as antivirus, the other stuck at OFF (requesting admin rights). Same size and file path. Turned net security to high and enabled screening protection.
+BridleBuddlesService seems mostly removed; perhaps some traces remain hidden.
+ChangZhi-LDPlayer\adb.exe removed, except possibly registry and hidden files.
+IdleBuddy: Backdoor remains. Traces available. Remote commands are being pushed through.
+Zedo: 100% removed.
+AVG Antivir: 100% removed, BUT unable to install McAfee, ESET or Kaspersky since.
+Qvo6: Removed every registry key and file linked to it in C:. I believe it to be contained.
And that is it. Here below are the 2 files requested. Seeking guidance from there. Thanks again!
 

Attachments

#2 ·
Hi, Graemio.

Welcome to TSG Forums.


I will be assisting you regarding your computer's issues. Here, we will check your computer for malware.

Please adhere to the guidelines below, and then carefully follow, in the same order, all the instructions after them:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

4. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

5. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.

=====================

My first comments/instructions, regarding your logs:

1. Hard Disk

There are signs that the disk has bad blocks. We are going to check that, but I recommend you, before you proceed to my instructions below, to backup your personal files, just in case.

2. P2P program

You have μtorrent installed on your computer. This is a P2P program. P2P programs form a direct conduit onto a computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. If you don't uninstall it, your computer will probably get infected again, as soon as you use it again. But it is your computer and of course your decision.
  • If you decide to keep it, DON'T use it during the cleaning procedure.
  • If you decide to uninstall it:
    • Press the Windows Key + R.
    • Type appwiz.cpl in the Run box and click OK.
    • The Add/Remove Programs list will open. Locate the following program on the list:
      Code:
      μtorrent
    • Select the above program and click Uninstall.
    • Restart the computer.

3. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
HKLM\...\StartupApproved\Run32: => "YixSpeedup"
FirewallRules: [UDP Query User{6CFB706B-5038-4A4B-A200-39557700FF7F}C:\games\pyre\x64\pyre.exe] => (Allow) C:\games\pyre\x64\pyre.exe => No File
FirewallRules: [TCP Query User{879F469D-6F73-4E08-B681-AF7184DE0911}C:\games\pyre\x64\pyre.exe] => (Allow) C:\games\pyre\x64\pyre.exe => No File
FirewallRules: [{4570A8A5-30E0-435B-82E0-F8C394BB0D0C}] => (Block) %SystemDrive%\GOG Games\Grim Dawn\Grim Dawn.exe => No File
FirewallRules: [UDP Query User{09D84702-8E4A-4F8E-8170-461893A00504}C:\program files (x86)\wizards of the coast\mtga\mtga.exe] => (Allow) C:\program files (x86)\wizards of the coast\mtga\mtga.exe => No File
FirewallRules: [TCP Query User{8A31653B-3E77-420C-A5F0-7971F1CF7EF5}C:\program files (x86)\wizards of the coast\mtga\mtga.exe] => (Allow) C:\program files (x86)\wizards of the coast\mtga\mtga.exe => No File
FirewallRules: [{E280166D-C0EA-4A27-9816-2134E62F8736}] => (Allow) C:\Program Files (x86)\Nox\bin\Nox.exe => No File
FirewallRules: [{22C69F4C-7389-4A25-8FEF-6C9C9AAE2CA2}] => (Allow) C:\Program Files (x86)\Bignox\BigNoxVM\RT\NoxVMHandle.exe => No File
FirewallRules: [TCP Query User{3A82864B-A477-46E4-8D51-1FF2ADB26C85}C:\games\divinity original sin 2 definitive edition\defed\bin\eocapp.exe] => (Allow) C:\games\divinity original sin 2 definitive edition\defed\bin\eocapp.exe => No File
FirewallRules: [UDP Query User{323C8988-0746-4BB8-A436-9094E34607FF}C:\games\divinity original sin 2 definitive edition\defed\bin\eocapp.exe] => (Allow) C:\games\divinity original sin 2 definitive edition\defed\bin\eocapp.exe => No File
FirewallRules: [{DE68BD01-5292-4172-A5D8-80676845689A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe => No File
FirewallRules: [{AAE38634-7BDB-43E3-91DE-2A74EFF87539}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Divinity Original Sin Enhanced Edition\Shipping\EoCApp.exe => No File
FirewallRules: [{54BEA67B-D0BF-4063-BE2F-CCF7C3C4E5C9}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Lone Survivor\LoneSurvivor\LoneSurvivor.exe => No File
FirewallRules: [{54096F67-FDBA-4473-A9A4-A2D9BF62AD72}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Lone Survivor\LoneSurvivor\LoneSurvivor.exe => No File
FirewallRules: [TCP Query User{B8C701F1-CC29-44A9-92DC-44C11A14D99A}C:\program files (x86)\heroes of the storm\versions\base80333\heroesofthestorm_x64.exe] => (Allow) C:\program files (x86)\heroes of the storm\versions\base80333\heroesofthestorm_x64.exe => No File
FirewallRules: [UDP Query User{2AB77D22-C7FA-45D0-B42C-0714A780EE5A}C:\program files (x86)\heroes of the storm\versions\base80333\heroesofthestorm_x64.exe] => (Allow) C:\program files (x86)\heroes of the storm\versions\base80333\heroesofthestorm_x64.exe => No File
FirewallRules: [TCP Query User{FF2F9E53-3192-4608-91D9-FA49946E3F38}C:\program files (x86)\diablo iii\x64\diablo iii64.exe] => (Allow) C:\program files (x86)\diablo iii\x64\diablo iii64.exe => No File
FirewallRules: [UDP Query User{629C66F9-09F4-41EB-A644-86ECA8B0FE2E}C:\program files (x86)\diablo iii\x64\diablo iii64.exe] => (Allow) C:\program files (x86)\diablo iii\x64\diablo iii64.exe => No File
FirewallRules: [TCP Query User{01728578-334E-4119-9EC0-B8B939963B5A}C:\program files (x86)\pokemon showdown\pokemonshowdown.exe] => (Allow) C:\program files (x86)\pokemon showdown\pokemonshowdown.exe => No File
FirewallRules: [UDP Query User{8AE32D7A-1A47-4264-A22F-40F6D3A83726}C:\program files (x86)\pokemon showdown\pokemonshowdown.exe] => (Allow) C:\program files (x86)\pokemon showdown\pokemonshowdown.exe => No File
FirewallRules: [TCP Query User{F4998C5C-7713-4F49-9D0C-C780AD3F66B4}C:\gog games\baldurs gate 3\bin\bg3.exe] => (Block) C:\gog games\baldurs gate 3\bin\bg3.exe => No File
FirewallRules: [UDP Query User{39FA5421-AFA6-4086-9F3F-D62FB7A0FB30}C:\gog games\baldurs gate 3\bin\bg3.exe] => (Block) C:\gog games\baldurs gate 3\bin\bg3.exe => No File
FirewallRules: [TCP Query User{44EFCED5-5DB1-4291-B8B9-F58C22C443E7}C:\gog games\baldurs gate 3\bin\bg3_dx11.exe] => (Allow) C:\gog games\baldurs gate 3\bin\bg3_dx11.exe => No File
FirewallRules: [UDP Query User{6D5CF9F9-6A8B-4611-A53A-70EB767FB5F6}C:\gog games\baldurs gate 3\bin\bg3_dx11.exe] => (Allow) C:\gog games\baldurs gate 3\bin\bg3_dx11.exe => No File
FirewallRules: [TCP Query User{BA3E343B-7A48-401E-8BBC-909C452C28DF}C:\gog games\divinity - original sin 2\defed\bin\eocapp.exe] => (Allow) C:\gog games\divinity - original sin 2\defed\bin\eocapp.exe => No File
FirewallRules: [UDP Query User{A58AC757-5DA9-48E2-A171-2143FC9805F6}C:\gog games\divinity - original sin 2\defed\bin\eocapp.exe] => (Allow) C:\gog games\divinity - original sin 2\defed\bin\eocapp.exe => No File
FirewallRules: [TCP Query User{63A42D03-FB22-450F-AD19-AF1353C2339E}C:\gog games\the dungeon of naheulbeuk - the amulet of chaos\naheulbeuk.exe] => (Allow) C:\gog games\the dungeon of naheulbeuk - the amulet of chaos\naheulbeuk.exe => No File
FirewallRules: [UDP Query User{E1BEE190-B32C-4D60-9C78-273865FDB114}C:\gog games\the dungeon of naheulbeuk - the amulet of chaos\naheulbeuk.exe] => (Allow) C:\gog games\the dungeon of naheulbeuk - the amulet of chaos\naheulbeuk.exe => No File
FirewallRules: [TCP Query User{632FEB9A-13BE-4B73-BC74-2EF5A3D020A3}C:\games\pathfinder kingmaker definitive edition\kingmaker.exe] => (Block) C:\games\pathfinder kingmaker definitive edition\kingmaker.exe => No File
FirewallRules: [UDP Query User{761B0713-D8F4-4597-8823-69C8F3B3B902}C:\games\pathfinder kingmaker definitive edition\kingmaker.exe] => (Block) C:\games\pathfinder kingmaker definitive edition\kingmaker.exe => No File
FirewallRules: [{E372E003-14D9-4126-9C95-F12252A0F4DA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\TreeOfSavior\release\patch\tos.exe => No File
FirewallRules: [{D0D9C276-1C57-4235-ACBF-4692D20F4EEA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\TreeOfSavior\release\patch\tos.exe => No File
FirewallRules: [TCP Query User{00E3F09E-9BFF-4B99-8560-EBE94CC9AC5F}C:\program files (x86)\steam\steamapps\common\divinity original sin 2\defed\bin\eocapp.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\divinity original sin 2\defed\bin\eocapp.exe => No File
FirewallRules: [UDP Query User{910C5D6F-36C6-44D8-8E09-F823A8E16406}C:\program files (x86)\steam\steamapps\common\divinity original sin 2\defed\bin\eocapp.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\divinity original sin 2\defed\bin\eocapp.exe => No File
FirewallRules: [{45B3319B-212C-4ED6-90A7-A1CE13E0B1E4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Troubleshooter\Release\bin\ProtoLion.exe => No File
FirewallRules: [{647EF5B0-3C0B-4455-BA12-A7F5323C9BAF}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Troubleshooter\Release\bin\ProtoLion.exe => No File
FirewallRules: [TCP Query User{FFCFFCD3-078F-47B8-9846-1A9A445D2371}C:\program files (x86)\steam\steamapps\common\ruiner\ruiner\binaries\win64\ruiner-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\ruiner\ruiner\binaries\win64\ruiner-win64-shipping.exe => No File
FirewallRules: [UDP Query User{B7EB1A6B-CD91-4AA2-85D0-16C1EAB1A493}C:\program files (x86)\steam\steamapps\common\ruiner\ruiner\binaries\win64\ruiner-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\ruiner\ruiner\binaries\win64\ruiner-win64-shipping.exe => No File
FirewallRules: [TCP Query User{A17DFF11-778C-4C1B-8AB0-B75B751B7FFC}C:\program files (x86)\overwatch\_retail_\overwatch.exe] => (Allow) C:\program files (x86)\overwatch\_retail_\overwatch.exe => No File
FirewallRules: [UDP Query User{ADFAF234-BEA5-42B1-911E-B57B1A4FF0B7}C:\program files (x86)\overwatch\_retail_\overwatch.exe] => (Allow) C:\program files (x86)\overwatch\_retail_\overwatch.exe => No File
FirewallRules: [TCP Query User{705A7E68-491B-4A25-BAB8-7629D25B0317}C:\users\gamed\appdata\local\crossout\launcher.exe] => (Allow) C:\users\gamed\appdata\local\crossout\launcher.exe => No File
FirewallRules: [UDP Query User{283B1647-DD79-4D83-9B7E-A7FA1C97CC55}C:\users\gamed\appdata\local\crossout\launcher.exe] => (Allow) C:\users\gamed\appdata\local\crossout\launcher.exe => No File
FirewallRules: [{680C6ED8-18F8-4DD8-A246-435889BE360B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Grim Dawn\x64\Grim Dawn.exe => No File
FirewallRules: [{0D937B7D-EA48-4AA3-8538-2B390DD01C4B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Grim Dawn\x64\Grim Dawn.exe => No File
FirewallRules: [TCP Query User{2E2EE5FD-E1A8-4D8E-9481-282D7138B325}C:\program files (x86)\steam\steamapps\common\phantasystaronline2_na_steam\pso2_bin\pso2.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\phantasystaronline2_na_steam\pso2_bin\pso2.exe => No File
FirewallRules: [UDP Query User{AEBAAF70-C6AA-4398-B123-C4B7BCBE2A85}C:\program files (x86)\steam\steamapps\common\phantasystaronline2_na_steam\pso2_bin\pso2.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\phantasystaronline2_na_steam\pso2_bin\pso2.exe => No File
FirewallRules: [{672D01BE-EA1D-4776-9103-01CE0C9AE98A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Albion Online\launcher\AlbionLauncher.exe => No File
FirewallRules: [{593BD64E-7274-4237-AA0F-26CD3C1E61D4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Albion Online\launcher\AlbionLauncher.exe => No File
FirewallRules: [{FE45794A-D370-40FA-ACCE-7F7BC2951808}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Don't Starve Together\bin\dontstarve_steam.exe => No File
FirewallRules: [{C21FC38B-EBAD-4858-95CC-CACCA940FCEB}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Don't Starve Together\bin\dontstarve_steam.exe => No File
FirewallRules: [{77D55C76-DB72-4E94-B32E-F736157E4EA7}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dont_starve\bin\dontstarve_steam.exe => No File
FirewallRules: [{277CC9B9-199F-41CA-A4B9-EFD1F506DCC4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dont_starve\bin\dontstarve_steam.exe => No File
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
Task: {0A4F64DC-B6C3-4C75-BFD3-F76BD7FC240F} - System32\Tasks\{5E9C47D5-C2A3-4B5B-9646-23F9F5362F1A} => C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\MTGAInstaller_1.0.64.exe -> /i "C:\Users\gamed\AppData\Local\Temp\MTGAinstall\MTGAInstaller.msi" AI_SETUPEXEPATH="C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\MTGAInstaller_1.0.64.exe" SETUPEXEDIR="C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\" ADDLOCAL=MainFeature,B35B3203FEB4CFFA576A27CB835D3E6 ALLUSERS="1" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_PREREQFILES="C:\Users\gamed\AppData\Roaming\Wizards of the Coast\MTGA Launcher\prerequisites\Visual C++ Redistributable for Visual Studio 2015-2019\VC_redist.x86.exe" AI_PREREQDIRS="C:\Users\gamed\AppData\Roaming" AI_MISSING_PREREQS="Visual C++ Redistributable for Visual Studio 2017 x86" AI_SETUPEXEPATH="C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\MTGAInstaller_1.0.64.exe" SETUPEXEDIR="C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\" AI_INSTALL="1" BIPROCESSTIME="2020-05-22T18:12:12.0266712Z" TARGETLOCKED="TRUE" TARGETDIR="C:\" APPDIR="C:\Program Files (x86)\Wizards of the Coast\MTGA\" AI_SETUPEXEPATH_ORIGINAL="C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\MTGAInstaller_1.0.64.exe"
Task: C:\WINDOWS\Tasks\{5E9C47D5-C2A3-4B5B-9646-23F9F5362F1A}.job => C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\MTGAInstaller_1.0.64.exeѳ/i C:\Users\gamed\AppData\Local\Temp\MTGAinstall\MTGAInstaller.msi AI_SETUPEXEPATH=C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\MTGAInstaller_1.0.64.exe SETUPEXEDIR=C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\ ADDLOCAL=MainFeature,B35B3203FEB4CFFA576A27CB835D3E6 ALLUSERS=1 PRIMARYFOLDER=APPDIR ROOTDRIVE=C:\ AI_PREREQFILES=C:\Users\gamed\AppData\Roaming\Wizards of the Coast\MTGA Launcher\prerequisites\Visual C++ Redistributable for Visual Studio 2015-2019\VC_redist.x86.exe AI_PREREQDIRS=C:\Users\gamed\AppData\Roaming AI_MISSING_PREREQS=Visual C++ Redistributable for Visual Studio 2017 x86 AI_SETUPEXEPATH=C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\MTGAInstaller_1.0.64.exe SETUPEXEDIR=C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\ AI_INSTALL=1 BIPROCESSTIME=2020-05-22T18:12:12.0266712Z TARGETLOCKED=TRUE TARGETDIR=C:\ APPDIR=C:\Program Files (x86)\Wizards of the Coast\MTGA\ AI_SETUPEXEPATH_ORIGINAL=C:\Program Files (x86)\Wizards of the Coast\MTGA\MTGALauncher\Updates\MTGAInstaller_1.0.64.exe <==== ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [aegnopegbbhjeeiganiajffnalhlkkjb]
CHR HKLM-x32\...\Chrome\Extension: [mfhcmdonhekjhfbjmeacdjbhlfgpjabp]
S2 BridleBuddlesService; C:\Program Files (x86)\BridleBuddles\BridleBuddlesService.exe -service [X]
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

4. AdwCleaner (Scan mode)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

5. Malwarebytes (Scan mode)
  • Open Malwarebytes you have already installed in your computer.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the two last steps below.

If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

In your next reply, please post:
  1. The fixlog.txt
  2. The AdwCleaner[S0*].txt
  3. The Malwarebytes report
 
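The FRST fix above works by removing entries that point at things which no longer exist (firewall rules and a service whose executable is gone, marked "=> No File" and "[X]"), plus policy and startup leftovers. The PowerShell script below is an added example, not part of the original thread or of FRST, that audits those same classes of leftover on a Windows 10 machine without deleting anything. It assumes PowerShell 5.1 with the built-in NetSecurity module and an elevated prompt; the path-parsing for unquoted service binaries is a heuristic.

```powershell
# Added example (not from the original thread): read-only audit of the leftovers
# a FRST fix like the one above removes. Run elevated; nothing is modified.
# Assumption: Windows 10, PowerShell 5.1, NetSecurity module present (built in).

function Test-ProgramPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $true }   # rule not bound to a program
    if ($Path -in 'System', 'Any') { return $true }              # kernel / wildcard rules
    $p = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    return (Test-Path -LiteralPath $p -PathType Leaf)
}

# 1. Firewall rules whose program no longer exists (FRST prints "=> No File").
#    An orphaned Allow rule is a pre-approved hole for whatever is dropped at that
#    path later, which is why cleanups prune them rather than leave them.
function Get-OrphanFirewallRule {
    Get-NetFirewallRule -ErrorAction SilentlyContinue | ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter
        if (-not (Test-ProgramPath $app.Program)) {
            [pscustomobject]@{ Name = $rule.Name; Action = $rule.Action; Program = $app.Program }
        }
    }
}

# 2. Services whose binary is missing (FRST flags these with [X]). Win32_Service is
#    used because Get-Service does not expose the image path. Heuristic: a quoted
#    path is taken verbatim; an unquoted one is cut at the first " -" or " /" argument.
function Get-OrphanService {
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = $_.PathName
        if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($exe -split '\s+-| /')[0] }
        if (-not (Test-ProgramPath $exe)) {
            [pscustomobject]@{ Name = $_.Name; StartMode = $_.StartMode; Path = $_.PathName }
        }
    }
}

# 3. Browser policy keys, force-installed extension registrations, and
#    StartupApproved\Run32 flags whose Run value is gone (the YixSpeedup case).
function Get-SuspiciousRegistryEntry {
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Mozilla\Firefox',              # FRST: "Restriction <==== ATTENTION"
        'HKLM:\SOFTWARE\Policies\Google\Chrome',
        'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions',   # FRST: "CHR HKLM-x32\...\Chrome\Extension"
        'HKLM:\SOFTWARE\Google\Chrome\Extensions'
    )
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $children = (Get-ChildItem $k -ErrorAction SilentlyContinue | ForEach-Object PSChildName) -join ', '
            [pscustomobject]@{ Key = $k; Detail = "present; subkeys: $children" }
        }
    }
    $approved = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32'
    $run      = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $approved) {
        $runNames = @()
        if (Test-Path $run) { $runNames = (Get-Item $run).GetValueNames() }
        foreach ($n in (Get-Item $approved).GetValueNames()) {
            if ($n -notin $runNames) {
                [pscustomobject]@{ Key = "$approved\$n"; Detail = 'no matching Run value' }
            }
        }
    }
}

Write-Host '== Firewall rules pointing at missing programs =='
Get-OrphanFirewallRule | Format-Table -AutoSize
Write-Host '== Services with missing binaries =='
Get-OrphanService | Format-Table -AutoSize -Wrap
Write-Host '== Policy / extension / StartupApproved leftovers =='
Get-SuspiciousRegistryEntry | Format-Table -AutoSize -Wrap
```

The audit is deliberately report-only: on a machine that is still being cleaned, removal should stay with the tool and the helper directing it, so the fix log records exactly what was changed. Policy keys under HKLM\SOFTWARE\Policies are legitimate in a managed domain environment, so treat a hit there as "explain it", not "delete it".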
#3 ·
Hi DR.M
Here are the requested logs

MBAM:
-Log Details-
Scan Date: 17/02/2021
Scan Time: 19:28
Log File: 3e545886-7180-11eb-9d80-1c6f65928996.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.37245
Licence: Free

-System Information-
OS: Windows 10 (Build 18363.1316)
CPU: x64
File System: NTFS
User: DESKTOP-6JDRMOJ\gamed

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 285539
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 11 min, 46 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
 

Attachments

#4 ·
Hi, Graemio.

1. AdwCleaner (Clean mode)
  • Double click AdwCleaner.exe on your Desktop, to run it as you did before.
  • Click Scan Now.
  • When the scan has finished a Scan Results window will open.
  • Please check all threats found and then click Quarantine.
  • Click Next.
    • If any pre-installed software was found on your machine, a prompt window will open (Note: previous scan showed no pre-installed software in your machine, so you can skip these sub steps).
      • Click OK to close it.
    • Check any pre-installed software items you want to remove (previous scan showed no pre-installed software in your machine, so you can skip this).
    • Click Quarantine.
  • A prompt to save your work will appear.
    • Click Continue when you're ready to proceed.
  • A prompt to restart your computer will appear.
    • Click Restart Now.
  • Once your computer has restarted:
    • If it doesn't open automatically, please start ADWCleaner.
    • Click the Log Files tab.
    • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
    • A Notepad file will open containing the results of the removal.
    • Please post the contents of the file in your next reply.

2. Fresh FRST logs
  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please copy and paste the content of these two logs in your next reply.

In your next reply, please post:
  1. The AdwCleaner[C0*].txt
  2. The fresh logs, FRST.txt and Addition.txt
 
#6 ·
Hi, Graemio.

The computer is clean of malware. The first step below will just do some tidying. The purpose of the next steps is to check the hard disk, since there are signs that it has bad blocks. I recommend you back up all your personal data, in case you haven't done that already.

1. FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
FirewallRules: [{592965DC-AADF-44FD-9704-EE0EA0CE0CBB}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
FirewallRules: [{C691219A-CC96-49C0-8B47-F7A300BCDA6C}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
FirewallRules: [{7433BD01-0E71-4880-8000-BE45D0553F1A}] => (Allow) C:\Users\gamed\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{78CFFCE3-8E06-4545-BFE5-2A57C915CE0E}] => (Allow) C:\Users\gamed\AppData\Roaming\uTorrent\uTorrent.exe => No File
FirewallRules: [{587D847E-BCF6-43A4-8982-E4EA8AD5892E}] => (Allow) C:\Users\gamed\AppData\Roaming\uTorrent\uTorrent.exe => No File
FirewallRules: [{8FAFC210-4B77-4095-A749-8A8D844E4DFF}] => (Allow) C:\Users\gamed\AppData\Roaming\uTorrent\uTorrent.exe => No File
FirewallRules: [{878CB403-BA93-4A41-A46B-3B3CB1ED5CDF}] => (Allow) C:\Users\gamed\AppData\Roaming\uTorrent\uTorrent.exe => No File
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

2. Check disk > chkdsk
  • Click on the Start button and in the search box, type Command Prompt.
  • When you see Command Prompt on the list, right-click on it and select Run as administrator.
  • Enter the command below, press Enter and wait for it to finish (~15 minutes to many hours depending on the disk's condition).
    Code:
     chkdsk C: /r
  • You will receive a message that the operation cannot be performed while the system is in use and ask if you want to check when you restart your computer. Choose Yes, and then restart the computer, allowing disk check to run at startup.
  • The process will take some time, depending on the disk condition.
  • Download ListChkdskResult by SleepyDude and save it on your Desktop.
  • Double click on the created icon.
  • A notepad file will open. Copy its content and paste it in your next reply.

3. Check disk > CrystalDiskInfo

Since you got the first sign that the disk started having bad blocks, it would be good to have a disk check now and from time to time using a free third party software, so you can take precautions if there is a further failure sign. Of course, making a back up of your documents regularly is always a priority.
  • Download CrystalDiskInfo from here and save it to your Desktop.
  • Run the installer to install the program.
  • When finished, open the installed program by double clicking on it.
  • If everything is working properly, you should see the status "Good" displayed. Other statuses you might see include "Bad" (which usually indicates a drive that's dead or near death), "Caution" (which indicates a drive that you should most likely be thinking about backing up and replacing), and "Unknown" (which just means that information could not be obtained).
  • The program will also show the disk temperature, so please take a note of that too.
  • Take a screenshot of the result you got. In case you need help regarding taking screenshot, this article is helpful (Method 2).

In your next reply please post:


1. The fixlog.txt
2. The chkdsk result
3. The CrystalDiskInfo screenshot
 
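Steps 2 and 3 above gather two facts: what the boot-time chkdsk found, and what the drive itself reports about its health. Both are available without third-party tools, and the script below is an added example (not from the original thread, ListChkdskResult or CrystalDiskInfo) that reads them with PowerShell. Assumptions: Windows 10, an elevated prompt, and a SATA disk whose driver exposes S.M.A.R.T. through WMI (most AHCI setups do; USB bridges and some RAID drivers do not). The S.M.A.R.T. attribute layout and the choice of attributes 5/196/197/198 as the "Caution" indicators follow the common ATA convention and are an assumption about how CrystalDiskInfo weighs them, not a statement of its code.

```powershell
# Added example (not from the original thread): last chkdsk result and drive health
# from Windows' own sources. Run elevated. Assumptions noted in the lead-in above.

# 1. Boot-time chkdsk writes its full report to the Application log as Wininit event 1001.
function Get-LastChkdskResult {
    $ev = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 1001
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $ev) { return $null }
    # Surface the lines that decide the verdict: corrections made, bad sectors found.
    $key = $ev.Message -split "`r?`n" | Where-Object {
        $_ -match 'bad (sector|cluster)|corrupt|repair' -or $_ -match 'Windows has (scanned|made|checked)'
    }
    [pscustomobject]@{ When = $ev.TimeCreated; Summary = ($key -join "`n"); FullText = $ev.Message }
}

# 2. The drive's own S.M.A.R.T. failure prediction: a single yes/no flag. This is what a
#    "Bad" verdict is built on; "Caution" comes from individual attributes (function 3).
function Get-SmartStatus {
    Get-CimInstance -Namespace root\wmi -ClassName MSStorageDriver_FailurePredictStatus -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Instance = $_.InstanceName; PredictFailure = $_.PredictFailure; Reason = $_.Reason }
        }
}

# 3. Raw S.M.A.R.T. attributes. VendorSpecific is a 512-byte block; 30 slots of 12 bytes
#    start at offset 2: id(1) flags(2) current(1) worst(1) raw(6, little-endian) reserved(1).
#    Default IDs: 5 reallocated, 196 reallocation events, 197 pending, 198 uncorrectable.
#    A non-zero raw value on 5, 197 or 198 is the usual "Caution" trigger.
function Get-SmartAttribute {
    param([int[]]$Ids = @(5, 196, 197, 198))
    Get-CimInstance -Namespace root\wmi -ClassName MSStorageDriver_FailurePredictData -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = $_.VendorSpecific; $inst = $_.InstanceName
            for ($i = 0; $i -lt 30; $i++) {
                $o = 2 + 12 * $i
                $id = [int]$d[$o]
                if ($id -eq 0 -or $id -notin $Ids) { continue }
                $raw = [uint64]0
                for ($b = 5; $b -ge 0; $b--) { $raw = ($raw -shl 8) -bor [uint64]$d[$o + 5 + $b] }
                [pscustomobject]@{ Instance = $inst; Id = $id; Current = $d[$o + 3]; Worst = $d[$o + 4]; Raw = $raw }
            }
        }
}

# 4. Storage reliability counters (Windows 8 and later): uncorrected errors, temperature, hours.
#    Temperature reads 0 on disks that do not report it through this interface.
function Get-DiskReliability {
    Get-PhysicalDisk | ForEach-Object {
        $c = $_ | Get-StorageReliabilityCounter
        [pscustomobject]@{
            Disk = $_.FriendlyName; HealthStatus = $_.HealthStatus
            ReadErrorsUncorrected = $c.ReadErrorsUncorrected; WriteErrorsUncorrected = $c.WriteErrorsUncorrected
            TemperatureC = $c.Temperature; PowerOnHours = $c.PowerOnHours
        }
    }
}

$chk = Get-LastChkdskResult
if ($chk) { Write-Host "== chkdsk at $($chk.When) =="; Write-Host $chk.Summary }
else      { Write-Host 'No boot-time chkdsk event (Wininit 1001) found.' }
Write-Host '== S.M.A.R.T. failure prediction =='; Get-SmartStatus | Format-Table -AutoSize
Write-Host '== Key S.M.A.R.T. attributes (raw > 0 on 5/197/198 = Caution) =='; Get-SmartAttribute | Format-Table -AutoSize
Write-Host '== Reliability counters =='; Get-DiskReliability | Format-Table -AutoSize
```

Two caveats a practitioner would want: chkdsk /r relocating data off bad sectors makes the file system consistent again but does nothing about the physical media, which is why a clean chkdsk plus a non-zero pending/reallocated count still means "replace the disk"; and the raw counters are the trend to watch, so record them once now and compare on later runs rather than reading a single snapshot.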
#8 ·
Hi, Graemio.

A Caution indication means that you have to back up your files and keep in mind that the disk will need a replacement. When? I can't say. Perhaps in a week, a month, a year... The chkdsk utility fixed some corruption for now, but the CrystalDiskInfo indication is still Caution. That's why the backup is important. Also, running CrystalDiskInfo every day would be a good idea.

What we do now...

1. Backup your files in an external disk
2. Buy/order a new internal hard disk
3. Continue using this old disk, running CrystalDiskInfo on a daily basis. As soon as the indication changes to Bad, you will have to replace your hard disk immediately.

What you have to keep in mind when you order a new disk:
  • The brand > WD
  • Transfer mode > SATA/300
  • Buffer size > 32 MB
  • Rotation rate > ?
  • Capacity > 750GB
Take notes about your disk now from the CrystalDiskInfo window, and any improvement regarding the specifications is welcome.

It doesn't need to be WD again.

It's also the option of SSD instead of a hard disk, but although these are faster, they are more expensive and have less capacity.

It's a laptop I guess? This matters, because you need a 2.5" and not 3.5" disk.

Make some Amazon search to get a personal idea on the subject, see prices etc..

4. Upgrade your operating system


Considering that you took care of all the above, you may consider upgrading your operating system. You have version 1909, two feature upgrades behind the latest one, which is 20H2. It is important to always keep current with the latest security fixes from Microsoft. This can patch many of the security holes through which attackers can infect your computer.

To upgrade:
  • Go to this Microsoft page and under the title Create Windows 10 installation media press on Download tool now.
  • Save the tool on your Desktop and double click to run it.
  • On the License terms page, if you accept the license terms, select Accept.
  • On the What do you want to do page, select Upgrade this PC now, and then select Next.
  • Follow the instructions and select Keep personal files and apps, when you are asked to.
  • It might take a couple of hours, depending on your connection speed, to install Windows 10. Your PC will restart a few times. Make sure you don't turn off your PC.
  • After downloading and installing, the tool will walk you through how to set up Windows 10 on your PC.

Any questions/concerns?
 
#10 ·
It appears that this issue is resolved, and therefore this topic has been marked as such.

If you are the topic starter and still need assistance, please reply back to the thread. Everyone else, please start a new topic by following the instructions here.
 