SQx

Posts posted by SQx

  1. Also, it looks like the scheduled task related to Autodesk is part of the crack, according to the following discussion in the Autodesk forum: https://forums.autodesk.com/t5/installation-licensing/service-vbs-script-issue/td-p/10614551

    Please read about Piracy on the forum.

    We do not recommend installing or using any pirated programs (cracks, keygens, etc.).
    Please remove the pirated programs (like Autodesk, and so on); otherwise our help will be useless.

    I found this task in your logs, related to Autodesk (part of the crack), which can pop up a cmd window:

    Task: {3E970D85-A300-48AB-84B6-A346ED80D134} - System32\Tasks\Microsoft\Windows\Autodesk\Autodesk => C:\Windows\system32\wscript.exe [170496 2021-09-16] (Microsoft Windows -> Microsoft Corporation) -> "%CommonProgramFiles(x86)%\Autodesk Shared\Network License Manager\Service.vbs" "%CommonProgramFiles(x86)%\Autodesk Shared\Network License Manager\Service.bat"

    Please let me know if you need help removing the above-mentioned scheduled task.
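The "Task:" entries quoted in the FRST fixlists on this page share one line format. As an added example (not part of the original posts and not FRST's own code), the Python below parses such lines and flags the patterns these posts act on: entries whose target is gone ("No File" / "no filepath"), FRST's own "<==== ATTENTION" marker, and a signed script host such as wscript.exe launching a .vbs or .bat, where the host's valid Microsoft signature says nothing about the script it runs. The sample lines are copied from the posts on this page; the function names and flag wording are mine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Binaries that execute whatever script or command line they are handed. A valid
# Microsoft signature on the host (as FRST reports for wscript.exe in the Autodesk
# task above) says nothing about the script it is told to run.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".ps1", ".hta")

# Task: {GUID} - <task path> [=> <target> [size date] (signer) -> <arguments>]
TASK_RE = re.compile(r"^Task: \{([0-9A-Fa-f-]{36})\} - (.*)$")
# A target starts with a drive letter or an %ENV% root and ends at its binary extension.
EXE_RE = re.compile(
    r'^"?((?:[A-Za-z]:|%[^%]+%)\\[^"\[]*?\.(?:exe|dll|vbs|js|bat|cmd|ps1))(?![A-Za-z0-9])',
    re.IGNORECASE)
# FRST appends "[size date] (signer)" after a target it could verify on disk.
SIG_RE = re.compile(r"^\[[^\]]*\]\s*\([^)]*\)\s*(?:-> )?")
ARG_RE = re.compile(r'"([^"]+)"|(\S+)')

# Sample input: Task: lines quoted in the posts on this page (not constructed).
SAMPLE_LINES = [
    r'Task: {3E970D85-A300-48AB-84B6-A346ED80D134} - System32\Tasks\Microsoft\Windows\Autodesk\Autodesk => C:\Windows\system32\wscript.exe [170496 2021-09-16] (Microsoft Windows -> Microsoft Corporation) -> "%CommonProgramFiles(x86)%\Autodesk Shared\Network License Manager\Service.vbs" "%CommonProgramFiles(x86)%\Autodesk Shared\Network License Manager\Service.bat"',
    r"Task: {AD739F7D-7724-4EE3-8710-822D5BE6325D} - System32\Tasks\Microsoft\Office\Office Serviceability Manager => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\officesvcmgr.exe  /checkin (No File)",
    r"Task: {1A0ADBD1-0C64-469F-9500-464FFB9B61A7} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION",
    r"Task: {33a255f3-1fbb-4d1a-a27b-2f2ed52956a7} - no filepath. <==== ATTENTION",
    r"Task: {FADBF632-2756-44CD-A9D6-C0721504FF02} - System32\Tasks\Driver Booster Update => C:\Program Files (x86)\IObit\Driver Booster\11.3.0\AutoUpdate.exe [2525160 2024-02-27] (IObit CO., LTD -> IObit)",
    r'Task: {2C958C1F-3B49-4402-AF03-C9E47B6A91E1} - System32\Tasks\GoogleUpdateTaskMachineCore{A530A92D-B741-45C3-B0B2-FD7BA8701B92} => "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"  /c (No File)',
]


@dataclass
class TaskEntry:
    guid: str
    task_path: str
    executable: Optional[str]   # None when FRST could not resolve a target
    arguments: str
    orphan: bool                # "No File" / "no filepath": the target is gone
    attention: bool             # FRST's own "<==== ATTENTION" marker
    flags: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_task_line(line: str) -> Optional[TaskEntry]:
    """Parse one FRST 'Task:' line; return None for every other line type."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    guid, rest = m.groups()
    task_path, target = (rest.split(" => ", 1) + [""])[:2]
    executable, arguments = None, ""
    em = EXE_RE.match(target)
    if em:
        executable = em.group(1)
        tail = target[em.end():].lstrip('"').strip()
        sig = SIG_RE.match(tail)          # drop "[size date] (signer) -> " if present
        if sig:
            tail = tail[sig.end():]
        arguments = tail.replace("(No File)", "").strip()
    orphan = "No File" in rest or "no filepath" in rest
    return TaskEntry(guid, task_path.strip(), executable, arguments, orphan,
                     "<==== ATTENTION" in line)


def review_task(entry: TaskEntry) -> List[str]:
    """Reasons an analyst should look at this task; an empty list means nothing notable."""
    flags = []
    if entry.attention:
        flags.append("FRST marked the entry <==== ATTENTION")
    if entry.orphan:
        flags.append("orphan: the task's target file no longer exists")
    if entry.executable and _basename(entry.executable).lower() in SCRIPT_HOSTS:
        tokens = [quoted or bare for quoted, bare in ARG_RE.findall(entry.arguments)]
        scripts = [_basename(t) for t in tokens if t.lower().endswith(SCRIPT_EXT)]
        flags.append(f"script host {_basename(entry.executable)} runs "
                     f"{', '.join(scripts) or 'an unknown command line'}; "
                     "the host's Microsoft signature does not vouch for the script")
    return flags


def analyze(lines: List[str]) -> List[TaskEntry]:
    """Parse every Task: line in an FRST log excerpt and attach review flags."""
    entries = []
    for line in lines:
        entry = parse_task_line(line)
        if entry:
            entry.flags = review_task(entry)
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in analyze(SAMPLE_LINES):
        print(f"{e.guid}  {e.task_path}")
        for flag in e.flags:
            print("    -", flag)
```

Run against a full FRST.txt, only the Autodesk-style entry above gets the script-host flag; the Office, UNP and GoogleUpdate entries are reported as orphans, which is exactly the distinction the fixlists on this page draw between removing a launcher and cleaning up leftovers.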

  2. Greetings,

    Could you please clarify whether this started after installing Autodesk?

    Please do the following to run a FRST fix.

    NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

    • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
      Start::
      CreateRestorePoint:
      ExportKey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
      ExportKey: HKLM\SOFTWARE\Policies\Google
      Task: {AD739F7D-7724-4EE3-8710-822D5BE6325D} - System32\Tasks\Microsoft\Office\Office Serviceability Manager => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\officesvcmgr.exe  /checkin (No File)
      Task: {1A0ADBD1-0C64-469F-9500-464FFB9B61A7} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
      Task: {407FF390-2B3D-4145-86D4-849FAB947DBB} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
      Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
      Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
      Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
      Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
      File: C:\WINDOWS\system32\drivers\dfx11_1x64.sys
      CMD: type C:\Users\Nicolás\AppData\Local\r18fpz9gq0
      2017-12-16 00:54 - 2017-12-16 00:54 - 000000052 _____ () C:\Users\Nicolás\AppData\Local\r18fpz9gq0
      AlternateDataStreams: C:\Users\Nicolás\Application Data:00e481b5e22dbe1f649fcddd505d3eb7 [394]
      AlternateDataStreams: C:\Users\Nicolás\AppData\Roaming:00e481b5e22dbe1f649fcddd505d3eb7 [394]
      AlternateDataStreams: C:\Users\Public\AppData:CSM [472]
      FirewallRules: [{0A519432-22C6-4225-831C-6476B5DFB199}] => (Allow) D:\Games Location\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe => No File
      FirewallRules: [{3C347766-F288-498E-BC88-97C45BC21810}] => (Allow) D:\Games Location\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe => No File
      FirewallRules: [UDP Query User{976EE374-266B-482D-9E2C-B5717AC2CCD3}D:\games location\black mesa\bms.exe] => (Allow) D:\games location\black mesa\bms.exe => No File
      FirewallRules: [TCP Query User{9DCDDBF1-A0B7-48C2-B193-5BBE34C77756}D:\games location\black mesa\bms.exe] => (Allow) D:\games location\black mesa\bms.exe => No File
      FirewallRules: [UDP Query User{ABE97CF6-0557-4B8A-A24A-B79362D26E9D}D:\games location\subnautica.v58064\subnautica.exe] => (Allow) D:\games location\subnautica.v58064\subnautica.exe => No File
      FirewallRules: [TCP Query User{879BE949-3A80-4D87-95B7-CED5240BB572}D:\games location\subnautica.v58064\subnautica.exe] => (Allow) D:\games location\subnautica.v58064\subnautica.exe => No File
      FirewallRules: [UDP Query User{67E9AD75-12CC-4DD6-81CB-DDE5AD088B62}D:\games location\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) D:\games location\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
      FirewallRules: [TCP Query User{E617877B-E9EC-48CD-B660-6C8063DF46A7}D:\games location\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) D:\games location\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
      BHO: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
      End::

    • Right-click on FRST64 on your Desktop to run it as administrator. When the tool opens, click "Yes" to the disclaimer.
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt.
    • When finished, it will produce a log, fixlog.txt, on your Desktop.
    • Post the log in your next reply.
  3. Greetings,

    Please do the following to run a FRST fix.

    NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

    • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
      Start::
      CreateRestorePoint:
      Task: {56F3FA41-8407-47DE-A3E1-6EAD5E0C8063} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-643858719-1823263509-3636400489-1001 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  (No File)
      Task: {E718D044-8F6E-48E7-953D-85D8F0FF19E2} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-643858719-1823263509-3636400489-500 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  (No File)
      ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
      ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
      ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
      ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
      ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
      ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
      ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
      ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
      ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
      ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
      ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
      ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
      ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
      ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
      File: C:\Users\Tim\AppData\Local\Temp\853C6CBF-E323-48B2-A9C0-7B874AC559D2\DismHost.exe
      File: C:\Windows\Temp\MUBSTemp\BCILauncher.exe
      Folder: C:\Users\Tim\appdata\local\OneLaunch
      ExportKey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
      ExportKey: HKCU\Software\OneLaunch
      ExportKey: HKCU\SOFTWARE\Classes\OneLaunchHTML
      ExportKey: HKCU\SOFTWARE\RegisteredApplications
      ExportKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\TREE
      End::

    • Right-click on FRST64 on your Desktop to run it as administrator. When the tool opens, click "Yes" to the disclaimer.
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt.
    • When finished, it will produce a log, fixlog.txt, on your Desktop.
    • Post the log in your next reply.
  4. Perfect, thank you for the details.

    If all is well then we can proceed with cleanup of tools we used.

    1. To remove the FRST64.exe tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe. Then run that (double-click on it) to begin the cleanup process.

    2. Any other download file I had you download, you may delete.

    3. The following information will help you to keep your computer and data safer as well as improve your overall privacy:

    1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
      https://www.howtogeek.com/780233/best-password-manager/
    2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
    3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download     https://patchmypc.com/about-us
    4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
    5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
    6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.

    Malwarebytes Browser Guard

    uBlock Origin

    Cybersecurity basics & protection
    Everything you need to know about cybercrime
    https://www.malwarebytes.com/cybersecurity


    Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

    Hopefully, we've been able to assist you with correcting your system issues.

    Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal.

  6. Looks like all went good.

    Please run an AV scanner just to be sure.

    Dr.Web CureIt!

    Please download the Dr.Web CureIt! anti-virus utility
    https://free.drweb.com/

    You will need to send them an email to obtain a link to download the scanner; please do so.

    • The downloaded file will normally have a unique name such as q7a9tr4p.exe.
    • Close all open applications, locate the downloaded file and double-click to run it.
    • The program will take a moment to launch and bring up the License and Update screen.
    • Place a check mark to agree to the terms and then click on the Continue button.
    • Click the underlined link "Select objects for scanning".
    • On the top left, click "Scanning objects"; that should automatically check all objects.
    • Click the small wrench and make sure there is a check on "Automatically apply actions to threats".
    • Then click the large button on the bottom right, "Start scanning".
    • Once the scan has completed there will be a link named "Open report"; click that and a log named cureit.log should open in Notepad.
    • The log is saved in the folder named Doctor Web at the top of your user profile folders.
    • Please attach that log in your next reply.
  7. Greetings,

    Please do the following to run a FRST fix.

    NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

    • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
      Start::
      CreateRestorePoint:
      ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
      Task: {33a255f3-1fbb-4d1a-a27b-2f2ed52956a7} - no filepath. <==== ATTENTION
      Task: {96523e47-4e35-44b3-8149-f0aab7345091} - no filepath. <==== ATTENTION
      Task: {cd4012b0-26a2-4303-9b4f-957ae6e13c94} - no filepath. <==== ATTENTION
      Unlock: C:\Program Files\Google\Libs\WR64.sys
      File: C:\Program Files\Google\Libs\WR64.sys
      C:\Program Files\Google\Libs\WR64.sys
      StartBatch:
      DISM.exe /Online /Cleanup-image /Restorehealth
      sfc /scannow
      Endbatch:
      Folder: C:\PROGRAM FILES\WINDOWSMALWAREPROTECTION\CONFIG
      Folder: C:\Users\Logan Damme\AppData\Google\Libs
      FirewallRules: [{4E476F36-17F0-48DB-8E59-A517CF6460EB}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\The Witcher 3\bin\x64\witcher3.exe => No File
      FirewallRules: [{6B29F115-262A-4961-BCAC-7918E54CD939}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\The Witcher 3\bin\x64\witcher3.exe => No File
      FirewallRules: [TCP Query User{4EE74976-7779-4BD6-AECF-65B74B924E72}C:\program files\epic games\gtav\gta5.exe] => (Allow) C:\program files\epic games\gtav\gta5.exe => No File
      FirewallRules: [UDP Query User{4900FE1E-C40E-4C42-9320-D0FE97E0BF94}C:\program files\epic games\gtav\gta5.exe] => (Allow) C:\program files\epic games\gtav\gta5.exe => No File
      FirewallRules: [TCP Query User{C76BD27B-BD9A-4718-BF80-A8A7DA9D99D6}C:\program files (x86)\steam\steamapps\common\ready or not\readyornot\binaries\win64\readyornot-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\ready or not\readyornot\binaries\win64\readyornot-win64-shipping.exe => No File
      FirewallRules: [UDP Query User{5F9CC8CD-64C6-4220-8807-1B0FDEE802F4}C:\program files (x86)\steam\steamapps\common\ready or not\readyornot\binaries\win64\readyornot-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\ready or not\readyornot\binaries\win64\readyornot-win64-shipping.exe => No File
      FirewallRules: [TCP Query User{325BF6CC-4EB8-4E7A-A6A1-41CC32CF8E61}C:\program files (x86)\overwatch\_retail_\overwatch.exe] => (Allow) C:\program files (x86)\overwatch\_retail_\overwatch.exe => No File
      FirewallRules: [UDP Query User{5BC14DFF-4C04-4F4D-911F-F7B01166A4EF}C:\program files (x86)\overwatch\_retail_\overwatch.exe] => (Allow) C:\program files (x86)\overwatch\_retail_\overwatch.exe => No File
      FirewallRules: [{467278F5-7124-4906-AD8D-480FE6FE2A3F}] => (Allow) C:\Program Files\VMware\VMware Horizon View Client\vmware-remotemks.exe => No File
      FirewallRules: [{4688B6B5-AAB0-4515-8B9D-91869FE7550A}] => (Allow) C:\Program Files\VMware\VMware Horizon View Client\vmware-remotemks.exe => No File
      FirewallRules: [TCP Query User{0BAF186C-C7A9-4387-871D-68B080BCAF87}C:\users\logan damme\appdata\local\discord\app-1.0.9006\discord.exe] => (Allow) C:\users\logan damme\appdata\local\discord\app-1.0.9006\discord.exe => No File
      FirewallRules: [UDP Query User{8DD4C96B-A968-41C8-9D79-4289147C599E}C:\users\logan damme\appdata\local\discord\app-1.0.9006\discord.exe] => (Allow) C:\users\logan damme\appdata\local\discord\app-1.0.9006\discord.exe => No File
      FirewallRules: [{7C37C4DA-FFE3-4D22-B604-FE21AD722DAE}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Ready Or Not\Engine\Binaries\Win64\CrashReporter.exe => No File
      FirewallRules: [{C5B10CD6-01CB-4A41-9986-FEE56DE88AFB}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Ready Or Not\Engine\Binaries\Win64\CrashReporter.exe => No File
      FirewallRules: [TCP Query User{1585A8F1-D5FF-4974-B09D-78758E247886}D:\secondextinction\secondextinctioneos.exe] => (Allow) D:\secondextinction\secondextinctioneos.exe => No File
      FirewallRules: [UDP Query User{522D26A5-EB0B-4FA8-ADA7-28605463E5C7}D:\secondextinction\secondextinctioneos.exe] => (Allow) D:\secondextinction\secondextinctioneos.exe => No File
      End::

    • Right-click on FRST64 on your Desktop to run it as administrator. When the tool opens, click "Yes" to the disclaimer.
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt.
    • When finished, it will produce a log, fixlog.txt, on your Desktop.
    • Post the log in your next reply.
  8. 2 hours ago, Henri123 said:

    My router is rented from my ISP and uses a coaxial cable. I haven't found secure options for a router that uses the cable yet.

    Then it's better to work with your ISP to find the right solution. If a bad actor gains access to your router and manipulates routes (DNS spoofing, cache poisoning, etc.), the second (intermediate) router will not help in this case.
    Please ensure that you follow the guidelines provided above.
  9. Hello _hv,

    No malware was found, just leftovers.

    1. Please do the following to run a FRST fix.

    NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

    • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
      Start::
      CreateRestorePoint:
      C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\Management\Provisioning\21MUdbtLYt
      C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\Management\Provisioning\jklKe
      C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\Management\Provisioning\kmPxbS
      C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\Management\Provisioning\zs2trQF69
      C:\WINDOWS\system32\Drivers\etlhMkW04
      C:\WINDOWS\system32\Drivers\bSjD0l
      C:\WINDOWS\system32\Drivers\VPfvJcrgRY
      C:\WINDOWS\system32\Drivers\btLYtVYV
      End::

    • Right-click on FRST64 on your Desktop to run it as administrator. When the tool opens, click "Yes" to the disclaimer.
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt.
    • When finished, it will produce a log, fixlog.txt, on your Desktop.
    • Post the log in your next reply.

    2. Please run an AV scanner just to be sure.

    Dr.Web CureIt!

    Please download the Dr.Web CureIt! anti-virus utility
    https://free.drweb.com/

    You will need to send them an email to obtain a link to download the scanner; please do so.

    • The downloaded file will normally have a unique name such as q7a9tr4p.exe.
    • Close all open applications, locate the downloaded file and double-click to run it.
    • The program will take a moment to launch and bring up the License and Update screen.
    • Place a check mark to agree to the terms and then click on the Continue button.
    • Click the underlined link "Select objects for scanning".
    • On the top left, click "Scanning objects"; that should automatically check all objects.
    • Click the small wrench and make sure there is a check on "Automatically apply actions to threats".
    • Then click the large button on the bottom right, "Start scanning".
    • Once the scan has completed there will be a link named "Open report"; click that and a log named cureit.log should open in Notepad.
    • The log is saved in the folder named Doctor Web at the top of your user profile folders.
    • Please attach that log in your next reply.
  10. Greetings,

    1. The Malwarebytes forum does not support piracy. Please remove all pirated software; otherwise our help will be useless. See the example below:

    https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/crack&threatid=2147734096&enterprise=0
    Name: HackTool:Win32/crack

    2. I found a torrent app in your logs. Please note that almost all torrent clients have multiple detections and should not be installed on your system. However, if you choose to do so, you're increasing your system's attack surface, which can increase the risk of infection.

    3. Please do the following to run a FRST fix.

    NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

    • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
      Start::
      CreateRestorePoint:
      ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
      File: C:\WINDOWS\System32\drivers\hanvonugeemfilter.sys
      Folder: C:\Windows\System32\Tasks_Migrated
      Folder: C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\Management\Provisioning
      Folder: C:\WINDOWS\system32\Drivers\etlhMkW04
      Folder: C:\WINDOWS\system32\Drivers\bSjD0l
      Folder: C:\WINDOWS\system32\Drivers\VPfvJcrgRY
      Folder: C:\WINDOWS\system32\Drivers\btLYtVYV
      End::

    • Right-click on FRST64 on your Desktop to run it as administrator. When the tool opens, click "Yes" to the disclaimer.
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt.
    • When finished, it will produce a log, fixlog.txt, on your Desktop.
    • Post the log in your next reply.
  11. Perfect, thank you for the details.

    We can proceed with cleanup of tools we used.

    1. To remove the FRSTENGLISH tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe. Then run that (double-click on it) to begin the cleanup process.

    2. Any other download file I had you download, you may delete.

    3. The following information will help you to keep your computer and data safer as well as improve your overall privacy:

    1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
      https://www.howtogeek.com/780233/best-password-manager/
    2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
    3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download     https://patchmypc.com/about-us
    4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
    5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
    6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.

    Malwarebytes Browser Guard

    uBlock Origin

    Cybersecurity basics & protection
    Everything you need to know about cybercrime
    https://www.malwarebytes.com/cybersecurity


    Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

    Hopefully, we've been able to assist you with correcting your system issues.

    Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal.

  12. Please confirm that you don't have other devices and that you have followed the following instructions:
    1. Sign out & turn off sync.

    To delete synced info from your Google Account:

    On your Android device/computer, open Chrome.
    Go to chrome.google.com/sync.
    Scroll to Clear Data and click it.

    Please note that all sync data will be deleted from your Google Account.

    2. Reset the Chrome settings and clear the data in Chrome if you don't need it; otherwise ignore this.

  13. 3 hours ago, b0xvera56 said:

    Would that interfere with the reason why, even though I am clearing synced data, it's always coming back?

    Yes. If you are using the same account (email), most likely sync restores the data on the computer because of this; you could check this by temporarily disabling sync on your phone, clearing the sync data in your Google account and checking whether the issue returns.

    1. Please go to Control Panel, Programs, Programs and Features, Uninstall a program

    Then right-click and uninstall the following:

    Driver Booster 11 (HKLM-x32\...\Driver Booster_is1) (Version: 11.3.0 - IObit)

     

    2. Please do the following to run a FRST fix.

    NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

    • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
      Start::
      CreateRestorePoint:
      Task: {FADBF632-2756-44CD-A9D6-C0721504FF02} - System32\Tasks\Driver Booster Update => C:\Program Files (x86)\IObit\Driver Booster\11.3.0\AutoUpdate.exe [2525160 2024-02-27] (IObit CO., LTD -> IObit)
      File: C:\Windows\System32\drivers\BthA2dp.sys
      File: C:\Windows\System32\drivers\bthhfenum.sys
      2024-03-08 15:03 - 2024-03-08 15:04 - 000002356 _____ C:\Users\Public\Desktop\Driver Booster 11.lnk
      2024-03-08 15:03 - 2024-03-08 15:03 - 000003272 _____ C:\Windows\system32\Tasks\Driver Booster SkipUAC (SMD)
      2024-03-08 15:03 - 2024-03-08 15:03 - 000003150 _____ C:\Windows\system32\Tasks\Driver Booster Update
      2024-03-08 15:03 - 2024-03-08 15:03 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Booster 11
      2024-02-26 17:37 - 2024-03-15 04:04 - 000000000 ____D C:\Users\PCZONE.GE\AppData\Roaming\IObit
      2024-02-26 17:37 - 2024-03-08 15:03 - 000000000 ____D C:\ProgramData\ProductData
      2024-02-26 17:37 - 2024-02-26 20:20 - 000000000 ____D C:\ProgramData\IObit
      2024-02-26 17:37 - 2024-02-26 20:20 - 000000000 ____D C:\Program Files (x86)\IObit
      2024-02-26 17:37 - 2024-02-26 17:37 - 000000000 ____D C:\Users\PCZONE.GE\AppData\LocalLow\IObit
      End::

    • Right-click on FRST64 on your Desktop to run it as administrator. When the tool opens, click "Yes" to the disclaimer.
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt.
    • When finished, it will produce a log, fixlog.txt, on your Desktop.
    • Post the log in your next reply.
  14. Thank you for the fixlog.txt log.

    Please reply to this:

    On 3/16/2024 at 9:05 AM, SQx said:

    Please let me know if you are using sync in your android smartphone as well?

     

    On 3/16/2024 at 2:47 PM, b0xvera56 said:

    also could a iobit uninstaller be malware itself?

    It's a PUP (potentially unwanted program) that may negatively affect the computer's performance.

    Could you please provide new FRST logs (frst.txt and addition.txt)?

  15. Greetings,

    Please let me know if you are using sync on your Android smartphone as well.

    1. The Malwarebytes forum does not support piracy. Please remove all pirated software; otherwise our help will be useless. See the example below:

    Name: HackTool:Win32/Keygen!MSR
    Severity: High
    Category: Tool
    Path: file:_C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\EDRW v13 Activator v2.1 - De!.exe; process:_pid:28068,ProcessStart:133538071495232311
    Detection Origin: Local machine
    Detection Type: Concrete
    Detection Source: System
    Process Name: C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\EDRW v13 Activator v2.1 - De!.exe


    2. Please go to Control Panel, Programs, Programs and Features, Uninstall a program

    Then right-click and uninstall the following:

    IObit Uninstaller 13 (HKLM-x32\...\IObitUninstall) (Version: 13.3.0.2 - IObit)

    3. Please check this article: Turn notifications on or off - Google Chrome

    4. Please do the following to run a FRST fix.

    NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

    • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
      Start::
      CreateRestorePoint:
      CloseProcesses:
      ExportKey: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
      Task: {2C958C1F-3B49-4402-AF03-C9E47B6A91E1} - System32\Tasks\GoogleUpdateTaskMachineCore{A530A92D-B741-45C3-B0B2-FD7BA8701B92} => "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"  /c (No File)
      Task: {B949BF25-AA58-47AD-A793-55C858C103B7} - System32\Tasks\GoogleUpdateTaskMachineUA{6073D170-6BB9-42DF-A852-D169510A02DC} => "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"  /ua /installsource scheduler (No File)
      S3 2BNO5Wpm; C:\Users\PCZONE.GE\AppData\Local\Temp\2BNO5Wpm [43216 2024-03-08] (PassMark Software Pty Ltd -> ) <==== ATTENTION
      S3 CXFl7xm2; C:\Users\PCZONE.GE\AppData\Local\Temp\CXFl7xm2 [43216 2024-03-08] (PassMark Software Pty Ltd -> ) <==== ATTENTION
      S3 MBK8elxp; C:\Users\PCZONE.GE\AppData\Local\Temp\MBK8elxp [43216 2024-03-08] (PassMark Software Pty Ltd -> ) <==== ATTENTION
      S3 xmIkHRNt; C:\Users\PCZONE.GE\AppData\Local\Temp\xmIkHRNt [43216 2024-03-08] (PassMark Software Pty Ltd -> ) <==== ATTENTION
      S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
      S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
      End::

    • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt on your Desktop
      Please note: The computer will reboot after execution
    • Post the log in your next reply.
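The fixlist above removes two kinds of entries a responder looks for in an FRST log: services whose binary lives under a user's Temp folder (the random-named PassMark entries FRST itself marked with ATTENTION) and services or tasks whose binary no longer exists ("[X]" and "(No File)"). The triage below is an added example, not FRST's or the forum's code; it parses constructed log lines modelled on the post, and the benign ExampleSvc entry is invented.

```python
"""Flag FRST service/task lines that run from a user Temp folder or point at a
missing binary.  Added example; regexes follow the line shapes in the post."""
import re

# Constructed sample lines (shapes copied from the fixlist; ExampleSvc is invented).
SAMPLE_LOG = r"""
Task: {2C958C1F-3B49-4402-AF03-C9E47B6A91E1} - System32\Tasks\GoogleUpdateTaskMachineCore{A530A92D-B741-45C3-B0B2-FD7BA8701B92} => "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"  /c (No File)
S3 2BNO5Wpm; C:\Users\PCZONE.GE\AppData\Local\Temp\2BNO5Wpm [43216 2024-03-08] (PassMark Software Pty Ltd -> ) <==== ATTENTION
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
R2 ExampleSvc; C:\Program Files\Example\ExampleSvc.exe [12345 2024-01-01] (Example Vendor -> Example Vendor)
"""

SERVICE_RE = re.compile(r'^(?P<state>[SRU]\d) (?P<name>[^;]+); (?P<body>.*)$')
TASK_RE = re.compile(r'^Task: \{[0-9A-Fa-f-]+\} - (?P<name>.+?) => (?P<cmd>.*)$')
TEMP_MARKER = '\\appdata\\local\\temp\\'


def _split_service(body):
    """Return (image path, trailing text); FRST quotes paths containing spaces."""
    if body.startswith('"'):
        end = body.find('"', 1)
        return body[1:end], body[end + 1:]
    idx = body.find(' [')          # " [size date]" starts the metadata block
    return (body, '') if idx == -1 else (body[:idx], body[idx:])


def triage_line(line):
    """Classify one FRST line; returns None for lines that are not services/tasks."""
    reasons = []
    m = SERVICE_RE.match(line)
    if m:
        kind, name = 'service', m['name']
        path, rest = _split_service(m['body'])
        if TEMP_MARKER in path.lower():
            reasons.append('runs from user Temp')
        if '[X]' in rest:
            reasons.append('binary missing ([X])')
        if '<==== ATTENTION' in rest:
            reasons.append('flagged by FRST')
    else:
        m = TASK_RE.match(line)
        if not m:
            return None
        kind, name, cmd = 'task', m['name'], m['cmd']
        if '(No File)' in cmd:
            reasons.append('binary missing (No File)')
        if TEMP_MARKER in cmd.lower():
            reasons.append('runs from user Temp')
    return {'kind': kind, 'name': name, 'reasons': reasons, 'line': line}


def triage(log):
    """Return only the entries that have at least one reason to look at them."""
    hits = (triage_line(l.strip()) for l in log.splitlines())
    return [h for h in hits if h and h['reasons']]
```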
  16. Greetings,

    Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

    Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

    Please make the following system changes:

    • If you have not done so already - Enable System Protection and create a NEW System Restore Point
    • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
    • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed.
    • Disable Fast Startup
    • Show Hidden Folders, Files and Extensions

    Please run the following scans:

    1. Click the following link and run a Scan with AdwCleaner
    2. Click the following link and run a Scan with Malwarebytes
       RESTART the computer
    3. Click the following link and run a Scan with Farbar Recovery Scan Tool

    Example image of where to click to attach files when posting your reply

    Thank you

  17. Greetings,

    It is preferable to attach logs to the forum to get transparent assistance.


    As you have been told before, the only private information would be if you used your real name for your profile name.

    You can send me the logs via Private Message if you like @Resssss

  18. Greetings,

    Yeah, according to your log, Windows Resource Protection found corrupt files and successfully repaired them.

    Quote

    Windows Resource Protection found corrupt files and successfully repaired them.
    For online repairs, details are included in the CBS log file located at
    windir\Logs\CBS\CBS.log.

    So it should be OK now. Please let me know otherwise.

    The following information will help you to keep your computer and data safer as well as improve your overall privacy

    1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
      https://www.howtogeek.com/780233/best-password-manager/
    2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
    3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download     https://patchmypc.com/about-us
    4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
    5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
    6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.

    Malwarebytes Browser Guard

    uBlock Origin


    Cybersecurity basics & protection
    Everything you need to know about cybercrime
    https://www.malwarebytes.com/cybersecurity


    Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

    Hopefully, we've been able to assist you with correcting your system issues.

    Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal

  19. Hello Toastedsnow,

    Thank you for the info. Let's try the following.

    Please do the following to run a FRST fix.

    NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

    • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
      Start::
      CreateRestorePoint:
      CloseProcesses:
      cmd: DISM.exe /Online /Cleanup-image /Restorehealth
      cmd: sfc /scannow
      cmd: del /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*.*"
      cmd: del /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log"
      cmd: del /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\results\quick\*.*"
      cmd: del /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\results\resource\*.*"
      cmd: del /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\results\system\*.*"
      StartPowershell:
      Set-MpPreference -ScanPurgeItemsAfterDelay 1
      Update-MpSignature
      Get-MpComputerStatus
      Get-MpPreference
      EndPowershell:
      ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
      Folder: C:\Windows\System32\Tasks_Migrated
      End::
      
    • Right-click on FRST64 on your Desktop to run it as administrator. When the tool opens, click "yes" to the disclaimer.
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt on your Desktop.
    • Post the log in your next reply.

      Please note the computer will reboot.
  20. Hello Toastedsnow,

    It looks like Defender's history needs to be cleaned up.

    Please do the following to run a FRST fix.

    NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

    • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
      Start::
      CreateRestorePoint:
      CloseProcesses:
      cmd: del /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*.*"
      cmd: del /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log"
      End::

    • Right-click on FRST64 on your Desktop to run it as administrator. When the tool opens, click "yes" to the disclaimer.
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt on your Desktop.
    • Post the log in your next reply.

      Please note the computer will reboot.