kompot

Everything posted by kompot

  1. The issue went away! Thank you very much! I did notice a few entries for SW I no longer have, can or should I delete those? E.g. Maxthon web browser, controversially I think it was spying on its users back in the days, or other entries highlighted in yellow in Autoruns.
  2. Hi Maurice. Many thanks for your help again. I've adjusted MB settings as per your instructions. I attach the Autoruns.zip file. One thing to note - my autorun.exe settings were a bit different to yours, see below the setting I've run it in. I've tried to replicate what you said, let me know if I need to re-run it again with another setup. Best regards. Autoruns.zip
  3. No problem. I did switch it back on, but thanks for the reminder!
  4. I need to read about all this analysis software one day! Thanks Maurice, I did disable ESET protection for this scan, two files are attached. Best regards. dds.txt attach.txt
  5. Thanks Maurice. On every Windows startup I have this prompt to select a program to open the file with. I've opened it with Notepad, here's what I see (I've blanked some of that but not sure if it's required, I can show it if it's not harmful). The file is stored in C:\Users and has a file name the same as my user account; it has no extension. I wonder what the characters at the bottom are... Quick translation from Polish:
     > Interface list
     > <list>
     > IPv4 route table
     > active routes:
     > none
     > persistent routes:
     > none
     > IPv6 route table
     > active routes:
     > none
     > persistent routes:
     > none
     > Asian characters...
     Google Translate isn't really helpful. Thank you.
  6. I could not find these particular menus, but I went to User Accounts in Control Panel and it only lists my and the guest account, so I guess it's OK? I also have done two MB scans, 1st with sync still off, then I switched it on, waited a few minutes and ran the scan again. Both found 0 problems. I guess we're OK here? Huge thanks for your help Maurice!
  7. I found this https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems Perhaps it's a leftover from this being an SSD clone from my system of the HDD?
  8. Thank you Maurice. Bizarre user accounts are visible when I go to: C:\Users\Public -> Right Click -> Properties -> Security -> Group or user names. If I do that on another folder or on a local drive 'folder' I get something more like this (screenshot off the Internet, but I get 'equivalent' content).
  9. Shall I turn the Chrome sync on and run these scripts? I've run the FRST, logs are attached. Thank you Addition.txt FRST.txt
  10. No problems with Chrome in general Maurice. I've run the scripts. First one worked, the other two did not. Second - name of folder incorrect, I also can't find this folder manually. Third one - 'can't find C:\...', same I can't find this folder manually. What do you think about the user account and also the Windows prompt asking which program to use, when trying to 'Run...' a folder path? Regards
  11. OK, so here's what's happening. My cmd line or 'Run' won't run this folder C:\Users\Patryk H\ or subfolders of it. When I do try it, it opens the Windows prompt "To open this file, Windows needs to know what program you want to use?"... I've tried selecting explorer.exe but it just comes back with the same prompt. I can run any other random path outside this, for example this works fine: C:\Users\Public. Other folders on other drives also work OK. I suspect this is the reason for the fix not working in the first place. Another worrying bit is I've discovered a new user, when going to Properties > Security user list. What is that one at the bottom with a red question mark? Name is "account unknown". It has no rights set or blocked, apart from the bottom one, "special rights". I've checked in "User accounts" and it only lists my account and "guest". Many thanks...
  12. I've struggled with some Windows Updates. After googling it my Temp variable was set incorrectly, I've managed to fix it. No change with this script though. Do you want me to delete the contents of folders from the script manually? Thank you
  13. I don't see any problems with my machine. I've just tried to run the ENGLISHFRST64 script again, with Chrome sync off and Chrome closed, log attached. Fixlog.txt
  14. Hello, I've run a local ESET scan, log is attached. Many thanks for your help! ESET_scan.txt
  15. Hi, I might have just done the reset, not sync off, by accident. I've reset it and switched it off now. I have ESET installed, a full proper copy of ESET Internet Security I've bought. Can I run it instead of the online scan?
  16. Yes, I can confirm I run same google account with Chrome on my android phone. What are these 14 PUP.Optional.SmartCoupon items? Thank you for the script, log is attached. Fixlog.txt
  17. Hello, many thanks for the reply. I've followed all 5 steps. Two things to clarify: after I cloned the system from HDD to SSD (as described in post #1), the BSoD issue went away immediately back then, because my broken system on the SSD was overwritten by an old working copy from the HDD; the start menu problem also went away back then. So no technical issues any more, I just need to get rid of the malware etc. A couple of questions I have: Shall I uninstall the S*A*S? I use the browser function to open the last closed session quite a lot, can I use it again? MB has run an automatic scan when I switched my machine on and has found 14 items again... I attach the report. Do I need antimalware software on top of ESET Internet Security? Best regards. MWB_20200630.txt
  18. Thanks again. I've run the MB again with the requested settings and attached the report below. Sorry the start menu is in Polish, I was just trying to indicate which part of it was empty (shown in white). MWB_20202906.txt
  19. Hello, many thanks for the reply. With the Start menu it might have been just the "recently used programmes" that disappeared (due to SAS cleanup?), I never opened Start menu programmes fully so can't say if they disappeared as well, perhaps not. I do not have an actual screenshot from when the problem appeared so I'll try to invent something from memory using MS Paint. See attachment 2.PNG. Secondly I shall clarify that when I posted the thread originally, after I ran the Malwarebytes scan (which found problems) I took no action, just left MB open, and I ran a scan with FRST. So the FRST and Addition attachments in post #1 are from before the Malwarebytes cleanup. Only after FRST finished I clicked the Malwarebytes "cleanup". Confusing I know, sorry. I attach the fixlog as requested. I attach the C log from AdwCleaner. I had the K-Lite codec pack installed for over 5 years, but I've uninstalled it as requested. For the moment I have ESET + MB + SAS installed, I'll wait with the SAS uninstall until explicitly told to do so. Normally I was only using ESET without any antimalware. Many thanks for your help. AdwCleaner[C00].txt Fixlog.txt
  20. Hi All, Please bear with me as I'm new here and not an IT expert. I'll try to give the best description I can to aid this. ASUS K52 laptop, Windows 7, ESET Internet Security AV. Initially it had an HDD holding the system; I then added an SSD, cloned the system onto it and was using the SSD system. I've left the HDD files intact, which was useful lately, see below.

      I've bought some USB receivers and downloaded a few Bluetooth drivers, trying to find a working one. One driver/SW started causing Windows prompts every minute or so about Windows not being able to display a message from it; I ignored them at first, then after googling the issue decided to view it. I believe the message was about the driver not being able to finish the installation. After that I've uninstalled all downloaded Bluetooth drivers/SW through the Control Panel and deleted all files from the local drive.

      In the meantime, in my local drives' Properties/Security/Users I've noticed a username I did not recognise (system and laptop are very old, so it's not 100% impossible I didn't set it up years ago...). It did not have any rights really, and I've deleted this user from Properties/Security/Users on all drives. At the same time, being afraid I might have malware, I've run a known antimalware SW (don't want to do any advertising here, but can reveal the name if necessary) and it found numerous issues including a couple of instances of malware. I've let it fix all of them and then realised my Start menu has emptied. The system was asking for a reboot but would not boot after that; I think it was a BSoD saying msahci.sys was missing. I did have the old system on the HDD so I've booted it and copied the msahci.sys from the Windows folder on the HDD to the SSD. Then booting the SSD system would show another BSoD, this time "Stop: 0x0000007B".

      After googling I've checked:
        • switching AHCI/IDE in BIOS
        • Windows Defender Offline (would not work actually due to the impossibility of updating it, which I've managed to find confirmation for being a known issue)
        • I've downloaded the said antimalware software again and installed it on the HDD system
      I could always access files on the SSD, so it was working OK, it's only that the system was damaged and wouldn't boot. In the end I've wiped my SSD and cloned the system from HDD to it again (I shall highlight this means it's still installed and working). This is the state I'm in at the moment, working off the old clone on the SSD. I'd like to do this properly and have run the instructions to tackle any malware left. Log from Malwarebytes is below, the two files from FRST are attached. Many thanks for your help.

      Malwarebytes
      www.malwarebytes.com

      -Log Details-
      Scan Date: 28/06/2020
      Scan Time: 15:52
      Log File: f1db24c4-b94e-11ea-9f36-20cf306d1e51.json

      -Software Information-
      Version: 4.1.0.56
      Components Version: 1.0.955
      Update Package Version: 1.0.26109
      Licence: Trial

      -System Information-
      OS: Windows 7 Service Pack 1
      CPU: x64
      File System: NTFS
      User: Patryk\Patryk H

      -Scan Summary-
      Scan Type: Threat Scan
      Scan Initiated By: Manual
      Result: Completed
      Objects Scanned: 268180
      Threats Detected: 55
      Threats Quarantined: 0
      Time Elapsed: 11 min, 12 sec

      -Scan Options-
      Memory: Enabled
      Startup: Enabled
      Filesystem: Enabled
      Archives: Enabled
      Rootkits: Disabled
      Heuristics: Enabled
      PUP: Detect
      PUM: Detect

      -Scan Details-
      Process: 0
      (No malicious items detected)

      Module: 0
      (No malicious items detected)

      Registry Key: 11
      PUP.Optional.GetPrivate, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\GPUPDATECHECK, No Action By User, 5192, 238712, , , ,
      PUP.Optional.GetPrivate, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{73A58F8B-AD92-4AF7-81E0-F1303BAA824D}, No Action By User, 5192, 238712, , , ,
      PUP.Optional.GetPrivate, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{73A58F8B-AD92-4AF7-81E0-F1303BAA824D}, No Action By User, 5192, 238712, , , ,
      PUP.Optional.FaceMoods, HKLM\SOFTWARE\CLASSES\APPID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}, No Action By User, 72, 392823, , , ,
      PUP.Optional.FaceMoods, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}, No Action By User, 72, 392823, , , ,
      PUP.Optional.FaceMoods, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{5B1881D1-D9C7-46df-B041-1E593282C7D0}, No Action By User, 72, 392823, 1.0.26109, , ame,
      PUP.Optional.V9.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\V9SOFTWARE\v9hp, No Action By User, 4329, 192831, 1.0.26109, , ame,
      Adware.Agent.OL, HKLM\SOFTWARE\CLASSES\Prod.cap, No Action By User, 6935, 830817, 1.0.26109, , ame,
      PUP.Optional.InstallCore, HKU\S-1-5-21-3985608894-3351105237-3686923162-1001\SOFTWARE\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I, No Action By User, 501, 352832, 1.0.26109, , ame,
      PUP.Optional.SmartTweak, HKU\S-1-5-21-3985608894-3351105237-3686923162-1001\SOFTWARE\SMARTTWEAK\UpdateMyDrivers, No Action By User, 3359, 438807, 1.0.26109, , ame,
      PUP.Optional.SweetIM, HKLM\SOFTWARE\WOW6432NODE\SweetIM, No Action By User, 447, 243762, 1.0.26109, , ame,

      Registry Value: 2
      PUP.Optional.SmartCoupon, HKU\S-1-5-21-3985608894-3351105237-3686923162-1001\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|eonffnnfmbfnmjpaiigdclmfelolemah, No Action By User, 2418, 179643, , , ,
      PUP.Optional.GetPrivate, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{73A58F8B-AD92-4AF7-81E0-F1303BAA824D}|PATH, No Action By User, 5192, 337036, 1.0.26109, , ame,

      Registry Data: 3
      PUP.Optional.V9.ShrtCln, HKU\S-1-5-21-3985608894-3351105237-3686923162-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|DEFAULT_PAGE_URL, No Action By User, 4329, 291265, 1.0.26109, , ame,
      PUP.Optional.V9.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN|DEFAULT_PAGE_URL, No Action By User, 4329, 291270, 1.0.26109, , ame,
      PUP.Optional.V9.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, No Action By User, 4329, 291270, 1.0.26109, , ame,

      Data Stream: 0
      (No malicious items detected)

      Folder: 9
      PUP.Optional.SmartCoupon, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EONFFNNFMBFNMJPAIIGDCLMFELOLEMAH, No Action By User, 2418, 179643, 1.0.26109, , ame,
      PUP.Optional.FFHotfix, C:\USERS\PATRYK H\APPDATA\ROAMING\MOZILLA\FIREFOX\EXTENSIONS\MOZILLAHOTFIX, No Action By User, 1357, 182009, 1.0.26109, , ame,
      PUP.Optional.Carambis, C:\Users\Patryk H\AppData\Roaming\Carambis\Driver Updater\drivers, No Action By User, 1031, 351300, , , ,
      PUP.Optional.Carambis, C:\Users\Patryk H\AppData\Roaming\Carambis\Driver Updater\License, No Action By User, 1031, 351300, , , ,
      PUP.Optional.Carambis, C:\Users\Patryk H\AppData\Roaming\Carambis\Driver Updater\temp, No Action By User, 1031, 351300, , , ,
      PUP.Optional.Carambis, C:\USERS\PATRYK H\APPDATA\ROAMING\CARAMBIS\DRIVER UPDATER, No Action By User, 1031, 351300, 1.0.26109, , ame,
      RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\log, No Action By User, 867, 411853, , , ,
      RiskWare.BitCoinMiner, C:\USERS\PATRYK H\APPDATA\LOCAL\MINERGATE, No Action By User, 867, 411853, 1.0.26109, , ame,
      PUP.Optional.Babylon, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 393, 455059, , , ,

      File: 30
      PUP.Optional.GetPrivate, C:\WINDOWS\SYSTEM32\TASKS\GPUPDATECHECK, No Action By User, 5192, 238712, 1.0.26109, , ame,
      PUP.Optional.SmartCoupon, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, No Action By User, 2418, 179643, , , ,
      PUP.Optional.SmartCoupon, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, No Action By User, 2418, 179643, , , ,
      RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\log\aeon.log, No Action By User, 867, 411853, , , ,
      RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\log\bcn.log, No Action By User, 867, 411853, , , ,
      RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\log\minergate.log, No Action By User, 867, 411853, , , ,
      RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\log\xmr.log, No Action By User, 867, 411853, , , ,
      RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\hrackopane@gmail.com.achievements, No Action By User, 867, 411853, , , ,
      RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\hrackopane@gmail.com.achievements.bak, No Action By User, 867, 411853, , , ,
      RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\miners.ini, No Action By User, 867, 411853, , , ,
      RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\pools.config, No Action By User, 867, 411853, , , ,
      PUP.Optional.MindSpark, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\LOCAL STORAGE\http_www.easypdfcombine.com_0.localstorage, No Action By User, 717, 490519, 1.0.26109, , ame,
      PUP.Optional.MindSpark, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\LOCAL STORAGE\http_www.easypdfcombine.com_0.localstorage-journal, No Action By User, 717, 490519, 1.0.26109, , ame,
      PUP.Optional.Carambis, C:\PROGRAMDATA\mtbjfghn.xbe, No Action By User, 1031, 726629, 1.0.26109, , ame,
      PUP.Optional.MindSpark.Generic, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\LOCAL STORAGE\http_easypdfcombine.dl.tb.ask.com_0.localstorage, No Action By User, 1817, 443123, 1.0.26109, , ame,
      PUP.Optional.MindSpark.Generic, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\LOCAL STORAGE\http_easypdfcombine.dl.tb.ask.com_0.localstorage-journal, No Action By User, 1817, 443123, 1.0.26109, , ame,
      PUP.Optional.MindSpark.Generic, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\LOCAL STORAGE\http_easypdfcombine.dl.myway.com_0.localstorage, No Action By User, 1817, 443124, 1.0.26109, , ame,
      PUP.Optional.MindSpark.Generic, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\LOCAL STORAGE\http_easypdfcombine.dl.myway.com_0.localstorage-journal, No Action By User, 1817, 443124, 1.0.26109, , ame,
      HackTool.Agent, C:\PROGRAM FILES (X86)\WINOLS\LOADER_WINOLS.1.500.EXE, No Action By User, 3930, 1570, 1.0.26109, AAC3EA3CF22BC9A8ED2AFE1E, dds, 00784156
      HackTool.Agent, C:\PROGRAM FILES (X86)\WINOLS\WINOLS.EXE, No Action By User, 3930, 1570, 1.0.26109, AAC3EA3CF22BC9A8ED2AFE1E, dds, 00784156
      PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, No Action By User, 393, 455059, , , ,
      PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000038.ldb, No Action By User, 393, 455059, , , ,
      PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000039.log, No Action By User, 393, 455059, , , ,
      PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000040.ldb, No Action By User, 393, 455059, , , ,
      PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, No Action By User, 393, 455059, , , ,
      PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, No Action By User, 393, 455059, , , ,
      PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, No Action By User, 393, 455059, , , ,
      PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, No Action By User, 393, 455059, , , ,
      PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, No Action By User, 393, 455059, , , ,
      PUP.Optional.Babylon, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 393, 455059, 1.0.26109, , ame,

      Physical Sector: 0
      (No malicious items detected)

      WMI: 0
      (No malicious items detected)

      (end)

      Addition.txt FRST.txt
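The Malwarebytes report above lists every finding as one comma-separated row under a category header inside "-Scan Details-". The script below is an added example (my own code, not Malwarebytes' tooling and not anything the forum helpers posted) that parses those rows into detection name, category, location and action, then groups them in the two ways that matter for triage in this thread: which detections are tooling or miners rather than browser PUPs, and which live inside a Chrome profile (Preferences, Secure Preferences, Sync Data), since the thread shows that category reappearing while Chrome sync was still on. SAMPLE_REPORT is a constructed log that copies the posted format with sample paths; the severity ranking in _SEVERITY is my own assumption, not a Malwarebytes classification.

```python
"""Parse the '-Scan Details-' section of a Malwarebytes 4.x text report and
summarise it for triage.  Added example; not Malwarebytes' own tooling."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple


class Detection(NamedTuple):
    category: str   # "Registry Key", "Folder", "File", ...
    name: str       # e.g. "RiskWare.BitCoinMiner"
    location: str   # registry path or file path
    action: str     # e.g. "No Action By User"


# Category header inside -Scan Details-, e.g. "Registry Key: 11" or "File: 30"
_HEADER = re.compile(r"^([A-Za-z][A-Za-z ]*): (\d+)$")

# Assumed triage ranking (my assumption): families that indicate active
# tooling or miners are reviewed before adware, which is reviewed before PUP/PUM.
_SEVERITY = {"RiskWare": 3, "HackTool": 3, "Trojan": 3, "Backdoor": 3,
             "Adware": 2, "PUP": 1, "PUM": 1}


def parse_scan_details(report: str) -> List[Detection]:
    """Return one Detection per finding row between -Scan Details- and (end)."""
    lines = [ln.strip() for ln in report.splitlines()]
    if "-Scan Details-" not in lines:
        return []
    found: List[Detection] = []
    category = None
    for line in lines[lines.index("-Scan Details-") + 1:]:
        if not line or line.startswith("(No malicious"):
            continue
        if line == "(end)":
            break
        header = _HEADER.match(line)
        if header:
            category = header.group(1)
            continue
        if category is None or "," not in line:
            continue
        # Row layout: name, location, action, id, id, version, hash, type, extra
        # (9 fields).  Split on bare commas so empty trailing fields survive,
        # and rebuild the location from whatever sits between name and the
        # last seven fields in case a path itself contains a comma.
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 9:
            continue
        location = ",".join(fields[1:-7]).strip()
        found.append(Detection(category, fields[0], location, fields[-7]))
    return found


def severity(name: str) -> int:
    """Rank by the detection family prefix (text before the first dot)."""
    return _SEVERITY.get(name.split(".")[0], 2)


def scope_of(location: str) -> str:
    """Classify where a finding lives; Chrome profile data is flagged because
    browser sync can restore it after a local clean-up."""
    loc = location.upper()
    if loc.startswith("HKLM\\"):
        return "machine registry"
    if loc.startswith("HKU\\"):
        return "user registry"
    if "\\CHROME\\USER DATA\\" in loc and ("\\SYNC DATA\\" in loc or "PREFERENCES" in loc):
        return "chrome profile (may return via sync)"
    if loc.startswith("C:\\USERS\\"):
        return "user profile"
    return "machine filesystem"


def summarise(found: List[Detection]) -> Dict[str, object]:
    by_family = Counter(d.name for d in found)
    by_scope: Dict[str, int] = defaultdict(int)
    for d in found:
        by_scope[scope_of(d.location)] += 1
    review_first = sorted({d.name for d in found if severity(d.name) >= 3})
    return {"families": dict(by_family), "by_scope": dict(by_scope),
            "review_first": review_first}


# Constructed sample in the posted format (sample user name and paths).
SAMPLE_REPORT = r"""Malwarebytes
www.malwarebytes.com

-Scan Summary-
Threats Detected: 6
Time Elapsed: 11 min, 12 sec

-Scan Details-
Process: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.GetPrivate, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\GPUPDATECHECK, No Action By User, 5192, 238712, , , ,
Adware.Agent.OL, HKLM\SOFTWARE\CLASSES\Prod.cap, No Action By User, 6935, 830817, 1.0.26109, , ame,

Folder: 2
RiskWare.BitCoinMiner, C:\Users\Example\AppData\Local\minergate\log, No Action By User, 867, 411853, , , ,
PUP.Optional.Babylon, C:\USERS\EXAMPLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 393, 455059, , , ,

File: 2
HackTool.Agent, C:\PROGRAM FILES (X86)\EXAMPLE\TOOL.EXE, No Action By User, 3930, 1570, 1.0.26109, 0123456789ABCDEF0123456789ABCDEF, dds, 00000000
PUP.Optional.SmartCoupon, C:\USERS\EXAMPLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, No Action By User, 2418, 179643, , , ,

(end)
"""

if __name__ == "__main__":
    for key, value in summarise(parse_scan_details(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run it against a real report by reading the file into `parse_scan_details`; the "review_first" list is what to look at before bulk-quarantining browser PUPs, and a non-zero "chrome profile" count is the cue to disable browser sync before the clean-up so the items are not restored from the cloud copy.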