
My Lenovo Laptop is infected



Hello,

My laptop has been acting up for a while. It exits full screen on its own, hangs up in Chrome, Opera, and IE and freezes up constantly when browsing, hangs up and freezes when using Explorer and other apps as well. It runs slower than it ever has and has got me to the point of just going down and buying a new machine. It is a Lenovo 550Touch, 64 bit, running Windows 10. I have run Malwarebytes 3.0 but it only found two PUPs and a Yahoo Chrome add-on which it quarantined, but this didn't help the symptoms.

Attached are the two logs from FRST64.

Thanks for your help!

 

Mike0921

FRST.txt

Addition.txt


  • Root Admin

Hello @Mike0921

Sorry for the delay, please follow the directions below.

 

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message.
  • When completed make sure to re-enable your antivirus

STEP 02

 

 

Fix with AdwCleaner

 

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After the reboot, the log file will open. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


Hi, thanks for responding. Because of the time delay, the FRST logs I ran and attached to my first post as instructed might not be valid. I have made some changes to my laptop. Installed a couple of battery saver widgets, and I installed a few programs that I never use...

Should I reproduce the "First" logs generated, repost them for you, and then follow and execute these instructions? Or is it okay to execute these new instructions now?

 

Sorry for the confusion,

 

Mike


Ron,

The Sophos Virus Tool did not find anything and reported my laptop Clean.

Here are the logs generated from the tools you had me download.

 I am beginning to really wonder why my PC is lagging and freezing all the time... The blue progress circle spinning and freezing itself at times as well.  I am hoping you find something! 

Thanks,

Mike

AdwCleaner[C0].txt

Addition.txt

AdwCleaner[S0].txt

FRST.txt


  • Root Admin

Let's go ahead and remove this Intel Driver Update. It is running multiple instances and Windows will automatically update the Intel drivers if needed.

 

  • Open Task Manager and terminate the Intel Driver Update Utility process, including Esrv.exe file.
  • Right-click on Windows key and select Control Panel.
  • Open Programs and Features applet and locate Intel Driver Update Utility.
  • Click it and select Uninstall.
  • Once done, reboot your PC.

You have more Chrome extensions than probably anyone else I've ever seen. That has to be slowing down Chrome usage in general, but it should not be affecting the other browsers, which you say are also slow.

This service has something wrong with it and it crashes quite often.

System errors:
=============
Error: (06/06/2017 08:03:29 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Energy Server Service WILLAMETTE service terminated unexpectedly.  It has done this 49 time(s).

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

 

 

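An added example (mine, not from the thread or from Malwarebytes): the EventID 7034 line quoted above is the Service Control Manager recording a service that exited without a clean stop. The PowerShell below, run elevated on the affected machine, pulls every 7034 event from the System log for the last 30 days, counts them per service, resolves each service's display name to the binary that actually runs, and then looks for the esrv.exe process by executable name (Task Manager's default view lists the description column, which is one reason a process can be hard to spot by file name). The 30-day window and the process name list are assumptions you can change at the top.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell.
param(
    [int]$Days = 30,                      # assumption: how far back to look
    [string[]]$ProcessNames = @('esrv')   # assumption: process names (without .exe) to look for
)

$since = (Get-Date).AddDays(-$Days)

# EventID 7034 from Service Control Manager reads "The X service terminated unexpectedly.
# It has done this N time(s)." Properties[0] carries the service display name.
$crashes = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7034
    StartTime    = $since
} -ErrorAction SilentlyContinue)

if ($crashes.Count -eq 0) {
    "No 7034 (service terminated unexpectedly) events in the last $Days days."
} else {
    "Service crashes (EventID 7034) in the last $Days days:"
    $crashes |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Service = [string]$_.Properties[0].Value }
        } |
        Group-Object Service |
        Sort-Object Count -Descending |
        ForEach-Object {
            $last = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
            # Resolve the display name to the service record so you know which file is crashing.
            $svc  = Get-CimInstance Win32_Service -Filter ("DisplayName='{0}'" -f ($_.Name -replace "'", "''"))
            [pscustomobject]@{
                Service   = $_.Name
                Crashes   = $_.Count
                LastCrash = $last
                Name      = $svc.Name
                StartMode = $svc.StartMode
                Path      = $svc.PathName
            }
        } | Format-Table -AutoSize -Wrap
}

# Look for the processes by executable name rather than by the description Task Manager shows.
foreach ($p in $ProcessNames) {
    $procs = @(Get-Process -Name $p -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) {
        "$p.exe is not running."
    } else {
        $procs | Select-Object Id, ProcessName, Path, Company | Format-Table -AutoSize -Wrap
    }
}
```

Save it as a .ps1 and run it as `.\Get-ServiceCrashes.ps1 -Days 60 -ProcessNames esrv,LiveUpdate` to widen the window or check other binaries. A service that shows up here dozens of times, as the Energy Server service does in the log above, is worth uninstalling or disabling before hunting for malware, since the restart loop alone explains a good deal of lag.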

13 minutes ago, AdvancedSetup said:

Open Task Manager and terminate the Intel Driver Update Utility process, including Esrv.exe file.

I did not see anything labeled as an Intel Driver Update Utility in the process list of the Task Manager. Nor did I see a file labeled Esrv.exe.

There is an Update Driver Utility in the list of Programs in my Revo Uninstaller Pro. Again no Esrv.exe there, but it shouldn't be anyway, right?

I just read about too many extensions in Chrome while waiting. I had decided to remove all but the three or four I actually use regularly, but I wanted to ask you if I can do that now or wait until finished with your instructions... what should I do?

I'm going now to uninstall the driver utility program.


  • Root Admin

Be careful removing an unknown Driver Utility - it may be valid. But as long as you've created a System Restore Point before the removal it should be okay.

You can go ahead and remove the extensions in Chrome. When done, reboot the computer and let me know how it runs now. Any better ?

Ron

 


Hi Ron,

1. I apologize for being unclear above. I meant that I had the Intel Update Driver Utility listed in Revo Pro but not in the Task Manager. I did uninstall that using Revo Pro.

2. What about having no Esrv.exe?  

So, I will run the FRST.exe program with the Fixlist.txt file in the same folder and then remove the extensions from Chrome.

I should have the results posted in about an hour or so. It's dinner time!

Thanks,


  • Root Admin

From what I've read online from others the Intel Utility is just there for updates, but Windows 10 will already automatically update the driver if needed. I don't keep those types of apps running on my system. If I'm having an issue and I've verified it is an older driver issue (pretty rare) then I'll go manually get the newer driver myself. No need letting something like that run 24/7 for years with no updates and just sucking up resources for nothing.

 


Ron,

I am speechless! It took all of about two minutes to notice the difference! I really have been using my laptop for ten minutes or so after I ran the Fix function of FRST and then removed all but eight of the Chrome extensions. I'm one of those users who always have twelve or thirteen Chrome tabs open when I work or just surf the web. I'm not sure what the fixlist.txt file you had me run did, but doing both things you had me do sure made a difference.

What next?

 


  • Root Admin

Please open Malwarebytes and run a Threat Scan and post back that log.

Then reboot the computer and run FRST again and make sure to place a checkmark in the Addition.txt checkbox and post back those two logs as an attachment and we'll see what else is going on.

Also let me know if you're seeing or experiencing an issue that might be malware related.

Thanks

 


  • Root Admin

Overall the logs look pretty good from a malware point of view. You have a few Event Log errors about programs and things you might want to research and see if you can fix.

You do have a couple entries for old Java that is compromised. I would highly recommend that you uninstall ALL versions of Java and if you can go without Java that would be my recommendation.

Also, check and make sure your Flash player is up to date.

https://helpx.adobe.com/flash-player.html

Other than that you should be good to go. I'll go ahead and close your topic soon unless there is something else.

Take care Mike

Cheers

Ron

 


Ron

Isn't Java needed for web surfing and such?  What do I do when a window pops up letting me know I need it to do something? What do I replace it with when something isn't working? I'm not really all that sure about how much it is needed and all that it is used for.

I went to update Flash Player and the web page told me I don't need to because my browser has it incorporated within it. It said the same thing about Edge and IE... not that I use either very much. :)

I do appreciate your help in all this!

Mike


  • Root Admin

IE can and does use Flash. Edge and Chrome do not.

JavaScript (not the same thing as Java) is typically what almost all web pages use. There are some pages that use Java - but with billions and billions of web pages out there most do not use it. If you happen to visit some site regularly that does need Java then by all means go ahead and install Java, but only from https://java.com, no other sites. If you get a popup that says you need it then distrust it at first and go to the official Java site to get it, not that web site.

You're quite welcome for the help Mike.

Aside from that we should be done here. I'll give you a closing speech and wish for you a great weekend.

Take care

Ron

 


  • Root Admin

At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if run at the wrong time.
They are often updated daily, so if you went to use them again in the future they would be outdated anyway.

The following procedures will implement some cleanup procedures to remove these tools.
 
Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot


Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
i.e.: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc. AdwCleaner > just run the program and click Uninstall.


 
If there are any other left over Folders, Files, Logs then you can delete them on your own.
 
Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis I advise not using Java if possible, but at least disable Java in your web browsers.
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.


If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.

 


Ron,

Thanks for this info. I wasn't aware of the risks of using Java. I have also updated Flash and will now go on to finish the rest of your instructions. When I'm finished I'll post back here and let you know.

Mike

 

 


Hello again!

I have deleted all of the old restore points and created a new one. My laptop is running faster and smoother than it has since I bought it I think. :) 

One last request, you mentioned some items in my event log that I should check. Could you please give me an idea what I would be looking for to check and where I would find them? Under which task in the Task Category should I look, and am I looking for warnings or what? I could take it from there... just need to know a few terms I guess.

I'll sign off and say goodbye now so you can close this out.

Again, thanks a million. I hope your weekend was like you were hoping for! (In a good way :D)

 

 


  • Root Admin

Hi Mike,

Sorry for the delay. The good news is that since all the cleaning we've already done the Event Logs are not showing any new, ongoing errors.

There are some things to look at though I think and I'll ask you to decide.

 


This program loads every time you start the computer but it's from 2014. Do you use it daily? I'd recommend removing it from starting each time the computer starts.
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2087264 2014-09-11] (Wondershare)

This needs to get fixed. System Restore can save your hide sometime in an emergency. Please try to fix and enable it or explain again what's up with it.
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION

Probably nothing wrong with this - I just don't like Google all that much and I don't like using names like this to launch a process. Up to you; on my computer I'd remove it, but I see you use Google quite a bit so maybe it's okay for you to leave it alone.
HKU\S-1-5-21-600349727-4254295022-2170233210-1001\...\Run: [09009A79D78F7D57D59454FD1051E02615098430._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1197912 2017-06-03] (Google Inc.)

Odd entry for a normal BootExecute setting. I was not able to find an entry for "bootdelete" maybe Hitman Pro or iObit placed it there. Personally I'd recommend removing it and putting it back to the Microsoft defaults.
BootExecute: autocheck autochk * bootdelete


I don't like most restrictions unless I made them myself and I know what they're doing. If you're not sure what it is or what placed the restriction I'd remove it.
HKU\S-1-5-21-600349727-4254295022-2170233210-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION


You no longer appear to have any of the Chinese company iObit software on your computer except for this service. I'd recommend removing it.
S2 LiveUpdateSvc; C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2585376 2015-03-26] (IObit)

You don't appear to be using or have any McAfee installed software on the computer. I'd recommend removing this service.
S0 mfeelamk; C:\WINDOWS\System32\drivers\mfeelamk.sys [82072 2015-08-10] (McAfee, Inc.)

We should run a temp cleaner.
2017-06-11 12:43 - 2016-03-02 16:13 - 0922152 _____ (McAfee, Inc.) C:\Users\Mike\AppData\Local\Temp\0084051497199427McInst.exe
2017-06-09 14:40 - 2017-06-09 14:40 - 2974456 _____ () C:\Users\Mike\AppData\Local\Temp\npp.7.3.3.Installer.x64.exe


I would highly recommend you run MSCONFIG and put it on NORMAL and reboot. Then run MSCONFIG again and verify it stayed on NORMAL

Please read the following article concerning the use of MSCONFIG
Msconfig Is Not A Startup Manager


==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\StartupFolder: => "FAH.lnk"
HKLM\...\StartupApproved\StartupFolder: => "WinZip Preloader.lnk"
HKLM\...\StartupApproved\StartupFolder: => "Update Notifier.lnk"
HKLM\...\StartupApproved\Run: => "Energy Manager"
HKLM\...\StartupApproved\Run: => "Lenovo Utility"
HKLM\...\StartupApproved\Run: => "Acronis Scheduler2 Service"
HKLM\...\StartupApproved\Run32: => "IJNetworkScanUtility"
HKLM\...\StartupApproved\Run32: => "AcronisTibMounterMonitor"
HKLM\...\StartupApproved\Run32: => "TrueImageMonitor.exe"
HKLM\...\StartupApproved\Run32: => "Wondershare Helper Compact.exe"
HKLM\...\StartupApproved\Run32: => "SDTray"
HKLM\...\StartupApproved\Run32: => "5KPlayer.exe"
HKU\S-1-5-21-600349727-4254295022-2170233210-1001\...\StartupApproved\StartupFolder: => "Qpid Network 1.lnk"
HKU\S-1-5-21-600349727-4254295022-2170233210-1001\...\StartupApproved\StartupFolder: => "EvernoteClipper.lnk"
HKU\S-1-5-21-600349727-4254295022-2170233210-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-600349727-4254295022-2170233210-1001\...\StartupApproved\Run: => "GlassWire"
HKU\S-1-5-21-600349727-4254295022-2170233210-1001\...\StartupApproved\Run: => "GoogleDriveSync"
HKU\S-1-5-21-600349727-4254295022-2170233210-1001\...\StartupApproved\Run: => "Amazon Cloud Drive"
HKU\S-1-5-21-600349727-4254295022-2170233210-1001\...\StartupApproved\Run: => "CCleaner Monitoring"
HKU\S-1-5-21-600349727-4254295022-2170233210-1001\...\StartupApproved\Run: => "Parallels Access"
HKU\S-1-5-21-600349727-4254295022-2170233210-1001\...\StartupApproved\Run: => "09009A79D78F7D57D59454FD1051E02615098430._service_run"
HKU\S-1-5-21-600349727-4254295022-2170233210-1001\...\StartupApproved\Run: => "Pushbullet"
HKU\S-1-5-21-600349727-4254295022-2170233210-1001\...\StartupApproved\Run: => "AirDroid 3"
HKU\S-1-5-21-600349727-4254295022-2170233210-1001\...\StartupApproved\Run: => "Chromium"
HKU\S-1-5-21-600349727-4254295022-2170233210-1001\...\StartupApproved\Run: => "SendAnywhere"

 

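An added example, mine and not part of the thread or of FRST: every category in the list above lives in a small set of well-known registry locations, so you can re-check them with built-in PowerShell without running FRST again. The script reads the Run keys (native and WOW6432Node), the StartupApproved flags behind the "MSCONFIG/TASK MANAGER disabled items" section, the SystemRestore and Internet Explorer policy keys, BootExecute, and the two services named above, and reports whether each referenced file still exists and carries a valid Authenticode signature. It only reads; the clean-up commands at the end are comments to adapt once you have decided an entry is unwanted. The reading of the first StartupApproved byte (0x02 enabled, 0x03 disabled) and the two service names are assumptions, the former from how Windows stores the Task Manager toggle and the latter taken from the log lines above.

```powershell
# Added example, not from the original thread. Read-only audit; run elevated.
$ErrorActionPreference = 'SilentlyContinue'

function Get-ImageFile([string]$cmd) {
    # Recover the executable or driver path from a Run value or ImagePath,
    # with or without surrounding quotes and trailing arguments.
    if ($cmd -match '^"([^"]+)"')        { return $Matches[1] }
    if ($cmd -match '^(.+?\.(exe|sys))') { return $Matches[1] }
    return $cmd
}

'== Run entries (does the file still exist, and is it signed?) =='
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$entries = foreach ($p in $runKeys) {
    $key = Get-Item $p
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $exe = Get-ImageFile $key.GetValue($name)
        $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'FILE MISSING' }
        [pscustomobject]@{ Key = $p; Name = $name; Exe = $exe; Signature = $sig }
    }
}
$entries | Format-Table -AutoSize -Wrap

'== Items turned off via Task Manager (StartupApproved, first byte 0x03 = disabled) =='
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in 'Run', 'Run32', 'StartupFolder') {
        $k = Get-Item "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\$sub"
        if (-not $k) { continue }
        foreach ($n in $k.GetValueNames()) {
            $b = $k.GetValue($n)
            # assumption: 0x02 = enabled, 0x03 = disabled (how Windows stores the toggle)
            if ($b -is [byte[]] -and $b[0] -eq 3) { "{0}\...\StartupApproved\{1}: {2}" -f $hive, $sub, $n }
        }
    }
}

'== System Restore policy (a value of 1 here switches System Restore off) =='
$sr = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
if ($sr) { $sr | Select-Object DisableSR, DisableConfig | Format-List }
else     { 'No SystemRestore policy key: nothing is overriding the default.' }

'== Internet Explorer policy restrictions for the current user =='
$ie = 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer'
foreach ($k in @(Get-Item $ie) + @(Get-ChildItem $ie -Recurse)) {
    if (-not $k) { continue }
    foreach ($n in $k.GetValueNames()) { "{0}: {1} = {2}" -f $k.Name, $n, $k.GetValue($n) }
}

'== BootExecute (Windows default is exactly "autocheck autochk *") =='
$be = @((Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').BootExecute)
$be -join ' | '
if (($be -join ' ') -ne 'autocheck autochk *') { 'BootExecute has been changed from the default.' }

'== Leftover services / drivers named in the FRST log =='
foreach ($s in 'LiveUpdateSvc', 'mfeelamk') {   # assumption: names taken from the thread
    $r = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$s"
    if (-not $r) { "{0}: not present" -f $s; continue }
    # Drivers often store a relative ImagePath; expand it so Test-Path can find the file.
    $img  = $r.ImagePath -replace '^\\SystemRoot', $env:SystemRoot -replace '^System32', "$env:SystemRoot\System32"
    $file = Get-ImageFile $img
    "{0}: Start={1} (0=boot,1=system,2=auto,3=manual,4=disabled) Image={2} Exists={3}" -f $s, $r.Start, $file, (Test-Path $file)
}

# Clean-up, once you have decided an entry is unwanted (run one at a time, after creating a restore point):
# Remove-ItemProperty 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run' -Name 'Wondershare Helper Compact.exe'
# Remove-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' -Name DisableSR, DisableConfig
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name BootExecute -Type MultiString -Value @('autocheck autochk *')
# Stop-Service LiveUpdateSvc; sc.exe delete LiveUpdateSvc
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mfeelamk' -Name Start -Value 4   # boot-start driver: disable, reboot, then sc.exe delete mfeelamk
```

Two things the signature column buys you that the FRST listing does not: an entry whose file is gone ("FILE MISSING") is dead weight that can simply be deleted, and an entry whose file exists but is unsigned or has a broken signature deserves a closer look before you decide it is just a leftover updater. The mfeelamk driver is boot-start (Start=0), which is why it is disabled first and deleted only after a reboot rather than stopped like an ordinary service.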
