(file) contained a virus and was deleted,

[asuslappy]

I have been having strange messages for over a month, one started by saying "invalid java home" or similar then now I see I cannot download a file from my browser even when I know it does not have a virus.  I might have the zeroaccess rootkit, not sure.

Please help

malwarebytes log.txt

FRST.txt

Addition.txt

[AdvancedSetup]

Hello @asuslappy and

You have an old possibly compromised version of Java installed. Please uninstall all versions of Java from Control Panel, Programs, Add/Remove

You have µTorrent installed. Though it's legal to use it opens ports and access to your computer that can greatly increase your chances of being infected. Though there are legal uses for the program the vast majority of use on the web is illegal in most Countries. I would highly suggest uninstalling and not using P2P software.

The computer is also running a hack to steal software from Microsoft.

I can help you to clean up the computer but in so doing I will remove all of these hacks. If that's something you'd like to proceed with please let me know.

Thank you

Ron

 

 

[asuslappy]

Yes, lets proceed. I purchased a new computer for my son to go to college and took this one back.  So not aware of what is on it.

I only had one java on uninstall programs that being Java 8 Update 161, when I went to uninstall it I received the message "Cannot determine valid java home"  and had to click "ok" to continue. no other java programs are showing now.

[AdvancedSetup]

Recommendations

1. Uninstall µTorrent
2. No security issue I'm aware of but 7 Zip is now on 18.05 you're on 18.01 - once done here you may want to possibly update https://www.7-zip.org/download.html
3. Due to possible corruption I would recommend you temporarily uninstall the AVG antivirus (Windows 10 has Defender antivirus so you're still protected) then once done if you so decide we'll go ahead and reinstall AVG or any other antivirus of your choice.
4. Uninstall Bonjour
5. The release version of WinRAR is 5.60 you have 5.01 - again, once done you may want to consider an update
6. WinZip is on version 22, you're on 15. Unfortunately the amount of advertising from WinZip nowadays it incredible. Difficult to recommend an upgrade or possibly even using it considering you have 7-Zip and WinRAR both of which can do much of what WinZip can do already. Just making you aware, up to you what you choose to do. I'm not aware of any specific threats directed at older versions of the program.
7. You have 2 entries for Russian programs for MS Office. "Language package for supporting the placement of the Microsoft Visual Studio Tools toolkit for working with 2012 (x64) applications - RUS" Do you know, speak or use Russian? Not sure why a Russian version is installed instead of an English version.
8. You may want to read up on CCleaner and decide for yourslef if you wish to continue using it.  https://betanews.com/2018/08/01/do-not-install-the-latest-version-of-ccleaner/

 

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks, Ron

 

 

Edited September 28, 2018 by AdvancedSetup
Updated information

[asuslappy]

Thanks for the instructions Ron,

I have uninstalled utorrent, and WinRAR and ran frst64 file attached.

I will note that I was not able to download the file you attached on the previous message with Microsoft edge, "kept saying file contained a virus and was deleted"  however I used "TOR" browser and it worked.

Russian Language:  this is a mystery,  I do not know anyone who speaks Russian nor does my son who had this computer previously.

Fixlog.txt

[AdvancedSetup]

I don't believe they are an issue but they are installed and hidden to the normal Add/Remove due to a registry key entry saying not to show them.

 

Языковой пакет для поддержки размещения набора средств Microsoft Visual Studio Tools для работы с приложениями 2012 (x64) - RUS (HKLM\...\{25FB53C5-BE4C-3B6C-A0C9-D49A39227E1E}) (Version: 11.0.51108 - Microsoft Corporation) Hidden
Языковой пакет для поддержки размещения набора средств Microsoft Visual Studio Tools для работы с приложениями 2012 (x86) - RUS (HKLM-x32\...\{68DC347D-C1C0-3DE2-A53E-CCC71DA53E57}) (Version: 11.0.51108 - Microsoft Corporation) Hidden

How is the computer running now?

Let's go ahead and have you run a Kaspersky antivirus scan to make sure nothing else is found.

 

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not

[asuslappy]

I am still unable to download a file in Edge.  When I went to download the kapersky file you attached it said it contained a virus and deleted it.  I attach a screen shot to show you.   Also, I find that when I open windows explorer it runs the green bar at the top for a few seconds before it will display the icons for the folders.  This seems unusual compared to other computer I have. I sometimes notice the fan running very fast when there does not seem to be any active task going on other than open windows, and this is not how it about 6 months ago. I only have SSD no mechanical Hard Drive.   I think there is still something wrong.

I ran Kapersky only after downloading through tor browser again, it reported no threats found.

[AdvancedSetup]

Please open an elevated Admin command prompt and type in the following and let it run. Post back the results of what it says when it's done.

 

SFC   /SCANNOW

Ron

 

[asuslappy]

I just went to my laptop and noticed that all the lights were on in front indicating that the computer was running, WITH THE LID DOWN.

I opened the lid and it appeard to have rebooted "after:"  I closed the lid around 1am, and got the following messages:

"windows cannot find the specified file" and in the background the cmd promp window is open with the path C:\windows\system32\cmd.exe. the message window is looking for a file in the windows temp directory (see screen shot)

within a few seconds another message appeared at the bottom left saying that the virus windows defender and Malwarebytes was turned off, I opened Malwarebytes and it said it was on ??????

I did not run the the SFC command yet, but wanted to show the messages I received after opening the laptop lid this morning,

I will proceed to run the SFC command and post back after it's finished.

[asuslappy]

ran SFC /scannow

Windows resource protection did not find integrity violations

[asuslappy]

I just tried to download a picture from facebook messenger and still getting the message that the download contained a virus and was deleted using Microsoft edge (see attached)

[AdvancedSetup]

We're not done yet.

Please go ahead and run FRST again. Make sure you place a check mark in the Additions.txt check box and attach both new logs on your next reply.

Ron

 

[asuslappy]

done

FRST.txt

Addition.txt

[AdvancedSetup]

Please double-check your date and time on the computer and make sure it's correct.

Then run the following.

 

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Microsoft Edge
How to Reset Microsoft Edge in Windows 10

Firefox
Click on Help / Troubleshooting Information then click on the Refresh Firefox button.

Chrome
Reset Chrome back to defaults to completely clear out issues with Chrome.

• Open Chrome and at the top right, click  More tools  Extensions
• Write down the list of Extensions installed.
• Next, go to >> Google Sync << and sign into your account. Make sure you know your password as this will clear it from the browser.
• Scroll down until you see the   "reset sync" button to clear your data from the server and remove your passphrase.
• Now, close all Chrome windows. Chrome cannot be running for the next step. If needed, print this information or use another browser to read the information.
• Press the Windows key + R at the same time, to bring up the run dialog box.
   
  • 
     
• Type in (or copy/paste) the following and press Enter:     %localappdata%\Google\Chrome\User Data\Default\

1. Press Ctrl + A to select all the files and folders.
2. Hold down Ctrl + A and click once on the files "Bookmarks" and "Bookmarks.bak". This will unselect them.
3. With all the files selected (except for your Bookmarks), press the Delete key and click Yes to delete the files and folders.
4. Example of all files and folders selected, except Bookmarks

 

Restart your computer now and make sure there are no longer any redirects or other browser issues and let me know the results

Thanks

Ron

 

 

[asuslappy]

I completed all the above steps,  i was not getting browser redirects that i am aware of, however I do not know if my search results where altered as I have read could be done when you have a virus.

Microsoft Edge still will not download a picture and says it was deleted because it contained a virus.  I did not notice any differences after completing the tasks.

[AdvancedSetup]

Please run the following from an elevated Admin command prompt.

dism /online /cleanup-image /restorehealth

 

https://www.windowscentral.com/how-use-dism-command-line-utility-repair-windows-10-image

 

 

[asuslappy]

Done.  It said 100% The restore operation completed successfully.  It did not indicate any findings.

[asuslappy]

I did a test by right clicking a picture on face book and it allowed me to download it.  But if I open messenger and pick a picture there is a download option at the top right and when I select this this comes up and says "running security scan"  then says ….. contained a virus and was deleted.  So apparently it seems to be when it has to run a security scan but not when I save using a method that does not want to run a scan.  I don't know what triggers the security scan to activate but seems that what ever it tries to scan it finds that there is a virus when I know there is not.

[asuslappy]

I Have also noticed that fan is not running as much and the temp of the drive that is being registered is much lower than it has been lately since the changes you have had me do.

[AdvancedSetup]

The computer is a lot cleaner. Send me a PM (private message) with links to some examples of files you're trying to download please.

 

[AdvancedSetup]

Since this issue is resolved the topic will now be closed to prevent others from posting here.

If you need assistance please start your own new topic and someone will be happy to assist you.

Thanks