CTHrobo

Help removing HKU/s-1-5-21


Hi, 😋

My name is Maurice. I will be helping and guiding you, going forward on this case. Please let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

Please only attach the report files, etc., that I ask for as we go along.

Thanks for those reports provided. PUP.Optional.MySearch.Generic was found & removed in the Chrome browser.

Chrome happens to be one of the more pesky browsers to keep clean.

Let's start out with what follows.

[ 1 ]

Turn off "SYNC" for Google Chrome.

Using the Chrome browser, go to https://www.google.com/settings/chrome/sync and sign in to your account.
Scroll down until you see the "reset sync" button and click on the button.
At the prompt click on "Ok".

Now, close Chrome.

[ 2 ]

Get & install the Malwarebytes Browser Guard extension for Chrome.

Open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

[ 3 ]

Other suggestions, for Chrome, while Chrome is running:
Press & hold the SHIFT+CTRL+Del keys on the keyboard to get the menu for clearing browsing data:

Check mark the line "Browsing history"

Check mark the line "Download history"

Check mark the line "Cached images and files"
and press the Clear Data button (in blue).

Still in Chrome, press ALT+F, then Settings.
Click Extensions on the left.
Closely review the browser extensions that are listed. Disable any that you are not familiar with or that you do not trust.

 

[ 4 ]

I would suggest downloading, saving, and then running Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved AdwCleaner and before you start the AdwCleaner scan.

AdwCleaner detects factory preinstalled applications too!

Please download Malwarebytes AdwCleaner: https://downloads.malwarebytes.com/file/adwcleaner

Be sure to save the file first, to your system. Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved AdwCleaner. Double click AdwCleaner to start it.

At the prompt for the license agreement, review and then click on I agree.

You will then see a main screen for AdwCleaner. (If you do not see it right away, minimize the other open windows so you can see AdwCleaner.)

Then click on the Dashboard button.

Click the blue button "Scan Now".

Allow it a few minutes to finish the scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the AdwCleaner "C" clean report.

In AdwCleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean".

Double click that line & it will open in Notepad. Save the file to your system and then attach that with your reply.

That C clean report will be the one with the most recent date and time in the folder C:\AdwCleaner\Logs

Thanks. Keep me advised.

Please know I help here as a volunteer, and that I am not on 24 x 7.

Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy / paste into the main body.

Thank you,

Sincerely.

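The extension review in step [ 3 ] above is done by eye in chrome://extensions. As an added example that is not part of the original post, the PowerShell below inventories the extensions of every Chrome profile from their manifest.json files and flags the two things a search-hijacking PUP such as the one removed here relies on: a chrome_settings_overrides block (the manifest key that changes the search provider, homepage or startup pages) and a policy-forced install, which the Extensions page will not let the user remove. It assumes a per-user Chrome install under %LOCALAPPDATA% and uses the en locale to resolve localized extension names; nothing in it is taken from the user's machine.

```powershell
# Added example (not from the original thread): inventory the extensions in every
# Chrome profile and flag the ones that can change the search provider or that a
# policy forces to stay installed. Assumes a per-user Chrome install under
# %LOCALAPPDATA%; run as the user whose browser was affected.

$userData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'

# Profile folders (Default, Profile 1, ...) each hold Extensions\<id>\<version>\manifest.json
$profiles = Get-ChildItem -Path $userData -Directory -ErrorAction SilentlyContinue |
    Where-Object { Test-Path (Join-Path $_.FullName 'Extensions') }

$inventory = foreach ($profile in $profiles) {
    $extRoot = Join-Path $profile.FullName 'Extensions'
    foreach ($idDir in Get-ChildItem -Path $extRoot -Directory) {
        # The newest version folder carries the current manifest
        $verDir = Get-ChildItem -Path $idDir.FullName -Directory |
            Sort-Object Name -Descending | Select-Object -First 1
        if (-not $verDir) { continue }
        $manifestPath = Join-Path $verDir.FullName 'manifest.json'
        if (-not (Test-Path $manifestPath)) { continue }
        $m = Get-Content -Raw -Path $manifestPath | ConvertFrom-Json

        # "__MSG_name__" means the display name is localized; resolve it from _locales\en
        $name = [string]$m.name
        if ($name -match '^__MSG_(.+)__$') {
            $msgFile = Join-Path $verDir.FullName '_locales\en\messages.json'
            if (Test-Path $msgFile) {
                $msgs = Get-Content -Raw -Path $msgFile | ConvertFrom-Json
                $key  = $Matches[1]
                $hit  = $msgs.PSObject.Properties | Where-Object { $_.Name -ieq $key } | Select-Object -First 1
                if ($hit) { $name = $hit.Value.message }
            }
        }

        [pscustomobject]@{
            Profile       = $profile.Name
            Id            = $idDir.Name
            Name          = $name
            Version       = $m.version
            # chrome_settings_overrides is the manifest key that swaps the default
            # search engine, homepage or startup pages: what a search-hijacker PUP does
            ChangesSearch = [bool]$m.chrome_settings_overrides
            Permissions   = ($m.permissions -join ', ')
        }
    }
}

$inventory | Sort-Object ChangesSearch -Descending | Format-Table -AutoSize -Wrap

# Extensions listed under this policy cannot be removed from chrome://extensions;
# adware sometimes plants itself here so the user cannot uninstall it.
foreach ($hive in 'HKLM', 'HKCU') {
    $policyKey = "${hive}:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
    if (Test-Path $policyKey) {
        Write-Warning "Forced-install policy present at $policyKey"
        Get-ItemProperty -Path $policyKey | Select-Object * -ExcludeProperty PS*
    }
}
```

Read the output top-down: any row with ChangesSearch set to True that is not a search extension the user installed on purpose, and any warning about ExtensionInstallForcelist on a home machine with no domain policy, is what to disable or remove next. Chrome keeps a copy of each extension per profile, so an extension removed in one profile can still be present in another; that is why the script walks all profile folders rather than only Default.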

Hi, Tore.

OK. Thanks for the heads up. I will keep this open for you.

Thanks for the AdwCleaner report. It found and removed a few adware-type items.

Run a new scan with Malwarebytes. This will just take a few minutes. Be sure you close all web browsers before you click Scan.
Start Malwarebytes from the Windows Start menu.

Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.

Then click the SECURITY tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to get it ON if it does not show a blue color.

Now click the small X to get back to the main menu window.

Click the SCAN button.
Select a Threat Scan (which should be the default).

When the scan phase is done, be really sure you review and have all detected line items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

Be sure all items were removed. Let it remove what it has detected.

 


Hi, I did the scan but it didn't detect anything. However, the reason I started looking into any virus was because I noticed that my storage drives are fuller than they should be, and the virus seems to be gone but my drives are still full. Is this an issue in Windows, or is it possible that Malwarebytes didn't detect the virus?


There is no basis for suspecting, or for asserting, a "virus" or infection.

What steps have you taken to look at the Windows Trash Bin, looking it over, and emptying the Trash Bin?

Also, what about cleaning out TEMP files?

Those are some of the things to be looking at and deleting.

Also, at BleepingComputer see

https://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/

CLEANMGR is the Windows Disk Cleanup utility. See this guide: https://www.tenforums.com/tutorials/3012-open-use-disk-cleanup-windows-10-a.html

Just ignore all about compress or system compression.

But run the cleanup steps listed under Option One.

Skip over the ones under 6 & 7.

NEXT

You can scan the system with a different tool, from ESET.

I would suggest a free scan with the ESET Online Scanner.
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page. Click Scan Now.
It will start a download of "esetonlinescanner_enu.exe".
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes.

When prompted for the scan type, click on Full scan.
Look at & un-tick the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".

Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).

Press Continue when all done. You should click off the offer for "periodic scanning".

 


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 


Hi, sorry for the late reply. I have emptied the Recycle Bin and removed temp files, and the BleepingComputer post is about fixing a slow computer, and mine is as fast as it should be. It can't be files that I don't know about or anything like that, since I have checked the size of all folders in the root directory of all my drives (I have "shown" hidden folders) and that says that the drives are way less full than the properties in This PC and Steam say. Also, here's the scan log:

eset scan log.txt


Hi. The ESET found and removed one MSIL/TrojanClicker.Agent.NPD trojan.

What I found a bit unusual is that it was on the E drive. Have you somehow moved or redirected some WINDOWS folders to other drives (other than C) like the E drive?

As far as your notes about disk space or the like, let me ask you if you have run CHKDSK or Windows System File Checker?

This procedure will use the Windows System File Checker tool (SFC).

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.

It is best to use Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is.

To get the elevated command prompt, press Windows-key + X key and then select Command Prompt (Admin).

On that command prompt, copy & paste this command

sfc /scannow

then tap the Enter key. Monitor that. Let me know what the bottom line result display says.

[ 2 ]

Still while in an elevated command prompt, copy & paste this command

chkdsk c: /f

then tap the Enter key. Monitor that. Let me know what the bottom line result display says.

[ 3 ]

Still while in an elevated command prompt, copy & paste this command

chkdsk e: /f

then tap the Enter key. Monitor that. Let me know what the bottom line result display says.

Close the command prompt when all done.

[ 4 ]

RSIT (Random's System Information Tool)
Please download RSITx64 by random/random... save it to your desktop.

  1. Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
  2. Please read the disclaimer... click on Continue.
  3. RSIT will start running. When done... 2 log files... will be produced.
     The first one, "log.txt", will be maximized... the second one, "info.txt", will be minimized.
  4. Please post both "log.txt" and "info.txt" file contents in your next reply.

Regards.

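As an added example that is not part of the original post, the same SFC and CHKDSK steps run from one elevated PowerShell session, with the "bottom line" of each captured rather than read off the screen. It also covers what the typed commands above do not: chkdsk /scan checks a mounted volume without the "volume is in use" refusal, and a /f check that has to run at the next restart leaves its full report in the Application log, which is where to look if the text at boot scrolled past. The drive letters C and E and the $ScheduleOfflineRepair switch are assumptions for this thread.

```powershell
# Added example (not from the original thread): the SFC + CHKDSK procedure from one
# elevated PowerShell session, collecting each "bottom line" instead of reading it
# off the screen. Drive letters and the $ScheduleOfflineRepair switch are assumptions.
#Requires -RunAsAdministrator

$drives = @('C', 'E')
$ScheduleOfflineRepair = $false   # set $true to queue "chkdsk C: /f" for the next restart

# --- 1. System File Checker ------------------------------------------------
# sfc.exe writes UTF-16 to the console; captured as-is the text is full of NULs and
# the "Windows Resource Protection ..." line would never match, so set the encoding
# for the call and strip any NULs that still get through.
$prevEnc = [Console]::OutputEncoding
[Console]::OutputEncoding = [System.Text.Encoding]::Unicode
try     { $sfcOutput = & sfc.exe /scannow 2>&1 | ForEach-Object { ([string]$_) -replace "`0", '' } }
finally { [Console]::OutputEncoding = $prevEnc }
$sfcBottomLine = $sfcOutput | Where-Object { $_ -match 'Windows Resource Protection' } | Select-Object -Last 1
"SFC    : $sfcBottomLine"

# --- 2. CHKDSK online scan --------------------------------------------------
# /scan (Windows 8 and later) checks a mounted volume without dismounting it, so it
# never stops with "the volume is in use by another process".
# Exit codes: 0 = no errors, 1 = errors found and fixed, 2 = cleanup only / nothing
# fixed because /f was not given, 3 = could not check the disk or errors not fixed.
foreach ($d in $drives) {
    & chkdsk.exe "${d}:" /scan | Out-Null
    "CHKDSK ${d}: /scan exit code $LASTEXITCODE"
}

# --- 3. Offline repair of the system volume waits for a reboot ---------------
# "chkdsk C: /f" cannot lock the running system volume; answering Y to its prompt
# schedules the check for the next restart, before Windows loads.
if ($ScheduleOfflineRepair) {
    cmd.exe /c 'echo Y|chkdsk.exe C: /f' | Out-Null
    "CHKDSK C: /f scheduled for next restart (exit code $LASTEXITCODE)"
}

# --- 4. Result of a check that ran during boot ------------------------------
# The boot-time report is not shown again afterwards; Windows records it in the
# Application log as Wininit event 1001, so read it from there.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1001 } -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Wininit' } |
    Select-Object -First 2 |
    ForEach-Object { "--- CHKDSK report logged $($_.TimeCreated) ---"; $_.Message }
```

For a data volume such as E:, chkdsk /f offers to force a dismount instead of waiting for a reboot; that closes every open handle on that volume, so anything installed there (games, launchers) should be closed first. The exit code from /scan tells you whether a repair is needed at all, which is the practical answer to "is it safe": a 0 means there is nothing for /f to fix.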

Here's the first bottom line: Windows Resource Protection did not find any integrity violations.

The second one wouldn't run because "the volume is in use by another process". It asked me if I wanted it to do it the next time I restarted my computer, so I did that, and it checked my disk but I didn't get any text.

The third wouldn't run because of the same reason. It said it could run if I forced a dismount, but I didn't want to do that without knowing it was safe.

log.txt info.txt


You may have it schedule the CHKDSK run on the C drive for later.

Thank you for the RSIT reports.

By the way, the RSIT report shows "System drive 'C' has 60 GB (25%) free of 238 GB".

What is it that you are looking at, that you believe is odd?


Hi, Windows says the same thing about the space. However, as you can see in the attached image, the actual occupied space is way less than Windows says, so I can't install games larger than 60 GB on my C: drive. So I should have around 130 - 140 GB free on C:, but Windows for some reason disagrees.

Screenshot (14).png

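As an added example that is not part of the thread, a PowerShell script that does the root-folder comparison described in this post in a way that cannot silently skip anything: it adds up every entry in the drive's root with hidden and system items included, subtracts that from what Windows reports as used, and lists the paths it was not allowed to read. Explorer's folder Properties silently skips folders the current account cannot enter, which is a common reason per-folder sizes add up to less than the drive's own Properties; running elevated and printing the denied paths makes that gap visible instead of leaving it to guesswork. The drive letter is an assumption, and file sizes are logical sizes, so compressed or hard-linked files make the sum approximate.

```powershell
# Added example (not from the original thread): reconcile what the items in a drive's
# root add up to against what Windows reports as used. -Force counts hidden and system
# entries, and the script must run elevated so that folders a standard account cannot
# enter are included; whatever is still unreadable is listed, because those paths are
# a common reason "all folders selected" adds up to less than the drive's Properties.
# The drive letter is an assumption from the thread.
#Requires -RunAsAdministrator
param([string]$Drive = 'C')

$root = "${Drive}:\"
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='${Drive}:'"
$usedBytes = [double]($disk.Size - $disk.FreeSpace)

$rows       = [System.Collections.Generic.List[object]]::new()
$denied     = [System.Collections.Generic.List[string]]::new()
$totalBytes = 0.0

foreach ($top in Get-ChildItem -LiteralPath $root -Force) {
    $errs = @()
    if ($top.PSIsContainer) {
        # Length is the logical size, so compressed, sparse or hard-linked files make the sum approximate
        $bytes = (Get-ChildItem -LiteralPath $top.FullName -File -Recurse -Force `
                    -ErrorAction SilentlyContinue -ErrorVariable errs |
                  Measure-Object -Property Length -Sum).Sum
    } else {
        $bytes = $top.Length     # pagefile.sys, hiberfil.sys, swapfile.sys sit in the root and are hidden
    }
    foreach ($e in $errs) { $denied.Add([string]$e.TargetObject) }   # access-denied paths
    $bytes = [double]$bytes
    $totalBytes += $bytes
    $rows.Add([pscustomobject]@{ Name = $top.Name; GB = [math]::Round($bytes / 1GB, 2) })
}

$rows | Sort-Object GB -Descending | Format-Table -AutoSize
'Used per Windows  : {0,8:N2} GB' -f ($usedBytes / 1GB)
'Sum of root items : {0,8:N2} GB' -f ($totalBytes / 1GB)
'Unaccounted       : {0,8:N2} GB' -f (($usedBytes - $totalBytes) / 1GB)
if ($denied.Count -gt 0) {
    'Could not read {0} path(s); their contents are part of the unaccounted space, e.g.:' -f $denied.Count
    $denied | Select-Object -First 10
}
```

Run it from an elevated PowerShell as `.\Reconcile-Usage.ps1 -Drive C` (the script name is an assumption). A large "Unaccounted" figure together with an empty denied list points at something this method cannot see from the file system at all; a large figure with a populated denied list means the space is in folders the account running the script is not permitted to enter, which is worth stating before treating the gap as evidence of malware.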

The image on the left side is titled ONEDRIVE Temp.

I had suggested to you before to run CHKDSK on the C drive so that that app checks the disk on C.


I did run CHKDSK on C: earlier, when I scheduled it to run when I restarted.


Then, did you happen to see the result of the Chkdsk?

Other than Chkdsk, there is next to nothing I can suggest related to disk allocation, etc.

What we can do here is help you if there is an actual identified infection.

I had you run a Malwarebytes scan on Feb 7 or 8. What does the latest Malwarebytes scan report?


Hi. I am very glad to know that Malwarebytes reports no malware present. That is very reassuring.

FRST64 is on the Desktop. We can use that to run a batch-command script.

This will run the Windows System File Checker (SFC) and run CHKDSK.

Please have lots of patience while it runs.

Please close and save any open work you may have open.

Please close as many un-needed app windows that you yourself may have open at this point, so you can have a clear field of view.

This custom script is for CTHrobo only / for this machine only.

Close and save any open work files before starting this procedure.

Please close and save any open work files before you start this next step. It will involve a Windows restart at the end of it.

I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE link AS and save it directly (as is) to the Desktop.

The tool named FRST64.exe is already in the Desktop folder.

Start Windows Explorer and then go to the Desktop.

RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool...

click the line "More info" on that screen

and click the button "Run anyway" on the next screen.

On the FRST window:
Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Regards.

Fixlist.txt


Hello. Thank you for the Fixlog report. That is a very good run.

As part of that run, it ran CHKDSK on your system and that completed just fine. No errors with that applet.

How are things at this point?

I would suggest a free scan with the ESET Online Scanner.
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page. Click Scan Now.
It will start a download of "esetonlinescanner_enu.exe".
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes.

When prompted for the scan type, click on Full scan.
Look at & un-tick the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".

Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).

Press Continue when all done. You should click off the offer for "periodic scanning".

 


It seems like my disks are slowly being filled by something, since I now only have 50 GB free on my main drive and I have barely put anything new on it. Plus, selecting all the files (including the hidden ones) in the root directory and checking the properties still only shows about 105 GB. As for the ESET scan, I did one of those earlier.


I can help you here if there "is" an actual infection. I have not found one here.

The space may be from temporary files, or from a task that has gone astray.

Close all games (if any are running). Close Discord and any instant messenger-type app.

I suggest you look really closely on your system as to auto-started programs & reduce them to the absolute minimum.

How to perform a clean boot in Windows
https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows

I had suggested to you before to run SFC + CHKDSK from an elevated command prompt, with CHKDSK being the app that you need to ensure checks this system.

I can have you do that by means of the following script.

First, please delete the prior file I had you save, named Fixlist.txt.

Please close and save any open work you may have open.

Please close as many un-needed app windows that you yourself may have open at this point, so you can have a clear field of view.

This custom script is for CTHrobo only / for this machine only.

Close and save any open work files before starting this procedure.

Please close and save any open work files before you start this next step. It will involve a Windows restart at the end of it.

I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE link AS and save it directly (as is) to the Desktop.

The tool named FRST64.exe is already in the Desktop folder.

Start Windows Explorer and then go to the Desktop.

RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool...

click the line "More info" on that screen

and click the button "Run anyway" on the next screen.

On the FRST window:
Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

 

Fixlist.txt


This is for after you have finished with the prior advice. This relates to my suggestion above to do a clean boot startup.

Here are some of the auto-started applications (that start with Windows), from a prior report.

O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [Discord] C:\Users\Toreh\AppData\Local\Discord\app-0.0.305\Discord.exe
O4 - HKCU\..\Run: [WallpaperEngine] "C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\wallpaper32.exe" -silent
O4 - HKCU\..\Run: [Skype for Desktop] C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
O4 - HKCU\..\Run: [Spotify] C:\Users\Toreh\AppData\Roaming\Spotify\Spotify.exe --autostart --minimized
O4 - HKCU\..\Run: [NZXT.CAM] C:\Program Files\NZXT CAM\NZXT CAM.exe --startup
O4 - HKCU\..\Run: [EpicGamesLauncher] "C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win64\EpicGamesLauncher.exe" -silent

Why use NZXT.CAM? It is claimed to be free PC monitoring software. But it is not absolutely needed.

You do not need to have these apps auto-started:

Steam

Discord

wallpaper_engine

Skype

Spotify

NZXT.CAM

EpicGames launcher

I would not be surprised if one or more of these is the one seemingly using lots of disk.

 

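The O4 lines in the post above come from the RSIT report. As an added example that is not part of the original post, the PowerShell below collects the same class of auto-start entries itself (Run and RunOnce in HKCU and HKLM, the WOW6432Node view and both Startup folders) and checks each target on disk, so that an entry whose executable is missing or unsigned stands out from the well-known launchers listed in the post. The registry paths are the standard Windows ones; no names or paths are taken from the user's machine, and the parsing of each Run value into an executable path is the example's own.

```powershell
# Added example (not from the original thread): list the same kind of auto-start
# entries the RSIT "O4" lines show (Run/RunOnce in both hives, the 32-bit view and
# the Startup folders) and check each target on disk, so an entry whose file is
# gone or whose binary is unsigned stands out from the known launchers.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-CommandPath {
    # Reduce a Run value such as  "C:\x\y.exe" -silent  or  C:\x\y.exe --autostart
    # to the executable path, expanding %VARIABLES% if present.
    param([string]$Command)
    $c = $Command.Trim()
    if     ($c -match '^"([^"]+)"')          { $p = $Matches[1] }
    elseif ($c -match '^(.+?\.exe)(\s|$)')   { $p = $Matches[1] }
    else                                     { $p = ($c -split '\s+', 2)[0] }
    return [Environment]::ExpandEnvironmentVariables($p)
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider bookkeeping, not a value
        $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}

# Anything dropped in a Startup folder also runs at logon
foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    foreach ($f in Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue) {
        $entries += [pscustomobject]@{ Source = $dir; Name = $f.Name; Command = $f.FullName }
    }
}

$entries | ForEach-Object {
    $exe    = Get-CommandPath $_.Command
    $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)
    $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'missing' }
    [pscustomobject]@{
        Name      = $_.Name
        Exe       = $exe
        Exists    = $exists
        Signature = $sig          # Valid / NotSigned / HashMismatch / missing
        Source    = $_.Source
    }
} | Sort-Object Exists, Signature | Format-Table -AutoSize -Wrap
```

Entries whose Exe is missing or whose Signature is NotSigned or HashMismatch are the ones to look at first; the launchers in the post are signed by their vendors and sort to the bottom. Task Manager's Startup tab is the reversible way to turn any of them off: it leaves the Run value in place and records the disabled state under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run, so nothing has to be deleted from the registry to follow the clean-boot advice.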

Hello @CTHrobo

Have you done the Windows clean-boot procedure & run the special FRST FIXLIST I sent you on 25 February?

I need a reply in the next day or two at most.


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
