
DriverPack Solution DRPsu DotNet.exe autorun



# -------------------------------
# Malwarebytes AdwCleaner 8.0.3.0
# -------------------------------
# Build:    03-03-2020
# Database: 2020-03-09.2 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    03-10-2020
# Duration: 00:00:00
# OS:       Windows 10 Pro
# Cleaned:  0
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

No malicious registry entries cleaned.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [1494 octets] - [10/03/2020 21:46:51]
AdwCleaner[C00].txt - [1664 octets] - [10/03/2020 21:47:12]
AdwCleaner[S01].txt - [1527 octets] - [10/03/2020 22:43:07]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C01].txt ##########
 

Link to post

Hi,      :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.

Let me know what first name you prefer to go by.

 

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please just attach all report files, etc., that I ask for as we go along.

.

Tell me please, did you install "Dotnet" ?   I see a trace of it listed as a program.

Did you otherwise accept or get some sort of alluring "updater"?

 

Really, for software applications, you should only get updates from the software maker.   For hardware drivers, those you can get directly  from the hardware maker support site.

There are too many "problematic" "updater" programs out there.  Most of them are snake oil junk.

.
You have FRST64 in the Downloads folder.

Go to that folder.

RIGHT-click on FRST64 with your mouse,  and select "Run as Administrator"  to Start FRST.   Reply YES to allow it to run when prompted by Windows.

 

_Windows 8 or 10 users will be prompted about Windows *SmartScreen protection* - click the More info line on that screen and click the Run anyway button on the next screen._

Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & follow up by choosing Run anyway.

In the FRST window:
Type the following (better yet, use Copy then Paste) into the search box exactly as shown, then press the Search Files button

SearchAll: drpsu;dotnet.exe;dotnet

Please wait while the program searches for all entries relating to this program, when done a search.txt log will be saved to the desktop. Please attach this log to your next reply.

Just attach the report-file.   And do not do any fixes, changes, or modifications on your own.   If you have questions, please ask me first.

 

[  2   ]

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

The log is named MSERT.log

The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply.

 

We will do much more later.   Do have patience.   The cleanup will take a few more different additional passes.

Link to post

I have sent you one other reply before this here.   Please be sure you do those suggestions first.

Next, when you get the chance, please do this here.  This involves starting an Elevated Command Prompt & then pasting a command line.

Please take your time as you do this.

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.

It is best to use the Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is

To get the elevated command prompt, press Windows-key + X key and then select Command prompt (Admin)

On that command prompt,  Copy & Paste this command   & after it is in place, tap the Enter key

WMIC /OUTPUT:"%userprofile%\desktop\ProcessList.txt" path win32_process WHERE Name="cmd.exe" get Caption,Processid,Commandline

 

When it is completed, you may close the Command prompt.

Look on the Desktop.  You should see a file named  ProcessList.txt

Please attach that in a new reply.

Cheers

Link to post

Hi,

Minju is fine.

Yes, I have installed dotnet. Dotnet is .NET Framework. It comes with Windows. I think just because they named their .exe 'DotNet.exe', doesn't mean it's actually related to dotnet. 

The reason I'm in this predicament, is because I installed Driverpack Solutions as a last resort to finding what has been the reason for my PC crashing, but without realising it was a big mistake, since it is basically malware. There was no uninstall function, so I just manually deleted all the traces I could find. Please read the thread I linked, that person explains it.

I'm honestly just considering reinstalling my PC..

 

ProcessList.txt
Search.txt
malwarebytes_result.txt
msert.log

 

PS. Could you please remove the 2nd post I made? I didn't realise it'd post literally everything I have on my PC, some of which are confidential file/folder names. 

Link to post

Thanks for the reports.  I have hidden the 2nd post from you.

Fully aware that .Net Framework is the MS implementation.   But this system has at least 2 bogus-looking "dotnet" folders.

.

I am listing below one custom fix script  & a different scan.   Please do all of the following.   Just keep going down the list.

[  1  ]

Please Close and Save any open work you may have open.

Please close as many un-needed app-windows that you yourself may have open at this point.   So you can have a clear field of view.

 

This custom script is for   Minju   only / for this machine only.

Close and save any open work files before starting this procedure. 

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRST64.exe is already in the Downloads folder

Start Windows Explorer and then go to the Downloads folder.


RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow it to run.

If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click the More info line on that screen

and click the Run anyway button on the next screen.

 

on the FRST window:
Click the Fix button just once, and wait.


 

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

[    2   ]

Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64

  • Save the file first,
  • Close any running programs that you started on your own ( if any).

Double-click  RogueKillerx64.exe to run the program.

Follow the prompts. If a browser window opens, close the window.

 

In the HOME tab, click Start Scan.

Upon completion, a browser window may open. Close this window.

 Important: Please do not have RogueKiller remove any detected items.

Click the HISTORY tab followed by Scan Reports.

Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.

Please attach the file in your next reply.

[  3   ]   P.S.    Please look again on your desktop.   Look for a new ProcessList.txt

Please attach that as well.

 

Thank you.

 

Fixlist.txt

Edited by Maurice Naggar
re-edited
Link to post

Thank you for the reports.

[  1  ]

Do a new run with roguekiller64.

When it has completed its scan,  Look at the Registry  area.

& then select the following items & have them removed

 

 

>>>>>> XX - Software
  [PUP.MailRU (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-229390518-132880457-2566876645-1001\Software\GameCenter -- N/A -> Found

 

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{AB61FA25-C10C-4422-AF5E-34D566B50446} -- v2.30|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Minju\AppData\Local\Temp\DriverPack-20200304195521\tools\aria2c.exe|Name=DriverPack aria2c.exe| (C:\Users\Minju\AppData\Local\Temp\DriverPack-20200304195521\tools\aria2c.exe) (missing) -> Found

 

[   2   ]

Let's be sure that Windows 10 is set to show all files, all folders

Do not let this spook you out.

There is a how-to at Tenforums. Use either option one or two or three

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.

It is best to use the Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is

To get the elevated command prompt, press Windows-key + X key and then select Command prompt (Admin)

On that command prompt,  Copy & Paste this command   & after it is in place, tap the Enter key

rd /s /q C:\Users\Minju\AppData\Local\Temp\DriverPack-20200304195521

 

[   3  ]

Let’s  please try to get and run a special  report  tool from Microsoft. 

It does not make changes. It will be just a report.

 

  • Please download Sysinternals Autoruns from here and save it to your desktop.
  • Note: you also need to do the following:
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK


Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...

In the Autoruns Filter Options dialogue, verify that the following are unchecked, if they are checked, uncheck them:

  • Include empty locations
  • Hide Microsoft entries
  • Hide Windows entries


Verify that the following is checked, if it is unchecked, check it:

  • Verify code signatures


Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.


Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
Attach the Autoruns.zip folder you just created to your next reply

 

Let me know how things are.

Thank you.

 

 

Link to post
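
The second RogueKiller item in the post above is a leftover inbound allow rule whose program path sits in a Temp folder and no longer exists on disk. As an added example (not part of the thread and not RogueKiller's own logic), this sketch runs that same check over rule strings in the pipe-delimited form shown in the report; the two `CONSTRUCTED` rules and the `exists` callback are assumptions made so it runs offline.

```python
import re

# First rule is the one quoted in the thread; the other two are constructed samples.
SAMPLE_RULES = {
    "{AB61FA25-C10C-4422-AF5E-34D566B50446}": (
        r"v2.30|Action=Allow|Active=TRUE|Dir=In|"
        r"App=C:\Users\Minju\AppData\Local\Temp\DriverPack-20200304195521\tools\aria2c.exe|"
        r"Name=DriverPack aria2c.exe|"
    ),
    "{CONSTRUCTED-0001}": (
        r"v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|"
        r"App=C:\Program Files\Example\app.exe|Name=Example App|"
    ),
    "{CONSTRUCTED-0002}": (
        r"v2.30|Action=Block|Active=TRUE|Dir=Out|"
        r"App=%SystemRoot%\Temp\old.exe|Name=Old blocker|"
    ),
}

TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

def parse_rule(data):
    """Split 'v2.30|Key=Value|...' into (version, dict of fields)."""
    parts = [p for p in data.split("|") if p]
    version, fields = parts[0], {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        fields[key] = value
    return version, fields

def review_rules(rules, exists):
    """Return {rule_id: [reasons]} for active allow rules that deserve a look."""
    findings = {}
    for rule_id, data in rules.items():
        _, f = parse_rule(data)
        app = f.get("App", "")
        if f.get("Action") != "Allow" or f.get("Active") != "TRUE" or not app:
            continue  # block rules and rules without a program path are not the concern here
        reasons = []
        if TEMP_DIR.search(app):
            reasons.append("program path is inside a Temp directory")
        if not exists(app):
            reasons.append("program file is missing")
        if reasons:
            findings[rule_id] = reasons
    return findings

if __name__ == "__main__":
    # Constructed stand-in for os.path.exists: only the Program Files binary is present.
    present = {r"C:\Program Files\Example\app.exe"}
    for rid, why in review_rules(SAMPLE_RULES, present.__contains__).items():
        print(rid, "->", "; ".join(why))
```

On a live Windows system, `exists` would be `os.path.exists` applied after expanding environment variables in the path.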

Recheck to see that Windows Explorer is set to show all system files & folders

The "appdata" is normally not accessible

so set show all & then try once more.

 

I would also do this command line

del /s /q C:\Users\Minju\AppData\Local\Temp\*.*

That is the delete command

Edited by Maurice Naggar
Link to post

I already deleted my whole temp folder myself before I even made this topic. I didn't mean to post that picture along with my comment. I'm just going to reinstall windows when I get my new SSD tomorrow. 

Thanks again for trying. 😀

Link to post

All right.   That is the safest to do for the long term.

Allow me to relay my usual advice about staying safe ( r ).

The first best practice of computer safety is to have backups of the system.  Make regular periodic backups to offline removable media.

Backup is your best friend.

 

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

 

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).


Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq




Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

.

I wish you all the best.

Link to post

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post