
Need malware removal help


Recommended Posts

Attached files are what I have done.

Ran AdwCleaner, ran the Farbar Recovery Scan Tool, and am running a Malwarebytes scan. Ads show up on my computer, some accounts are disabled as administrator, the computer slows down, Chrome and Firefox are slowing up, and an address is replaced with another address (for example 1XXXXXXX to 2XXXXXXX) when I copy and paste. I also need the fixlist.txt file for the computer fix. Currently running a Malwarebytes scan; I will get back with the scan log.

 

Addition.txt FRST.txt AdwCleaner[S01].txt

Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Do you need / did you install these proxy entries?
AutoConfigURL: [{6B5FBD50-2BE1-4310-AAAB-9F81E9B93C5B}] => proxy.packetstream.io:31111
ProxyServer: [S-1-5-21-3113052357-2328876423-1108310803-1001] => socks=24.236.125.58:43520


Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please run AdwCleaner and Malwarebytes and delete all the items reported.

Restart the computer normally when done.

Please post the Fixlog.txt.

Please run the Farbar program again and attach fresh logs for my review.

Let me know what problem persists.
 

fixlist.txt

Link to post
Share on other sites
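The two entries nasdaq asks about are a per-user proxy auto-config (PAC) URL and a SOCKS proxy, which together send the browser's traffic through hosts the user later says they never configured. The PowerShell below is an added example, not part of the thread and not FRST's own code: it reads the same kind of settings directly from the registry of every logged-on user and prints the machine-wide WinHTTP proxy as well. It assumes an elevated prompt. The thread does not say which key FRST read the GUID-keyed AutoConfigURL from, so the script covers the standard per-user Internet Settings key only.

```powershell
# Added example, not from the thread or from FRST: enumerate per-user WinINET
# proxy settings for every hive under HKEY_USERS and the machine-wide WinHTTP
# proxy. Read-only; run from an elevated PowerShell prompt (assumption).

# HKEY_USERS is not a drive by default. Only hives of logged-on users are here.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$inetKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Real account SIDs only (S-1-5-21-dom-dom-dom-RID); skips .DEFAULT, S-1-5-18 and *_Classes.
$perUser = Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-(\d+-){3}\d+$' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $path = "HKU:\$sid\$inetKey"
        if (Test-Path -Path $path) {
            $p = Get-ItemProperty -Path $path
            [pscustomobject]@{
                SID           = $sid
                ProxyEnable   = $p.ProxyEnable      # 1 = ProxyServer is in use
                ProxyServer   = $p.ProxyServer      # e.g. socks=host:port or host:port
                AutoConfigURL = $p.AutoConfigURL    # PAC script URL, independent of ProxyEnable
            }
        }
    }

# Report every user with a PAC URL or proxy string set. The thread's entries would
# show up here as AutoConfigURL = proxy.packetstream.io:31111 and
# ProxyServer = socks=24.236.125.58:43520. A clean home machine prints nothing.
$flagged = $perUser | Where-Object { $_.AutoConfigURL -or $_.ProxyServer -or $_.ProxyEnable -eq 1 }
$flagged | Format-Table -AutoSize

# WinHTTP keeps its own proxy setting, used by services rather than browsers.
netsh winhttp show proxy
```

A SOCKS proxy pointing at a bare IP, or a PAC URL for a service nobody installed on purpose, is the kind of hit that belongs in a fixlist. Removing a value by hand is Remove-ItemProperty on the same key and name, but in this thread nasdaq's fixlist did that, so the script above is only for checking.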

35 minutes ago, nasdaq said:

Do you need/installed these proxy entries?
AutoConfigURL: [{6B5FBD50-2BE1-4310-AAAB-9F81E9B93C5B}] => proxy.packetstream.io:31111
ProxyServer: [S-1-5-21-3113052357-2328876423-1108310803-1001] => socks=24.236.125.58:43520

I don't need those proxy entries; I don't know where they came from. It seems like Windows Firewall is off and I'm unable to gain administrative access to some parts of my computer; even enabling Windows Firewall is a problem, and AdwCleaner can't delete items from the AppData section coming from the program EpicNet Inc, and I have a Trojan agent that is in the C:\Windows\rss folder? I've also posted fixlog.txt and fresh logs for review.

Fixlog.txt Addition.txt FRST.txt

Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Windows Defender is disabled. If you installed SMADAV then it's OK; otherwise delete SMADAV via the Control Panel.
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SMADAV version 13.5.0 (HKLM-x32\...\{8B9FA5FF-3E61-4658-B0DA-E6DDB46D6BAD}_is1) (Version: 13.5.0 - Smadsoft)

Remove this program in bold via the Control Panel > Programs > Programs and Features.
App Explorer (HKU\S-1-5-21-3113052357-2328876423-1108310803-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05022020121433658\...\Host App Service) (Version: 0.272.1.295 - SweetLabs) <==== ATTENTION
You may find only one entry. (not sure)
App Explorer (HKU\S-1-5-21-3113052357-2328876423-1108310803-1006-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05022020121434502\...\Host App Service) (Version: 0.273.3.727 - SweetLabs) <==== ATTENTION
<<<>>>

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt

Link to post
Share on other sites

OK, the computer runs faster now, but I can't find those programs in Programs and Features under Control Panel. How do I get rid of those App Explorer programs? I can't find them. I have also posted the fixlog. I have seen a user defaultuser0 being created; I did not create any user like that at all.

Fixlog.txt

Link to post
Share on other sites

Hi,

The programs were removed but the Registry entries are still present.

If you wish to remove them, follow the directives on this page.
They are not causing any problems. Your call.

Removing Invalid Entries in the Add/Remove Programs Tool
https://support.microsoft.com/en-ca/help/243723/removing-invalid-entries-in-the-add-remove-programs-tool

===

You can delete the account; follow the directives on this page.
https://pureinfotech.com/delete-user-account-windows-10/

Read carefully and make sure you are deleting this account.

defaultuser0 (S-1-5-21-3113052357-2328876423-1108310803-1000 - Limited - Disabled) => C:\Users\defaultuser0

Link to post
Share on other sites
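The App Explorer entries in nasdaq's earlier post sit under HKU\S-1-5-21-...-1000 and ...-1006, that is, in other users' hives (the -1000 SID is the defaultuser0 profile listed just above), which is why the logged-on user's Programs and Features never showed them. The PowerShell below is an added example, not the thread's fixlist and not FRST output: it searches the Uninstall keys in HKLM (64- and 32-bit views) and in every hive currently under HKEY_USERS for a name or publisher pattern and prints the UninstallString. The function name and the patterns are the editor's choice. A hive of a user who is not logged on is only under HKEY_USERS after it is loaded, for example with reg load, which is why FRST, which reads the other profiles' hives itself, saw more than Control Panel did.

```powershell
# Added example, not from the thread or from FRST: find Programs-and-Features
# (Uninstall) entries matching a name in HKLM and in every hive under
# HKEY_USERS, so per-user installs under another SID can be located.
# Read-only; the pattern and function name are the editor's choice.

function Find-UninstallEntry {
    param([Parameter(Mandatory)][string]$Pattern)

    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # 64-bit and 32-bit (WOW6432Node) views; the SweetLabs entries were per-user, so HKU matters.
    $subKeys = @(
        'Software\Microsoft\Windows\CurrentVersion\Uninstall',
        'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    # One root for the machine, one per hive under HKEY_USERS (logged-on users,
    # plus anything loaded by hand with "reg load").
    $roots = @('HKLM:') + @(Get-ChildItem -Path 'HKU:\' | ForEach-Object { "HKU:\$($_.PSChildName)" })

    foreach ($root in $roots) {
        foreach ($sub in $subKeys) {
            $key = "$root\$sub"
            if (-not (Test-Path -Path $key)) { continue }
            foreach ($entry in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
                $p = Get-ItemProperty -Path $entry.PSPath
                if ($p.DisplayName -like "*$Pattern*" -or $p.Publisher -like "*$Pattern*") {
                    [pscustomobject]@{
                        Root            = $root              # HKLM: or HKU:\<SID>: tells you whose install it is
                        Key             = $entry.PSChildName
                        DisplayName     = $p.DisplayName
                        Publisher       = $p.Publisher
                        DisplayVersion  = $p.DisplayVersion
                        UninstallString = $p.UninstallString # what Control Panel would run
                    }
                }
            }
        }
    }
}

# Usage: the product name and publisher from nasdaq's post.
Find-UninstallEntry -Pattern 'App Explorer' | Format-List
Find-UninstallEntry -Pattern 'SweetLabs'    | Format-List
```

When a hit's Root is another user's SID, the UninstallString has to be run in that user's session, or, once the program files are already gone as nasdaq notes, the key itself is removed, which is what the Microsoft article linked above amounts to.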

That defaultuser0 is an unknown account located on my computer. I did not create it, nor did I find this account anywhere. How can I delete it? Since I can't delete it from Settings, is there a script or something to delete it?

Link to post
Share on other sites

Hi,

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
defaultuser0
Once done, click on the Search Registry button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content in your next reply.

Link to post
Share on other sites

Farbar Recovery Scan Tool (x64) Version: 03-05-2020
Ran by azfar (05-05-2020 11:15:47)
Running from C:\Users\azfar\Downloads
Boot Mode: Normal

================== Search Registry: "defaultuser0" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Wireless\Folders\LAPTOP-RQLMMHQM\defaultuser0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Wireless\Folders\LAPTOP-RQLMMHQM\defaultuser0]
"Path"="C:\Users\defaultuser0\AppData\Roaming\Intel\Wireless\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3113052357-2328876423-1108310803-1000]
"ProfileImagePath"="C:\Users\defaultuser0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex\DefaultRules\7]
"URL"="file:///C:\[ec37c04e-d268-4e01-808f-189142e31190]\Users\defaultuser0\AppData\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex\WorkingSetRules\7]
"URL"="file:///C:\[ec37c04e-d268-4e01-808f-189142e31190]\Users\defaultuser0\AppData\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Sites\LocalHost\Paths\5]
"Path"="file:///C:\[ec37c04e-d268-4e01-808f-189142e31190]\Users\defaultuser0\AppData\"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3113052357-2328876423-1108310803-1000]
"ProfileImagePath"="C:\Users\defaultuser0"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex\DefaultRules\7]
"URL"="file:///C:\[ec37c04e-d268-4e01-808f-189142e31190]\Users\defaultuser0\AppData\"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex\WorkingSetRules\7]
"URL"="file:///C:\[ec37c04e-d268-4e01-808f-189142e31190]\Users\defaultuser0\AppData\"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Search\Gather\Windows\SystemIndex\Sites\LocalHost\Paths\5]
"Path"="file:///C:\[ec37c04e-d268-4e01-808f-189142e31190]\Users\defaultuser0\AppData\"

====== End of Search ======

Link to post
Share on other sites
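defaultuser0 is the account Windows setup (OOBE) creates and normally deletes again when setup finishes; the thread does not say so, and nothing below depends on it. The hits above are its profile registration (ProfileList, in both the native and WOW6432Node views) and some indexer paths for that profile folder. The PowerShell below is an added example, not nasdaq's fixlist: it shows what the local SAM and the profile service still know about the account, then removes the profile through Win32_UserProfile, which deletes the ProfileList key and the C:\Users folder together (a plain Remove-Item on the folder would leave the key behind), and finally the account itself. The function and parameter names are the editor's own; it needs an elevated prompt and is run with -WhatIf first.

```powershell
# Added example, not from the thread: inspect a leftover local account and its
# profile, then remove both the supported way. Needs an elevated prompt.

function Remove-StaleLocalProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name
    )

    # 1. The account, if the SAM still knows it. FRST listed it as Limited / Disabled.
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if ($user) {
        Write-Host ("Account: {0}  SID={1}  Enabled={2}  LastLogon={3}" -f `
            $user.Name, $user.SID, $user.Enabled, $user.LastLogon)
    } else {
        Write-Host "No local account named '$Name' (the profile folder may still exist)."
    }

    # 2. The profile registration behind the ProfileList hits in FRST's search.
    $profiles = Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { $_.LocalPath -like "*\$Name" }
    foreach ($p in $profiles) {
        Write-Host ("Profile: {0}  SID={1}  Loaded={2}  Special={3}  LastUse={4}" -f `
            $p.LocalPath, $p.SID, $p.Loaded, $p.Special, $p.LastUseTime)
    }

    # 3. Removal, gated on -WhatIf / -Confirm. A loaded hive or a system (Special)
    #    profile is never touched.
    foreach ($p in $profiles) {
        if ($p.Loaded -or $p.Special) {
            Write-Warning "Skipping $($p.LocalPath): Loaded=$($p.Loaded) Special=$($p.Special)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($p.LocalPath, 'Delete user profile')) {
            $p | Remove-CimInstance    # removes the folder and the ProfileList key
        }
    }
    if ($user -and $PSCmdlet.ShouldProcess($user.Name, 'Delete local account')) {
        Remove-LocalUser -Name $user.Name
    }
}

# Dry run first, then the real thing.
Remove-StaleLocalProfile -Name 'defaultuser0' -WhatIf
# Remove-StaleLocalProfile -Name 'defaultuser0'
```

The first two steps are enough to answer the question asked in the thread (where did this account come from, and is it still usable): a Disabled account whose profile was never used since setup is the OOBE leftover, not something an attacker added. The indexer entries from the search are rebuilt by Windows Search on its own once the folder is gone.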

Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt

Link to post
Share on other sites

Fixlog.txt

Link to post
Share on other sites

19 minutes ago, nasdaq said:

Is the problem solved?

The user is not deleted, although it is hidden and cannot be accessed, so it's not causing much of an issue. All of the viruses have been fixed and no more ads are showing up; all is good. Will let you know if anything else shows up.

Link to post
Share on other sites

  • 2 weeks later...

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

This topic is now closed to further replies.
