Malware, boot issues, BSoD msahci.sys, empty start menu

[kompot]

Hi All,

Please bear with me as I'm new here and not an IT expert. I'll ty to give best description I can to aid this.

ASUS K52 laptop, Windows 7, ESET internet security AV.

Initially it had HDD holding the system, I've then added an SSD and cloned the system onto it and was using the SSD system. I've left the HDD files intact, which was useful lately, see below.

I've bougth some USB receivers and downloaded a few bluetooth drivers, trying to find a working one. One driver/SW started causing windows prompts every minute or so about Windows not being able to display message from it, I've ignored them first, then after googling the issue decided to view it. I believe the message was about the driver not being able to finish the installation. After that I've uninstalled all downloaded bluetooth drivers/SW through the control panel and deleted all files from local drive. In the meantime in my local drivers properties/security/users I've noticed a username I did not recognise (system and laptop are very old, so it's not 100% impossible I didn't set it up years ago...). It did not have any rights really, and I've deleted this user from properties/security/users from all drives.

At the same time, being afraid I might have malware I've run a known antimalware SW (don't want to do any advertising here, but can reveal name if necessary) and it found numerous issues including a couple instances of malware. I've let it fix all of them and then realised my Start menu has emptied. System was asking for a reboot but would not boot after that, I think it was BSoD saying msahci.sys was missing.

I did have the old system on HDD so I've booted it and copied the msahci.sys from Windows folder on HDD to the SSD.

Then booting SSD system would show another BSoD, this time "Stop: 0x0000007B". 

After googling I've checked 

• switching AHCI/IDE in BIOS
• Windows defender offline (would not work actually due to impossibility of updating it, which I've managed to find confirmation for being a known issue)
• I've downloaded the said antimalware software again and installed on the HDD system

I could always access files on the SSD, so it was working OK, it's only that the system was damaged and wouldn't boot.

In the end I've wiped my SSD and cloned the system from HDD to it again (I shall highlight this means it's still installed and working).

This is the state I'm in at the moment, working off the old clone on the SSD.

I'd like to do this properly and have run the instructions to tackle any malware left.

 

 

Log from Malewarebytes is below, the two files from FRST are attached. Many thanks for your help.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 28/06/2020
Scan Time: 15:52
Log File: f1db24c4-b94e-11ea-9f36-20cf306d1e51.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.26109
Licence: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Patryk\Patryk H

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 268180
Threats Detected: 55
Threats Quarantined: 0
Time Elapsed: 11 min, 12 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 11
PUP.Optional.GetPrivate, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\GPUPDATECHECK, No Action By User, 5192, 238712, , , , 
PUP.Optional.GetPrivate, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{73A58F8B-AD92-4AF7-81E0-F1303BAA824D}, No Action By User, 5192, 238712, , , , 
PUP.Optional.GetPrivate, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{73A58F8B-AD92-4AF7-81E0-F1303BAA824D}, No Action By User, 5192, 238712, , , , 
PUP.Optional.FaceMoods, HKLM\SOFTWARE\CLASSES\APPID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}, No Action By User, 72, 392823, , , , 
PUP.Optional.FaceMoods, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}, No Action By User, 72, 392823, , , , 
PUP.Optional.FaceMoods, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{5B1881D1-D9C7-46df-B041-1E593282C7D0}, No Action By User, 72, 392823, 1.0.26109, , ame, 
PUP.Optional.V9.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\V9SOFTWARE\v9hp, No Action By User, 4329, 192831, 1.0.26109, , ame, 
Adware.Agent.OL, HKLM\SOFTWARE\CLASSES\Prod.cap, No Action By User, 6935, 830817, 1.0.26109, , ame, 
PUP.Optional.InstallCore, HKU\S-1-5-21-3985608894-3351105237-3686923162-1001\SOFTWARE\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I, No Action By User, 501, 352832, 1.0.26109, , ame, 
PUP.Optional.SmartTweak, HKU\S-1-5-21-3985608894-3351105237-3686923162-1001\SOFTWARE\SMARTTWEAK\UpdateMyDrivers, No Action By User, 3359, 438807, 1.0.26109, , ame, 
PUP.Optional.SweetIM, HKLM\SOFTWARE\WOW6432NODE\SweetIM, No Action By User, 447, 243762, 1.0.26109, , ame, 

Registry Value: 2
PUP.Optional.SmartCoupon, HKU\S-1-5-21-3985608894-3351105237-3686923162-1001\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|eonffnnfmbfnmjpaiigdclmfelolemah, No Action By User, 2418, 179643, , , , 
PUP.Optional.GetPrivate, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{73A58F8B-AD92-4AF7-81E0-F1303BAA824D}|PATH, No Action By User, 5192, 337036, 1.0.26109, , ame, 

Registry Data: 3
PUP.Optional.V9.ShrtCln, HKU\S-1-5-21-3985608894-3351105237-3686923162-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|DEFAULT_PAGE_URL, No Action By User, 4329, 291265, 1.0.26109, , ame, 
PUP.Optional.V9.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN|DEFAULT_PAGE_URL, No Action By User, 4329, 291270, 1.0.26109, , ame, 
PUP.Optional.V9.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, No Action By User, 4329, 291270, 1.0.26109, , ame, 

Data Stream: 0
(No malicious items detected)

Folder: 9
PUP.Optional.SmartCoupon, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EONFFNNFMBFNMJPAIIGDCLMFELOLEMAH, No Action By User, 2418, 179643, 1.0.26109, , ame, 
PUP.Optional.FFHotfix, C:\USERS\PATRYK H\APPDATA\ROAMING\MOZILLA\FIREFOX\EXTENSIONS\MOZILLAHOTFIX, No Action By User, 1357, 182009, 1.0.26109, , ame, 
PUP.Optional.Carambis, C:\Users\Patryk H\AppData\Roaming\Carambis\Driver Updater\drivers, No Action By User, 1031, 351300, , , , 
PUP.Optional.Carambis, C:\Users\Patryk H\AppData\Roaming\Carambis\Driver Updater\License, No Action By User, 1031, 351300, , , , 
PUP.Optional.Carambis, C:\Users\Patryk H\AppData\Roaming\Carambis\Driver Updater\temp, No Action By User, 1031, 351300, , , , 
PUP.Optional.Carambis, C:\USERS\PATRYK H\APPDATA\ROAMING\CARAMBIS\DRIVER UPDATER, No Action By User, 1031, 351300, 1.0.26109, , ame, 
RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\log, No Action By User, 867, 411853, , , , 
RiskWare.BitCoinMiner, C:\USERS\PATRYK H\APPDATA\LOCAL\MINERGATE, No Action By User, 867, 411853, 1.0.26109, , ame, 
PUP.Optional.Babylon, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 393, 455059, , , , 

File: 30
PUP.Optional.GetPrivate, C:\WINDOWS\SYSTEM32\TASKS\GPUPDATECHECK, No Action By User, 5192, 238712, 1.0.26109, , ame, 
PUP.Optional.SmartCoupon, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, No Action By User, 2418, 179643, , , , 
PUP.Optional.SmartCoupon, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, No Action By User, 2418, 179643, , , , 
RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\log\aeon.log, No Action By User, 867, 411853, , , , 
RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\log\bcn.log, No Action By User, 867, 411853, , , , 
RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\log\minergate.log, No Action By User, 867, 411853, , , , 
RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\log\xmr.log, No Action By User, 867, 411853, , , , 
RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\hrackopane@gmail.com.achievements, No Action By User, 867, 411853, , , , 
RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\hrackopane@gmail.com.achievements.bak, No Action By User, 867, 411853, , , , 
RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\miners.ini, No Action By User, 867, 411853, , , , 
RiskWare.BitCoinMiner, C:\Users\Patryk H\AppData\Local\minergate\pools.config, No Action By User, 867, 411853, , , , 
PUP.Optional.MindSpark, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\LOCAL STORAGE\http_www.easypdfcombine.com_0.localstorage, No Action By User, 717, 490519, 1.0.26109, , ame, 
PUP.Optional.MindSpark, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\LOCAL STORAGE\http_www.easypdfcombine.com_0.localstorage-journal, No Action By User, 717, 490519, 1.0.26109, , ame, 
PUP.Optional.Carambis, C:\PROGRAMDATA\mtbjfghn.xbe, No Action By User, 1031, 726629, 1.0.26109, , ame, 
PUP.Optional.MindSpark.Generic, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\LOCAL STORAGE\http_easypdfcombine.dl.tb.ask.com_0.localstorage, No Action By User, 1817, 443123, 1.0.26109, , ame, 
PUP.Optional.MindSpark.Generic, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\LOCAL STORAGE\http_easypdfcombine.dl.tb.ask.com_0.localstorage-journal, No Action By User, 1817, 443123, 1.0.26109, , ame, 
PUP.Optional.MindSpark.Generic, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\LOCAL STORAGE\http_easypdfcombine.dl.myway.com_0.localstorage, No Action By User, 1817, 443124, 1.0.26109, , ame, 
PUP.Optional.MindSpark.Generic, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\LOCAL STORAGE\http_easypdfcombine.dl.myway.com_0.localstorage-journal, No Action By User, 1817, 443124, 1.0.26109, , ame, 
HackTool.Agent, C:\PROGRAM FILES (X86)\WINOLS\LOADER_WINOLS.1.500.EXE, No Action By User, 3930, 1570, 1.0.26109, AAC3EA3CF22BC9A8ED2AFE1E, dds, 00784156
HackTool.Agent, C:\PROGRAM FILES (X86)\WINOLS\WINOLS.EXE, No Action By User, 3930, 1570, 1.0.26109, AAC3EA3CF22BC9A8ED2AFE1E, dds, 00784156
PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, No Action By User, 393, 455059, , , , 
PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000038.ldb, No Action By User, 393, 455059, , , , 
PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000039.log, No Action By User, 393, 455059, , , , 
PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000040.ldb, No Action By User, 393, 455059, , , , 
PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, No Action By User, 393, 455059, , , , 
PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, No Action By User, 393, 455059, , , , 
PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, No Action By User, 393, 455059, , , , 
PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, No Action By User, 393, 455059, , , , 
PUP.Optional.Babylon, C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, No Action By User, 393, 455059, , , , 
PUP.Optional.Babylon, C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 393, 455059, 1.0.26109, , ame, 

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

Addition.txt FRST.txt

[Maurice Naggar]

Hi.

There are quite a few different things, all at once, on this situation.   I am sorry to read about BSOD

Regret your trouble.  I am concerned that there are compound factors.

 

This machine has K-Lite Mega Codec Pack 10.8.0   installed.

and  you mentions  

Quote

my Start menu has emptied.

 

Can you possibly get a screen capture of that ?

 

The switching of drive types / the closing is perhaps confusing.    and the scan by Malwarebytes does show action needs to be done to remove those flagged items.

Also

a big reason I am answering,  a recent case I helped, where the Start menu was "missing / non-functional"  was found to be due to having K-Lite

Would you consider uninstalling   K-Lite Mega Codec Pack 10.8.0    ?

Edited June 29, 2020 by Maurice Naggar

[Maurice Naggar]

Hello.   This is my second reply in a row.  So please do not overlook the previous reply  ^^^^^

My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.
 

After uninstalling K-Lite Mega Codec,  I suggest the following procedures as the first initial steps to do some cleanups.   There will be more later on.

 

This Windows is in Polish language  and so the FRST report will tend to also have some Polish notes.  I need a small adjustment to help me.

Find the FRST64.exe  on the Downloads folder.   Use the mouse-pointer and do a RIGHT-click on FRST64

&  then select RENAME

& then renamed it to

ENGLISHFRST.exe

and tap Enter-key on keyboard.

 

NEXT,  this is a small cleanup for the purpose of a few small cleanups.

This custom script is for  Kompot  only / for this machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a  new  custom Fix script which is going to be used by the ENGLISHFRST tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named ENGLISHFRST.exe   tool    is already on the Downloads folder
Start the Windows Explorer and then, to the Downloads folder.

RIGHT click on  ENGLISHFRST   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the ENGLISHFRST window:
Click the Fix button just once, and wait.

 
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Please keep going down this next list.

[     2     ]

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

 

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Thanks.  Keep me advised.

.

NOTE:  We will do more after this.  That will include a new special run with Malwarebytes for Windows.

The ESET Security is an excellent antivirus / security app.   With that and Malwarebytes for windows the pc really did not need SuperAntispyware.

Malwarebytes for Windows had found a large number of adwares, plus, coin-miner hijack, plus a "hack tool"

HackTool.Agent, C:\PROGRAM FILES (X86)\WINOLS\LOADER_WINOLS.1.500.EXE,           No Action By User
HackTool.Agent, C:\PROGRAM FILES (X86)\WINOLS\WINOLS.EXE,                                       No Action By User

 

The one thing that needed to be done, which was not done, was to select ALL line items for removal.   I will help you to do that.

Your patience is appreciated.   Much patience is needed.   Plus, do not make changes or additions on your own.  Always ask me first.

I will be your guide.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me. 
If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible. 
  
Please only just attach   all report files, etc  that I ask for as we go along.
 

Please know I help here as a volunteer.  and that I am not on 24 x 7.
Help on this forum is one to one.   Again, please be sure to ONLY attach report files  with your reply (s)  as we go along.  Do not do a copy / paste into main body.
Thank you,
Sincerely.
 

 

Fixlist.txt

[kompot]

Hello, many thanks for the reply.

With the Start menu it might have been just the "recently used programmes" that disappeared (due to SAS cleanup?), I never opened Start menu programmes fully so can't say if they disappeared as well, perhaps not. I do not have an actual screenshot from when the problem appeared so I'll try to invent something from memory using MS Paint.

See attachment 2.PNG.

 

Secondly I shall clarify that when I've posted the thread originally, after I've run the Malwarebytes scan (which found problems) I took no action, just left MB open, and I've run a scan with FRST. So the FRST and Addition attachments in post #1 are before Malwarebytes cleanup. Only after FRST finished I clicked the Malwarebytes "cleanup". Confusing I know, sorry.

 

I attach the fixlog as requested.

I attach the C log from Adwcleaner.

 

I had the K-Lite codec pack installed for over 5 years, but I've uninstalled it as requested.

For the moment I have the ESET + MB + SAS installed, I'll wait with SAS uninstall unit explicitly told to do so.

Normally I was only using ESET without any antimalware.

 

Many thanks for your help.

AdwCleaner[C00].txt Fixlog.txt

[Maurice Naggar]

OK.  Thank you so much for the 2 log-reports.   Both very worthwhile to do.   Good cleanups.

The next run is a very specific way to run Malwarebytes for Windows so that it does remove all items it identifies as any P U P  or threat, or riskware, or other type of malicious-ness.

Sorry, but it is in English  in this write-up.   But I am confident you understand.

 

I would like you to do a new scan with Malwarebytes for Windows.  One of the major goals here is to have it remove all that it detects.  If it finds anything that is.

Start Malwarebytes from the Windows  Start menu.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

 

Then scroll down to the section Potentially Unwanted items.   We need the next 2 lines   ( for P U P  & for P U  M)  to be set to "Always ( Recommended) ".

You can make the change by clicking on the down-arrow selection list-control.   We want all P U P  &  P U M to be marked for removal.

 

Next, click the small x on the Settings line   to go to the main Malwarebytes Window.

Next click the blue button marked Scan.

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).

 

 

Then click on Quarantine selected.

 

 

When the quarantine is completed,

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

 

[kompot]

Thanks again. I've run the MB again with the requested settings and attached the report below.

Sorry the start menu is in Polish, I was just trying to indicate which part of it was empty (shown in white).

 

MWB_20202906.txt

[Maurice Naggar]

We can perhaps look for what can be done  ( later ) about the 1 mising line on the displayed Start menu list.

My initial goal here is to insure that there is no malware , malicious type things.

This last Malwarevytes for Windows scan has removed 2 items of unwanted / ill-advised adwares:    PUP.Optional.SmartCoupon &  PUP.Optional.Babylon

 

I noticed that they were associated to the Chrome browser's "user data" store.   So I would like for you to do this follow-on.

[   1   ]

Set the Chrome "sync"  to OFF.

Use Chrome browser   to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

 

After we are all finished with this case, you may if you wish / if you need to /  turn the Google Sync back On.

[   2   ]

for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history"

Check mark the line "Download history"

Check mark the lined "Cached images and files"
and press Clear Data button  ( in blue )

[   3   ]

After that, make real sure that Chrome is "NOT" set to reload the pages from the last session

Go into the settings menu of Chrome by first clicking  the control icon of Chrome on upper right of the adress bar

Then look deeper in SETTINGS

 

Make real sure it is "NOT" set to "continue where you left off"

.

[   4   ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

[   5   ]

I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

When these are completed,  I would like to know about the Chrome browser,  and,  if the blue-screen Windows abort  has gone away.

[kompot]

Hello, many thanks for the reply.

I've followed all 5 steps.

Two things to clarify after I've cloned the system from HDD to SDD (as described in post #1)

• BSoD issue went away immediately back then, because my broken system on SSD was overwritten by an old working copy from HDD
• start menu problem also went away back then
• so no technical issues any more, just need to get rid of malware etc

A couple of questions I have:

1. Shall I uninstall the S*A*S?
2. I use the browser function to open the last closed session quite a lot, can I use it again?
3. MB has run an automatic scan when I switched my machine on and has found 14 items again... I attach the report.
4. Do I need antimalware software on top of ESET internet security?

Best regards.

MWB_20200630.txt

[Maurice Naggar]

Hi.

To # 1, uninstalling of keeping S*A*S*   is all up to you.   It all amounts as to whether you derive some added benefit  you feel it provides.

But since your pc has ESET  &  Malwarebytes for Windows  ....your pc is protected from malicious malware.   Plus ESET is a super antivirus.

 

to #2, I do not recommend re-opening closed sessions   ......if the browser had a crash / abort on the prior session.

But yes, you can do as you used to.

To # 3,  I will have to dig into your report

 

to #4  it is up to you.  Though I would tend for myself to have both.

.

To the last Scan report:   all the items are tagged  PUP.Optional.SmartCoupon   AND they are tied into the Chrome preferences   & can well be muddled by its SYNC option !

In any event, Chrome browser is the most pesky and Hardest to clean up.

.

We have run the Malwarebytes ADWCLEANER before.

.

I do wonder whether you use Google with the same Google Chrome account on this Windows as well as another Android device or other machine ?  ?

That along with the SYNC being on  would cause these repeats.

.

Delete the previously saved file named FIXLIST.txt

 

Close and save any open work files before starting this procedure. 

I am sending a  new  custom Fix script which is going to be used by the ENGLISHFRST tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named ENGLISHFRST.exe   tool    is already on the Downloads folder
Start the Windows Explorer and then, to the Downloads folder.

RIGHT click on  ENGLISHFRST   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the ENGLISHFRST window:
Click the Fix button just once, and wait.

 
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

 

Fixlist.txt

[kompot]

Yes, I can confirm I run same google account with Chrome on my android phone.

What are these 14 PUP.Optional.SmartCoupon items?

Thank you for the script, log is attached.

Fixlog.txt

[Maurice Naggar]

Thanks for the Fixlog.  However, it ( the run) did not succeed because the system could not find the folders  that needed to be cleared.

Anyhow,  you must keep the Google "SYNC"  to OFF  .....that is so important.

Take another look and be sure it is OFF.

Use Chrome browser   to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
Look very closely.

 

.  

PUP.Optional.SmartCoupon   are advertising related pests.

 

I am going to suggest to you to go  ahead   and do this next Scan.

 

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

[kompot]

Hi, I might have just done the reset, not sync off by accident. I've reseted it and switched it off now.

I have ESET installed, full proper copy of ESET Internet Security I've bought. Can I run it instead of the online scan?

[kompot]

Hello, I've run a local ESET scan, log is attached.

Many thanks for your help!

ESET_scan.txt

[Maurice Naggar]

OK.  ESET found just 1 item.  That was a dll file.   It removed it.  It is classified as a variant of Win64/WebBar.B potentially unwanted application

How is the situation at this point ?

[kompot]

I don't see any problems eith my machine.

I've just tried to run the ENGLISHFRST64 script again, with Chrome sync off and Chrome closed, log attached.

Fixlog.txt

[kompot]

I've struggled with some Windows Updates. After googling it my Temp variable was set incorrectly, I've managed to fix it. 

No change with this script though. Do you want me to delete the contents of folders from the script manually?

Thank you

[Maurice Naggar]

You may try to delete by using a Command prompt  and then COPY ing  and PASTE  ing each line verbatim as listed here.

 

First, set your Windows to Show ALL hidden folders,  and show ALL files

see   https://www.sevenforums.com/tutorials/394-hidden-files-folders-show-hide.html

 

You must be certain that Chrome browser is Closed before you do these .

 

1.  How to get the Elevated Command prompt

https://www.sevenforums.com/tutorials/783-elevated-command-prompt.html

 

Then, one at a time, copy > paste  and for each line tap the Enter-key

del /s /q C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\*.*

 

del /s /q C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data\*.*

 

del /q C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EONFFNNFMBFNMJPAIIGDCLMFELOLEMAH

 

Edited July 2, 2020 by Maurice Naggar
edited to add Show all hidden folders

[kompot]

OK, so here's what's happening. My cmd line or 'Run' won't run this folder

C:\Users\Patryk H\

or subfolders of it.

When I do try it, it opens Windows Prompt "To open this file, Windows needs to know what program you want to use?"...

I've tried selecting explorer.exe but it just comes back with the same prompt.

I can run any other random path outside this, for example this works fine:

C:\Users\Public

Other folders on other drives also work OK. I suspect this is the reason for fix not working in the first place.

 

 

Another worrying bit is I've discovered a new user, when going to Properties>Security user list

What is that one in the bottom with a red question mark?

Name is "account unknown"

It has no rights set or blocked:

Apart from the bottom one, "special rights"

 

 

I've chedked in "User accounts" it only lists my account and "guest".

Many thanks...

[Maurice Naggar]

I am going to relist some tips to set Windows File Explorer to Show all folders

and I am adjusting the command lines so that they take into account spaces in the folder names.

Plus also, let us understand that if Chrome is working ok now,  that these are just extra precautions.

First, set your Windows to Show ALL hidden folders,  and show ALL files

see   https://www.sevenforums.com/tutorials/394-hidden-files-folders-show-hide.html

 

You must be certain that Chrome browser is Closed before you do these .

 

1.  How to get the Elevated Command prompt

https://www.sevenforums.com/tutorials/783-elevated-command-prompt.html

 

Then, one at a time, copy > paste  and for each line tap the Enter-key

del /s /q "C:\Users\Patryk H\AppData\Local\Google\Chrome\User Data\Default\Sync Data\*.*"

 

del /s /q "C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data\*.*"

 

del /q "C:\USERS\PATRYK H\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EONFFNNFMBFNMJPAIIGDCLMFELOLEMAH"

 

Edited 18 hours ago by Maurice Naggar

[kompot]

No problems with Chrome in general Maurice.

I've run the scripts.

First one worked, the other two did not.

Second - name of folder incorrect, I also can't find this folder manually.

Third one - 'can't find C:\...', same I can't find this folder manually.

 

What do you think about the user account and also the Windows prompt asking which program to use, when trying to 'Run...' a folder path?

Regards

[Maurice Naggar]

So, one of the 3 worked.   allright.   And since there are no current problem with Chrome, lets put those considerations away/

I can only guess that either the 2 things went away since Sync was turned off.   Otherwise, maybe you are mis-typing some thing.

 

I have zero idea as to where exactly and how you "see" this other "thing"  { account unknown ??  ]   .   Plus again, there is the factor of the screen & display being in Polish.

Let me suggest that you run a fresh new report with ENGLISHFRST.

 

Run report with ENGLISHFRST

Right-click on ENGLISHFRST icon and select Run as Administrator to start the tool , and reply YES to allow it to proceed and run.
 

_Windows 8 or 10 users will be prompted about Windows *SmartScreen protection* - click line More info information on that screen and click button Run anyway on next screen._

Click YES when prompted by Windows U A C prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & followup & choose Run anyway.


Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. 

Click Yes when the* disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press Scan button and wait.

 

 

The tool will produce 2  logfiles on your desktop: FRST.txt , Addition.txt 
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.

Edited July 2, 2020 by Maurice Naggar

[kompot]

Shall I turn the Chrome sync on and run these scripts?

I've run the FRST, logs are attached.

Thank you

Addition.txt FRST.txt

[Maurice Naggar]

I need time to review these FRST reports.

Keep the Chrome SYNC to OFF.   do not run any script on your own.

[Maurice Naggar]

Thank you for the FRST reports. I do not know just what file you had been looking at before   ( where you said you spotted some unknown "user "   )

It may help to have you tell me just where you had been looking.

 

As far as user accounts on the system, your account has Administrator-level rights.   There is just one other account but it has "limited" rights  and is "postgres".   But as I said, it has limited rights.

 

As to Chrome, it should be doing well.

 

[kompot]

Thank you Maurice.

Bizzare user accounts are visible when I go to:

C:\Users\Public -> Right Click -> Properties -> Security -> Group or user names

 

If I do that on another folder or on a local drive 'folder' I get something more like this (screenshot off the Internet, but I get 'equivalent' content)