kompot

Malware, boot issues, BSoD msahci.sys, empty start menu


I don't think that is the way to look at all of the User accounts on Windows 7.

To do that on Windows 7, use these ways:

Click Start, and then click Control Panel. Click Performance and Maintenance, click Administrative Tools, and then double-click Computer Management. The Computer Management window for the local computer is displayed.

 

Open Computer Management, and go to "Local Users and Groups -> Users."

On the right side, you see all the user accounts, their names as used by Windows behind the scenes, their full names (or the display names), and a description for each.


I could not find these particular menus, but I went to user accounts in control panel and it only lists my and guest account so I guess it's OK?

I also have done two MB scans, 1st with sync still off, then I switched it on, waited a few minutes and run scan again. Both found 0 problems. I guess we're OK here?

Huge thanks for your help Maurice!


Yes,  things are normal.   Glad to know that the scans reported no threats.

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

 

Stay safe.  I wish you all the best.   😎

Sincerely,

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 


Topic has been reopened per request.

Thanks

 


Thanks Maurice.

On every Windows startup I have this prompt to select a program to open the file with.

I've opened it with Notepad, here's what I see (I've blanked some of that but not sure if it's required, I can show it if it's not harmful)


 

The file is stored in C:\Users and has a file name same as my user account, it has no extension.

I wonder what the characters at the bottom are...

Quick translate from Polish:

>Interface list
><list>
>IPv4 route table
>active routes:
>none
>persistent routes:
>none
>IPv6 route table
>active routes:
>none
>persistent routes:
>none
>Asian characters...

 

Google translate isn't really helpful.

Thank you.


That looks like some log of some sort, possibly network related.  This is a text-type file.   So it does not pose any threat of any sort.

This looks like a one off odd thing.

Let's see where it may be stored /  where it is called from.

RSIT (Random's System Information Tool)
Please download RSITx64 by random/random... save it to your desktop.

http://images.malwareremoval.com/random/RSITx64.exe

Right click on RSITx64.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.

Please read the disclaimer... click on Continue.

RSIT will start running. When done... 2 log files... will be produced.
The first one, "log.txt", <<will be maximized... the second one, "info.txt", <<will be minimized.

Please post both... "log.txt" and "info.txt", file contents in your next reply.


Hi. Thank you for that RSIT report set.

I would like to get a different report to help me to help you.

1: Please download & Save DDS from this link  and save it to your desktop:

 

Don't click any flashing ads  ( if any show up).   The download will begin on its own thru your browser.

 

2: Before running DDS, please disable any security software (excluding Malwarebytes ). If you are unsure of how to disable your security software, please skip this step and continue without doing so.

 

3: RIGHT-click dds.com and select OPEN.  (If prompted,  reply YES and allow the tool to run.)

Next click the Start button.

 

This scan will produce 2 logs, DDS.txt and Attach.txt, and save them to your desktop.

When the report has finished, the 2 report files will show in your default text application.

Just Close those 2 windows.

 

4: Please attach the two logs created to your next reply.   DDS.txt and Attach.txt

 

Thank you.


I need to read about all these analysis softwares one day!

Thanks Maurice, I did disable ESET protection for this scan, two files are attached.

Best regards

dds.txt attach.txt


Do turn back on the ESET.   I will reply after I have had a chance to digest these.   These logs were designed for people trained formally in malware removal.


No problem. I did switch it back on, but thanks for the reminder!


It is still a mystery what exactly the text file that pops out is.

The following is just housekeeping, because the pc has ESET Security.

There is one setting in Malwarebytes that needs to be off just in the Windows Security Center "registration".   The Premium ( or trial ) protections of Malwarebytes will still be on.

Start Malwarebytes. Click Settings ( gear ) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to 

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".    all the way to the left is OFF.

Close Malwarebytes when done.


Hi. I'd like to see a different report in the hopes of finding what triggers the opening of the text file at startup of Windows.

 

Get and run a special  report  tool from Microsoft. 

It does not make changes. It will be just a report.

 

  • Please download Sysinternals Autoruns from here and save it to your desktop.
  • Note: you also need to do the following:
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK


Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...

In the Autoruns Filter Options dialogue, verify that the following are unchecked, if they are checked, uncheck them:

  • Include empty locations
  • Hide Microsoft entries
  • Hide Windows entries


Verify that the following is checked, if it is unchecked, check it:

  • Verify code signatures


Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.


Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
Attach the Autoruns.zip folder you just created to your next reply

 

Thank you.

 


Hi Maurice.

Many thanks for your help again.

I've adjusted MB settings as per your instructions.

I attach the Autoruns.zip file.

One thing to note - my autorun.exe settings were a bit different to yours, see below the setting I've run it in. I've tried to replicate what you said, let me know if I need to re-run it again with another setup.

Best regards.

 


Autoruns.zip


Thanks for the Autoruns report. You did fine. I am attaching a screen-grab from the Autoruns.

I have highlighted 2 lines that we need to remove, by using the Autoruns.

The first line is at the very top and is the one listing RDPCLIP under the "Startup programs".

The other line is for " spotify".

 


 

 

Start Autoruns one more time  ( unless you have it on screen at this point).

and look on the main tab named Everything.   For the following items un-tick the check box    on the far left-side

look for "RDPCLIP " and un-tick its check box

& while the focus is on that line, press & hold CTRL key & tap D key to delete.

 

look for "SPOTIFY " and un-tick its check box

& while the focus is on that line, press & hold CTRL key & tap D key to delete.

 


The issue went away! Thank you very much!

I did notice a few entries for SW I no longer have, can or should I delete those? E.g. Maxthon web browser, controversially I think it was spying on its users back in the days or other entries highlighted in yellow in autoruns.


Good to know this last "issue" went away.

Yes, if you know of programs that you no longer use, do the regular way to Uninstall, thru the Control Panel.

If you see line items  ( like in yellow color)  that have the notation  "file not found" then you can Delete those in Autoruns  ( like outlined before).


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

This topic is now closed to further replies.
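
Added example, not part of the thread and not Autoruns' own logic: a read-only PowerShell report of Run/RunOnce registry entries whose target file no longer exists, the condition the advice above refers to as "file not found" in Autoruns. It covers only these registry keys, not the Startup folders, services or scheduled tasks that Autoruns also lists; the function names are hypothetical.

```powershell
# Read-only: lists Run/RunOnce startup entries and marks those whose target
# file is missing. Nothing is deleted or changed.

function Get-CommandTarget {
    param([string]$CommandLine)
    # Expand %SystemRoot%-style variables before parsing.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    # Quoted form: "C:\path with spaces\app.exe" /args
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form: shortest prefix that ends in a known extension.
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|dll|vbs|js))(\s|,|$)') { return $Matches[1] }
    # Otherwise a bare program name with no path or extension.
    return ($cmd -split '\s+')[0]
}

function Test-TargetExists {
    param([string]$Target)
    if (Test-Path -LiteralPath $Target -PathType Leaf) { return $true }
    # Bare names are looked up through PATH, as they would be at logon.
    return [bool](Get-Command $Target -CommandType Application -ErrorAction SilentlyContinue)
}

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        if (-not $command) { continue }          # skip empty values
        $target = Get-CommandTarget $command
        $status = 'file not found'
        if (Test-TargetExists $target) { $status = 'present' }
        New-Object PSObject -Property @{
            Key = $key; Entry = $name; Target = $target; Status = $status
        } | Select-Object Key, Entry, Target, Status
    }
}
```

For entries launched through a host such as rundll32.exe, the report checks the host program, not the DLL named in its arguments.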
