johny Posted August 28, 2020 ID:1404171

Hello,

I seemingly have some kind of hidden virus on my laptop, after clicking an older "normal" link on the Acer forum. It should have referred to a shop page but instead it showed a fake version of a news website of my country, with a fake story about bitcoins. I haven't clicked anything on that page and closed it. And I started up the antivirus program to have a quick check nothing was wrong. But after half a minute running the program my laptop starts to freeze and nothing responds anymore. I forced the computer to stop by holding the power button; after restart, the computer still freezes and starts getting hot.

Now, a day later, it starts up "normal" but I see a quick flash of a window every time I start up, which wasn't there before last night! So again I ran Malwarebytes, but nothing found! Also Task Manager doesn't show anything running.

I have taken a photo of this window (see attachment). It shows some letters/symbols (I hope it is visible).

Is there any advice on how to track this program and get rid of it? I am a bit worried it would copy my passwords or maybe is mining for bitcoins...

Many thanks in advance, any help is much appreciated!

Johny

Maurice Naggar Posted August 28, 2020 ID:1404172 (edited)

Hello

Please do all the steps in this pinned topic. After that, attach the 2 report files from the Farbar F R S T report tool.

Those are the first steps. Reports are needed for analysis & review.

Edited August 28, 2020 by Maurice Naggar: added link

johny Posted August 28, 2020 Author ID:1404176

Hello Mr Naggar,

Thanks for your quick assistance with my problem. I have run FARBAR and the 2 results are in the attachment.

Many thanks for your time.

Attachments: FRST.txt, Addition.txt

Maurice Naggar Posted August 28, 2020 ID:1404179

Hi, Johny. Thank you for the FRST reports. There does not appear to be something unusual in these reports.

Tell me, have you done a scan with the Telenet Security by F-Secure? If not, please make time to do so.

One observation: It does seem that each of the web browsers does have browsing protection by F-Secure.

The following is just a scan for adwares. I would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start the Adwcleaner scan. Adwcleaner detects factory preinstalled applications too!

Please download Malwarebytes AdwCleaner: https://downloads.malwarebytes.com/file/adwcleaner

Be sure to Save the file first, to your system. Saving to the Downloads folder should be the default on your system.
Go to the folder where you saved Adwcleaner. Double click Adwcleaner to start it.
At the prompt for license agreement, review and then click on I agree.
You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows, so you can see Adwcleaner.)
Then click on the Dashboard button.
Click the blue button "Scan Now".
Allow it a few minutes to finish the Scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean". Double click that line & it will open in Notepad. Save the file to your system and then attach that with your reply.

That C clean report will be the one with the most recent date and time at folder C:\AdwCleaner\Logs

Thanks. Keep me advised.

johny Posted August 28, 2020 Author ID:1404187

Hello Mr Naggar,

I have run the F-Secure antivirus, and it also doesn't find anything. Is this worrisome?

Adwcleaner did find something and it should be quarantined. The Adwcleaner logs are in the attachment. There are 2 of them, made at the same time...

Thanks again!!!

Attachments: AdwCleaner[C00].txt, AdwCleaner[S00].txt

Maurice Naggar Posted August 28, 2020 ID:1404203

Hi. Please just call me Maurice.

No, there is not a need to be worried. The scan by Adwcleaner only found a minor adware trace / a leftover in the registry that has no possible harm.

The quick window you've noticed is "perhaps" about a Windows applet for Skype that has some sort of "error condition". Do you ever use Skype?

What follows is a custom script to do a quick scan with the Windows 10 Windows Defender antivirus & to run the Windows 10 System File Checker to check the system. You should do this at a point where you will not be needing to use the system for any other purpose. The system will be rebooted after the script has run.

This custom script is for Johny only / for this machine only.

Close and save any open work files before starting this procedure.

I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE link AS and save it directly (as is) to the Downloads folder.

The tool named FRST64.exe is already in the Downloads folder.

Start Windows Explorer and then go to the Downloads folder.
RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.
On the FRST window: Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.

If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.

When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Attachment: Fixlist.txt

johny Posted August 28, 2020 Author ID:1404227

Hi Maurice,

I have run FRST64 again. I will attach the Fixlog at the bottom.

I noticed at restart, the window still pops up very fast again. I ran the antivirus of F-Secure this time again and the computer totally froze again at 15% and the computer CPU is very busy.

I don't think it is related to Skype as I do not use it. It's only installed because of Windows 10, I guess.

Still a bit worried.

Thanks again!

Attachment: Fixlog.txt

johny Posted August 28, 2020 Author ID:1404230

I also noticed in my antivirus log, my antivirus was deactivated at the moment of visiting the malicious website.

Maurice Naggar Posted August 28, 2020 ID:1404262

Thank you for the Fixlog report. The Windows System File Checker did run and found no issues about Windows system files. That is very good.

Do try to not be worried. And I would like to know what website you visited by your last mention.

Most often those real quick "windows" at startup are simply computer-manufacturer's mini-applets. This machine appears to be an Asus machine.

While we do not yet know just what that quick-window is, you can take some comfort in knowing that you have Malwarebytes for Windows installed. If it is in Trial mode, then it does have real-time protections.

At this point, let's get a different report. Let's please try to get and run a special report tool from Microsoft. It does not make changes. It will be just a report.

Please download Sysinternals Autoruns from here and save it to your desktop.

Note: you also need to do the following:
Right-click on Autoruns.exe and select Properties
Click on the Compatibility tab
Under Privilege Level check the box next to Run this program as an administrator
Click on Apply then click OK

Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...
In the Autoruns Filter Options dialogue, verify that the following are unchecked; if they are checked, uncheck them:
Include empty locations
Hide Microsoft entries
Hide Windows entries
Verify that the following is checked; if it is unchecked, check it:
Verify code signatures
Once that's done press the F5 key on your keyboard; this will start the scan again. This time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
Attach the Autoruns.zip folder you just created to your next reply

Thank you.
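
As an added example (not part of the original posts, and not the Autoruns tool itself): a read-only PowerShell script that lists a few of the autostart locations Autoruns covers (registry Run keys, Startup folders, logon/boot scheduled tasks) and reports each executable's Authenticode status, in the spirit of the "Verify code signatures" option above. The function names are illustrative; run it from an elevated PowerShell prompt on Windows 10.

```powershell
# Added example: read-only listing of common autostart entries with their
# Authenticode status. Function names are illustrative, not from any tool.
function Get-ExePathFromCommand {
    param([string]$Command)
    # Expand %SystemRoot%-style variables, then take the quoted path, or the
    # shortest prefix ending in .exe (covers unquoted paths with spaces).
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"')        { return $Matches[1] }
    if ($cmd -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0].Trim('"')
}

function Get-SignatureStatus {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return 'PathNotResolved'   # bare names such as "foo.exe" land here
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.SignerCertificate) {
        return '{0} ({1})' -f $sig.Status, $sig.SignerCertificate.Subject
    }
    return [string]$sig.Status
}

$entries = @()

# 1. Registry Run / RunOnce keys, machine-wide and per-user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $entries += [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$item.GetValue($name) }
    }
}

# 2. Startup folders; .lnk shortcuts are resolved to their target.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    foreach ($file in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
        $target = if ($file.Extension -eq '.lnk') { $shell.CreateShortcut($file.FullName).TargetPath } else { $file.FullName }
        $entries += [pscustomobject]@{ Source = $dir; Name = $file.Name; Command = '"{0}"' -f $target }
    }
}

# 3. Enabled scheduled tasks with a logon or boot trigger.
foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    $atStart = $task.Triggers | Where-Object {
        $_.CimClass.CimClassName -in 'MSFT_TaskLogonTrigger', 'MSFT_TaskBootTrigger'
    }
    if (-not $atStart) { continue }
    foreach ($action in $task.Actions | Where-Object { $_.Execute }) {
        $cmd = '"{0}" {1}' -f $action.Execute.Trim('"'), $action.Arguments
        $entries += [pscustomobject]@{ Source = 'Task ' + $task.TaskPath; Name = $task.TaskName; Command = $cmd }
    }
}

# Report: unresolved and unsigned entries sort apart from 'Valid (...)' ones.
$entries | ForEach-Object {
    $exe = Get-ExePathFromCommand $_.Command
    [pscustomobject]@{ Source = $_.Source; Name = $_.Name; Executable = $exe; Signature = Get-SignatureStatus $exe }
} | Sort-Object Signature | Format-Table -AutoSize -Wrap
```

Entries reported as NotSigned or PathNotResolved are the ones to look up first; Autoruns itself inspects many more locations than these three.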

johny Posted August 28, 2020 Author ID:1404274

Hi Maurice,

I have run Autoruns and made the compressed zip file.

Thanks for your assistance.

Attachment: DESKTOP-9CH6NNK.zip

johny Posted August 28, 2020 Author ID:1404278

The website I got redirected to by clicking on an old link on the Acer forum: the link itself was a shop for a hard drive tray for Acer.

The website is registered in my history as
https://europedaily.org/hln/?Ipkey=158c............

I also see I visited 2 websites I actually didn't visit in history right after the first one:
usa.caralla-ver.com/zcvisitor/433f...........
and:
usa.caralla-ver.com/zcredirect?vis............

Hope this helps.

Greets

Maurice Naggar Posted August 29, 2020 ID:1404301

There is a lot I can say about using web browsers. One of the most important is to be very very careful before you click on any link! Just always hover the mouse pointer over a link AND watch real real close at the actual address line displayed on the status bar at the bottom of the web browser. Look real close for odd names / odd links with misspelling or extra amount of tracking information. Just look before you even click.

And the big point is, to delete the cache & history file of each web browser. You did not mention what web browser you had used.

Thanks for the Autoruns report.

On the presumption that the "popup window" you have seen is one from Skype, let's do what follows with the goal being to NOT have auto-start of Skype.

I do not know the version on your Windows 10. However, I do see that your Windows 10 version is quite old (more on that later). That is to say, I'm not sure what version of the Skype app is on this. But you can type skype into the Windows search box and click on the SKYPE app from the list shown.

Open Skype > at the top, click Tools > click Options > right side, uncheck the box "Start Skype when I start Windows" > Save when done, and close the app.

[ 2 ]

Next let's do a one time special scan with Malwarebytes for Windows.

Start Malwarebytes from the Windows Start menu.
Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
Then click the SECURITY tab. Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON. Click it to get it ON if it does not show a blue color.
Now click the small X to get back to the main menu window.
Click the SCAN button. Select a Threat Scan (which should be the default).
When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
Then click on Quarantine selected. Be sure all items were removed.
Then too, repeat the scan one more time. It does not take long. And again, be sure all detected items are removed. Let it remove what it has detected.

[ 3 ]

This Windows is Windows 10 Pro Versie 1903. 1903 is an old version that will be deemed mandatory to update to a newer / current version this fall. Let's take time now and get it updated to the current release version 2004 (that is the May 2020 version). Your system will benefit from it.

As a first step, do this first. I suggest that (at your next best opportunity) you enable the F8 function key use at machine boot (that way you have means to have advanced startup options).
See Option One at this article: https://www.tenforums.com/tutorials/22455-enable-disable-f8-advanced-boot-options-windows-10-a.html

NEXT

Close all your open work files (if any) and save them. You need to have a clear view all around. And eventually be ready for the system to do restarts.

I would suggest to upgrade to the Windows 10 build 2004 (or spring 2020 build). You should be able to manually get it thru Windows Update. It may take repeated tries with Windows Update till your PC is able to see that update. You should make a try each day, from here on out, till you see it offered.

The suggestion I have is to go to the Start menu, click the Windows Settings icon. Select Update & Security. Click on Windows Update.

The Windows Update (eventually) will have a display like this when it shows up. Note that the display will show the new build in a new way, in the middle of the display. You will need to click on the blue line marked "Download and install now" when ready.

johny Posted August 29, 2020 Author ID:1404390

Hello Maurice,

Thanks for your help again! I will always keep these tips you gave in mind.

I am using Mozilla Firefox version 79, mostly. I also have the add-ons NoScript and Adblock Plus, as a precaution. I have deleted all cookies and memory in my browsing history, and have set it to "always delete when stopping Firefox".

I have disabled the "start Skype at startup Windows" option in Skype. I will check later if the window is now gone, as I am running Windows Update now.

2. I ran Malwarebytes again with the rootkit scan option as you told me, but it didn't show any result.

3. I enabled the F8 advanced boot option. (I don't think I have "fastboot" enabled on my laptop, so it should work fine when trying.)

4. At this moment I am downloading and installing the Windows 10 version 2004 update. I will wait for it to install and get back to you when it does and I have checked that the window at startup has disappeared now with Skype at startup disabled.

Many thanks again for your time and effort!

Greets

Maurice Naggar Posted August 29, 2020 ID:1404392 (edited)

Good morning. Bravo to you.

With Skype auto-start off, I expect that the quick window flashing by will be gone.

It is great to read that Windows Build 2004 is in progress & update under way. Just be sure to not use that machine for anything else. That you Closed / exited out of any applications you had been using on it.

Have lots & lots of patience during and after the update. If this is a laptop or notebook type machine, be sure it is directly connected with a regular power-cord.

The update may need to do some restarts. Have lots and lots of patience. If the screen monitor goes all black, just simply use the mouse or trackpad if on a laptop, and make motions with the mouse like circles. That will get the screen monitor to refresh and display.

Let me know after the update finishes.

Cheers.

Edited August 29, 2020 by Maurice Naggar

johny Posted August 29, 2020 Author ID:1404416

Good morning to you also! (It's already evening here :)

The install of Windows 10 version 2004 has completed and my computer has restarted. At this moment there are no further updates available and my system is up to date. As are the antivirus programs.

While starting Windows 10, the pop-up window, or program, hasn't shown anymore!

I maybe should run the antivirus 1 more time to see if it doesn't freeze the computer anymore.

johny Posted August 29, 2020 Author ID:1404419

Hello Maurice,

Malwarebytes doesn't show any results, but I checked again with the antivirus program F-Secure and it freezes the computer again, on the file: nvvsvc.exe [pid:2616]

I have read a post about F-Secure having a similar freeze problem with also an ASUS computer. I will look deeper into that.

Many thanks again

johny Posted August 29, 2020 Author ID:1404443

The problem with the other antivirus freezing is solved. It also doesn't find anything, so I shouldn't worry too much any more?

I would like to thank you again for your time and help with this problem! If I should do another scan or check, please let me know.

Kind regards,
johny

Maurice Naggar Posted August 29, 2020 ID:1404481

Hello. I got all your notes. It seems that the original issue is now gone away. That is great. It is also very excellent that your machine is now on Windows 10 version 2004.

Once it is all settled in & you are comfortable with it, you should just check and be sure that the system's System Restore is ON & then do a Create new Restore point.
See this article at Tenforums: https://www.tenforums.com/tutorials/99782-enable-disable-system-restore-windows.html

Also highly recommended: For future safety, in case it is needed, make a USB recovery flash-thumb-drive.
See "Create a Bootable USB Recovery Drive in Windows 10": https://www.tenforums.com/tutorials/4200-create-recovery-drive-windows-10-a.html

Now, a few cleanups.

To remove the FRST tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe. Then run that (double click on it) to begin the cleanup process.

Delete the downloaded file autoruns.exe

The Adwcleaner program you can keep and run as needed, on-demand.

Any other download file I had you save, you may delete.

Backup is your best friend. Keep backups of your system on a regular basis to offline storage & keep those safe.
https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each PC user needs to practice daily safe computer and internet use.

Best practices & malware prevention:

Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.

First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address (one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected (out of the blue) email no matter how enticing. Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with an antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed. Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog: http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove (or change) your current login. Just use the new Standard-user-level one for everyday use while on the internet.

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

Stay safe. I wish you all the best. 😎

Sincerely,
Maurice

Maurice Naggar Posted August 29, 2020 ID:1404482

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you