Malware Infected my Windows



  • Root Admin

Hello @Fanacantik

Please run the following and attach back the logs and we'll see what we can find. It's very late for me but I'll check back on you in the morning some time.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 


  • Root Admin
Posted (edited)

What is up with your hosts file? Are these valid entries for you?

2019-12-07 17:14 - 2021-05-25 21:08 - 000002196 _____ C:\Windows\system32\drivers\etc\hosts
127.0.0.1      action.test          #laragon magic!   
127.0.0.1      carrier.test         #laragon magic!   
127.0.0.1      corona.test          #laragon magic!   
127.0.0.1      corona-free-dark-bootstrap-admin-template-master.test #laragon magic!   
127.0.0.1      form.test            #laragon magic!   
127.0.0.1      Fujikura.test        #laragon magic!   
127.0.0.1      inventory-management-system.test #laragon magic!   
127.0.0.1      invoice.test         #laragon magic!   
127.0.0.1      kingkoil.test        #laragon magic!   
127.0.0.1      kingkoil_test.test   #laragon magic!   
127.0.0.1      learn.test           #laragon magic!   
127.0.0.1      nbproject.test       #laragon magic!   
127.0.0.1      Panthera.test        #laragon magic!   
127.0.0.1      Panthera1.test       #laragon magic!   
127.0.0.1      pdf.test             #laragon magic!   
127.0.0.1      php_barcode.test     #laragon magic!   
127.0.0.1      PointOfSale-master.test #laragon magic!   
127.0.0.1      pos.test             #laragon magic!   
127.0.0.1      POS_webased.test     #laragon magic!   
127.0.0.1      project1.test        #laragon magic!   
127.0.0.1      shop.test            #laragon magic!   
127.0.0.1      sidebar.test         #laragon magic!   
127.0.0.1      stock.test           #laragon magic!
127.0.0.1       activate.navicat.com

Never mind. I see you're using Laragon as a web server to do testing. I take it you do printer testing or remanufacturing?

Are these valid Firewall blocks for you?

FirewallRules: [TCP Query User{06486081-EAC2-46AE-9BE8-10EC1E1E6035}C:\xampp\filezillaftp\filezillaserver.exe] => (Block) C:\xampp\filezillaftp\filezillaserver.exe (FileZilla Project) [File not signed]
FirewallRules: [UDP Query User{1AEDE5A7-342C-473E-971E-96049D2F06D1}C:\xampp\filezillaftp\filezillaserver.exe] => (Block) C:\xampp\filezillaftp\filezillaserver.exe (FileZilla Project) [File not signed]
FirewallRules: [TCP Query User{7FFE9254-AD04-47DA-BB8A-EE39028E0926}C:\xampp\mercurymail\mercury.exe] => (Block) C:\xampp\mercurymail\mercury.exe (David Harris) [File not signed]
FirewallRules: [UDP Query User{9D29C93C-7A19-4A4E-92E5-9E2F21B3B70C}C:\xampp\mercurymail\mercury.exe] => (Block) C:\xampp\mercurymail\mercury.exe (David Harris) [File not signed]
FirewallRules: [TCP Query User{AF55A3F7-86DF-4C26-BD93-FE1C638A345D}D:\program files\avast software\avast\avastui.exe] => (Block) D:\program files\avast software\avast\avastui.exe (Avast Software s.r.o. -> AVAST Software)
FirewallRules: [UDP Query User{8134BD8C-0D27-460C-9E3C-24A1A5AB93E0}D:\program files\avast software\avast\avastui.exe] => (Block) D:\program files\avast software\avast\avastui.exe (Avast Software s.r.o. -> AVAST Software)

You don't even appear to have Avast installed anymore. Well, I take that back. It is installed but looks like the system has been attacked and it doesn't look like it was installed properly. The fix below will remove Avast and we'll go from there after the fix and see what we have.

 

You appear to have Emsisoft antivirus installed but it's faulting.

Application errors:
==================
Error: (07/02/2021 10:32:27 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: a2service.exe, version: 2021.7.0.11059, time stamp: 0x60d5a0a2
Faulting module name: a2core.dll, version: 2020.5.0.47379, time stamp: 0x5eab77f0
Exception code: 0xc0000005
Fault offset: 0x00000000000199b0
Faulting process id: 0x8f0
Faulting application start time: 0x01d76eea13ce2260
Faulting application path: C:\Program Files\Emsisoft Anti-Malware\a2service.exe
Faulting module path: C:\Program Files\Emsisoft Anti-Malware\a2core.dll
Report Id: 449670b6-c9c6-4d61-bf5a-ad9ce4a7e133
Faulting package full name: 
Faulting package-relative application ID:

 

You have multiple drivers that appear to be missing or need attention, but we can take care of that later on.

==================== Faulty Device Manager Devices ============

Name: Base System Device
Description: Base System Device
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Memory Controller
Description: PCI Memory Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Data Acquisition and Signal Processing Controller
Description: PCI Data Acquisition and Signal Processing Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Data Acquisition and Signal Processing Controller
Description: PCI Data Acquisition and Signal Processing Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

 

What is Combo Cleaner? I thought that was a Macintosh software tool?

HKLM\...\Run: [Combo Cleaner] => C:\Program Files (x86)\Combo Cleaner\ComboCleaner.exe [1701504 2021-06-10] (RCS LT, UAB -> RCS LT)

 

Let me finish making a Fix for you and I'll be back soon

 

Edited by AdvancedSetup
updated information
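A small triage helper for hosts-file dumps like the one quoted above, added here as an example and not part of the original post or of FRST: it separates Laragon-style .test development names from public domains that have been pointed at loopback or 0.0.0.0 (such as the activate.navicat.com entry), which are the ones to confirm with the machine's owner. The sample dump is constructed from the quoted lines; the lists of stock loopback names and development TLDs are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample in the layout FRST prints for the hosts file; the
# entries mirror the ones quoted in the post above.
HOSTS_DUMP = """\
127.0.0.1      action.test          #laragon magic!
127.0.0.1      carrier.test         #laragon magic!
127.0.0.1      stock.test           #laragon magic!
127.0.0.1       activate.navicat.com
0.0.0.0        update.example-av.invalid
::1            localhost
"""

LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}  # stock names (assumed list)
DEV_TLDS = (".test", ".localhost", ".local")  # Laragon/XAMPP-style dev sites (assumed list)
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)(?:\s+#\s*(.*))?$")  # one hostname per line, as in the dump

def parse_hosts(text):
    """Yield (ip, hostname, comment) for each active mapping line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2).lower(), (m.group(3) or "").strip()

def review_hosts(text):
    """Classify each mapping as 'ok' (stock loopback name), 'dev' (local .test
    site), 'review' (public name sinkholed to loopback/0.0.0.0, which needs the
    owner's confirmation), 'redirect' (public name sent elsewhere) or 'malformed'."""
    findings = []
    for ip, host, _comment in parse_hosts(text):
        try:
            addr = ip_address(ip)
        except ValueError:
            findings.append((host, ip, "malformed"))
            continue
        if host in LOOPBACK_OK:
            verdict = "ok"
        elif host.endswith(DEV_TLDS):
            verdict = "dev"
        elif addr.is_loopback or addr.is_unspecified:
            verdict = "review"
        else:
            verdict = "redirect"
        findings.append((host, ip, verdict))
    return findings

def needs_review(text):
    """Hostnames the machine's owner should be asked about."""
    return [h for h, _, v in review_hosts(text) if v in ("review", "redirect")]
```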

  • Root Admin

Please run the following fix for me @Fanacantik

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


  • Root Admin

Let me also have you run the following Microsoft Safety Scanner

 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links and the how-to-run instructions for the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log 

The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

 


  • Root Admin

Please open an elevated admin command prompt and type in the following and press the Enter key

SFC /SCANNOW 

Post back the results

Then from the command prompt copy/paste the following and press the Enter key

 DISM.exe /Online /Cleanup-Image /ScanHealth

Post back the results

If it says something is wrong then run the following

DISM.exe /Online /Cleanup-image /Restorehealth

I'll check back on you again sometime tomorrow

 

We'll also want to have you run the following

 

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.
  • If Windows's SmartScreen blocks that with a message window, then click on the MORE INFO spot and override that and allow it to proceed.
  • This tool is safe. SmartScreen is overly sensitive.
  • Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run and go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

 

Please run the following to get Malwarebytes fully cleaned up and reinstalled. Let me know if Malwarebytes still won't run after this.

 

Can you please do the following?

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
  • NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete

After the restart please do the following

  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply


Once everything has completed let me know if you're still having any issues or signs of malware.

 

Thank you

 


  • Root Admin

Emsisoft is registered as your antivirus. Please uninstall the Bitdefender Agent

This is a 3 day long Holiday here in the US so depending on my schedule I may or may not be back until Tuesday.

Please follow the other steps as requested above for SFC and DISM

 

How is the computer running now?

 

Thank you



Microsoft Windows [Version 10.0.19042.1052]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>SFC /SCANNOW

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

C:\Windows\system32>DISM.exe /Online /Cleanup-Image /ScanHealth

Deployment Image Servicing and Management tool
Version: 10.0.19041.844

Image Version: 10.0.19042.1052

[==========================100.0%==========================] No component store corruption detected.
The operation completed successfully.

C:\Windows\system32>


  • Root Admin

Please uninstall, update, or otherwise address the following issues as appropriate

 


--------------------------- [ OtherUtilities ] ----------------------------
Git version 2.31.1 v.2.31.1 Warning! Download Update

Notepad++ (64-bit x64) v.7.9.5 Warning! Download Update


Node.js v.14.17.0 Warning! Download Update

Backup and Sync from Google v.3.55.3625.9414 Warning! Download Update

Microsoft Visual Studio Code (User) v.1.56.2 Warning! Download Update


------------------------------ [ ArchAndFM ] ------------------------------
WinRAR 6.01 (64-bit) v.6.01.0 Warning! Download Update


------------------------------- [ Browser ] -------------------------------
Mozilla Firefox 87.0 (x64 en-US) v.87.0 Warning! Download Update


---------------------------- [ UnwantedApps ] -----------------------------
Restoro v.2.0.2.8 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering.

Combo Cleaner v.1.0.44.0 << Hidden Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering.

NewProduct 1.00 v.1.00 Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware and Malwarebytes AdwCleaner. Before uninstallation and scanning it is necessary to consult in the forum where cure is provided for you!!!

 

 

Then run the following

 

Can you please do the following?

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
  • NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete

After the restart please do the following

  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

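The SecurityCheck report quoted above is plain text with bracketed section headers and one product per line. This added parser (not part of the thread or of glax24's tool) pulls each entry into a record and separates the UnwantedApps section, hidden installs first, from software that merely needs an update; the excerpt it parses is constructed from the quoted lines, with the long warning sentences shortened.

```python
import re

# Constructed excerpt in the layout SecurityCheck (glax24) prints; the
# entries mirror those quoted in the post above.
REPORT = """\
--------------------------- [ OtherUtilities ] ----------------------------
Git version 2.31.1 v.2.31.1 Warning! Download Update

Notepad++ (64-bit x64) v.7.9.5 Warning! Download Update

---------------------------- [ UnwantedApps ] -----------------------------
Restoro v.2.0.2.8 Warning! Suspected demo version of anti-spyware, driver updater or optimizer.

Combo Cleaner v.1.0.44.0 << Hidden Warning! Suspected demo version of anti-spyware, driver updater or optimizer.

NewProduct 1.00 v.1.00 Warning! Suspected Adware!
"""

SECTION_RE = re.compile(r"^-+ \[ (\w+) \] -+$")
# "<name> v.<version>[ << Hidden] Warning! <text>"; the lazy name stops at the first " v."
ENTRY_RE = re.compile(r"^(?P<name>.+?) v\.(?P<ver>\S+)(?P<hidden> << Hidden)? Warning! (?P<warn>.*)$")

def parse_report(text):
    """Return a list of dicts: section, name, version, hidden, warning."""
    section, items = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            items.append({
                "section": section,
                "name": m.group("name"),
                "version": m.group("ver"),
                "hidden": bool(m.group("hidden")),  # installed but not listed in Programs and Features
                "warning": m.group("warn"),
            })
    return items

def triage(text):
    """Split findings into what to uninstall (UnwantedApps, hidden installs
    first, since those are the ones the user cannot see) and what needs an update."""
    items = parse_report(text)
    remove = sorted((i for i in items if i["section"] == "UnwantedApps"),
                    key=lambda i: not i["hidden"])
    update = [i for i in items if i["warning"].startswith("Download Update")]
    return [i["name"] for i in remove], [i["name"] for i in update]
```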

  • Root Admin

What is this program? It sure looks like Snake Oil.

Restoro (HKLM\...\Restoro) (Version: 2.0.2.8 - Restoro)

Anyway, it's faulting on the computer too.

 

Please save the attached FIXLIST.TXT file as before to the same location as the Farbar FRST program. Then click the FIX button

fixlist.txt

Once it has run and restarted the computer please post back the FIXLOG.TXT file and let me know if there are any other issues I can assist you with.

Thank you

 

 

This topic is now closed to further replies.