zherot Posted July 28, 2021 ID:1471438
This is the original topic: As suggested by the advisor, I got some logs made with the FRST64 scan. Long story short, AdwCleaner won't start even after uninstalling Avast (which was suggested by the advisor).
Addition.txt FRST.txt

Maurice Naggar Posted July 28, 2021 ID:1471544
Hello @zherot
My name is Maurice. Please let me know what nickname you prefer to go by. I will guide you from this point on. Please just stick here on this thread. I will first review your reports, then later, get back with you on this.

Maurice Naggar Posted July 28, 2021 ID:1471551
This case will likely take many rounds. Patience is a must. This pc has signs of it having had AVAST & Avira antivirus. When did you first try to install? How did you uninstall? I see traces of references for both.

Maurice Naggar Posted July 28, 2021 ID:1471553
These are just some opening type first steps. First adjustments.

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ]
Be sure you are logged in with an administrator-rights account.
Visual check on services using MSCONFIG.
From the Start button (or Win-key + R), in the search box type in MSCONFIG and press OK or Enter.
You should see the General tab. Click the General tab. It should have Normal startup selected (in the radio-box selection). IF it does not, then you click on Normal startup.
Click on the Services tab to get its display of services.
Keep a written list of any changes from my list of services below. That way you and I have a reference document.
Look at the bottom line, Hide all Microsoft services. IF and only IF it is checkmarked, then un-check it. (We need to SHOW all Microsoft services.)
The list of services may be shown in non-alphabetical order, so look at the heading titled "Service". Click on it as needed so the list is sorted and the top of the list starts with the "A" services. You can toggle as needed to get the desired order.
IF any of the below services are NOT shown, don't panic & do not stop, just write down the info for me and proceed with the others!
Then using the scroll-bar, scroll down the list. Look for SecurityHealth. IF it shows & IF it is un-ticked, then TICK the box. (We want that to have a check-mark so that it is enabled.)
When done, press the Apply button. Click the OK button. EXIT out of the applet.

[ 3 ]
On the Windows taskbar, in the Windows search box, type in cmd.exe and then look at the entire list of choices, and click on Run as Administrator.
Once the Command prompt window is up, type in (or COPY & then PASTE)

    WMIC SERVICE WHERE Name="winmgmt" set startmode="auto"

Tap the Enter key to proceed forward.
Then COPY this whole next line & then Paste into the command window

    net start winmgmt

Tap the Enter key to proceed forward.
Let me know the results of all this. Then you may close the command prompt window.

zherot Posted July 28, 2021 Author ID:1471570
I uninstalled Avast yesterday just using the add or remove programs from Windows 10.
Couldn't find the "SecurityHealth" service. Maybe it's there, but since my pc is in Spanish most services are shown in Spanish, and while it should be easy to find if it were a 1 on 1 translation, most of the time the translations are not 1-1 and are kinda "renamed". But what I can tell you is that all Microsoft services were checked.
The CMD commands: the first one said "Properties correctly updated" and the second one said "System error 5" Access denied.

Maurice Naggar Posted July 28, 2021 ID:1471577
What follows is a custom script. This may take a long time. Hopefully it will be much less than an hour.
The script Fixlist.txt needs to be saved to the same folder that contains FRSTENGLISH.exe / it is on Downloads.
Please save the (attached file named) FIXLIST.txt to the DOWNLOADS folder.
Fixlist.txt
The custom script on this post is ONLY for this machine and NO other.
Please be sure to Close any open work files, documents, any apps you started yourself before starting this.
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
The system will be rebooted after the script has run.
Start the Windows Explorer and then, to the Downloads folder.
RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run the tool.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool, click line More info information on that screen and click button Run anyway on next screen.
On the FRST window: Click the Fix button just once, and wait.
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start.
If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.
Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
Keep in mind this is not a single shot cure-all. There will be more to do later.

zherot Posted July 28, 2021 Author ID:1471598
I deleted the FRSTENGLISH.exe and all of the Farbar logs and exe because I thought I would not use them anymore.

zherot Posted July 28, 2021 Author ID:1471606
33 minutes ago, zherot said:
> I deleted the FRSTENGLISH.exe and all of the Farbar logs and exe because I thought I would not use them anymore.

Well, I discovered that it downloaded with the Malwarebytes Support Tool, so I am using that again to get it again, and after that I will run the script as you said.

zherot Posted July 28, 2021 Author ID:1471610
This is the log after running the script:
Fixlog.txt

Maurice Naggar Posted July 29, 2021 ID:1471638
If you run into a hitch, as we go along, stop and ask me first.
We may wind up needing to re-use FRSTENGLISH at a later point. So please do not delete it. Plus, I will guide you on tools cleanup when we get to close the case (at the end).
Thanks for the Fixlog. The Windows System File Checker reports, "Windows Resource Protection found damaged files and repaired them correctly."
Overall, the custom script run is a good thing to have done.
Now, as a matter of fact, we do need to get a fresh report. And we will need to use FRSTENGLISH to get that.
Go to the Downloads folder. RIGHT-click with the mouse on FRSTENGLISH & select "Run as Administrator" to start it.
When prompted to allow it to run, reply YES and let it go forward.
When the tool opens click Yes to the disclaimer.
Now, be sure to TICK the check-box marked "Addition.txt" (like in picture here).
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.
Please attach both logs to your reply.
To save attachments please click the link "choose files". Then browse to where your file is located and select it and click the Open button.
Edited July 29, 2021 by Maurice Naggar

zherot Posted July 29, 2021 Author ID:1471642
Here
Addition.txt FRST.txt

Maurice Naggar Posted July 29, 2021 ID:1471644
Thank you for the FRST reports.
NEXT
This should only take something less than 15 minutes. Now a fresh new scan with Malwarebytes for Windows.
In the Malwarebytes for Windows program, we want to do a special scan.
Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab. Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈
Click it to get it ON if it does not show a blue color.
Next, click the small x on the Settings line to go to the main Malwarebytes Window.
Next click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).
💢 Please double verify you have that TOP check-box tick marked, and that then, all lines have a tick-mark.
Then click on the Quarantine button.
Then, locate the Scan run report; export out a copy; & then attach in with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

zherot Posted July 29, 2021 Author ID:1471665
It found nothing, here is the report and yeah I enabled the rootkit scan too.
Report.txt

Maurice Naggar Posted July 29, 2021 ID:1471710
Thank you for that. The Malwarebytes for Windows on this machine is Versión: 4.3.0.98 / Versión de los componentes: 1.0.1358
I want to guide you to doing 2 update runs so that this pc has the latest version, and on the latest Beta version.
Start Malwarebytes for Windows.
Click on the Settings (gear icon).
Now click on the tab "General". Then scroll up a bit, and then click on the "Check for Updates" button. Watch & follow all prompts.
That ought to do a check with the update server, and hopefully offer the newest component update.
Click Settings.
In the General tab, scroll down to the Beta updates toggle.
Click the Beta updates toggle.
In the pop-up window, click Enable Beta Application Updates.
Scroll up a bit, and then click on the "Check for Updates" button. This is a second run to get that Beta. Watch & follow all prompts.
Hopefully this will get the program to Beta version 4.4.4.126 and component package 1.0.1404
Keep me advised on that. Close Malwarebytes when done. This version has added protections.
On this next program download, first take precaution to close other apps that are open (with open windows) so as to reduce chances to lose a place between screens.
Be sure to SAVE the download to a known permanent folder, maybe even a new one just for Adwcleaner.
Watch that the download is fully completed. Then close the web browser.
Download Adwcleaner like in this guide https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner
Close the browser, and only after that, go to the folder. Then start Adwcleaner.
Advise me of the folder-name where you saved the EXE file.

zherot Posted July 29, 2021 Author ID:1471737
I updated my Malwarebytes to the version you mentioned now.
About the folder for AdwCleaner, can this folder be anywhere on the pc or does it have to be in a specific place? I tried on the desktop, closed everything after download and tried to run it on the new folder after I closed the browser and it still didn't run.

Maurice Naggar Posted July 29, 2021 ID:1471755
Please get for me, the full PATH location of where the Adwcleaner is at present, as well as its file-name on disk.
Also, did you write down the exact message that is shown when it fails to start? What do you see?
The file can be saved anywhere as long as it is a regular user folder. You can have it in a special-named folder of your own.
What I was alluding to is the one place we do not want it to be is any "temporary" folder.
Again, what did Windows show as the "error text"?
If you could follow this special procedure, it would help for the long run.
For Adwcleaner we would like for you to turn On its Debug log option. See https://support.malwarebytes.com/hc/en-us/articles/360038520134-Malwarebytes-AdwCleaner-Application-settings
In Adwcleaner, in Settings section, at "Mode", turn ON the generate debug log. Then do a new scan in Adwcleaner.
Edited July 29, 2021 by Maurice Naggar

zherot Posted July 29, 2021 Author ID:1471778
2 hours ago, Maurice Naggar said:
> Please get for me, the full PATH location of where the Adwcleaner is at present, as well as its file-name on disk.
> Also, did you write down the exact message that is shown when it fails to start? What do you see?
> The file can be saved anywhere as long as it is a regular user folder. You can have it in a special-named folder of your own.
> What I was alluding to is the one place we do not want it to be is any "temporary" folder.
> Again, what did Windows show as the "error text"?
> If you could follow this special procedure, it would help for the long run.
> For Adwcleaner we would like for you to turn On its Debug log option. See https://support.malwarebytes.com/hc/en-us/articles/360038520134-Malwarebytes-AdwCleaner-Application-settings
> In Adwcleaner, in Settings section, at "Mode", turn ON the generate debug log. Then do a new scan in Adwcleaner.

The issue is that AdwCleaner doesn't even start at all. I double click on it and a brief MSDOS window appears with no message and nothing happens.
I will upload an image; I will quickly capture the MSDOS window that appears for a second and then it disappears and nothing happens.
My AdwCleaner was sitting on my desktop. I tried moving it to the Adwarecleaner folder on C: but it does the same thing.

Maurice Naggar Posted July 30, 2021 ID:1471884
Hi. Thank you for the info. Alas, since attempting to run Adwcleaner keeps running into an issue or another, I would suggest a one time use of JRT (junkware removal tool).
Download and save JRT from this link at Bleepingcomputer.
Disregard any ads & such. Save the file to either the Downloads folder or the Desktop.
Save first. Then close browser.
Go to where JRT is saved. Run one time JRT.exe
Post back with its log.
Later on, we may try other steps.

zherot Posted July 30, 2021 Author ID:1471919
This is the result. Also after that I tried running AdwCleaner with no effect.
JRT.txt

Maurice Naggar Posted July 30, 2021 ID:1471923
Thank you. That is a good run of JRT. Put it aside. You can actually delete JRT.exe. We don't need it now.
Question about Google Chrome browser: Was it removed in the recent past?
Kindly look in Windows Control Panel >>> Programs and Features. Does it show Chrome browser?
The FRST had shown some references to Chrome. This may perhaps be one factor that gets Adwcleaner off track.
IF this no longer has a Chrome browser in place, then we need to do yet another script fix.

zherot Posted July 30, 2021 Author ID:1471932
Nope, I don't use Google Chrome, but I did uninstall it at some point before making that decision.

Maurice Naggar Posted July 30, 2021 ID:1471954
I would like to run a new script. First please delete the old file named Fixlist.txt on Downloads folder.
The new script Fixlist.txt needs to be saved to the same folder that contains FRSTENGLISH.exe / it is on Downloads.
This one is to do a few specific actions. The main one is to remove leftover traces of Chrome. It will also do a new run of the Windows System File Checker (SFC) and the Windows DISM tool.
Please save the (attached file named) FIXLIST.txt to the DOWNLOADS folder.
Fixlist.txt
The custom script on this post is ONLY for this machine and NO other.
Please be sure to Close any open work files, documents, any apps you started yourself before starting this.
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
The system will be rebooted after the script has run.
Start the Windows Explorer and then, to the Downloads folder.
RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run the tool.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool, click line More info information on that screen and click button Run anyway on next screen.
On the FRST window: Click the Fix button just once, and wait.
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start.
If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.
Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
Keep in mind this is not a single shot cure-all.

zherot Posted July 31, 2021 Author ID:1471993
Here is the log
Fixlog.txt

Maurice Naggar Posted July 31, 2021 ID:1472035
Good morning. Thank you for the report. I hope your weekend is going well.
The run is good. Some last traces of Chrome are removed. The Windows System File Checker (SFC) found no issue.
What follows is more like security housekeeping. First, know that Adobe Flash Player is obsolete & no longer supported by Adobe.
I need for you to uninstall Adobe Flash Player 32 NPAPI
1. Press & hold the Windows key on keyboard & then tap the R key to open the Run box-window.
2. Type appwiz.cpl and tap Enter. The Programs and Features window will appear.
Locate "Adobe Flash Player 32 NPAPI" on the list. Click the line once with your mouse pointer. Now do a RIGHT-click on it and then select Uninstall, and follow thru to have it uninstalled.
When done, close the window for Programs and Features.
NEXT
I would urge getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.
If Windows's SmartScreen blocks that with a message-window, then Click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. Smartscreen is overly sensitive.
Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

zherot Posted July 31, 2021 Author ID:1472084
Here is the log of the security check, thanks.
SecurityCheck.txt