
File with hkl extension in temp folder



Still no luck unfortunately. To put the code there I'm copying and pasting it, and then hitting the enter key. Also, the folders I gave the programs access to were

 %userprofile%\AppData\LocalLow\Temp to powershell and 

%localappdata%\Microsoft\Windows\Caches to conhost.

Mattia


Hello, so, thanks to time zones, I'll unfortunately be unable to reply for the moment to you because it's very late here, so we'll probably talk tomorrow. Thank you for assisting me, if powershell runs tomorrow or you ask something while I'm asleep I'll make sure to get the files that you need. 

Thanks again,

Mattia


Hello, good morning. So, PowerShell too is not reporting anything, from what you said. When I turned on the PC this morning nothing happened, PowerShell did not run and all the programs went smoothly. So, what is our next move? Also, if I got it right, there is absolutely no chance that my PC has a virus, right? Because my brain is stupid and gives me paranoia when things like this happen.

Thank you,

Mattia


Hello, I'm sorry to say that, for the next few days, I'll be unable to reply to this topic. From this evening I'll be on holiday and I won't have wifi, or the PC with me. So if I don't reply, please don't close the topic; I'll be back and I'll make sure to answer as soon as I can. Thank you for your understanding.

Thanks again,

Mattia


  • Root Admin

Hello @Matfra

The computer shows no signs of an infection. Glad to hear that PowerShell did not run.

Have a good time off. Once you're back we can look at it further. If nothing returns we should be done, if PowerShell keeps kicking off we can enable auditing to help us track down what is calling it.

Cheers


Hello, I came back yesterday and booted up the PC to no signs of PowerShell, but this morning, when I booted up the machine, PowerShell did in fact run and was blocked again by the protected folder option. I'm going to attach here the FRST logs that I did today after PowerShell ran, as you requested. Also, I'm going to run Malwarebytes and ESET again to see if they find something.

Thank you,

Mattia

Addition.txt FRST.txt


  • Root Admin

Thank you for the logs @Matfra

Please go to Control Panel, Programs, Programs and Features and uninstall the following software.

 

  • Acer Collection
  • App Explorer
  • Mozilla Firefox 52.0.1 (if you want to keep Firefox then please update it)
  • Norton Security Scan
  • Dashlane Upgrade Service

 

After you have uninstalled the above software please restart the computer and then run the following fix.


Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


Hello, good morning. So, I did as you said, deleted the apps and ran the fix. Everything went smoothly and I'm attaching the log it created. I opened it to see if something was wrong, but it seems to me that nothing was found. Also, for some reason the log is mostly in Italian, so if you need help with a translation, just let me know. So, did you find what was causing PowerShell to run from yesterday's log? Also, if I don't disturb you, I would like to ask you more questions in PM to help me calm down, so let me know if you can do that.

Thank you again,

Mattia

Fixlog.txt


  • Root Admin

The log looks good. It was not specifically targeted at the PowerShell issue. I believe one of the apps I asked you to uninstall from the Control Panel was probably the cause. Please review over the next couple of days and let me know if the PowerShell issue remains.

Yes, you can send me a Private Message if you like.

Cheers


  • Root Admin

Hello @Matfra

Wow, a week later may prove a bit more difficult to track down as we can't grab continuous logging information. We'll probably need to enable auditing.

Please run and update the Farbar FRST program. Then run FRST and click on Scan and make sure you have a check mark on the Addition.txt check box.

Then post back both new logs and I will review again and we'll see about enabling auditing.

Thanks


  • Root Admin

No, I don't believe it is malware as no other signs of negative or nasty changes appear to be made.

Let me have you run the following for me though to double-check again.

 

Auditing on the PC allows for more specific tracking of what is running what. I'll send you some instructions a bit later today.

 

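The auditing the Root Admin refers to above is Windows process-creation auditing (Security log, Event ID 4688), which records the parent process of every new process. The following is an added example, not code posted in this thread, showing how a defender turns it on and then lists what launched powershell.exe; the function name and the one-day lookback window are assumptions, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example: enable process-creation auditing and find the parent of
# each powershell.exe launch. Run as Administrator.

# 1. Log successful process creation (Security log, Event ID 4688).
auditpol /set /subcategory:"Process Creation" /success:enable

# 2. Include the full command line in each 4688 event.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' `
    -Value 1 -Type DWord

# 3. After the next boot on which PowerShell fires, pull the matching events.
#    Function name and default window are assumptions, not from the thread.
function Get-PowerShellLaunches {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } |
        ForEach-Object {
            # Flatten the EventData fields into a name/value table.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            if ($data['NewProcessName'] -match '\\powershell\.exe$') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = $data['SubjectUserName']
                    Parent      = $data['ParentProcessName']   # what started PowerShell
                    CommandLine = $data['CommandLine']         # what it was asked to run
                }
            }
        }
}

Get-PowerShellLaunches | Format-List
```

The Parent field (for example a scheduled-task host, an updater service, or explorer.exe) is what points at the software responsible, which is the question this thread is trying to answer.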

Hello, thank you for the answer. I ran the scan and it found a malware, but when I saw the name of the program and where it was located I noticed it's just the autorun program you made me download, so I unchecked it and didn't remove it. I'm attaching a photo of the scan and the files it generated. Let me know if I have to do something; I'll wait for your next message.

Thank you again,

Mattia

Screenshot (682).png

mbar-log-2021-08-31 (23-18-57).txt system-log.txt


  • Root Admin

Please download the batch file from the following site to enable Group Policy Editor on Windows 10 Home version.

How to Enable gpedit.msc In Windows 10 Home Edition
https://www.itechtics.com/enable-gpedit-windows-10-home/

image.png

 

Do not download or run anything else from that site. Just download and run the batch file. Then restart the computer.

 


PS: the file I downloaded is called "gpedit-enabler.bat" and the link I clicked to download it was

. Is it right or did I mess up?

Mattia

 

Edit: I didn't manage to make the link not usable, so I hid it under a spoiler. The link is functional, so beware if it was not right.

Edited by Matfra