Computer Hope
Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: Hackoo on December 23, 2018, 04:45:02 AM
-
Hi everyone !
I need help from experts to guide me how can i solve my problem on Windows 10 64 bits in recovery mode !
So here is the FRST.txt (https://hastebin.com/ogajumuwam.makefile)
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please do not attach your logs unless absolutely necessary. Copy and paste them in your reply(ies)
First of all, please tell me what is your problem with this computer?
-
Hello ;)
My problem is the computer becomes very slow to respond since logon session i have to wait almost 10 minutes or more to type my password to enter the session logon, i guess a problem with a system files corrupted or a bad driver that make this hard to read from the hard drive !
Here is a fresh Log of FRST.txt and Addition.txt in attachments
-
Please do not attach your logs unless absolutely necessary. Copy and paste them in your reply(ies)
*************************************************************************
Please download AdwareCleaner onto your Desktop. AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/)
Before starting AdwCleaner, close all open programs and internet browsers, then double-click on the AdwCleaner icon.
(http://i424.photobucket.com/albums/pp322/digistar/AdwCleaner-icon.jpg)
If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
When the AdwCleaner program will open, click on the Scan button as shown below.
(http://i424.photobucket.com/albums/pp322/digistar/untitled.png)
AdwCleaner will now start to search for malicious files that may be installed on your computer.
To remove the files that were detected in the previous step, please click on the Clean button.
(http://i424.photobucket.com/albums/pp322/digistar/3.png)
AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.
Please click on the OK button to allow AdwCleaner reboot your computer.A log will be produced. Please copy and paste this log in your next reply.
*********************************************
(http://i424.photobucket.com/albums/pp322/digistar/mbamicontw5.gif) Download and install: Please download Malwarebytes' scanner (http://downloads.malwarebytes.org/file/mbam) to your desktop.
Double Click mbam-setup.exe to install the application.
- It should update automatically if the computer is connected to the internet.
- Click on Threat Scan and click on Scan Now.
- The scan may take some time to finish,so please be patient.
- When the scan is complete make sure all the infections have "quarantine" selected in the Action box.
- Click on "Apply actions" You may be asked to Restart your computer to completely remove the infections.
- When disinfection is completed you can click on "Copy to Clipboard".
- Paste the log in you next reply (CTRL+ V)
*************************************************
Download Security Check by screen317 from the following link and save it to your desktop.
Security Check (http://www.bleepingcomputer.com/download/securitycheck/)
* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
-
Log of Adwcleaner[C00].txt
# -------------------------------
# Malwarebytes AdwCleaner 7.2.5.0
# -------------------------------
# Build: 11-16-2018
# Database: 2018-12-21.2 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 12-23-2018
# Duration: 00:00:12
# OS: Windows 10 Home Single Language
# Cleaned: 50
# Failed: 0
***** [ Services ] *****
Deleted Update service
***** [ Folders ] *****
Deleted C:\ProgramData\IObit\Advanced SystemCare
Deleted C:\Program Files (x86)\IObit\Advanced SystemCare
Deleted C:\Program Files (x86)\Common Files\IObit\Advanced SystemCare
Deleted C:\Users\USER\AppData\LocalLow\IObit\Advanced SystemCare
Deleted C:\Users\USER\AppData\Roaming\IObit\Advanced SystemCare
Deleted C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare
***** [ Files ] *****
Deleted C:\Users\Public\Desktop\Smart Defrag 5.lnk
***** [ DLL ] *****
No malicious DLLs cleaned.
***** [ WMI ] *****
No malicious WMI cleaned.
***** [ Shortcuts ] *****
No malicious shortcuts cleaned.
***** [ Tasks ] *****
Deleted C:\Windows\System32\Tasks\ASC10_SKIPUAC_USER
Deleted C:\Windows\System32\Tasks\ASC10_PerformanceMonitor
***** [ Registry ] *****
Deleted HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{334E026C-318D-4B9E-9483-28CF1042BFE2}
Deleted HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{334E026C-318D-4B9E-9483-28CF1042BFE2}
Deleted HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASC10_SkipUac_USER
Deleted HKLM\Software\Wow6432Node\IObit\RealTimeProtector
Deleted HKLM\Software\Wow6432Node\IObit\Advanced SystemCare
Deleted HKLM\Software\Wow6432Node\IOBIT\ASC
Deleted HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Advanced SystemCare
Deleted HKLM\Software\Wow6432Node\Google\Chrome\NativeMessagingHosts\com.ascplugin.protect
Deleted HKLM\SOFTWARE\CLASSES\LNKFILE\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
Deleted HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
Deleted HKLM\SOFTWARE\CLASSES\DIRECTORY\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
Deleted HKLM\Software\Wow6432Node\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}
Deleted HKLM\Software\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}
Deleted HKLM\Software\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}
Deleted HKLM\Software\Wow6432Node\Classes\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}
Deleted HKLM\Software\Classes\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}
Deleted HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced SystemCare_is1
Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Deleted HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Deleted HKLM\Software\Wow6432Node\Classes\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{B413BA11-0648-4104-BDAC-40B99A713C6A}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{0845833D-0900-4498-9031-9B03847349C2}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{30DF4237-2791-4B60-9B6C-8E4F2A0CAF0F}C:\program files (x86)\popcorn time\chromecast\node.exe
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{88E0F63C-7A43-42FD-8EF0-E80F0E7E6669}C:\program files (x86)\popcorn time\chromecast\node.exe
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{68F2354A-23C7-4621-9070-8569770100BD}C:\program files (x86)\popcorn time\popcorntimedesktop.exe
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{C0229FC6-5763-4367-9FD7-454875545388}C:\program files (x86)\popcorn time\popcorntimedesktop.exe
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{7D986628-9884-4479-88DB-070D53DEC5BA}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{868DF299-6194-4EF2-B3D8-2551895B8A45}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{3B69D403-B1E4-4F2C-9285-24903E0BF9AD}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{5EBDB9D8-7C0F-4597-BB08-407D35B62232}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{1C2AD9DE-C93F-4341-83F8-C8AEF065C31C}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{A30B8EC2-0065-4FB8-8138-3A849444320D}
Deleted HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3ED2A37F-E7E3-4B28-BD0D-2AC527C65FDA}
Deleted HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASC10_PerformanceMonitor
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\st.chatango.com
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\chatango.com
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\st.chatango.com
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\chatango.com
***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries cleaned.
***** [ Chromium URLs ] *****
No malicious Chromium URLs cleaned.
***** [ Firefox (and derivatives) ] *****
Deleted IObit Surfing Protection & Ads Removal
***** [ Firefox URLs ] *****
No malicious Firefox URLs cleaned.
*************************
[+] Delete Tracing Keys
[+] Reset Winsock
*************************
AdwCleaner[S00].txt - [7830 octets] - [23/12/2018 20:27:37]
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########
Log of Malwarebytes
Malwarebytes
www.malwarebytes.com
-Détails du journal-
Date de l'analyse: 24/12/2018
Heure de l'analyse: 02:14
Fichier journal: 9a0aa29e-074b-11e9-a503-3863bbae57b3.json
-Informations du logiciel-
Version: 3.6.1.2711
Version de composants: 1.0.508
Version de pack de mise à jour: 1.0.8461
Licence: Essai
-Informations système-
Système d'exploitation: Windows 10 (Build 16299.611)
Processeur: x64
Système de fichiers: NTFS
Utilisateur: System
-Résumé de l'analyse-
Type d'analyse: Analyse des menaces
Analyse lancée par: Planificateur
Résultat: Terminé
Objets analysés: 369943
Menaces détectées: 1
Menaces mises en quarantaine: 0
Temps écoulé: 44 min, 33 s
-Options d'analyse-
Mémoire: Activé
Démarrage: Activé
Système de fichiers: Activé
Archives: Activé
Rootkits: Désactivé
Heuristique: Activé
PUP: Détection
PUM: Détection
-Détails de l'analyse-
Processus: 0
(Aucun élément malveillant détecté)
Module: 0
(Aucun élément malveillant détecté)
Clé du registre: 0
(Aucun élément malveillant détecté)
Valeur du registre: 0
(Aucun élément malveillant détecté)
Données du registre: 0
(Aucun élément malveillant détecté)
Flux de données: 0
(Aucun élément malveillant détecté)
Dossier: 0
(Aucun élément malveillant détecté)
Fichier: 0
(Aucun élément malveillant détecté)
Secteur physique: 0
(Aucun élément malveillant détecté)
WMI: 0
(Aucun élément malveillant détecté)
(end)Log of SecurityCheck
Results of screen317's Security Check version 1.014 --- 12/23/15
x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Defender
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
VirusTotal Uploader 2.2
Microsoft VisualStudio JavaScript Project System
Microsoft VisualStudio JavaScript Language Service
Java version 32-bit out of Date!
Adobe Flash Player 26.0.0.131
Google Chrome (71.0.3578.98)
Google Chrome (SetupMetrics...)
````````Process Check: objlist.exe by Laurent````````
Windows Defender MSMpEng.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbam.exe
Malwarebytes Anti-Malware mbamtray.exe
Microsoft Windows Defender platform 4.18.1812.3-0\MpCmdRun.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````
-
Update Your Java (JRE)
Old versions of Java have vulnerabilities that malware can use to infect your system.
First Verify your Java Version (http://www.java.com/en/download/installed.jsp)
If there are any other version(s) installed then update now.
Get the new version (if needed)
If your version is out of date install the newest version of the Sun Java Runtime Environment (http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html).
Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.
Be sure to close ALL open web browsers before starting the installation.
Remove any old versions
1. Download JavaRa (http://raproducts.org/click/click.php?id=1) and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.
Additional Note: The Java Quick Starter (JQS.exe) (http://java.sun.com/javase/6/docs/technotes/guides/jweb/otherFeatures/jqs.html) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
*************************************************************
ESET Online Scanner
Note : If you use Internet Explorer to get the ESET Online Scanner, you won't have to download, nor install the tool, as everything will be ran in a contextual (pop-up) window of Internet Explorer. However, for every other browsers, you will have to download and install ESET Online Scanner. In this set of instruction, I'll use Google Chrome to download it and run it (since a lot of people will do it), however, except for the download and installation procedure, the same instructions applies if you use Internet Explorer. Please note that two or three prompts will appear if you use Internet Explorer asking you to reload the page, authorize the application, execute it, etc. Accept all of them in order to run ESET Online Scanner.
Download and execute ESET OnlineScan (http://eset.com/onlinescan) (on this window, click on ESET Smart Installer to trigger the download). People accessing this URL via Internet Explorer will start the integration process of ESET Online Scanner in their browser;
Once the installation is done (it requires Admin Rights), check the following settings (two of them are under Advanced Settings, click on it to display them) :
Enable detection of potentially unwanted applications;
Scan archives;
Scan for potentially unsafe applications;
Optional : If you want to scan more drives, click on Change... and select the drives you want to include in the scan;
(http://i424.photobucket.com/albums/pp322/digistar/Lilp6C2_1.png) (http://s424.photobucket.com/user/digistar/media/Lilp6C2_1.png.html)
After you're done checking these options, click on Start and ESET Online Scanner will download it's virus signature database before starting the scan;
(http://i424.photobucket.com/albums/pp322/digistar/PbI6QoP_1.png) (http://s424.photobucket.com/user/digistar/media/PbI6QoP_1.png.html)
Once done, the scan will start automatically. Detections will appear at the bottom of the window. ESET Online Scanner can have an extremely long scan time that can last between 2 or 3 hours. So if you start the scan, do not interrupt it, let it complete until the end;
(http://i424.photobucket.com/albums/pp322/digistar/iYk249p_1.png) (http://s424.photobucket.com/user/digistar/media/iYk249p_1.png.html)
After the scan is finished, a summary window will appear to give you the information about the scan. Then you'll have to the option to see what threads were found and to manage the threats that were quarantined;
(http://i424.photobucket.com/albums/pp322/digistar/SQWS56I.png) (http://s424.photobucket.com/user/digistar/media/SQWS56I.png.html)
Click on List of found threats, it'll display every threat identified during that scan, their type and what action was taken against them. Click on Copy to clipboard to copy these results on our clipboard and post them in your next reply;
(http://i424.photobucket.com/albums/pp322/digistar/OkgGDKc_1.png) (http://s424.photobucket.com/user/digistar/media/OkgGDKc_1.png.html)
Once you're done, click on the Back button;
Check both checkboxes at the bottom: Uninstall application on close and Delete quarantined files before clicking on the Finish button;
-
Thank you for your help !
The problem was a bad driver !
So i fixed it ;)
-
You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.