[vinay9099]

Hi All,

 

Please help me to solve this issue. got irritated with this file.

C:\ProgramData\Xnqfxq keeps coming back. An extension is adding to all browsers with the name wCleanVideo.

 

What to do? How to remove this virus. Please anyone help me to solve it.

 

I have scanned with FRST and got a log file. It is attached here to this topic please check it and solve my issue.  Addition_06-04-2021 14.20.05.txt   91.07KB   227 downloads

[Advertisements]

Hi, vinay9099.

 

FRST tool produced 2 logs when it ran the scan. FRST.txt and Addition.txt. We need you to attach both. You only attached Addition.txt.

 

Also: Could you please move FRST tool on your Desktop? Now it's in your Downolads folder. Just drag it and move it on the Desktop.

[DR M]

Hi, vinay9099.

 

FRST tool produced 2 logs when it ran the scan. FRST.txt and Addition.txt. We need you to attach both. You only attached Addition.txt.

 

Also: Could you please move FRST tool on your Desktop? Now it's in your Downolads folder. Just drag it and move it on the Desktop.

[DR M]

Do you still need assistance?

[DR M]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

[DR M]

The thread opened at User's request.
 
======================
 
Hi, vinay9099.

 

Although you ran FRST before, please download the latest version and run it once again for fresh logs.


Download Farbar Recovery Scan Tool and save it to your desktop. --> IMPORTANT

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your antivirus software detects the tool as malicious, it’s safe to allow FRST to run. It is a false-positive detection.

If English is not your primary language, right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe

• Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
• Press Scan button and wait for a while.
• The scanner will produced two logs on your Desktop: FRST.txt and Addition.txt.
• Please attach the content of these two logs in your next reply.

[vinay9099]

HI,

 

Please check the attachments below. I got these files after scanning.

 

 

Attached Files

•  FRST.txt   134.11KB   165 downloads
•  Addition.txt   90.41KB   169 downloads

[DR M]

Thank you. Give me some time to review your logs.

Meanwhile, please, adhere to the guidelines below:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

4. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

5. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.

[vinay9099]

Okay. Some time means, you will reply today only tomorrow?

[DR M]

Some time means about an hour. 

[DR M]

Hi.
 
These are my first comments/instructions regarding your logs:
 
1. Windows Insider?
 
Are you a Windows Insider? This is what is shown in your logs:
 
Windows 10 Home Single Language Version Dev 21370.1 
 
 
2. RAM
 
It seems that the RAM in use is 86%. This means that the computer can't function properly. We will see how it's going and discuss this at the end of the procedure.
 
 
3. Hard disk limited space
 
It seems that C, the drive with the operating system installed, has only 11 GB free. The computer can't run properly with such a limited space and you will have a problem with installing updates very soon. 
 
 
4. Pirated programs
 
Please, uninstall any pirated/cracked/not legally activated programs. Having such programs is the best and easiest way to install malware in your computer. 
 
 
5. Uninstall an app
 
Press Start button, find the following app, right click on it and select Uninstall:
 
McAfee® Personal Security
 
 
6. Uninstall an Edge extension
 
Open Edge, press the 3 horizontal dots at the upper right corner and select Extensions. Find the following one, and remove it:
 
McAfee® WebAdvisor
 
 
7. FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

• Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.

Start::
CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-2768028787-2044878470-836221256-1001_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32 -> C:\Users\91709\AppData\Local\Kingsoft\WPS Office\11.2.0.9327\office6\kwpsmenushellext64.dll => No File
CustomCLSID: HKU\S-1-5-21-2768028787-2044878470-836221256-1001_Classes\CLSID\{46406D82-6EC0-47CC-8A75-1F33C6DEDBBE}\InprocServer32 -> C:\Users\91709\AppData\Local\Google\Update\1.3.35.442\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2768028787-2044878470-836221256-1001_Classes\CLSID\{540C17A8-04F2-4B66-95D7-B2FEF9A19B54}\InprocServer32 -> C:\Users\91709\AppData\Local\Google\Update\1.3.35.422\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2768028787-2044878470-836221256-1001_Classes\CLSID\{e8c77137-e224-5791-b6e9-ff0305797a13}\InprocServer32 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll => No File
ContextMenuHandlers1_S-1-5-21-2768028787-2044878470-836221256-1001: [          kwpsshellext] -> {28A80003-18FD-411D-B0A3-3C81F618E22B} => C:\Users\91709\AppData\Local\Kingsoft\WPS Office\11.2.0.9327\office6\kwpsmenushellext64.dll -> No File
ContextMenuHandlers4_S-1-5-21-2768028787-2044878470-836221256-1001: [          kwpsshellext] -> {28A80003-18FD-411D-B0A3-3C81F618E22B} => C:\Users\91709\AppData\Local\Kingsoft\WPS Office\11.2.0.9327\office6\kwpsmenushellext64.dll -> No File
SearchScopes: HKU\S-1-5-21-2768028787-2044878470-836221256-1001 -> DefaultScope {90037DE7-7B1B-44CD-964C-1B7D550DD7E0} URL = 
SearchScopes: HKU\S-1-5-21-2768028787-2044878470-836221256-1001 -> {90037DE7-7B1B-44CD-964C-1B7D550DD7E0} URL = 
FirewallRules: [UDP Query User{4C02F474-76C9-455B-883B-CC7C6823D754}D:\vinaycelluloid\adobe after effects 2020\support files\afterfx.exe] => (Allow) D:\vinaycelluloid\adobe after effects 2020\support files\afterfx.exe => No File
FirewallRules: [TCP Query User{B3F3443F-F068-460E-939D-3BD90C14A859}D:\vinaycelluloid\adobe after effects 2020\support files\afterfx.exe] => (Allow) D:\vinaycelluloid\adobe after effects 2020\support files\afterfx.exe => No File
FirewallRules: [{1704D8E8-A361-4216-A923-288D3D05CAD0}] => (Allow) D:\GTA\GTA V\7launcher\tools\aria2\aria2c.exe => No File
FirewallRules: [{A11E34F2-52BB-4CE9-B5C7-273D227436B7}] => (Allow) D:\GTA\GTA V\7launcher\tools\aria2\aria2c.exe => No File
FirewallRules: [{5BD48D88-4CE2-4E99-B83E-0BB4A82362E2}] => (Allow) D:\GTA\GTA V\Run_GTAV.exe => No File
FirewallRules: [{83CB345C-1423-423C-BE8F-586AC35C8F58}] => (Allow) D:\GTA\GTA V\Run_GTAV.exe => No File
FirewallRules: [{586BD10B-6EC7-447E-873F-1F57CF83D230}] => (Allow) D:\GTA\GTA V\GTA5.exe => No File
FirewallRules: [{0780DF22-F952-4278-A10E-43F94F61C21C}] => (Allow) D:\GTA\GTA V\GTA5.exe => No File
FirewallRules: [TCP Query User{8BA95E40-CCAC-4BD5-B160-BD6BA2CEA2A6}D:\vinaycelluloid\adobe after effects 2021\support files\afterfx.exe] => (Allow) D:\vinaycelluloid\adobe after effects 2021\support files\afterfx.exe => No File
FirewallRules: [UDP Query User{BCC16BE9-F6CE-4B89-B822-DC30036A0E86}D:\vinaycelluloid\adobe after effects 2021\support files\afterfx.exe] => (Allow) D:\vinaycelluloid\adobe after effects 2021\support files\afterfx.exe => No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk [2021-05-08]
ShortcutTarget: $McRebootA5E6DEAA56$.lnk ->  (No File)
Task: {B3C9C90C-EE12-4B8C-9A3F-4429C344FBC1} - System32\Tasks\Microsoft\Office\Osktpapi => rundll32 C:\ProgramData\MenuGoogle\ZWka0t_Wjeamip.dll,Sfstem_Workflow_Runessp
C:\ProgramData\MenuGoogle
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
R2 McAfee WebAdvisor; C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe [971976 2021-04-30] (McAfee, LLC -> McAfee, LLC)
S3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe [646248 2021-03-19] (McAfee, Inc. -> McAfee, LLC)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe [646248 2021-03-19] (McAfee, Inc. -> McAfee, LLC)
S3 mfevtp; C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe [646248 2021-03-19] (McAfee, Inc. -> McAfee, LLC)
R3 mfeaack; C:\WINDOWS\System32\drivers\mfeaack.sys [531896 2021-03-19] (McAfee, Inc. -> McAfee, LLC)
R3 mfeavfk; C:\WINDOWS\System32\drivers\mfeavfk.sys [385464 2021-03-19] (McAfee, Inc. -> McAfee, LLC)
R0 mfedisk; C:\WINDOWS\System32\DRIVERS\mfedisk.sys [107448 2021-03-19] (McAfee, Inc. -> McAfee, LLC)
S0 mfeelamk; C:\WINDOWS\System32\drivers\mfeelamk.sys [85944 2021-03-19] (Microsoft Windows Early Launch Anti-malware Publisher -> McAfee, LLC)
R3 mfefirek; C:\WINDOWS\System32\drivers\mfefirek.sys [522168 2021-03-19] (McAfee, Inc. -> McAfee, LLC)
R3 mfehck; C:\WINDOWS\System32\drivers\mfehck.sys [91576 2021-03-19] (McAfee, Inc. -> McAfee, LLC)
R0 mfehidk; C:\WINDOWS\System32\drivers\mfehidk.sys [1019832 2021-03-19] (McAfee, Inc. -> McAfee, LLC)
R1 mfenlfk; C:\WINDOWS\system32\DRIVERS\mfenlfk.sys [82360 2021-03-19] (McAfee, Inc. -> McAfee, LLC)
R3 mfeplk; C:\WINDOWS\System32\drivers\mfeplk.sys [116664 2021-03-19] (McAfee, Inc. -> McAfee, LLC)
R0 mfewfpk; C:\WINDOWS\System32\drivers\mfewfpk.sys [252344 2021-03-19] (McAfee, Inc. -> McAfee, LLC)
S4 DBUtilDrv2; \SystemRoot\System32\drivers\DBUtilDrv2.sys [X]
S3 MpKsldeb9ed07; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{404DBFAF-60E2-471F-8CA2-6D9BABB33351}\MpKslDrv.sys [X]
C:\ProgramData\Xnqfxq
C:\Program Files\McAfee\
C:\Program Files\Common Files\McAfee
C:\WINDOWS\System32\drivers\mfeaack.sys 
C:\WINDOWS\System32\drivers\mfeavfk.sys
C:\WINDOWS\System32\DRIVERS\mfedisk.sys 
C:\WINDOWS\System32\drivers\mfeelamk.sys 
C:\WINDOWS\System32\drivers\mfefirek.sys 
C:\WINDOWS\System32\drivers\mfehck.sys 
C:\WINDOWS\System32\drivers\mfehidk.sys 
C:\WINDOWS\system32\DRIVERS\mfenlfk.sys 
C:\WINDOWS\System32\drivers\mfeplk.sys 
C:\WINDOWS\System32\drivers\mfewfpk.sys
Winsock: Catalog5 07 C:\WINDOWS\SysWOW64\nlansp_c.dll [83456 2021-04-25] (Microsoft Windows -> Microsoft Corporation) ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 07 C:\Windows\system32\nlansp_c.dll [126976 2021-04-25] (Microsoft Windows -> Microsoft Corporation) ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
cmd: netsh winsock reset
RemoveProxy:
EmptyTemp:
End::

• Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
• Press the Fix button once and wait.
• FRST will process fixlist.txt
• When finished, it will produce a log fixlog.txt on your Desktop.
• Please post the log in your next reply.

 

In your next reply please post:

• Your reply to point 1
• Which programs did you uninstall
• If you had any problems uninstalling the app and the extension
• The fixlog.txt

[DR M]

Please refresh your page before running the fix.

 

There was an error regarding the code inside the script and I fixed it.

[vinay9099]

(Point 1 Answer) Yes, I use Windows Insider.

 

5. McAfee® Personal Security   - Uninstalled this.
 
6. McAfee® WebAdvisor  -  Uninstalled.

 

One thing This virus file is also creating an extension on both Microsoft Edge and Google Chrome.

Attached Files

•  Fixlog.txt   1.97KB   161 downloads

[vinay9099]

Before I running this Farbar Recovery Scan Tool . I uninstalled GTA V cracked version.

[DR M]

Can you please run the fix again?

 

The output you attached seems weird.

[vinay9099]

How much space I need in C: Drive?

Attached Files

•  Fixlog.txt   17.82KB   167 downloads