ok no problem, thanks again and have a nice day
boot rootkit need help asap, make computer crash [Solved]
#16
Posted 03 April 2024 - 11:21 AM
#17
Posted 04 April 2024 - 09:59 AM
Hello.
I had a discussion about your system detections with our Security Colleague picasso.
In fact, we can't say what those detections by Avast are (bad or harmless). The "EfiGuardDxe.efi" shown on the Avast screen could be used not only by malware but also by some non-malicious software to bypass Windows locks. It could be that you installed it manually (e.g. together with a game patcher or something like that). From what I see in your logs, this is possible. Right?
In case they are bad, you can't target them with normal programs, and reinstalling Windows won't help either. To remove an infection inside the UEFI firmware, flashing / upgrading the BIOS is the solution. But let's leave that for the moment. Now we are going to clean the operating system, and later see what to do with the BIOS.
Let's continue.
1. Chinese app
Do you recognize the following app?
变声器 -> C:\Program Files\WindowsApps\WuhanNetPowerTechnologyCo.50481F0A70C20_2.1.2.0_neutral__63m8b6nby1dvp [2024-01-25] (Wuhan Net Power Technology Co., Ltd)
If not, please uninstall it.
- Go to Settings (press the Windows logo key on the keyboard, together with the letter i) > Apps > Apps & Features.
- Choose the above app and click the Uninstall button.
- Restart the computer.
2. OneDrive/Onzdrive
I found it strange that OneDrive is shown as Onzdrive in your system.
See:
Startup: C:\Users\pc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Onzdrive.lnk [2023-07-20]
ShortcutTarget: Onzdrive.lnk -> C:\Program Files\Microsoft OneDrive\OneDrive.exe (Microsoft Corporation -> Microsoft Corporation)
Is this something you typed incorrectly? Let me know, please.
3. FRST fix
Please do the following to run a FRST fix.
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
- Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Start::
CreateRestorePoint:
CloseProcesses:
AV: Sophos Home (Enabled - Up to date) {595C718E-12D9-5B04-E421-F4FBD7CB88E8}
AlternateDataStreams: C:\mount:$WIMMOUNTDATA [562]
AlternateDataStreams: C:\MSOCache:err [1620]
AlternateDataStreams: C:\ProgramData\DP45977C.lfl:677104FCAA [5146]
AlternateDataStreams: C:\ProgramData\lir.bats:286F7FC5C6 [5146]
AlternateDataStreams: C:\ProgramData\lock.dat:B839BDBBBE [5146]
AlternateDataStreams: C:\ProgramData\mntemp:8EAD8B3507 [5146]
AlternateDataStreams: C:\ProgramData\rc.dat:64746D5524 [5146]
AlternateDataStreams: C:\ProgramData\sldh.dat:136096DD5B [5146]
AlternateDataStreams: C:\ProgramData\sldh.dat:F3D162C601 [5146]
AlternateDataStreams: C:\ProgramData\ts.dat:447AB85D72 [5146]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini:B1DA6C571C [5146]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Assistant Mise à jour de Windows 10.lnk:628A25EA7E [5146]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BakkesMod.lnk:14E057C8D9 [5146]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epic Games Launcher.lnk:BE32D07BC5 [5146]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immersive Control Panel.lnk:DC8F23BC3A [5146]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Health Check.lnk:F20EF51E1F [5146]
AlternateDataStreams: C:\Users\pc\Application Data:00e481b5e22dbe1f649fcddd505d3eb7 [394]
AlternateDataStreams: C:\Users\pc\AppData\Roaming:00e481b5e22dbe1f649fcddd505d3eb7 [394]
AlternateDataStreams: C:\Users\Public\AppData:CSM [119]
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [1101]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\19777135.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\19777135.sys => ""="Driver"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\StartupApproved\StartupFolder: => "Onzdrive.lnk"
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\StartupApproved\StartupFolder: => "[bleep].lnk"
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\StartupApproved\Run: => "ut"
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\StartupApproved\Run: => "Lively"
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\StartupApproved\Run: => "shdocvw"
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\StartupApproved\Run: => "DriverFix"
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\StartupApproved\Run: => "utweb"
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\StartupApproved\Run: => "WallpaperAlive"
FirewallRules: [TCP Query User{06030275-A4C7-4119-8DB3-0ED53FE2C01F}C:\users\pc\appdata\local\nvidia corporation\geforcenow\cef\geforcenow.exe] => (Allow) C:\users\pc\appdata\local\nvidia corporation\geforcenow\cef\geforcenow.exe => No File
FirewallRules: [UDP Query User{B80845F8-BD1A-4502-B940-D67E53E58A0C}C:\users\pc\appdata\local\nvidia corporation\geforcenow\cef\geforcenow.exe] => (Allow) C:\users\pc\appdata\local\nvidia corporation\geforcenow\cef\geforcenow.exe => No File
FirewallRules: [TCP Query User{154987E3-6A2F-41E4-BAA6-0588E74E32C7}C:\users\pc\appdata\local\programs\bettercrewlink\better-crewlink.exe] => (Allow) C:\users\pc\appdata\local\programs\bettercrewlink\better-crewlink.exe => No File
FirewallRules: [UDP Query User{4BA258FC-6053-4C69-9FF9-AF996C9D73B2}C:\users\pc\appdata\local\programs\bettercrewlink\better-crewlink.exe] => (Allow) C:\users\pc\appdata\local\programs\bettercrewlink\better-crewlink.exe => No File
FirewallRules: [TCP Query User{20CA9CE4-90B4-490E-94CE-C6FF7EBF830F}C:\program files (x86)\call of duty\_retail_\cod.exe] => (Allow) C:\program files (x86)\call of duty\_retail_\cod.exe => No File
FirewallRules: [UDP Query User{B8BE7AF2-9DAD-4145-8738-6D0D1B4D45C6}C:\program files (x86)\call of duty\_retail_\cod.exe] => (Allow) C:\program files (x86)\call of duty\_retail_\cod.exe => No File
FirewallRules: [TCP Query User{2367DBA8-3DDB-41BF-914B-3A759749B114}C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe] => (Allow) C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe => No File
FirewallRules: [UDP Query User{443B6968-3D75-4719-93E1-9578FAF556EA}C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe] => (Allow) C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe => No File
FirewallRules: [TCP Query User{90B9F0EB-7893-4E12-9527-2E716CE81476}C:\riot games\riot client\riotclientservices.exe] => (Allow) C:\riot games\riot client\riotclientservices.exe => No File
FirewallRules: [UDP Query User{22FC2055-2AFC-4F71-AC78-64D9A687FD12}C:\riot games\riot client\riotclientservices.exe] => (Allow) C:\riot games\riot client\riotclientservices.exe => No File
FirewallRules: [TCP Query User{95A59BE0-0DBA-40DC-9EC3-8D6771D4DF0C}C:\program files (x86)\steam\steamapps\common\unitedheist\cooppuzzle\binaries\win64\cooppuzzle-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\unitedheist\cooppuzzle\binaries\win64\cooppuzzle-win64-shipping.exe => No File
FirewallRules: [UDP Query User{9B74ABAF-4365-4AB0-B57E-AB3BE3372C7F}C:\program files (x86)\steam\steamapps\common\unitedheist\cooppuzzle\binaries\win64\cooppuzzle-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\unitedheist\cooppuzzle\binaries\win64\cooppuzzle-win64-shipping.exe => No File
FirewallRules: [TCP Query User{85ABB665-4744-4972-897C-F930C30F2EA2}C:\program files (x86)\steam\steamapps\common\hideandshriek\hideandshriek\binaries\win64\hideandshriek-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\hideandshriek\hideandshriek\binaries\win64\hideandshriek-win64-shipping.exe => No File
FirewallRules: [UDP Query User{C34A68FF-FC51-4352-9F88-4DBF4AF0D0D0}C:\program files (x86)\steam\steamapps\common\hideandshriek\hideandshriek\binaries\win64\hideandshriek-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\hideandshriek\hideandshriek\binaries\win64\hideandshriek-win64-shipping.exe => No File
FirewallRules: [TCP Query User{F6265EE8-D64B-4731-86AE-C8C0EEB6452F}C:\program files\epic games\pubgbhx8r\tslgame\binaries\win64\tslgame.exe] => (Allow) C:\program files\epic games\pubgbhx8r\tslgame\binaries\win64\tslgame.exe => No File
FirewallRules: [UDP Query User{39273DCE-CB3F-4FA5-9B2C-AC6506750A13}C:\program files\epic games\pubgbhx8r\tslgame\binaries\win64\tslgame.exe] => (Allow) C:\program files\epic games\pubgbhx8r\tslgame\binaries\win64\tslgame.exe => No File
FirewallRules: [TCP Query User{1A87902C-66C3-410B-BB42-FAA1DFA109F5}C:\program files (x86)\call of duty modern warfare\modernwarfare.exe] => (Allow) C:\program files (x86)\call of duty modern warfare\modernwarfare.exe => No File
FirewallRules: [UDP Query User{A8224A5F-ABF3-4848-AA42-0A3D15B401E7}C:\program files (x86)\call of duty modern warfare\modernwarfare.exe] => (Allow) C:\program files (x86)\call of duty modern warfare\modernwarfare.exe => No File
FirewallRules: [{CB7BCF8C-5AD1-4017-9C5A-DE68F7A3ABF7}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.98.3407.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{F5F6D3CA-0EDE-4369-B10A-5AA1025E45C1}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.98.3407.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{5A755563-213E-43FC-B216-24429B62825C}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.98.3407.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{BB68CA23-A179-468B-B450-CA877DCCEDD7}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.98.3407.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [TCP Query User{1D350F18-2D7F-4A46-80BF-6D3CFE16AD47}C:\program files\epic games\paladins\binaries\win64\paladins.exe] => (Allow) C:\program files\epic games\paladins\binaries\win64\paladins.exe => No File
FirewallRules: [UDP Query User{024AF97E-4E3C-41EB-9667-DCF532089213}C:\program files\epic games\paladins\binaries\win64\paladins.exe] => (Allow) C:\program files\epic games\paladins\binaries\win64\paladins.exe => No File
FirewallRules: [TCP Query User{19741046-5B94-494A-97B1-B3ED81DA995E}C:\program files (x86)\blu-games\blu-games launcher\blu-games launcher.exe] => (Allow) C:\program files (x86)\blu-games\blu-games launcher\blu-games launcher.exe => No File
FirewallRules: [UDP Query User{9CC6F0CC-6382-4067-97A8-B281B61891E4}C:\program files (x86)\blu-games\blu-games launcher\blu-games launcher.exe] => (Allow) C:\program files (x86)\blu-games\blu-games launcher\blu-games launcher.exe => No File
FirewallRules: [TCP Query User{901476FC-9F67-48E3-90B5-E98D911CF0EF}C:\blugames\dayz\game\dayz_x64.exe] => (Allow) C:\blugames\dayz\game\dayz_x64.exe => No File
FirewallRules: [UDP Query User{E81E1963-A81D-4A74-AC79-9800BB4C87B9}C:\blugames\dayz\game\dayz_x64.exe] => (Allow) C:\blugames\dayz\game\dayz_x64.exe => No File
FirewallRules: [{687DAA24-1DF4-4876-BB80-D97F06E05E45}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wallpaper Alive\wallpaper_service\WallpaperAlive.exe => No File
FirewallRules: [{DD45B61A-90EA-4842-AC7E-6D7FA4C27261}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wallpaper Alive\wallpaper_service\WallpaperAlive.exe => No File
FirewallRules: [{CDD32B4B-7E9F-449A-BC19-75D958DB4194}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wallpaper Alive\config_service\WallpaperAliveMenu.exe => No File
FirewallRules: [{A3A0B7EB-0BFE-4B08-B9A4-68EADE88F883}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wallpaper Alive\config_service\WallpaperAliveMenu.exe => No File
FirewallRules: [{40623537-F869-49BA-83F2-DCAC34CD0637}] => (Allow) C:\Users\pc\AppData\Local\Programs\Opera\101.0.4843.43\opera.exe => No File
FirewallRules: [{169A877C-6A32-4C20-9AA4-8F6731A86BA5}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe => No File
FirewallRules: [{A56FC238-37FB-4CFF-8581-2C84438C2271}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe => No File
FirewallRules: [{E0A79FB1-1BF6-4EB2-B334-90F4D36712A0}] => (Allow) C:\Program Files\Epic Games\Steep\steep.exe => No File
FirewallRules: [TCP Query User{6D3FEB84-21B1-4845-BEE3-77A81318BD38}C:\program files\java\jdk-17\bin\javaw.exe] => (Allow) C:\program files\java\jdk-17\bin\javaw.exe => No File
FirewallRules: [UDP Query User{64BACB36-F16F-4275-A2F5-53729BF57F42}C:\program files\java\jdk-17\bin\javaw.exe] => (Allow) C:\program files\java\jdk-17\bin\javaw.exe => No File
FirewallRules: [{DCDC2AAF-0F95-4647-AF93-4F0A9B3236E3}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.106.3212.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{81EE8920-BBD2-41D1-8A42-01C72A8D279C}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.106.3212.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{EC7C6C41-ACD2-417C-8EF1-3ED70DFC0E36}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.106.3212.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{64DD0CC4-96BC-4696-9E6C-DB2C50ABE1A8}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.106.3212.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [TCP Query User{43933096-E979-4270-A19C-AF58FC26B6B1}C:\users\pc\desktop\portal\portal.2.build.11097438\portal.2.build.11097438\portal2.exe] => (Allow) C:\users\pc\desktop\portal\portal.2.build.11097438\portal.2.build.11097438\portal2.exe => No File
FirewallRules: [UDP Query User{C2005B2F-1D76-4E2D-8AB6-7527E4067619}C:\users\pc\desktop\portal\portal.2.build.11097438\portal.2.build.11097438\portal2.exe] => (Allow) C:\users\pc\desktop\portal\portal.2.build.11097438\portal.2.build.11097438\portal2.exe => No File
FirewallRules: [TCP Query User{F2E94714-8D7E-4137-9594-E7BA79F118D9}C:\program files (x86)\steam\steamapps\common\vrchat\vrchat.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\vrchat\vrchat.exe => No File
FirewallRules: [UDP Query User{9941FE6B-921F-4A8D-9ED5-F9991EDA7DD0}C:\program files (x86)\steam\steamapps\common\vrchat\vrchat.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\vrchat\vrchat.exe => No File
FirewallRules: [TCP Query User{CF75796E-931B-47CF-BDEB-4A9E2F3E15AD}C:\program files (x86)\steam\steamapps\common\poppy playtime - multiplayer\playtime_multiplayer\binaries\win64\playtime_multiplayer-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\poppy playtime - multiplayer\playtime_multiplayer\binaries\win64\playtime_multiplayer-win64-shipping.exe => No File
FirewallRules: [UDP Query User{A78ABD4B-34A0-4249-81ED-E50F61A4CF47}C:\program files (x86)\steam\steamapps\common\poppy playtime - multiplayer\playtime_multiplayer\binaries\win64\playtime_multiplayer-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\poppy playtime - multiplayer\playtime_multiplayer\binaries\win64\playtime_multiplayer-win64-shipping.exe => No File
FirewallRules: [{19B1585E-8323-4896-AC96-6F370B4269BB}] => (Allow) C:\Program Files\MiniTool ShadowMaker\AgentService.exe => No File
FirewallRules: [{5FC23F83-809D-490E-9E92-8A3F7986DE45}] => (Allow) C:\Program Files\MiniTool ShadowMaker\AgentService.exe => No File
FirewallRules: [TCP Query User{43C45E26-8447-4FFF-B79C-44E5E0D7701C}C:\program files\epic games\thehuntercallofthewild\thehuntercotw_f.exe] => (Allow) C:\program files\epic games\thehuntercallofthewild\thehuntercotw_f.exe => No File
FirewallRules: [UDP Query User{FF7B387C-D99B-4977-98A9-E8D8BAD44123}C:\program files\epic games\thehuntercallofthewild\thehuntercotw_f.exe] => (Allow) C:\program files\epic games\thehuntercallofthewild\thehuntercotw_f.exe => No File
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\Run: [] => [X]
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\Run: [DriverFix] => C:\Program Files (x86)\DriverFix\DriverFix.exe [23516144 2023-05-16] (KAPE TECHNOLOGIES (CYPRUS) LIMITED -> DriverFix)
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\Run: [WallpaperAlive] => "C:\Program Files (x86)\Steam\steamapps\common\Wallpaper Alive\wallpaper_service\WallpaperAlive.exe" (No File)
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\Run: [utweb] => "C:\Users\pc\AppData\Roaming\uTorrent Web\utweb.exe" /MINIMIZED (No File)
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\MountPoints2: {7d949cec-b15f-11ea-a1fc-a8a159210e20} - "D:\AutoRun.exe"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk [2020-11-06]
ShortcutTarget: $McRebootA5E6DEAA56$.lnk -> (No File)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Préchargeur.lnk [2020-10-10]
ShortcutTarget: WinZip Préchargeur.lnk -> C:\Program Files\WinZip\WzPreloader.exe (No File)
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
Task: {5A9F0264-7616-4F40-87C4-ECF124484053} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2523344994-3823910579-3822066088-1015Core{286B73C5-88C4-48AA-B72D-C3D838E5FEA2} => C:\Users\marti_m1c3rms\AppData\Local\Google\Update\GoogleUpdate.exe /c (No File)
Task: {E400B8F3-CC55-4521-9014-A81040EAC662} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2523344994-3823910579-3822066088-1015UA{862391AA-128F-4667-AEF6-3E45721CBF15} => C:\Users\marti_m1c3rms\AppData\Local\Google\Update\GoogleUpdate.exe /ua /installsource scheduler (No File)
Task: {53067DD0-2B92-456D-99EF-516A4C54C8BE} - System32\Tasks\MSIAfterburner => C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe /s (No File)
Edge Notifications: Default -> hxxps://astneutchine.com
FF Extension: (New tab with poshukach.com search) - C:\Users\pc\AppData\Roaming\Mozilla\Firefox\Profiles\xjdvpwas.default\Extensions\{5737b515-9d7d-44ca-bbe3-e2e15bec0d4f}.xpi [2022-08-28]
FF Notifications: Mozilla\Firefox\Profiles\xtdrh5oe.default-release -> hxxps://mail-notification.info; hxxps://zarabotok-online.xyz; hxxps://supertopfreegames.com; hxxps://best-loan-info.com; hxxps://ccleaner-download.xyz; hxxps://pinghauz.xyz; hxxps://s-tracking.xyz; hxxps://mnthor.xyz
FF Extension: (New tab with poshukach.com search) - C:\Users\pc\AppData\Roaming\Mozilla\Firefox\Profiles\xtdrh5oe.default-release\Extensions\{5737b515-9d7d-44ca-bbe3-e2e15bec0d4f}.xpi [2022-08-28]
S3 MBAMService; "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" [X]
2024-04-01 16:15 - 2024-04-01 16:15 - 000055248 ____N (AVG Technologies) C:\WINDOWS\system32\Drivers\rm.sys
2024-04-01 16:12 - 2024-04-01 16:12 - 001322464 _____ (AVG Technologies CZ) C:\Users\pc\Downloads\avg_remover_bootkit.exe
2024-03-29 21:35 - 2024-03-29 21:35 - 000000000 ____D C:\Users\pc\AppData\Local\Sophos
2024-03-29 21:32 - 2024-03-29 21:32 - 000000000 ____D C:\WINDOWS\CryptoGuard
2024-03-29 21:29 - 2024-04-03 16:08 - 000000000 ____D C:\ProgramData\Sophos
2024-03-29 21:28 - 2024-03-29 21:28 - 003770440 _____ (Sophos Limited) C:\Users\pc\Downloads\SophosInstall.exe
2024-04-03 18:35 - 2022-02-02 20:51 - 000000000 ____D C:\Users\pc\AppData\Roaming\uTorrent
C:\Program Files (x86)\DriverFix
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
Hosts:
CMD: Net user
net user "wgautilacc" /Delete
EmptyTemp:
End::
- Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
- Press the Fix button once and wait.
- FRST will process fixlist.txt
- When finished, it will produce a log fixlog.txt on your Desktop.
- Post the log in your next reply.
In your next reply please post:
- Your thoughts about the comment I made about the detections by Avast
- A reply about the Chinese app and what you did
- A reply about the Onzdrive
- The fixlog.txt
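The post above says that an "EfiGuardDxe.efi" hit cannot be judged from the Avast screen alone and that an infection living in firmware is out of reach of OS-level tools. What a practitioner can do from Windows is look at the EFI System Partition (ESP), where a third-party DXE driver or loader has to live to be picked up at boot, and check whether Secure Boot would have allowed an unsigned loader to run at all. The script below is an added example written for this page, not something posted by the thread participants or shipped with FRST or Avast. It assumes an elevated PowerShell session on a UEFI machine and that drive letter S: is free (change $Letter if not); the list of "expected" directories is the standard Windows layout and is an assumption about this particular machine.

```powershell
# Added example (not from the thread). Mount the ESP, list every .efi binary with
# its signer, signature status and SHA-256, and show the firmware boot entries.
# Read-only apart from the temporary drive-letter assignment. Run elevated.

$Letter = 'S:'                                   # assumption: S: is unused

# mountvol /S assigns a letter to the EFI System Partition on UEFI systems.
mountvol $Letter /S
if ($LASTEXITCODE -ne 0) {
    throw "Could not mount the ESP. Is this a UEFI system and is the shell elevated?"
}

try {
    # An unsigned third-party loader (the usual way a DXE driver such as
    # EfiGuardDxe.efi gets loaded) cannot start with Secure Boot enforced, so
    # 'False' here is consistent with the detection; 'True' makes it unlikely to run.
    try   { $sb = Confirm-SecureBootUEFI } catch { $sb = 'unsupported / not UEFI' }
    "Secure Boot enabled: $sb"

    # Standard locations of the Windows boot manager and the fallback loader.
    # Anything elsewhere, or an unexpected name here, deserves a hash lookup.
    $expected = @('\EFI\Microsoft\Boot\', '\EFI\Boot\')

    Get-ChildItem -Path "$Letter\" -Recurse -Filter *.efi -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rel = $_.FullName.Substring($Letter.Length)
            $inExpected = $false
            foreach ($p in $expected) { if ($rel -like "$p*") { $inExpected = $true } }

            # .efi files are PE images, so Authenticode verification applies to them.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path       = $rel
                SizeKB     = [math]::Round($_.Length / 1KB, 1)
                Modified   = $_.LastWriteTime
                SigStatus  = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Suspicious = (-not $inExpected) -or ($_.Name -match 'EfiGuard') -or ($sig.Status -ne 'Valid')
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Sort-Object Suspicious -Descending | Format-Table -AutoSize

    # Firmware boot entries: a custom loader either adds its own entry here or
    # replaces the path of the default {bootmgr} entry. This view is read-only.
    bcdedit /enum firmware
}
finally {
    mountvol $Letter /D                          # always release the drive letter
}
```

A row with Suspicious = True is not a verdict, only a candidate: compare its SHA-256 against a vendor or multi-engine lookup and check whether the file date matches something the user installed on purpose, which is exactly the question the helper asks. If the file is gone from the ESP, the boot entries are clean and Secure Boot is on, yet the same detection keeps returning, the remaining place it can come from is the firmware image itself, which is the "second part" the thread defers to a BIOS reflash.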
#18
Posted 04 April 2024 - 11:50 AM
Hello again!
thank you again for your time and your answer.
- Firstly, me installing something bad in the past is really possible because I cracked and modded a lot of games, and something could have been infected.
- About that Chinese app, I uninstalled it as I didn't know what it was.
- Onzdrive was apparently just a grammar issue, as it leads to the correct folder, so I just changed the letter.
- Here is the fixlog.txt
Waiting for an answer.
Attached Files
#19
Posted 04 April 2024 - 12:05 PM
There was a syntax error in the fixlist.
Please repeat the process for a FRST fix, but this time select the following:
start::
CMD: net user wgautilacc /Delete
end::
Please post the fixlog.txt in your next reply.
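The fixlist in the earlier post and the corrected one-liner here target a handful of persistence points: a local account, a driver whitelisted for Safe Mode, Defender policy restrictions and a Startup-folder shortcut whose name does not match its target. Rather than trusting the fixlog alone, it is worth re-checking those points afterwards. The script below is an added example written for this page, not part of the thread or of FRST. The account name, driver name and SID are copied from the fixlist above; the name-mismatch test on shortcuts is a heuristic of mine and will also flag harmless cases (a launcher whose .lnk name is unrelated to its executable), so treat its output as a list to review, not a verdict.

```powershell
# Added example (not from the thread): report-only check of the persistence points
# the FRST fix removed. Run in an elevated PowerShell after the fix and reboot.

$rogueUser   = 'wgautilacc'                                      # from the fixlist
$rogueDriver = '19777135.sys'                                    # from the fixlist

# 1. Local account. The first fix attempt failed on a syntax error, so confirm it is gone.
$u = Get-LocalUser -Name $rogueUser -ErrorAction SilentlyContinue
"Local user '$rogueUser' still present: $([bool]$u)"

# 2. Safe-mode driver allow-lists. Malware registers itself here so that it is
#    still loaded when the machine is booted into Safe Mode for cleaning.
foreach ($mode in 'Minimal', 'Network') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$rogueDriver"
    "SafeBoot\$mode entry for $rogueDriver still present: $(Test-Path $k)"
}

# 3. Defender policy restrictions (FRST prints these as 'Restriction <==== ATTENTION').
#    DisableAntiSpyware / DisableAntiVirus = 1 turn Defender off by policy; an
#    empty value means nothing is set, which is what a clean machine shows.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows Defender',
               'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender') {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    "{0}: DisableAntiSpyware=[{1}] DisableAntiVirus=[{2}]" -f $k, $p.DisableAntiSpyware, $p.DisableAntiVirus
}

# 4. Startup-folder shortcuts. Resolve each .lnk and flag a missing target or a name
#    that does not contain the target's base name (the 'Onzdrive.lnk -> OneDrive.exe'
#    pattern the helper asked about). Heuristic: expect some benign hits.
$shell   = New-Object -ComObject WScript.Shell
$startup = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
             "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    $base   = if ($target) { [IO.Path]::GetFileNameWithoutExtension($target) } else { '' }
    [pscustomobject]@{
        Shortcut      = $_.Name
        Target        = $target
        TargetMissing = ($target -eq '') -or (-not (Test-Path -LiteralPath $target))
        NameMismatch  = ($base -ne '') -and ($_.BaseName -notlike "*$base*")
    }
} | Format-Table -AutoSize

# 5. Antivirus state. Defender's own view plus what Security Center registers for
#    third-party products; useful when a helper asks whether the AV is enabled again.
Get-MpComputerStatus -ErrorAction SilentlyContinue |
    Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, productState
```

On a machine where the fix worked, steps 1 to 3 all print False or empty values, step 4 shows only shortcuts you recognise, and step 5 lists exactly the product you intend to keep. A SafeBoot entry that comes back after a reboot points at something re-creating it, which is the kind of finding that moves a case from the "clean the OS" stage to the firmware stage the thread mentions.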
#20
Posted 04 April 2024 - 12:18 PM
Hello, I don't know if it worked but here it is
Attached Files
#21
Posted 04 April 2024 - 12:23 PM
If Google translation for French is correct, then yes, the command completed successfully.
Last task for tonight. Besides, it will take some hours to get completed.
ESET Online Scan
Download ESET Online Scanner and save it to your desktop.
- Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
- When the tool opens, click Get Started.
- Read and accept the license agreement.
- At the Welcome to ESET Online Scanner window, click Get Started.
- Select whether you would like to send anonymous data to ESET.
- Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
- Click on the Full Scan option.
- Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
- ESET will now begin scanning your computer. This may take some time.
- When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
- ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
- On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
- Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.
#22
Posted 05 April 2024 - 02:02 AM
Hello, here it is:
#23
Posted 05 April 2024 - 07:58 AM
Hi, bambidbl.
It's time to check fresh FRST logs.
Run the tool as you did before and attach for me fresh Addition and FRST logs to check.
#24
Posted 05 April 2024 - 08:35 AM
#25
Posted 05 April 2024 - 09:53 AM
here they are.
Attached Files
#26
Posted 05 April 2024 - 12:40 PM
Hello.
The logs seem to be clean, however, I'll repeat what I said at the beginning:
Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.
Have you run Eset Online Scanner again? If you ran it, please post the latest results in your next reply.
There are also some other changes in the logs.
Moving on.
1. Antivirus
It seems that now both Avast and Defender are disabled. Since you decided to go with Avast, please check that it runs fine. Let me know if you successfully enabled it again.
2. DriverFix
We do not recommend registry cleaners, system optimizers, driver boosters and the like. It is your computer and certainly your choice. However, please consider with registry cleaners and system optimization software programs, the potential is ever present to cause more problems than they claim to fix. My recommendation is to uninstall DriverFix 4.2021.8.30 now.
(Note that I removed some DriverFix instances in the fix before, since I missed it in the Installed Programs list. However, if you need it, I can get them back for you.)
In your next reply please post:
- If you were able to enable Avast
- What did you do with DriverFix
- The eset.txt if you re-ran Eset Online Scanner
#27
Posted 05 April 2024 - 12:45 PM
Hello, I may have uninstalled some wallpaper programs which came from the Microsoft Store; I don't remember if I did anything else. About ESET, I haven't run it again after what you asked me, but there was a conflict with Avast so I disabled my AV during the scan. It is working fine. I'll put the eset.txt again if you want it. Waiting for your answer.
Attached Files
#28
Posted 05 April 2024 - 12:50 PM
Hello, I may have uninstalled some wallpaper programs which came from the Microsoft Store; I don't remember if I did anything else. About ESET, I haven't run it again after what you asked me, but there was a conflict with Avast so I disabled my AV during the scan. It is working fine. I'll put the eset.txt again if you want it. Waiting for your answer.
Thanks for your explanation. No, no need to run it again.
So Avast works fine now.
What about DriverFix?
#29
Posted 05 April 2024 - 12:51 PM
Hello, I uninstalled it, sorry I forgot to mention it, my bad.
#30
Posted 05 April 2024 - 01:02 PM
Hello, I uninstalled it, sorry I forgot to mention it, my bad.
No worries.
Now the Windows system is clean. Can you check whether you still get the detections from Avast? If yes, it will be necessary to move to the second part of the process here.