
boot rootkit need help asap, make computer crash [Solved]

bootkit issue

  • This topic is locked

#16
bambidbl

    Member

  • Topic Starter
  • Member
  • 126 posts

OK, no problem, thanks again and have a nice day.


  • 0


#17
DR M

    The Grecian Geek

  • Malware Removal
  • 4,258 posts

Hello.
 
I had a discussion about your system detections with our Security Colleague picasso. 
 
In fact, we can't say what those detections by Avast are (bad or harmless). The "EfiGuardDxe.efi" shown on the Avast screen could be used not only by malware but also by some non-malicious software to bypass Windows locks. It could be that you installed it manually (e.g. together with a game patcher or something like that). From what I see in your logs, this is something possible. Right?
 
In case they are bad, you can't target that with normal programs, and reinstalling Windows won't help either. To remove an infection inside the UEFI firmware, flashing/upgrading the BIOS is the solution. But let's leave that for the moment. Now, we are going to clean the operating system, and later see what to do with the BIOS.
 

 

Let's continue.

 
1. Chinese app
 
Do you recognize the following app?
 
变声器 -> C:\Program Files\WindowsApps\WuhanNetPowerTechnologyCo.50481F0A70C20_2.1.2.0_neutral__63m8b6nby1dvp [2024-01-25] (Wuhan Net Power Technology Co., Ltd)
 
If not, please uninstall it. 

  • Go to Settings (press the Windows logo key on the keyboard, together with the letter i) > Apps > Apps & Features.
  • Choose the above app and click the Uninstall button.
  • Restart the computer.

 
2. OneDrive/Onzdrive
 
I found it strange that OneDrive is shown as Onzdrive on your system.
 

See:

Startup: C:\Users\pc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Onzdrive.lnk [2023-07-20]
ShortcutTarget: Onzdrive.lnk -> C:\Program Files\Microsoft OneDrive\OneDrive.exe (Microsoft Corporation -> Microsoft Corporation)
 
Is this something you incorrectly typed? Let me know, please. 
 
 
3. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Start::
CreateRestorePoint:
CloseProcesses:
AV: Sophos Home (Enabled - Up to date) {595C718E-12D9-5B04-E421-F4FBD7CB88E8}
AlternateDataStreams: C:\mount:$WIMMOUNTDATA [562]
AlternateDataStreams: C:\MSOCache:err [1620]
AlternateDataStreams: C:\ProgramData\DP45977C.lfl:677104FCAA [5146]
AlternateDataStreams: C:\ProgramData\lir.bats:286F7FC5C6 [5146]
AlternateDataStreams: C:\ProgramData\lock.dat:B839BDBBBE [5146]
AlternateDataStreams: C:\ProgramData\mntemp:8EAD8B3507 [5146]
AlternateDataStreams: C:\ProgramData\rc.dat:64746D5524 [5146]
AlternateDataStreams: C:\ProgramData\sldh.dat:136096DD5B [5146]
AlternateDataStreams: C:\ProgramData\sldh.dat:F3D162C601 [5146]
AlternateDataStreams: C:\ProgramData\ts.dat:447AB85D72 [5146]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini:B1DA6C571C [5146]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Assistant Mise à jour de Windows 10.lnk:628A25EA7E [5146]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BakkesMod.lnk:14E057C8D9 [5146]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epic Games Launcher.lnk:BE32D07BC5 [5146]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immersive Control Panel.lnk:DC8F23BC3A [5146]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Health Check.lnk:F20EF51E1F [5146]
AlternateDataStreams: C:\Users\pc\Application Data:00e481b5e22dbe1f649fcddd505d3eb7 [394]
AlternateDataStreams: C:\Users\pc\AppData\Roaming:00e481b5e22dbe1f649fcddd505d3eb7 [394]
AlternateDataStreams: C:\Users\Public\AppData:CSM [119]
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [1101]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\19777135.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\19777135.sys => ""="Driver"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\StartupApproved\StartupFolder: => "Onzdrive.lnk"
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\StartupApproved\StartupFolder: => "[bleep].lnk"
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\StartupApproved\Run: => "ut"
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\StartupApproved\Run: => "Lively"
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\StartupApproved\Run: => "shdocvw"
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\StartupApproved\Run: => "DriverFix"
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\StartupApproved\Run: => "utweb"
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\StartupApproved\Run: => "WallpaperAlive"
FirewallRules: [TCP Query User{06030275-A4C7-4119-8DB3-0ED53FE2C01F}C:\users\pc\appdata\local\nvidia corporation\geforcenow\cef\geforcenow.exe] => (Allow) C:\users\pc\appdata\local\nvidia corporation\geforcenow\cef\geforcenow.exe => No File
FirewallRules: [UDP Query User{B80845F8-BD1A-4502-B940-D67E53E58A0C}C:\users\pc\appdata\local\nvidia corporation\geforcenow\cef\geforcenow.exe] => (Allow) C:\users\pc\appdata\local\nvidia corporation\geforcenow\cef\geforcenow.exe => No File
FirewallRules: [TCP Query User{154987E3-6A2F-41E4-BAA6-0588E74E32C7}C:\users\pc\appdata\local\programs\bettercrewlink\better-crewlink.exe] => (Allow) C:\users\pc\appdata\local\programs\bettercrewlink\better-crewlink.exe => No File
FirewallRules: [UDP Query User{4BA258FC-6053-4C69-9FF9-AF996C9D73B2}C:\users\pc\appdata\local\programs\bettercrewlink\better-crewlink.exe] => (Allow) C:\users\pc\appdata\local\programs\bettercrewlink\better-crewlink.exe => No File
FirewallRules: [TCP Query User{20CA9CE4-90B4-490E-94CE-C6FF7EBF830F}C:\program files (x86)\call of duty\_retail_\cod.exe] => (Allow) C:\program files (x86)\call of duty\_retail_\cod.exe => No File
FirewallRules: [UDP Query User{B8BE7AF2-9DAD-4145-8738-6D0D1B4D45C6}C:\program files (x86)\call of duty\_retail_\cod.exe] => (Allow) C:\program files (x86)\call of duty\_retail_\cod.exe => No File
FirewallRules: [TCP Query User{2367DBA8-3DDB-41BF-914B-3A759749B114}C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe] => (Allow) C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe => No File
FirewallRules: [UDP Query User{443B6968-3D75-4719-93E1-9578FAF556EA}C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe] => (Allow) C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe => No File
FirewallRules: [TCP Query User{90B9F0EB-7893-4E12-9527-2E716CE81476}C:\riot games\riot client\riotclientservices.exe] => (Allow) C:\riot games\riot client\riotclientservices.exe => No File
FirewallRules: [UDP Query User{22FC2055-2AFC-4F71-AC78-64D9A687FD12}C:\riot games\riot client\riotclientservices.exe] => (Allow) C:\riot games\riot client\riotclientservices.exe => No File
FirewallRules: [TCP Query User{95A59BE0-0DBA-40DC-9EC3-8D6771D4DF0C}C:\program files (x86)\steam\steamapps\common\unitedheist\cooppuzzle\binaries\win64\cooppuzzle-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\unitedheist\cooppuzzle\binaries\win64\cooppuzzle-win64-shipping.exe => No File
FirewallRules: [UDP Query User{9B74ABAF-4365-4AB0-B57E-AB3BE3372C7F}C:\program files (x86)\steam\steamapps\common\unitedheist\cooppuzzle\binaries\win64\cooppuzzle-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\unitedheist\cooppuzzle\binaries\win64\cooppuzzle-win64-shipping.exe => No File
FirewallRules: [TCP Query User{85ABB665-4744-4972-897C-F930C30F2EA2}C:\program files (x86)\steam\steamapps\common\hideandshriek\hideandshriek\binaries\win64\hideandshriek-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\hideandshriek\hideandshriek\binaries\win64\hideandshriek-win64-shipping.exe => No File
FirewallRules: [UDP Query User{C34A68FF-FC51-4352-9F88-4DBF4AF0D0D0}C:\program files (x86)\steam\steamapps\common\hideandshriek\hideandshriek\binaries\win64\hideandshriek-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\hideandshriek\hideandshriek\binaries\win64\hideandshriek-win64-shipping.exe => No File
FirewallRules: [TCP Query User{F6265EE8-D64B-4731-86AE-C8C0EEB6452F}C:\program files\epic games\pubgbhx8r\tslgame\binaries\win64\tslgame.exe] => (Allow) C:\program files\epic games\pubgbhx8r\tslgame\binaries\win64\tslgame.exe => No File
FirewallRules: [UDP Query User{39273DCE-CB3F-4FA5-9B2C-AC6506750A13}C:\program files\epic games\pubgbhx8r\tslgame\binaries\win64\tslgame.exe] => (Allow) C:\program files\epic games\pubgbhx8r\tslgame\binaries\win64\tslgame.exe => No File
FirewallRules: [TCP Query User{1A87902C-66C3-410B-BB42-FAA1DFA109F5}C:\program files (x86)\call of duty modern warfare\modernwarfare.exe] => (Allow) C:\program files (x86)\call of duty modern warfare\modernwarfare.exe => No File
FirewallRules: [UDP Query User{A8224A5F-ABF3-4848-AA42-0A3D15B401E7}C:\program files (x86)\call of duty modern warfare\modernwarfare.exe] => (Allow) C:\program files (x86)\call of duty modern warfare\modernwarfare.exe => No File
FirewallRules: [{CB7BCF8C-5AD1-4017-9C5A-DE68F7A3ABF7}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.98.3407.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{F5F6D3CA-0EDE-4369-B10A-5AA1025E45C1}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.98.3407.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{5A755563-213E-43FC-B216-24429B62825C}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.98.3407.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{BB68CA23-A179-468B-B450-CA877DCCEDD7}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.98.3407.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [TCP Query User{1D350F18-2D7F-4A46-80BF-6D3CFE16AD47}C:\program files\epic games\paladins\binaries\win64\paladins.exe] => (Allow) C:\program files\epic games\paladins\binaries\win64\paladins.exe => No File
FirewallRules: [UDP Query User{024AF97E-4E3C-41EB-9667-DCF532089213}C:\program files\epic games\paladins\binaries\win64\paladins.exe] => (Allow) C:\program files\epic games\paladins\binaries\win64\paladins.exe => No File
FirewallRules: [TCP Query User{19741046-5B94-494A-97B1-B3ED81DA995E}C:\program files (x86)\blu-games\blu-games launcher\blu-games launcher.exe] => (Allow) C:\program files (x86)\blu-games\blu-games launcher\blu-games launcher.exe => No File
FirewallRules: [UDP Query User{9CC6F0CC-6382-4067-97A8-B281B61891E4}C:\program files (x86)\blu-games\blu-games launcher\blu-games launcher.exe] => (Allow) C:\program files (x86)\blu-games\blu-games launcher\blu-games launcher.exe => No File
FirewallRules: [TCP Query User{901476FC-9F67-48E3-90B5-E98D911CF0EF}C:\blugames\dayz\game\dayz_x64.exe] => (Allow) C:\blugames\dayz\game\dayz_x64.exe => No File
FirewallRules: [UDP Query User{E81E1963-A81D-4A74-AC79-9800BB4C87B9}C:\blugames\dayz\game\dayz_x64.exe] => (Allow) C:\blugames\dayz\game\dayz_x64.exe => No File
FirewallRules: [{687DAA24-1DF4-4876-BB80-D97F06E05E45}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wallpaper Alive\wallpaper_service\WallpaperAlive.exe => No File
FirewallRules: [{DD45B61A-90EA-4842-AC7E-6D7FA4C27261}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wallpaper Alive\wallpaper_service\WallpaperAlive.exe => No File
FirewallRules: [{CDD32B4B-7E9F-449A-BC19-75D958DB4194}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wallpaper Alive\config_service\WallpaperAliveMenu.exe => No File
FirewallRules: [{A3A0B7EB-0BFE-4B08-B9A4-68EADE88F883}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Wallpaper Alive\config_service\WallpaperAliveMenu.exe => No File
FirewallRules: [{40623537-F869-49BA-83F2-DCAC34CD0637}] => (Allow) C:\Users\pc\AppData\Local\Programs\Opera\101.0.4843.43\opera.exe => No File
FirewallRules: [{169A877C-6A32-4C20-9AA4-8F6731A86BA5}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe => No File
FirewallRules: [{A56FC238-37FB-4CFF-8581-2C84438C2271}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe => No File
FirewallRules: [{E0A79FB1-1BF6-4EB2-B334-90F4D36712A0}] => (Allow) C:\Program Files\Epic Games\Steep\steep.exe => No File
FirewallRules: [TCP Query User{6D3FEB84-21B1-4845-BEE3-77A81318BD38}C:\program files\java\jdk-17\bin\javaw.exe] => (Allow) C:\program files\java\jdk-17\bin\javaw.exe => No File
FirewallRules: [UDP Query User{64BACB36-F16F-4275-A2F5-53729BF57F42}C:\program files\java\jdk-17\bin\javaw.exe] => (Allow) C:\program files\java\jdk-17\bin\javaw.exe => No File
FirewallRules: [{DCDC2AAF-0F95-4647-AF93-4F0A9B3236E3}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.106.3212.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{81EE8920-BBD2-41D1-8A42-01C72A8D279C}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.106.3212.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{EC7C6C41-ACD2-417C-8EF1-3ED70DFC0E36}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.106.3212.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{64DD0CC4-96BC-4696-9E6C-DB2C50ABE1A8}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.106.3212.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [TCP Query User{43933096-E979-4270-A19C-AF58FC26B6B1}C:\users\pc\desktop\portal\portal.2.build.11097438\portal.2.build.11097438\portal2.exe] => (Allow) C:\users\pc\desktop\portal\portal.2.build.11097438\portal.2.build.11097438\portal2.exe => No File
FirewallRules: [UDP Query User{C2005B2F-1D76-4E2D-8AB6-7527E4067619}C:\users\pc\desktop\portal\portal.2.build.11097438\portal.2.build.11097438\portal2.exe] => (Allow) C:\users\pc\desktop\portal\portal.2.build.11097438\portal.2.build.11097438\portal2.exe => No File
FirewallRules: [TCP Query User{F2E94714-8D7E-4137-9594-E7BA79F118D9}C:\program files (x86)\steam\steamapps\common\vrchat\vrchat.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\vrchat\vrchat.exe => No File
FirewallRules: [UDP Query User{9941FE6B-921F-4A8D-9ED5-F9991EDA7DD0}C:\program files (x86)\steam\steamapps\common\vrchat\vrchat.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\vrchat\vrchat.exe => No File
FirewallRules: [TCP Query User{CF75796E-931B-47CF-BDEB-4A9E2F3E15AD}C:\program files (x86)\steam\steamapps\common\poppy playtime - multiplayer\playtime_multiplayer\binaries\win64\playtime_multiplayer-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\poppy playtime - multiplayer\playtime_multiplayer\binaries\win64\playtime_multiplayer-win64-shipping.exe => No File
FirewallRules: [UDP Query User{A78ABD4B-34A0-4249-81ED-E50F61A4CF47}C:\program files (x86)\steam\steamapps\common\poppy playtime - multiplayer\playtime_multiplayer\binaries\win64\playtime_multiplayer-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\poppy playtime - multiplayer\playtime_multiplayer\binaries\win64\playtime_multiplayer-win64-shipping.exe => No File
FirewallRules: [{19B1585E-8323-4896-AC96-6F370B4269BB}] => (Allow) C:\Program Files\MiniTool ShadowMaker\AgentService.exe => No File
FirewallRules: [{5FC23F83-809D-490E-9E92-8A3F7986DE45}] => (Allow) C:\Program Files\MiniTool ShadowMaker\AgentService.exe => No File
FirewallRules: [TCP Query User{43C45E26-8447-4FFF-B79C-44E5E0D7701C}C:\program files\epic games\thehuntercallofthewild\thehuntercotw_f.exe] => (Allow) C:\program files\epic games\thehuntercallofthewild\thehuntercotw_f.exe => No File
FirewallRules: [UDP Query User{FF7B387C-D99B-4977-98A9-E8D8BAD44123}C:\program files\epic games\thehuntercallofthewild\thehuntercotw_f.exe] => (Allow) C:\program files\epic games\thehuntercallofthewild\thehuntercotw_f.exe => No File
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\Run: [] => [X]
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\Run: [DriverFix] => C:\Program Files (x86)\DriverFix\DriverFix.exe [23516144 2023-05-16] (KAPE TECHNOLOGIES (CYPRUS) LIMITED -> DriverFix)
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\Run: [WallpaperAlive] => "C:\Program Files (x86)\Steam\steamapps\common\Wallpaper Alive\wallpaper_service\WallpaperAlive.exe" (No File)
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\Run: [utweb] => "C:\Users\pc\AppData\Roaming\uTorrent Web\utweb.exe" /MINIMIZED (No File)
HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\MountPoints2: {7d949cec-b15f-11ea-a1fc-a8a159210e20} - "D:\AutoRun.exe" 
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk [2020-11-06]
ShortcutTarget: $McRebootA5E6DEAA56$.lnk ->  (No File)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Préchargeur.lnk [2020-10-10]
ShortcutTarget: WinZip Préchargeur.lnk -> C:\Program Files\WinZip\WzPreloader.exe (No File)
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
Task: {5A9F0264-7616-4F40-87C4-ECF124484053} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2523344994-3823910579-3822066088-1015Core{286B73C5-88C4-48AA-B72D-C3D838E5FEA2} => C:\Users\marti_m1c3rms\AppData\Local\Google\Update\GoogleUpdate.exe  /c (No File)
Task: {E400B8F3-CC55-4521-9014-A81040EAC662} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2523344994-3823910579-3822066088-1015UA{862391AA-128F-4667-AEF6-3E45721CBF15} => C:\Users\marti_m1c3rms\AppData\Local\Google\Update\GoogleUpdate.exe  /ua /installsource scheduler (No File)
Task: {53067DD0-2B92-456D-99EF-516A4C54C8BE} - System32\Tasks\MSIAfterburner => C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe  /s (No File)
Edge Notifications: Default -> hxxps://astneutchine.com
FF Extension: (New tab with poshukach.com search) - C:\Users\pc\AppData\Roaming\Mozilla\Firefox\Profiles\xjdvpwas.default\Extensions\{5737b515-9d7d-44ca-bbe3-e2e15bec0d4f}.xpi [2022-08-28]
FF Notifications: Mozilla\Firefox\Profiles\xtdrh5oe.default-release -> hxxps://mail-notification.info; hxxps://zarabotok-online.xyz; hxxps://supertopfreegames.com; hxxps://best-loan-info.com; hxxps://ccleaner-download.xyz; hxxps://pinghauz.xyz; hxxps://s-tracking.xyz; hxxps://mnthor.xyz
FF Extension: (New tab with poshukach.com search) - C:\Users\pc\AppData\Roaming\Mozilla\Firefox\Profiles\xtdrh5oe.default-release\Extensions\{5737b515-9d7d-44ca-bbe3-e2e15bec0d4f}.xpi [2022-08-28]
S3 MBAMService; "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" [X]
2024-04-01 16:15 - 2024-04-01 16:15 - 000055248 ____N (AVG Technologies) C:\WINDOWS\system32\Drivers\rm.sys
2024-04-01 16:12 - 2024-04-01 16:12 - 001322464 _____ (AVG Technologies CZ) C:\Users\pc\Downloads\avg_remover_bootkit.exe
2024-03-29 21:35 - 2024-03-29 21:35 - 000000000 ____D C:\Users\pc\AppData\Local\Sophos
2024-03-29 21:32 - 2024-03-29 21:32 - 000000000 ____D C:\WINDOWS\CryptoGuard
2024-03-29 21:29 - 2024-04-03 16:08 - 000000000 ____D C:\ProgramData\Sophos
2024-03-29 21:28 - 2024-03-29 21:28 - 003770440 _____ (Sophos Limited) C:\Users\pc\Downloads\SophosInstall.exe
2024-04-03 18:35 - 2022-02-02 20:51 - 000000000 ____D C:\Users\pc\AppData\Roaming\uTorrent
C:\Program Files (x86)\DriverFix
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
Hosts:
CMD: Net user net user "wgautilacc" /Delete
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.

 

 

In your next reply please post:

  1. Your thoughts about the comment I made about the detections by Avast
  2. A reply about the Chinese app and what you did
  3. A reply about the Onzdrive
  4. The fixlog.txt

  • 0
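The fixlist above is a curated subset of lines from the user's FRST logs, and each line type was picked for a reason: firewall allow rules and Run values whose binaries are gone, several alternate data streams of exactly the same size with random hex names, policy keys that keep Defender switched off, a numeric-named driver registered to load in Safe Mode, and the "Onzdrive" startup shortcut that item 2 asks about. The triage parser below is an added example, not code from this thread or from the FRST tool. It reads FRST-style lines, classifies them and states the reason a helper would look twice. The sample lines are copied from the fixlist above; the category names and the thresholds (three or more streams of one size, an edit distance of at most two between a shortcut name and its target) are this example's own choices.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class Finding:
    kind: str    # short category label (this example's own vocabulary)
    detail: str  # the element that matched
    reason: str  # why a malware-removal helper would look twice

# One regex per FRST entry type that appears in the fixlist above.
ADS_RE = re.compile(r'^AlternateDataStreams:\s+(?P<file>.+):(?P<stream>[^:\\\[]+)\s+\[(?P<size>\d+)\]$')
HEXNAME_RE = re.compile(r'^[0-9A-Fa-f]{8,}$')  # random-looking stream names
FW_RE = re.compile(r'^FirewallRules:\s+\[[^\]]+\]\s+=>\s+\((?P<action>\w+)\)\s+(?P<path>.+?)(?P<missing>\s+=> No File)?$')
RESTRICT_RE = re.compile(r'^(?P<where>.+?):\s+(?:\[(?P<value>[^\]]+)\]\s+)?Restriction <==== ATTENTION$')
RUN_RE = re.compile(r'^HK(?:LM|U)\S*?\\\.\.\.\\Run:\s+\[(?P<name>[^\]]*)\]\s+=>\s+(?P<target>.*)$')
STARTUP_RE = re.compile(r'^Startup:\s+.+\\(?P<lnk>[^\\]+\.lnk)\s+\[[\d-]+\]$')
TARGET_RE = re.compile(r'^ShortcutTarget:\s+(?P<lnk>.+?\.lnk)\s+->\s*(?P<target>.*)$')
SAFEBOOT_RE = re.compile(r'^HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(?P<mode>Minimal|Network)\\(?P<drv>\S+)\s+=>')

def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot shortcut names that are a near-miss of their target's name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(lines):
    """Classify FRST-style lines and return the ones worth a second look."""
    findings = []
    ads_by_size = defaultdict(list)  # stream size -> files carrying a hex-named stream of that size
    startup_lnks, lnk_targets = [], {}
    for raw in lines:
        line = raw.strip()
        if m := ADS_RE.match(line):
            if HEXNAME_RE.match(m['stream']):
                ads_by_size[int(m['size'])].append(m['file'])
        elif m := FW_RE.match(line):
            if m['missing']:
                findings.append(Finding('firewall-orphan', m['path'], 'allow rule for a binary that no longer exists'))
        elif m := RESTRICT_RE.match(line):
            findings.append(Finding('policy-restriction', m['value'] or m['where'], 'policy locks a security setting; malware uses this to keep Defender off'))
        elif m := RUN_RE.match(line):
            if m['target'] == '[X]' or '(No File)' in m['target']:
                findings.append(Finding('autorun-orphan', m['name'] or '<unnamed>', 'Run value with an empty or missing target'))
        elif m := STARTUP_RE.match(line):
            startup_lnks.append(m['lnk'])
        elif m := TARGET_RE.match(line):
            lnk_targets[m['lnk']] = m['target']
        elif m := SAFEBOOT_RE.match(line):
            findings.append(Finding('safeboot-driver', f"{m['mode']}\\{m['drv']}", 'driver loads even in Safe Mode; an unknown numeric name needs a look'))
    # Same-size streams with random hex names across unrelated files point to one stashed payload.
    for size, files in ads_by_size.items():
        if len(files) >= 3:  # threshold is this example's choice
            findings.append(Finding('ads-cluster', f'{len(files)} streams x {size} bytes', 'identical-size hex-named ADS on unrelated files'))
    # Pair each Startup .lnk with its ShortcutTarget line, the way FRST prints them.
    for lnk in startup_lnks:
        target = lnk_targets.get(lnk)
        if target is None:
            continue
        if '(No File)' in target:
            findings.append(Finding('startup-orphan', lnk, 'startup shortcut whose target is gone'))
            continue
        exe = re.search(r'([^\\\s]+)\.exe', target, re.IGNORECASE)
        if exe and 0 < levenshtein(lnk[:-4].lower(), exe[1].lower()) <= 2:
            findings.append(Finding('startup-name-mismatch', f'{lnk} -> {exe[0]}', 'shortcut name is a near-miss of its target; confirm a typo rather than a look-alike'))
    return findings

def summary(findings):
    """Count findings per category."""
    return dict(Counter(f.kind for f in findings))

# Sample input: lines copied from the fixlist in the post above.
SAMPLE_LINES = [
    r'AlternateDataStreams: C:\mount:$WIMMOUNTDATA [562]',
    r'AlternateDataStreams: C:\ProgramData\DP45977C.lfl:677104FCAA [5146]',
    r'AlternateDataStreams: C:\ProgramData\lir.bats:286F7FC5C6 [5146]',
    r'AlternateDataStreams: C:\ProgramData\lock.dat:B839BDBBBE [5146]',
    r'AlternateDataStreams: C:\ProgramData\ts.dat:447AB85D72 [5146]',
    r'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\19777135.sys => ""="Driver"',
    r'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\19777135.sys => ""="Driver"',
    r'FirewallRules: [TCP Query User{06030275-A4C7-4119-8DB3-0ED53FE2C01F}C:\users\pc\appdata\local\nvidia corporation\geforcenow\cef\geforcenow.exe] => (Allow) C:\users\pc\appdata\local\nvidia corporation\geforcenow\cef\geforcenow.exe => No File',
    r'FirewallRules: [{CB7BCF8C-5AD1-4017-9C5A-DE68F7A3ABF7}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.98.3407.0_x64__kzf8qxf38zg5c\Skype\Skype.exe => No File',
    r'HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION',
    r'HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION',
    r'Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION',
    r'HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\Run: [] => [X]',
    r'HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\Run: [DriverFix] => C:\Program Files (x86)\DriverFix\DriverFix.exe [23516144 2023-05-16] (KAPE TECHNOLOGIES (CYPRUS) LIMITED -> DriverFix)',
    r'HKU\S-1-5-21-2523344994-3823910579-3822066088-1001\...\Run: [utweb] => "C:\Users\pc\AppData\Roaming\uTorrent Web\utweb.exe" /MINIMIZED (No File)',
    r'Startup: C:\Users\pc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Onzdrive.lnk [2023-07-20]',
    r'ShortcutTarget: Onzdrive.lnk -> C:\Program Files\Microsoft OneDrive\OneDrive.exe (Microsoft Corporation -> Microsoft Corporation)',
    r'Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk [2020-11-06]',
    r'ShortcutTarget: $McRebootA5E6DEAA56$.lnk ->  (No File)',
]

if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f'[{f.kind}] {f.detail}: {f.reason}')
```

Run it directly to print one line per finding. Note that the DriverFix Run value is deliberately not flagged: its binary exists, so it is a judgement call about unwanted software (as DR M's later post makes), not something a pattern can decide. The name-mismatch check reports "Onzdrive.lnk -> OneDrive.exe" as something to confirm, which is exactly the question asked in item 2; in this thread the answer turned out to be a typo.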

#18
bambidbl

    Member

  • Topic Starter
  • Member
  • 126 posts

Hello again!

Thank you again for your time and your answer.

- Firstly, me installing something bad in the past is really possible because I cracked and modded a lot of games, and something could have been infected.

 

- About that Chinese app, I uninstalled it as I didn't know what it was.

 

- Onzdrive was apparently just a grammar issue, as it leads to the correct folder, so I just changed the letter.

 

- Here is the fixlog.txt.

 

Waiting for an answer.

Attached Files


  • 0

#19
DR M

    The Grecian Geek

  • Malware Removal
  • 4,258 posts

There was a syntax error in the fixlist.

 

Please repeat the process for a FRST fix, but this time select the following:

start::
CMD: net user wgautilacc /Delete
end::

Please post the fixlog.txt in your next reply. 


  • 0

#20
bambidbl

    Member

  • Topic Starter
  • Member
  • 126 posts

Hello, idk if it worked but here it is.

Attached Files


  • 0

#21
DR M

    The Grecian Geek

  • Malware Removal
  • 4,258 posts

If the Google translation from French is correct, then yes, the command completed successfully. :)

 

Last task for tonight. Besides, it will take some hours to get completed.

ESET Online Scan

Download ESET Online Scanner and save it to your desktop.

  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.

  • 0

#22
bambidbl

    Member

  • Topic Starter
  • Member
  • 126 posts

Hello, here it is:

 
 
05/04/2024 10:00:21
Fichiers analysés: 926028
Fichiers détectés: 3
Fichiers nettoyés: 3
Temps d'analyse total 04:54:03
État de l'analyse: Terminé
C:\FRST\Quarantine\C\Users\pc\AppData\Roaming\uTorrent\updates\3.6.0_46896.exe a variant of Win32/uTorrent.E potentially unwanted application cleaned by deleting
 
C:\FRST\Quarantine\C\Users\pc\AppData\Roaming\uTorrent\updates\3.6.0_46902.exe a variant of Win32/uTorrent.E potentially unwanted application cleaned by deleting
 
C:\FRST\Quarantine\C\Users\pc\AppData\Roaming\uTorrent\updates\utorrent.exe a variant of Win32/uTorrent.E potentially unwanted application cleaned by deleting

  • 0

#23
DR M

    The Grecian Geek

  • Malware Removal
  • 4,258 posts

Hi, bambidbl.

 

It's time to check fresh FRST logs.

 

Run the tool as you did before and attach for me fresh Addition and FRST logs to check. 


  • 0

#24
bambidbl

    Member

  • Topic Starter
  • Member
  • 126 posts

On it when I get home, thank you.

  • 0

#25
bambidbl

    Member

  • Topic Starter
  • Member
  • 126 posts

Here they are.

Attached Files


  • 0


#26
DR M

    The Grecian Geek

  • Malware Removal
  • 4,258 posts

Hello.
 
The logs seem to be clean; however, I'll repeat what I said at the beginning:
 

Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

 
Have you run Eset Online Scanner again? If you ran it, please post the latest results in your next reply.
 

There are also some other changes in the logs.
 

 

Moving on.

 
1. Antivirus 
 
It seems that now both Avast and Defender are disabled. Since you decided to go with Avast, please check that it runs fine. Let me know if you successfully enabled it again.
 
 
2. DriverFix

We do not recommend registry cleaners, system optimizers, driver boosters and the like. It is your computer and certainly your choice. However, please consider that with registry cleaners and system optimization software programs, the potential is ever present to cause more problems than they claim to fix. My recommendation is to uninstall DriverFix 4.2021.8.30 now.

 

(Note that I removed some DriverFix instances in the fix before, since I missed it in the Installed Programs list. However, if you need it, I can get them back for you.)

 

 

In your next reply please post:

  1. If you were able to enable Avast
  2. What you did with DriverFix
  3. The eset.txt if you re-ran Eset Online Scanner

  • 0

#27
bambidbl

    Member

  • Topic Starter
  • Member
  • 126 posts

Hello, I may have uninstalled some wallpaper programs which came from the Microsoft Store, I don't remember if I did anything else. About ESET, I haven't run it again after what you asked me, but there was a conflict with Avast so I disabled my AV during the scan. It is working fine. I'll put the eset.txt again if you want it. Waiting for your answer.

Attached Files

  • Attached File: eset.txt (1.26KB, 75 downloads)

  • 0

#28
DR M

    The Grecian Geek

  • Malware Removal
  • 4,258 posts

 

Hello, I may have uninstalled some wallpaper programs which came from the Microsoft Store, I don't remember if I did anything else. About ESET, I haven't run it again after what you asked me, but there was a conflict with Avast so I disabled my AV during the scan. It is working fine. I'll put the eset.txt again if you want it. Waiting for your answer.

 

Thanks for your explanation. No, no need to run it again. 

 

So Avast works fine now.

 

What about DriverFix? 


  • 0

#29
bambidbl

    Member

  • Topic Starter
  • Member
  • 126 posts

Hello, I uninstalled it, sorry I forgot to mention it, my bad.


  • 0

#30
DR M

    The Grecian Geek

  • Malware Removal
  • 4,258 posts

Hello, I uninstalled it, sorry I forgot to mention it, my bad.

 

No worries. 

 

Now the Windows system is clean. Can you check if you still get the detections from Avast? If yes, it will be necessary to move to the second part of the process here.


  • 0





