Malware/Remote Logging?

Post by koblinV3 » September 10th, 2019, 1:01 pm

I recently noticed a bunch of weird programs/TCP ports being allowed through my Defender firewall. I had some other peculiar stuff as well. Every once in a while I see my screen flicker like someone is remotely logging in/out, so that has me concerned. Also, a service was running for SSH, but I think that might be from messing with VM stuff. My System32 folder is also shared by default and I'm not sure why. To make things weirder, I have one drive that's formatted as exFAT. I have folders that had a modified date of a future date as well, so I'm pretty sure there's something going on. I'm also concerned there could be something with VMware/Android SDK/my phone involved in all of this. I have my boot manager set up weird too, where my BIOS is UEFI + Legacy (grub and Windows manager together on two separate drives lol... disorganized), so that's a bit disconcerting. I started learning programming a while back too, so there might be some stuff on here that's ill-advised security-wise. I also felt like I was getting weird Google search results at times, but that could just be me. There's more too if you need more info.

Anyway here are my logs.

Addition (2).txt
FRST (3).txt
koblinV3
Active Member
 
Posts: 5
Joined: September 10th, 2019, 12:35 pm
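The symptoms listed above (firewall allow rules for unknown programs, a shared system folder, an SSH service, future-dated files) can each be checked without changing anything. The read-only PowerShell triage script below is an added example and is not part of the thread or of any tool the helper uses; it assumes Windows 10 with the built-in NetSecurity and SmbShare modules, an elevated prompt, and a $ScanRoot path (assumed) that bounds the file walk.

```powershell
# Added triage script, not part of the original thread. Read-only: it reports and changes nothing.
# Assumes Windows 10 with the built-in NetSecurity and SmbShare modules, run from an elevated
# PowerShell. $ScanRoot and $MaxDepth are assumed parameters that bound the file walk.
param(
    [string]$ScanRoot = $env:USERPROFILE,
    [int]$MaxDepth = 4
)

# 1. Inbound allow rules, the binary each one opens the firewall for, and whether that
#    binary carries a valid Authenticode signature. Unsigned or missing programs with
#    open ports are the ones worth explaining first.
function Get-InboundAllowRuleReport {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $app  = $rule | Get-NetFirewallApplicationFilter
            $port = $rule | Get-NetFirewallPortFilter
            $sig  = 'n/a'
            if ($app.Program -and $app.Program -ne 'Any') {
                # Rules store paths like %SystemRoot%\...; expand before touching the file.
                $path = [Environment]::ExpandEnvironmentVariables($app.Program)
                $sig  = if (Test-Path -LiteralPath $path) {
                    (Get-AuthenticodeSignature -FilePath $path).Status
                } else { 'missing' }
            }
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                Profile   = $rule.Profile
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
                Program   = $app.Program
                Signature = $sig
            }
        }
}

# 2. SMB shares. ADMIN$ (which maps to %SystemRoot%, i.e. C:\Windows), the drive shares
#    such as C$, and IPC$ are created by Windows itself and are flagged Special; a share
#    that is not Special was added by a person or a program and should be accounted for.
function Get-ShareReport {
    Get-SmbShare | Select-Object Name, Path, Special
}

# 3. Remote-access services: the optional OpenSSH server (sshd), its agent, and Remote
#    Desktop (TermService). Running with an Automatic start type on a home PC is a
#    decision the owner should recognise as their own.
function Get-RemoteServiceReport {
    Get-Service -Name sshd, ssh-agent, TermService -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType
}

# 4. Items whose timestamps lie in the future. A wrong system clock, or files copied from
#    a drive written under another clock or time zone, also produce this, so treat hits
#    as leads to investigate rather than proof of tampering.
function Get-FutureDatedItems {
    param([string]$Root, [int]$Depth)
    $now = Get-Date
    Get-ChildItem -LiteralPath $Root -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $now -or $_.CreationTime -gt $now } |
        Select-Object FullName, CreationTime, LastWriteTime
}

'== Inbound allow rules (unsigned/missing programs first) =='
Get-InboundAllowRuleReport | Sort-Object Signature | Format-Table -AutoSize
'== SMB shares =='
Get-ShareReport | Format-Table -AutoSize
'== Remote-access services =='
Get-RemoteServiceReport | Format-Table -AutoSize
"== Future-dated items under $ScanRoot =="
Get-FutureDatedItems -Root $ScanRoot -Depth $MaxDepth | Format-Table -AutoSize
```

Save the output alongside the FRST logs; a helper can then match each firewall rule and share against what the logs show was installed.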

Re: Malware/Remote Logging?

Post by pgmigg » September 11th, 2019, 3:53 pm

Hello koblinV3,

Welcome to the forum! :)

I am pgmigg and I'll be helping you with any malware problems.

Before we begin, please read and follow these important guidelines, so things will proceed smoothly.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. You must have Administrator rights/permissions for this computer.
  3. DO NOT run any other fix or removal tools unless instructed to do so!
  4. DO NOT install any other software (or hardware) during the cleaning process until we are done as well as
    DO NOT Remove, or Scan with anything on your system unless I ask. This adds more items to be researched.
    Extra Additions and Removals of files make the analysis more difficult.
  5. Only post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  6. Print each set of instructions if possible - your Internet connection will not be available during some fix processes.
  7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  8. Only reply to this thread, do not start another one. Please, continue responding, until I give you the "All Clean!" :cheers:
    Absence of symptoms does not mean that everything is clear.

I am currently reviewing your logs and will return, as soon as possible, with additional instructions. In the meantime...

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

Please read all instructions carefully before executing and perform the steps, in the order given.
If you have any questions or problems executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start


Failure to post replies within 72 hours will result in this thread being closed
pgmigg
Admin/Teacher
 
Posts: 4651
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: Malware/Remote Logging?

Post by pgmigg » September 11th, 2019, 4:57 pm

Hello koblinV3,

P2P Advisory!
IMPORTANT: There are signs of one or more P2P (Peer to Peer) File Sharing Programs installed on your computer.
qBittorrent

As long as you have the P2P program(s) installed, per Forum Policy, I can offer you no further assistance.

If you choose NOT to remove the program(s), please indicate that in your next reply and this topic will be closed.

Otherwise, please perform the following steps:

Step 1.
Remove P2P Programs
  1. Please press the Windows Key + R.
  2. Enter appwiz.cpl into the text box and click OK.
  3. Locate the following programs:
    qBittorrent
  4. Click on the Change/Remove button to uninstall it.
  5. When the program has been uninstalled, please close Control Panel.
  6. Reboot (restart) your computer.
By using any form of P2P networking to download files you can anticipate infestations of malware to occur. The P2P program itself may be safe but the files may not - use P2P at your own risk!
Keep in mind that this practice may be the source of your current malware infestation.
Reference citing risk factors of using P2P programs: How to Prevent the Online Invasion of Spyware and Adware

Step 2.
Run CKScanner
  1. Please download CKScanner from here
  2. Important: - Save it to your Desktop.
  3. Double-click CKScanner.exe and click Search For Files.
  4. After a very short time, when the cursor hourglass disappears, click Save List To File.
  5. A message box will verify the file saved.
  6. Double-click the CKFiles.txt icon on your Desktop and copy/paste the contents in your next reply.

Step 3.
TSG - SysInfo utility
  1. Please download SysInfo utility and save it to your Desktop.
  2. Right click on SysInfo.exe, select "Run As Administrator..." to run it... if UAC prompts, please allow it.
  3. Right click, select copy and then paste in your next post.

Step 4.
Run CodeCheck Scan
  1. Please download codecheck from here to your Desktop.
  2. Make sure that codecheck.exe is on your Desktop before running the application!
  3. Right-click on codecheck.exe and select "Run as administrator..." to run it.
  4. After a very short time a codecheck.txt icon will appear on your Desktop
  5. Double-click on the codecheck.txt icon on your Desktop and copy/paste the contents in your next reply.

Then:
Please tell me is this computer used for business or educational purposes and/or connected to a business or educational network?
I need to know it - so I can provide the proper instructions.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections...

Don't post anything as attachments unless I will ask you about it specifically!

Please include in your next reply:
  1. Your decision about P2P programs
  2. Do you have any problems executing the instructions?
  3. Contents of CKFiles.txt log file
  4. Contents of SysInfo scan
  5. Contents of a log created by codecheck.txt
  6. Answer to my question about how your computer is used

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
pgmigg
Admin/Teacher
 
Posts: 4651
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: Malware/Remote Logging?

Post by koblinV3 » September 11th, 2019, 9:23 pm

I have removed any P2P stuff. No, I have my PC on a private home network. Thanks for all of your help :)


CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files\gimp 2\share\gimp\2.0\patterns\stone\cracked.pat
c:\windows\winsxs\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.17763.1_none_ad6c66b207e8c478\ssh-keygen.exe
scanner sequence 3.AA.11.LDAPTZ
----- EOF -----

Tech Support Guy System Info Utility version 1.0.0.4
OS Version: Microsoft Windows 10 Pro, 64 bit
Processor: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz, Intel64 Family 6 Model 94 Stepping 3
Processor Count: 8
RAM: 16347 Mb
Graphics Card: NVIDIA GeForce GTX 980, -1 Mb
Hard Drives: C: 232 GB (75 GB Free); D: 1984 GB (1829 GB Free); E: 810 GB (810 GB Free); F: 465 GB (261 GB Free);
Motherboard: MSI, Z170A XPOWER GAMING TITANIUM EDITION(MS-7968)
Antivirus: Avast Antivirus, Enabled


Codecheck Version 1.0

09011
koblinV3
Active Member
 
Posts: 5
Joined: September 10th, 2019, 12:35 pm

Re: Malware/Remote Logging?

Post by pgmigg » September 12th, 2019, 11:14 am

Hello koblinV3,

Thank you! Now we can start our treatment... :D

Step 1.
Create a Backup With Tweaking.com Registry Backup (TCRB)
There is also a tutorial with pictures available HERE.
  1. Please download TCRB from HERE and save it to your Desktop, then double-click on tweaking.com_registry_backup_setup.exe and follow the prompts to install TCRB.
  2. Launch TCRB.
  3. Click the Backup Registry tab and make sure all the boxes are checked.
  4. Click on Backup Now.
  5. Once the backup is finished you can now exit the program.
< STOP > Do not proceed any further if you were not able to create a registry backup. Post back with what happened so we can determine why it was unsuccessful.

Step 2.
Scan with AdwCleaner.
  1. Please download AdwCleaner and save it to your Desktop.
  2. Double click AdwCleaner.exe to run it.
  3. Click Yes on the UAC question and I Agree on the Welcome window.
  4. Click the Scan now button and wait until the scan finishes... then click on the Cancel button.
  5. On the vertical left side menu select Log Files, click on it, and you will see the list of log files.
  6. Find most recent AdwCleaner[Sxx].txt one and double click on it - the Notepad with a log file will be opened.
  7. Close the AdwCleaner.
  8. Please post the contents of AdwCleaner[Sxx].txt log file from Notepad with your next reply.
  9. You can also find the log file at C:\AdwCleaner\Logs\AdwCleaner[Sxx].txt.

AT THIS POINT, DO NOT ATTEMPT TO CLEAN ANYTHING THAT MAY BE FOUND

Step 3.
I see in your logs that you have Java installed:
Java 8 Update 221 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180221F0}) (Version: 8.0.2210.11 - Oracle Corporation)
Java 8 Update 221 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180221F0}) (Version: 8.0.2210.11 - Oracle Corporation)

What was it installed for?

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections...

Don't post anything as attachments unless I will ask you about it specifically!

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Content of the C:\AdwCleaner[Sxx].txt
  3. Answer for my question about Java.
  4. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
pgmigg
Admin/Teacher
 
Posts: 4651
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: Malware/Remote Logging?

Post by koblinV3 » September 12th, 2019, 5:56 pm

# -------------------------------
# Malwarebytes AdwCleaner 7.4.1.0
# -------------------------------
# Build: 09-04-2019
# Database: 2019-09-06.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 09-12-2019
# Duration: 00:00:08
# OS: Windows 10 Pro
# Scanned: 35598
# Detected: 1


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

PUP.Optional.Legacy C:\Users\Kobli\Desktop\SysInfo.exe

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.


AdwCleaner_Debug.log - [7005 octets] - [12/09/2019 17:51:38]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
koblinV3
Active Member
 
Posts: 5
Joined: September 10th, 2019, 12:35 pm

Re: Malware/Remote Logging?

Post by koblinV3 » September 12th, 2019, 6:03 pm

2019-09-12 21:51:38 : <INFO> [Application] AdwCleaner 7 . 4 . 1 launched
2019-09-12 21:51:39 : <INFO> [MBInstaller] Checking Iris
2019-09-12 21:51:39 : <INFO> [IRIS] Making request
2019-09-12 21:51:39 : <INFO> [AdwUpgrade] Checking application updates
2019-09-12 21:51:40 : <INFO> [SslCert] Issued by ("DigiCert SHA2 High Assurance Server CA")
2019-09-12 21:51:40 : <INFO> [SslCert] Issued to ("*.malwarebytes.com")
2019-09-12 21:51:40 : <INFO> [SslCert] Locality Name ("Santa Clara")
2019-09-12 21:51:40 : <INFO> [SslCert] Organization ("Malwarebytes Inc")
2019-09-12 21:51:40 : <INFO> [SslCert] Certificate EffectiveDate: "Mon Oct 2 00:00:00 2017 GMT"
2019-09-12 21:51:40 : <INFO> [SslCert] Certificate ExpirationDate: "Tue Oct 6 12:00:00 2020 GMT"
2019-09-12 21:51:40 : <INFO> [SslCert] ALPN: None
2019-09-12 21:51:40 : <INFO> [SslCert] Cipher: "ECDHE-RSA-AES256-GCM-SHA384"
2019-09-12 21:51:40 : <INFO> [SslCert] KXE: "ECDH"
2019-09-12 21:51:40 : <INFO> [SslCert] Protocol: "TLSv1.2"
2019-09-12 21:51:40 : <INFO> [SslCert] Issued by ("DigiCert SHA2 High Assurance Server CA")
2019-09-12 21:51:40 : <INFO> [SslCert] Issued to ("*.malwarebytes.com")
2019-09-12 21:51:40 : <INFO> [SslCert] Locality Name ("Santa Clara")
2019-09-12 21:51:40 : <INFO> [SslCert] Organization ("Malwarebytes Inc")
2019-09-12 21:51:40 : <INFO> [SslCert] Certificate EffectiveDate: "Mon Oct 2 00:00:00 2017 GMT"
2019-09-12 21:51:40 : <INFO> [SslCert] Certificate ExpirationDate: "Tue Oct 6 12:00:00 2020 GMT"
2019-09-12 21:51:40 : <INFO> [SslCert] ALPN: None
2019-09-12 21:51:40 : <INFO> [SslCert] Cipher: "ECDHE-RSA-AES256-GCM-SHA384"
2019-09-12 21:51:40 : <INFO> [SslCert] KXE: "ECDH"
2019-09-12 21:51:40 : <INFO> [SslCert] Protocol: "TLSv1.2"
2019-09-12 21:51:40 : <INFO> [Telemetry] Status code: QVariant(int, 200)
2019-09-12 21:51:40 : <WARNING> [File Downloader] Error downloading ( QNetworkReply::NetworkError(ContentNotFoundError) )
2019-09-12 21:51:40 : <INFO> [IRIS] Failed
2019-09-12 21:51:41 : <INFO> [Button clicked] Close EULA
2019-09-12 21:51:50 : <INFO> [Application] AdwCleaner 7 . 4 . 1 launched
2019-09-12 21:51:50 : <INFO> [MBInstaller] Checking Iris
2019-09-12 21:51:50 : <INFO> [IRIS] Making request
2019-09-12 21:51:50 : <INFO> [Telemetry] Sending hello
ication updates
2019-09-12 21:51:51 : <INFO> [SslCert] Issued by ("DigiCert SHA2 High Assurance Server CA")
2019-09-12 21:51:51 : <INFO> [SslCert] Issued to ("*.malwarebytes.com")
2019-09-12 21:51:51 : <INFO> [SslCert] Locality Name ("Santa Clara")
2019-09-12 21:51:51 : <INFO> [SslCert] Organization ("Malwarebytes Inc")
2019-09-12 21:51:51 : <INFO> [SslCert] Certificate EffectiveDate: "Mon Oct 2 00:00:00 2017 GMT"
2019-09-12 21:51:51 : <INFO> [SslCert] Certificate ExpirationDate: "Tue Oct 6 12:00:00 2020 GMT"
2019-09-12 21:51:51 : <INFO> [SslCert] ALPN: None
2019-09-12 21:51:51 : <INFO> [SslCert] Cipher: "ECDHE-RSA-AES256-GCM-SHA384"
2019-09-12 21:51:51 : <INFO> [SslCert] KXE: "ECDH"
2019-09-12 21:51:51 : <INFO> [SslCert] Protocol: "TLSv1.2"
2019-09-12 21:51:51 : <INFO> [SslCert] Issued by ("DigiCert SHA2 High Assurance Server CA")
2019-09-12 21:51:51 : <INFO> [SslCert] Issued to ("*.malwarebytes.com")
2019-09-12 21:51:51 : <INFO> [SslCert] Locality Name ("Santa Clara")
2019-09-12 21:51:51 : <INFO> [SslCert] Organization ("Malwarebytes Inc")
2019-09-12 21:51:51 : <INFO> [SslCert] Certificate EffectiveDate: "Mon Oct 2 00:00:00 2017 GMT"
2019-09-12 21:51:51 : <INFO> [SslCert] Certificate ExpirationDate: "Tue Oct 6 12:00:00 2020 GMT"
2019-09-12 21:51:51 : <INFO> [SslCert] ALPN: None
2019-09-12 21:51:51 : <INFO> [SslCert] Cipher: "ECDHE-RSA-AES256-GCM-SHA384"
2019-09-12 21:51:51 : <INFO> [SslCert] KXE: "ECDH"
2019-09-12 21:51:51 : <INFO> [SslCert] Protocol: "TLSv1.2"
2019-09-12 21:51:51 : <INFO> [Telemetry] Status code: QVariant(int, 200)
2019-09-12 21:51:51 : <WARNING> [File Downloader] Error downloading ( QNetworkReply::NetworkError(ContentNotFoundError) )
2019-09-12 21:51:51 : <INFO> [IRIS] Failed
2019-09-12 21:51:53 : <INFO> [Button clicked] EULA agreed
2019-09-12 21:52:02 : <INFO> [Button clicked] Scan
2019-09-12 21:52:02 : <INFO> [Scan] Started
2019-09-12 21:52:02 : <INFO> [Database] Downloading database
2019-09-12 21:52:03 : <INFO> [Database] Checking integrity
2019-09-12 21:52:03 : <INFO> [Database] Found 2599 families
2019-09-12 21:52:03 : <INFO> [Database] Database v "2019-09-06.1"
2019-09-12 21:52:03 : <INFO> [Loading paths] Local paths loaded
2019-09-12 21:52:03 : <INFO> [Loading paths] Chrome paths loaded
2019-09-12 21:52:03 : <INFO> [Loading paths] User Keys loaded
2019-09-12 21:52:03 : <INFO> [Module initialized] "File"
2019-09-12 21:52:03 : <INFO> [Module initialized] "Folder"
2019-09-12 21:52:03 : <INFO> [Module initialized] "RegistryKey"
2019-09-12 21:52:03 : <INFO> [Module initialized] "RegistryValue"
2019-09-12 21:52:03 : <INFO> [Module initialized] "TaskName"
2019-09-12 21:52:03 : <INFO> [Module initialized] "Service"
2019-09-12 21:52:03 : <INFO> [Module initialized] "Winlogon"
2019-09-12 21:52:04 : <INFO> [Module initialized] "URL"
2019-09-12 21:52:04 : <INFO> [Module initialized] "RegAppInit"
2019-09-12 21:52:04 : <INFO> [Module initialized] "RegClasses"
2019-09-12 21:52:04 : <INFO> [Module initialized] "DNS"
2019-09-12 21:52:04 : <INFO> [Module initialized] "RegFirewallPolicy"
2019-09-12 21:52:04 : <INFO> [Module initialized] "RegGuid"
2019-09-12 21:52:04 : <INFO> [Module initialized] "RegIEElevationPolicy"
2019-09-12 21:52:04 : <INFO> [Module initialized] "RegOther"
2019-09-12 21:52:04 : <INFO> [Module initialized] "RegProductID"
2019-09-12 21:52:04 : <INFO> [Module initialized] "RegSoftware"
2019-09-12 21:52:04 : <INFO> [Module initialized] "RegStartup"
2019-09-12 21:52:04 : <INFO> [Module initialized] "WMI"
2019-09-12 21:52:04 : <INFO> [Module initialized] "ChromiumExt"
2019-09-12 21:52:04 : <INFO> [Module initialized] "FirefoxExt"
2019-09-12 21:52:04 : <INFO> [Module initialize] Scan Browser
2019-09-12 21:52:04 : <INFO> [Module initialize] Scan Browser FF
2019-09-12 21:52:04 : <INFO> [Module initialize] FF start pages loaded
2019-09-12 21:52:04 : <INFO> [Module initialize] FF search providers loaded
2019-09-12 21:52:04 : <INFO> [Module initialize] FF plugin list loaded
2019-09-12 21:52:04 : <INFO> [Scan] Exclusions loaded
2019-09-12 21:52:04 : <INFO> [Scan] Item detected: "PUP.Optional.Legacy" , "C:\\Users\\Kobli\\Desktop\\SysInfo.exe" [ "File" ]
2019-09-12 21:52:11 : <INFO> [Telemetry] Sending to Influx
2019-09-12 21:52:11 : <INFO> [SslCert] Issued by ("Let's Encrypt Authority X3")
2019-09-12 21:52:11 : <INFO> [SslCert] Issued to ("telemetry-02.adwc.mb.fr33tux.org")
2019-09-12 21:52:11 : <INFO> [SslCert] Locality Name ()
2019-09-12 21:52:11 : <INFO> [SslCert] Organization ()
2019-09-12 21:52:11 : <INFO> [SslCert] Certificate EffectiveDate: "Sun Aug 18 10:50:38 2019 GMT"
2019-09-12 21:52:11 : <INFO> [SslCert] Certificate ExpirationDate: "Sat Nov 16 10:50:38 2019 GMT"
2019-09-12 21:52:11 : <INFO> [SslCert] ALPN: Yes
2019-09-12 21:52:11 : <INFO> [SslCert] Cipher: "ECDHE-RSA-AES256-GCM-SHA384"
2019-09-12 21:52:11 : <INFO> [SslCert] KXE: "ECDH"
2019-09-12 21:52:11 : <INFO> [SslCert] Protocol: "TLSv1.2"
2019-09-12 21:52:11 : <INFO> [Telemetry] Status code: QVariant(int, 204)
2019-09-12 21:52:11 : <INFO> [Telemetry] Sending to DSE
2019-09-12 21:52:12 : <INFO> [SslCert] Issued by ("DigiCert SHA2 High Assurance Server CA")
2019-09-12 21:52:12 : <INFO> [SslCert] Issued to ("*.malwarebytes.com")
2019-09-12 21:52:12 : <INFO> [SslCert] Locality Name ("San Jose")
2019-09-12 21:52:12 : <INFO> [SslCert] Organization ("Malwarebytes Inc.")
2019-09-12 21:52:12 : <INFO> [SslCert] Certificate EffectiveDate: "Thu Feb 22 00:00:00 2018 GMT"
2019-09-12 21:52:12 : <INFO> [SslCert] Certificate ExpirationDate: "Wed Apr 22 12:00:00 2020 GMT"
2019-09-12 21:52:12 : <INFO> [SslCert] ALPN: Yes
2019-09-12 21:52:12 : <INFO> [SslCert] Cipher: "ECDHE-RSA-AES256-GCM-SHA384"
2019-09-12 21:52:12 : <INFO> [SslCert] KXE: "ECDH"
2019-09-12 21:52:12 : <INFO> [SslCert] Protocol: "TLSv1.2"
2019-09-12 21:52:12 : <INFO> [Telemetry] Status code: QVariant(int, 201)
2019-09-12 21:52:12 : <INFO> [Scan] Finished
2019-09-12 21:52:58 : <INFO> [Button clicked] Log files menu item
2019-09-12 21:53:01 : <INFO> [Button clicked] Dashboard menu item
2019-09-12 21:53:05 : <INFO> [Button clicked] Log files menu item


No I didn't have any problems with the instructions. I feel like I can still see my screen shift occasionally like when someone connects/disconnects remotely while running different things.
koblinV3
Active Member
 
Posts: 5
Joined: September 10th, 2019, 12:35 pm

Re: Malware/Remote Logging?

Post by pgmigg » September 12th, 2019, 9:27 pm

Hello koblinV3,

I am still waiting for your answer to my question related to installed Java.

At the same time, I don't understand why you placed in your reply the content of AdwCleaner_Debug.log, which I did not ask for.

koblinV3 wrote: I feel like I can still see my screen shift occasionally like when someone connects/disconnects remotely while running different things.
Of course, so far all the problems remain unchanged, because I'm trying to make a diagnosis and study your computer - what, why, how, for what ...
This can be a lengthy process, and to shorten it, please answer my questions, which I ask for a reason.

Thank you,
pgmigg
pgmigg
Admin/Teacher
 
Posts: 4651
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: Malware/Remote Logging?

Post by koblinV3 » September 13th, 2019, 10:51 pm

So I originally put Java on here because I needed it to start learning programming. That's why I have virtual linux machines and GRUB on one of my drives. I was meaning to get rid of that but now I want to make sure my PC is clean beforehand. Sorry for not answering your question. I must have missed it unintentionally.

Yeah, as far as the debug thing goes, I just thought I had posted the wrong one. So when I posted the debug log I thought I had unintentionally done that on the previous post. I'll make sure I remember/more carefully follow your instructions from now on, since I can see how that could be perceived as a different person being logged in or something.
koblinV3
Active Member
 
Posts: 5
Joined: September 10th, 2019, 12:35 pm

Re: Malware/Remote Logging?

Post by pgmigg » September 14th, 2019, 11:38 am

Hello koblinV3,

koblinV3 wrote: So I originally put Java on here because I needed it to start learning programming. That's why I have virtual linux machines and GRUB on one of my drives. I was meaning to get rid of that but now I want to make sure my PC is clean beforehand. Sorry for not answering your question. I must have missed it unintentionally.
Thank you!
I had to make sure that Java's installation was meaningful - the fact is that Java is a big headache (in the old days many websites didn't work without it, and today this need has disappeared) and, left unattended, it can be a potential source of all kinds of problems related primarily to computer security. Your version has been outdated for a long time and I want to delete it - if necessary, you can always install a new one.

Let's continue to look for problems for now...

I would like to uninstall Avast Secure Browser too as your default browser is Google Chrome.
Avast browser is not exactly the best written piece of software, and I've seen a number of cases where it has interacted badly with the host computer, causing any number of weird effects.
Your version of Malwarebytes is very old and if we need it, the best is to install the newest one.

Step 1.
Remove Program
  1. Click on Start, then click the Start Search box on the Start Menu.
  2. Copy and paste the value below into the open text entry box:
    (Click the Select all button next to Code: to select the entire script).
    Code: Select all
     appwiz.cpl 
    and press Enter - the Uninstall or change a program list will be opened.
  3. Click on every entry in the list below, one at a time (please do it exactly in my sequence!), if it exists, choose Uninstall, and give permission to Continue:
    Avast Secure Browser
    Java 8 Update 221
    Java 8 Update 221
    Malwarebytes
  4. When all programs have been uninstalled, please close Control Panel
  5. Reboot (restart) your computer.
  6. Windows Defender will be started automatically as your default defense software.

Step 2.
FRST Fix
  1. Close all your programs.
  2. You should still have FRST64.exe on your Desktop. If not please download it HERE and save it on your Desktop.
  3. Click Start and type notepad.exe in the search programs and files box and click Enter - a blank Notepad page should open.
    • Copy and Paste the following script into Notepad, but do not include the words Code: Select all.
    • (Click the Select all button next to Code: to select the entire script).
    Code: Select all
    CreateRestorePoint:
    
    (Oracle America, Inc. -> Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [644552 2019-07-04] (Oracle America, Inc. -> Oracle Corporation)
    BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_221\bin\ssv.dll [2019-07-19] (Oracle America, Inc. -> Oracle Corporation)
    BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_221\bin\jp2ssv.dll [2019-07-19] (Oracle America, Inc. -> Oracle Corporation)
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_221\bin\ssv.dll [2019-07-19] (Oracle America, Inc. -> Oracle Corporation)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_221\bin\jp2ssv.dll [2019-07-19] (Oracle America, Inc. -> Oracle Corporation)
    HKLM-x32\...\Run: [] => [X]
    FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
    HKU\S-1-5-21-3779585765-1514221111-3341031475-1001\...\Run: [AvastBrowserAutoLaunch_43649C95E0334351713E069CD256E7D4] => C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe [1808504 2019-07-18] (AVAST Software s.r.o. -> AVAST Software)
    FF Plugin: @java.com/DTPlugin,version=11.221.2 -> C:\Program Files\Java\jre1.8.0_221\bin\dtplugin\npDeployJava1.dll [2019-07-19] (Oracle America, Inc. -> Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=11.221.2 -> C:\Program Files\Java\jre1.8.0_221\bin\plugin2\npjp2.dll [2019-07-19] (Oracle America, Inc. -> Oracle Corporation)
    FF Plugin-x32: @java.com/DTPlugin,version=11.221.2 -> C:\Program Files (x86)\Java\jre1.8.0_221\bin\dtplugin\npDeployJava1.dll [2019-07-19] (Oracle America, Inc. -> Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=11.221.2 -> C:\Program Files (x86)\Java\jre1.8.0_221\bin\plugin2\npjp2.dll [2019-07-19] (Oracle America, Inc. -> Oracle Corporation)
    Task: {081E3A1E-2D2D-43FD-B63C-F972CB4FB3A3} - System32\Tasks\AvastUpdateTaskMachineUA => C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe [164984 2019-04-09] (AVAST Software s.r.o. -> AVAST Software)
    Task: {258CEA99-CE47-42D1-9246-86B1284B388C} - System32\Tasks\AvastUpdateTaskMachineCore => C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe [164984 2019-04-09] (AVAST Software s.r.o. -> AVAST Software)
    Task: {36D54129-9984-4707-9FDE-11800270C0C2} - System32\Tasks\Avast Secure Browser Heartbeat Task (Hourly) => C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe [1808504 2019-07-18] (AVAST Software s.r.o. -> AVAST Software)
    Task: {E8C7F0E8-B5EA-4B86-91F5-E496000D5BCA} - System32\Tasks\Avast Secure Browser Heartbeat Task (Logon) => C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe [1808504 2019-07-18] (AVAST Software s.r.o. -> AVAST Software)
    S2 avast; C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe [164984 2019-04-09] (AVAST Software s.r.o. -> AVAST Software)
    S3 avastm; C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe [164984 2019-04-09] (AVAST Software s.r.o. -> AVAST Software)
    S3 AvastSecureBrowserElevationService; C:\Program Files (x86)\AVAST Software\Browser\Application\75.1.1528.101\elevation_service.exe [978720 2019-07-18] (AVAST Software s.r.o. -> AVAST Software)
    2019-09-08 07:38 - 2019-03-24 20:58 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
    2019-09-08 07:33 - 2019-03-24 20:58 - 000000000 ____D C:\Program Files\Java
    2019-09-08 07:33 - 2019-03-24 20:58 - 000000000 ____D C:\Program Files (x86)\Java
    HKU\S-1-5-21-3779585765-1514221111-3341031475-1001\...\StartupApproved\Run: => "AvastBrowserAutoLaunch_43649C95E0334351713E069CD256E7D4"
    FirewallRules: [{41269909-5E1E-488A-AA10-86E6376581DF}] => (Allow) C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe (AVAST Software s.r.o. -> AVAST Software)
    FirewallRules: [{807880C4-E098-47A3-A795-A9CA6A34EDD0}] => (Allow) C:\Program Files\qBittorrent\qbittorrent.exe () [File not signed]
    FirewallRules: [{A79F110E-1092-4A48-B18A-518DC87B347F}] => (Allow) C:\Program Files\qBittorrent\qbittorrent.exe () [File not signed]
    
    EmptyTemp:
    
  4. Save it next to FRST64.exe as fixlist.txt.
    Important! fixlist.txt must be saved in the same directory as FRST64.exe to work.
  5. Right click on FRST64.exe and select Run as administrator.
  6. Press the Fix button one time only and wait.
  7. When FRST finishes you will be prompted to reboot your computer. Click OK.
  8. Your computer should now restart. On reboot navigate to your Desktop where you should find Fixlog.txt. Copy and paste the contents in your reply.

Step 3.
Fresh FRST Scan
  1. Close all your programs.
  2. You should still have FRST64.exe on your Desktop. If not please download it HERE and save it on your Desktop.
  3. Run a new scan with FRST and post me your new Frst.txt and Addition.txt logs.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections...

Don't post anything as attachments unless I will ask you about it specifically!

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of the fixlog.txt log file
  3. Contents of FRST.txt and Addition.txt logs created by FRST scan.
  4. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
pgmigg
Admin/Teacher
 
Posts: 4651
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: Malware/Remote Logging?

Post by pgmigg » September 17th, 2019, 9:57 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
pgmigg
Admin/Teacher
 
Posts: 4651
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00