
My laptop got hacked through an unknown file

10K views 142 replies 5 participants last post by  Couriant  
#1 · (Edited)
Hello everyone.
For a few months now, all my accounts have been getting constantly hacked. I believe it is caused by something I downloaded (which I have since deleted). Some of my accounts, such as Gmail or Steam, keep getting hacked even after changing my passwords to more secure ones (on a different device than my computer). I believe that this started when I downloaded an unknown file, but I am not sure about it.
I also noticed 2 new drives (H and G) that I can't open when clicking (I added an image to show it).
I am a little puzzled about this situation and would really love it if someone could help, even with a little step towards keeping this third person from my data.

Thank you very much!!

PS: I have also included both scan files, as the rules of this forum asked me to do.
PS2: I have also added a screenshot of my Windows Security. When I click on it, nothing shows.


Edit: There is an unknown process taking a lot of memory, called exactly like the Windows Defender process. I also attached a screenshot of it. I cannot end that process when I try to.
 

Attachments

#2 ·
Hello!

I would also like to add that my laptop's internet connection is very slow compared to my other devices connected to the same network. For example, my iPad would download a video in 5 minutes while my laptop takes 45 minutes to download the exact same video from the exact same website, regardless of the browser used.

Thanks!!
 
#3 ·
Hello, and welcome to TSG.


Apologies for the late response. I am extremely busy with my work these days.

I will be assisting you with your computer issues, mainly checking it for malware.

Please adhere to the guidelines below, and then carefully follow, in the same order, all the instructions after:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but can also make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, there is no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, keep in mind that all the experts here are volunteers and may not be available to assist when you post. Please be patient while I analyze your logs.

=====================

I'll need some time to review your logs and be back to you as soon as I am ready.
 
#5 ·
There are a lot of things to say looking into your logs. Let's start with the programs you need to uninstall.

1. P2P programs

You have uTorrent Web and µTorrent installed on your computer. These are P2P programs. P2P programs form a direct conduit onto a computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. If you don't uninstall them, your computer will probably get infected again, as soon as you use it again. But it is your computer and of course your decision.
  • If you decide to keep them, DON'T use them during the cleaning procedure.
  • If you decide to uninstall them, uninstall them.

2. Security programs

You have Microsoft Defender as your security solution program and this is fine. In addition, Avira Security (with a lot of other bundled programs) is installed, as well as McAfee® Personal Security. There are also remnants from AVAST. Keep in mind that you actually need one antivirus and one antimalware program to run in real time. More will cause conflicts sooner or later. Although Avira isn't shown in your logs as active, my recommendation is to uninstall it, along with McAfee.

Avira Security
McAfee® Personal Security

3. Java

There are very few reasons these days to continue having Java installed on your computer. However, if you do elect to keep Java, it needs to be updated to the latest version which you can find here: Java SE Runtime Environment 8 - Downloads. Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

For now, uninstall the following Java entries. If you want to install the latest version, do that at the end of this cleaning process.

Java 8 Update 221
Java 8 Update 241


4. Web Companion

Let me know if you intentionally installed Web Companion (Lavasoft). It is supposed to be a legitimate program, but it also may have been bundled with a third party software, and has to be uninstalled.

Web Companion


5. Other programs you may want to uninstall

Chrome Remote Desktop Host
TeamViewer
Driver Easy

In your next reply:

Let me know which programs you uninstalled. Then, I'll need fresh FRST logs, Addition and FRST.
 
#6 ·
Thank you very much for your very extensive reply. I am really grateful for that!

I am currently on my way to a meeting which will last a few hours. I will make sure to uninstall all these apps and send you the logs as soon as my meeting is over. I hope it is no problem.

Thank you again!!
 
#9 ·
Hello,
Thanks for your reply again!
First of all about Anaconda, I have a license given by the university I study/work at, so it should be legitimate.

About the rest of the apps:
1- P2P apps : I have uninstalled both of them
2- Security programs: I have uninstalled both of them
3- Java: I have uninstalled both entries
4- Web companion : I do not recognize it, therefore I also deleted it.
5- Other apps: I deleted the three apps.

So in general I managed to delete all the apps you mentioned! Thanks for that!!
I also attached the new logs to my message.

Have a good evening!
 

Attachments

#10 ·
Hi!

It took me a lot of time to review your logs! Many things need to be taken care of. Therefore, you have a lot of work to do. I hope you are ready. :)

1. Remove Chrome extensions
  • Open Chrome.
  • At the top right choose More (the three vertical dots) > More Tools > Extensions
  • Find the Chrome Remote Desktop, and remove it, clicking on Remove.
  • Confirm the action by clicking Remove once again.
  • Repeat the procedure for the following two extensions:
    • Bureau à distance Google Chrome
    • Avast Online Security & Privacy

2. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-2059324634-4167950844-340847315-1001_Classes\CLSID\{930e604a-cc01-4d06-8d7a-5a07914f3afb}\localserver32 -> "C:\Program Files\TechSmith\Camtasia 2019\CamtasiaStudio.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-2059324634-4167950844-340847315-1001_Classes\CLSID\{CB965DF1-B8EA-49C7-BDAD-5457FDC1BF92}\InprocServer32 -> C:\Users\Asus\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.20244.4\x64\Microsoft.Teams.AddinLoader.dll => No File
ContextMenuHandlers2: [ContextMenu] -> {ee10d625-cc60-30a4-b3df-4b349785be6b} => C:\Program Files (x86)\Avira\Security\Antivirus.ContextMenu\Antivirus.ContextMenu.DLL -> No File
ContextMenuHandlers3: [ContextMenu] -> {ee10d625-cc60-30a4-b3df-4b349785be6b} => C:\Program Files (x86)\Avira\Security\Antivirus.ContextMenu\Antivirus.ContextMenu.DLL -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ShortcutWithArgument: C:\Users\Asus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Applications Chrome\Bureau à distance Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory=Default --app-id=gbchcmhmhahfdphkhkmpfmihenigjmpp
ShortcutWithArgument: C:\Users\Asus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Applications Chrome\Chrome Remote Desktop.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe (Google LLC) ->  --profile-directory=Default --app-id=efmjfjelnicpmdcmfikempdhlmainjcb
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer1.log:F107EE40EF [6018]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer1.log_backup1:2DD1EC5C91 [6018]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer2.log:CCB2353F35 [6018]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer3.log:8A1F56CED6 [6018]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer3.log_backup1:A473474DD2 [6018]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer4.log:3B2EC2BDEF [6018]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer4.log_backup1:DC5D04D24A [6018]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer5.log:84BD5AAA09 [6018]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer5.log_backup1:038079845B [6018]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer6.log:4C1811BCCA [6018]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer6.log_backup1:AC11A713EE [6018]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer7.log:2C973AF0F1 [6018]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini:B1DA6C571C [6018]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access.lnk:A1B76439FE [6018]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Illustrator 2020.lnk:708E5666EE [6018]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk:09A0A90EF3 [6018]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast Premium Sécurité.lnk:1AE8BDDDB4 [6018]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AZ Launcher - Minecraft.lnk:EE97536411 [6018]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Debut Video Capture Software.lnk:CDB1906A95 [6018]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini:41964AA945 [6018]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk:B96E9B8455 [5162]
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [5374]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""="Service"
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\S-1-5-21-2059324634-4167950844-340847315-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
IE trusted site: HKU\S-1-5-21-2059324634-4167950844-340847315-1001\...\webcompanion.com -> hxxp://webcompanion.com
MSCONFIG\Services: RasAuto => 3
MSCONFIG\Services: RasMan => 2
MSCONFIG\Services: RpcLocator => 3
MSCONFIG\Services: WCAssistantService => 2
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKU\S-1-5-21-2059324634-4167950844-340847315-1001\...\StartupApproved\Run: => "Web Companion"
HKU\S-1-5-21-2059324634-4167950844-340847315-1001\...\StartupApproved\Run: => "launchOnStartup"
HKU\S-1-5-21-2059324634-4167950844-340847315-1001\...\StartupApproved\Run: => "uTorrent"
HKU\S-1-5-21-2059324634-4167950844-340847315-1001\...\StartupApproved\Run: => "Chromium"
FirewallRules: [{E04F75CD-192D-464D-A100-CB36FA43C2F9}] => (Allow) D:\FIFA 22\FIFA 22\FIFASetup\fifaconfig.exe => No File
FirewallRules: [{B9F1A273-1EAD-4E39-858C-13DE37FDEE92}] => (Allow) D:\FIFA 22\FIFA 22\FIFASetup\fifaconfig.exe => No File
FirewallRules: [{09DDDCFD-8F1B-47E1-92DA-7A40EE499F30}] => (Allow) D:\Steam\steamapps\common\Dying Light\DevTools\DyingLightPlayer.exe => No File
FirewallRules: [{5C115601-10B5-42E3-B933-5ECC0B2F121E}] => (Allow) D:\Steam\steamapps\common\Dying Light\DevTools\DyingLightPlayer.exe => No File
FirewallRules: [{5659D420-D515-4F13-B4D2-7BFEC8B57F96}] => (Allow) D:\Steam\steamapps\common\Agrou\Agrou.exe => No File
FirewallRules: [{BC970964-655E-413D-A9DA-58EFDB1489DE}] => (Allow) D:\Steam\steamapps\common\Agrou\Agrou.exe => No File
FirewallRules: [UDP Query User{9D7877F1-0799-41BB-B7B6-A303A5F81D38}C:\users\asus\appdata\local\temp\rar$exa4672.5461\powerremotewin.exe] => (Allow) C:\users\asus\appdata\local\temp\rar$exa4672.5461\powerremotewin.exe => No File
FirewallRules: [TCP Query User{B43842EE-3B2D-447A-92A4-719D7343AD0B}C:\users\asus\appdata\local\temp\rar$exa4672.5461\powerremotewin.exe] => (Allow) C:\users\asus\appdata\local\temp\rar$exa4672.5461\powerremotewin.exe => No File
FirewallRules: [UDP Query User{108F3123-3BDA-444C-BC07-21AB08F8DDBA}C:\users\asus\appdata\roaming\utorrent\utorrent.exe] => (Block) C:\users\asus\appdata\roaming\utorrent\utorrent.exe => No File
FirewallRules: [TCP Query User{E36D81FF-4890-4F90-9B23-510849F32A97}C:\users\asus\appdata\roaming\utorrent\utorrent.exe] => (Block) C:\users\asus\appdata\roaming\utorrent\utorrent.exe => No File
FirewallRules: [{F7D375F1-7715-47AF-8094-5538F479D482}] => (Allow) D:\Steam\steamapps\common\Battlerite\Battlerite.exe => No File
FirewallRules: [{02B66C98-E7DC-4EF3-BB37-721368B9F8A8}] => (Allow) D:\Steam\steamapps\common\Battlerite\Battlerite.exe => No File
FirewallRules: [{6C818350-271E-49B6-9410-36A2452A83DA}] => (Allow) C:\Program Files\BlueStacks\HD-Player.exe => No File
FirewallRules: [TCP Query User{DA78E5AB-B6E4-469B-A420-E169FE57C47E}C:\program files\moonlight game streaming\moonlight.exe] => (Allow) C:\program files\moonlight game streaming\moonlight.exe => No File
HKLM\...\Run: [CL-26-2A8E7B0F-EB9B-4C36-A640-209E9E8C6124] => "C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-2A8E7B0F-EB9B-4C36-A640-209E9E8C6124\setuplauncher.exe" /run:Installer.exe /args:"/setup-folder:"CL-26-2A8E7B0F-EB9B-4C36-A640-209E9E8 (the data entry has 7 more characters). (No File)
HKU\S-1-5-21-2059324634-4167950844-340847315-1001\...\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize (No File)
HKU\S-1-5-21-2059324634-4167950844-340847315-1001\...\Run: [uTorrent] => "C:\Users\Asus\AppData\Roaming\uTorrent\uTorrent.exe"  /MINIMIZED (No File)
HKU\S-1-5-21-2059324634-4167950844-340847315-1001\...\Run: [EADM] => "D:\Origin\Origin.exe" -AutoStart (No File)
HKU\S-1-5-21-2059324634-4167950844-340847315-1001\...\Run: [GoogleChromeAutoLaunch_4520928B98C8B06AFF3B70DD266600ED] => "C:\Users\Asus\AppData\Local\chromium\Application\chrome.exe" --no-startup-window /prefetch:5 [859648 2017-02-26] (The Chromium Authors) [File not signed]
HKLM\Software\...\Authentication\Credential Providers: [{C885AA15-1764-4293-B82A-0586ADD46B35}] ->
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {171C513D-9342-4A06-A9D9-68A5505D81D2} - System32\Tasks\Microsoft\Windows\Conexant\SA2 => C:\Program Files\WindowsApps\22094SynapticsIncorporate.SmartAudio2_1.1.50.0_x86__qt57b6kdvhcfw\SAII\SACpl.exe /c /delay:45 (No File)
Task: {1C975318-D296-49E3-9758-B96122B5F74E} - System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(1): schtasks.exe -> /Change /TN "\Adobe Acrobat Update Task" /ENABLE
Task: {1C975318-D296-49E3-9758-B96122B5F74E} - System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(2): schtasks.exe -> /Change /TN "\AdobeGCInvoker-1.0" /ENABLE
Task: {1C975318-D296-49E3-9758-B96122B5F74E} - System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(3): schtasks.exe -> /Change /TN "\ASUS Update Checker 2.0" /ENABLE
Task: {1C975318-D296-49E3-9758-B96122B5F74E} - System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(4): schtasks.exe -> /Change /TN "\AsusSystemAnalysis_754F3273-0563-4F20-B12F-826510B07474" /ENABLE
Task: {1C975318-D296-49E3-9758-B96122B5F74E} - System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(5): schtasks.exe -> /Change /TN "\GoogleUpdateTaskMachineCore" /ENABLE
Task: {1C975318-D296-49E3-9758-B96122B5F74E} - System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(6): schtasks.exe -> /Change /TN "\GoogleUpdateTaskMachineUA" /ENABLE
Task: {1C975318-D296-49E3-9758-B96122B5F74E} - System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(7): schtasks.exe -> /Change /TN "\MicrosoftEdgeUpdateTaskMachineCore1d763759bd4a0e5" /ENABLE
Task: {1C975318-D296-49E3-9758-B96122B5F74E} - System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(8): schtasks.exe -> /Change /TN "\MicrosoftEdgeUpdateTaskMachineUA" /ENABLE
Task: {1C975318-D296-49E3-9758-B96122B5F74E} - System32\Tasks\AVAST Software\Gaming mode Task Scheduler recovery => Command(9): schtasks.exe -> /Change /TN "\AVAST Software\Gaming mode Task Scheduler recovery" /DISABLE
Task: {21EA0ECE-285D-4AB0-92B0-725665372424} - System32\Tasks\Bitdefender Agent WatchDog_65D6944A0EF74FDAB96E31112AD39864 => C:\Program Files\Bitdefender Agent\26.0.1.241\WatchDog.exe [1056808 2023-02-27] (Bitdefender SRL -> Bitdefender)
Task: {4CE7C1C5-7972-47F2-B0F1-EC832970E6C6} - System32\Tasks\AviraSystemSpeedupRemoval => %comspec% [Argument = /C rmdir "C:\Program Files (x86)\Avira\System Speedup" /S /Q & schtasks /Delete /F /TN AviraSystemSpeedupRemoval]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
FF Homepage: Mozilla\Firefox\Profiles\o94b2f10.default-release -> hxxps://segoonow.com/homepage?hp=1&bitmask=9996&pId=BT171101&iDate=2019-09-11 03:33:50&bName=
FF NewTab: Mozilla\Firefox\Profiles\o94b2f10.default-release -> hxxps://segoonow.com/homepage?hp=1&bitmask=9996&pId=BT171101&iDate=2019-09-11 03:33:50&bName=
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho]
CHR HKLM\...\Chrome\Extension: [hppemobdikemkbmccnjbilolonmpaljl]
CHR HKU\S-1-5-21-2059324634-4167950844-340847315-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hppemobdikemkbmccnjbilolonmpaljl]
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho]
CHR HKLM-x32\...\Chrome\Extension: [hppemobdikemkbmccnjbilolonmpaljl]
R2 ProductAgentService; C:\Program Files\Bitdefender Agent\ProductAgentService.exe [794152 2023-02-28] (Bitdefender SRL -> Bitdefender)
S2 McAfee WebAdvisor; "C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe" [X]
S4 phantomtap; \SystemRoot\System32\drivers\phantomtap.sys [X]
2023-03-15 02:31 - 2023-03-15 02:31 - 000003452 _____ C:\WINDOWS\system32\Tasks\AviraSystemSpeedupRemoval
2023-03-15 02:31 - 2023-03-15 02:31 - 000000000 ____D C:\WINDOWS\system32\Tasks\Avira
2023-03-15 02:32 - 2022-01-05 22:26 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2023-03-15 02:32 - 2022-01-05 22:26 - 000000000 ____D C:\ProgramData\Avira
2023-03-15 02:32 - 2022-01-05 22:26 - 000000000 ____D C:\Program Files (x86)\Avira
2023-03-15 02:25 - 2019-09-11 16:33 - 000000000 ____D C:\Users\Asus\AppData\Roaming\uTorrent
2022-12-30 00:06 - 2022-12-30 00:06 - 000004622 _____ () C:\Users\Asus\AppData\Local\92775093213
2023-01-28 22:12 - 2023-01-28 22:12 - 000004622 _____ () C:\Users\Asus\AppData\Local\9943258716
2023-03-15 02:37 - 2020-04-28 21:08 - 000000000 ____D C:\Users\Asus\AppData\Roaming\Easeware
2023-03-15 02:37 - 2020-04-28 21:08 - 000000000 ____D C:\Program Files\Easeware
C:\Program Files\Common Files\Bitdefender
C:\Users\Asus\AppData\Local\chromium
C:\Program Files\Bitdefender Agent
C:\Program Files (x86)\Avira
C:\Program Files\McAfee
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.

3. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

4. Run Malwarebytes (scan only)
  • Download Malwarebytes and save it to your Desktop.
  • Once downloaded, close all programs and windows on your computer.
  • Double-click on the icon on your desktop named MBSetup.exe. This will start the installation of MBAM onto your computer.
  • Follow the instructions to install the program.
  • When finished, double click the program's icon created on your Desktop.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the two last steps below.

If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.


In your next reply, please post:
  1. If uninstalling the extensions ran smoothly
  2. The fixlog.txt
  3. The AdwCleaner[S0*].txt
  4. The Malwarebytes report
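A read-only PowerShell audit, added here as an example and not taken from the thread, from FRST or from the helper: it lists the non-default data streams on a few of the paths that the fixlist above marks for removal, and it checks whether any running process named like the Windows Defender engine (the process from post #1) actually runs from Defender's own folders with a valid Microsoft signature. The engine's file name, MsMpEng.exe, and the two expected folders are Windows facts that the thread itself does not state.

```powershell
# Added example, not from the thread, from FRST or from the helper. Read-only:
# it lists, it does not delete. Run in an elevated Windows PowerShell 5.1 prompt
# (the -Encoding Byte switch below is 5.1 syntax; PowerShell 7 uses -AsByteStream).

# --- 1. Alternate data streams on paths taken from the fixlist above --------
# FRST reports these as "AlternateDataStreams: <file>:<stream> [<bytes>]".
# Three of the listed paths are used here to keep the sample short.
$adsTargets = @(
    'C:\ProgramData\DisplaySessionContainer1.log',
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk',
    'C:\Users\Public\Shared Files'
)

function Get-NonDefaultStream {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "missing: $p"; continue }
        $isDir = (Get-Item -LiteralPath $p).PSIsContainer
        # ':$DATA' is the ordinary file content; anything else is an ADS.
        Get-Item -LiteralPath $p -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $head = ''
                if (-not $isDir) {
                    # First 8 bytes as hex: a Zone.Identifier or log text looks
                    # very different from a PE header (4d 5a ...). Reading them
                    # executes nothing and changes nothing.
                    $bytes = Get-Content -LiteralPath $p -Stream $_.Stream -Encoding Byte `
                                         -TotalCount 8 -ErrorAction SilentlyContinue
                    $head = ($bytes | ForEach-Object { '{0:x2}' -f $_ }) -join ' '
                }
                [pscustomobject]@{ File = $p; Stream = $_.Stream; Bytes = $_.Length; Head = $head }
            }
    }
}

# --- 2. Is the "Defender-named" process really Defender? --------------------
# Assumption (Windows fact, not stated in the thread): the genuine engine is
# MsMpEng.exe, Microsoft-signed, running from one of the two folders below.
$defenderFolders = @(
    'C:\ProgramData\Microsoft\Windows Defender\Platform\*',
    'C:\Program Files\Windows Defender\*'
)

function Test-DefenderLookalike {
    param([string]$ProcessName = 'MsMpEng')
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        # The real engine is a protected process; .Path can throw or be empty,
        # so fall back to WMI, which usually still reports the image path.
        $path = try { $proc.Path } catch { $null }
        if (-not $path) {
            $path = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)").ExecutablePath
        }
        $inExpected = $false
        foreach ($f in $defenderFolders) { if ($path -and ($path -like $f)) { $inExpected = $true } }
        $sig = if ($path -and (Test-Path -LiteralPath $path)) {
                   (Get-AuthenticodeSignature -FilePath $path).Status   # 'Valid' for the real one
               } else { 'unknown' }
        [pscustomobject]@{
            Pid              = $proc.Id
            Path             = $path
            InExpectedFolder = $inExpected
            Signature        = $sig
            WorkingSetMB     = [math]::Round($proc.WorkingSet64 / 1MB)
        }
    }
}

Get-NonDefaultStream -Path $adsTargets | Format-Table -AutoSize
Test-DefenderLookalike | Format-Table -AutoSize
```

A row with InExpectedFolder false or a Signature other than Valid is the thing to show the helper before running the fix; a large WorkingSetMB alone is normal for the real engine during a scan.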
 
#13 ·
Hi again!
I tried to be as careful as possible :D
1-Chrome extensions: I deleted the three extensions.

2- Frst fix: I put the log file in the attachments.

3- ADWCleaner (scan only): You can find the results of the scan here.
Code:
# -------------------------------
# Malwarebytes AdwCleaner 8.4.0.0
# -------------------------------
# Build:    08-30-2022
# Database: 2022-10-10.1 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    03-15-2023
# Duration: 00:00:13
# OS:       Windows 11 (Build 22000.1574)
# Scanned:  32083
# Detected: 27


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Adware.Heuristic            C:\ProgramData\AD9021AC
Trojan.SmartClock               C:\Users\Asus\AppData\Roaming\Smart Clock

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.InstallCore        HKCU\Software\csastats
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00004}
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00005}
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00006}
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00007}
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00008}
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00009}
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000A}
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000B}
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000C}
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000D}
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000E}
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000F}
PUP.Optional.Legacy             HKLM\System\Setup\FirstBoot\Services\WCAssistantService
PUP.Optional.WebCompanion       HKCU\SOFTWARE\Mozilla\NativeMessagingHosts\com.webcompanion.native
PUP.Optional.WebCompanion       HKCU\Software\Lavasoft\Web Companion
PUP.Optional.WebCompanion       HKLM\Software\Wow6432Node\Lavasoft\Web Companion
PUP.Optional.WebCompanion       HKU\.DEFAULT\Software\Mozilla\NativeMessagingHosts\com.webcompanion.native
PUP.Optional.WebCompanion       HKU\S-1-5-18\SOFTWARE\Mozilla\NativeMessagingHosts\com.webcompanion.native

***** [ Chromium (and derivatives) ] *****

PUP.Optional.AmazonBrowserBar   Assistant Amazon pour Chrome - pbjikboenpfhbbejgkoklgkhjpfogcam
PUP.Optional.VeePN              Free VPN for Chrome - VPN Proxy VeePN - majdfhpaihoncoakbjgbdhglocklcgno

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

Preinstalled.ASUSGiftBox   Folder   C:\Program Files (x86)\ASUS\ASUS GIFTBOX SERVICE
Preinstalled.ASUSGiftBox   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{4701E5AB-AF91-4D40-8F18-358CC80E4E5B}
Preinstalled.ASUSHello   Folder   C:\Program Files (x86)\ASUS\ASUS HELLO
Preinstalled.ASUSHello   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{D8CE1923-92A9-4036-817E-9E0D8AA2169B}



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
4- Malwarebytes: Threats were not found. Here are the results.
Code:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/15/23
Scan Time: 6:33 PM
Log File: 771d442c-c357-11ed-907a-24ee9a9d27c1.json

-Software Information-
Version: 4.5.24.248
Components Version: 1.0.1944
Update Package Version: 1.0.66736
License: Trial

-System Information-
OS: Windows 11 (Build 22000.1574)
CPU: x64
File System: NTFS
User: LAPTOP-I8PPCJJ3\Asus

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 355287
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 4 min, 57 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
 

Attachments

#15 ·
Good!

Let's clean what AdwCleaner found.

1. AdwCleaner (Clean mode)

The findings in the Folders, Registry and Chromium parts of the log are adware and PUPs, which stands for Potentially Unwanted Programs. In the instructions below, I will list them all to be removed.

The section at the bottom under Preinstalled Software is software that was apparently installed when the device was new, which you may or may not use (ASUSGiftBox and ASUSHello). Personally, I do not keep anything I don't use/need. But it's your computer, so your decision.

To proceed, please do the following:
  • Double click AdwCleaner.exe on your Desktop, to run it as you did before.
  • Click Scan Now.
  • When the scan has finished a Scan Results window will open.
  • Please check all the boxes and then click Quarantine.
  • Click Next.
    • If any pre-installed software was found on your machine, a prompt window will open. Click OK to close it.
    • Check any pre-installed software items you want to remove.
    • Click Quarantine.
  • A prompt to save your work will appear.
    • Click Continue when you're ready to proceed.
  • A prompt to restart your computer will appear.
    • Click Restart Now.
  • Once your computer has restarted:
    • If it doesn't open automatically, please start AdwCleaner.
    • Click the Log Files tab.
    • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
    • A Notepad file will open containing the results of the removal.
    • Please post the contents of the file in your next reply.

2. Fresh FRST logs

I'll need to review fresh FRST logs at this point: Addition and FRST.


In your next reply, please post:
  1. The AdwCleaner[C0*].txt
  2. The fresh FRST logs, Addition and FRST
 
#16 ·
I just followed your instructions.

1- ADW Cleaner (clean mode): I followed your instructions and got everything, but it did not ask to restart my laptop. I did not have any prompt asking that. I still got the log and the cleaning ran to completion.

Code:
# -------------------------------
# Malwarebytes AdwCleaner 8.4.0.0
# -------------------------------
# Build:    08-30-2022
# Database: 2022-10-10.1 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    03-15-2023
# Duration: 00:00:04
# OS:       Windows 11 (Build 22000.1574)
# Cleaned:  27
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted       C:\ProgramData\AD9021AC
Deleted       C:\Users\Asus\AppData\Roaming\Smart Clock

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted       HKCU\SOFTWARE\Mozilla\NativeMessagingHosts\com.webcompanion.native
Deleted       HKCU\Software\Lavasoft\Web Companion
Deleted       HKCU\Software\csastats
Deleted       HKLM\Software\Wow6432Node\Lavasoft\Web Companion
Deleted       HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00004}
Deleted       HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00005}
Deleted       HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00006}
Deleted       HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00007}
Deleted       HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00008}
Deleted       HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00009}
Deleted       HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000A}
Deleted       HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000B}
Deleted       HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000C}
Deleted       HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000D}
Deleted       HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000E}
Deleted       HKLM\Software\Wow6432Node\\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000F}
Deleted       HKLM\System\Setup\FirstBoot\Services\WCAssistantService
Deleted       HKU\.DEFAULT\Software\Mozilla\NativeMessagingHosts\com.webcompanion.native
Deleted       HKU\S-1-5-18\SOFTWARE\Mozilla\NativeMessagingHosts\com.webcompanion.native

***** [ Chromium (and derivatives) ] *****

Deleted       Assistant Amazon pour Chrome - pbjikboenpfhbbejgkoklgkhjpfogcam
Deleted       Free VPN for Chrome - VPN Proxy VeePN - majdfhpaihoncoakbjgbdhglocklcgno

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

Deleted       Preinstalled.ASUSGiftBox   Folder   C:\Program Files (x86)\ASUS\ASUS GIFTBOX SERVICE
Deleted       Preinstalled.ASUSGiftBox   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{4701E5AB-AF91-4D40-8F18-358CC80E4E5B}
Deleted       Preinstalled.ASUSHello   Folder   C:\Program Files (x86)\ASUS\ASUS HELLO
Deleted       Preinstalled.ASUSHello   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{D8CE1923-92A9-4036-817E-9E0D8AA2169B}


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [4045 octets] - [15/03/2023 18:28:27]
AdwCleaner[S01].txt - [4106 octets] - [15/03/2023 19:04:21]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C01].txt ##########
2- FRST logs: I am running these scans but the files don't get replaced. I still open them and see an old time. Is that normal?

Thanks!!!
 
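An added helper, not part of the thread and not AdwCleaner's own code, that parses the AdwCleaner[C0*].txt layout posted above: it tallies Deleted entries per section, checks the "# Cleaned:" header against the number of Deleted lines (27 in the log above), and lists every removed trace of one program such as Web Companion across sections. The embedded log excerpt is constructed from a few of the entries above, not the full log.

```python
import re

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
COUNT_RE = re.compile(r"^# (Cleaned|Failed):\s+(\d+)$")

# Constructed excerpt in the AdwCleaner[C0*].txt layout (a few of the
# thread's own entries, with the header trimmed; not the full log).
SAMPLE_LOG = r"""# Mode: Clean
# Cleaned:  5
# Failed:   0
***** [ Services ] *****
No malicious services cleaned.
***** [ Folders ] *****
Deleted       C:\Users\Asus\AppData\Roaming\Smart Clock
***** [ Registry ] *****
Deleted       HKCU\Software\Lavasoft\Web Companion
Deleted       HKLM\Software\Wow6432Node\Lavasoft\Web Companion
Deleted       HKLM\System\Setup\FirstBoot\Services\WCAssistantService
***** [ Chromium (and derivatives) ] *****
Deleted       Free VPN for Chrome - VPN Proxy VeePN - majdfhpaihoncoakbjgbdhglocklcgno
[+] Reset Winsock
AdwCleaner[S00].txt - [4045 octets] - [15/03/2023 18:28:27]
"""

def parse_adwcleaner_log(text):
    """Return (header counts, {section: [(action, target), ...]})."""
    counts, sections, current = {}, {}, None
    for line in map(str.rstrip, text.splitlines()):
        if m := COUNT_RE.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            current = m.group(1)
            sections[current] = []
        elif current and line and not line.startswith(("No malicious", "#", "*", "[")):
            # Item lines are "<action><2+ spaces><target>"; the footer uses single spaces
            parts = re.split(r"\s{2,}", line, maxsplit=1)
            if len(parts) == 2:
                sections[current].append((parts[0], parts[1]))
    return counts, sections

def deleted_per_section(sections):
    """Number of 'Deleted' entries in each section that removed anything."""
    return {s: sum(a == "Deleted" for a, _ in items) for s, items in sections.items() if items}

def log_is_consistent(counts, sections):
    """The '# Cleaned:' header should equal the number of Deleted lines."""
    return counts.get("Cleaned") == sum(deleted_per_section(sections).values())

def find_targets(sections, needle):
    """Every removed target mentioning `needle`: shows where one PUP had persisted."""
    return [(s, t) for s, items in sections.items() for _, t in items if needle.lower() in t.lower()]
```

Pasting the full log from the post above into SAMPLE_LOG should give per-section counts of 2, 19, 2 and 4 and a consistent result against "# Cleaned:  27".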
#22 ·
I will do that right now!

I would also like to add that something new started happening right after I restarted my PC to re-scan the logs (10 minutes ago): all the icons on my taskbar are now gone, and I can't create any folder on my desktop again because I am not admin for some reason (see screenshot). I hope I did not do anything wrong or missed something when following your instructions; I was as careful as I could be. Thank you!!