Windows acting very strange

  • Gourde
    PCHF Member
    • Dec 2022
    • 23

    #31
    Originally posted by Malnutrition
    The fixlist is here, click to download.

    Or copy the content of the code box below. Do not copy the word code.
    Right Click FRST and run as Administrator.
    Click Fix once (!) and wait. The program will create a log file (Fixlog.txt). Attach it to your next message.
    Code:
    Start::
    CloseProcesses:
    SystemRestore: On
    CreateRestorePoint:
    RemoveProxy:
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [707256 2021-12-15] (Oracle America, Inc. -> Oracle Corporation)
    HKLM\...\Policies\Explorer: [HideSCAMeetNow] 1
    HKU\S-1-5-21-2286714474-3743661787-3778775637-1002\...\Run: [{5E9C47D5-C2A3-4B5B-9646-23F9F5362F1A}] => "C:\Users\Glitc\Downloads\MTGAInstaller.exe" /cmdloc "HKCU\Software\Wizards of the Coast AiTemp\{5E9C47D5-C2A3-4B5B-9646-23F9F5362F1A}" (No File) <==== ATTENTION
    GroupPolicy: Restriction ? <==== ATTENTION
    Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
    HKU\S-1-5-21-2286714474-3743661787-3778775637-1002\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
    C:\Users\Glitc\Downloads\MTGAInstaller.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components: [{A8504530-742B-42BC-895D-2BAD6406F698}] -> "C:\Program Files (x86)\AVAST Software\Browser\Application\108.0.19667.125\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
    C:\Program Files\Avast Software
    (services.exe ->) (Avast Software s.r.o. -> AVAST Software) C:\Program Files\Avast Software\Cleanup\TuneupSvc.exe
    (services.exe ->) (Avast Software s.r.o. -> AVAST Software) C:\Program Files\Avast Software\Driver Updater\DriverUpdSvc.exe
    (services.exe ->) (Avast Software s.r.o. -> AVAST Software) C:\Program Files\Avast Software\SecureLine VPN\VpnSvc.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components: [{A8504530-742B-42BC-895D-2BAD6406F698}] -> "C:\Program Files (x86)\AVAST Software\Browser\Application\108.0.19667.125\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
    Task: {476AD4BB-9CC7-4D7F-A287-9D7DE4A51DED} - System32\Tasks\Avast Secure Browser Heartbeat Task (Logon) => C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe --type=heartbeat --logon (No File)
    Task: {5B429217-B850-49BC-83B4-9E88B8688851} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe [2250576 2022-06-17] (Avast Software s.r.o. -> Avast Software)
    Task: {85FDB129-7AEE-49F1-B958-ACA13FD9F102} - System32\Tasks\Avast Secure Browser Heartbeat Task (Hourly) => C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe --type=heartbeat --hourly (No File)
    Task: {868CEF18-291C-453A-BBD0-A9DF001C73D7} - System32\Tasks\Avast Software\Avast Driver Updater Update => C:\Program Files\Common Files\Avast Software\Icarus\avast-du\icarus.exe [6803168 2022-08-30] (Avast Software s.r.o. -> Avast Software)
    Task: {91D80FA8-4A33-4AE4-ADF7-B6277F2B9B7A} - System32\Tasks\Avast Software\Avast SecureLine VPN Update => C:\Program Files\Common Files\Avast Software\Icarus\avast-vpn\icarus.exe [6694224 2022-11-22] (Avast Software s.r.o. -> Avast Software)
    Task: {9FBAAD52-9ED5-4045-95DE-2BDA895FF0A7} - System32\Tasks\AvastUpdateTaskMachineUA => C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe [191120 2022-12-13] (Avast Software s.r.o. -> AVAST Software)
    Task: {A8CD4948-8D49-4913-8630-A3AB4291F451} - System32\Tasks\Avast Emergency Update => C:\Program Files\Avast Software\Avast\AvEmUpdate.exe (No File)
    Task: {D1B80101-C672-4B44-B722-2B9C23D68F0D} - System32\Tasks\Avast Software\Avast Cleanup Update => C:\Program Files\Common Files\Avast Software\Icarus\avast-tu\icarus.exe [6803168 2022-09-06] (Avast Software s.r.o. -> Avast Software)
    Task: {D51AD049-63CC-4682-A533-44A317A755FE} - System32\Tasks\AvastUpdateTaskMachineCore => C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe [191120 2022-12-13] (Avast Software s.r.o. -> AVAST Software)
    Task: {F343082E-4F4C-455C-A728-349D7C259A27} - System32\Tasks\Avast SecureLine VPN Update => C:\Program Files\Avast Software\SecureLine VPN\VpnUpdate.exe [1209424 2022-12-02] (Avast Software s.r.o. -> AVAST Software)
    FF Plugin-x32: @update.avastbrowser.com/Avast Browser;version=3 -> C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\npAvastBrowserUpdate3.dll [2022-12-13] (Avast Software s.r.o. -> AVAST Software)
    FF Plugin-x32: @update.avastbrowser.com/Avast Browser;version=9 -> C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\npAvastBrowserUpdate3.dll [2022-12-13] (Avast Software s.r.o. -> AVAST Software)
    S2 avast; C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe [191120 2022-12-13] (Avast Software s.r.o. -> AVAST Software)
    S3 avastm; C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe [191120 2022-12-13] (Avast Software s.r.o. -> AVAST Software)
    R2 CleanupPSvc; C:\Program Files\Avast Software\Cleanup\TuneupSvc.exe [15464160 2022-09-15] (Avast Software s.r.o. -> AVAST Software)
    R2 DriverUpdSvc; C:\Program Files\Avast Software\Driver Updater\DriverUpdSvc.exe [7692000 2022-09-15] (Avast Software s.r.o. -> AVAST Software)
    R2 SecureLine; C:\Program Files\Avast Software\SecureLine VPN\VpnSvc.exe [9461328 2022-12-02] (Avast Software s.r.o. -> AVAST Software)
    S3 aswbIDSAgent; "C:\Program Files\Avast Software\Avast\aswidsagent.exe" [X]
    S2 avast! Antivirus; "C:\Program Files\Avast Software\Avast\AvastSvc.exe" /runassvc [X]
    S2 avast! Firewall; "C:\Program Files\Avast Software\Avast\afwServ.exe" [X]
    S2 avast! Tools; "C:\Program Files\Avast Software\Avast\aswToolsSvc.exe" /runassvc [X]
    S3 AvastSecureBrowserElevationService; "C:\Program Files (x86)\AVAST Software\Browser\Application\108.0.19667.125\elevation_service.exe" [X]
    S2 AvastWscReporter; "C:\Program Files\Avast Software\Avast\wsc_proxy.exe" /runassvc /rpcserver [X]
    S0 aswArDisk; C:\Windows\System32\drivers\aswArDisk.sys [31424 2022-12-13] (Microsoft Windows Hardware Compatibility Publisher -> AVAST Software)
    R1 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [229208 2022-12-13] (Microsoft Windows Hardware Compatibility Publisher -> AVAST Software)
    R1 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdriver.sys [391272 2022-12-13] (Microsoft Windows Hardware Compatibility Publisher -> AVAST Software)
    R0 aswbidsh; C:\Windows\System32\drivers\aswbidsh.sys [297832 2022-12-13] (Microsoft Windows Hardware Compatibility Publisher -> AVAST Software)
    R0 aswbuniv; C:\Windows\System32\drivers\aswbuniv.sys [95960 2022-12-13] (Microsoft Windows Hardware Compatibility Publisher -> AVAST Software)
    R0 aswElam; C:\Windows\System32\drivers\aswElam.sys [25576 2022-10-13] (Microsoft Windows Early Launch Anti-malware Publisher -> AVAST Software)
    R1 aswKbd; C:\Windows\System32\drivers\aswKbd.sys [39648 2022-12-13] (Microsoft Windows Hardware Compatibility Publisher -> AVAST Software)
    R1 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [267888 2022-12-13] (Microsoft Windows Hardware Compatibility Publisher -> AVAST Software)
    R1 aswNetHub; C:\Windows\System32\drivers\aswNetHub.sys [555560 2022-12-13] (Microsoft Windows Hardware Compatibility Publisher -> AVAST Software)
    R1 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [105248 2022-12-13] (Microsoft Windows Hardware Compatibility Publisher -> AVAST Software)
    R0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [80376 2022-12-13] (Microsoft Windows Hardware Compatibility Publisher -> AVAST Software)
    R1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [852000 2022-12-13] (Microsoft Windows Hardware Compatibility Publisher -> AVAST Software)
    R1 aswSP; C:\Windows\System32\drivers\aswSP.sys [695496 2022-12-13] (Microsoft Windows Hardware Compatibility Publisher -> AVAST Software)
    R2 aswStm; C:\Windows\System32\drivers\aswStm.sys [212632 2022-12-13] (Microsoft Windows Hardware Compatibility Publisher -> AVAST Software)
    R0 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [318456 2022-12-13] (Microsoft Windows Hardware Compatibility Publisher -> AVAST Software)
    S3 aswVpnRdr; C:\Windows\System32\drivers\aswVpnRdr.sys [65944 2022-06-17] (Avast Software s.r.o. -> Avast Software)
    R3 aswWintun; C:\Windows\System32\drivers\aswWintun.sys [51112 2022-12-02] (Avast Software s.r.o. -> AVAST Software)
    2022-12-13 13:27 - 2022-12-13 13:27 - 000273816 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
    2022-12-02 17:10 - 2022-12-02 17:10 - 000051112 _____ (AVAST Software) C:\Windows\system32\Drivers\aswWintun.sys
    2022-12-29 18:38 - 2022-06-17 08:42 - 000004028 _____ C:\Windows\system32\Tasks\Avast SecureLine VPN Update
    2022-12-29 18:38 - 2022-06-17 08:36 - 000000000 ____D C:\ProgramData\Avast Software
    2022-12-28 21:08 - 2022-06-17 08:37 - 000000000 ____D C:\Program Files\Avast Software
    2022-12-28 20:11 - 2022-06-17 08:40 - 000004264 _____ C:\Windows\system32\Tasks\Avast Emergency Update
    2022-12-23 22:56 - 2022-06-17 08:49 - 000000000 ____D C:\Users\Glitc\AppData\Local\Avast Software
    2022-12-13 13:27 - 2022-06-17 08:40 - 000852000 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
    2022-12-13 13:27 - 2022-06-17 08:40 - 000695496 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
    2022-12-13 13:27 - 2022-06-17 08:40 - 000555560 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNetHub.sys
    2022-12-13 13:27 - 2022-06-17 08:40 - 000391272 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsdriver.sys
    2022-12-13 13:27 - 2022-06-17 08:40 - 000318456 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
    2022-12-13 13:27 - 2022-06-17 08:40 - 000297832 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsh.sys
    2022-12-13 13:27 - 2022-06-17 08:40 - 000267888 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
    2022-12-13 13:27 - 2022-06-17 08:40 - 000229208 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArPot.sys
    2022-12-13 13:27 - 2022-06-17 08:40 - 000105248 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
    2022-12-13 13:27 - 2022-06-17 08:40 - 000095960 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbuniv.sys
    2022-12-13 13:27 - 2022-06-17 08:40 - 000080376 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
    2022-12-13 13:27 - 2022-06-17 08:40 - 000039648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
    2022-12-13 13:27 - 2022-06-17 08:40 - 000031424 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArDisk.sys
    HKU\S-1-5-21-2286714474-3743661787-3778775637-1002\...\Run: [{5E9C47D5-C2A3-4B5B-9646-23F9F5362F1A}] => "C:\Users\Glitc\Downloads\MTGAInstaller.exe" /cmdloc "HKCU\Software\Wizards of the Coast AiTemp\{5E9C47D5-C2A3-4B5B-9646-23F9F5362F1A}" (No File) <==== ATTENTION
    Task: {476AD4BB-9CC7-4D7F-A287-9D7DE4A51DED} - System32\Tasks\Avast Secure Browser Heartbeat Task (Logon) => C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe --type=heartbeat --logon (No File)
    Task: {85FDB129-7AEE-49F1-B958-ACA13FD9F102} - System32\Tasks\Avast Secure Browser Heartbeat Task (Hourly) => C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe --type=heartbeat --hourly (No File)
    Task: {925126B0-2476-41D9-B2F6-655650ED9773} - System32\Tasks\MicrosoftEdgeUpdateTaskMachineUA => C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /ua /installsource scheduler (No File)
    Task: {A5CBCF62-6981-42A5-808C-285A16CA8D17} - System32\Tasks\Driver Easy Scheduled Scan => C:\Program Files\Easeware\DriverEasy\DriverEasy.exe --scan (No File)
    Task: {A8CD4948-8D49-4913-8630-A3AB4291F451} - System32\Tasks\Avast Emergency Update => C:\Program Files\Avast Software\Avast\AvEmUpdate.exe (No File)
    Task: {C461F25A-435C-4E22-AEE6-8E75CBDB9039} - System32\Tasks\MicrosoftEdgeShadowStackRollbackTask => C:\Program Files (x86)\Microsoft\Edge\Application\108.0.1462.54\Installer\setup.exe --handle-crash="$(ProcessPath)" (No File)
    Task: {D03F795E-48E1-4ACA-8626-C5E0C24E44C7} - System32\Tasks\MicrosoftEdgeUpdateTaskMachineCore => C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c (No File)
    C:\Program Files\Easeware
    Task: C:\Windows\Tasks\Driver Easy Scheduled Scan.job => C:\Program Files\Easeware\DriverEasy\DriverEasy.exe
    S3 aswbIDSAgent; "C:\Program Files\Avast Software\Avast\aswidsagent.exe" [X]
    S2 avast! Antivirus; "C:\Program Files\Avast Software\Avast\AvastSvc.exe" /runassvc [X]
    S2 avast! Firewall; "C:\Program Files\Avast Software\Avast\afwServ.exe" [X]
    S2 avast! Tools; "C:\Program Files\Avast Software\Avast\aswToolsSvc.exe" /runassvc [X]
    S3 AvastSecureBrowserElevationService; "C:\Program Files (x86)\AVAST Software\Browser\Application\108.0.19667.125\elevation_service.exe" [X]
    S2 AvastWscReporter; "C:\Program Files\Avast Software\Avast\wsc_proxy.exe" /runassvc /rpcserver [X]
    S2 edgeupdate; "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc [X]
    S3 edgeupdatem; "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc [X]
    S3 MicrosoftEdgeElevationService; "C:\Program Files (x86)\Microsoft\Edge\Application\108.0.1462.54\elevation_service.exe" [X]
    Avast Update Helper (HKLM-x32\...\{19C3AB22-3718-4E4D-B203-242F5001565B}) (Version: 1.8.1579.3 - AVAST Software) Hidden
    ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Avast Software\Avast\ashShell.dll -> No File
    ShellIconOverlayIdentifiers-x32: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Avast Software\Avast\ashShell.dll -> No File
    ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Avast Software\Avast\ashShell.dll -> No File
    ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Avast Software\Avast\ashShell.dll -> No File
    ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} =>  -> No File
    ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Avast Software\Avast\ashShell.dll -> No File
    BHO: IEToEdge BHO -> {1FD49718-1D00-4B19-AF5F-070AF6D5D54C} -> C:\Program Files (x86)\Microsoft\Edge\Application\108.0.1462.54\BHO\ie_to_edge_bho_64.dll => No File
    BHO-x32: IEToEdge BHO -> {1FD49718-1D00-4B19-AF5F-070AF6D5D54C} -> C:\Program Files (x86)\Microsoft\Edge\Application\108.0.1462.54\BHO\ie_to_edge_bho.dll => No File
    FirewallRules: [{EEC2CF29-CF3E-477F-86B6-88D4A4FAA5D1}] => (Allow) C:\Program Files\Avast Software\Avast\AvastUI.exe => No File
    FirewallRules: [{3F0193D7-0A1F-4703-BB1A-62421B112224}] => (Allow) C:\Program Files\Avast Software\Avast\AvastUI.exe => No File
    FirewallRules: [{2F287D58-0C63-443C-BF12-EDFD6D46D5F2}] => (Allow) C:\Program Files\Easeware\DriverEasy\DriverEasy.exe => No File
    FirewallRules: [{F8D99408-90DB-414B-B3D1-66804AE11C11}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.92.3204.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{D8CE1367-6B72-485B-BB4B-3DF646C3D900}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.92.3204.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{5554C8E8-D29E-416F-8A75-10BFD4FB1B6E}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.92.3204.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{341E6CD1-F072-49BE-92E3-4C98463C72FB}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.92.3204.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
    FirewallRules: [{F6B245FD-94EF-4DC2-B99D-E8802A7B78A4}] => (Allow) C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe => No File
    cmd: net stop bits
    Move: C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db.old
    cmd: net start bits
    cmd:  bitsadmin /list /allusers
    CMD: "%WINDIR%\SYSTEM32\lodctr.exe /R"
    CMD: "%WINDIR%\SysWOW64\lodctr.exe /R"
    CMD: "C:\Windows\SYSTEM32\lodctr.exe /R"
    CMD: "C:\Windows\SysWOW64\lodctr.exe /R"
    CMD: del /f /s /q %windir%\prefetch\*.*
    CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
    CMD: del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"
    CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
    CMD: ipconfig /flushdns
    C:\Windows\Temp\*.*
    C:\WINDOWS\system32\*.tmp
    C:\WINDOWS\syswow64\*.tmp
    ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
    emptytemp:
    Reboot:
    End::
    FRST is just a text file. I am confused? I did delete some of the app installers, maybe I accidentally deleted this previously downloaded thing?
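Added here as a worked example (not code from the thread, from the PCHF helpers, or from FRST itself): a small Python triage parser for the FRST line shapes that appear in the fixlist above, flagging the markers a helper scans for (FRST's own ATTENTION marker, launch points left as (No File) or [X] after a broken uninstall, policy restrictions, and autostarts resolving into profile or cache folders). The regexes are my approximation of FRST's format and the flag names are my own vocabulary; the sample lines are copied from the fixlist.

```python
"""Triage helper for the FRST line formats that appear in the fixlist above.

Added example, not code from this thread, its helpers or FRST. The regexes
approximate FRST's output; the flag names are this example's own vocabulary.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Entry shapes, most specific first; "policy" is last since it only needs "<x>: Restriction".
PATTERNS = {
    "run": re.compile(
        r"^(?P<hive>HKLM(?:-x32)?|HKU\\S-[\d-]+)\\\.\.\.\\Run: "
        r"\[(?P<name>[^\]]+)\] => (?P<target>.*)$"),
    "task": re.compile(
        r"^Task: \{(?P<id>[0-9A-F-]+)\} - (?P<name>.+?) => (?P<target>.*)$"),
    "service": re.compile(
        r"^(?P<state>[RS][0-4]) (?P<name>[^;]+); (?P<target>.*)$"),
    "firewall": re.compile(
        r"^FirewallRules: \[\{(?P<name>[0-9A-F-]+)\}\] => "
        r"\((?P<action>Allow|Block)\) (?P<target>.*)$"),
    "file": re.compile(
        r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
        r"(?P<size>\d{9}) (?P<attrs>[_A-Z]{5}) (?P<target>.*)$"),
    "policy": re.compile(r"^(?P<name>.+?): (?P<target>Restriction.*)$"),
}

# Launch points resolving into profile, temp or browser-cache trees deserve a
# second look; the miner in this thread was sitting in an INETCACHE folder.
UNUSUAL_LOCATION = re.compile(
    r"\\Users\\|\\Temp\\|\\AppData\\|\\INETCACHE\\", re.IGNORECASE)
LAUNCH_KINDS = ("run", "task", "service")


@dataclass
class Entry:
    kind: str
    name: str
    target: str
    raw: str
    flags: List[str] = field(default_factory=list)


def flags_for(entry: Entry) -> List[str]:
    """Review flags for one parsed entry."""
    line, flags = entry.raw, []
    if "<==== ATTENTION" in line:
        flags.append("attention")      # FRST's own marker
    if "No File" in line or line.endswith("[X]"):
        flags.append("orphan")         # launch point survives, binary is gone
    if ": Restriction" in line:
        flags.append("restriction")    # policy lock that can hinder AV/updates
    if entry.kind in LAUNCH_KINDS and UNUSUAL_LOCATION.search(entry.target):
        flags.append("unusual-location")
    return flags


def parse_line(line: str) -> Entry:
    """Classify one FRST line; anything unrecognised becomes kind 'other'."""
    for kind, pattern in PATTERNS.items():
        match = pattern.match(line)
        if match:
            groups = match.groupdict()
            entry = Entry(kind, groups.get("name", ""), groups["target"], line)
            break
    else:
        entry = Entry("other", "", line, line)
    entry.flags = flags_for(entry)
    return entry


def triage(text: str) -> List[Entry]:
    """Parse every non-blank line of an FRST log or fixlist."""
    return [parse_line(raw.strip()) for raw in text.splitlines() if raw.strip()]


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count how many entries carry each flag."""
    return dict(Counter(flag for e in entries for flag in e.flags))

# Sample input: lines copied from the fixlist posted in this thread.
SAMPLE = r"""
HKU\S-1-5-21-2286714474-3743661787-3778775637-1002\...\Run: [{5E9C47D5-C2A3-4B5B-9646-23F9F5362F1A}] => "C:\Users\Glitc\Downloads\MTGAInstaller.exe" /cmdloc "HKCU\Software\Wizards of the Coast AiTemp\{5E9C47D5-C2A3-4B5B-9646-23F9F5362F1A}" (No File) <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
Task: {476AD4BB-9CC7-4D7F-A287-9D7DE4A51DED} - System32\Tasks\Avast Secure Browser Heartbeat Task (Logon) => C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe --type=heartbeat --logon (No File)
S2 avast! Antivirus; "C:\Program Files\Avast Software\Avast\AvastSvc.exe" /runassvc [X]
R1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [852000 2022-12-13] (Microsoft Windows Hardware Compatibility Publisher -> AVAST Software)
FirewallRules: [{EEC2CF29-CF3E-477F-86B6-88D4A4FAA5D1}] => (Allow) C:\Program Files\Avast Software\Avast\AvastUI.exe => No File
2022-12-13 13:27 - 2022-06-17 08:40 - 000852000 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
"""

if __name__ == "__main__":
    for e in (x for x in triage(SAMPLE) if x.flags):
        print(f"{e.kind:8} {', '.join(e.flags):34} {e.name or e.target[:50]}")
    print(summarize(triage(SAMPLE)))
```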


    • Malnutrition
      PCHF Moderator
      • Jul 2016
      • 7041

      #32
      FRST is here.

      Click me to download.
      Save this to your Desktop!!

      Copy the content of the code box in my last reply. Do not copy the word code.
      Right Click FRST and run as Administrator.
      Click Fix once (!) and wait. The program will create a log file (Fixlog.txt). Attach it to your next message.


      • Gourde
        PCHF Member
        • Dec 2022
        • 23

        #33
        Okay, thank you so much for explaining it again! I greatly appreciate your patience.
        Here is the log:


        • Malnutrition
          PCHF Moderator
          • Jul 2016
          • 7041

          #34
          After the FRST fix.

          There was a Bitcoin miner on your computer, as well as many active trojans…which would explain the symptoms!!

          RiskWare.BitCoinMiner, C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCACHE\IE\LOLMINER_V1.50_BETA_WIN64[1].ZIP, Quarantined, 869, 1054239, 1.0.64011, , ame, , E61DEAF6173330C0EA9F54E3720BCDFD, 0242B260E9151D6807D75A706136469CE1F9A724348D25CE42BD54111D0CCE65

          Download AV block remover.
          Unzip to your desktop, Right click run as admin and follow the instructions. If it does not start, rename the AVbr.exe file to, for example, AV_br.exe
          Click yes to reset hosts file.
          After the machine reboots then there will be a logfile in the new folder created, post that please.

          How is the computer running now?

          Please Attach brand new FRST and Addition.txt logs so that I can check if anything remains on the computer after the AVBR log is run.


          • Gourde
            PCHF Member
            • Dec 2022
            • 23

            #35
            Oh my gosh, thank you so much for noticing that! I have no idea how it would get on there, I am generally very careful with what I download. It actually makes me angry knowing there’s a darn Bitcoin miner on my computer!
            I do need some help knowing how to extract to my desktop, when I click the option when extracting to extract to the desktop is says access denied.


            • Malnutrition
              PCHF Moderator
              • Jul 2016
              • 7041

              #36


              Drag the file from the downloads folder to the desktop.

              I need to get to sleep for work tomorrow, so please run this scan on your machine. Cure/delete any detections. Make a screen shot of anything detected.

              Save it to your desktop.
              I suggest a full scan with Kaspersky.
              Disable Defender/antivirus prior to scanning…
              Download and run a full scan with the Kaspersky Virus Removal tool.
              Accept the terms.
              Click Change Parameters.
              Select the System drive.
              All volumes.
              Click OK, start Scan.
              Report any detections here.
              Attachment: Capture.PNG (https://pchelpforum.net/attachments/capture-png.9392/)


              • Malnutrition
                PCHF Moderator
                • Jul 2016
                • 7041

                #37
                Good night. I will check this thread tomorrow, when I get off of work. If you can post the AVBR log, and/or run the scan with Kaspersky and post fresh FRST and Addition.txt logs for me to review.

                Have a good rest of your night, until tomorrow.


                • Gourde
                  PCHF Member
                  • Dec 2022
                  • 23

                  #38
                  Sadly the AVBlock remover asks me to check my date, with no further instruction. It closes after I click “Okay”. Hopefully this isn’t the first message you see when you wake up XD
                  Thank you for the help, I too need to go to bed!


                  • Malnutrition
                    PCHF Moderator
                    • Jul 2016
                    • 7041

                    #39
                    Run the tool in safe mode with Networking.

                    Good night.


                    • Gourde
                      PCHF Member
                      • Dec 2022
                      • 23

                      #40
                      I tried that, it still says the same message of setting the date.


                      • Malnutrition
                        PCHF Moderator
                        • Jul 2016
                        • 7041

                        #41
                        Ok.
                        Make sure date and time are correct.
                        Make sure you disable Crystal Security/Defender prior to running it.

                        Right click AVBR.exe and rename it to Svchost.exe, (or any other name just make sure the .exe remains) then right click on SVchost.exe and run as administrator.
                        If this fails, then we will skip it.


                        Download Autologger to your desktop.
                        Disable your Antivirus/Defender prior to running.

                        • Unzip it there. If you are unsure how to unzip a program, then use http://www.7-zip.org/
                        • Right click Autologger and run as admin. (XP users double click)
                        • AVZ4 will open and scan your machine, allow this to complete.
                        • Upload Collectionlog.zip to your next reply.

                        Go ahead and do the full scan with Kaspersky. I will check all logs when I return from work.

                        Hard to say if any malware remains, I need to check the logs; which I will do after work today. How is the computer running after removing the trojans and trash?


                        • Gourde
                          PCHF Member
                          • Dec 2022
                          • 23

                          #42
                          Sadly it still isn’t working! And I’m trying to download Kaspersky but it’s saying it’s incompatible with Malwarebytes. I uninstalled Malwarebytes with the Geek uninstaller but Kaspersky keeps asking to delete it. Is there any other software I could use (Maybe one I’ve already downloaded) that can do the job you want it to?


                          • Malnutrition
                            PCHF Moderator
                            • Jul 2016
                            • 7041

                            #43
                            Remove Malwarebytes with this tool.

                            Instructions in link.



                            • Gourde
                              PCHF Member
                              • Dec 2022
                              • 23

                              #44
                              Thank you! Here is the scan log, and the computer is running very well now, albeit the internet is still a bit shoddy. Though that is probably due to after effects of the winter storm AND all the construction that is constantly going on across the street XD
                              I really cannot say how thankful I am that you helped me and for your patience too.


                              • Malnutrition
                                PCHF Moderator
                                • Jul 2016
                                • 7041

                                #45


                                @Gourde


                                Hit the windows key and R at the same time.
                                Type [COLOR=rgb(184, 49, 47)]appwiz.cpl hit ok.
                                Uninstall these programs below.

                                [COLOR=rgb(147, 101, 184)]Avast Update Helper
                                [COLOR=rgb(147, 101, 184)]Bonjour
                                [COLOR=rgb(147, 101, 184)]RogueKiller


                                Copy the content of the code box below.
                                [COLOR=rgb(184, 49, 47)]Do not copy the word code!!!
                                Right Click FRST and run as Administrator.
                                Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
                                Attach it to your next message.

                                Code:
                                Start::
                                CloseProcesses:
                                SystemRestore: On
                                CreateRestorePoint:
                                RemoveProxy:
                                Task: {083163D5-609E-48B1-BE54-E2DA2575569D} - System32\Tasks\Avast Software\Avast Driver Updater BugReport => C:\Program Files\Avast Software\Driver Updater\AvBugReport.exe -> --send "dumps|report" --silent --product 148 --programpath "C:\Program Files\Avast Software\Driver Updater\Setup\.." --configpath "C:\Program Files\Avast Software\Driver Updater\Setup" --path "C:\ProgramData\Avast Software\Driver Updater\log" --path "C:\ProgramData\Avast Software\Icarus\Logs" --guid de300ee2-e23f-4751-91b4-58c31d20bd1b
                                C:\ProgramData\Avast Software
                                Task: {498CDF57-F003-4E9D-979D-FC6D938FDFE7} - System32\Tasks\Avast Software\Avast Cleanup BugReport => C:\Program Files\Avast Software\Cleanup\AvBugReport.exe -> --send "dumps|report" --silent --product 62 --programpath "C:\Program Files\Avast Software\Cleanup\Setup\.." --configpath "C:\Program Files\Avast Software\Cleanup\Setup" --path "C:\ProgramData\Avast Software\Cleanup\log" --path "C:\ProgramData\Avast Software\Icarus\Logs" --guid 9eef0178-67b2-4db3-80f2-05dfea390c97
                                Task: {7BA48D22-1EE0-4989-968B-80996146CF1E} - System32\Tasks\Avast Software\Avast SecureLine VPN Bug Report => C:\Program Files\Avast Software\SecureLine VPN\AvBugReport.exe -> --send "dumps|report" --silent --product 11 --programpath "C:\Program Files\Avast Software\SecureLine VPN" --configpath "C:\ProgramData\Avast Software\SecureLine VPN" --path "C:\ProgramData\Avast Software\SecureLine VPN\log" --path "C:\ProgramData\Avast Software\Icarus\Logs" --logpath "C:\ProgramData\Avast Software\SecureLine VPN\log" --guid 39a84409-03f5-447c-89e5-709507518629
                                Winsock: Catalog5 08 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [122128 2015-08-12] (Apple Inc. -> Apple Inc.)
                                Winsock: Catalog5-x64 08 C:\Program Files\Bonjour\mdnsNSP.dll [133392 2015-08-12] (Apple Inc. -> Apple Inc.)
                                R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [223176 2022-12-29] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
                                S0 MbamElam; C:\Windows\System32\DRIVERS\MbamElam.sys [21480 2022-12-29] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
                                R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [197088 2022-12-29] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
                                R3 MBAMProtection; C:\Windows\system32\DRIVERS\mbam.sys [76216 2022-12-29] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
                                R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [239544 2022-12-29] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
                                R3 MBAMWebProtection; C:\Windows\system32\DRIVERS\mwac.sys [181816 2022-12-29] (Malwarebytes Inc. -> Malwarebytes)
                                C:\Windows\system32\DRIVERS\mwac.sys
                                C:\Windows\System32\Drivers\mbamswissarmy.sys
                                C:\Windows\system32\DRIVERS\mbam.sys
                                C:\Windows\System32\DRIVERS\farflt.sys
                                C:\Windows\System32\DRIVERS\MbamElam.sys
                                C:\Windows\System32\Drivers\MbamChameleon.sys
                                2022-12-20 13:12 - 2022-12-20 13:14 - 000000410 ____H C:\Users\Glitc\MJKJRegInfo_U5E664P45VMUH7KFFLV36NSWUTVWJHRR
                                2022-12-20 13:12 - 2022-12-20 13:12 - 000000036 _____ C:\Users\Glitc\MJKJDeviceGUID
                                C:\Windows\system32\Tasks\Avast Software
                                HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
                                HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
                                FirewallRules: [{1CB51AFB-A49A-4EF1-8EE9-9CEDEA7615A1}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc. -> Apple Inc.)
                                FirewallRules: [{6BD3D265-1D78-465D-9A51-208D177F9C1E}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc. -> Apple Inc.)
                                FirewallRules: [{1B96ABFE-1724-408C-B809-A2765EF16C7A}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe (Apple Inc. -> Apple Inc.)
                                FirewallRules: [{D6E4D6DB-F37B-4B16-B6B9-02634BF7EF73}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe (Apple Inc. -> Apple Inc.)
                                cmd: netsh winsock reset catalog
                                cmd: netsh int ip reset C:\resettcpip.txt
                                cmd: ipconfig /flushdns
                                Emptytemp:
                                End::


                                Update old programs with Patch My PC Home edition.

                                We will clean all the tools we used…

                                Download KpRM
                                Save to Desktop
                                Check Delete Tools.
                                Check Delete Restore points.
                                Create Restore point.
                                Then click run.


                                Originally posted by Gourde
                                the computer is running very well now,
                                Alright, I'll mark this as solved, unless there is anything else you are concerned with?
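                                The following is an added example, not part of the thread and not from the FRST author or from Malwarebytes/Avast: a PowerShell audit that checks, after the fix and the reboot, whether each item the fixlist above targeted is actually gone (the scheduled tasks under \Avast Software\, the Bonjour Winsock namespace provider, the Malwarebytes driver services and files, the SafeBoot\MBAMService keys, the MJKJ* files in the profile, the mDNSResponder firewall rules and the WinINet proxy). It assumes Windows 10/11 with PowerShell 5.1 or later run from an elevated prompt, and the user profile path C:\Users\Glitc taken from the fixlist (change it on another machine). Names and paths are copied from the fixlist; the helper function and variable names are the example's own.

```powershell
# Added example (not from the thread): post-fix audit of the items the FRST fixlist targets.
# Run from an elevated PowerShell prompt after the reboot that the Winsock/TCP-IP reset needs.
#Requires -RunAsAdministrator

$findings = [System.Collections.Generic.List[string]]::new()

# Records a leftover if $present is true, otherwise prints that the item is gone.
function Report([bool]$present, [string]$what) {
    if ($present) { $findings.Add("LEFTOVER: $what") } else { Write-Host "ok: $what" }
}

# 1. Scheduled tasks and task folder (the three Task: lines and C:\Windows\system32\Tasks\Avast Software)
$tasks = Get-ScheduledTask -TaskPath '\Avast Software\' -ErrorAction SilentlyContinue
Report (@($tasks).Count -gt 0) 'scheduled tasks in \Avast Software\'
Report (Test-Path -LiteralPath 'C:\Windows\System32\Tasks\Avast Software') 'task folder C:\Windows\System32\Tasks\Avast Software'
Report (Test-Path -LiteralPath 'C:\ProgramData\Avast Software') 'folder C:\ProgramData\Avast Software'

# 2. Winsock namespace provider (the two Winsock: Catalog5 lines). "netsh winsock reset catalog"
#    rebuilds the catalog, so Bonjour's mdnsNSP.dll must no longer be listed.
$catalog = netsh winsock show catalog
Report (($catalog | Select-String -SimpleMatch 'mdnsNSP.dll').Count -gt 0) 'Bonjour mdnsNSP.dll still in the Winsock catalog'

# 3. Malwarebytes kernel driver services (R2/S0/R3 lines) and their files
$driverServices = 'MBAMChameleon','MbamElam','MBAMFarflt','MBAMProtection','MBAMSwissArmy','MBAMWebProtection'
foreach ($name in $driverServices) {
    # Get-Service does not list kernel drivers, so query the WMI driver class instead
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$name'"
    Report ($null -ne $drv) "driver service $name"
}
$driverFiles = 'C:\Windows\System32\Drivers\MbamChameleon.sys',
               'C:\Windows\System32\DRIVERS\MbamElam.sys',
               'C:\Windows\System32\DRIVERS\farflt.sys',
               'C:\Windows\System32\DRIVERS\mbam.sys',
               'C:\Windows\System32\Drivers\mbamswissarmy.sys',
               'C:\Windows\System32\DRIVERS\mwac.sys'
foreach ($file in $driverFiles) { Report (Test-Path -LiteralPath $file) "driver file $file" }

# 4. SafeBoot entries that allowed MBAMService to start in Safe Mode (Minimal and Network)
foreach ($mode in 'Minimal','Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\MBAMService"
    Report (Test-Path -LiteralPath $key) "registry key SafeBoot\$mode\MBAMService"
}

# 5. Orphan MJKJ* files in the user profile (hidden file MJKJRegInfo_* and MJKJDeviceGUID)
$userDir = 'C:\Users\Glitc'   # assumption: profile path from the fixlist
$orphans = Get-ChildItem -LiteralPath $userDir -Filter 'MJKJ*' -Force -ErrorAction SilentlyContinue
Report (@($orphans).Count -gt 0) "MJKJ* files in $userDir"

# 6. Firewall rules that still allow Bonjour's mDNSResponder.exe (the four FirewallRules: lines)
$rules = Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
         Where-Object { $_.Program -like '*\Bonjour\mDNSResponder.exe' } |
         Get-NetFirewallRule
Report (@($rules).Count -gt 0) 'firewall rules for Bonjour mDNSResponder.exe'

# 7. WinINet proxy for the current user (what RemoveProxy: clears; it also covers HKLM and WinHTTP,
#    which this check does not inspect)
$inet = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Report (($inet.ProxyEnable -eq 1) -or -not [string]::IsNullOrEmpty($inet.AutoConfigURL)) 'WinINet proxy or PAC URL still set for this user'

if ($findings.Count -gt 0) { $findings | Write-Warning } else { Write-Host 'All fixlist items are gone.' }
```

                                Run it once before the fix to see every item reported as LEFTOVER, then again after the reboot; anything still reported should be compared with Fixlog.txt, which records each directive FRST could not apply. The Winsock and TCP/IP resets only take effect after a restart, so a check run before rebooting will still show the Bonjour provider.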
