On boot up I get there is no file extension in "c:\users\**** "

  • Malnutrition
    PCHF Moderator
    • Jul 2016
    • 7041

    #16
    Perfect. Thread will remain open.


• Malnutrition
  PCHF Moderator
  • Jul 2016
  • 7041

  #17
  @Moogera when you get around to it, an update please.

• Moogera
  PCHF Member
  • Dec 2023
  • 18

  #18
  Hi, hopefully tomorrow.

• Malnutrition
  PCHF Moderator
  • Jul 2016
  • 7041

  #19
  (y)

• Moogera
  PCHF Member
  • Dec 2023
  • 18

  #20
  Hi, on running Process Explorer these are the results. I think I'm looking at the correct file; when it is opened and the Image tab selected, as you can see, it says "access denied".

• Malnutrition
  PCHF Moderator
  • Jul 2016
  • 7041

  #21
  That may indicate malicious activity. Please post the two logs requested in the link below, after running FRST.

• Moogera
  PCHF Member
  • Dec 2023
  • 18

  #22
  Hi, yeah, will do.
  I will mention I ran a Windows Security offline scan last night and that too found nothing.
  So this file is hiding itself even from a Malwarebytes scan.
  Thanks, will post back.

• Moogera
  PCHF Member
  • Dec 2023
  • 18

  #23
  Hi, the logs will not paste due to an "image type file is invalid" pop-up.

  The logs opened in WordPad when the scans finished.

• Malnutrition
  PCHF Moderator
  • Jul 2016
  • 7041

  #24
  You can attach the files, upload them to a file-sharing site, or post them to Pastebin and send the link.

• Moogera
  PCHF Member
  • Dec 2023
  • 18

  #25
  Thanks, they are attached. I have never used Farbar. Some of the apps/programs on that list are not on my PC anymore, so there must be remnants remaining from when they were uninstalled.

• Malnutrition
  PCHF Moderator
  • Jul 2016
  • 7041

  #26
  The logs have been modified. Pieces are missing. FirewallRules: [{911CB2CE-C3DA-41D7-

  Did you delete it?

  Also, what programs remain that you see trails of?

  Copy the content of the code box below.
  Do not copy the word code!!!
  Right-click FRST and run as Administrator.
  Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
  Attach it to your next message.
  Code:
  Start::
  CloseProcesses:
  SystemRestore: On
  CreateRestorePoint:
  RemoveProxy:
  HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
  HKU\S-1-5-21-2192984707-2358445379-1302979691-1001\...\Run: [MicrosoftEdgeAutoLaunch_242E4C524F052A377EE29368EB4D3ABC] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start [3854376 2023-12-14] (Microsoft Corporation -> Microsoft Corporation)
  GroupPolicy: Restriction ? <==== ATTENTION
  Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
  Task: {27E20D5D-9228-4E1F-9C4C-1490F57B700A} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1566200 2023-09-20] (Adobe Inc. -> Adobe Inc.)
  Task: {CD88E278-C214-4B25-B085-8D4FEB600954} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [714256 2023-12-05] (PIRIFORM SOFTWARE LIMITED -> Piriform Software Ltd)
  Task: {9F9D260B-C808-4246-97E5-D0F4A3F54672} - System32\Tasks\CCleanerCrashReporting => C:\Program Files\CCleaner\CCleanerBugReport.exe [4703648 2023-12-05] (PIRIFORM SOFTWARE LIMITED -> Piriform Software) -> --product 90 --send dumps|report --path "C:\Program Files\CCleaner\LOG" --programpath "C:\Program Files\CCleaner" --guid "9880bd83-8eb4-46b7-8ec2-1df5113133a5" --version "6.19.10858" --silent
  Task: {F993FA91-8686-4B05-B094-5605685844E3} - System32\Tasks\CCleanerSkipUAC - mart d => C:\Program Files\CCleaner\CCleaner.exe [37458848 2023-12-05] (PIRIFORM SOFTWARE LIMITED -> Piriform Software Ltd)
  Task: {D8B8A6DD-7C26-4852-B7E4-37E056F91A7C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156968 2019-03-15] (Google Inc -> Google Inc.)
  Task: {DEF0F1A1-D249-41CF-A48A-50AB245F97AA} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156968 2019-03-15] (Google Inc -> Google Inc.)
  Task: {491E0665-D717-429E-87E8-0AC6FA1B5A2A} - System32\Tasks\MicrosoftEdgeUpdateTaskMachineId => C:\WINDOWS\system32\wscript.exe [170496 2023-10-13] (Microsoft Windows -> Microsoft Corporation) -> C:\Users\mart d\AppData\Local\Microsoft\Windows\Explorer\SQLite.flush.vbs
  Task: {4382CDDC-38DE-4CFB-B79F-9F4566E572BA} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-2192984707-2358445379-1302979691-1002 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  /reporting (No File)
  Task: {2C6EBBB6-2667-4854-924D-F2A5E61503F6} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2192984707-2358445379-1302979691-1002 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  (No File)
  Task: {F99E7810-7494-4F8A-8824-BF1E57DFA900} - System32\Tasks\Toolbox.exe_{6BAEEA95-59DA-4381-8DA4-2C6C2511F44E} => C:\Program Files\HP\HP DeskJet 2600 series\Bin\Toolbox.exe  CN83T5N5VF06PX:USB -cmd setup -virtualalerts off (No File)
  Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100
  Tcpip\..\Interfaces\{0b3a9198-49ac-43d1-86c4-a64235e3c100}: [DhcpNameServer] 194.168.4.100 194.168.8.100
  S4 AdobeARMservice; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [173040 2023-09-20] (Adobe Inc. -> Adobe Inc.)
  CustomCLSID: HKU\S-1-5-21-2192984707-2358445379-1302979691-1001_Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\localserver32 -> no filepath
  CustomCLSID: HKU\S-1-5-21-2192984707-2358445379-1302979691-1001_Classes\CLSID\{24734139-2E14-88F8-FDDF-194FDB2B19C4}\InprocServer32 -> no filepath
  C:\WINDOWS\system32\drivers\etc\hosts
  Hosts:
  FirewallRules: [{34823CB6-96DB-4289-B863-8341773A43CC}] => (Allow) LPort=1688
  FirewallRules: [{F6942558-C91A-465B-9B20-1D4DDCC134FA}] => (Allow) LPort=5357
  FirewallRules: [{AB58FCF7-F90F-4725-9F39-686DCB38D0C3}] => (Allow) LPort=1688
  VirusTotal: C:\Users\mart d\AppData\Roaming\msregsvv.dll
  C:\WINDOWS\system32\drivers\etc\hosts.ics
  C:\Windows\system32\drivers\etc\hosts
  Hosts:
  cmd: net stop bits
  Move: C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db.old
  cmd: net start bits
  cmd:  bitsadmin /list /allusers
  CMD: del /f /s /q %windir%\prefetch\*.*
  CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
  CMD: del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"
  cmd: del /s /q "%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Cache\*.*"
  cmd: del /s /q "%userprofile%\AppData\Local\Opera Software\Opera Stable\Cache\Cache_Data\*.*"
  CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
  CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
  CMD: ipconfig /flushdns
  C:\Windows\Temp\*.*
  C:\WINDOWS\system32\*.tmp
  C:\WINDOWS\syswow64\*.tmp
  emptytemp:
  ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
  ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32
  ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder
  ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
  Folder: C:\Windows\System32\Tasks
  Reboot:
  End::

  Download Malwarebytes v.4. Install and run.

  • Once the MBAM dashboard opens, click on Settings (gear icon).
  • Click on the Security tab and make sure that all four Scan options are enabled.
  • Close Settings and click on the Scan button on the dashboard.
  • Once the scan is completed, make sure you have it quarantine any detections it finds.
  • If no detections were found, click on the Save results drop-down, then the Export to TXT button, and save the file as a text file to your desktop.
  • If there were detections, then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a text file to your desktop or another location you can find, and attach that log to your next reply.
  • If the computer restarted to quarantine, you can access the logs from Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a text file to your desktop or another location you can find, and include that log in your next reply.
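The decisive entry in the fix above is a scheduled task with a legitimate-looking name whose action is the signed script host wscript.exe pointed at a .vbs under the user's profile. The Python below is an added example, not part of the thread and not FRST's own code: it parses FRST's Task: lines and applies that check mechanically, together with two related ones (an action binary that lives in a user-writable path, and a task whose target file no longer exists). The script-host list, the user-writable path fragments and the list of genuine Edge updater task names are assumptions chosen for this illustration; the four sample lines are copied from the FRST output quoted in the fix.

```python
"""Triage the 'Task:' lines of an FRST log for suspicious scheduled-task actions.

FRST prints one line per scheduled task, in one of two shapes:
  Task: {GUID} - System32\\Tasks\\<name> => <exe> [size yyyy-mm-dd] (signer) -> <args>
  Task: {GUID} - System32\\Tasks\\<name> => <exe>  <args> (No File)
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-Fa-f-]{36})\} - System32\\Tasks\\(?P<name>.+?) => (?P<rest>.+)$"
)
SIGNED_RE = re.compile(
    r"^(?P<exe>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>[^)]*)\)"
    r"(?: -> (?P<args>.*))?$"
)

# Assumption: signed Windows binaries whose real payload is whatever their arguments point at.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Assumption: path fragments a standard user can write to (ProgramData counted as well).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\",
                 "%localappdata%", "%appdata%", "%temp%", "%userprofile%")
# Assumption: the genuine Edge updater registers only these task names (newer builds append a GUID).
EDGE_PREFIX = "MicrosoftEdgeUpdateTaskMachine"
EDGE_KNOWN = ("MicrosoftEdgeUpdateTaskMachineCore", "MicrosoftEdgeUpdateTaskMachineUA")


@dataclass
class Task:
    guid: str
    name: str
    exe: str
    args: str = ""
    signer: str = ""
    missing: bool = False
    reasons: List[str] = field(default_factory=list)


def parse_task_line(line: str) -> Optional[Task]:
    """Return a Task for an FRST 'Task:' line, or None for any other line."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    guid, name, rest = m.group("guid"), m.group("name"), m.group("rest")
    if rest.endswith("(No File)"):
        body = rest[: -len("(No File)")].strip()
        exe, _, args = body.partition("  ")   # FRST puts two spaces before the arguments here
        return Task(guid, name, exe, args.strip(), missing=True)
    s = SIGNED_RE.match(rest)
    if not s:
        return Task(guid, name, rest)         # unrecognised shape: keep the raw action text
    return Task(guid, name, s.group("exe"), s.group("args") or "", s.group("signer"))


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(text: str) -> bool:
    t = text.lower()
    return any(frag in t for frag in USER_WRITABLE)


def triage(task: Task) -> Task:
    """Append one reason string per heuristic the task trips."""
    if task.missing:
        task.reasons.append("orphaned: target binary no longer exists")
    if _user_writable(task.exe):
        task.reasons.append("action binary lives in a user-writable path")
    if _basename(task.exe) in SCRIPT_HOSTS and _user_writable(task.args):
        task.reasons.append("signed script host runs a payload from a user-writable path")
    if task.name.startswith(EDGE_PREFIX) and not task.name.startswith(EDGE_KNOWN):
        task.reasons.append("name imitates the Edge updater but is not one of its task names")
    return task


def scan(lines: Iterable[str]) -> List[Task]:
    return [triage(t) for t in map(parse_task_line, lines) if t is not None]


# Sample input: four Task: lines copied from the FRST output quoted in this thread.
SAMPLE_LINES = [
    r"Task: {27E20D5D-9228-4E1F-9C4C-1490F57B700A} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1566200 2023-09-20] (Adobe Inc. -> Adobe Inc.)",
    r"Task: {D8B8A6DD-7C26-4852-B7E4-37E056F91A7C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156968 2019-03-15] (Google Inc -> Google Inc.)",
    r"Task: {491E0665-D717-429E-87E8-0AC6FA1B5A2A} - System32\Tasks\MicrosoftEdgeUpdateTaskMachineId => C:\WINDOWS\system32\wscript.exe [170496 2023-10-13] (Microsoft Windows -> Microsoft Corporation) -> C:\Users\mart d\AppData\Local\Microsoft\Windows\Explorer\SQLite.flush.vbs",
    r"Task: {2C6EBBB6-2667-4854-924D-F2A5E61503F6} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2192984707-2358445379-1302979691-1002 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  (No File)",
]

if __name__ == "__main__":
    for t in scan(SAMPLE_LINES):
        print(("SUSPECT " if t.reasons else "ok      ") + t.name)
        for r in t.reasons:
            print("        - " + r)
```

The check that matters most is the third one: wscript.exe itself is a clean Microsoft-signed file, which is exactly why antivirus scans of the task's executable came back empty; the thing to inspect is the argument, and the point of the heuristic is to surface "signed host + user-writable payload" without needing a signature for the payload.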

• Moogera
  PCHF Member
  • Dec 2023
  • 18

  #27
  No, I didn't delete firewall rules. I don't really use the firewall; I may have on the BS5 game.

  Where do I paste the code?
  Took a while to download Farbar; Windows SmartScreen kept popping up and stopping it downloading.

• Malnutrition
  PCHF Moderator
  • Jul 2016
  • 7041

  #28
  You don't paste anything. Copy the entire code, right-click FRST, run as admin and hit Fix. The tool does the work. It was designed that way because, over the years, people did not understand the process; the creator of the tool simplified it to make the helper's job easier.

• Moogera
  PCHF Member
  • Dec 2023
  • 18

  #29
  Hi, well, you know what, MWB found nothing but the CODE run with FRST has FIXED the problem!!!
  That's just great.
  Logs attached.
  Thanks.

• Malnutrition
  PCHF Moderator
  • Jul 2016
  • 7041

  #30
  It was this scheduled task that was the issue.
  Task: {491E0665-D717-429E-87E8-0AC6FA1B5A2A} - System32\Tasks\MicrosoftEdgeUpdateTaskMachineId => C:\WINDOWS\system32\wscript.exe [170496 2023-10-13] (Microsoft Windows -> Microsoft Corporation) -> C:\Users\mart d\AppData\Local\Microsoft\Windows\Explorer\SQLite.flush.vbs

  In the FRST script I sent this file to VirusTotal. Although nothing turned up on the scanners, I am a bit suspicious of this file. Open the file location and rename it to .bak instead of .dll; if any issues arise, rename it back to .dll. It is not a Windows file, so it will not break the system.

  C:\Users\mart d\AppData\Roaming\msregsvv.dll

  Also, this part of the log is missing. Deleted by you by mistake? I'd like to know what the entry was...

  (attachment 13141)

  What is this in your startup folder?

  [HKU\S-1-5-21-2192984707-2358445379-1302979691-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]
  "Lync"="03000000e21730c1074ad501"

  There are remnants of Avira.

  C:\Windows\System32\Tasks\Avira\System Speedup
  C:\Windows\System32\Tasks\Avira

  BitLocker is running on your machine and is known to slow a computer.
  As well, if you do not use OneDrive...

  See what programs are configured to start up automatically when your system boots and you log in.

  SppExtComObjHook.dll is a file that is installed on a system when the user runs software crack tools (AutoKMS) and other licence activators intended to crack MS Windows and/or MS Office. Are you aware of this?

  "C:\WINDOWS\System32\SppExtComObjPatcher.exe"="0"
  "C:\WINDOWS\System32\SppExtComObjHook.dll"="0"
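The "Lync"="03000000e21730c1074ad501" value queried above does not hold a program. StartupApproved\Run is where Windows records whether the matching Run entry has been switched on or off in Task Manager's Startup tab, and the blob stores that state plus a timestamp. The decoder below is an added example, not from the thread: the layout it assumes (a 4-byte little-endian state, 0x02 for enabled and 0x03 for disabled, followed by an 8-byte FILETIME of the last change) is taken from published forensics notes rather than from this page, and the second sample value is constructed to show the enabled case.

```python
"""Decode the binary values Windows keeps under
HKCU\\...\\Explorer\\StartupApproved\\Run (and \\Run32, \\StartupFolder).

Assumed layout (from published forensics notes, not from this thread):
  bytes 0-3  : little-endian state, 0x02 = enabled, 0x03 = disabled
  bytes 4-11 : FILETIME (100 ns ticks since 1601-01-01 UTC) of the last change;
               all zero when the entry has never been toggled
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Optional

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_STATES = {0x02: "enabled", 0x03: "disabled"}


class StartupApproval(NamedTuple):
    name: str
    state: str
    changed: Optional[datetime]   # None when the FILETIME field is zero


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Convert 100 ns ticks since 1601-01-01 to an aware UTC datetime (None for 0)."""
    if ticks == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_startup_approved(name: str, hex_value: str) -> StartupApproval:
    """Decode one REG_BINARY value as exported in 'hex:' / FRST style (no separators)."""
    raw = bytes.fromhex(hex_value.replace(",", ""))
    if len(raw) < 12:
        raise ValueError(f"{name}: expected at least 12 bytes, got {len(raw)}")
    state = int.from_bytes(raw[:4], "little")
    ticks = int.from_bytes(raw[4:12], "little")
    label = _STATES.get(state, f"unknown(0x{state:02x})")
    return StartupApproval(name, label, filetime_to_datetime(ticks))


def decode_all(values: Dict[str, str]) -> List[StartupApproval]:
    return [decode_startup_approved(n, v) for n, v in values.items()]


# Sample input: the Lync value quoted in this thread, plus a constructed enabled entry.
SAMPLE_VALUES = {
    "Lync": "03000000e21730c1074ad501",
    "ExampleEnabled": "020000000000000000000000",   # constructed, not from the thread
}

if __name__ == "__main__":
    for entry in decode_all(SAMPLE_VALUES):
        when = entry.changed.isoformat() if entry.changed else "never"
        print(f"{entry.name}: {entry.state}, last changed {when}")
```

For the Lync value the state byte is 0x03, so the entry is a disabled leftover of an old Run key rather than something that launches at logon; the FILETIME decodes to August 2019, which is when it was switched off. A disabled StartupApproved entry is harmless by itself, but the matching Run value should still be checked, since re-enabling it in Task Manager would run whatever it points at.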
