???. I am currently at work, I’ll be home in 8 or so hours. I’ll have to check this on my laptop.
Couple of PC issues...PC running slow and PC will not restart
Copy the content of the code box below.
Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.
Code:
start::
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
EmptyEventLogs:
HKLM\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKLM\Software\Policies\...\system: [EnableCloudClipboard] 0
HKLM\Software\Policies\...\system: [CloudClipboardAutomaticUpload] 0
HKLM\Software\Policies\...\system: [EnableActivityFeed] 0
HKLM\Software\Policies\...\system: [PublishUserActivities] 0
HKLM\Software\Policies\...\system: [UploadUserActivities] 0
HKLM\Software\Policies\...\system: [AllowCrossDeviceClipboard] 0
HKU\S-1-5-21-3466739526-2485095647-408758403-1009\...\Run: [MicrosoftEdgeAutoLaunch_3B3BB905A374F1CF0D310AB30E4EDE63] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start [3883560 2024-07-11] (Microsoft Corporation -> Microsoft Corporation)
HKU\S-1-5-21-3466739526-2485095647-408758403-1009\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-3466739526-2485095647-408758403-1009\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 1
HKU\S-1-5-21-3466739526-2485095647-408758403-1009\...\Policies\Explorer: [NoResolveSearch] 1
HKU\S-1-5-21-3466739526-2485095647-408758403-1009\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-3466739526-2485095647-408758403-1009\...\Policies\Explorer: [HideSCAMeetNow] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
HKLM\...\Run: [C:\WINDOWS\system32\V0770Ext.ax] => C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0770Ext.ax (No File)
HKLM-x32\...\Run: [C:\WINDOWS\System32\V0770Ext.ax] => C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\System32\V0770Ext.ax (No File)
HKU\S-1-5-21-3466739526-2485095647-408758403-1009\...\Run: [AMDNoiseSuppression] => "C:\WINDOWS\system32\AMD\ANR\AMDNoiseSuppression.exe" (No File)
Task: {116E3548-253D-4F04-A9E0-FC4387A9822F} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {1C5E60AA-0C47-4621-A967-049429A2D4DF} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {38883215-466E-4BD7-8D0C-2A569F5179EE} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {519A8396-93C1-430C-9B66-957F837C561F} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {5243425B-993B-40ED-BDF5-92AB68DBF2EF} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {868E7A8D-EFAC-4ECD-9354-CA69CBC63EC0} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {9BD0A96C-7DCD-4E94-A191-650252DE7A6A} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {BD83E793-452E-4EC7-83B7-FBE05E1FCD87} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {D5330EA6-8548-46B2-8013-23AB0D32C1A2} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {DF573AD4-8335-432C-8091-D74A4B1A2544} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {E27C0C30-95E3-440E-B7EF-67557F3B763D} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {EE8419BF-8261-44DF-9F69-5398DCE47A1A} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {FBA7627D-3194-440A-87DD-3563128AA85A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {20697CEF-A6C5-4754-86A4-F48E8E92C130} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\AVAST Software\Overseer\overseer.exe /from_scheduler:1 (No File)
Task: {99DAB5B9-B9AA-45EF-B826-3F7DB707F69D} - System32\Tasks\DropboxUpdateTaskMachineCore => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /c (No File)
Task: {E1E5EA9B-45B0-44B6-90F5-9A05AD38AAE7} - System32\Tasks\DropboxUpdateTaskMachineUA => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /ua /installsource scheduler (No File)
Task: {16FE398A-2720-4078-BDF8-C4F616A8DAFD} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => %SystemRoot%\ehome\ehPrivJob.exe /DoActivateWindowsSearch (No File)
Task: {1ECF0236-9F72-45BA-AD5B-1C3ACF743F2C} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => %SystemRoot%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService (No File)
Task: {1EC448A7-56D8-444F-8FFB-419390675C2E} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => %SystemRoot%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0) (No File)
Task: {7698B61B-812C-42E9-9A79-EBD591212F69} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => %SystemRoot%\ehome\ehPrivJob.exe /DRMInit (No File)
Task: {5D92A073-3E21-451D-A751-29DD8BF4B1CC} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => %SystemRoot%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0) (No File)
Task: {3BA3CF0C-28CE-46C7-8EB0-EFADED5D7B26} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => %SystemRoot%\ehome\mcupdate $(Arg0) (No File)
Task: {41CBF80B-D38A-4887-951C-827F277A149E} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => %SystemRoot%\ehome\mcupdate -crl -hms -pscn 15 (No File)
Task: {AF9D17B0-C1C9-467A-BF18-79EA73477B89} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => %SystemRoot%\ehome\mcupdate.exe -MediaCenterRecoveryTask (No File)
Task: {6772B81E-2739-4656-A805-A38B57F6BB3E} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => %SystemRoot%\ehome\mcupdate.exe -ObjectStoreRecoveryTask (No File)
Task: {D72F9EF5-E92D-4349-91D7-C11F80585250} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => %SystemRoot%\ehome\ehPrivJob.exe /OCURActivate (No File)
Task: {04927EC1-C6B4-4772-8E6E-033034782CD1} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => %SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0) (No File)
Task: {6A0B3724-EC49-4DEB-96D3-CD6E3849B0A6} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => %SystemRoot%\ehome\ehPrivJob.exe /PBDADiscovery (No File)
Task: {F1851D8E-5C21-44CF-88B4-F0A2D466E043} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => %SystemRoot%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery (No File)
Task: {1A793F00-F97B-428A-8963-F4B1118CBAEE} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => %SystemRoot%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery (No File)
Task: {9A789A97-DE78-46CF-9163-6F9E23B559B1} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => %windir%\ehome\MCUpdate.exe -pscn 0 (No File)
Task: {2183BFE5-4329-40F4-8A9D-C53244CAC165} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => %SystemRoot%\ehome\mcupdate.exe -PvrRecoveryTask (No File)
Task: {91CC317A-B720-482D-BEE7-D9F25F0FD773} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => %SystemRoot%\ehome\mcupdate.exe -PvrSchedule (No File)
Task: {E394741E-C4AD-4E3B-B0CA-E403EEE20BAA} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => %SystemRoot%\ehome\ehrec /RestartRecording (No File)
Task: {381A8673-B576-4AB8-95F1-DC99CF561C00} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => %SystemRoot%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0) (No File)
Task: {3BEE19E5-67EC-4563-BF63-FE89F704316E} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => %SystemRoot%\ehome\ehPrivJob.exe /DoReindexSearchRoot (No File)
Task: {6B34BB93-5EF8-407B-AB1D-17F2D65B30EA} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => %SystemRoot%\ehome\mcupdate.exe -SqlLiteRecoveryTask (No File)
Task: {DA44B33B-AC1F-41F5-B95D-8F686BE929EE} - System32\Tasks\Microsoft\Windows\Media Center\StartRecording => %SystemRoot%\ehome\ehrec /StartRecording (No File)
Task: {AAA61D29-CF9C-488F-9E9F-30252612D69E} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => %SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0) (No File)
Task: {B6BCB4E1-4114-4150-BE26-CE5DC04DE4BC} - System32\Tasks\Microsoft\Windows\rempl\shell => %ProgramFiles%\rempl\sedlauncher.exe (No File)
Task: {862DFBA4-23F4-41E6-A5DD-A3EE59B73024} - System32\Tasks\Safer-Networking\Spybot Anti-Beacon\Refresh Anti-Beacon immunization => "C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\Spybot3AntiBeacon.exe" /apply /silent /atlogon (No File)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
unlock: C:\Program Files (x86)\Safer-Networking Ltd
unlock: C:\Program Files\Common Files\AVAST Software
unlock: C:\Program Files\Microsoft Security Client
unlock: C:\Program Files (x86)\IObit
C:\Program Files (x86)\IObit
C:\Program Files\Microsoft Security Client
C:\Program Files (x86)\Safer-Networking Ltd
C:\Program Files\Common Files\AVAST Software
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{013b464c-8697-4c75-99ff-506f33faecca}: [DhcpNameServer] 172.18.11.1
Tcpip\..\Interfaces\{2925c1fa-818d-4087-b6e4-fe1470812e13}: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{5e6392e4-179a-44fc-8ee8-ff0999cbc492}: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{6a48626b-bb9c-4aa2-9d50-d55a281d5918}: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{bd7af2aa-0472-42f1-8119-fbbde3ff19d3}: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{ee550c16-21cf-4ff9-a401-2758c1a38dbe}: [DhcpNameServer] 194.168.4.100 194.168.8.100
CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 10\Extensions\gomekmidlodglbbmalcneegieacbdmki [2023-06-20]
CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 11\Extensions\gomekmidlodglbbmalcneegieacbdmki [2023-06-27]
CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 12\Extensions\gomekmidlodglbbmalcneegieacbdmki [2023-12-07]
CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 13\Extensions\gomekmidlodglbbmalcneegieacbdmki [2024-02-26]
CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\gomekmidlodglbbmalcneegieacbdmki [2024-06-05]
CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\gomekmidlodglbbmalcneegieacbdmki [2022-01-21]
CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\gomekmidlodglbbmalcneegieacbdmki [2022-02-24]
CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 5\Extensions\gomekmidlodglbbmalcneegieacbdmki [2022-03-01]
CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\gomekmidlodglbbmalcneegieacbdmki [2023-02-15]
CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 7\Extensions\gomekmidlodglbbmalcneegieacbdmki [2023-03-17]
CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 8\Extensions\gomekmidlodglbbmalcneegieacbdmki [2023-04-18]
CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 9\Extensions\gomekmidlodglbbmalcneegieacbdmki [2023-04-25]
S3 AppleLowerFilter; \SystemRoot\System32\drivers\AppleLowerFilter.sys [X]
Task: {C43DE1C1-1630-4296-82DC-9BE28A3339E2} - System32\Tasks\{DAF28B77-7893-4299-9FE0-8B7FE3AC27C2} => C:\Windows\System32\pcalua.exe [88064 2024-07-09] (Microsoft Windows -> Microsoft Corporation) -> -a "C:\Program Files (x86)\IObit\Advanced SystemCare 8\unins000.exe"
Task: C:\WINDOWS\Tasks\ASC8_SkipUac_chredge.job => C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASC.exe
2024-07-20 13:20 - 2019-05-05 15:21 - 000000000 ____D C:\Users\DefaultAppPool.IIS APPPOOL\AppData\Roaming\IObit
2024-07-20 13:20 - 2018-06-06 23:36 - 000000000 ____D C:\Users\ReportServer\AppData\Roaming\IObit
2024-07-20 13:20 - 2018-06-06 23:36 - 000000000 ____D C:\Users\MSSQLServerOLAPService\AppData\Roaming\IObit
2024-07-20 13:20 - 2018-06-06 23:36 - 000000000 ____D C:\Users\MSSQLSERVER\AppData\Roaming\IObit
2024-07-20 13:20 - 2018-06-06 23:36 - 000000000 ____D C:\Users\MSSQLFDLauncher\AppData\Roaming\IObit
2024-07-20 13:20 - 2018-06-06 23:36 - 000000000 ____D C:\Users\MsDtsServer110\AppData\Roaming\IObit
2024-07-20 13:20 - 2018-06-06 23:36 - 000000000 ____D C:\Users\chredge\AppData\Roaming\IObit
2024-07-20 13:20 - 2015-12-05 07:38 - 000000000 ____D C:\Users\chredge\AppData\LocalLow\IObit
2024-07-20 13:20 - 2015-04-04 08:41 - 000000000 ____D C:\ProgramData\IObit
2024-07-20 13:20 - 2015-04-04 08:41 - 000000000 ____D C:\Program Files (x86)\IObit
2017-01-08 08:57 - 2017-01-30 19:16 - 000000347 _____ () C:\Users\chredge\AppData\Roaming\WB.CFG
2016-07-03 12:04 - 2018-07-22 17:37 - 002128896 _____ () C:\Users\chredge\AppData\Local\file__0.localstorage
2018-03-24 15:47 - 2018-03-24 15:47 - 000001810 _____ () C:\Users\chredge\AppData\Local\recently-used.xbel
2017-11-11 17:58 - 2017-11-11 17:58 - 000000017 _____ () C:\Users\chredge\AppData\Local\resmon.resmoncfg
ShortcutWithArgument: C:\Users\chredge\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\DBandT Helper.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe (Google LLC) -> --profile-directory="Profile 2" --app-id=mpnidfjngpijmjaloelmomppgpebokim
ShortcutWithArgument: C:\Users\chredge\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9501e18d7c2ab92e\Christopher (veolia.com) - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC) -> --profile-directory="Profile 2"
StartBatch:
WMIC SERVICE WHERE Name="dcomlaunch" set startmode="auto"
WMIC SERVICE WHERE Name="nsi" set startmode="auto"
WMIC SERVICE WHERE Name="dhcp" set startmode="auto"
WMIC SERVICE WHERE Name="rpcss" set startmode="auto"
WMIC SERVICE WHERE Name="rpceptmapper" set startmode="auto"
WMIC SERVICE WHERE Name="winmgmt" set startmode="auto"
WMIC SERVICE WHERE Name="sdrsvc" set startmode="manual"
WMIC SERVICE WHERE Name="vss" set startmode="manual"
WMIC SERVICE WHERE Name="eventlog" set startmode="auto"
WMIC SERVICE WHERE Name="bfe" set startmode="auto"
WMIC SERVICE WHERE Name="eventsystem" set startmode="auto"
WMIC SERVICE WHERE Name="msiserver" set startmode="manual"
WMIC SERVICE WHERE Name="sstpsvc" set startmode="manual"
WMIC SERVICE WHERE Name="rasman" set startmode="manual"
WMIC SERVICE WHERE Name="trustedinstaller" set startmode="auto"
net start sdrsvc
net start vss
net start rpcss
net start eventsystem
net start winmgmt
net start msiserver
net start bfe
net start trustedinstaller
"%WINDIR%\SYSTEM32\lodctr.exe" /R
"%WINDIR%\SysWOW64\lodctr.exe" /R
"%WINDIR%\SYSTEM32\lodctr.exe" /R
"%WINDIR%\SysWOW64\lodctr.exe" /R
NETSH winsock reset catalog
NETSH int ipv4 reset reset.log
NETSH int ipv6 reset reset.log
ipconfig /release
ipconfig /renew
ipconfig /flushdns
ipconfig /registerdns
netsh winhttp reset proxy
bitsadmin /list /allusers
bitsadmin /reset /allusers
Winmgmt /salvagerepository
Winmgmt /resetrepository
Winmgmt /resyncperf
netsh advfirewall reset
netsh advfirewall set allprofiles state on
del /f /s /q %windir%\prefetch\*.*
sc stop sysmain
sc config sysmain start= disabled
sc stop DiagTrack
sc config DiagTrack start= disabled
sc stop dmwappushservice
sc config dmwappushservice start= disabled
sc stop WSearch
sc config WSearch start= disabled
sc stop lfsvc
sc config lfsvc start= disabled
Endbatch:
CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32
ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder
ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
emptytemp:
Reboot:
End::
-
-
We removed a heap of garbage; we will make one more dig for trash files. How is the machine running?
Download ZHP Suite to your desktop.
Right click, Run as admin.
Hit the scanner button.
Once it is complete, a file named ZHPdiag.txt will be on your desktop.
Attach it.
-
Hi,
The PC is running super-quick and super-smooth at the moment, like it’s had a new lease of life! A spring chicken again! Cheers.
Here's the ZHPdiag.txt
-
Originally posted by Ginger-Overlord: "A spring chicken again!"
Let me take a look at this log; it will take 30 minutes or so…
Do you use edge?
Do you use One Drive?
Bitlocker?
Care for updates?
You can disable them all with these tools.
Edge Blocker: Download Edge Blocker v2.0
Disable One Drive: How to Disable OneDrive and Remove It From File Explorer on Windows 10
Disable Bitlocker: https://support.lenovo.com/us/en/sol...-or-windows-11
Disable updates: Windows Update Blocker v1.8
Clean up old temp files etc.: PrivaZer Free PC cleaner & Privacy tool
-
Copy the content of the code box below.
Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.
Code:
start::
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
DeleteValue: HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION|DriverUpdate.exe
DeleteValue: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|AceStream
DeleteValue: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|CCleaner Smart Cleaning
DeleteValue: HKEY_USERS\S-1-5-21-3466739526-2485095647-408758403-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|CCleaner Monitoring
DeleteValue: HKEY_USERS\S-1-5-21-3466739526-2485095647-408758403-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|AceStream
DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|AvastUI.exe
DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|IObit Malware Fighter
DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|AvastUI.exe
DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|Wondershare Helper Compact.exe
DeleteKey: HKLM\SOFTWARE\AVAST Software
DeleteKey: HKLM\SOFTWARE\CoreSecurity
DeleteKey: HKLM\SOFTWARE\WOW6432Node\Auslogics
DeleteKey: HKLM\SOFTWARE\WOW6432Node\Symantec
DeleteKey: HKCU\SOFTWARE\Avast Software
DeleteKey: HKCU\SOFTWARE\AvastAdSDK
DeleteKey: HKCU\SOFTWARE\IObit
DeleteKey: HKCU\SOFTWARE\KasperskyLab
DeleteKey: HKCU\SOFTWARE\Safer Networking Limited
DeleteKey: HKCU\SOFTWARE\Safer-Networking Ltd.
DeleteKey: HKU\.DEFAULT\SOFTWARE\IObit
DeleteKey: HKU\.DEFAULT\SOFTWARE\Safer Networking Limited
DeleteKey: HKU\.DEFAULT\SOFTWARE\Safer-Networking Ltd.
DeleteKey: HKU\S-1-5-21-3466739526-2485095647-408758403-1009\SOFTWARE\Avast Software
DeleteKey: HKU\S-1-5-21-3466739526-2485095647-408758403-1009\SOFTWARE\AvastAdSDK
DeleteKey: HKU\S-1-5-21-3466739526-2485095647-408758403-1009\SOFTWARE\IObit
DeleteKey: HKU\S-1-5-21-3466739526-2485095647-408758403-1009\SOFTWARE\KasperskyLab
DeleteKey: HKU\S-1-5-21-3466739526-2485095647-408758403-1009\SOFTWARE\Safer Networking Limited
DeleteKey: HKU\S-1-5-21-3466739526-2485095647-408758403-1009\SOFTWARE\Safer-Networking Ltd.
DeleteKey: HKLM\System\CurrentControlSet\Services\EventLog\Reason\ReasonByteFence
File: C:\WINDOWS\System32\drivers\ElRawDsk.sys
File: C:\WINDOWS\System32\drivers\JitDriver.sys
File: C:\IORRT\IORRT.bat
VirusTotal: C:\WINDOWS\System32\drivers\JitDriver.sys
C:\Users\chredge\AppData\Local\AVAST Software
C:\ProgramData\Driver Support
C:\ProgramData\McAfee
C:\ProgramData\Trend Micro
C:\Program Files (x86)\Common Files\IObit
C:\Users\chredge\AppData\Local\Safer-Networking Ltd
emptytemp:
Reboot:
End::
Security Check Scan.
Download Security Check to your desktop.
Right click it, run as administrator.
When the program completes, the tool will automatically open a log file.
Please copy and paste that log here in your next post.
There will be items listed in red when you post this log; those items need to be updated.
-
Hi again,
The Fixlog you asked for is attached.
Here is the SecurityChecklist.txt:
SecurityCheck by glax24 & Severnyj v.1.4.0.57 [24.01.24]
WebSite: www.safezone.cc
DateLog: 20.07.2024 21:28:51
Path starting: C:\Users\chredge\AppData\Local\Temp\SecurityCheck\ SecurityCheck.exe
Log directory: C:\SecurityCheck
IsAdmin: True
User: chredge
VersionXML: 12.38is-14.07.2024
Windows 10(6.3.19045) (x64) Core Release: 2009 Lang: English(0409)
Installation date OS: 22.04.2021 17:10:26
LicenseStatus: Windows(R), Core edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
SystemDrive: C: FS: [NTFS] Capacity: [465.3 Gb] Used: [231.7 Gb] Free: [233.6 Gb]
------------------------------- [ Windows ] -------------------------------
User Account Control enabled (Level 2)
Automatically download and schedule installation
Security Center (wscsvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service has stopped
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
---------------------------- [ Antivirus_WMI ] ----------------------------
Windows Defender (enabled and up to date)
--------------------------- [ FirewallWindows ] ---------------------------
Windows Defender Firewall (mpssvc) - The service is running
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Malwarebytes version 5.1.6.117 v.5.1.6.117
--------------------------- [ OtherUtilities ] ----------------------------
AMD Software v.23.7.2 Warning! Download Update
Microsoft SQL Server 2012 (64-bit) Warning! This software is no longer supported.
Microsoft SQL Server 2012 Native Client v.11.2.5388.0 Warning! This software is no longer supported.
LibreOffice 7.1.5.2 v.7.1.5.2 Warning! Download Update
Microsoft .NET Framework 4.5.1 v.4.5.50938 Warning! Download Update
Microsoft SQL Server 2012 RsFx Driver v.11.2.5058.0 Warning! This software is no longer supported.
Microsoft SQL Server 2008 Setup Support Files v.10.1.2731.0 Warning! This software is no longer supported.
Microsoft SQL Server 2012 Setup (English) v.11.2.5388.0 Warning! This software is no longer supported.
Microsoft SQL Server 2012 T-SQL Language Service v.11.0.2100.60 Warning! This software is no longer supported.
Microsoft SQL Server 2012 Data-Tier App Framework v.11.1.2818.0 Warning! This software is no longer supported.
Microsoft SQL Server 2012 Transact-SQL ScriptDom v.11.2.5058.0 Warning! This software is no longer supported.
Microsoft SQL Server 2012 Management Objects (x64) v.11.0.2100.60 Warning! This software is no longer supported.
Microsoft SQL Server 2012 Transact-SQL Compiler Service v.11.2.5388.0 Warning! This software is no longer supported.
Microsoft Edge WebView2 Runtime v.126.0.2592.113
Steam v.1.0.0.0 Warning! Download Update
Microsoft SQL Server 2008 R2 Management Objects v.10.51.2500.0 Warning! This software is no longer supported.
Microsoft SQL Server 2012 Management Objects v.11.0.2100.60 Warning! This software is no longer supported.
Microsoft SQL Server 2012 Policies v.11.2.5058.0 Warning! This software is no longer supported.
------------------------------ [ ArchAndFM ] ------------------------------
WinRAR 5.70 (64-bit) v.5.70.0 Warning! Download Update
------------------------------- [ Imaging ] -------------------------------
paint.net v.5.0.13
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 162 v.8.0.1620.12 Warning! Download Update
Uninstall old version and install new one (jre-8u411-windows-i586.exe).
-------------------------------- [ Media ] --------------------------------
VLC media player v.3.0.10 Warning! Download Update
--------------------------- [ AdobeProduction ] ---------------------------
swMSM v.12.0.0.1 << Hidden Warning! This software is no longer supported. Please uninstall it.
------------------------------- [ Browser ] -------------------------------
Mozilla Firefox (x64 en-GB) v.128.0
Google Chrome v.126.0.6478.128
Microsoft Edge v.126.0.2592.113
------------------ [ AntivirusFirewallProcessServices ] -------------------
Malwarebytes Service (MBAMService) - The service is running
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe v.3.2.0.1306
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24060.7-0\MsMpEng.exe v.4.18.24060.7
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24060.7-0\NisSrv.exe v.4.18.24060.7
Microsoft Defender Antivirus Service (WinDefend) - The service is running
Microsoft Defender Antivirus Network Inspection Service (WdNisSvc) - The service is running
---------------------------- [ UnwantedApps ] -----------------------------
PrivaZer v.4.0.90.0 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering. Computer experts no longer recommend this program.
AppNHost 1.0.5.1 v.1.0.5.1 Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware and Malwarebytes AdwCleaner. Before uninstallation and scanning it is necessary to consult in the forum where cure is provided for you!!!
----------------------------- [ End of Log ] ------------------------------
-
Make sure to update everything you can, as per the log. Or use Patch My PC Home.
Remove anything you do not want on the machine with GeekUninstaller.
This file comes back as malicious when I run the MD5 at VirusTotal. I want to be sure before we remove anything, so I’ll have you manually scan it.
Upload to VT
Upload Files to VirusTotal
Please go to VirusTotal.
Click the Choose File button.
Navigate to >>>>>>>> C:\WINDOWS\System32\drivers\ElRawDsk.sys
or simply copy and paste it.
Click the Scan it! button.
You might see a message saying File already analysed; if you do, click Reanalyse.
Wait for all the scans to finish, then copy and paste the web address from your browser's address bar.
Example of web address: (screenshot)
Include the link in your next reply.
Are there any more issues to speak of?
You recognize these?
CHR Extension: (Bomgar Remote Support) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\ipfljipbjloahhabacnofonhfbddnajm [2021-12-10]
FF Plugin HKU\S-1-5-21-3466739526-2485095647-408758403-1009: temasys.com.sg/TemWebRTCPlugin -> C:\Users\chredge\AppData\Roaming\Tem\TemWebRTCPlugin\0.8.902\npTemWebRTCPlugin.dll [2017-10-26] (Temasys Communications Pte Ltd -> Temasys)
StartMenuInternet: FIREFOX.EXE - firefox.exe
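To answer the "you recognize these?" question from the user's side, here is an added example (mine, not from the thread, FRST or Chrome's own tooling) that lists every extension in every Chrome profile with its ID, resolved name, version and folder creation date, so an ID like the one quoted above can be matched to a name without trusting only the log. It assumes the default Chrome user-data location under %LOCALAPPDATA%; names stored as __MSG_key__ in manifest.json are resolved from the extension's _locales messages file.

```powershell
# Added example, not from the thread: enumerate Chrome extensions across all
# profiles so an unfamiliar extension ID can be matched to a name and date.
# Assumes Chrome's default user-data directory.
$userData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
if (-not (Test-Path -LiteralPath $userData)) { Write-Host "No Chrome profile data at $userData"; return }

function Resolve-ExtensionName {
    param([string]$VersionDir, [hashtable]$Manifest)
    $name = [string]$Manifest['name']
    # Localised extensions store their name as __MSG_key__ and keep the real
    # string in _locales\<locale>\messages.json.
    if ($name -match '^__MSG_(.+)__$') {
        $key     = $Matches[1]
        $locale  = if ($Manifest['default_locale']) { $Manifest['default_locale'] } else { 'en' }
        $msgFile = Join-Path $VersionDir "_locales\$locale\messages.json"
        if (Test-Path -LiteralPath $msgFile) {
            $msgs  = Get-Content -LiteralPath $msgFile -Raw | ConvertFrom-Json
            $entry = $msgs.PSObject.Properties[$key]
            if ($entry) { $name = $entry.Value.message }
        }
    }
    return $name
}

$rows = foreach ($profileDir in Get-ChildItem -LiteralPath $userData -Directory) {
    $extRoot = Join-Path $profileDir.FullName 'Extensions'
    if (-not (Test-Path -LiteralPath $extRoot)) { continue }
    foreach ($extDir in Get-ChildItem -LiteralPath $extRoot -Directory) {
        # Each extension ID holds one or more version folders; take the last by name.
        $versionDir = Get-ChildItem -LiteralPath $extDir.FullName -Directory |
            Sort-Object Name | Select-Object -Last 1
        if (-not $versionDir) { continue }
        $manifestPath = Join-Path $versionDir.FullName 'manifest.json'
        if (-not (Test-Path -LiteralPath $manifestPath)) { continue }
        $manifest = @{}
        (Get-Content -LiteralPath $manifestPath -Raw | ConvertFrom-Json).PSObject.Properties |
            ForEach-Object { $manifest[$_.Name] = $_.Value }
        [pscustomobject]@{
            Profile   = $profileDir.Name
            Id        = $extDir.Name
            Name      = Resolve-ExtensionName -VersionDir $versionDir.FullName -Manifest $manifest
            Version   = $manifest['version']
            Installed = $extDir.CreationTime.ToString('yyyy-MM-dd')   # folder creation date
        }
    }
}
$rows | Sort-Object Profile, Name | Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell window as the user whose profiles you are checking; the Installed column is the date the extension folder was created, which is a useful cross-check against when the user remembers installing a remote-support tool.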
-
Hi,
Cheers for your ongoing help this evening, really appreciate it!
I will have to go to bed soon, so I will perform your requests tomorrow morning and update you.
Good night and thanks again.
-
-
Hi,
Just using virustool.com. I've navigated to C:\WINDOWS\System32\drivers\ElRawDsk.sys
but I don't see a scan button to select…
(screenshot attached)
-
-
Let's do this: boot into Safe Mode and then rename the driver from
C:\WINDOWS\System32\drivers\ElRawDsk.sys
to:
C:\WINDOWS\System32\drivers\ElRawDsk.BAK
This will disable the driver without ripping it out of the system, since I do not know what program it is appended to.
I am not sure what program that driver is attached to, and if this is a false positive it will cause that program to not work. This way you can re-enable it if a program breaks or it causes system instability, and if it is malicious and there is no ill effect we can remove it after you test the machine for a while.
Hit the Windows key and R at the same time, copy and paste C:\WINDOWS\System32\drivers into the Run box, hit Enter, then find the ElRawDsk.sys driver, rename it, then boot back into normal mode.
https://pchelpforum.net/r/how-to-boo...safe-mode.233/
-
You can rename the file with the command prompt as well.
You will need to boot into Safe Mode as mentioned before.
Open an elevated command prompt.
Copy and paste the line below, then hit Enter. It will not work in normal mode, as the driver is running.
ren "C:\WINDOWS\System32\drivers\ElRawDsk.sys" "ElRawDsk.BAK"
You recognize these? They are both programs that allow remote support; combined with the file above they could be used in conjunction for malicious activity. Although the programs are legit, it is just a matter of whether you installed them or not.
CHR Extension: (Bomgar Remote Support) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\ipfljipbjloahhabacnofonhfbddnajm [2021-12-10]
Bomgar Remote Support, now known as BeyondTrust Remote Support, is a comprehensive remote access and support solution designed to enable IT support teams to securely connect to and troubleshoot devices from virtually anywhere in the world. This software allows technicians to remotely access and control computers, mobile devices, servers, and other endpoints across various operating systems including Windows, macOS, Linux, iOS, and Android.
FF Plugin HKU\S-1-5-21-3466739526-2485095647-408758403-1009: temasys.com.sg/TemWebRTCPlugin -> C:\Users\chredge\AppData\Roaming\Tem\TemWebRTCPlugin\0.8.902\npTemWebRTCPlugin.dll [2017-10-26] (Temasys Communications Pte Ltd -> Temasys)
StartMenuInternet: FIREFOX.EXE - firefox.exe
This plugin allows users to engage in real-time audio and video communication, as well as data sharing, directly through their web browsers without the need for additional software installations.
C:\WINDOWS\System32\drivers\ElRawDsk.sys
This driver allows applications to access raw disk data directly, bypassing the standard security restrictions imposed by the Windows operating system. It enables user-mode applications to read and write to hard-drive and flash-disk partitions at a low level, which can be particularly useful for forensic analysis, data recovery, and undelete operations.
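A defender-side check to go with the rename step above, added here as an example and not part of the thread or any tool it mentions: it hashes and signature-checks the driver (the SHA-256 is what you look up on VirusTotal), looks up which driver service, if any, registers it (which answers the "what program is it attached to" question), and only renames it to .BAK when -Rename is passed. It assumes an elevated PowerShell prompt and the driver path the thread gives; the rename itself still has to be done in Safe Mode, since a loaded driver cannot be renamed.

```powershell
# Added example, not from the thread. Inspect a suspect kernel driver before
# disabling it, then (optionally) rename it so the change can be reverted.
# Assumptions: elevated PowerShell; the default path is the one named in the thread.
param(
    [string]$DriverPath = 'C:\WINDOWS\System32\drivers\ElRawDsk.sys',
    [switch]$Rename   # only rename when explicitly asked; run that step from Safe Mode
)

if (-not (Test-Path -LiteralPath $DriverPath)) {
    Write-Host "Not present: $DriverPath"
    return
}
$leaf = Split-Path -Leaf $DriverPath

# 1. Hash and Authenticode signature. The SHA-256 is what you search for on
#    VirusTotal; a kernel driver with no valid signature is a stronger reason
#    to disable it than a single engine's hash hit.
$hash = Get-FileHash -LiteralPath $DriverPath -Algorithm SHA256
$sig  = Get-AuthenticodeSignature -LiteralPath $DriverPath
[pscustomobject]@{
    File      = $DriverPath
    SHA256    = $hash.Hash
    SigStatus = $sig.Status          # Valid / NotSigned / HashMismatch / NotTrusted ...
    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
} | Format-List

# 2. Which service registers it? Drivers load through a service entry under
#    HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath names the .sys;
#    the owning service's name or DisplayName usually reveals the product.
$owners = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -like "*$leaf*" }
if ($owners) {
    $owners | Select-Object Name, DisplayName, State, StartMode, PathName | Format-List
} else {
    Write-Host "No driver service references $leaf; an application may load it on demand."
}

# 3. Reversible disable: rename instead of delete. This fails in normal mode
#    while the driver is loaded, which is why the thread says to use Safe Mode.
if ($Rename) {
    $backupName = [IO.Path]::ChangeExtension($leaf, '.BAK')
    Rename-Item -LiteralPath $DriverPath -NewName $backupName -ErrorAction Stop
    $backupPath = Join-Path (Split-Path -Parent $DriverPath) $backupName
    Write-Host "Renamed to $backupPath. To undo: Rename-Item -LiteralPath '$backupPath' -NewName '$leaf'"
}
```

Save it as, say, Inspect-Driver.ps1 (the file name is my choice) and run it once without -Rename in normal mode to collect the hash, signature and owning service; if you then decide to disable the driver, reboot into Safe Mode and run it again with -Rename. Renaming rather than deleting keeps the undo path shown in the final message.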