Couple of PC issues...PC running slow and PC will not restart

  • Malnutrition
    PCHF Moderator
    • Jul 2016
    • 7041

    #31
    ???. I am currently at work, I’ll be home in 8 or so hours. I’ll have to check this on my laptop.

    Comment

    • Malnutrition
      PCHF Moderator
      • Jul 2016
      • 7041

      #32
      Copy the content of the code box below.
      Do not copy the word code!!!
      Right Click FRST and run as Administrator.
      Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
      Attach it to your next message.
      Code:
      start::
      CreateRestorePoint:
      EmptyTemp:
      CloseProcesses:
      EmptyEventLogs:
      HKLM\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 0
      HKLM\...\Policies\Explorer: [NoResolveSearch] 1
      HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
      HKLM\Software\Policies\...\system: [EnableCloudClipboard] 0
      HKLM\Software\Policies\...\system: [CloudClipboardAutomaticUpload] 0
      HKLM\Software\Policies\...\system: [EnableActivityFeed] 0
      HKLM\Software\Policies\...\system: [PublishUserActivities] 0
      HKLM\Software\Policies\...\system: [UploadUserActivities] 0
      HKLM\Software\Policies\...\system: [AllowCrossDeviceClipboard] 0
      HKU\S-1-5-21-3466739526-2485095647-408758403-1009\...\Run: [MicrosoftEdgeAutoLaunch_3B3BB905A374F1CF0D310AB30E4EDE63] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start [3883560 2024-07-11] (Microsoft Corporation -> Microsoft Corporation)
      HKU\S-1-5-21-3466739526-2485095647-408758403-1009\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
      HKU\S-1-5-21-3466739526-2485095647-408758403-1009\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 1
      HKU\S-1-5-21-3466739526-2485095647-408758403-1009\...\Policies\Explorer: [NoResolveSearch] 1
      HKU\S-1-5-21-3466739526-2485095647-408758403-1009\...\Policies\Explorer: [NoInternetOpenWith] 1
      HKU\S-1-5-21-3466739526-2485095647-408758403-1009\...\Policies\Explorer: [HideSCAMeetNow] 1
      HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
      GroupPolicy: Restriction ? <==== ATTENTION
      Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
      HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
      HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
      HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
      HKLM\...\Run: [C:\WINDOWS\system32\V0770Ext.ax] => C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0770Ext.ax (No File)
      HKLM-x32\...\Run: [C:\WINDOWS\System32\V0770Ext.ax] => C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\System32\V0770Ext.ax (No File)
      HKU\S-1-5-21-3466739526-2485095647-408758403-1009\...\Run: [AMDNoiseSuppression] => "C:\WINDOWS\system32\AMD\ANR\AMDNoiseSuppression.exe" (No File)
      Task: {116E3548-253D-4F04-A9E0-FC4387A9822F} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
      Task: {1C5E60AA-0C47-4621-A967-049429A2D4DF} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
      Task: {38883215-466E-4BD7-8D0C-2A569F5179EE} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
      Task: {519A8396-93C1-430C-9B66-957F837C561F} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
      Task: {5243425B-993B-40ED-BDF5-92AB68DBF2EF} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
      Task: {868E7A8D-EFAC-4ECD-9354-CA69CBC63EC0} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
      Task: {9BD0A96C-7DCD-4E94-A191-650252DE7A6A} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
      Task: {BD83E793-452E-4EC7-83B7-FBE05E1FCD87} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
      Task: {D5330EA6-8548-46B2-8013-23AB0D32C1A2} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
      Task: {DF573AD4-8335-432C-8091-D74A4B1A2544} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
      Task: {E27C0C30-95E3-440E-B7EF-67557F3B763D} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
      Task: {EE8419BF-8261-44DF-9F69-5398DCE47A1A} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
      Task: {FBA7627D-3194-440A-87DD-3563128AA85A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
      Task: {20697CEF-A6C5-4754-86A4-F48E8E92C130} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\AVAST Software\Overseer\overseer.exe /from_scheduler:1 (No File)
      Task: {99DAB5B9-B9AA-45EF-B826-3F7DB707F69D} - System32\Tasks\DropboxUpdateTaskMachineCore => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /c (No File)
      Task: {E1E5EA9B-45B0-44B6-90F5-9A05AD38AAE7} - System32\Tasks\DropboxUpdateTaskMachineUA => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /ua /installsource scheduler (No File)
      Task: {16FE398A-2720-4078-BDF8-C4F616A8DAFD} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => %SystemRoot%\ehome\ehPrivJob.exe /DoActivateWindowsSearch (No File)
      Task: {1ECF0236-9F72-45BA-AD5B-1C3ACF743F2C} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => %SystemRoot%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService (No File)
      Task: {1EC448A7-56D8-444F-8FFB-419390675C2E} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => %SystemRoot%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0) (No File)
      Task: {7698B61B-812C-42E9-9A79-EBD591212F69} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => %SystemRoot%\ehome\ehPrivJob.exe /DRMInit (No File)
      Task: {5D92A073-3E21-451D-A751-29DD8BF4B1CC} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => %SystemRoot%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0) (No File)
      Task: {3BA3CF0C-28CE-46C7-8EB0-EFADED5D7B26} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => %SystemRoot%\ehome\mcupdate $(Arg0) (No File)
      Task: {41CBF80B-D38A-4887-951C-827F277A149E} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => %SystemRoot%\ehome\mcupdate -crl -hms -pscn 15 (No File)
      Task: {AF9D17B0-C1C9-467A-BF18-79EA73477B89} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => %SystemRoot%\ehome\mcupdate.exe -MediaCenterRecoveryTask (No File)
      Task: {6772B81E-2739-4656-A805-A38B57F6BB3E} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => %SystemRoot%\ehome\mcupdate.exe -ObjectStoreRecoveryTask (No File)
      Task: {D72F9EF5-E92D-4349-91D7-C11F80585250} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => %SystemRoot%\ehome\ehPrivJob.exe /OCURActivate (No File)
      Task: {04927EC1-C6B4-4772-8E6E-033034782CD1} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => %SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0) (No File)
      Task: {6A0B3724-EC49-4DEB-96D3-CD6E3849B0A6} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => %SystemRoot%\ehome\ehPrivJob.exe /PBDADiscovery (No File)
      Task: {F1851D8E-5C21-44CF-88B4-F0A2D466E043} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => %SystemRoot%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery (No File)
      Task: {1A793F00-F97B-428A-8963-F4B1118CBAEE} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => %SystemRoot%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery (No File)
      Task: {9A789A97-DE78-46CF-9163-6F9E23B559B1} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => %windir%\ehome\MCUpdate.exe -pscn 0 (No File)
      Task: {2183BFE5-4329-40F4-8A9D-C53244CAC165} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => %SystemRoot%\ehome\mcupdate.exe -PvrRecoveryTask (No File)
      Task: {91CC317A-B720-482D-BEE7-D9F25F0FD773} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => %SystemRoot%\ehome\mcupdate.exe -PvrSchedule (No File)
      Task: {E394741E-C4AD-4E3B-B0CA-E403EEE20BAA} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => %SystemRoot%\ehome\ehrec /RestartRecording (No File)
      Task: {381A8673-B576-4AB8-95F1-DC99CF561C00} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => %SystemRoot%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0) (No File)
      Task: {3BEE19E5-67EC-4563-BF63-FE89F704316E} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => %SystemRoot%\ehome\ehPrivJob.exe /DoReindexSearchRoot (No File)
      Task: {6B34BB93-5EF8-407B-AB1D-17F2D65B30EA} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => %SystemRoot%\ehome\mcupdate.exe -SqlLiteRecoveryTask (No File)
      Task: {DA44B33B-AC1F-41F5-B95D-8F686BE929EE} - System32\Tasks\Microsoft\Windows\Media Center\StartRecording => %SystemRoot%\ehome\ehrec /StartRecording (No File)
      Task: {AAA61D29-CF9C-488F-9E9F-30252612D69E} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => %SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0) (No File)
      Task: {B6BCB4E1-4114-4150-BE26-CE5DC04DE4BC} - System32\Tasks\Microsoft\Windows\rempl\shell => %ProgramFiles%\rempl\sedlauncher.exe (No File)
      Task: {862DFBA4-23F4-41E6-A5DD-A3EE59B73024} - System32\Tasks\Safer-Networking\Spybot Anti-Beacon\Refresh Anti-Beacon immunization => "C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\Spybot3AntiBeacon.exe" /apply /silent /atlogon (No File)
      FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
      unlock: C:\Program Files (x86)\Safer-Networking Ltd
      unlock: C:\Program Files\Common Files\AVAST Software
      unlock: C:\Program Files\Microsoft Security Client
      unlock: C:\Program Files (x86)\IObit
      C:\Program Files (x86)\IObit
      C:\Program Files\Microsoft Security Client
      C:\Program Files (x86)\Safer-Networking Ltd
      C:\Program Files\Common Files\AVAST Software
      Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100
      Tcpip\..\Interfaces\{013b464c-8697-4c75-99ff-506f33faecca}: [DhcpNameServer] 172.18.11.1
      Tcpip\..\Interfaces\{2925c1fa-818d-4087-b6e4-fe1470812e13}: [DhcpNameServer] 194.168.4.100 194.168.8.100
      Tcpip\..\Interfaces\{5e6392e4-179a-44fc-8ee8-ff0999cbc492}: [DhcpNameServer] 194.168.4.100 194.168.8.100
      Tcpip\..\Interfaces\{6a48626b-bb9c-4aa2-9d50-d55a281d5918}: [DhcpNameServer] 194.168.4.100 194.168.8.100
      Tcpip\..\Interfaces\{bd7af2aa-0472-42f1-8119-fbbde3ff19d3}: [DhcpNameServer] 194.168.4.100 194.168.8.100
      Tcpip\..\Interfaces\{ee550c16-21cf-4ff9-a401-2758c1a38dbe}: [DhcpNameServer] 194.168.4.100 194.168.8.100
      CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 10\Extensions\gomekmidlodglbbmalcneegieacbdmki [2023-06-20]
      CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 11\Extensions\gomekmidlodglbbmalcneegieacbdmki [2023-06-27]
      CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 12\Extensions\gomekmidlodglbbmalcneegieacbdmki [2023-12-07]
      CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 13\Extensions\gomekmidlodglbbmalcneegieacbdmki [2024-02-26]
      CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\gomekmidlodglbbmalcneegieacbdmki [2024-06-05]
      CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\gomekmidlodglbbmalcneegieacbdmki [2022-01-21]
      CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\gomekmidlodglbbmalcneegieacbdmki [2022-02-24]
      CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 5\Extensions\gomekmidlodglbbmalcneegieacbdmki [2022-03-01]
      CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\gomekmidlodglbbmalcneegieacbdmki [2023-02-15]
      CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 7\Extensions\gomekmidlodglbbmalcneegieacbdmki [2023-03-17]
      CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 8\Extensions\gomekmidlodglbbmalcneegieacbdmki [2023-04-18]
      CHR Extension: (Avast Online Security & Privacy) - C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 9\Extensions\gomekmidlodglbbmalcneegieacbdmki [2023-04-25]
      S3 AppleLowerFilter; \SystemRoot\System32\drivers\AppleLowerFilter.sys [X]
      Task: {C43DE1C1-1630-4296-82DC-9BE28A3339E2} - System32\Tasks\{DAF28B77-7893-4299-9FE0-8B7FE3AC27C2} => C:\Windows\System32\pcalua.exe [88064 2024-07-09] (Microsoft Windows -> Microsoft Corporation) -> -a "C:\Program Files (x86)\IObit\Advanced SystemCare 8\unins000.exe"
      Task: C:\WINDOWS\Tasks\ASC8_SkipUac_chredge.job => C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASC.exe
      2024-07-20 13:20 - 2019-05-05 15:21 - 000000000 ____D C:\Users\DefaultAppPool.IIS APPPOOL\AppData\Roaming\IObit
      2024-07-20 13:20 - 2018-06-06 23:36 - 000000000 ____D C:\Users\ReportServer\AppData\Roaming\IObit
      2024-07-20 13:20 - 2018-06-06 23:36 - 000000000 ____D C:\Users\MSSQLServerOLAPService\AppData\Roaming\IObit
      2024-07-20 13:20 - 2018-06-06 23:36 - 000000000 ____D C:\Users\MSSQLSERVER\AppData\Roaming\IObit
      2024-07-20 13:20 - 2018-06-06 23:36 - 000000000 ____D C:\Users\MSSQLFDLauncher\AppData\Roaming\IObit
      2024-07-20 13:20 - 2018-06-06 23:36 - 000000000 ____D C:\Users\MsDtsServer110\AppData\Roaming\IObit
      2024-07-20 13:20 - 2018-06-06 23:36 - 000000000 ____D C:\Users\chredge\AppData\Roaming\IObit
      2024-07-20 13:20 - 2015-12-05 07:38 - 000000000 ____D C:\Users\chredge\AppData\LocalLow\IObit
      2024-07-20 13:20 - 2015-04-04 08:41 - 000000000 ____D C:\ProgramData\IObit
      2024-07-20 13:20 - 2015-04-04 08:41 - 000000000 ____D C:\Program Files (x86)\IObit
      2017-01-08 08:57 - 2017-01-30 19:16 - 000000347 _____ () C:\Users\chredge\AppData\Roaming\WB.CFG
      2016-07-03 12:04 - 2018-07-22 17:37 - 002128896 _____ () C:\Users\chredge\AppData\Local\file__0.localstorage
      2018-03-24 15:47 - 2018-03-24 15:47 - 000001810 _____ () C:\Users\chredge\AppData\Local\recently-used.xbel
      2017-11-11 17:58 - 2017-11-11 17:58 - 000000017 _____ () C:\Users\chredge\AppData\Local\resmon.resmoncfg
      ShortcutWithArgument: C:\Users\chredge\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\DBandT Helper.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe (Google LLC) -> --profile-directory="Profile 2" --app-id=mpnidfjngpijmjaloelmomppgpebokim
      ShortcutWithArgument: C:\Users\chredge\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9501e18d7c2ab92e\Christopher (veolia.com) - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC) -> --profile-directory="Profile 2"
      StartBatch:
      WMIC SERVICE WHERE Name="dcomlaunch" set startmode="auto"
      WMIC SERVICE WHERE Name="nsi" set startmode="auto"
      WMIC SERVICE WHERE Name="dhcp" set startmode="auto"
      WMIC SERVICE WHERE Name="rpcss" set startmode="auto"
      WMIC SERVICE WHERE Name="rpceptmapper" set startmode="auto"
      WMIC SERVICE WHERE Name="winmgmt" set startmode="auto"
      WMIC SERVICE WHERE Name="sdrsvc" set startmode="manual"
      WMIC SERVICE WHERE Name="vss" set startmode="manual"
      WMIC SERVICE WHERE Name="eventlog" set startmode="auto"
      WMIC SERVICE WHERE Name="bfe" set startmode="auto"
      WMIC SERVICE WHERE Name="eventsystem" set startmode="auto"
      WMIC SERVICE WHERE Name="msiserver" set startmode="manual"
      WMIC SERVICE WHERE Name="sstpsvc" set startmode="manual"
      WMIC SERVICE WHERE Name="rasman" set startmode="manual"
      WMIC SERVICE WHERE Name="trustedinstaller" set startmode="auto"
      net start sdrsvc
      net start vss
      net start rpcss
      net start eventsystem
      net start winmgmt
      net start msiserver
      net start bfe
      net start trustedinstaller
      "%WINDIR%\SYSTEM32\lodctr.exe" /R
      "%WINDIR%\SysWOW64\lodctr.exe" /R
      "%WINDIR%\SYSTEM32\lodctr.exe" /R
      "%WINDIR%\SysWOW64\lodctr.exe" /R
      NETSH winsock reset catalog
      NETSH int ipv4 reset reset.log
      NETSH int ipv6 reset reset.log
      ipconfig /release
      ipconfig /renew
      ipconfig /flushdns
      ipconfig /registerdns
      netsh winhttp reset proxy
      bitsadmin /list /allusers
      bitsadmin /reset /allusers
      Winmgmt /salvagerepository
      Winmgmt /resetrepository
      Winmgmt /resyncperf
      netsh advfirewall reset
      netsh advfirewall set allprofiles state on
      del /f /s /q %windir%\prefetch\*.*
      sc stop sysmain
      sc config sysmain start= disabled
      sc stop DiagTrack
      sc config DiagTrack start= disabled
      sc stop dmwappushservice
      sc config dmwappushservice start= disabled
      sc stop WSearch
      sc config WSearch start= disabled
      sc stop lfsvc
      sc config lfsvc start= disabled
      Endbatch:
      CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
      ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
      ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
      ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32
      ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder
      ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
      emptytemp:
      Reboot:
      End::

      Comment
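The fix above resets the start mode of a set of core services and removes autostart entries and scheduled tasks whose program is gone (the "(No File)" and "-> No File" lines). As an added example, written for this page and not the moderator's script nor part of FRST, here is a read-only PowerShell audit that reports the same three things, so the state can be confirmed before and after such a fix. The function names (Test-ServiceStartMode, Resolve-CommandExecutable, Get-OrphanedTaskAction, Get-OrphanedRunEntry) are assumptions, and the expected-start-mode table is taken from the StartBatch section of the fix, not from Microsoft's defaults. Run it from an elevated PowerShell 5.1 or later prompt on Windows 10; it changes nothing.

```powershell
# Added example, not from the thread and not FRST code: read-only audit of
# service start modes, orphaned scheduled-task actions and orphaned Run values.

# Expected start modes as set by the StartBatch section of the fix (assumption:
# this is the fix's intent, not Microsoft's defaults).
$ExpectedStartMode = @{
    'dcomlaunch' = 'Auto';   'nsi'          = 'Auto';   'dhcp'             = 'Auto'
    'rpcss'      = 'Auto';   'rpceptmapper' = 'Auto';   'winmgmt'          = 'Auto'
    'sdrsvc'     = 'Manual'; 'vss'          = 'Manual'; 'eventlog'         = 'Auto'
    'bfe'        = 'Auto';   'eventsystem'  = 'Auto';   'msiserver'        = 'Manual'
    'sstpsvc'    = 'Manual'; 'rasman'       = 'Manual'; 'trustedinstaller' = 'Auto'
}

function Test-ServiceStartMode {
    # Compares each service's StartMode (Auto/Manual/Disabled) with the expectation.
    param([hashtable]$Expected = $ExpectedStartMode)
    foreach ($name in $Expected.Keys) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        $actual = if ($svc) { $svc.StartMode } else { 'MISSING' }
        $state  = if ($svc) { $svc.State }     else { $null }
        [pscustomobject]@{
            Service  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            State    = $state
            Ok       = ($actual -eq $Expected[$name])
        }
    }
}

function Resolve-CommandExecutable {
    # Extracts the program path from a stored command line: a quoted path, an
    # unquoted path ending in a known extension, or the first token. For
    # 'RegSvr32.exe /s <file>' the registered file is the real target (compare
    # the V0770Ext.ax entries in the fix).
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($cl -match '(?i)^(.+?\.(exe|dll|ax|sys|bat|cmd))(\s|$)') { $exe = $Matches[1] }
    else { $exe = ($cl -split '\s+')[0] }
    if ($exe -match '(?i)regsvr32\.exe$' -and
        $cl -match '(?i)regsvr32\.exe\s+(/s\s+)?"?([^"]+?\.(ax|dll))') { $exe = $Matches[2] }
    # Bare names (cmd.exe) resolve through PATH; only rooted paths can be checked here.
    if ([System.IO.Path]::IsPathRooted($exe)) { return $exe }
    return $null
}

function Get-OrphanedTaskAction {
    # Scheduled tasks whose action runs a program that no longer exists, the
    # condition FRST reports as '-> No File'.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = Resolve-CommandExecutable $action.Execute   # $null for COM-handler actions
            if ($exe -and -not (Test-Path -LiteralPath $exe)) {
                [pscustomobject]@{ Task = "$($task.TaskPath)$($task.TaskName)"; Executable = $exe; State = $task.State }
            }
        }
    }
}

function Get-OrphanedRunEntry {
    # Run/RunOnce values (the keys the fix exports) whose program no longer exists.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($prop in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }          # provider metadata, not autostart values
            $exe = Resolve-CommandExecutable ([string]$prop.Value)
            if ($exe -and -not (Test-Path -LiteralPath $exe)) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value; Executable = $exe }
            }
        }
    }
}

Test-ServiceStartMode | Where-Object { -not $_.Ok } | Format-Table -AutoSize
Get-OrphanedTaskAction | Format-Table -AutoSize
Get-OrphanedRunEntry  | Format-Table -AutoSize
```

Run it once before applying a fix and once after: the first run should list the same orphaned tasks and Run values that FRST flagged, and the second run should list none of them and no start-mode mismatches. An entry that is orphaned today is not itself a threat, but every one of them is an autostart that a later installer or a piece of malware could quietly re-point at a file of its own, which is why the fix clears them.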

      • Ginger-Overlord
        PCHF Member
        • Jul 2024
        • 59

        #33
        Hi,

        Please find the attached Fixlog.txt

        Comment

        • Malnutrition
          PCHF Moderator
          • Jul 2016
          • 7041

          #34
          We removed a heap of garbage, we will make one more dig for trash files. How is the machine running?

          Download ZHP Suite to your desktop.
          Right Click Run as admin.
          Hit the scanner button.
          Once it is complete a file name ZHPdiag.txt will be on your desktop.
          Attach it.

          Comment

          • Ginger-Overlord
            PCHF Member
            • Jul 2024
            • 59

            #35
            Hi,

            The PC is running super-quick and super-smooth at the moment, like it’s had a new lease of life! A spring chicken again! Cheers.

            Here’s the ZHPdiag.txt

            Comment

            • Malnutrition
              PCHF Moderator
              • Jul 2016
              • 7041

              #36
              Originally posted by Ginger-Overlord
              A spring chicken again!
              :ROFLMAO:

              Let me take a look at this log will take 30 minutes or so…

              Do you use edge?
              Do you use One Drive?
              Bitlocker?
              Care for updates?

              You can disable them all with these tools.

              Edge Blocker Download Edge Blocker v2.0
              Disable One Drive. How to Disable OneDrive and Remove It From File Explorer on Windows 10
              Disable Bitlocker https://support.lenovo.com/us/en/sol...-or-windows-11
              Disable updates Windows Update Blocker v1.8

              Clean up old temp files etc Privazer Free PC cleaner & Privacy tool

              Comment

              • Malnutrition
                PCHF Moderator
                • Jul 2016
                • 7041

                #37
                Copy the content of the code box below.
                Do not copy the word code!!!
                Right Click FRST and run as Administrator.
                Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
                Attach it to your next message.
                Code:
                start::
                CreateRestorePoint:
                EmptyTemp:
                CloseProcesses:
                DeleteValue: HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION|DriverUpdate.exe
                DeleteValue: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|AceStream
                DeleteValue: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|CCleaner Smart Cleaning
                DeleteValue: HKEY_USERS\S-1-5-21-3466739526-2485095647-408758403-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|CCleaner Monitoring
                DeleteValue: HKEY_USERS\S-1-5-21-3466739526-2485095647-408758403-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|AceStream
                DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|AvastUI.exe
                DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|IObit Malware Fighter
                DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|AvastUI.exe
                DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|Wondershare Helper Compact.exe
                DeleteKey: HKLM\SOFTWARE\AVAST Software
                DeleteKey: HKLM\SOFTWARE\CoreSecurity
                DeleteKey: HKLM\SOFTWARE\WOW6432Node\Auslogics
                DeleteKey: HKLM\SOFTWARE\WOW6432Node\Symantec
                DeleteKey: HKCU\SOFTWARE\Avast Software
                DeleteKey: HKCU\SOFTWARE\AvastAdSDK
                DeleteKey: HKCU\SOFTWARE\IObit
                DeleteKey: HKCU\SOFTWARE\KasperskyLab
                DeleteKey: HKCU\SOFTWARE\Safer Networking Limited
                DeleteKey: HKCU\SOFTWARE\Safer-Networking Ltd.
                DeleteKey: HKU\.DEFAULT\SOFTWARE\IObit
                DeleteKey: HKU\.DEFAULT\SOFTWARE\Safer Networking Limited
                DeleteKey: HKU\.DEFAULT\SOFTWARE\Safer-Networking Ltd.
                DeleteKey: HKU\S-1-5-21-3466739526-2485095647-408758403-1009\SOFTWARE\Avast Software
                DeleteKey: HKU\S-1-5-21-3466739526-2485095647-408758403-1009\SOFTWARE\AvastAdSDK
                DeleteKey: HKU\S-1-5-21-3466739526-2485095647-408758403-1009\SOFTWARE\IObit
                DeleteKey: HKU\S-1-5-21-3466739526-2485095647-408758403-1009\SOFTWARE\KasperskyLab
                DeleteKey: HKU\S-1-5-21-3466739526-2485095647-408758403-1009\SOFTWARE\Safer Networking Limited
                DeleteKey: HKU\S-1-5-21-3466739526-2485095647-408758403-1009\SOFTWARE\Safer-Networking Ltd.
                DeleteKey: HKLM\System\CurrentControlSet\Services\EventLog\Reason\ReasonByteFence
                File: C:\WINDOWS\System32\drivers\ElRawDsk.sys
                File: C:\WINDOWS\System32\drivers\JitDriver.sys
                File: C:\IORRT\IORRT.bat
                VirusTotal: C:\WINDOWS\System32\drivers\JitDriver.sys
                C:\Users\chredge\AppData\Local\AVAST Software
                C:\ProgramData\Driver Support
                C:\ProgramData\McAfee
                C:\ProgramData\Trend Micro
                C:\Program Files (x86)\Common Files\IObit
                C:\Users\chredge\AppData\Local\Safer-Networking Ltd
                emptytemp:
                Reboot:
                End::

                Security Check Scan.

                • Download Security Check to your desktop.
                • Right click it, run as administrator.
                • When the program completes, the tool will automatically open a log file.
                • Please copy and paste that log here in your next post.
                • There will be items listed in red when you post this log; those items need to be updated.

                Comment

                • Ginger-Overlord
                  PCHF Member
                  • Jul 2024
                  • 59

                  #38
                  Hi again,

                  The Fixlog you asked for is attached.

                  Here is the SecurityChecklist.txt:

                  SecurityCheck by glax24 & Severnyj v.1.4.0.57 [24.01.24]
                  WebSite: www.safezone.cc
                  DateLog: 20.07.2024 21:28:51
                  Path starting: C:\Users\chredge\AppData\Local\Temp\SecurityCheck\ SecurityCheck.exe
                  Log directory: C:\SecurityCheck
                  IsAdmin: True
                  User: chredge
                  VersionXML: 12.38is-14.07.2024


                  Windows 10(6.3.19045) (x64) Core Release: 2009 Lang: English(0409)
                  Installation date OS: 22.04.2021 17:10:26
                  LicenseStatus: Windows(R), Core edition The machine is permanently activated.
                  Boot Mode: Normal
                  Default Browser: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  SystemDrive: C: FS: [NTFS] Capacity: [465.3 Gb] Used: [231.7 Gb] Free: [233.6 Gb]
                  ------------------------------- [ Windows ] -------------------------------
                  User Account Control enabled (Level 2)
                  Automatically download and schedule installation
                  Security Center (wscsvc) - The service is running
                  Remote Registry (RemoteRegistry) - The service has stopped
                  SSDP Discovery (SSDPSRV) - The service is running
                  Remote Desktop Services (TermService) - The service has stopped
                  Windows Remote Management (WS-Management) (WinRM) - The service has stopped
                  ---------------------------- [ Antivirus_WMI ] ----------------------------
                  Windows Defender (enabled and up to date)
                  --------------------------- [ FirewallWindows ] ---------------------------
                  Windows Defender Firewall (mpssvc) - The service is running
                  ---------------------- [ AntiVirusFirewallInstall ] -----------------------
                  Malwarebytes version 5.1.6.117 v.5.1.6.117
                  --------------------------- [ OtherUtilities ] ----------------------------
                  AMD Software v.23.7.2 Warning! Download Update
                  Microsoft SQL Server 2012 (64-bit) Warning! This software is no longer supported.
                  Microsoft SQL Server 2012 Native Client v.11.2.5388.0 Warning! This software is no longer supported.
                  LibreOffice 7.1.5.2 v.7.1.5.2 Warning! Download Update
                  Microsoft .NET Framework 4.5.1 v.4.5.50938 Warning! Download Update
                  Microsoft SQL Server 2012 RsFx Driver v.11.2.5058.0 Warning! This software is no longer supported.
                  Microsoft SQL Server 2008 Setup Support Files v.10.1.2731.0 Warning! This software is no longer supported.
                  Microsoft SQL Server 2012 Setup (English) v.11.2.5388.0 Warning! This software is no longer supported.
                  Microsoft SQL Server 2012 T-SQL Language Service v.11.0.2100.60 Warning! This software is no longer supported.
                  Microsoft SQL Server 2012 Data-Tier App Framework v.11.1.2818.0 Warning! This software is no longer supported.
                  Microsoft SQL Server 2012 Transact-SQL ScriptDom v.11.2.5058.0 Warning! This software is no longer supported.
                  Microsoft SQL Server 2012 Management Objects (x64) v.11.0.2100.60 Warning! This software is no longer supported.
                  Microsoft SQL Server 2012 Transact-SQL Compiler Service v.11.2.5388.0 Warning! This software is no longer supported.
                  Microsoft Edge WebView2 Runtime v.126.0.2592.113
                  Steam v.1.0.0.0 Warning! Download Update
                  Microsoft SQL Server 2008 R2 Management Objects v.10.51.2500.0 Warning! This software is no longer supported.
                  Microsoft SQL Server 2012 Management Objects v.11.0.2100.60 Warning! This software is no longer supported.
                  Microsoft SQL Server 2012 Policies v.11.2.5058.0 Warning! This software is no longer supported.
                  ------------------------------ [ ArchAndFM ] ------------------------------
                  WinRAR 5.70 (64-bit) v.5.70.0 Warning! Download Update
                  ------------------------------- [ Imaging ] -------------------------------
                  paint.net v.5.0.13
                  -------------------------------- [ Java ] ---------------------------------
                  Java 8 Update 162 v.8.0.1620.12 Warning! Download Update
                  Uninstall old version and install new one (jre-8u411-windows-i586.exe).
                  -------------------------------- [ Media ] --------------------------------
                  VLC media player v.3.0.10 Warning! Download Update
                  --------------------------- [ AdobeProduction ] ---------------------------
                  swMSM v.12.0.0.1 << Hidden Warning! This software is no longer supported. Please uninstall it.
                  ------------------------------- [ Browser ] -------------------------------
                  Mozilla Firefox (x64 en-GB) v.128.0
                  Google Chrome v.126.0.6478.128
                  Microsoft Edge v.126.0.2592.113
                  ------------------ [ AntivirusFirewallProcessServices ] -------------------
                  Malwarebytes Service (MBAMService) - The service is running
                  C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe v.3.2.0.1306
                  C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24060.7-0\MsMpEng.exe v.4.18.24060.7
                  C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24060.7-0\NisSrv.exe v.4.18.24060.7
                  Microsoft Defender Antivirus Service (WinDefend) - The service is running
                  Microsoft Defender Antivirus Network Inspection Service (WdNisSvc) - The service is running
                  ---------------------------- [ UnwantedApps ] -----------------------------
                  PrivaZer v.4.0.90.0 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering. Computer experts no longer recommend this program.
                  AppNHost 1.0.5.1 v.1.0.5.1 Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware and Malwarebytes AdwCleaner. Before uninstallation and scanning it is necessary to consult in the forum where cure is provided for you!!!
                  ----------------------------- [ End of Log ] ------------------------------

                  Comment

                  • Malnutrition
                    PCHF Moderator
                    • Jul 2016
                    • 7041

                    #39
                    Make sure and update everything you can as per log. Or use Patch My PC Home
                    Remove Anything you do not want on the machine with GeekUninstaller.

                    This file comes back as malicious when I run the MD5 at VirusTotal. I want to be sure before we remove anything, so I’ll have you manually scan it.

                    Upload to VT

                    Upload Files to VirusTotal

                    • Please go to VirusTotal.
                    • Click the Choose File button.
                    • Navigate to C:\WINDOWS\System32\drivers\ElRawDsk.sys or simply copy and paste it.
                    • Click the Scan it! button.
                    • You might see a message saying File already analysed; if you do, click Reanalyse.
                    • Wait for all the scans to finish, then copy and paste the web address from your browser’s address bar.
                      Example of web address: [image VirusTotalresultslink.jpg: http://i526.photobucket.com/albums/c...esultslink.jpg]
                    • Include the link in your next reply.

                    Are there any more issues to speak of?

                    You recognize these?

                    CHR Extension: (Bomgar Remote Support) -
                    C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\ipfljipbjloahhabacnofonhfbddnajm [2021-12-10]

                    FF Plugin HKU\S-1-5-21-3466739526-2485095647-408758403-1009: temasys.com.sg/TemWebRTCPlugin → C:\Users\chredge\AppData\Roaming\Tem\TemWebRTCPlugin\0.8.902\npTemWebRTCPlugin.dll [2017-10-26] (Temasys Communications Pte Ltd → Temasys)
                    StartMenuInternet: FIREFOX.EXE - firefox.exe

                    Comment

                    • Ginger-Overlord
                      PCHF Member
                      • Jul 2024
                      • 59

                      #40
                      Hi,

                      Cheers for your ongoing help this evening, really appreciate it!

                      I will have to go bed soon, so I will perform your requests tomorrow morning and update you.

                      Good night and thanks again.

                      Comment

                      • Malnutrition
                        PCHF Moderator
                        • Jul 2016
                        • 7041

                        #41
                        No problem. I’ll be around; glad the computer is running better.

                        Comment

                        • Ginger-Overlord
                          PCHF Member
                          • Jul 2024
                          • 59

                          #42
                          Hi,

                          Just using virustool.com. I’ve navigated to C:\WINDOWS\System32\drivers\ElRawDsk.sys
                          but I don’t see a scan button to select…

                          (attachment 14002)

                          Comment

                          • Malnutrition
                            PCHF Moderator
                            • Jul 2016
                            • 7041

                            #43
                            (attachment 14003)

                            Comment

                            • Malnutrition
                              PCHF Moderator
                              • Jul 2016
                              • 7041

                              #44
                              Let’s do this, Boot into safe mode and then rename the driver from
                              C:\WINDOWS\System32\drivers\ElRawDsk.sys

                              To:
                              C:\WINDOWS\System32\drivers\ElRawDsk.BAK

                              This will disable the driver without ripping it out of the system, since I do not know what program it is appended to.

                              I am not sure what program that driver is attached to, and if this is a false positive it will cause that program to not work. This way you can re-enable it if a program breaks or it causes system instability; if it is malicious and there is no ill effect, we can remove it after you test the machine for a while.

                              Hit the Windows key and R at the same time, copy and paste C:\WINDOWS\System32\drivers into the Run box, hit Enter, then find the ElRawDsk.sys driver, rename it, then boot back into normal mode.

                              https://pchelpforum.net/r/how-to-boo...safe-mode.233/

                              Comment

                              • Malnutrition
                                PCHF Moderator
                                • Jul 2016
                                • 7041

                                #45
                                You can rename the file with command prompt as well.

                                You will need to boot into safe mode as mentioned before.

                                Open an elevated command prompt.
                                Copy and paste the line below, then hit Enter. It will not work in normal mode, as the driver is running.
                                ren "C:\WINDOWS\System32\drivers\ElRawDsk.sys" "ElRawDsk.BAK"

                                You recognize these; they are both programs that allow remote support. Combined with the file above, they could be used in conjunction for malicious activity. Although the programs are legit, it is just a matter of whether you installed them or not.

                                CHR Extension: (Bomgar Remote Support) -
                                C:\Users\chredge\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\ipfljipbjloahhabacnofonhfbddnajm [2021-12-10]
                                Bomgar Remote Support, now known as BeyondTrust Remote Support, is a comprehensive remote access and support solution designed to enable IT support teams to securely connect to and troubleshoot devices from virtually anywhere in the world. This software allows technicians to remotely access and control computers, mobile devices, servers, and other endpoints across various operating systems including Windows, macOS, Linux, iOS, and Android.

                                FF Plugin HKU\S-1-5-21-3466739526-2485095647-408758403-1009: temasys.com.sg/TemWebRTCPlugin → C:\Users\chredge\AppData\Roaming\Tem\TemWebRTCPlugin\0.8.902\npTemWebRTCPlugin.dll [2017-10-26] (Temasys Communications Pte Ltd → Temasys)
                                StartMenuInternet: FIREFOX.EXE - firefox.exe
                                This plugin allows users to engage in real-time audio and video communication, as well as data sharing directly through their web browsers without the need for additional software installations.

                                C:\WINDOWS\System32\drivers\ElRawDsk.sys
                                This driver allows applications to access raw disk data directly, bypassing the standard security restrictions imposed by the Windows operating system. It enables user-mode applications to read and write to hard-drive and flash-disk partitions at a low level, which can be particularly useful for forensic analysis, data recovery, and undelete operations.

                                Comment
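An added PowerShell example, not from the thread or the forum's own guidance, that carries out the steps from the two posts above in one go from an elevated prompt: it records the driver's hashes and Authenticode status (a SHA256 lookup on VirusTotal returns the same verdict page as uploading the file), checks whether the driver is loaded and whether Windows booted into safe mode, and only then renames it to .BAK so the change stays reversible. The driver path is the one named in the thread; the PowerShell 5.1+ environment and the elevated prompt are assumptions.

```powershell
# Added example (not part of the thread): inspect, record and reversibly disable
# the driver named in the posts above. Assumes an elevated PowerShell 5.1+ prompt.
$DriverPath = 'C:\WINDOWS\System32\drivers\ElRawDsk.sys'   # path from the thread
$BackupPath = [System.IO.Path]::ChangeExtension($DriverPath, '.BAK')
$Leaf       = Split-Path -Path $DriverPath -Leaf

if (-not (Test-Path -LiteralPath $DriverPath)) {
    Write-Host "Driver not present: $DriverPath"
    return
}

# 1. Evidence first: hashes and Authenticode status. A SHA256 lookup on VirusTotal
#    gives the same verdict page as uploading, without sending the file anywhere.
$Hashes = 'MD5', 'SHA256' | ForEach-Object {
    Get-FileHash -LiteralPath $DriverPath -Algorithm $_
}
$Hashes | Format-Table Algorithm, Hash -AutoSize
$Sig    = Get-AuthenticodeSignature -FilePath $DriverPath
$Signer = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { 'none' }
Write-Host "Authenticode: $($Sig.Status) / signer: $Signer"

# 2. Is the driver loaded right now? Win32_SystemDriver lists kernel drivers with
#    their image path and State ('Running' or 'Stopped').
$Loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*\$Leaf" -and $_.State -eq 'Running' }
if ($Loaded) {
    Write-Host ("Loaded as service '{0}' ({1})" -f $Loaded.Name, $Loaded.DisplayName)
}

# 3. Safe-mode check: BootupState reads 'Fail-safe boot' (or 'Fail-safe with network
#    boot') in safe mode and 'Normal boot' otherwise.
$Boot = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
if ($Loaded -or $Boot -notlike 'Fail-safe*') {
    Write-Warning "Driver is loaded or system is in '$Boot'; reboot into safe mode and rerun."
    return
}

# 4. Rename rather than delete, so the change can be undone if a program breaks.
Rename-Item -LiteralPath $DriverPath -NewName (Split-Path -Path $BackupPath -Leaf)
Write-Host "Renamed to $BackupPath. To restore: Rename-Item -LiteralPath '$BackupPath' -NewName '$Leaf'"
```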
