
Solved: On boot up I get "there is no file extension in c:\users\****"

That may indicate malicious activity. Please post the two logs requested in the link below, after running FRST.


 
Hi, yeah, will do.
I will mention I ran a Windows Security offline scan last night and that too found nothing.
So this file is hiding itself even from a Malwarebytes scan.
Thanks, will post back.
 
Thanks, they are attached. I have never used Farbar; some of the apps/programs on that list are not on my PC anymore, so there must be remnants remaining from when they were uninstalled.
 

Attachments: Addition.txt (46.2 KB), FRST.txt (28.3 KB)
The logs have been modified. Pieces are missing. FirewallRules: [{911CB2CE-C3DA-41D7-

Did you delete?

Also, what programs remain that you see trails of?






Copy the content of the code box below.
Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.

Code:
Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
RemoveProxy:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKU\S-1-5-21-2192984707-2358445379-1302979691-1001\...\Run: [MicrosoftEdgeAutoLaunch_242E4C524F052A377EE29368EB4D3ABC] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start [3854376 2023-12-14] (Microsoft Corporation -> Microsoft Corporation)
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Task: {27E20D5D-9228-4E1F-9C4C-1490F57B700A} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1566200 2023-09-20] (Adobe Inc. -> Adobe Inc.)
Task: {CD88E278-C214-4B25-B085-8D4FEB600954} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [714256 2023-12-05] (PIRIFORM SOFTWARE LIMITED -> Piriform Software Ltd)
Task: {9F9D260B-C808-4246-97E5-D0F4A3F54672} - System32\Tasks\CCleanerCrashReporting => C:\Program Files\CCleaner\CCleanerBugReport.exe [4703648 2023-12-05] (PIRIFORM SOFTWARE LIMITED -> Piriform Software) -> --product 90 --send dumps|report --path "C:\Program Files\CCleaner\LOG" --programpath "C:\Program Files\CCleaner" --guid "9880bd83-8eb4-46b7-8ec2-1df5113133a5" --version "6.19.10858" --silent
Task: {F993FA91-8686-4B05-B094-5605685844E3} - System32\Tasks\CCleanerSkipUAC - mart d => C:\Program Files\CCleaner\CCleaner.exe [37458848 2023-12-05] (PIRIFORM SOFTWARE LIMITED -> Piriform Software Ltd)
Task: {D8B8A6DD-7C26-4852-B7E4-37E056F91A7C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156968 2019-03-15] (Google Inc -> Google Inc.)
Task: {DEF0F1A1-D249-41CF-A48A-50AB245F97AA} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156968 2019-03-15] (Google Inc -> Google Inc.)
Task: {491E0665-D717-429E-87E8-0AC6FA1B5A2A} - System32\Tasks\MicrosoftEdgeUpdateTaskMachineId => C:\WINDOWS\system32\wscript.exe [170496 2023-10-13] (Microsoft Windows -> Microsoft Corporation) -> C:\Users\mart d\AppData\Local\Microsoft\Windows\Explorer\SQLite.flush.vbs
Task: {4382CDDC-38DE-4CFB-B79F-9F4566E572BA} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-2192984707-2358445379-1302979691-1002 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  /reporting (No File)
Task: {2C6EBBB6-2667-4854-924D-F2A5E61503F6} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2192984707-2358445379-1302979691-1002 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  (No File)
Task: {F99E7810-7494-4F8A-8824-BF1E57DFA900} - System32\Tasks\Toolbox.exe_{6BAEEA95-59DA-4381-8DA4-2C6C2511F44E} => C:\Program Files\HP\HP DeskJet 2600 series\Bin\Toolbox.exe  CN83T5N5VF06PX:USB -cmd setup -virtualalerts off (No File)
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{0b3a9198-49ac-43d1-86c4-a64235e3c100}: [DhcpNameServer] 194.168.4.100 194.168.8.100
S4 AdobeARMservice; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [173040 2023-09-20] (Adobe Inc. -> Adobe Inc.)
CustomCLSID: HKU\S-1-5-21-2192984707-2358445379-1302979691-1001_Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\localserver32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2192984707-2358445379-1302979691-1001_Classes\CLSID\{24734139-2E14-88F8-FDDF-194FDB2B19C4}\InprocServer32 -> no filepath
C:\WINDOWS\system32\drivers\etc\hosts
Hosts:
FirewallRules: [{34823CB6-96DB-4289-B863-8341773A43CC}] => (Allow) LPort=1688
FirewallRules: [{F6942558-C91A-465B-9B20-1D4DDCC134FA}] => (Allow) LPort=5357
FirewallRules: [{AB58FCF7-F90F-4725-9F39-686DCB38D0C3}] => (Allow) LPort=1688
VirusTotal: C:\Users\mart d\AppData\Roaming\msregsvv.dll
C:\WINDOWS\system32\drivers\etc\hosts.ics
C:\Windows\system32\drivers\etc\hosts
Hosts:
cmd: net stop bits
Move: C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db.old
cmd: net start bits
cmd:  bitsadmin /list /allusers
CMD: del /f /s /q %windir%\prefetch\*.*
CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
CMD: del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"
cmd: del /s /q "%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Cache\*.*"
cmd: del /s /q "%userprofile%\AppData\Local\Opera Software\Opera Stable\Cache\Cache_Data\*.*"
CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
CMD: ipconfig /flushdns
C:\Windows\Temp\*.*
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
emptytemp:
ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32
ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder
ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
Folder: C:\Windows\System32\Tasks
Reboot:
End::


Download Malwarebytes v4. Install and run.


  • Once the MBAM dashboard opens, click on Settings (gear icon).
  • Click on Security tab and make sure that all four Scan options are enabled.
  • Close Settings and click on the Scan button on the dashboard.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button and save the file as a Text file to your desktop.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and include that log on your next reply.
 
No, I didn't delete firewall rules. I don't really use the firewall; I may have on the BS5 game.

Where do I paste the code?
Took a while to download Farbar; Windows SmartScreen kept popping up and stopping it downloading.
 
You don't paste anything. Copy the entire code, right click FRST, run as admin and hit Fix. The tool does the work. It was designed that way because, over the years, people did not understand the process; it was simplified by the creator of the tool to make the helper's job easier.
 
Hi, well you know what, MWB found nothing but the CODE run with FRST has FIXED the problem!!!!!!!
That's just great.
Logs attached.
Thanks
 

Attachments: Fixlog.txt (352.2 KB), MWB Scan.txt (1.2 KB)
It was this scheduled task that was the issue.

Task: {491E0665-D717-429E-87E8-0AC6FA1B5A2A} - System32\Tasks\MicrosoftEdgeUpdateTaskMachineId => C:\WINDOWS\system32\wscript.exe [170496 2023-10-13] (Microsoft Windows -> Microsoft Corporation) -> C:\Users\mart d\AppData\Local\Microsoft\Windows\Explorer\SQLite.flush.vbs


In the FRST script I sent this file to VirusTotal. Although nothing turned up on the scanners, I am a bit suspicious of this file. Open the file location and rename it to .bak instead of .dll; if any issues arise, rename it back to .dll. It is not a Windows file, so it will not break the system.

C:\Users\mart d\AppData\Roaming\msregsvv.dll



Also, this part of the log is missing; was it deleted by you by mistake? I'd like to know what the entry was....

[attached screenshot: 1703207028707.png]



What is this in your startup folder?

[HKU\S-1-5-21-2192984707-2358445379-1302979691-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]

"Lync"="03000000e21730c1074ad501"



There are remnants of Avira.

C:\Windows\System32\Tasks\Avira\System Speedup
C:\Windows\System32\Tasks\Avira


BitLocker is running on your machine and is known to slow a computer.
As well, if you do not use OneDrive....




SppExtComObjHook.dll is a file that is installed on a system when the user runs software crack tools (AutoKMS) and other license activators intended to crack MS Windows and/or MS Office. Are you aware of this?

"C:\WINDOWS\System32\SppExtComObjPatcher.exe"="0"
"C:\WINDOWS\System32\SppExtComObjHook.dll"="0"
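Two of the entries called out above are worth being able to check mechanically: the scheduled task whose action is wscript.exe running a .vbs from under AppData, and the StartupApproved\Run value for "Lync". The Python below is an added example written for this thread; it is not the forum's, FRST's or Farbar's own code. It assumes the Task: line layout is the one shown in the fix list in this thread (the regex is written against those lines), and it assumes the commonly documented layout of StartupApproved values: a 4-byte little-endian flag (0x02 = enabled, 0x03 = disabled) followed by an 8-byte FILETIME recording when the entry was last toggled. The sample task lines are copied from the fix list above.

```python
"""Triage helpers for FRST 'Task:' lines and StartupApproved registry values.

Added example for this thread (not FRST's own code). Assumptions:
  - Task: lines follow the layout seen in the fix list above.
  - StartupApproved values are 12 bytes: DWORD flag (2 enabled, 3 disabled)
    followed by a FILETIME (100 ns ticks since 1601-01-01 UTC).
"""
import re
import struct
from datetime import datetime, timedelta, timezone

# Task: lines copied from the thread's fix list; the first is the culprit.
SAMPLE_TASK_LINES = [
    r"Task: {491E0665-D717-429E-87E8-0AC6FA1B5A2A} - System32\Tasks\MicrosoftEdgeUpdateTaskMachineId => C:\WINDOWS\system32\wscript.exe [170496 2023-10-13] (Microsoft Windows -> Microsoft Corporation) -> C:\Users\mart d\AppData\Local\Microsoft\Windows\Explorer\SQLite.flush.vbs",
    r"Task: {D8B8A6DD-7C26-4852-B7E4-37E056F91A7C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156968 2019-03-15] (Google Inc -> Google Inc.)",
    r'Task: {9F9D260B-C808-4246-97E5-D0F4A3F54672} - System32\Tasks\CCleanerCrashReporting => C:\Program Files\CCleaner\CCleanerBugReport.exe [4703648 2023-12-05] (PIRIFORM SOFTWARE LIMITED -> Piriform Software) -> --product 90 --send dumps|report --path "C:\Program Files\CCleaner\LOG" --programpath "C:\Program Files\CCleaner" --guid "9880bd83-8eb4-46b7-8ec2-1df5113133a5" --version "6.19.10858" --silent',
    r"Task: {4382CDDC-38DE-4CFB-B79F-9F4566E572BA} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-2192984707-2358445379-1302979691-1002 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  /reporting (No File)",
]

# Layout: Task: {id} - System32\Tasks\<name> => <action> [size date] (signer) -> <args>
TASK_RE = re.compile(
    r"^Task: \{(?P<id>[0-9A-Fa-f-]+)\} - System32\\Tasks\\(?P<name>.+?) => "
    r"(?P<action>.+?)(?: \[\d+ \d{4}-\d{2}-\d{2}\])? \((?P<signer>[^)]*)\)"
    r"(?: -> (?P<args>.+))?$"
)
EXE_RE = re.compile(r"([^\\/]+\.exe)\b", re.IGNORECASE)

# Interpreters that run whatever file they are handed; a vendor updater
# task normally points at the vendor's own signed binary, not at these.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Locations an ordinary user account can write to without elevation.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\",
                 "%localappdata%", "%appdata%", "%temp%")


def _payload(m):
    """The file the task's host executes: explicit args, or text after the exe."""
    if m.group("args"):
        return m.group("args")
    action = m.group("action")
    exe = EXE_RE.search(action)
    return action[exe.end():] if exe else action


def triage_tasks(lines):
    """Return the Task: entries that look like a script-host persistence entry."""
    hits = []
    for line in lines:
        m = TASK_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.search(m.group("action"))
        host = exe.group(1).lower() if exe else ""
        payload = _payload(m)
        reasons = []
        if host in SCRIPT_HOSTS:
            if any(p in payload.lower() for p in USER_WRITABLE):
                reasons.append("script host runs a file from a user-writable path")
            if "update" in m.group("name").lower():
                reasons.append("task name imitates a vendor updater but the action is a script host")
        if reasons:
            hits.append({"task": m.group("name"), "host": host,
                         "payload": payload.strip(), "reasons": reasons})
    return hits


FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_startup_approved(hex_value):
    """Decode a StartupApproved\\Run value such as "03000000e21730c1074ad501".

    Assumed layout: little-endian DWORD flag (2 = enabled, 3 = disabled)
    followed by a FILETIME of when the entry was last toggled (0 if never).
    """
    raw = bytes.fromhex(hex_value)
    if len(raw) != 12:
        raise ValueError("expected 12 bytes (DWORD flag + FILETIME)")
    flag, ticks = struct.unpack("<IQ", raw)
    changed_at = FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks else None
    return {"flag": flag, "enabled": flag == 2, "disabled": flag == 3,
            "changed_at": changed_at}


if __name__ == "__main__":
    for hit in triage_tasks(SAMPLE_TASK_LINES):
        print(hit["task"], "->", hit["host"], hit["payload"], "|", "; ".join(hit["reasons"]))
    print(decode_startup_approved("03000000e21730c1074ad501"))
```

Run against the four sample lines, only MicrosoftEdgeUpdateTaskMachineId is reported: its host is wscript.exe and the script lives under C:\Users\...\AppData, while the real Google, CCleaner and OneDrive tasks point at vendor executables and are left alone. Decoding the "Lync" value gives flag 3, i.e. the Lync startup entry was already disabled (the FILETIME places the change in August 2019), which is consistent with it being a leftover from an old Office install rather than something running at boot.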
 
Hi, no idea about the firewall. I have FL20 and the game Modern Warfare blocked, FL 20. I don't know what the other file is; I'll see if I can find it.

"Lync": never seen it, dunno what it is. Should I delete it?

KMS was for Office 16 but I thought I'd removed it as I changed over to LibreOffice.

Avira I had installed at one time because Defender wouldn't run on its own; it would only do an on-demand scan.

No, I didn't know BitLocker was running; no, I don't use OneDrive.

Lot to look into there.
 
Ok, we are gonna remove the remnants of Avira and KMS, then we will reset the firewall. Let's use one more software tool to give me a look at other areas of the machine.

Download ZHP Suite to your desktop.
Right click, Run as admin.
Hit the scanner button.
Once it is complete a file named ZHPdiag.txt will be on your desktop.
Attach it.
 
Hi, ZHP Suite doesn't download; it sits there saying getting files together for 30 mins.

One problem solved, now I have another: Google Chrome has suddenly defaulted back to default, I've lost all my bookmarks.
Google tells me there's a backup in C:\users\name\appdata\local\Google\Chrome\user data\default
The folder's empty.
Has this anything to do with FRST?
 
We deleted the cache data from within Chrome. This is standard practice when I help users; you can see this command only deletes the cache.

CMD: del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"

This would be a first if your bookmarks were deleted, which is not indicated in the Fixlog; you can look there and see everything that was deleted from your machine via FRST.



Zhp uploaded for you.
 

Attachments: ZHPSuite.zip (2.9 MB)
Hi, yeah, it's the loss of the bookmarks that's annoyed me, but not only that, it's a full reset of Chrome: no browser extensions or history.
50% redone today adding bookmarks; it was just something I've not seen before.

My son came today, he's a bit more PC savvy than me, so he:
  • Renamed the suspicious msregsvv.dll to .bak
  • Removed the Avira remnants
  • Turned off BitLocker
  • Removed the two AutoKMS files
He's not sure if "Lync" in Windows startup isn't something to do with MS Office.

Anyway, I'm going to say this is resolved. I can only thank you for your help, and I've learnt along the way some good tools that can be put to use.

I will be travelling to my daughter's today to spend Christmas 🎄 with her and my grandson.

Hope you have a good Christmas and Happy New Year.
Thank you once again 😁
 