Solved "Redline Stealer" infection

Status: Not open for further replies.
Download RogueKiller and install the program.
Once downloaded and installed, right click and run as admin.
Click the Check for updates button.
Go to scan settings, then slide the MalPE option to the right to activate it.
Then go to Scan and start a full scan on your machine.
Then click Report when the scan completes.
Under Share my report, click Open, then select Text file.
Copy it and paste the results here.
Make sure you do not remove anything detected until I see the log, please.

Download Autologger to your desktop.
Disable your Antivirus/Defender prior to running it.


  • Unzip it there. If you are unsure how to unzip a program, use http://www.7-zip.org/
  • Right click Autologger and run as admin. (XP users: double-click.)
  • AVZ4 will open and scan your machine; allow this to complete.
  • Upload Collectionlog.zip in your next reply.
 
Code:
Program            : RogueKiller Anti-Malware
Version            : 15.12.1.0
x64                : Yes
Program Date       : Sep 18 2023
Location           : C:\Program Files\RogueKiller\RogueKiller64.exe
Premium            : No
Company            : Adlice Software
Website            : https://www.adlice.com/
Contact            : https://adlice.com/contact/
Website            : https://adlice.com/download/roguekiller/
Operating System   : Windows 10 (10.0.19045) 64-bit
64-bit OS          : Yes
Startup            : 0
WindowsPE          : No
User               : Bohauo
User is Admin      : Yes
Date               : 2023/09/22 12:29:51
Type               : Scan
Aborted            : No
Scan Mode          : Standard
Duration           : 859
Found items        : 7
Total scanned      : 124277
Signatures Version : 20230918_094309
Truesight Driver   : Yes
Updates Count      : 14

************************* Warnings *************************

************************* Updates *************************
CPUID CPU-Z 1.99 (64-bit), version 1.99
  [+] Available Version        : 2.07
  [+] Size                     : 4,96 MB
  [+] Wow6432                  : No
  [+] Portable                 : No
  [+] update_location          : C:\Program Files\CPUID\CPU-Z\

HWiNFO64 Version 6.28 (64-bit), version 6.28
  [+] Available Version        : 7.62
  [+] Size                     : 5,27 MB
  [+] Wow6432                  : No
  [+] Portable                 : No
  [+] update_location          : C:\Program Files\HWiNFO64\

Notepad++ (64-bit x64) (64-bit), version 8.5.6
  [+] Available Version        : 8.5.7
  [+] Size                     : 16,6 MB
  [+] Wow6432                  : No
  [+] Portable                 : No

VLC media player (64-bit), version 3.0.16
  [+] Available Version        : 3.0.18
  [+] Wow6432                  : No
  [+] Portable                 : No
  [+] update_location          : D:\Program\VideoLAN\VLC

Malwarebytes version 4.6.1.280 (64-bit), version 4.6.1.280
  [+] Available Version        : 4.6.2
  [+] Wow6432                  : No
  [+] Portable                 : No
  [+] update_location          : C:\Program Files\Malwarebytes\Anti-Malware

ImageGlass (64-bit), version 8.7.11.6
  [+] Available Version        : 8.9.6.9
  [+] Size                     : 44,8 MB
  [+] Wow6432                  : No
  [+] Portable                 : No
  [+] update_location          : C:\Users\bohau\AppData\Local\Programs\ImageGlass\

paint.net (64-bit), version 5.0.7
  [+] Available Version        : 5.0.9
  [+] Size                     : 208 MB
  [+] Wow6432                  : No
  [+] Portable                 : No

LibreOffice 7.4.0.3 (64-bit), version 7.4.0.3
  [+] Available Version        : 7.6.1
  [+] Size                     : 831 MB
  [+] Wow6432                  : No
  [+] Portable                 : No
  [+] update_location          : D:\Program\LibreOffice\

Oracle VM VirtualBox 6.1.12 (64-bit), version 6.1.12
  [+] Available Version        : 7.0.10
  [+] Size                     : 216 MB
  [+] Wow6432                  : No
  [+] Portable                 : No

Google Chrome (32-bit), version 116.0.5845.188
  [+] Available Version        : 117.0.5938.89
  [+] Wow6432                  : Yes
  [+] Portable                 : No
  [+] update_location          : C:\Program Files\Google\Chrome\Application

K-Lite Mega Codec Pack 17.7.1 (32-bit), version 17.7.1
  [+] Available Version        : 17.8.0
  [+] Size                     : 168 MB
  [+] Wow6432                  : Yes
  [+] Portable                 : No
  [+] update_location          : C:\Program Files (x86)\K-Lite Codec Pack\

Ubisoft Connect (32-bit), version 2.0.0.0
  [+] Available Version        : 145.1.0.10933
  [+] Wow6432                  : Yes
  [+] Portable                 : No
  [+] update_location          : D:\Program\Ubisoft\Ubisoft Game Launcher\

Spotify (64-bit), version 1.2.16.947.gcfbaa410
  [+] Available Version        : 1.2.18.999.g9b38fc27
  [+] Wow6432                  : No
  [+] Portable                 : No
  [+] update_location          : C:\Users\bohau\AppData\Roaming\Spotify

Microsoft Visual Studio Code (User) (64-bit), version 1.45.1
  [+] Available Version        : 1.82
  [+] Size                     : 234 MB
  [+] Wow6432                  : No
  [+] Portable                 : No
  [+] update_location          : C:\Users\bohau\AppData\Local\Programs\Microsoft VS Code\


************************* Processes *************************

************************* Modules *************************

************************* Services *************************

************************* Scheduled Tasks *************************

************************* Registry *************************
>>>>>> XX - System Policies
└── [PUM.Policies (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System|ConsentPromptBehaviorAdmin -- 0 -> Found

************************* WMI *************************

************************* Hosts File *************************
is_too_big      : No
hosts_file_path : C:\Windows\System32\drivers\etc\hosts


************************* Filesystem *************************
[PUP.HackTool (Potentially Malicious)] (file) TrSpeedHack_x64.dll -- C:\Users\bohau\AppData\Local\FLiNGTrainer\TrSpeedHack_x64.dll -> Found
[PUP.HackTool (Potentially Malicious)] (file) me33-Bohauo.exe -- C:\Users\bohau\Documents\My Trainers\me33-Bohauo.exe -> Found
[PUP.HackTool (Potentially Malicious)] (file) MechWarrior 5 Mercenaries v1.0-v1.1.323 Plus 15 Trainer.exe -- C:\Users\bohau\Documents\My Trainers\MechWarrior 5 Mercenaries v1.0-v1.1.323 Plus 15 Trainer.exe -> Found
[PUP.HackTool (Potentially Malicious)] (file) No Mans Sky v1.0 Plus 25 Trainer.exe -- C:\Users\bohau\Documents\My Trainers\No Mans Sky v1.0 Plus 25 Trainer.exe -> Found
[Cloud.Generic (Malicious)] (file) unl-graw.exe -- C:\Users\bohau\Documents\My Trainers\unl-graw.exe -> Found
[Cloud.Generic (Malicious)] (file) w2-Bohauo.exe -- C:\Users\bohau\Documents\My Trainers\w2-Bohauo.exe -> Found

************************* Web Browsers *************************

************************* Antirootkit *************************
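The one registry hit in the log above, ConsentPromptBehaviorAdmin = 0, is worth understanding rather than just clicking through: it means members of the Administrators group elevate silently, with no UAC prompt at all, so any program the user launches can take full admin rights without anyone noticing. The following PowerShell is added here as an editor's example; it was not posted by either participant. It reads the related UAC values from the same key RogueKiller flagged, prints what each means, and only if the silent-elevation setting is present restores the Windows default of 5. The value meanings are Microsoft's documented ones; the output format is this example's own. Run it from an elevated PowerShell.

```powershell
# Added example (editor's code, not from the thread): interpret and repair the
# PUM.Policies hit. ConsentPromptBehaviorAdmin = 0 means admins elevate silently.
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin.
$meaning = @{
    0 = 'Elevate without prompting (no UAC prompt for admins)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows default)'
}

$p = Get-ItemProperty -Path $path

# EnableLUA = 0 turns UAC off entirely; PromptOnSecureDesktop = 0 lets other
# processes draw over (and click through) the prompt.
foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
    $v = $p.$name
    $note = ''
    if ($name -eq 'ConsentPromptBehaviorAdmin' -and $null -ne $v -and $meaning.ContainsKey([int]$v)) {
        $note = $meaning[[int]$v]
    }
    '{0,-28} = {1}  {2}' -f $name, $v, $note
}

# Restore the default only when the silent-elevation setting is what we found.
if ($p.ConsentPromptBehaviorAdmin -eq 0) {
    Set-ItemProperty -Path $path -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
    'ConsentPromptBehaviorAdmin reset to 5 (prompt for consent for non-Windows binaries)'
}
```

The value is changed back to 5 rather than deleted because Windows reads the policy value directly; the new setting applies to the next elevation request without a reboot.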
 
Navigate to this file location. (You can use the Everything search engine to get to it quickly.)
C:\WINDOWS\system32\drivers\yvkurxwa.sys
Right click the file and select Rename.
Rename the file extension from .sys to .bak.
I am unfamiliar with this file and am not finding any information on it, so let's disable it instead of nuking it.



Look in the Autologger folder and drag out the Check_Browsers_LNK.log to your desktop.

AutoLogger\CheckBrowserLnk
After saving ClearLNK to your desktop, drag and drop the log onto the ClearLNK utility.


Run HijackThis! as admin! (located in the folder ...Autologger\HijackThis)
Do a system scan, then check each item below; make sure you check only the items listed.
Then click Fix checked.
The computer will need to reboot; allow it to do so.


O22 - Tasks_Migrated: \Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner - C:\WINDOWS\system32\mitigationscanner.exe (file missing)
O22 - Tasks_Migrated: \Microsoft\Windows\termsrv\RemoteFX\RemoteFXvGPUDisableTask - C:\WINDOWS\System32\RemoteFXvGPUDisablement.exe Disable (file missing)
O22 - Tasks_Migrated: \Microsoft\Windows\termsrv\RemoteFX\RemoteFXWarningTask - C:\WINDOWS\System32\RemoteFXvGPUDisablement.exe Warning (file missing)


Download and run No Bot.
Click Check for updates.
Go to the Scan tab.
Choose Threat scan.
Screenshot any detection.
Remove if any.
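Before renaming a driver nobody can identify, a practitioner would want to know who signed it, what its hash is, and which service loads it, and would want the rename to be reversible. The PowerShell script below is an added example (editor's code, not posted in the thread). It takes the path quoted above as its default; the service lookup, the signature and hash report, and the fallback for a file that is not on disk are this example's own additions. It disables by renaming, exactly as the post suggests. Save it as a .ps1 and run it from an elevated PowerShell.

```powershell
# Added example (editor's code, not from the thread): triage an unfamiliar
# kernel driver before disabling it. $Driver defaults to the file named above.
param([string]$Driver = 'C:\Windows\System32\drivers\yvkurxwa.sys')

if (-not (Test-Path -LiteralPath $Driver)) {
    "Not on disk: $Driver"
    # A driver can be gone from disk yet still registered as a service, so
    # look for an orphaned entry under Services that points at the file name.
    $base = [IO.Path]::GetFileNameWithoutExtension($Driver)
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object {
            $_.PSChildName -eq $base -or
            (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath -match [regex]::Escape("$base.sys")
        } |
        ForEach-Object { "Service entry still present: $($_.PSChildName)" }
    return
}

# Signature, hash and timestamps: enough to look the file up before deciding.
$sig  = Get-AuthenticodeSignature -FilePath $Driver
$info = Get-Item -LiteralPath $Driver
[pscustomobject]@{
    File      = $Driver
    Size      = $info.Length
    Created   = $info.CreationTime
    Modified  = $info.LastWriteTime
    Signature = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
    Signer    = $sig.SignerCertificate.Subject # $null when unsigned
    SHA256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $Driver).Hash
} | Format-List

# Which kernel service loads it, and is it running right now? PathName from
# WMI may carry a \??\ or \SystemRoot\ prefix, so normalise before comparing.
$svc = Get-CimInstance Win32_SystemDriver | Where-Object {
    $_.PathName -and
    (($_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\") -ieq $Driver)
}
if ($svc) {
    "Loaded by service '$($svc.Name)' (State=$($svc.State), StartMode=$($svc.StartMode))"
} else {
    'No Win32_SystemDriver entry references this file.'
}

# Disable by renaming rather than deleting, so the change can be undone.
Rename-Item -LiteralPath $Driver -NewName ([IO.Path]::GetFileName($Driver) -replace '\.sys$', '.bak')
'Renamed to .bak; reboot so the driver is no longer loaded.'
```

If the script reports that the file is not on disk, the remaining question is whether a service entry still references it; that is the case the "Not on disk" branch prints, and it is the check to run before concluding the file was never there.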
 
Navigate to this file location. (You can use the Everything search engine to get to it quickly.)

Right click the file and select Rename.
Rename the file extension from .sys to .bak.
I am unfamiliar with this file and am not finding any information on it, so let's disable it instead of nuking it.




So, I couldn't find that file anywhere with "Everything"; I checked the whole computer.
 



Look in the Autologger folder and drag out the Check_Browsers_LNK.log to your desktop.

After saving ClearLNK to your desktop, drag and drop the log onto the ClearLNK utility.



I couldn't download the file via the address you posted; MBAM freaked out with this info:

Code:
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 23/09/2023
Protection Event Time: 10:05
Log File: ec860678-59e7-11ee-97ad-309c239ad9b7.json

-Software Information-
Version: 4.6.2.281
Components Version: 1.0.2131
Update Package Version: 1.0.75575
Licence: Premium

-System Information-
OS: Windows 10 (Build 19045.3448)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Users\bohau\AppData\Local\Programs\Opera GX\opera.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: RiskWare
Domain: dragokas.com
IP Address: 172.67.184.162
Port: 443
Type: Outbound
File: C:\Users\bohau\AppData\Local\Programs\Opera GX\opera.exe



(end)

So I downloaded the file from "MajorGeeks"; I hope that is alright. Here is the log from ClearLNK:

Code:
ClearLNK by Alex Dragokas                                 ver. 2.9.0.18

OS:       x64 Windows 10 Pro, 10.0.19045.3448, Service Pack: 0
Time:     23.09.2023 - 10:08
Language: OS: en-GB (0x809). Display: en-GB (0x809). Non-Unicode: en-GB (0x809)
Elevated: Yes
User:     Bohauo    (group: Administrator)

_____________________________ Begin of Log ______________________________
.
[ OK ] 15 "C:\Users\bohau\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Snipping Tool (2).lnk"    -> [ "C:\WINDOWS\system32\SnippingTool.exe" ]   (icon has been recovered)
[ OK ] 23 "C:\Users\bohau\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Snipping Tool.lnk"    -> [ "C:\WINDOWS\system32\SnippingTool.exe" ]   (icon has been recovered)
[ OK ] 27 "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk"    -> [ "C:\WINDOWS\system32\osk.exe" ]   (icon has been recovered)
[ OK ] 28 "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk"    -> [ "C:\WINDOWS\system32\narrator.exe" ]   (icon has been recovered)
[ OK ] 29 "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk"    -> [ "C:\Windows\System32\wfs.exe" ]   (Method RN-S)   (OK)
[ OK ] 69 "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk"    -> [ "C:\WINDOWS\system32\osk.exe" ]   (icon has been recovered)
.
[DEL ] 1  "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TQ Game Launcher.lnk"    (target was not recovered)
[DEL ] 2  "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LOOT.lnk"    (target was not recovered)
[DEL ] 3  "C:\Users\Public\Desktop\LOOT.lnk"    (target was not recovered)
[DEL ] 4  "C:\Users\bohau\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\b243764c816c0b67\karrynsprison50.lnk"    (target was not recovered)
[DEL ] 5  "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WhoreCraft\Microsoft .NET Framework 4.lnk"    (target was not recovered)
[DEL ] 6  "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WhoreCraft\Epic Redist Package.lnk"    (target was not recovered)
[DEL ] 7  "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WhoreCraft\Unreal Development Kit.lnk"    (target was not recovered)
[DEL ] 8  "C:\Users\bohau\Desktop\Other Software\KeePass 2.lnk"    (target was not recovered)
[DEL ] 9  "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PassFab for Word\PassFab for Word.lnk"    (target was not recovered)
[DEL ] 10 "C:\Users\bohau\Desktop\Other Software\PassFab for Word.lnk"    (target was not recovered)
[DEL ] 11 "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PassFab for Word\Uninstall PassFab for Word.lnk"    (target was not recovered)
[DEL ] 12 "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Diablo Immortal\Diablo Immortal.lnk"    (target was not recovered)
[DEL ] 13 "C:\Users\bohau\Desktop\Games\Diablo Immortal.lnk"    (target was not recovered)
[DEL ] 14 "C:\ProgramData\Microsoft\Windows\GameExplorer\{DE71236A-30E7-4970-96E0-4FE914BA3034}\PlayTasks\0\Play.lnk"    (target was not recovered)
[DEL ] 16 "C:\Users\bohau\Desktop\Games\Command & Conquer™ Remastered Collection.lnk"    (target was not recovered)
[DEL ] 17 "C:\ProgramData\Microsoft\Windows\GameExplorer\{DE71236A-30E7-4970-96E0-4FE914BA3034}\PlayTasks\1\Game Manual.lnk"    (target was not recovered)
[DEL ] 18 "C:\ProgramData\Microsoft\Windows\GameExplorer\{DE71236A-30E7-4970-96E0-4FE914BA3034}\PlayTasks\2\ReadMe.txt.lnk"    (target was not recovered)
[DEL ] 19 "C:\Users\bohau\Desktop\Other Software\MailWasherPro.lnk"    (target was not recovered)
[DEL ] 20 "C:\Users\bohau\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\b9d4a50bea9a196\name.lnk"    (target was not recovered)
[DEL ] 21 "C:\Users\bohau\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\PERPET~1\DSINST~1.LNK"    (target was not recovered)
[DEL ] 22 "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Perpetual Change\Perpetual Change.lnk"    (target was not recovered)
[DEL ] 24 "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tixati\Tixati.lnk"    (target was not recovered)
[DEL ] 25 "C:\Users\bohau\Desktop\Other Software\Cheat Engine.lnk"    (target was not recovered)
[DEL ] 26 "C:\Users\bohau\Desktop\Other Software\ImageGlass.lnk"    (target was not recovered)
[DEL ] 31 "C:\Users\bohau\Desktop\Other Software\Mail Washer Pro.lnk"    (target was not recovered)
[DEL ] 32 "C:\Users\bohau\Desktop\Games\NFS Underground.lnk"    (target was not recovered)
[DEL ] 33 "C:\Users\Public\Desktop\ImageGlass.lnk"    (target was not recovered)
[DEL ] 34 "C:\Users\bohau\Desktop\Games\Airport Simulator 2019.lnk"    (target was not recovered)
[DEL ] 35 "C:\Users\bohau\Desktop\Games\BattleTech Mod Manager.lnk"    (target was not recovered)
[DEL ] 36 "C:\Users\bohau\Desktop\Games\Assassin's Creed IV Black Flag.lnk"    (target was not recovered)
[DEL ] 37 "C:\Users\bohau\Desktop\Games\Fallout 4 (F4SE).lnk"    (target was not recovered)
[DEL ] 38 "C:\Users\bohau\Desktop\Games\Fallout Mod Manager.lnk"    (target was not recovered)
[DEL ] 39 "C:\Users\bohau\Desktop\Games\Grand Theft Auto IV.lnk"    (target was not recovered)
[DEL ] 40 "C:\Users\bohau\Desktop\Games\Hitman Absolution.lnk"    (target was not recovered)
[DEL ] 41 "C:\Users\bohau\Desktop\Games\Pizza Tycoon 2.lnk"    (target was not recovered)
[DEL ] 42 "C:\Users\bohau\Desktop\Games\Rescue 2013.lnk"    (target was not recovered)
[DEL ] 43 "C:\Users\bohau\Desktop\Games\Skyrim (SKSE).lnk"    (target was not recovered)
[DEL ] 44 "C:\Users\bohau\Desktop\Games\Space Station Sim.lnk"    (target was not recovered)
[DEL ] 45 "C:\Users\bohau\Desktop\Games\Start The Witcher 2.lnk"    (target was not recovered)
[DEL ] 46 "C:\Users\bohau\Desktop\Games\The Sims 4.lnk"    (target was not recovered)
[DEL ] 47 "C:\Users\bohau\Desktop\Games\THE WITCHER 3 WILD HUNT.lnk"    (target was not recovered)
[DEL ] 48 "C:\Users\bohau\Desktop\Games\TruckersMP.lnk"    (target was not recovered)
[DEL ] 49 "C:\Users\bohau\Desktop\Games\World of Warships.lnk"    (target was not recovered)
[DEL ] 50 "C:\Users\bohau\Desktop\Games\Halo The Master Chief Collection Halo Combat Evolved Anniversary.lnk"    (target was not recovered)
[DEL ] 51 "C:\Users\bohau\Desktop\Games\MechWarrior 5 Mercenaries.lnk"    (target was not recovered)
[DEL ] 52 "C:\Users\bohau\Desktop\Other Software\Mod Organizer - Skyrim SE.lnk"    (target was not recovered)
[DEL ] 53 "C:\Users\bohau\Desktop\Games\The Outer Worlds.lnk"    (target was not recovered)
[DEL ] 54 "C:\Users\bohau\Desktop\Other Software\Tobii Game Hub.lnk"    (target was not recovered)
[DEL ] 55 "C:\Users\bohau\Desktop\Utilites\AORUS ENGINE.lnk"    (target was not recovered)
[DEL ] 56 "C:\Users\bohau\Desktop\Utilites\Defraggler.lnk"    (target was not recovered)
[DEL ] 57 "C:\Users\bohau\Desktop\Utilites\RGBFusion 2.0.lnk"    (target was not recovered)
[DEL ] 58 "C:\Users\bohau\Desktop\Utilites\Ron's Editor.lnk"    (target was not recovered)
[DEL ] 59 "C:\Users\bohau\Desktop\Utilites\Tixati.lnk"    (target was not recovered)
[DEL ] 60 "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oblivion Mod Manager\Oblivion Mod Manager.lnk"    (target was not recovered)
[DEL ] 61 "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oblivion Mod Manager\Oblivion Mod Manager (Safe Mode).lnk"    (target was not recovered)
[DEL ] 62 "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oblivion Mod Manager\BSA creator.lnk"    (target was not recovered)
[DEL ] 63 "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oblivion Mod Manager\BSA browser.lnk"    (target was not recovered)
[DEL ] 64 "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oblivion Mod Manager\Run launcher.lnk"    (target was not recovered)
[DEL ] 65 "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oblivion Mod Manager\Conflict detector.lnk"    (target was not recovered)
[DEL ] 66 "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oblivion Mod Manager\NIF viewer.lnk"    (target was not recovered)
[DEL ] 67 "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oblivion Mod Manager\obmm Readme.lnk"    (target was not recovered)
[DEL ] 68 "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oblivion Mod Manager\Uninstall Oblivion Mod Manager.lnk"    (target was not recovered)
[DEL ] 70 "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wargaming.net\World_of_Warships_EU\World_of_Warships_EU.lnk"    (target was not recovered)
[DEL ] 71 "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wargaming.net\World_of_Warships_EU\Uninstall World_of_Warships_EU.lnk"    (target was not recovered)
[DEL ] 72 "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Diaperquest Launcher\Diaperquest Launcher.lnk"    (target was not recovered)
[DEL ] 73 "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Diaperquest Launcher\Uninstall Diaperquest Launcher.lnk"    (target was not recovered)
[DEL ] 74 "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Diaperquest Launcher\Uninstall  Diaperquest Launcher.lnk"    (target was not recovered)
[DEL ] 75 "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Health Check.lnk"    (target was not recovered)
[DEL ] 76 "C:\Users\bohau\Desktop\Games\Alderon Games Launcher.lnk"    (target was not recovered)
.
[WARN] 30 "C:\Users\bohau\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk"    -> [ "C:\WINDOWS\system32\mblctr.exe" ]   (already cured)
.
____________________________ Icons location _____________________________
.
[ OK ] "C:\Users\bohau\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Snipping Tool (2).lnk"     ->     [ ".", index=1 ]  (Method: 3)
[ OK ] "C:\Users\bohau\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Snipping Tool.lnk"     ->     [ ".", index=1 ]  (Method: 3)
[ OK ] "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk"     ->     [ ".", index=1 ]  (Method: 3)
[ OK ] "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk"     ->     [ ".", index=1 ]  (Method: 3)
[ OK ] "C:\Users\bohau\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk"     ->     [ ".", index=1 ]  (Method: 6)
[ OK ] "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk"     ->     [ ".", index=1 ]  (Method: 3)
.
______________________________ Statistics _______________________________
Cure ran per today: 1 times.

  Total processed:  76

         Cured:     6
         Deleted:   69
         Warnings:  1
______________________________ End of Log _______________________________
______________________________ Debug Info _______________________________
- Shortcut is damaged: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Health Check.lnk" (1153 bytes)
2023-09-23 10:08:13 - Parser.GetLinkInfoTarget - #5 (Access is denied.) Invalid procedure call or argument. LastDllError = 0. File:  C:\Users\bohau\Desktop\Games\Alderon Games Launcher.lnk Stady: 18 

___________________________ End of debugging ____________________________
 


Run HijackThis! as admin! (located in the folder ...Autologger\HijackThis)
Do a system scan, then check each item below; make sure you check only the items listed.
Then click Fix checked.
The computer will need to reboot; allow it to do so.

No reboot was "mandatory" from HijackThis!, so I manually rebooted my system.
 
Download and run No Bot.
Click Check for updates.
Go to the Scan tab.
Choose Threat scan.
Screenshot any detection.
Remove if any.

OK, I can't do this step. NoBot is closing down after around 3% of the scan. I have rebooted the computer after installing it, and it has "administrative" privileges (right click and "Run as administrator").

No logs are produced either, meaning the log folder is empty.
 
OK, skip NoBot.

Are there any issues with the machine now?
 
Well, I couldn't tell; I didn't even know I had a problem before. It was the CISO (IT Security) that notified me of my problem. ;-)
Both MBAM and Windows Defender only discover issues with some of the apps you wanted me to download.
 
There were some questionable files that I removed, and also a couple of open ports on your firewall.


These:

C:\Users\bohau\AppData\Local\9305404043
C:\WINDOWS\system32\Drivers\yvkurxwa.sys
FirewallRules: [{D7117FA5-FDC3-42CB-8879-AA0FB29EF7FF}] => (Allow) LPort=32976
FirewallRules: [{7440A2B4-816E-4193-8B25-FE149001ACA1}] => (Allow) LPort=17771

So yes, there was something active which was removed, but no active malware; it seems to be pieces of a leftover infection, or not active at the time of these scans. But everything that needed to be removed was.



As far as the anti-keylogging software goes, that is up to you; it would not hurt to have an extra layer of protection.




Update your older programs with Patch My PC Home Edition.


We will clean all the tools we used...

Download KpRM
Save to Desktop
Check Delete Tools.
Check Delete Restore points.
Create Restore point.
Click delete quarantines.
Then click run.

I suggest:
uBlock Origin
O&O ShutUp10
O&O AppBuster
 
The intent is to block telemetry and uninstall apps that are useless to you. You can be the judge of what you want or do not want blocked.
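The two FirewallRules lines quoted above describe rules whose name is a bare GUID, allowing inbound traffic to a local port with no program attached; that is the shape a rule takes when it is created through the API or netsh rather than by a normal installer, and it is what to look for when checking whether any similar leftovers remain. The following PowerShell is an added example (editor's code, not part of the post). It lists every enabled inbound Allow rule that opens a specific local port, flags the GUID-named ones bound to no executable, and removes the two rules quoted above by their exact name if they are still present. The GUIDs and ports come from the post; the output shape is this example's own. Run it from an elevated PowerShell.

```powershell
# Added example (editor's code, not from the thread): audit inbound Allow rules
# and remove the two GUID-named ones listed in the post, if still present.
$suspect = @(
    '{D7117FA5-FDC3-42CB-8879-AA0FB29EF7FF}',   # (Allow) LPort=32976
    '{7440A2B4-816E-4193-8B25-FE149001ACA1}'    # (Allow) LPort=17771
)

function Get-InboundAllowRule {
    # Every enabled inbound Allow rule with a specific local port, joined with
    # its port and application filters so a rule tied to no program stands out.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            if (($port.LocalPort -join ',') -ne 'Any') {
                [pscustomobject]@{
                    Name        = $_.Name
                    DisplayName = $_.DisplayName
                    Profile     = $_.Profile
                    Protocol    = $port.Protocol
                    LocalPort   = ($port.LocalPort -join ',')
                    Program     = $app.Program    # 'Any' when not bound to an executable
                    Group       = $_.Group
                }
            }
        }
}

$rules = Get-InboundAllowRule

# GUID-named rules that are not bound to any program: review these first.
'Inbound Allow rules with a GUID name and no program:'
$rules |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' -and $_.Program -eq 'Any' } |
    Format-Table Name, LocalPort, Protocol, Profile, DisplayName -AutoSize

# Remove the two rules from the post by exact Name, reporting either outcome.
foreach ($name in $suspect) {
    if (Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -Name $name
        "Removed $name"
    } else {
        "Not present: $name"
    }
}
```

The Name property, not DisplayName, is what the firewall keys rules on, which is why the removal matches on the GUID; a rule with a friendly DisplayName can still carry a GUID Name and an 'Any' program, and the table above makes that combination visible.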
 
So what anti-logger do you suggest?
Zemana didn't work, since both MBAM and Windows Defender reacted to some .sys files, and they also interfered with the installation of Zemana.
 