
Brand new PC install, wanna start from clean


This topic is locked
12 replies to this topic

#1 Sunbread1

Sunbread1

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:09 PM

Posted 03 June 2017 - 02:40 PM

I would like to make sure I am starting from a clean slate. I did some virus scans already, but the Farbar logs would need to be analyzed.

Attached Files





#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:09 PM

Posted 04 June 2017 - 07:34 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Your logs are clean.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#3 Sunbread1

Sunbread1
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:09 PM

Posted 06 June 2017 - 03:18 PM

Hello again. I decided to try a new antivirus solution and I would like to get assurance that it's doing its job. I have already done various other scans. Emsisoft Anti-Malware is now my only real-time protection. One thing I'm worried about, though, is that I downloaded Zemana AntiMalware https://www.bleepingcomputer.com/download/zemana-antimalware/

I did not know it has real-time protection that activates automatically, so I just installed and ran the program. I know that using more than one real-time protection can cause problems, so I went to settings and turned off the real-time protection right away. But I was connected to the internet during this whole thing, so I am worried it might have made me more vulnerable to attacks. An additional question is, does Zemana AntiMalware also include a firewall? I couldn't find info about that, but if it did, then it must have disabled the Windows Firewall, which would have made me even more vulnerable.

Farbar logs are in the attachments; that's the final piece to investigate whether the PC is clean or not, as virus scans show clean results.

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:09 PM

Posted 07 June 2017 - 07:40 AM

Hi,

Your logs are clean.

Security is good.
 

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Emsisoft Anti-Malware (Enabled - Up to date) {701CB209-EBBC-AADC-11E6-DE73E7AF4C9D}
AS: Emsisoft Anti-Malware (Enabled - Up to date) {CB7D53ED-CD86-A552-2B56-E5019C280620}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

And your Windows Firewall is Enabled.


Zemana is a Malware removal tool. It does not protect against a Virus.
http://blog.zemana.com/2017/05/difference-between-antivirus-and-anti.html?_ga=2.255993996.646773421.1496838841-2008406233.1488479996

It will not interfere with Emsisoft.
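The Security Center block quoted in the post above is the part of the FRST Addition.txt that answers the original question about overlapping real-time protection. As an added example (not code from the thread or from Farbar), here is a small parser for that block that groups enabled products by kind and raises the points a log reviewer checks: more than one enabled engine of the same kind, an enabled product that is not up to date, and a kind with no enabled product. The line shape it assumes is the one visible in the excerpt; the input is the excerpt itself, which carries no FW line, so the reviewer note it produces for the firewall reflects only what the excerpt shows (nasdaq's firewall verdict comes from elsewhere in the log).

```python
import re
from collections import defaultdict

# The Security Center excerpt quoted in nasdaq's post above (FRST Addition.txt format).
SECURITY_CENTER_EXCERPT = """\
==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Emsisoft Anti-Malware (Enabled - Up to date) {701CB209-EBBC-AADC-11E6-DE73E7AF4C9D}
AS: Emsisoft Anti-Malware (Enabled - Up to date) {CB7D53ED-CD86-A552-2B56-E5019C280620}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
"""

# Assumed line shape: "<kind>: <product> (<state> - <freshness>) {<GUID>}"
# where kind is AV (antivirus), AS (antispyware) or FW (firewall).
ENTRY_RE = re.compile(
    r"^(?P<kind>AV|AS|FW): (?P<product>.+?) "
    r"\((?P<state>Enabled|Disabled) - (?P<freshness>[^)]+)\) "
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}$"
)


def parse_security_center(text):
    """Return one dict per recognised product line; headers and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def review(entries):
    """Group enabled products by kind and list the points a log reviewer would raise."""
    enabled = defaultdict(list)
    for e in entries:
        if e["state"] == "Enabled":
            enabled[e["kind"]].append(e["product"])
    notes = []
    for kind in ("AV", "AS", "FW"):
        names = enabled.get(kind, [])
        if len(names) > 1:
            notes.append(f"{kind}: more than one product enabled ({', '.join(names)}); "
                         "overlapping real-time engines can conflict")
        elif not names:
            notes.append(f"{kind}: no enabled product registered in this excerpt")
    for e in entries:
        if e["state"] == "Enabled" and e["freshness"] != "Up to date":
            notes.append(f"{e['product']}: enabled but reported as '{e['freshness']}'")
    return dict(enabled), notes


if __name__ == "__main__":
    enabled, notes = review(parse_security_center(SECURITY_CENTER_EXCERPT))
    for kind, names in enabled.items():
        print(kind, "->", ", ".join(names))
    for n in notes:
        print("note:", n)
```

A disabled Windows Defender next to an enabled third-party product is the normal state Security Center reports once another antivirus registers itself, so the review deliberately does not flag it; only two enabled products of the same kind, or an enabled product that is out of date, get a note.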

#5 Sunbread1

Sunbread1
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:09 PM

Posted 07 June 2017 - 10:21 AM

I had to come back here again, unfortunately, because today when I started using the computer I noticed something black flashing in the lower right corner of the browser (I was browsing the Emsisoft page, so a reputable site), and after that I went to the Downloads folder and noticed that the view settings of the folder had been changed to large icons, so all the icons were large. I always had the view settings as the default "Details" and never changed them myself. So something weird is going on.

The worrying thing is also that I had no Malwarebytes real-time protection running until now, because previously I thought the real-time protection layers would cause issues with Emsisoft's real-time layers, but after learning that they work OK together, I enabled the Malwarebytes real-time layers too. But maybe it's too late...

I scanned the PC with Emsisoft Anti-Malware, Malwarebytes, Malwarebytes Anti-Rootkit, HitmanPro, Kaspersky Virus Removal Tool, RogueKiller, F-Secure Online Scanner, Sophos, and AdwCleaner. Nothing was found.

As I still don't have enough expertise to analyze the Farbar logs, I politely ask if you could review these new logs once again. This time I checked all the rest of the boxes too (List BCD, Drivers MD5) in Farbar before scanning.

EDIT: Let me attach the logs in another post


Edited by Sunbread1, 07 June 2017 - 10:30 AM.


#6 Sunbread1

Sunbread1
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:09 PM

Posted 07 June 2017 - 10:34 AM

Here are the newest logs

Attached Files



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:09 PM

Posted 07 June 2017 - 12:50 PM


Your logs are clean.

You removed AVAST.
AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}

To make sure all traces of it are removed, I suggest you run their uninstaller.
Navigate to this page, then download and run the application.
https://www.avast.com/uninstall-utility
===

and after that I went to the Downloads folder and noticed that the view settings of the folder had been changed to large icons, so all the icons were large

The view settings for icon size are set for each folder.

This article may help you select the size you want.
https://www.techsupportall.com/change-icon-text-size-windows-10/

#8 Sunbread1

Sunbread1
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:09 PM

Posted 07 June 2017 - 12:56 PM

I see you haven't yet downloaded the FRST.txt.

 

Avast was in the old Windows install; I made a new Windows install in order to start from clean when trying a new antivirus solution. Now I was looking at Event Viewer and there are some weird things, for example this with Event ID 1530:

 

33 user registry handles leaked from \Registry\User\S-1-5-21-1776908731-2155016529-3854037204-1001:
Process 812 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\CA
Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\System\GameConfigStore\Parents
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\SystemCertificates
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\SystemCertificates
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\SystemCertificates
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\SystemCertificates
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\trust
Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\System\GameConfigStore
Process 1848 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\Windows\CloudContent
Process 3056 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall
Process 3032 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 4736 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1848 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows\CurrentVersion\Privacy
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\TrustedPeople
Process 3032 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl
Process 4736 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl
Process 1848 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\Windows\DataCollection
Process 3032 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 4736 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 3032 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Main
Process 4736 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Main
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\Root
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\Disallowed
Process 700 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows NT\CurrentVersion\Fonts
Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\System\GameConfigStore\Children
Process 3032 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Security
Process 4736 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Security
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
 


Edited by Sunbread1, 07 June 2017 - 12:58 PM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:09 PM

Posted 07 June 2017 - 01:30 PM


These were caused by an application.

33 user registry handles leaked from \Registry\User\S-1-5-21-1776908731-2155016529-3854037204-1001:
Process 812 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
etc...


These may be just some remnant items in the registry, caused by reinstalling Windows.

If you want more information, I suggest you ask in the Windows 10 forum.
An expert should be able to help you. That is not malware and not my forte.
Forum link:
https://www.bleepingcomputer.com/forums/f/229/windows-10-support/
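The Event ID 1530 text posted in #8 and discussed above is written by the User Profile Service when a user hive is unloaded while other processes still hold registry handles into it. When triaging such an event, the useful first step is to group the leaked handles by process and separate the PIDs that were logged with an image path from those logged as <Unknown>, so the reviewer can see which keys each process held rather than read thirty-odd near-identical lines. The following parser is an added example, not code from the thread; it works on the first lines of the message as quoted (the full event lists 33 handles, of which five are reproduced so the example runs offline), and the record layout it assumes is exactly the one visible in those lines.

```python
import re
from collections import defaultdict

# Event ID 1530 message text as quoted in post #8 above (abridged: the full event
# lists 33 handles; five are reproduced here so the example runs offline).
EVENT_1530_SAMPLE = r"""33 user registry handles leaked from \Registry\User\S-1-5-21-1776908731-2155016529-3854037204-1001:
Process 812 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2364 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\CA
Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\System\GameConfigStore\Parents
Process 700 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows NT\CurrentVersion\Fonts
"""

# Assumed layout, taken from the quoted event: a header line with the handle count
# and the hive path, then one "Process <pid> (<image>) has opened key <key>" line per handle.
HEADER_RE = re.compile(r"^(?P<count>\d+) user registry handles leaked from (?P<hive>\S+):$")
HANDLE_RE = re.compile(r"^Process (?P<pid>\d+) \((?P<image>[^)]*)\) has opened key (?P<key>.+)$")


def parse_event_1530(message):
    """Split a 1530 message into its header values and one record per leaked handle."""
    result = {"declared": None, "hive": None, "handles": []}
    for raw in message.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            result["declared"] = int(h.group("count"))
            result["hive"] = h.group("hive")
            continue
        m = HANDLE_RE.match(line)
        if m:
            result["handles"].append({
                "pid": int(m.group("pid")),
                "image": m.group("image"),
                "key": m.group("key"),
            })
    return result


def relative_key(key, hive):
    """Strip the user-hive prefix (case-insensitively) so only the subkey is shown."""
    if hive and key.lower().startswith(hive.lower()):
        rest = key[len(hive):]
        return rest if rest else "(hive root)"
    return key


def triage(parsed):
    """Group handles by PID and list the PIDs whose image path was not recorded."""
    by_pid = defaultdict(lambda: {"image": None, "keys": []})
    for h in parsed["handles"]:
        entry = by_pid[h["pid"]]
        entry["image"] = h["image"]
        entry["keys"].append(relative_key(h["key"], parsed["hive"]))
    unresolved = sorted(pid for pid, e in by_pid.items() if e["image"] == "<Unknown>")
    return {
        "by_pid": dict(by_pid),
        "unresolved": unresolved,
        "listed": len(parsed["handles"]),
        "declared": parsed["declared"],
    }


if __name__ == "__main__":
    summary = triage(parse_event_1530(EVENT_1530_SAMPLE))
    print(f"{summary['listed']} of {summary['declared']} declared handles parsed")
    for pid, e in sorted(summary["by_pid"].items()):
        print(f"PID {pid:5d} {e['image']}")
        for k in e["keys"]:
            print(f"           {k}")
    print("PIDs with unresolved image:", summary["unresolved"])
```

An <Unknown> image in this event only means the profile service did not record an image path for that PID when it wrote the event; on its own it is evidence of nothing. To identify such a process you would pair the PID with a process-creation record from the same boot session (Security event 4688, or Sysmon event 1 where it is installed), keeping in mind that Windows reuses PIDs, so a match from a different session or from a later process with the same number means nothing.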

#10 Sunbread1

Sunbread1
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:09 PM

Posted 07 June 2017 - 01:34 PM

They can't be because of the Windows reinstall, because I secure erased the SSD beforehand, so there's nothing left from the old system. This "unknown" process could be malware; it needs more investigating.

I have a lot of these events logged where an unknown process has done something.


Edited by Sunbread1, 07 June 2017 - 02:32 PM.


#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:09 PM

Posted 08 June 2017 - 06:49 AM

Avast was in the old Windows install; I made a new Windows install in order to start from clean when trying a new antivirus solution. Now I was looking at Event Viewer and there are some weird things, for example this with Event ID 1530


Reinstalling Windows does not remove old registry entries.

Please run the Avast removal tool.

p.s.
If you had a virus, you would have more problems than what you are finding.

#12 Sunbread1

Sunbread1
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:09 PM

Posted 08 June 2017 - 10:48 AM

After learning that Avast wasn't that good an antivirus, I did a secure erase, which resets the disk leaving nothing. Then I installed a new Windows with a new antivirus. Also, how could you say the logs were clean when you didn't download the FRST.txt, only Addition.txt? There is a download count on the post for attachments, and it shows zero.


Edited by Sunbread1, 08 June 2017 - 10:55 AM.


#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:09 PM

Posted 09 June 2017 - 06:46 AM

The FRST log is also clean.

How did you reset the disk, leaving nothing in it?



