

FRST Logs.


This topic is locked. 6 replies to this topic.

#1 Senvah (Members, 8 posts)

Posted 28 February 2018 - 11:50 PM

Here are the logs from the FRST scan.

Attached Files





#2 Gary R (MRU Admin, Malware Response Team, 735 posts)

Posted 01 March 2018 - 12:53 AM

It's going to take me a while to look your logs over. I'll get back to you once I have; it should be some time later today.



#3 Senvah (Topic Starter, Members, 8 posts)

Posted 01 March 2018 - 12:54 AM

Take your time Gary, thank you for helping me out.

If you have a place where I can donate or help out I will pay for your time.



#4 Gary R (MRU Admin, Malware Response Team, 735 posts)

Posted 01 March 2018 - 01:06 AM

I don't take donations thanks, but thank you for the offer.

 

I see you've run your scan using the "Guest User" account. Is this the account you usually log on with?

 

I ask this because there's very little 3rd party software installed in this account (other than security stuff), so it doesn't tell me too much.

 

From what I can see you have 3 accounts .... WingusDingus & Guest User & solidsnail .... and if one of those is the one you more regularly use, then that's the one you should be running the FRST scan from.



#5 Senvah (Topic Starter, Members, 8 posts)

Posted 01 March 2018 - 03:59 AM

Yes, I use Guest User the most; I figured that if I did get something malicious it wouldn't have complete administrator rights on the computer.



#6 Gary R (MRU Admin, Malware Response Team, 735 posts)

Posted 01 March 2018 - 04:53 AM

OK, no visible signs of malware in the logs you've supplied.

I do have a few comments to make on things I've seen.

First ....

I see you have a number of Ad Blocker extensions fitted in Chrome ...
 

CHR Extension: (Adblock Plus) - C:\Users\WingusDingus\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2018-02-23]
CHR Extension: (uBlock Origin) - C:\Users\WingusDingus\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2018-02-24]
CHR Extension: (AdBlock) - C:\Users\WingusDingus\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2018-02-24]


... these are just duplicating function; there is little or no overlap in coverage between them. I recommend you keep uBlock Origin and "uninstall" the other two. The reason I recommend uBlock Origin is that it is less resource hungry than the others.

Next ....

You have a number of tools on your computer which you've been using to check it for malware ....
 

Autoruns
Process Explorer
ADWCleaner
Rogue Killer


These are not really suitable for use by untrained personnel, and I recommend you uninstall ... Autoruns, Process Explorer, and Rogue Killer.

To remove ADWCleaner ...
 

  • Double click AdwCleaner.exe to run it.
  • Click Uninstall.
  • Click Yes to the prompt.
  • AdwCleaner will close and uninstall itself

Note: If AdwCleaner prompts you an update is available, click Cancel and continue to uninstall.

Next ....

You have been using MSConfig to prevent a number of processes launching at startup ...



HKU\S-1-5-21-390732751-2260908807-2568724713-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-390732751-2260908807-2568724713-1001\...\StartupApproved\Run: => "Steam"
HKU\S-1-5-21-390732751-2260908807-2568724713-1001\...\StartupApproved\Run: => "GlassWire"
HKU\S-1-5-21-390732751-2260908807-2568724713-1003\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-390732751-2260908807-2568724713-1004\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-390732751-2260908807-2568724713-1004\...\StartupApproved\Run: => "OneDriveSetup"


MSConfig was not designed to permanently disable processes from auto launching, and it's not a good idea to use it this way. If you wish to disable those processes from launching at startup permanently then there are better ways to do it.

If you want me to do it for you, then please let me know.

In the meantime I recommend you do the following, which will re-enable the startup items you've disabled, and also remove a couple of redundant tasks that were indicated in your log.
 

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank notepad file named fixlist.txt will open.
  • Copy and paste the following into it ....
Task: {02C0326E-DCEC-43D7-9067-5C92FDDAA68E} - \Microsoft\Windows\SMB\UninstallSMB1ClientTask -> No File <==== ATTENTION
Task: {922DCE22-5601-423C-8CB4-648A0DCE5B27} - \Microsoft\Windows\SMB\UninstallSMB1ServerTask -> No File <==== ATTENTION
HKU\S-1-5-21-390732751-2260908807-2568724713-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-390732751-2260908807-2568724713-1001\...\StartupApproved\Run: => "Steam"
HKU\S-1-5-21-390732751-2260908807-2568724713-1001\...\StartupApproved\Run: => "GlassWire"
HKU\S-1-5-21-390732751-2260908807-2568724713-1003\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-390732751-2260908807-2568724713-1004\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-390732751-2260908807-2568724713-1004\...\StartupApproved\Run: => "OneDriveSetup"
  • Press Ctrl+s to save fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system


  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log
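The two findings in the post above (startup items disabled through MSConfig, which show up in the FRST log as StartupApproved\Run values, and scheduled tasks whose target file is gone, which FRST marks "-> No File") can both be checked directly on the machine without FRST. The script below is an added example written for this page; it is not Gary R's code, not part of FRST, and it only reports, it does not re-enable or delete anything. It assumes the StartupApproved value layout that Task Manager and MSConfig write on Windows 8/10 (12 bytes: byte 0 is 0x02 for enabled or 0x03 for disabled, bytes 4-11 are a FILETIME recorded when the item was disabled and zero while it is enabled; 0x06 has also been observed for enabled entries on newer Windows 10 builds and is treated as enabled here). Run it from an elevated PowerShell so the other users' loaded hives (the HKU\S-1-5-21-...-1001/-1003/-1004 keys in the log) are readable.

```powershell
# Added example (not from the thread or from FRST): audit StartupApproved\Run
# state and scheduled tasks whose action file no longer exists.
# Assumed value layout: 12 bytes, byte 0 = 0x02/0x06 enabled, 0x03 disabled,
# bytes 4..11 = FILETIME of when the item was disabled (zero while enabled).

function Get-StartupApprovedState {
    [CmdletBinding()]
    param(
        # Hive root to inspect: 'HKCU:' for the logged-on user, or
        # 'Registry::HKEY_USERS\S-1-5-21-...-1001' for another loaded profile
        [string]$HiveRoot = 'HKCU:'
    )
    $approved = "$HiveRoot\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"
    $run      = "$HiveRoot\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -LiteralPath $approved)) { return }

    $key = Get-Item -LiteralPath $approved
    foreach ($name in $key.GetValueNames()) {
        if ([string]::IsNullOrEmpty($name)) { continue }          # skip the (Default) value
        $raw = $key.GetValue($name)
        if (-not ($raw -is [byte[]]) -or $raw.Length -lt 12) { continue }   # not the assumed layout; do not guess
        $state = switch ($raw[0]) {
            2       { 'Enabled' }
            6       { 'Enabled' }
            3       { 'Disabled' }
            default { 'Unknown(0x{0:X2})' -f $raw[0] }
        }
        # Bytes 4..11: little-endian FILETIME stamped when the item was disabled
        $ft = [BitConverter]::ToInt64($raw, 4)
        $disabledAt = if ($ft -gt 0) { [DateTime]::FromFileTimeUtc($ft) } else { $null }
        # The Run value with the same name is the command that would launch; null if it has been removed
        $command = (Get-ItemProperty -LiteralPath $run -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Hive       = $HiveRoot
            Name       = $name
            State      = $state
            DisabledAt = $disabledAt
            Command    = $command
        }
    }
}

function Get-OrphanedScheduledTask {
    # Reports tasks whose Exec action names a file that does not exist.
    # COM-handler actions have no Execute string and are skipped.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if ([string]::IsNullOrWhiteSpace($exe)) { continue }
            # Expand %SystemRoot% etc. and strip surrounding quotes before testing the path
            $path = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            if ($path -notmatch '[\\/]') { continue }   # bare names (cmd.exe) resolve via PATH; not checked here
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    State    = $task.State
                    Execute  = $exe
                    Resolved = $path
                }
            }
        }
    }
}

# Usage: the current user first, then every loaded profile hive under HKEY_USERS.
# The SID tail (-1001, -1003, ...) is what ties each entry to one of the machine's accounts.
Get-StartupApprovedState | Format-Table -AutoSize
Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { Get-StartupApprovedState -HiveRoot "Registry::$($_.Name)" } |
    Format-Table -AutoSize
Get-OrphanedScheduledTask | Format-Table -AutoSize
```

A "Disabled" row with a null Command means the Run entry has already gone but the StartupApproved value was left behind, which is the sort of leftover the fixlist above clears up. Profiles that are not logged on do not have their hive loaded under HKEY_USERS, so they will not appear; FRST reads those hives from disk, which is why its log can list users who are not currently signed in. The task check only covers Exec actions, so a task that FRST flags because of a broken COM handler will not be reported by it.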

 

 



#7 Gary R (MRU Admin, Malware Response Team, 735 posts)

Posted 13 March 2018 - 01:09 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



