Is the computer still infected or corrupted?

Hello,

 

For about a month now my computer will randomly crash. No BSOD just straight black screen, it takes multiple tries of force booting it to get it up and running again but the issue stays consistent. It's very random when it happens so its nothing specific that I do that triggers it. I have tried cleaning the computer numerous times but nothing seems to really fix the issue. ADWcleaner catches 1-2 malware but even after deleting them in quarantine the same two come back. Even so I didn't think the computer was really infected until I ran FRST which revealed these two items. 

 

Hello robo_623, and welcome to Bleeping Computer Forums.

I will be assisting you regarding your computer's issues. Here, we will check your computer for malware.

Please, adhere to the guidelines below. As soon as I have your consent, we will continue with the check/cleaning procedure. 

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but also can make your computer a malware target. Having such programs installed, is the easiest way to get infected. Thus, no need to clean the computer, since, soon or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.

No Problem, appreciate the help. Just let me know what I should do about the ESET scan that's been running since I made the post.

Edited by robo_623, 18 September 2023 - 04:26 AM.

Let the Eset scan finish, and post the results in your next reply. We will continue from there. 

ESET scan finished it came back with nothing but as I mentioned before ADWcleaner would do the same after finding and deleting the two malware but they would still show up later on so I'm not sure if the results are acccurate. It does look like from the log that it wasnt able to access quite a number of files as well.

 

I ran the ESET scan as administrator and in-depth scan too.

 

Hi, robo_623.
 

bl (HKLM-x32\...\{2A075BB4-E976-4278-BF3F-E5C6945D84C0}) (Version: 1.0.0 - Your Company Name) Hidden
ph (HKLM-x32\...\{185F9795-9663-4F13-9EF9-307A282ADB5A}) (Version: 1.0.0 - Your Company Name) Hidden

 
The above items are not malware. They are related to Adobe products, and you have plenty of them installed in your system. With the fix you ran earlier, you didn't remove them, anyway, but I would like you to take in mind that you must not use any fix with FRST tool or similar tools, without the assistance of a training person. Otherwise, you could cause a damage in your system which can be unreversible. 
 
These are my first comments/instructions regarding your logs:
 
 
1. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

• Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.

Start::
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-19\...\Run: [GoogleDriveFS] => C:\Program Files\Google\Drive File Stream\69.0.0.0\GoogleDriveFS.exe --startup_mode (No File)
HKU\S-1-5-20\...\Run: [GoogleDriveFS] => C:\Program Files\Google\Drive File Stream\69.0.0.0\GoogleDriveFS.exe --startup_mode (No File)
HKU\S-1-5-21-2411417109-725361432-2374949271-1001\...\Run: [Toolkit] => "C:\Program Files (x86)\Toolkit\Toolkit.exe" /WinStart**憁∀耀썐*6*6***C:\Users\robco\AppData\Roaming\Toolkit\Log [0 2022-03-14] () <==== ATTENTION [zero byte File/Folder]
HKU\S-1-5-21-2411417109-725361432-2374949271-1001\...\Policies\Explorer: [] 
HKU\S-1-5-18\...\Run: [GoogleDriveFS] => C:\Program Files\Google\Drive File Stream\69.0.0.0\GoogleDriveFS.exe --startup_mode (No File)
HKLM\Software\...\Authentication\Credential Providers: [{C885AA15-1764-4293-B82A-0586ADD46B35}] -> 
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => %SystemRoot%\System32\MbaeParserTask.exe  (No File)
Task: {9AFAF137-AE1C-42C2-975C-E22E2B665BDF} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\MusUx_UpdateInterval => %systemroot%\system32\MusNotification.exe  Display (No File)
Task: {6ECC17BA-2F21-4D1D-A937-AF5B7E29ED7A} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot => %systemroot%\system32\MusNotification.exe  ReadyToReboot (No File)
Task: {AAD74948-ED0D-4BF3-98A1-B3131106B708} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => %systemroot%\system32\MusNotification.exe  /RunOnAC RebootDialog (No File)
Task: {B2B6D341-B53D-4803-AB16-A661A4ACEAD2} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery => %systemroot%\system32\MusNotification.exe  /RunOnBattery RebootDialog (No File)
Task: {C7253B1F-F1A2-4EC5-A8B2-62D9A72E1DDA} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_Broker_Display => %systemroot%\system32\MusNotification.exe  Display (No File)
Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe  (No File)
Task: {BB734A47-2F4A-4F28-BE12-6E3C6783BEAB} - System32\Tasks\OneDrive Standalone Update Task v2 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  (No File)
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
CHR HKLM-x32\...\Chrome\Extension: [aegnopegbbhjeeiganiajffnalhlkkjb]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki]
CHR HKLM-x32\...\Chrome\Extension: [mfhcmdonhekjhfbjmeacdjbhlfgpjabp]
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1: [DriveFS 28 or later] -> {EE15C2BD-CECB-49F8-A113-CA1BFC528F5B} =>  -> No File
ContextMenuHandlers4: [DriveFS 28 or later] -> {EE15C2BD-CECB-49F8-A113-CA1BFC528F5B} =>  -> No File
ContextMenuHandlers5: [DriveFS 28 or later] -> {EE15C2BD-CECB-49F8-A113-CA1BFC528F5B} =>  -> No File
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access.lnk:A1B76439FE [4138]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk:B96E9B8455 [4138]
EmptyTemp:
End::

• Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
• Press the Fix button once and wait.
• FRST will process fixlist.txt
• When finished, it will produce a log fixlog.txt on your Desktop.
• Post the log in your next reply.

 

2. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.

• Double click AdwCleaner.exe to run it.
• Click Scan Now.
  • When the scan has finished, a Scan Results window will open.
  • Click Cancel (at this point do not attempt to Quarantine anything that is found)
• Now click the Log Files tab.
  • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
  • A Notepad file will open containing the results of the scan.
  • Please post the contents of the file in your next reply.

 

3. Run Malwarebytes (scan only)

• Download Malwarebytes and save it to your Desktop.
• Once downloaded, close all programs and Windows on your computer.
• Double-click on the icon on your desktop named MBSetup.exe. This will start the installation of MBAM onto your computer.
• Follow the instructions to install the program.
• When finished, double click the program's icon created on your Desktop.
• Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
  

  Under the title Scan Options, all the options are checked.
  Under the title Windows Security Center (Premium only) the option is NOT checked.
  Under the title Potentially unwanted items all options are set to Always.

• Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may be take longer.
• When finished, you will see the Threat Scan Summary window open.
• If threats are not found, click View Report and proceed to the two last steps below.
  
  If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

 

 

In your next reply please post:

1. The fixlog.txt
2. The AdwCleaner[S0*].txt
3. The Malwarebytes report

FRST scan

 

Hello.
 
You have Google Sync option enabled, and that is the reason the PUPs detected return at every scan. Turn this option OFF on all the devices you are using. Do not turn it ON, until I tell you.
 
After turning the Google Sync option OFF, on all your devices, please do the following to clean the computer:
 

1. Run Malwarebytes (Clean mode)

• Double click the program's icon on your Desktop, as you did before.
• Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
  

  Under the title Scan Options, all the options are checked.
  Under the title Windows Security Center (Premium only) the option is unchecked.
  Under the title Potentially unwanted items all options are set to Always.

• Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may be take longer.
• When finished, you will see the Thread Scan Summary window open.
• If threats are not found, click View Report and proceed to the two last steps below.
• If threats are found, make sure that all threats are selected, and click on Quarantine/Remove selected.
• You may need to restart the computer.
• Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
• Find the report with the most recent date and double click on it.
• Click on Export and then Copy to Clipboard.
• Paste its content here, in your next reply.

 

2. AdwCleaner (Clean mode)

• Double click AdwCleaner.exe on your Desktop, to run it as you did before.
• Click Scan Now.
• When the scan has finished a Scan Results window will open.
• Please check all the boxes and then click Quarantine.
• Click Next.
  • If any pre-installed software was found on your machine, a prompt window will open. Click OK to close it.
  • Check any pre-installed software items you want to remove.
  • Click Quarantine.
• A prompt to save your work will appear.
  • Click Continue when you're ready to proceed.
• A prompt to restart your computer will appear.
  • Click Restart Now.
• Once your computer has restarted:
  • If it doesn't open automatically, please start AdwCleaner.
  • Click the Log Files tab.
  • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
  • A Notepad file will open containing the results of the removal.
  • Please post the contents of the file in your next reply.

 

 

In your next reply please post:

1. The AdwCleaner[C0*].txt
2. The Malwarebytes report

I had to run the steps twice as I forgot about an old device that still had the chrome sync enabled. First time threats were found and I quarantined them, but then remembered the other device. After the second follow through no threats were found. I only use the web browser Brave so If I can uninstall the other browsers after this, that would be great.

 

Malwarebytes Scan 1st time

 

Malwarebytes

OK, good job. 

 

Let's finish from here first. You can uninstall whatever you want later.

 

For now, I would like to see fresh FRST logs, Addition and FRST (attached).

FRST log

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-09-2023

I'll review your logs tomorrow, since it's late for me now. Just a quick question: now you have Eset Security installed. Are you going to keep it as your primary security solution? 

Hello.
 
The computer is clean now, and the following will just do some maintenance.
 
 
FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

• Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.

Start::
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
S3 MpKsl5a8b5655; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{94C72476-79D9-45C0-AA2C-6002F4ABD452}\MpKslDrv.sys [X]
S3 MpKslb1789ece; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{94C72476-79D9-45C0-AA2C-6002F4ABD452}\MpKslDrv.sys [X]
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: SFC /scannow
EmptyTemp:
End::

• Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
• Press the Fix button once and wait.
• FRST will process fixlist.txt
• When finished, it will produce a log fixlog.txt on your Desktop.
• Post the log in your next reply.

 

 

In your next reply please post:

1. The fixlog.txt
2. Feedback: How is the computer running now? Any remaining issues/questions/concerns? 

im not sure about keeping ESET i was planning to keep malwarebytes but if ESET is better then I would make the switch. Computer seems to be running better now no instances where it will crash and I need to hard reboot. So everything looks good, thank you.

 

FRST Fixlog

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-09-2023

Edited by robo_623, 20 September 2023 - 02:20 PM.

Security Update for SQL Server 2014 Service Pack 3 GDR (KB5021037) install issue 0x80070643

 

I still cannot seem to download or install this SQL update this is what the windows update gives me for info, so everytime i start my computer it keeps trying to install the update does the process about 3_4 times then just boots past it