My PC is acting very strange

Let's set a password for the Ayesha account.
  • In the Search area type Control Panel and select it when it appears.
  • Select View by category.
  • Select User Accounts.
  • Add or remove user accounts.
  • Choose Ayesha.
  • Select insert a password for the specific account and follow the prompts.
  • Restart the computer.
  • Take a screenshot of what you see before logging in to Windows.
 
Hi, Crystal.

Can you please take a look at this topic more often? The issue you are dealing with is not simple and being here once every now and then doesn't help at all.

Thanks.
 
Hello DR M,

Apologies for my late responses, as work has been getting in the way lately and I haven't been able to use my PC ever since, so no changes were made.

I have created a password for Ayesha and after restarting, it actually asked for the pass. (picture attached)
 
I understand about work. However, replying to this topic on a more regular basis will help.

Yes! As I can see, there is an option for you to log in either with the Ayesha account or the Administrator.

Choose to log in as Administrator and from now on please do not use the Ayesha account.

After logging in, let's download a fresh copy of the FRST tool. I want you to make a new scan with it.

Download Farbar Recovery Scan Tool and save it to your desktop. --> IMPORTANT

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

If your antivirus software detects the tool as malicious, it’s safe to allow FRST to run. It is a false-positive detection.

If English is not your primary language, right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe

  • Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.
 
Crystal, I changed my instructions above, so you can download a fresh FRST copy instead of using the old one (if it's still there).
 
I have gone back to get the link for FRST, downloaded it, saved it to my desktop ...but it kept showing me "This app can't run on your PC" and I have tried both versions. What could be the issue here?
 
If there is an option See more details, choose it and then Run anyway.
 
That's what I did. Even the thumbnail for FRST doesn't show up.
 
Go here and download FRST again. It seems that something went wrong with the download.
 
Let's see if we can download FRST from Safe mode.

Restart with Safe mode
  • Press the Windows icon on the keyboard together with the letter I, to get into the Settings.
  • Choose Update and Security.
  • From the menu at the left, choose Recovery.
  • Under the title Advanced startup at the right, choose Restart now.
  • From the window that will appear choose Troubleshoot and then Advanced options.
  • Choose Startup Settings and then Restart.
  • Press number 5, for choosing Safe mode with networking.
  • You will know that you are in Safe mode, if the background is black and Safe mode is written at the four corners of the screen.

Download FRST, as instructed here, and check if you can perform a scan with it.
 
Thanks.

My reply, tomorrow. :)
 
Hi, Crystal.

Having in mind that there is a corruption in the operating system which can lead us to its clean install at the end, let's try all the possible fixes we can. Along with the following, I would like you to get a USB drive (8GB) as we may need it at the next steps.


1. Boot in Safe mode with networking as administrator

Instructions here: My PC is acting very strange


2. Uninstall programs
  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following programs in the list:
Code:
fullscreensavers Toolbar
Microsoft Office Professional Plus 2019 - en-us
Microsoft Office Professional Plus 2019 - en-us.proof
There
Vegas Pro 11.0
  • Select the above programs, one by one, and click Uninstall.
  • Restart the computer in Safe mode with networking when you finish, and log in as Administrator.
In this step, please also uninstall every other not legally activated program you have installed.


3. FRST fix

You are logged in to Safe mode with networking, as Administrator.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-4099092214-71007489-655330686-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com/?SearchSource=10&ctid=CT2060826
URLSearchHook: HKLM-x32 - (No Name) - {fae389d5-e97e-4abd-8242-d9080c709167} - No File
URLSearchHook: HKU\S-1-5-21-4099092214-71007489-655330686-1001 - (No Name) - {fae389d5-e97e-4abd-8242-d9080c709167} - No File
SearchScopes: HKLM-x32 -> DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2060826
SearchScopes: HKLM-x32 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2060826
SearchScopes: HKU\S-1-5-21-4099092214-71007489-655330686-1001 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2060826
BHO-x32: No Name -> {fae389d5-e97e-4abd-8242-d9080c709167} -> No File
Toolbar: HKLM-x32 - No Name - {fae389d5-e97e-4abd-8242-d9080c709167} -  No File
FirewallRules: [{8ED9E21B-ADE8-452C-8CEC-BAFD71DE494D}] => (Allow) C:\Users\Ayesha\AppData\Local\Temp\download\MiniThunderPlatform.exe => No File
FirewallRules: [{12FDA7F2-C4D9-49D4-9106-C0F1EF3E5EEC}] => (Allow) C:\Users\Ayesha\AppData\Local\Temp\download\MiniThunderPlatform.exe => No File
FirewallRules: [{6D2CC7F7-9C72-4A76-9C79-FB2B4DFFB4A8}] => (Allow) C:\Program Files (x86)\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe => No File
FirewallRules: [{1064B3A3-B8FF-4D4D-812E-546FB4002100}] => (Allow) C:\Program Files (x86)\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe => No File
FirewallRules: [{5CB18097-1763-4C95-8F5F-D8ACAB29748B}] => (Allow) C:\Program Files\BlueStacks\HD-Player.exe => No File
FirewallRules: [{F98066A8-89F7-4881-9B80-7FB283941B0B}] => (Allow) C:\Makena\There\ThereClient\There.exe (Makena Technologies, Inc. -> There, Inc.)
FirewallRules: [{6AFC67F8-F2C4-4903-927F-FFD4D536F694}] => (Allow) C:\Makena\There\ThereClient\There.exe (Makena Technologies, Inc. -> There, Inc.)
FirewallRules: [TCP Query User{230F2AE8-70AD-410E-A79F-C51D3BB0D9E4}C:\users\ayesha\downloads\microsoft office 2019\files\bin\kmss.exe] => (Allow) C:\users\ayesha\downloads\microsoft office 2019\files\bin\kmss.exe => No File
FirewallRules: [UDP Query User{FE07E7B8-050E-47CA-A41D-4C28EA78A010}C:\users\ayesha\downloads\microsoft office 2019\files\bin\kmss.exe] => (Allow) C:\users\ayesha\downloads\microsoft office 2019\files\bin\kmss.exe => No File
C:\Users\Ayesha\Downloads\Ableton live suite v10 by KickAssCracks.com
C:\Users\Ayesha\Downloads\Microsoft Office 2019
HKLM\...\Policies\Explorer: [NoWindowsUpdate] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-4099092214-71007489-655330686-1001\...\Run: [RGSC] => C:\Program Files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
HKU\S-1-5-21-4099092214-71007489-655330686-1001\...\Policies\Explorer: [NoSecurityTab] 1
HKU\S-1-5-21-4099092214-71007489-655330686-1001\...\MountPoints2: {0e869115-c507-11eb-8db1-1c6f65ca2958} - "D:\AutoRun.exe" 
HKU\S-1-5-21-4099092214-71007489-655330686-1001\...\MountPoints2: {2d8d9512-7d47-11eb-8d99-1c6f65ca2958} - "D:\AutoRun.exe" 
HKU\S-1-5-21-4099092214-71007489-655330686-1001\...\MountPoints2: {49138940-79e9-11eb-8d99-1c6f65ca2958} - "D:\AutoRun.exe" 
HKU\S-1-5-21-4099092214-71007489-655330686-1001\...\MountPoints2: {4913952c-79e9-11eb-8d99-1c6f65ca2958} - "D:\AutoRun.exe" 
HKU\S-1-5-21-4099092214-71007489-655330686-1001\...\MountPoints2: {b8a34d2c-78eb-11eb-8d98-1c6f65ca2958} - "D:\HiSuiteDownLoader.exe" 
HKU\S-1-5-21-4099092214-71007489-655330686-1001\...\MountPoints2: {b8a34e84-78eb-11eb-8d98-1c6f65ca2958} - "D:\AutoRun.exe" 
HKU\S-1-5-21-4099092214-71007489-655330686-1001\...\MountPoints2: {d30ee1a5-7784-11eb-8d95-1c6f65ca2958} - "D:\AutoRun.exe" 
HKU\S-1-5-21-4099092214-71007489-655330686-1001\...\MountPoints2: {d30ee1cd-7784-11eb-8d95-1c6f65ca2958} - "D:\AutoRun.exe" 
IFEO\dismHost.exe: [Debugger] *
IFEO\EOSNOTIFY.EXE: [Debugger] *
IFEO\InstallAgent.exe: [Debugger] *
IFEO\MusNotification.exe: [Debugger] *
IFEO\MUSNOTIFICATIONUX.EXE: [Debugger] *
IFEO\remsh.exe: [Debugger] *
IFEO\SIHClient.exe: [Debugger] *
IFEO\UpdateAssistant.exe: [Debugger] *
IFEO\UPFC.EXE: [Debugger] *
IFEO\UsoClient.exe: [Debugger] *
IFEO\WaaSMedic.exe: [Debugger] *
IFEO\WaasMedicAgent.exe: [Debugger] *
IFEO\Windows10Upgrade.exe: [Debugger] *
IFEO\WINDOWS10UPGRADERAPP.EXE: [Debugger] *
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
S2 ElevationService; C:\Program Files (x86)\Wondershare\Wondershare dr.fone\Addins\Recovery\ElevationService.exe [913408 2021-06-04] () [File not signed]
S2 SU10Guard; C:\Windows\F1VPIJD6\SU10Guard.exe [72776 2020-05-30] (Greatis Software LLC -> Greatis Software, LLC)
S2 Wondershare InstallAssist; C:\ProgramData\Wondershare\Service\InstallAssistService.exe [262880 2021-06-04] (Wondershare Technology Co.,Ltd -> Wondershare)
S2 DFWSIDService; C:\Program Files (x86)\Wondershare\Wondershare dr.fone\WsidService.exe [X]
S3 hsstap; \SystemRoot\System32\drivers\hsstap.sys [X]
C:\Windows\F1VPIJD6
C:\Program Files (x86)\Rockstar Games
2021-06-15 20:09 - 2021-06-15 20:09 - 000000000 ____D C:\Program Files\Ableton
2021-06-15 20:08 - 2021-06-15 20:08 - 000000000 ____D C:\Users\Ayesha\Documents\Max 8
2021-06-15 20:08 - 2021-06-15 20:08 - 000000000 ____D C:\Users\Ayesha\AppData\Roaming\Cycling '74
2021-06-15 20:08 - 2021-06-15 20:08 - 000000000 ____D C:\ProgramData\Max 8
2021-06-15 20:07 - 2021-06-15 20:08 - 000000000 ____D C:\Users\Ayesha\Documents\Ableton
2021-06-15 20:06 - 2021-06-15 20:06 - 000000000 ____D C:\Users\Ayesha\AppData\Roaming\Ableton
2021-06-15 20:06 - 2021-06-15 20:06 - 000000000 ____D C:\Users\Ayesha\AppData\Local\Ableton
2021-06-15 20:06 - 2021-06-15 20:06 - 000000000 ____D C:\Program Files\Common Files\Propellerhead Software
2021-06-15 20:04 - 2021-06-15 20:07 - 004487109 _____ C:\Users\Ayesha\Downloads\Unconfirmed 293607.crdownload
2021-06-15 19:54 - 2021-06-15 19:54 - 000000871 _____ C:\Users\Ayesha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ableton Live 10 Suite.lnk
2021-06-15 18:50 - 2021-06-15 20:16 - 000000000 ____D C:\Users\Ayesha\Downloads\Ableton live suite v10 by KickAssCracks.com
2021-06-14 22:12 - 2021-06-15 00:08 - 1728969119 _____ C:\Users\Ayesha\Downloads\Ableton live suite v10 by KickAssCracks.com.zip
2021-06-12 02:46 - 2021-06-12 02:46 - 002826192 _____ (Adobe Systems, Inc.) C:\Users\Ayesha\Downloads\InstFlash10AX (1).exe
2021-06-12 02:46 - 2021-06-12 02:46 - 001503928 _____ (Adobe) C:\Users\Ayesha\Downloads\uninstall_flash_player.exe
2021-06-12 02:45 - 2021-06-12 02:45 - 001250504 _____ (Adobe Inc) C:\Users\Ayesha\Downloads\flashplayer32pp_en_install.exe
2021-06-12 02:43 - 2021-06-12 02:43 - 000000000 ____D C:\ProgramData\WsAppHelper
2021-06-12 02:40 - 2021-06-12 02:40 - 021646392 _____ (Adobe) C:\Users\Ayesha\Downloads\install_flash_player-32.0.0.445.exe
2021-06-12 02:37 - 2021-06-12 02:38 - 002826192 _____ (Adobe Systems, Inc.) C:\Users\Ayesha\Downloads\InstFlash10AX.exe
2021-06-12 01:35 - 2021-06-12 01:35 - 000000000 ____D C:\Users\Ayesha\Downloads\MS OFFICE FREE
2021-06-12 01:30 - 2021-06-14 20:09 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools
2021-06-12 01:30 - 2021-06-12 01:30 - 000002451 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk
2021-06-12 01:30 - 2021-06-12 01:30 - 000002450 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk
2021-06-12 01:30 - 2021-06-12 01:30 - 000002413 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk
2021-06-12 01:30 - 2021-06-12 01:30 - 000002407 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook.lnk
2021-06-12 01:30 - 2021-06-12 01:30 - 000000000 ____D C:\Program Files\Common Files\DESIGNER
2021-06-12 01:29 - 2021-06-21 11:22 - 000000000 ____D C:\Program Files\Microsoft Office
2021-06-12 01:29 - 2021-06-12 02:47 - 000212992 _____ C:\WINDOWS\system32\ClickToRun_Pipeline16
2021-06-12 01:29 - 2021-06-12 01:29 - 000000000 ____D C:\Program Files\Microsoft Office 15
2021-06-12 01:22 - 2021-06-12 01:24 - 000000000 ____D C:\Users\Ayesha\Downloads\Microsoft Office 2019
2021-06-11 16:17 - 2021-06-12 02:52 - 000000000 ____D C:\Program Files\Wondershare
2021-06-11 15:26 - 2021-06-11 15:33 - 000000000 ____D C:\Users\Ayesha\AppData\Roaming\Wondershare
2021-06-11 15:22 - 2021-06-12 02:52 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare
2021-06-11 15:21 - 2021-06-12 02:52 - 000000000 ____D C:\ProgramData\Wondershare
2021-06-11 16:14 - 2021-06-11 16:15 - 001390520 _____ C:\Users\Ayesha\Downloads\recoverit_setup_full4134.exe
2021-06-11 15:21 - 2021-06-11 15:21 - 001000040 _____ C:\Users\Ayesha\Downloads\drfone_recover_setup_full3366.exe
2021-06-11 15:21 - 2021-06-11 15:21 - 000000000 ____D C:\Program Files (x86)\Wondershare
2021-06-11 15:20 - 2021-06-11 16:17 - 000000000 ____D C:\Users\Public\Documents\Wondershare
2021-06-11 15:20 - 2021-06-11 15:20 - 000997600 _____ C:\Users\Ayesha\Downloads\win-drfone_setup_full3360.exe
2021-06-11 15:20 - 2021-06-11 15:20 - 000997600 _____ C:\Users\Ayesha\Downloads\win-drfone_setup_full3360 (2).exe
2021-06-11 15:20 - 2021-06-11 15:20 - 000997600 _____ C:\Users\Ayesha\Downloads\win-drfone_setup_full3360 (1).exe
2021-05-29 00:14 - 2021-05-29 00:14 - 000000000 ____D C:\Users\Ayesha\Downloads\Ableton.Live.Suite.11.v11.0.0.Incl.Patched.and.Keygen-R2R
2021-05-28 23:00 - 2021-05-28 23:13 - 2338452248 _____ C:\Users\Ayesha\Downloads\Ableton.Live.Suite.11.v11.0.0.Incl.Patched.and.Keygen-R2R.rar
2021-05-28 22:12 - 2021-05-28 22:30 - 969356480 _____ (Image-Line) C:\Users\Ayesha\Downloads\flstudio_win_20.8.0.2115.exe
2021-05-28 21:09 - 2021-05-28 21:12 - 145495560 _____ (8cell, Inc. ) C:\Users\Ayesha\Downloads\Buildbox2.exe
2021-06-15 19:57 - 2021-02-25 16:11 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rockstar Games
2021-06-12 02:47 - 2019-12-07 12:14 - 000000000 ____D C:\WINDOWS\SysWOW64\Macromed
2021-06-12 02:47 - 2019-12-07 12:14 - 000000000 ____D C:\WINDOWS\system32\Macromed
2021-06-12 02:46 - 2021-01-24 00:48 - 000000000 ____D C:\Users\Ayesha\AppData\Roaming\Adobe
2021-06-12 02:40 - 2019-12-07 12:18 - 000842296 _____ (Adobe) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2021-06-12 02:40 - 2019-12-07 12:18 - 000175160 _____ (Adobe) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2021-06-10 22:00 - 2021-05-24 19:25 - 000000000 ____D C:\Riot Games
2021-06-10 22:00 - 2021-05-24 19:25 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Riot Games
2021-06-10 21:58 - 2021-04-17 05:08 - 000000000 ____D C:\Users\Ayesha\AppData\Local\Glyph
2021-06-10 21:58 - 2021-04-17 05:08 - 000000000 ____D C:\Program Files (x86)\Glyph
2021-06-10 21:58 - 2021-04-10 13:45 - 000000000 ____D C:\Program Files\VirtualDJ
2021-06-10 21:56 - 2021-03-26 19:01 - 000000000 ____D C:\Program Files (x86)\Virtual DJ Studio 8
2021-06-10 21:53 - 2021-04-17 05:08 - 000000000 ____D C:\ProgramData\Glyph
2021-06-10 21:53 - 2021-04-06 17:58 - 000000000 ____D C:\Users\Ayesha\AppData\Local\Bluestacks
2021-05-28 17:26 - 2021-05-24 19:25 - 000000000 ____D C:\ProgramData\Riot Games
c:\program files\ableton
C:\Program Files (x86)\FullScreensavers.ini
Task: {0B128DF3-671F-43BB-BFAA-994F57CC0FFF} - System32\Tasks\Microsoft\Windows\Google\GoogleUpdateTaskMachineIS => C:\WINDOWS\SysWOW64\XPSViewer\TasksG\G-1-91-23\TG_1.4.30.54.exe [67896 2019-12-07] () [File not signed] <==== ATTENTION
Task: {83B2E839-B34D-4648-867F-BA8183963040} - System32\Tasks\Microsoft\Windows\Windows Error Reporting\SysInfo => C:\Users\Administrator\AppData\Roaming\\toolsyshost\\sihost.exe <==== ATTENTION
Task: {EAB23DCD-6370-4357-958D-B2C4AC15B8A2} - System32\Tasks\{494D10FF-2C00-4364-8D5A-941DDB6172A8} => C:\Windows\system32\pcalua.exe -a "E:\programs\New  (4) Player\RealPlayer10GOLD.exe" -d "E:\programs\New  (4) Player"
VirusTotal: C:\Users\Administrator\AppData\Roaming\toolsyshost\sihost.exe;C:\WINDOWS\SysWOW64\XPSViewer\TasksG\G-1-91-23\TG_1.4.30.54.exe
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, the computer will restart. Log in as Administrator.
  • A fixlog.txt will be produced on your Desktop.
  • Please post the log in your next reply.

4. Fresh FRST logs


The computer will restart in normal mode from the previous step. Try to SCAN with the FRST tool, attaching the two logs (FRST and Addition.txt) in your next reply.

If no luck (FRST can't run), then restart in Safe mode with networking again and perform a SCAN with the FRST tool, attaching the two logs (FRST and Addition.txt) in your next reply.


In your next reply please post:
  1. Any issues regarding the uninstalling procedure in Step 2 above
  2. The fixlog.txt
  3. The fresh FRST logs
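
An added example, not part of the original post and not FRST's own code: a small Python triage that checks the copied text still has its Start:: and End:: marker lines and groups the entries by kind before the fix is run. The line patterns are assumptions inferred only from the lines visible in the post, and the sample is a handful of those lines reproduced inline.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the fixlist in the post above.
SAMPLE = r"""Start::
CreateRestorePoint:
FirewallRules: [{5CB18097-1763-4C95-8F5F-D8ACAB29748B}] => (Allow) C:\Program Files\BlueStacks\HD-Player.exe => No File
FirewallRules: [{F98066A8-89F7-4881-9B80-7FB283941B0B}] => (Allow) C:\Makena\There\ThereClient\There.exe (Makena Technologies, Inc. -> There, Inc.)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
IFEO\UsoClient.exe: [Debugger] *
IFEO\WaaSMedic.exe: [Debugger] *
S2 ElevationService; C:\Program Files (x86)\Wondershare\Wondershare dr.fone\Addins\Recovery\ElevationService.exe [913408 2021-06-04] () [File not signed]
Task: {83B2E839-B34D-4648-867F-BA8183963040} - System32\Tasks\Microsoft\Windows\Windows Error Reporting\SysInfo => C:\Users\Administrator\AppData\Roaming\\toolsyshost\\sihost.exe <==== ATTENTION
EmptyTemp:
End::
"""

# Assumption: pattern inferred from the IFEO lines shown in the thread,
# not taken from FRST documentation.
IFEO = re.compile(r"^IFEO\\([^:]+): \[Debugger\]")


def fixlist_body(text):
    """Return the entries between Start:: and End::; both markers are required."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "Start::" or lines[-1] != "End::":
        raise ValueError("fixlist must begin with Start:: and end with End::")
    return lines[1:-1]


def triage(text):
    """Group fixlist entries by the kind of finding they represent."""
    findings = defaultdict(list)
    for line in fixlist_body(text):
        m = IFEO.match(line)
        if m:  # Image File Execution Options entry carrying a Debugger value
            findings["ifeo_debugger"].append(m.group(1))
        if line.endswith("<==== ATTENTION"):  # entries the log itself flags
            findings["attention"].append(line.split(" <====")[0])
        if line.startswith("FirewallRules:") and line.endswith("=> No File"):
            findings["firewall_no_file"].append(line)  # rule for a missing binary
        if "[File not signed]" in line:
            findings["unsigned"].append(line.split(";")[0])
    return dict(findings)


if __name__ == "__main__":
    for kind, items in triage(SAMPLE).items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
```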
 
Hello DR M!

Apologies for my slow replies again...I'm trying!

So as I was following your instructions, I have a question....is it normal that it takes so long for things to respond in "Safe Mode"?

I've only managed to uninstall "There" ...and have attached pictures of the errors when I tried uninstalling the rest. :/
 
Hi, Crystal.

Continue with the fix in Safe mode (Step 3 above).

Restart in Normal mode and try to run FRST (SCAN), providing the two produced logs.
 
Will update you about it tomorrow...seems like it's gonna take a while..
 
OK, Crystal. (y)

Let's see what we have here. Give me some time to review the logs.
 