[SOLVED] Not sure if I'm posting in the right section

Hello, flipper26.

Since my colleague axe0 is sick these days, I'll try to assist you with your computer issues. Obviously the system has many issues, not only in normal mode, and I'm not sure if it is repairable. However, I'll add my efforts to assist you and resolve the issues.

Since some days have passed, I would like to see fresh FRST logs in Safe mode (Addition and FRST). Keep in mind that my time zone is GMT+2, so I'll be able to review them tomorrow.
 
I'm sorry to hear that, I hope that Axe is okay. I appreciate any help that you can provide. Attached please find the logs you requested. Let me know if there's anything else I can provide that may be helpful.
 


Hello.

I see that you used the computer for downloading (and possibly using) programs while you were getting assistance. Now, I would like you to keep in mind the following:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but can also make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, there is no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.
 
Let's continue in Safe mode, since you are not able to sign in using Normal mode yet.


1. Move FRST

Please move the FRST tool from F directly onto your Desktop.


2. FRST fix

Please do the following to run a FRST fix. The fix will take time, and please DO NOT use the computer while it is running, even if you think it froze.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CloseProcesses:
ShellIconOverlayIdentifiers: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} =>  -> No File
ShellIconOverlayIdentifiers: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} =>  -> No File
ShellIconOverlayIdentifiers: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
ContextMenuHandlers1: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} =>  -> No File
ContextMenuHandlers2: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} =>  -> No File
ContextMenuHandlers3: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} =>  -> No File
ContextMenuHandlers4: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers4: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} =>  -> No File
ContextMenuHandlers4: [Offline Files] -> {474C98EE-CF3D-41f5-80E3-4AAB0AB04301} =>  -> No File
ContextMenuHandlers5: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
ContextMenuHandlers6: [Offline Files] -> {474C98EE-CF3D-41f5-80E3-4AAB0AB04301} =>  -> No File
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TweakingRemoveSafeBoot => ""="Service"
SearchScopes: HKU\S-1-5-21-1876214748-2417306340-1488581364-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1876214748-2417306340-1488581364-1002 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1876214748-2417306340-1488581364-1002 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = &vendorConfigured=iac&cmpgn=oct21&gct=kwd&qsrc=2869
BHO: No Name -> {813E8B32-348A-4AD9-B1B8-16161E160703}' -> No File
BHO-x32: No Name -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> No File
BHO-x32: No Name -> {813E8B32-348A-4AD9-B1B8-16161E160703}' -> No File
MSCONFIG\Services: McAfee WebAdvisor => 2
HKU\S-1-5-21-1876214748-2417306340-1488581364-1002\...\StartupApproved\Run: => "btweb"
FirewallRules: [{B9EBA751-6BA3-45F1-BB07-CC81F4C2F07B}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe => No File
FirewallRules: [{3DF00CC8-F160-432D-9183-C899B99D5DF2}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe => No File
FirewallRules: [{7C86D801-4A0B-4884-995A-FB17C95E30F2}] => (Allow) C:\Users\flipper26\AppData\Roaming\BitTorrent Web\btweb.exe => No File
FirewallRules: [{5BC10EA6-7A82-4F14-858F-3E8D6E1F1FC0}] => (Allow) C:\Users\flipper26\AppData\Roaming\BitTorrent Web\btweb.exe => No File
FirewallRules: [TCP Query User{56CC75A7-A926-4203-9B86-E8607C4CC660}C:\programdata\regid.1993-06.com.microsoft\wmiprvse.exe] => (Block) C:\programdata\regid.1993-06.com.microsoft\wmiprvse.exe => No File
FirewallRules: [UDP Query User{031EA429-22BF-4FA1-9801-E966032F37A1}C:\programdata\regid.1993-06.com.microsoft\wmiprvse.exe] => (Block) C:\programdata\regid.1993-06.com.microsoft\wmiprvse.exe => No File
FirewallRules: [{A74EBD5B-3E5D-4651-AD1F-44DA33CA3C2D}] => (Allow) C:\Program Files\Fortect\MainService.exe => No File
FirewallRules: [{E136A8FC-419A-460C-9B60-B55EE6EB8F1B}] => (Allow) C:\Program Files\Fortect\MainService.exe => No File
FirewallRules: [{502cdf07-fbb7-4b22-8061-acfc2790b192}] => (Allow) C:\LDPlayer\LDPlayer9\dnplayer.exe => No File
FirewallRules: [{5C18DF22-2EBC-4BCF-AD2B-5581652333D1}] => (Allow) C:\Program Files (x86)\Nox\bin\Nox.exe => No File
FirewallRules: [{CCAE93E6-43EE-4D3D-A56A-62EC92A6A4E4}] => (Allow) C:\Program Files (x86)\Bignox\BigNoxVM\RT\NoxVMHandle.exe => No File
FirewallRules: [{62FF2DDF-B5B7-4A8A-8893-0C71AB22CE3F}] => (Allow) C:\Program Files\Norton\Driver Updater\NortonDriverUpdUI.exe => No File
FirewallRules: [{18742E79-DC66-483E-A917-7C711CF777D3}] => (Allow) C:\Program Files\Norton\Driver Updater\NortonDriverUpdUI.exe => No File
FirewallRules: [{0CBBA2AE-F2F4-4441-9FE5-469FDCAAA960}] => (Allow) C:\Program Files\Fortect\MainService.exe => No File
FirewallRules: [{32B15DF5-2428-47A5-B2FD-17E7945E2611}] => (Allow) C:\Program Files\Fortect\MainService.exe => No File
FirewallRules: [{480C6602-A8F0-4CD4-AA2D-AB8069EA5E9D}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.65.78.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{9E6EFAB9-EFA3-4B1E-B67D-E4ECCBA59176}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.65.78.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{01DF0815-250E-4BEF-A399-C43432F6D46B}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.65.78.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{C9B70DF6-3CB5-42AC-9DE3-6A0E1C192420}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.65.78.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
HKLM\...\RunOnce: [!BingChatInstaller] => C:\Windows\Temp\MUBSTemp\BingChatInstaller.EXE [17685536 2024-01-12] (Microsoft Corporation -> Microsoft Corporation) <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKU\S-1-5-21-1876214748-2417306340-1488581364-1002\...\Run: [DriverFix] => "C:\Program Files (x86)\DriverFix\DriverFix.exe" -auto (No File)
HKU\S-1-5-21-1876214748-2417306340-1488581364-1002\...\Run: [Adobe Acrobat Synchronizer] => "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" (No File)
HKU\S-1-5-21-1876214748-2417306340-1488581364-1002\...\Run: [btweb] => "C:\Users\flipper26\AppData\Roaming\BitTorrent Web\btweb.exe" /MINIMIZED (No File)
HKU\S-1-5-21-1876214748-2417306340-1488581364-1002\...\RunOnce: [Delete Cached Update Binary] => C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Users\flipper26\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" (No File)
HKU\S-1-5-21-1876214748-2417306340-1488581364-1002\...\RunOnce: [Delete Cached Standalone Update Binary] => C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Users\flipper26\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" (No File)
HKU\S-1-5-21-1876214748-2417306340-1488581364-1002\...\RunOnce: [Uninstall 23.221.1024.0002] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\flipper26\AppData\Local\Microsoft\OneDrive\23.221.1024.0002" [0 2023-11-21] () <==== ATTENTION [zero byte File/Folder]
HKU\S-1-5-21-1876214748-2417306340-1488581364-1002\...\RunOnce: [!BingChatInstaller.exe] => C:\Windows\temp\MUBSTemp\BingChatInstaller.exe [17685536 2024-01-12] (Microsoft Corporation -> Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-1876214748-2417306340-1488581364-1002\...\MountPoints2: {56df1b0a-53a9-11ea-88cf-426f2a4f26ef} - "D:\GSLoader.exe"
HKU\S-1-5-21-1876214748-2417306340-1488581364-1002\...\MountPoints2: {a8ba579a-df6a-11eb-892d-04d4c4e13efb} - "D:\GSLoader.exe"
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
Task: {E2EB017E-A785-423D-BCF0-FA99C5524065} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe  (No File)
Task: {9320DF53-1441-42DC-8486-341038B630BA} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_32_0_0_321_pepper.exe [1453624 2020-01-25] (Adobe Inc. -> Adobe)
Task: {EFE15B67-9F0C-4E30-BDD3-0B99428D0CF1} - System32\Tasks\ASUS\P508PowerAgent_sdk => C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ShareFromArmouryIII\Mouse\ROG STRIX CARRY\P508PowerAgent.exe  (No File)
Task: {C094AA86-7D6D-49A3-9810-2CB7716F0DC5} - System32\Tasks\Driver Easy Scheduled Scan => C:\Program Files\Easeware\DriverEasy\DriverEasy.exe  --scan (No File)
Task: {91233FA8-1F6D-40C7-97A9-52C913F500F1} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe  --automatic (No File)
Task: {6438D303-1CC1-450C-8DF3-85445603FEB3} - System32\Tasks\MEGA\MEGAsync Update Task S-1-5-21-1876214748-2417306340-1488581364-1002 => C:\ProgramData\MEGAsync\MEGAupdater.exe  (No File)
Task: {2512D9CE-7575-46AE-AF08-805A5CEDF784} - System32\Tasks\Mozilla\Firefox Default Browser Agent E7CF176E110C211B => C:\Program Files (x86)\Mozilla Firefox\default-browser-agent.exe  do-task "E7CF176E110C211B" (No File)
Task: {D33E53D6-82EC-4319-B214-849D53FFFCD1} - System32\Tasks\Norton\Norton Driver Updater Update => C:\Program Files\Common Files\Norton\Icarus\norton-du\icarus.exe  /update:norton-du /silent (No File)
Task: {F0847215-8456-48AD-B67F-A1F73A5EFED5} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-1876214748-2417306340-1488581364-1002 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  /reporting (No File)
Task: {47C2BA76-B0AC-4941-80A6-F59F1C7BCF55} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1876214748-2417306340-1488581364-1001 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  (No File)
Task: {143BAB4B-7DD9-40B3-9B1B-1F6A8C064EF3} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1876214748-2417306340-1488581364-1002 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  (No File)
Task: {7C39CD21-1F8D-4CEC-B69E-D1643E7978B2} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1876214748-2417306340-1488581364-500 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  (No File)
Task: {F06D0C0A-127E-42EF-8E67-CC7D4B81A524} - System32\Tasks\PowerToys\Autorun for flipper26 => C:\Program Files\PowerToys\PowerToys.exe  (No File)
Task: C:\Windows\Tasks\Driver Easy Scheduled Scan.job => C:\Program Files\Easeware\DriverEasy\DriverEasy.exe
Task: C:\Windows\Tasks\Tweaking.com - Windows Repair Tray Icon.job => C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)Tweaking.com - Windows Repair)Created By Tweaking.com
Winsock: Catalog9 17 %windir%\system32\vsocklib.dll => No File
Winsock: Catalog9 18 %windir%\system32\vsocklib.dll => No File
Winsock: Catalog9-x64 17 %windir%\system32\vsocklib.dll => No File
Winsock: Catalog9-x64 18 %windir%\system32\vsocklib.dll => No File
Edge Extension: (Online Security) - C:\Users\OWNER\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jcpgbnbdnakoblgfkbgggankeidkfcdl [2024-01-02]
Edge HKU\S-1-5-21-1876214748-2417306340-1488581364-1002\SOFTWARE\Microsoft\Edge\Extensions\...\Edge\Extension: [jcpgbnbdnakoblgfkbgggankeidkfcdl]
Edge HKLM-x32\...\Edge\Extension: [jcpgbnbdnakoblgfkbgggankeidkfcdl]
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
FF HKLM-x32\...\Firefox\Extensions: [VIP2X@verisign.com] - C:\Program Files (x86)\Symantec\VIP Access Client => not found
FF HKLM-x32\...\Firefox\Extensions: [{338950EA-82DB-44C1-930D-0C28E023C9F0}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt => not found
FF HKLM-x32\...\Firefox\Extensions: [VIP3X@verisign.com] - C:\Program Files (x86)\Symantec\VIP Access Client => not found
CHR HKU\S-1-5-21-1876214748-2417306340-1488581364-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [llbcnfanfmjhpedaedhbcnpgeepdnnok]
CHR HKLM-x32\...\Chrome\Extension: [llbcnfanfmjhpedaedhbcnpgeepdnnok]
S4 EsgShKernel; C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe [17418784 2023-10-01] (EnigmaSoft Limited -> EnigmaSoft Limited)
S4 ShMonitor; C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe [2525216 2023-10-01] (EnigmaSoft Limited -> EnigmaSoft Limited)
S4 AdobeARMservice; "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [X]
S4 AdobeUpdateService; "C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe" [X]
S2 com.geocomply.internal-updater-microservice; C:\Program Files (x86)\GeoComply\//PlayerLocationCheck///Application/com.geocomply.internal-updater-microservice.exe [X]
S2 com.geocomply.process-scanner-microservice; C:\Program Files (x86)\GeoComply\//PlayerLocationCheck///Application/com.geocomply.process-scanner-microservice.exe [X]
S2 com.geocomply.vm-detector-microservice; C:\Program Files (x86)\GeoComply\//PlayerLocationCheck///Application/com.geocomply.vm-detector-microservice.exe [X]
S2 com.geocomply.wifi-scanner-microservice; C:\Program Files (x86)\GeoComply\//PlayerLocationCheck///Application/com.geocomply.wifi-scanner-microservice.exe [X]
S3 CryptoTabBrowserElevationService; "C:\Program Files\CryptoTab Browser\Application\112.0.5615.138\elevation_service.exe" [X]
S2 Player Location Check; C:\Program Files (x86)\GeoComply\//PlayerLocationCheck///Application/service.exe [X]
S3 WdNisSvc; "%ProgramData%\Microsoft\Windows Defender\platform\4.18.1910.4-0\NisSrv.exe" [X]
S2 BdDci; C:\Windows\system32\DRIVERS\bddci.sys [367096 2023-04-19] (Bitdefender SRL -> Bitdefender)
S3 cpuz148; \??\C:\WINDOWS\temp\cpuz148\cpuz148_x64.sys [X]
S3 cpuz157; \??\C:\WINDOWS\temp\cpuz157\cpuz157_x64.sys [X]
S3 SIUSBXP; \??\C:\Windows\system32\drivers\SiUSBXp.sys [X]
2023-12-17 10:08 - 2023-11-29 21:03 - 000084032 _____ (EnigmaSoft Limited) C:\Windows\system32\Drivers\EnigmaFileMonDriver.sys
C:\Program Files\Easeware
C:\Program Files (x86)\Tweaking.com
C:\Program Files\EnigmaSoft
C:\Users\flipper26\b1freearchiver.exe
C:\Windows\system32\DRIVERS\bddci.sys
C:\Windows\system32\Drivers\EnigmaFileMonDriver.sys
cmd: netsh winsock reset
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
DeleteKey: HKU\S-1-5-21-1876214748-2417306340-1488581364-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\btweb
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverEasy_is1
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverFix_is1
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180333F0}
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SqZl0LkEtJzbWHP6 LLC_is1
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Tweaking.com - Windows Repair
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BDD8C463-1183-4A91-9EC8-BF68E4ECA9B6}
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.
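Most of the entries in the fix above are of two kinds: autostart items (firewall rules, scheduled tasks, Run keys) whose executable no longer exists, which FRST prints as "No File", and policy registry values that FRST marks "Restriction" because they disable Windows Defender or Windows Update. The following read-only PowerShell audit is an added example, not code from the thread or from FRST's author, that finds those same kinds of items on a machine so the FRST.txt entries can be cross-checked before anything is removed. The function names are my own; the registry keys are the ones named in the fixlist above.

```powershell
# Added example (not from the thread): read-only audit of the kinds of items
# an FRST fixlist targets. Run from an elevated PowerShell prompt.
# It changes nothing, so it is safe to run before deciding what to remove.

# FRST shows paths with %windir%, %localappdata% etc. unexpanded; expand them
# and strip trailing arguments (e.g. "/MINIMIZED") so only the .exe is tested.
function Expand-ProgramPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if ($p -match '^(.*?\.exe)') { $p = $Matches[1] }
    # Bare names such as "cmd.exe" resolve via PATH; only test absolute paths.
    if (-not [IO.Path]::IsPathRooted($p)) { return $null }
    return $p
}

# 1. Firewall rules whose program is gone (FRST: "=> No File"). An orphaned
#    Allow rule is harmless today but would silently grant network access to
#    whatever is dropped at that path later, which is why FRST removes them.
function Get-OrphanedFirewallRule {
    Get-NetFirewallRule | ForEach-Object {
        $filter = $_ | Get-NetFirewallApplicationFilter
        $exe = Expand-ProgramPath $filter.Program
        if ($exe -and -not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{ Name = $_.Name; Action = $_.Action; Program = $exe }
        }
    }
}

# 2. Scheduled tasks whose action executable is missing (FRST: "(No File)").
function Get-OrphanedScheduledTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = Expand-ProgramPath $action.Execute   # null for COM-handler actions
            if ($exe -and -not (Test-Path -LiteralPath $exe)) {
                [pscustomobject]@{ TaskPath = $task.TaskPath; TaskName = $task.TaskName; Execute = $exe }
            }
        }
    }
}

# 3. Defender / Windows Update policy values that FRST flags as "Restriction".
#    DisableAntiSpyware or DisableAntiVirus set to 1 under these keys is a
#    common tampering indicator; any value under the WindowsUpdate policy key
#    is reported, since FRST flags the key as a whole.
function Get-SecurityPolicyRestriction {
    $checks = @(
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';     Names = 'DisableAntiSpyware', 'DisableAntiVirus' }
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';              Names = 'DisableAntiSpyware', 'DisableAntiVirus' }
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Names = $null }
    )
    foreach ($c in $checks) {
        if (-not (Test-Path -LiteralPath $c.Key)) { continue }
        $item  = Get-ItemProperty -LiteralPath $c.Key
        # Get-ItemProperty adds PSPath/PSDrive/... note properties; skip those.
        $names = if ($c.Names) { $c.Names } else { $item.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' } }
        foreach ($n in $names) {
            if ($null -ne $item.$n) {
                [pscustomobject]@{ Key = $c.Key; Name = $n; Value = $item.$n }
            }
        }
    }
}

Get-OrphanedFirewallRule       | Format-Table -AutoSize
Get-OrphanedScheduledTask      | Format-Table -AutoSize
Get-SecurityPolicyRestriction  | Format-Table -AutoSize
```

The script only reads; it deliberately does not delete rules, tasks or registry values, since on a machine like this one the removal is better left to a fix that a helper has reviewed against the full logs.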
 
Good job!

Let me know what happens if you try to sign in using normal mode now.

If you are still unable to sign in using normal mode, please do the following:


1. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

2. Run Malwarebytes (scan only)
  • Download Malwarebytes and save it to your Desktop.
  • Once downloaded, close all programs and Windows on your computer.
  • Double-click on the icon on your desktop named MBSetup.exe. This will start the installation of MBAM onto your computer.
  • Follow the instructions to install the program.
  • When finished, double click the program's icon created on your Desktop.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the two last steps below.

    If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
    • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
    • Find the report with the most recent date and double click on it.
    • Click on Export and then Copy to Clipboard.
    • Paste its content here, in your next reply.


In your next reply, please post:
  1. What happens if you try to sign in using normal mode
  2. The AdwCleaner[S0*].txt
  3. The Malwarebytes report
 
1. When I try to sign in using normal mode it's the same as before, screen saver comes up, login then the system goes to black screen with mouse pointer.
2. No issues found. Txt file attached.
3. 1 PUP detected, file attached.

thanks
 


OK...

I want to be sure that the computer is clean, and then try anything else.

1. Run Malwarebytes (Clean mode)
  • Double click the program's icon on your Desktop, as you did before.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is unchecked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the two last steps below.
  • If threats are found, make sure that all threats are selected, and click on Quarantine/Remove selected.
  • You may need to restart the computer.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

2. ESET Online Scan

Download ESET Online Scanner and save it to your desktop.
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.

3. Fresh FRST logs

Run FRST once more and attach for me fresh FRST logs to check.


In your next reply, please post:
  1. The Malwarebytes report
  2. The eset.txt
  3. Fresh FRST logs, Addition and FRST
 
1. Attached please find the Malwarebytes report.
2. Eset took a long time to run, had to let it run overnight. It found 3 items - 2 of them pertained to the OWNER profile which Axe setup in one of the fixes so well after my issues started. I didn't see any option to save the log so I closed the application and re-opened it looking for Tools on the menu (as per their website) and didn't have this option. I re-ran a Quick scan which is clean and have attached it (found the save option in small print at the bottom).
3. Attached please find the latest FRST and Addition logs.
Thanks
 


Hello.

1. Malwarebytes

You didn't send the detected item to Quarantine as instructed here (step 1). Please run the tool once more and make sure you do so.


2. Eset

To view the log after ESET Online Scanner has been closed, Show hidden files and folders must be enabled in File Explorer. New logs are appended to the existing log files when multiple scans are run. The path to the log file is the following: C:\Users\username\AppData\Local\Temp\log.txt
Change the username with your username (Owner) and copy/paste the log created when you performed the full scan, in your next reply.


3. Norton

Do you have the paid version of Norton? If not, I would like it to get uninstalled. Sometimes the specific antivirus causes issues, and I would like to check about it.


4. Uninstall programs

We already uninstalled some programs, but more of them need to be uninstalled (e.g. Adobe Flash Player, Java, SpyHunter, QnswnbsXi...).

In addition...

Although axe0 already talked about pirated programs when you started this topic more than a month ago, and although I also warned about the risks of having such programs, I am not sure if your huge list of installed programs includes only genuine, activated programs. Since there is an increased possibility that the cause of your issue is a 3rd party program, I would like you to let me know which programs are not activated with a genuine license. Normally, I would ask you to uninstall them, but you said that you are not able to do that. Since I can do this using the FRST tool, please let me know. It's not that I'm trying to put you in a difficult situation, but since we have been trying to find a solution for a very long time now, I really would like your sincere contribution.

Examples of programs I wonder whether they are legitimate:

Able2Extract Professional 18.0
Active@ Partition Recovery Ultimate 15
Adobe Lightroom Classic
Adobe Photoshop 2022
Adobe Photoshop CS6 Extended 13.0
Advanced IP Scanner 2.5
ApowerRecover
BB FlashBack Pro
FILERECOVERY Professional
Jing
MEmu
Software Imperial Data Recovery Wizard
Stellar Data Recovery
Stellar Repair for Word
TextCrawler Pro 3.1.3
Topaz DeNoise AI 3.7.2
Topaz Photo AI 1.2.10
Topaz Sharpen AI
Wondershare Recoverit



In your next reply please post:
  1. The correct Malwarebytes report
  2. The eset.txt (from the full scan you did )
  3. A reply about Norton
  4. Programs which are not activated with a genuine license and must get uninstalled
 
Hello Mr M:

1. I actually did send the item to Quarantine but thought you wanted to see what the detection was. I ran MB again today and have attached the clean report.

2. Thanks for this info, report attached.

3. Yes, Norton is a paid subscription.

4. I thought some of these were already uninstalled. Most of what you've listed is really old and hasn't been used for quite a while, so it could be uninstalled.

The last thing Axe asked me to do was try to uninstall the latest Microsoft Security Module (which I wasn't able to do). This module was installed on Nov 22nd (my issues started either the evening of Nov 21 or Nov 22). I had the update scheduled to run at the end of the month but because of the virus warning I shut down the laptop immediately - I believe that automatically triggered the update to start installing. When I restarted I got the blue screen with the message, "Hello,...." I thought it was a virus and immediately shutdown (found out later it's a valid Windows install message) but I think shutting down like that may have impacted the update installation.

Thanks
 


Hi, flipper26.

It would be very helpful if you gave me a list of the programs needing uninstall, because they are not activated as they should be.

But what concerned me most, after seeing the eset report, is that the KMS Service was detected:

C:\Users\flipper26\Downloads\MAS_1.7_Password_1234\MAS_1.7\Separate-Files-Version\Online_KMS_Activation\Activate.cmd

This program is used to illegally activate Microsoft products, such as Windows or Office. If Office is the case, you must uninstall it. If, however, the operating system is activated with the use of KMS, then I won't be able to assist you further. Aside from the legal/ethical part of the situation, it is a waste of time to try to clean a system which is not legally activated, since it is going to get infected again.

Let me know about your thoughts.
 
Okay, I will need to go through my list of programs. Yes, I have a long list as I've been using laptops since the 1990's and just copy everything over from old computer to new computer. Some of the programs you mentioned like Jing or Photoshop CS6 are over 10 years old. I use Jing once every few years (it just does screenshots) but have no idea the last time I even opened CS6. Today almost everything requires a license but back then many products did not. Many of the Adobe products have a trial period which do not uninstall when the trial is over but they remain as installed programs.

Before my first posting on this forum I did run Malwarebytes and several virus checkers like Kaspersky and Dr. Who and a few others and the machine was supposedly clean of malware or viruses before we started.

I don't know anything about KMS programs. I bought my laptop new from a respected computer retailer with Windows pre-installed and a valid license. We used to have Office 365 through some sort of family plan for multiple machines. I would need to check if that's still active. If you want to delete it in any case it wouldn't be an issue.
 
Hello.

Before my first posting on this forum I did run Malwarebytes and several virus checkers like Kaspersky and Dr. Who and a few others and the machine was supposedly clean of malware or viruses before we started.

Yes, I saw that you used several security programs. Have in mind that more than one of those programs may conflict with each other and cause the following:
  • False positives: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • Conflicts: Your system may lock up due to both products attempting to access the same file at the same time.
  • Low performance: More than one antivirus will cause your PC to become slow, and it may even crash or blue screen.
  • Less protection: Two antivirus programs trying to scan the same file may interfere with the process and allow a malicious file onto the computer without notice to you.

FYI, your FRST logs revealed the computer was not completely clean. And as I understood, you referred to a virus that you thought caused the startup issue on the system. So, the first thing we do in such cases is to clean the system and then check anything else.

I don't know anything about KMS programs. I bought my laptop new from a respected computer retailer with Windows pre-installed and a valid license. We used to have Office 365 through some sort of family plan for multiple machines. I would need to check if that's still active. If you want to delete it in any case it wouldn't be an issue.

I don't have reasons not to believe that you bought the computer with Windows pre-installed and activated with a valid license. Without implying that this happened in your case, I have to say that some sellers sell Volume licenses, which are mainly used by large companies, to ordinary users. They claim that they sell at a low price, but this type of license may cause issues at a later stage. In other words, they are not legal for ordinary users.

Let's check the license you have for your Windows.
  • Press the Windows icon on your Desktop together with the letter R.
  • Type cmd, and press Ctrl + Shift + Enter to run Command Prompt as administrator.
  • Copy and paste the following command and press Enter:
Code:
slmgr /dli
  • After running the command, you will get a report. Please take a screenshot of what you got and attach it in your next reply.
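slmgr.vbs is a script run by the Windows Script Host, and on a damaged installation it can fail before it reports anything. The licensing data it reads comes from the SoftwareLicensingProduct WMI class, which can be queried directly from PowerShell. The script below is an added example, not something posted in this thread, that reads the same state (license status, activation channel and, for KMS clients, the KMS host name) so a helper can tell a retail or OEM activation from a volume/KMS one. The function name is my own; the well-known Windows ApplicationID and the LicenseStatus codes are those documented for the class.

```powershell
# Added example (not from the thread): read Windows activation state through
# the SoftwareLicensingProduct WMI class instead of slmgr.vbs.
# Run from an elevated PowerShell prompt; works in Safe mode as well.

# LicenseStatus codes documented for SoftwareLicensingProduct.
$LicenseStatusNames = @{
    0 = 'Unlicensed'
    1 = 'Licensed'
    2 = 'Out-of-box grace period'
    3 = 'Out-of-tolerance grace period'
    4 = 'Non-genuine grace period'
    5 = 'Notification'
    6 = 'Extended grace period'
}

function Get-WindowsLicenseState {
    param(
        # By default only the Windows SKU is shown; -All also lists Office and
        # other products that have a product key installed.
        [switch]$All
    )
    # All Windows editions share this ApplicationID; slmgr /dli uses the same filter.
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
    $filter = "PartialProductKey IS NOT NULL"
    if (-not $All) { $filter = "ApplicationID='$windowsAppId' AND $filter" }

    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter | ForEach-Object {
        # Description ends in the channel, e.g. "... OEM_DM channel",
        # "... RETAIL channel" or "... VOLUME_KMSCLIENT channel".
        $isKms = $_.Description -match 'KMSCLIENT'
        [pscustomobject]@{
            Name              = $_.Name
            Channel           = $_.Description
            LicenseStatus     = $LicenseStatusNames[[int]$_.LicenseStatus]
            PartialProductKey = $_.PartialProductKey
            GraceMinutesLeft  = $_.GracePeriodRemaining
            KmsClient         = $isKms
            # For a genuine volume deployment this is the organisation's KMS host;
            # on a home laptop a KMS client channel pointing at localhost or an
            # unknown host is the footprint of the activator kind named above.
            KmsHost           = if ($isKms) { $_.KeyManagementServiceMachine } else { $null }
        }
    }
}

Get-WindowsLicenseState | Format-List
```

Interpreting the output: a retail laptop is expected to show an OEM or RETAIL channel with LicenseStatus "Licensed"; a VOLUME_KMSCLIENT channel on a machine that was never joined to a corporate network is what the ESET detection in this thread points to, and is worth checking before any further cleaning effort is spent.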
 
I had to do this in Safe mode as Windows+R doesn't do anything. Attached is a copy of the error message. I have researched this online and this error is not unusual if Windows has been corrupted, it doesn't necessarily mean that the copy of Windows is not legitimate.
 

Attachment: IMG_1953.jpg
I cannot access settings. In safe mode I have gone through command prompt to access Security and Maintenance but I cannot do anything with Activation, it is grayed out. Picture attached.
 

Attachment: IMG_1955.jpg
This is not what I would like to see.

What do you mean you can't access Settings? What happens when you try to do so?
 
Absolutely nothing. I click on Settings as shown on the menu in the attached picture; the menu will just close and nothing happens. Not all items on this menu are accessible to me. For instance, if I click on Device Manager here, same thing: the menu will close. I have to access Device Manager through Control Panel.
 

Attachment: IMG_1956.jpg
Do the following and let me know the result:

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.
Code:
Start::
CMD: slmgr /dli
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • While doing that, a small window will pop up.
  • Take a screenshot of what you see and paste it in your next reply. Do not click OK, until you reply.
  • Close the window by clicking OK.
  • Close the notepad and the FRST tool.
 