New control with last HiJackThis #58

Closed
renatosottile opened this issue Dec 25, 2018 · 26 comments
@renatosottile

Hello, I have some problems with my Windows Explorer 7 for some time. I wanted to kindly ask if, from this log, you notice something irregular that could motivate my problems.
Thank you.
log 25-12-2018.txt

@dragokas
Owner

Hi,
thank you for the log.
If you need our assistance:
Please, note that only members of VIRUSNET-Association are allowed to respond in PC cure topics.
Ignore any recommendations given by other users, including PM !!!

Assistance is provided free of charge at our free time. If you found our help useful, you can thank us with any amount using this form or you can leave a feedback in Guestbook.

@renatosottile
Author

Hi,
thank you for the log.
If you need our assistance:

To better explain my problem: every time I open Explorer, for any operation I try to do (such as opening a hard disk) the mouse starts to spin in circles and, even after waiting a long time, I have to press reset in order to use my operating system again.

@dragokas
Owner

To investigate your problem we need Collection.zip log.

@renatosottile
Author

I do not know what the Collection.zip is.
I attach the txt file that results from the HiJackThis check, in zip format.
log 25-12-2018.zip

@dragokas
Owner

The Collection log is a zip file created by the program Autologger:
https://safezone.cc/resources/autologger-regist-drongo.59/download?version=648

@renatosottile
Author

Thanks for the advice and for the program, I did not know it. Attached is the requested file:
CollectionLog-2018.12.26-11.13.zip
Thanks again.

@Sandor-Helper

Hello,

Please uninstall unwanted (or unrecommended) programs via Control Panel - Uninstall:

IObit Uninstaller 8
IObit Unlocker

Please answer:
Did you edit hosts file by yourself?

@renatosottile
Author

renatosottile commented Dec 27, 2018

Good morning, I uninstalled the two programs as requested. I had edited the hosts file some time ago.
Could you please tell me a good uninstaller to install in place of IObit?
CollectionLog-2018.12.27-11.40.zip
I rebooted and made the Collection log file again.

@Sandor-Helper

In most cases the standard Windows uninstall is enough. If not, use Revo Uninstaller, for example.

Download AdwCleaner (by Malwarebytes) and save it to the Desktop.
Run it (it should be run by right-clicking and choosing Run as Administrator), press "Scan" and wait.
At the end of the scan, the log will be found at:
C:\AdwCleaner\Logs\AdwCleaner[Sxx].txt (where x is any digit).
Attach it to your next post here.

@renatosottile
Author

renatosottile commented Dec 27, 2018

Thanks for the advice. Attached is the requested file.
AdwCleaner[C01].txt

@Sandor-Helper

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce logs called FRST.txt and Addition.txt in the same directory the tool is run from.
  • Please attach the logs back here.

@renatosottile
Author

Here they are
Addition.txt
FRST.txt

@Sandor-Helper

Temporarily turn off any antivirus.
Highlight the following code:

Start::
CreateRestorePoint:
GroupPolicy: Restriction ? <==== ATTENTION
ProxyServer: [S-1-5-21-2002345239-655225903-965150095-1000] => localhost:8080
Hosts:
CHR HomePage: Default -> hxxps://www.google.com/
CHR StartupUrls: Default -> "hxxps://www.google.com/","hxxps://www.google.com/","hxxps://www.google.com/","hxxps://www.google.com/","hxxps://www.google.com/","hxxp://www.google.com","hxxps://www.google.com/"
2018-12-27 12:01 - 2016-11-18 15:01 - 000000000 ____D C:\Users\Renato\AppData\Roaming\IObit
2018-12-25 19:03 - 2016-11-18 15:02 - 000000000 ____D C:\ProgramData\ProductData
2018-12-25 18:56 - 2016-11-18 15:02 - 000000000 ____D C:\Users\Renato\AppData\LocalLow\IObit
HKU\S-1-5-21-2002345239-655225903-965150095-1000\...\ChromeHTML: ->  <==== ATTENTION
ContextMenuHandlers4: [IObitUnstaler] -> {836AB26C-2DE4-41D3-AC24-4C6C2699B960} => C:\Program Files (x86)\IObit\IObit Uninstaller\IUMenuRight.dll -> No File
ContextMenuHandlers4: [SpyEmergency] -> {2E9FFF5C-4375-494d-951F-098BAA42239E} =>  -> No File
ContextMenuHandlers6: [IObitUnstaler] -> {836AB26C-2DE4-41D3-AC24-4C6C2699B960} => C:\Program Files (x86)\IObit\IObit Uninstaller\IUMenuRight.dll -> No File
ContextMenuHandlers6: [SpyEmergency] -> {2E9FFF5C-4375-494d-951F-098BAA42239E} =>  -> No File
ContextMenuHandlers6: [UnLockerMenu] -> {410BF280-86EF-4E0F-8279-EC5848546AD3} => C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlockerExtension.dll -> No File
AlternateDataStreams: C:\Windows\SysWOW64\MicrosoftUpdateCatalogWebControl.dll:BDU [0]
EmptyTemp:
Reboot:
End::

Copy the highlighted text (right click - Copy).
Run FRST (FRST64) as Administrator.
Press the Fix button once and wait. The program will create Fixlog.txt. Attach it to the next post.

PC will reboot.
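The fix above targets a handful of indicator classes that are worth recognising in any FRST output: a per-user proxy pointing back at the local machine (localhost:8080), a Group Policy restriction on a home PC, a blanked ChromeHTML association, shell-extension entries whose DLL no longer exists, and an alternate data stream on a system DLL. As an added example (not part of this thread, not a component of FRST, and not the user's real log), here is a small Python triage script that reads FRST-style lines and flags those classes so a helper can review them before writing a fixlist. The sample log, SIDs, CLSIDs and paths inside it are constructed for the demonstration.

```python
"""Triage FRST-style scan lines for common persistence/hijack indicators.

Added example: parses the line formats FRST uses for ProxyServer,
ContextMenuHandlers, AlternateDataStreams and GroupPolicy entries and
reports the ones a helper would normally want to review.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    category: str   # short indicator class, e.g. "proxy-loopback"
    line: str       # the original log line
    reason: str     # why a reviewer should look at it


# Constructed sample modelled on FRST.txt output; SIDs, CLSIDs and paths are made up.
SAMPLE_LOG = """\
GroupPolicy: Restriction ? <==== ATTENTION
ProxyServer: [S-1-5-21-1111111111-222222222-333333333-1000] => localhost:8080
ProxyServer: [S-1-5-21-1111111111-222222222-333333333-1001] => proxy.corp.example:3128
HKU\\S-1-5-21-1111111111-222222222-333333333-1000\\...\\ChromeHTML: ->  <==== ATTENTION
ContextMenuHandlers4: [ExampleMenu] -> {00000000-0000-0000-0000-000000000001} => C:\\Program Files (x86)\\Example\\Menu.dll -> No File
ContextMenuHandlers6: [KnownTool] -> {00000000-0000-0000-0000-000000000002} => C:\\Program Files\\KnownTool\\shell.dll [2018-01-01] (Example Vendor)
AlternateDataStreams: C:\\Windows\\SysWOW64\\Example.dll:BDU [0]
"""

PROXY_RE = re.compile(r"^ProxyServer: \[(?P<sid>S-1-5-[\d-]+)\] => (?P<value>.+)$")
HANDLER_RE = re.compile(
    r"^ContextMenuHandlers\d*: \[(?P<name>[^\]]+)\] -> (?P<clsid>\{[0-9A-Fa-f-]+\}) => (?P<rest>.*)$"
)
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<path>.+?):(?P<stream>[^:\\\[]+) \[(?P<size>\d+)\]$")
LOOPBACK_PREFIXES = ("localhost", "127.", "::1")


def proxy_hosts(value: str) -> list:
    """Extract host names from a ProxyServer value.

    Handles both the plain form "host:port" and the per-protocol form
    "http=host1:80;https=host2:443" that Windows also accepts.
    """
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if "=" in entry:
            entry = entry.split("=", 1)[1]
        host = entry.rsplit(":", 1)[0] if ":" in entry else entry
        hosts.append(host.strip().lower())
    return hosts


def triage(log_text: str) -> list:
    """Return a list of Findings for the indicator classes we recognise."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # FRST marks entries it considers suspicious itself; always surface those.
        if "<==== ATTENTION" in line:
            findings.append(Finding("frst-attention", line, "FRST flagged this entry"))

        m = PROXY_RE.match(line)
        if m:
            if any(h.startswith(LOOPBACK_PREFIXES) for h in proxy_hosts(m.group("value"))):
                findings.append(Finding(
                    "proxy-loopback", line,
                    f"per-user proxy for {m.group('sid')} points at the local machine; "
                    "confirm a legitimate local proxy is actually installed"))
            continue

        m = HANDLER_RE.match(line)
        if m:
            if m.group("rest").endswith("-> No File"):
                findings.append(Finding(
                    "orphaned-handler", line,
                    f"shell extension {m.group('name')} {m.group('clsid')} references a missing DLL"))
            continue

        m = ADS_RE.match(line)
        if m:
            findings.append(Finding(
                "ads", line, f"alternate data stream '{m.group('stream')}' on {m.group('path')}"))
            continue

        if line.startswith("GroupPolicy:") and "Restriction" in line:
            findings.append(Finding(
                "grouppolicy-restriction", line,
                "registry policy restrictions on a standalone PC; compare with intended settings"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per category, for a quick overview."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

The script only reports; deciding what goes into a fixlist stays with the helper, which is why a proxy at a corporate address or a context-menu handler whose DLL is present are deliberately left unflagged.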

@renatosottile
Author

What should I do with the copied text?

@Sandor-Helper

Do nothing, just follow the instructions :)
The script will be executed from the clipboard.

@renatosottile
Author

Done
Fixlog.txt

@Sandor-Helper

Now check and tell us: what kind of problems remain?

@renatosottile
Author

Apparently nothing. I've tried making changes on the explorer.exe page and on the recycle bin and everything seems to work properly without the blocks I had before. Thank you so much for the help.

@Sandor-Helper

Final steps:

  1. Run adwcleaner.exe - Settings - scroll down to Remove AdwCleaner and press Remove.
    Rename frst64.exe to uninstall.exe and run it. PC will reboot.

  2. Run script in AVZ while Internet is connected:

var
LogPath : string;
ScriptPath : string;
begin
LogPath := GetAVZDirectory + 'log\avz_log.txt';
if FileExists(LogPath) Then DeleteFile(LogPath);
ScriptPath := GetAVZDirectory +'ScanVuln.txt';
if DownloadFile('http://dataforce.ru/~kad/ScanVuln.txt', ScriptPath, 1) then ExecuteScript(ScriptPath) else begin
if DownloadFile('http://dataforce.ru/~kad/ScanVuln.txt', ScriptPath, 0) then ExecuteScript(ScriptPath) else begin
ShowMessage('It is impossible to download AVZ script for finding vulnerability!');
exit;
end;
end;
if FileExists(LogPath) Then ExecuteFile('notepad.exe', LogPath, 1, 0, false)
end.

After the script ends, if it finds vulnerabilities, the file avz_log.txt will be opened in Notepad and there will be download links in it. This mainly concerns browsers, Java, Adobe Acrobat/Reader and Adobe Flash Player. You should download and install the needed programs if they are listed in avz_log.txt.

Reboot your PC.
Run the script again to ensure that all vulnerabilities are gone.
Please follow the after-treatment recommendations.

@renatosottile
Author

Thanks again for the support. Happy Holidays.

@Sandor-Helper

Good luck!

@renatosottile
Author

Thank you.

@renatosottile
Author

Excuse me, what is AVZ?
"Run script in AVZ while Internet is connected"

@renatosottile
Author

All done (see attached). Thanks again.
avz_log.txt

@dragokas
Owner

dragokas commented Jan 3, 2019

Sorry, we missed your answer.

Turn ON User Account Control at the maximum level to increase security and prevent some vulnerabilities.
https://docs.microsoft.com/en-us/intune-user-help/you-need-to-enable-uac-windows

Have a nice day!
