dragokas / hijackthis

A free utility that finds malware, adware and other security threats
http://hjt.sf.net
GNU General Public License v2.0

New control with last HiJackThis #58

Closed renatosottile closed 5 years ago

renatosottile commented 5 years ago

Hello, I have some problems with my Windows Explorer 7 for some time. I wanted to kindly ask if, from this log, you notice something irregular that could motivate my problems. Thank you. log 25-12-2018.txt

dragokas commented 5 years ago

Hi, thank you for the log. If you need our assistance:

Please note that only members of the VIRUSNET-Association are allowed to respond in PC cure topics. Ignore any recommendations given by other users, including by PM!!!

Assistance is provided free of charge in our free time. If you found our help useful, you can thank us with any amount using this form, or you can leave feedback in the Guestbook.

renatosottile commented 5 years ago

To better explain my problem: every time I open Explorer, whatever operation I try (such as opening a hard disk), the mouse starts to run in circles and, even after waiting a long time, I have to press reset in order to use my operating system again.

dragokas commented 5 years ago

To investigate your problem we need Collection.zip log.

renatosottile commented 5 years ago

I do not know what the collection.zip is. I attach the txt file that results from the HiJackThis check, in zip format. log 25-12-2018.zip

dragokas commented 5 years ago

The Collection log is a zip file created by the program Autologger: https://safezone.cc/resources/autologger-regist-drongo.59/download?version=648

renatosottile commented 5 years ago

Thanks for the advice and for the program, I did not know it. Attached CollectionLog-2018.12.26-11.13.zip the requested file. Thanks again.

Sandor-Helper commented 5 years ago

Hello,

Please uninstall unwanted (or unrecommended) programs via Control Panel - Uninstall:

IObit Uninstaller 8
IObit Unlocker

Please answer: Did you edit hosts file by yourself?

renatosottile commented 5 years ago

Good morning, I uninstalled the two programs as required. I had edited the hosts file some time ago. Could you please tell me a good uninstaller to install in place of iobit? CollectionLog-2018.12.27-11.40.zip I had a reboot and I made the Collection log file again.

Sandor-Helper commented 5 years ago

In most cases the standard Windows uninstall is enough. If not, use Revo Uninstall for example.

Download AdwCleaner (by Malwarebytes) and save it to the Desktop. Run it (it should be run by right-clicking and choosing Run as Administrator), press "Scan" and wait. At the end of the scan, the log will be found at: C:\AdwCleaner\Logs\AdwCleaner[Sxx].txt (where x is any digit). Attach it to your next post here.

renatosottile commented 5 years ago

Thanks for the advice. Attached the requested file. AdwCleaner[C01].txt

Sandor-Helper commented 5 years ago

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

renatosottile commented 5 years ago

Here they are Addition.txt FRST.txt

Sandor-Helper commented 5 years ago

Temporarily turn off any antivirus. Highlight the following code:

Start::
CreateRestorePoint:
GroupPolicy: Restriction ? <==== ATTENTION
ProxyServer: [S-1-5-21-2002345239-655225903-965150095-1000] => localhost:8080
Hosts:
CHR HomePage: Default -> hxxps://www.google.com/
CHR StartupUrls: Default -> "hxxps://www.google.com/","hxxps://www.google.com/","hxxps://www.google.com/","hxxps://www.google.com/","hxxps://www.google.com/","hxxp://www.google.com","hxxps://www.google.com/"
2018-12-27 12:01 - 2016-11-18 15:01 - 000000000 ____D C:\Users\Renato\AppData\Roaming\IObit
2018-12-25 19:03 - 2016-11-18 15:02 - 000000000 ____D C:\ProgramData\ProductData
2018-12-25 18:56 - 2016-11-18 15:02 - 000000000 ____D C:\Users\Renato\AppData\LocalLow\IObit
HKU\S-1-5-21-2002345239-655225903-965150095-1000\...\ChromeHTML: ->  <==== ATTENTION
ContextMenuHandlers4: [IObitUnstaler] -> {836AB26C-2DE4-41D3-AC24-4C6C2699B960} => C:\Program Files (x86)\IObit\IObit Uninstaller\IUMenuRight.dll -> No File
ContextMenuHandlers4: [SpyEmergency] -> {2E9FFF5C-4375-494d-951F-098BAA42239E} =>  -> No File
ContextMenuHandlers6: [IObitUnstaler] -> {836AB26C-2DE4-41D3-AC24-4C6C2699B960} => C:\Program Files (x86)\IObit\IObit Uninstaller\IUMenuRight.dll -> No File
ContextMenuHandlers6: [SpyEmergency] -> {2E9FFF5C-4375-494d-951F-098BAA42239E} =>  -> No File
ContextMenuHandlers6: [UnLockerMenu] -> {410BF280-86EF-4E0F-8279-EC5848546AD3} => C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlockerExtension.dll -> No File
AlternateDataStreams: C:\Windows\SysWOW64\MicrosoftUpdateCatalogWebControl.dll:BDU [0]
EmptyTemp:
Reboot:
End::

Copy the highlighted text (right click - Copy). Run FRST (FRST64) as Administrator. Press the Fix button once and wait. The program will create Fixlog.txt. Attach it to the next post.

PC will reboot.
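An added example, not FRST's own code nor anything posted in this thread: a small Python reviewer that parses an FRST fixlist like the one above, separates the bare directives (CreateRestorePoint:, Hosts:, EmptyTemp:, Reboot:) from the log entries FRST will act on, and flags the lines a defender should look at before running the fix (FRST's own ATTENTION marks, a per-user proxy pointing at loopback, orphaned shell-extension registrations). The line layout and sample values are taken from the script in this comment; the classification rules and flag wording are this example's assumptions.

```python
import re

# Constructed sample: a trimmed copy of the FRST fix script posted in this thread.
SAMPLE_FIXLIST = """Start::
CreateRestorePoint:
GroupPolicy: Restriction ? <==== ATTENTION
ProxyServer: [S-1-5-21-2002345239-655225903-965150095-1000] => localhost:8080
Hosts:
2018-12-27 12:01 - 2016-11-18 15:01 - 000000000 ____D C:\\Users\\Renato\\AppData\\Roaming\\IObit
ContextMenuHandlers4: [IObitUnstaler] -> {836AB26C-2DE4-41D3-AC24-4C6C2699B960} => C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\IUMenuRight.dll -> No File
EmptyTemp:
Reboot:
End::
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+):$")                    # bare command, e.g. "Hosts:"
FILE_ENTRY_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - ")  # file/folder line copied from FRST.txt
ITEM_RE = re.compile(r"^([A-Za-z0-9 ]+): (.*)$")                  # "Category: details" line
LOOPBACK = ("localhost", "127.", "::1")                           # assumed loopback prefixes

def classify(line):
    """Classify one fixlist line into a dict with kind, category, detail and flags."""
    m = DIRECTIVE_RE.match(line)
    if m:
        return {"kind": "directive", "category": m.group(1), "detail": "", "flags": []}
    if FILE_ENTRY_RE.match(line):
        # tokens: date time - date time - size attrs path (the path may contain spaces)
        return {"kind": "file", "category": "File", "detail": line.split(" ", 8)[8], "flags": []}
    m = ITEM_RE.match(line)
    category, detail = (m.group(1), m.group(2)) if m else ("Unknown", line)
    flags = []
    if "<==== ATTENTION" in detail:
        flags.append("marked ATTENTION by FRST")
    if category == "ProxyServer" and detail.split("=> ")[-1].startswith(LOOPBACK):
        flags.append("per-user proxy points at loopback: local traffic interception possible")
    if detail.endswith("-> No File"):
        flags.append("orphaned registration: handler target missing")
    return {"kind": "item", "category": category, "detail": detail, "flags": flags}

def parse_fixlist(text):
    """Return classified entries between Start:: and End::; raise if the markers are missing."""
    lines = [l.strip() for l in text.splitlines()]
    if "Start::" not in lines or "End::" not in lines:
        raise ValueError("fixlist must be enclosed in Start:: / End::")
    body = lines[lines.index("Start::") + 1 : lines.index("End::")]
    return [classify(l) for l in body if l]

def flagged(entries):
    return [e for e in entries if e["flags"]]
```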

renatosottile commented 5 years ago

What should I do with the copied text?

Sandor-Helper commented 5 years ago

Do nothing, just follow the instructions :) The script will be executed from the clipboard.

renatosottile commented 5 years ago

Done Fixlog.txt

Sandor-Helper commented 5 years ago

Now check and tell us: what kind of problems remain?

renatosottile commented 5 years ago

Apparently nothing. I've tried making changes on the explorer.exe page and on the recycle bin and everything seems to work properly without the blocks I had before. Thank you so much for the help.

Sandor-Helper commented 5 years ago

Final steps:

  1. Run adwcleaner.exe - Settings - scroll down to Remove AdwCleaner and press Remove. Rename frst64.exe to uninstall.exe and run it. PC will reboot.

  2. Run script in AVZ while Internet is connected:

var
  LogPath : string;
  ScriptPath : string;
begin
  LogPath := GetAVZDirectory + 'log\avz_log.txt';
  if FileExists(LogPath) Then DeleteFile(LogPath);
  ScriptPath := GetAVZDirectory + 'ScanVuln.txt';
  if DownloadFile('http://dataforce.ru/~kad/ScanVuln.txt', ScriptPath, 1) then ExecuteScript(ScriptPath) else begin
    if DownloadFile('http://dataforce.ru/~kad/ScanVuln.txt', ScriptPath, 0) then ExecuteScript(ScriptPath) else begin
      ShowMessage('It is impossible to download AVZ script for finding vulnerability!');
      exit;
    end;
  end;
  if FileExists(LogPath) Then ExecuteFile('notepad.exe', LogPath, 1, 0, false)
end.

After the script ends, if it finds vulnerabilities, the file avz_log.txt will be opened in Notepad and there will be download links in it. Mostly this concerns browsers, Java, Adobe Acrobat/Reader and Adobe Flash Player. You should download and install the needed programs if they are listed in avz_log.txt.

Reboot your PC. Run the script again to ensure that all vulnerabilities are gone. Please follow the after-treatment recommendations.

renatosottile commented 5 years ago

Thanks again for the support. Happy Holidays.

Sandor-Helper commented 5 years ago

Good luck!

renatosottile commented 5 years ago

Thank you.

renatosottile commented 5 years ago

Excuse me, what is AVZ? "Run script in AVZ while Internet is connected"

Sandor-Helper commented 5 years ago

https://github.com/dragokas/hijackthis/wiki/AVZ:-How-to-execute-script

renatosottile commented 5 years ago

All done (see attached). Thanks again. avz_log.txt

dragokas commented 5 years ago

Sorry, we missed your answer.

Turn ON User Account Control at the maximum level to increase security and prevent some vulnerabilities. https://docs.microsoft.com/en-us/intune-user-help/you-need-to-enable-uac-windows

Have a nice day!