Solved: Trojan:JS/Flafisi.D Malware Warned and Removed by Defender 10

Hewlett-packard 2000-210us 15.6" charcoa...
April 2, 2018 at 19:25:42
Specs: Windows 10, 8 G
On March 29th, Windows Defender warned me about Trojan:JS/Flafisi.D and requested that I restart my laptop to remove it. I restarted it and it looked like the malware was removed.
The info is shown below:

Affected Items
file: C:\Users\timot\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TKA2DWC4\FlashPlayer[1].hta

Today, April 02, Windows Defender asked me to restart to remove this malware. I restarted, and Windows ran for a while before getting into my account. It looked like it ran faster.

Can you help me get more antivirus software to assist Windows Defender in fully removing this malware?

Thank you so much

Truc C. Nguyen


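Editor's note on the detection above, with an added example that is not part of the original thread. The flagged file is an .hta sitting in the Edge cache. An HTA is not an ordinary web page: if mshta.exe opens it, its script runs with the user's full privileges, outside the browser sandbox, so after such a detection the useful questions are what Defender actually recorded, whether the cached copy is really gone, and whether anything on the machine is set up to launch mshta.exe or an .hta at logon. The script below answers those three questions on Windows 10 with the built-in Defender cmdlets; it assumes an elevated PowerShell session, and the threat name and cache folder are the ones quoted in the post. A repeated "restart to remove" prompt for a file under a browser cache often just means the file was downloaded again, which is worth keeping in mind before reading it as a failed removal.

```powershell
# Added example (not from the original post): post-detection triage for an
# .hta found in the Edge cache. Assumes Windows 10 with Windows Defender and an
# elevated PowerShell session. The threat name and cache folder come from the
# post above; the persistence checks are generic.
$ThreatName = 'Trojan:JS/Flafisi.D'
$EdgeCache  = Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC'

# 1. What did Defender record? Get-MpThreat maps ThreatID to a name; the
#    detection history carries the resource path and whether the action succeeded.
$names = @{}
Get-MpThreat | ForEach-Object { $names[[string]$_.ThreatID] = $_.ThreatName }
Get-MpThreatDetection |
    ForEach-Object {
        [pscustomobject]@{
            Detected = $_.InitialDetectionTime
            Threat   = $names[[string]$_.ThreatID]
            Success  = $_.ActionSuccess
            Resource = ($_.Resources -join '; ')
        }
    } |
    Where-Object { $_.Threat -eq $ThreatName } |
    Format-List

# 2. Is any .hta still in the Edge cache? -Force includes hidden entries.
Get-ChildItem -Path $EdgeCache -Recurse -Filter '*.hta' -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

# 3. Persistence: anything in the Run/RunOnce keys or a scheduled task action
#    that launches mshta.exe, a script host, or an .hta file.
$pattern = 'mshta|\.hta\b|wscript|cscript'
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $pattern } |
            ForEach-Object { "{0} : {1} = {2}" -f $key, $_.Name, $_.Value }
    }
}
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions |
        Where-Object { ("$($_.Execute) $($_.Arguments)") -match $pattern } |
        ForEach-Object { "{0}{1} -> {2} {3}" -f $task.TaskPath, $task.TaskName, $_.Execute, $_.Arguments }
}
```

A clean result from steps 2 and 3 is what supports the "looks like it was removed" reading; a hit in step 3 is the thing to chase, regardless of what the cache scan shows.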



#1
April 2, 2018 at 19:39:00
Try this free AV program: https://www.bitdefender.com/solutio...

Try these to get rid of malware:
adwcleaner - https://www.malwarebytes.com/adwcle...
malwarebytes free trial - https://www.malwarebytes.com/premium/

And use CCleaner-Slim to clean out internet junk files: https://www.ccleaner.com/ccleaner/b...



#2
April 2, 2018 at 19:51:47
Copy & paste the contents of the logs in your next post, after cleaning please.


#3
April 3, 2018 at 07:11:15
1- Installed this free AV program and scanned the system: https://www.bitdefender.com/solutio...

Results:
Phishing attempt
dnn506yrbagrg.cloudfront.net/pages/scripts/0067/8402.js?422989

2- Run Adwcleaner - https://www.malwarebytes.com/adwcle...

Logfile:
# AdwCleaner 7.0.8.0 - Logfile created on Tue Apr 03 14:05:17 2018
# Updated on 2018/08/02 by Malwarebytes
# Database: 2018-04-03.1
# Running on Windows 10 Home (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.Legacy, C:\Users\timot\AppData\Roaming\Wise Euask


***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\dotomi.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\s-usweb.dotomi.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dotomi.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\s-usweb.dotomi.com
PUP.Optional.WiseFolderLock, [Key] - HKLM\SOFTWARE\Classes\CLSID\{D4EF86C3-77D7-4F82-BBB8-6DFFAB6E2D32}


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [9318 B] - [2016/9/30 20:54:56]
C:/AdwCleaner/AdwCleaner[C1].txt - [5580 B] - [2017/11/17 1:34:20]
C:/AdwCleaner/AdwCleaner[S0].txt - [8771 B] - [2016/9/30 20:53:1]
C:/AdwCleaner/AdwCleaner[S1].txt - [5647 B] - [2017/11/17 1:26:19]


########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt ####

More to come ...

Thanks,

Truc C. Nguyen



#4
April 3, 2018 at 16:15:24
John and Riider

When using Clean in Malwarebytes AdwCleaner, it showed "Caught unhandled unknown exception, terminating" in a pop-up window. It went just 1/3 of the way along the bar, then hung there (PUP.Optional.Legacy, PUP.Optional.WiseFolderLock).

3- Installed and ran Malwarebytes free trial - https://www.malwarebytes.com/premium/
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/3/18
Scan Time: 10:12 AM
Log File: 19d8bb7e-3749-11e8-8f86-204747c69673.json
Administrator: Yes

-Software Information-
Version: 3.4.5.2467
Components Version: 1.0.342
Update Package Version: 1.0.4598
License: Trial

-System Information-
OS: Windows 10 (Build 16299.309)
CPU: x64
File System: NTFS
User: MRMONEY-MSLUCKY\timot

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 333933
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 7 min, 23 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

===============
4- Used CCleaner-Slim to clean out internet junk files

I ran Cleaner. The program cleaned junk in the browser. But I did NOT run the Registry cleaning.

Thank you for your help.

Truc C. Nguyen



#5
April 3, 2018 at 16:19:22
Stay online please Truc, back soon.


#6
April 3, 2018 at 16:23:07
I think this will be our best next step.

Run ESET Online Scanner. Copy and Paste the contents of the log in your reply please. This scan may take a very long while, so please be patient. Maybe start it before going to work or bed.
Make sure these options are checked/ticked in Advanced settings.

Remove found threats, Scan archives, Scan for potentially unsafe applications, Enable Anti-Stealth technology.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
http://fs5.directupload.net/images/...

message edited by Johnw



#7
April 3, 2018 at 22:12:46
Johnw,

Do I enable detection of potentially unwanted applications?

Do I check the two options, "enable detection of suspicious applications" and "clean threats automatically", in Advanced settings?

Thanks,

Truc C. Nguyen



#8
April 4, 2018 at 00:45:38
"enable detection of potentially unwanted applications"
Yes.
"enable detection of suspicious applications"
Yes.
"clean threats automatically"
No.


#9
April 4, 2018 at 01:14:03
OK, I must run it again because I said Yes to "clean threats automatically".

Truc C. Nguyen



#10
April 4, 2018 at 01:45:37
"OK, I must run it again because I said Yes to "clean threats automatically""
No need, all I want now is the log.


#11
April 4, 2018 at 07:48:07
Johnw,

I finished running it. I do not see the log. Where is it located? Thanks,

Truc C. Nguyen



#12
April 4, 2018 at 08:00:17
Do a search Truc.


#13
April 4, 2018 at 19:11:22
John,

First, I had run ESET Online Scanner with "clean threats automatically" set to Yes.

I saw 2 threats.

Then I stopped it after a 2-hour run to change "clean threats automatically" to No.

After a run of more than 6 hours, no threats were found.

Then I ran it again; after a 3:51:44 run, no threats were found.

No log file was found.

Truc C. Nguyen



#14
April 4, 2018 at 19:18:24
"I saw 2 threats"

When threats are removed, usually there is a log.

I just googled how to find the log

17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...



#15
April 4, 2018 at 20:11:06
Here we go:

01:03:03 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.19.0
# EOSSerial=
# end=init
# utc_time=2018-04-04 05:03:02
# local_time=2018-04-04 01:03:02 (-0500, Eastern Daylight Time)
# country="United States"
# osver=10.0.16299 NT
01:03:09 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.19.0
# EOSSerial=bab7aac16b336348bb34f833db38da04
# end=init
# utc_time=2018-04-04 05:03:08
# local_time=2018-04-04 01:03:08 (-0500, Eastern Daylight Time)
# country="United States"
# osver=10.0.16299 NT
01:16:55 RecursiveRemoveDirectoryAndAllFiles: C:\Users\timot\AppData\Local\ESET\ESETOnlineScanner\Quarantine\
01:18:35 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.19.0
# EOSSerial=bab7aac16b336348bb34f833db38da04
# end=init
# utc_time=2018-04-04 05:18:32
# local_time=2018-04-04 01:18:32 (-0500, Eastern Daylight Time)
# country="United States"
# osver=10.0.16299 NT
01:18:38 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.19.0
# EOSSerial=bab7aac16b336348bb34f833db38da04
# end=init
# utc_time=2018-04-04 05:18:37
# local_time=2018-04-04 01:18:37 (-0500, Eastern Daylight Time)
# country="United States"
# osver=10.0.16299 NT
01:19:04 RecursiveRemoveDirectoryAndAllFiles: C:\Users\timot\AppData\Local\ESET\ESETOnlineScanner\Quarantine\
01:21:41 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.19.0
# EOSSerial=bab7aac16b336348bb34f833db38da04
# end=init
# utc_time=2018-04-04 05:21:41
# local_time=2018-04-04 01:21:41 (-0500, Eastern Daylight Time)
# country="United States"
# osver=10.0.16299 NT
01:21:46 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.19.0
# EOSSerial=bab7aac16b336348bb34f833db38da04
# end=init
# utc_time=2018-04-04 05:21:45
# local_time=2018-04-04 01:21:45 (-0500, Eastern Daylight Time)
# country="United States"
# osver=10.0.16299 NT
01:23:43 Updating
01:23:43 Update Init
01:23:45 Update Download
01:25:03 esets_scanner_reload returned 0
01:25:03 g_uiModuleBuild: 36928
01:25:03 Update Finalize
01:25:03 Call m_esets_charon_send
01:25:03 Call m_esets_charon_destroy
01:25:03 Updated modules version: 36928
01:25:14 Call m_esets_charon_setup_create
01:25:14 Call m_esets_charon_create
01:25:14 m_esets_charon_create OK
01:25:14 Call m_esets_charon_start_send_thread
01:25:14 Call m_esets_charon_setup_set
01:25:14 m_esets_charon_setup_set OK
01:25:14 Scanner engine: 36928
04:14:01 Call m_esets_charon_send
04:14:01 Call m_esets_charon_destroy
04:14:03 RecursiveRemoveDirectoryAndAllFiles: C:\Users\timot\AppData\Local\ESET\ESETOnlineScanner\Quarantine\
04:14:28 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.19.0
# EOSSerial=bab7aac16b336348bb34f833db38da04
# end=init
# utc_time=2018-04-04 08:14:28
# local_time=2018-04-04 04:14:28 (-0500, Eastern Daylight Time)
# country="United States"
# osver=10.0.16299 NT
04:14:34 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.19.0
# EOSSerial=bab7aac16b336348bb34f833db38da04
# end=init
# utc_time=2018-04-04 08:14:34
# local_time=2018-04-04 04:14:34 (-0500, Eastern Daylight Time)
# country="United States"
# osver=10.0.16299 NT
04:15:58 Call m_esets_charon_setup_create
04:15:58 Call m_esets_charon_create
04:15:58 m_esets_charon_create OK
04:15:58 Call m_esets_charon_start_send_thread
04:15:58 Call m_esets_charon_setup_set
04:15:58 m_esets_charon_setup_set OK
04:16:04 Updating
04:16:04 Update Init
04:16:14 Call m_esets_charon_setup_create
04:16:14 Call m_esets_charon_create
04:16:15 m_esets_charon_setup_set ERROR
04:16:15 Update Download
04:16:16 esets_scanner_update returned -1 esets_gle=53251
04:16:16 g_uiModuleBuild: 36928
04:16:16 Update Finalize
04:16:16 Call m_esets_charon_send
04:16:16 Call m_esets_charon_destroy
04:16:16 Updated modules version: 36928
04:16:27 Call m_esets_charon_setup_create
04:16:27 Call m_esets_charon_create
04:16:27 m_esets_charon_setup_set ERROR
04:16:27 Scanner engine: 36928
10:44:47 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.19.0
# EOSSerial=bab7aac16b336348bb34f833db38da04
# engine=36928
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# sfx_checked=true
# utc_time=2018-04-04 14:44:46
# local_time=2018-04-04 10:44:46 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=10.0.16299 NT
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 0 15239007 0 0
# scanned=2
# found=0
# cleaned=0
# scan_time=23309
10:45:27 Call m_esets_charon_send
10:45:27 Call m_esets_charon_destroy
10:45:28 RecursiveRemoveDirectoryAndAllFiles: C:\Users\timot\AppData\Local\ESET\ESETOnlineScanner\Quarantine\
10:49:41 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.19.0
# EOSSerial=bab7aac16b336348bb34f833db38da04
# end=init
# utc_time=2018-04-04 14:49:40
# local_time=2018-04-04 10:49:40 (-0500, Eastern Daylight Time)
# country="United States"
# osver=10.0.16299 NT
10:49:47 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.19.0
# EOSSerial=bab7aac16b336348bb34f833db38da04
# end=init
# utc_time=2018-04-04 14:49:46
# local_time=2018-04-04 10:49:46 (-0500, Eastern Daylight Time)
# country="United States"
# osver=10.0.16299 NT
10:50:19 RecursiveRemoveDirectoryAndAllFiles: C:\Users\timot\AppData\Local\ESET\ESETOnlineScanner\Quarantine\
13:03:27 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.19.0
# EOSSerial=bab7aac16b336348bb34f833db38da04
# end=init
# utc_time=2018-04-04 17:03:27
# local_time=2018-04-04 13:03:27 (-0500, Eastern Daylight Time)
# country="United States"
# osver=10.0.16299 NT
13:03:32 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.19.0
# EOSSerial=bab7aac16b336348bb34f833db38da04
# end=init
# utc_time=2018-04-04 17:03:32
# local_time=2018-04-04 13:03:32 (-0500, Eastern Daylight Time)
# country="United States"
# osver=10.0.16299 NT
13:03:55 Call m_esets_charon_setup_create
13:03:55 Call m_esets_charon_create
13:03:55 m_esets_charon_create OK
13:03:55 Call m_esets_charon_start_send_thread
13:03:55 Call m_esets_charon_setup_set
13:03:55 m_esets_charon_setup_set OK
13:03:56 Updating
13:03:56 Update Init
13:04:08 Call m_esets_charon_setup_create
13:04:08 Call m_esets_charon_create
13:04:08 m_esets_charon_setup_set ERROR
13:04:08 Update Download
13:04:08 esets_scanner_update returned -1 esets_gle=12
13:04:08 g_uiModuleBuild: 36928
13:04:08 Update Finalize
13:04:08 Call m_esets_charon_send
13:04:08 Call m_esets_charon_destroy
13:04:08 Retrying Update
13:04:08 Updating
13:04:09 Update Init
13:04:19 Call m_esets_charon_setup_create
13:04:19 Call m_esets_charon_create
13:04:19 m_esets_charon_setup_set ERROR
13:04:19 Update Download
13:04:19 esets_scanner_update returned -1 esets_gle=12
13:04:19 g_uiModuleBuild: 36928
13:04:19 Update Finalize
13:04:19 Call m_esets_charon_send
13:04:19 Call m_esets_charon_destroy
13:04:20 Retrying Update
13:04:20 Updating
13:04:20 Update Init
13:04:30 Call m_esets_charon_setup_create
13:04:30 Call m_esets_charon_create
13:04:30 m_esets_charon_setup_set ERROR
13:04:30 Update Download
13:04:30 esets_scanner_update returned -1 esets_gle=12
13:04:30 g_uiModuleBuild: 36928
13:04:30 Update Finalize
13:04:30 Call m_esets_charon_send
13:04:30 Call m_esets_charon_destroy
13:04:42 Call m_esets_charon_setup_create
13:04:42 Call m_esets_charon_create
13:04:42 m_esets_charon_setup_set ERROR
13:05:19 Call m_esets_charon_send
13:05:19 Call m_esets_charon_destroy
13:05:20 RecursiveRemoveDirectoryAndAllFiles: C:\Users\timot\AppData\Local\ESET\ESETOnlineScanner\Quarantine\
17:57:57 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.19.0
# EOSSerial=bab7aac16b336348bb34f833db38da04
# end=init
# utc_time=2018-04-04 21:57:55
# local_time=2018-04-04 17:57:55 (-0500, Eastern Daylight Time)
# country="United States"
# osver=10.0.16299 NT
17:58:03 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.19.0
# EOSSerial=bab7aac16b336348bb34f833db38da04
# end=init
# utc_time=2018-04-04 21:58:01
# local_time=2018-04-04 17:58:01 (-0500, Eastern Daylight Time)
# country="United States"
# osver=10.0.16299 NT
17:58:32 Call m_esets_charon_setup_create
17:58:32 Call m_esets_charon_create
17:58:32 m_esets_charon_create OK
17:58:32 Call m_esets_charon_start_send_thread
17:58:32 Call m_esets_charon_setup_set
17:58:32 m_esets_charon_setup_set OK
17:58:33 Updating
17:58:33 Update Init
17:58:44 Call m_esets_charon_setup_create
17:58:44 Call m_esets_charon_create
17:58:44 m_esets_charon_setup_set ERROR
17:58:44 Update Download
17:59:21 esets_scanner_reload returned 0
17:59:21 g_uiModuleBuild: 36936
17:59:21 Update Finalize
17:59:21 Call m_esets_charon_send
17:59:21 Call m_esets_charon_destroy
17:59:21 Updated modules version: 36936
17:59:32 Call m_esets_charon_setup_create
17:59:32 Call m_esets_charon_create
17:59:32 m_esets_charon_setup_set ERROR
17:59:32 Scanner engine: 36936
21:51:07 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.19.0
# EOSSerial=bab7aac16b336348bb34f833db38da04
# engine=36936
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# sfx_checked=true
# utc_time=2018-04-05 01:51:06
# local_time=2018-04-04 21:51:06 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=10.0.16299 NT
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 0 15278987 0 0
# scanned=2
# found=0
# cleaned=0
# scan_time=13904
22:10:37 Call m_esets_charon_send
22:10:37 Call m_esets_charon_destroy
22:10:38 RecursiveRemoveDirectoryAndAllFiles: C:\Users\timot\AppData\Local\ESET\ESETOnlineScanner\Quarantine\
22:10:38 Cleaning up
22:10:38 RecursiveRemoveDirectoryAndAllFiles: C:\Users\timot\AppData\Local\ESET\ESETOnlineScanner\Modules\
22:10:38 RecursiveRemoveDirectoryAndAllFiles: C:\Users\timot\AppData\Local\ESET\ESETOnlineScanner\OldModules\
22:10:38 DeleteEstsApi: C:\Users\timot\AppData\Local\ESET\ESETOnlineScanner
22:10:38 DeleteApiStgFile: C:\Users\timot\AppData\Local\ESET\ESETOnlineScanner
22:10:38 RecursiveRemoveDirectoryAndAllFiles: C:\Users\timot\AppData\Local\ESET\ESETOnlineScanner\Char_Cache\

Truc C. Nguyen



#16
April 4, 2018 at 20:34:51
I need to look at the ESET log or logs from before this time.

Extracts from the logs.

"# utc_time=2018-04-04 05:03:02
# local_time=2018-04-04 01:03:02 (-0500, Eastern Daylight Time)"

"# found=0
# cleaned=0"

message edited by Johnw


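Editor's note on the ESET log in #15 and the extracts Johnw pulled in #16, with an added example that is not part of the original thread. The raw log.txt is hard to read because every scanner start writes a multi-line "# product=EOS" header, and only a run that reaches the end writes an "end=finished" block with the found/cleaned counts. The script below folds the file into one row per completed scan and lists the quarantine wipes. Point $LogPath at the real file; when it is absent the script falls back to a constructed excerpt built from the lines posted in #15 so it runs stand-alone. Two things it makes visible: scan_time is in seconds (13904 s is exactly the 3:51:44 quoted in #13, and 23309 s is the "more than 6 hour" run), and a run that was stopped early leaves an "end=init" header but no finished block, so the run in which the two threats were seen cannot be reconstructed from this file.

```powershell
# Added example (not from the original thread): summarise an ESET Online
# Scanner log.txt into one row per completed scan and list quarantine wipes.
# $LogPath is the location the scanner used on this machine (from the log);
# the fallback excerpt is constructed from lines posted in the thread.
$LogPath = Join-Path $env:LOCALAPPDATA 'ESET\ESETOnlineScanner\log.txt'
$sample = @'
01:03:03 # product=EOS
# version=8
# end=init
# utc_time=2018-04-04 05:03:02
01:16:55 RecursiveRemoveDirectoryAndAllFiles: C:\Users\timot\AppData\Local\ESET\ESETOnlineScanner\Quarantine\
10:44:47 # product=EOS
# engine=36928
# end=finished
# remove_checked=false
# local_time=2018-04-04 10:44:46 (-0500, Eastern Daylight Time)
# scanned=2
# found=0
# cleaned=0
# scan_time=23309
21:51:07 # product=EOS
# engine=36936
# end=finished
# remove_checked=false
# local_time=2018-04-04 21:51:06 (-0500, Eastern Daylight Time)
# scanned=2
# found=0
# cleaned=0
# scan_time=13904
'@
$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample -split "`r?`n" }

# A timestamped "# product=EOS" line opens a header; the "# key=value" lines
# that follow belong to it until the next timestamped line. Quarantine wipes
# are reported as they appear, because they explain why earlier runs leave
# nothing behind.
$blocks = @(); $current = $null
foreach ($line in $lines) {
    if ($line -match '^\d{2}:\d{2}:\d{2} # product=') {
        $current = [ordered]@{ time = $line.Substring(0, 8) }
        $blocks += $current
    } elseif ($line -match '^# (\w+)=(.*)$' -and $current) {
        $current[$matches[1]] = $matches[2]
    } elseif ($line -match '^(\d{2}:\d{2}:\d{2}) RecursiveRemoveDirectoryAndAllFiles: (.*Quarantine\\)$') {
        $current = $null
        "{0}  quarantine wiped: {1}" -f $matches[1], $matches[2]
    } else {
        $current = $null
    }
}

# One row per completed scan. @() guards against a single hashtable, whose
# .Count would otherwise be its number of keys.
$finished = @($blocks | Where-Object { $_['end'] -eq 'finished' })
$finished | ForEach-Object {
    [pscustomobject]@{
        LocalTime = ("$($_['local_time'])" -split ' \(')[0]
        Engine    = $_['engine']
        Remove    = $_['remove_checked']
        Scanned   = $_['scanned']
        Found     = [int]$_['found']
        Cleaned   = [int]$_['cleaned']
        Minutes   = [math]::Round([int]$_['scan_time'] / 60, 1)
    }
} | Format-Table -AutoSize

$starts = @($blocks | Where-Object { $_['end'] -eq 'init' }).Count
"{0} scanner start record(s), {1} completed scan(s)" -f $starts, $finished.Count
```

Against the excerpt this prints one quarantine wipe, two completed scans with Found 0 / Cleaned 0, and more start records than completed scans, which is the gap Johnw is pointing at.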

#17
April 5, 2018 at 06:14:36
John,

I remember I started the first run around 01:03 am local time on April 04.
That is all.

I do not see any more logs.

Truc C. Nguyen



#18
April 5, 2018 at 13:57:46
"I do not see any more logs"
Ok Truc.

Next steps.

1: Run DelFix. Copy & Paste the contents of the log please.
https://toolslib.net/downloads/view...
Run the tool by right-clicking the DelFix icon and choosing the Run as Administrator option.
Have only these checked:
Remove disinfection tools
Create registry backup
Click Run and wait until the tool completes its work.
The tool will create a report for you (C:\DelFix.txt).

2: Download & run Adwcleaner again.
Close all open programs and internet browsers



#19
April 5, 2018 at 17:40:45
1: Run DelFix.

# DelFix v1.013 - Logfile created 05/04/2018 at 19:50:16
# Updated 17/04/2016 by Xplode
# Username : timot - MRMONEY-MSLUCKY
# Operating System : Windows 10 Home (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\timot\Desktop\Addition Old 2016.txt
Deleted : C:\Users\timot\Desktop\Addition.txt
Deleted : C:\Users\timot\Desktop\Fixlog Old 2016.txt
Deleted : C:\Users\timot\Desktop\Fixlog.txt
Deleted : C:\Users\timot\Desktop\FRST.exe
Deleted : C:\Users\timot\Desktop\FRST.txt
Deleted : C:\Users\timot\Desktop\FRST64 Old 2016.exe
Deleted : C:\Users\timot\Desktop\FRST64.exe
Deleted : C:\Users\timot\Desktop\JRT.txt

~ Creating registry backup ... OK

########## - EOF - ##########

Run Adwcleaner again

# AdwCleaner 7.0.8.0 - Logfile created on Thu Apr 05 23:58:21 2018
# Updated on 2018/08/02 by Malwarebytes
# Database: 2018-04-04.2
# Running on Windows 10 Home (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.Legacy, C:\Users\timot\AppData\Roaming\Wise Euask


***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.WiseFolderLock, [Key] - HKLM\SOFTWARE\Classes\CLSID\{D4EF86C3-77D7-4F82-BBB8-6DFFAB6E2D32}


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########

Thanks

Truc C. Nguyen



#20
April 5, 2018 at 17:52:54
Next step.

How to Reset Microsoft Edge in Windows 10
http://www.howtogeek.com/237527/how...
How to reset Internet Explorer settings
http://support.microsoft.com/kb/923...
https://support.microsoft.com/en-us...
http://windows.microsoft.com/en-au/...
Or,
Control Panel > Internet Options > Advanced > Reset button.



#21
April 6, 2018 at 17:43:57
John,

I reset them. What will I do next? Thanks,

Truc C. Nguyen



#22
April 6, 2018 at 17:49:08
✔ Best Answer
Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer to this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it makes also another log (Addition.txt) on the Desktop.
The logs are large, upload them using one of these. No time delays/Captcha-I'm not a Robot/account/registration needed. Give us the links please.
http://www.fileconvoy.com/index.php


#23
April 6, 2018 at 19:22:35
http://www.fileconvoy.com/dfl.php?i...

Thanks,

Truc C. Nguyen



#24
April 6, 2018 at 19:35:49
Extract from the Addition log.
Wise Disk Cleaner 9.5.8 (HKLM-x32\...\Wise Disk Cleaner_is1) (Version: 9.5.8 - WiseCleaner.com, Inc.)
Wise Registry Cleaner 9.5.2 (HKLM-x32\...\Wise Registry Cleaner_is1) (Version: 9.5.2 - WiseCleaner.com, Inc.)
Both are out of date, update them & run. I shall be back in about 1/2 an hour.

1: Wise Disk Cleaner ( Run the 1st three tabs, left to right. I use default settings, leave boxes that are unchecked, unchecked ) Reboot when finished.
http://www.softpedia.com/get/System...
http://www.freewarefiles.com/Wise-D...
http://www.freewarefiles.com/screen...
http://www.wisecleaner.com/download...
http://i.imgur.com/Jecnfvb.gif
http://i.imgur.com/0xHwdom.gif
http://fs5.directupload.net/images/...
https://i.imgur.com/q8GRvVw.gif
https://i.imgur.com/2teVsjI.gif
https://i.imgur.com/ad7SEKM.gif

2: Wise Registry Cleaner ( Only use Registry Cleaner & with default settings. Don't use System Tuneup, that is for Experts, you really have to know what you are doing ) Reboot when finished.
http://www.softpedia.com/get/Tweak/...
http://www.freewarefiles.com/Wise-R...
http://www.freewarefiles.com/screen...
http://www.wisecleaner.com/wiseregi...
http://i.imgur.com/Qy7HWcA.gif
http://fs1.directupload.net/images/...
http://fs1.directupload.net/images/...
http://fs1.directupload.net/images/...



#25
April 6, 2018 at 19:54:35
Copy & Paste the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

CreateRestorePoint:
emptytemp:
closeprocesses:
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
Task: {2184D3D2-031F-46ED-88E9-29BFF2133040} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION

Open FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.
Refer these SS if needed.
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...



#26
April 6, 2018 at 19:56:39
After doing posts #24 & #25, are you having any problems?


#27
April 7, 2018 at 10:52:02
Yes

It showed a black screen when I got back to my admin account.

Truc C. Nguyen



#28
April 7, 2018 at 10:55:33
A black screen with gi log created

Then I powered off, then powered on and logged in to my admin account.

It looks normal now:)

Truc C. Nguyen



#29
April 7, 2018 at 11:00:05
Fixlog.txt. Thanks.

Fix result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by timot (07-04-2018 13:34:56) Run:1
Running from C:\Users\timot\Desktop
Loaded Profiles: timot (Available Profiles: timot & MsLuc)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
emptytemp:
closeprocesses:
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
Task: {2184D3D2-031F-46ED-88E9-29BFF2133040} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui" => removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2184D3D2-031F-46ED-88E9-29BFF2133040}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2184D3D2-031F-46ED-88E9-29BFF2133040}" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => could not remove. Access Denied.

=========== EmptyTemp: ==========

BITS transfer queue => 10510336 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 147304995 B
Java, Flash, Steam htmlcache => 1184 B
Windows/system/drivers => 62107642 B
Edge => 31351239 B
Chrome => 385343876 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 1642 B
NetworkService => 0 B
timot => 116424452 B
MsLuc => 0 B

RecycleBin => 0 B
EmptyTemp: => 718.2 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 07-04-2018 13:46:33)


Result of scheduled keys to remove after reboot:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => could not remove. Access Denied.

==== End of Fixlog 13:47:15 ====

Truc C. Nguyen


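Editor's note on the Fixlog in #29, with an added example that is not part of the original thread. The fix removed the Tasks\{GUID} and Plain\{GUID} records for the orphaned RunCampaignManager entry but got "Access Denied" on the Tree key, both before and after the reboot. With the Tasks record gone, that Tree key maps a task name to nothing, so the practical questions are whether the Task Scheduler still lists anything under \Microsoft\Windows\UNP\, what the ACL on the leftover key actually says before anyone takes ownership of a TaskCache key, and whether other Tree entries are in the same orphaned state. The script below checks all three; it assumes an elevated PowerShell session on the same Windows 10 system, and the GUID and key paths are the ones printed in the Fixlog.

```powershell
# Added example (not from the original thread): verify what the FRST fix in
# #29 left behind. Assumes an elevated PowerShell session on the same Windows 10
# system. The GUID, task path and registry keys are copied from the Fixlog.
$TaskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$TaskGuid  = '{2184D3D2-031F-46ED-88E9-29BFF2133040}'
$TreeKey   = Join-Path $TaskCache 'Tree\Microsoft\Windows\UNP\RunCampaignManager'

# 1. Does Task Scheduler still resolve anything under the task's folder?
#    With Tasks\{GUID} removed, nothing usable should be listed there.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\UNP\' -ErrorAction SilentlyContinue |
    Select-Object TaskName, State,
        @{ n = 'Exec'; e = { ($_.Actions | ForEach-Object Execute) -join ' ' } }

# 2. Present/gone for the three keys the fixlist touched.
$keys = @((Join-Path $TaskCache "Tasks\$TaskGuid"),
          (Join-Path $TaskCache "Plain\$TaskGuid"),
          $TreeKey)
foreach ($key in $keys) {
    $state = if (Test-Path $key) { 'present' } else { 'gone' }
    "{0,-7} {1}" -f $state, $key
}

# 3. Read the ACL on the leftover Tree key. This is the evidence to look at
#    before deciding whether the "Access Denied" needs any action at all.
if (Test-Path $TreeKey) {
    $acl = Get-Acl -Path $TreeKey
    "Owner: $($acl.Owner)"
    $acl.Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}

# 4. The general form of what FRST flagged: every Tree entry whose Id value
#    points at a Tasks\{GUID} record that no longer exists is an orphan.
Get-ChildItem -Path (Join-Path $TaskCache 'Tree') -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $id = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Id
        if ($id -and -not (Test-Path (Join-Path $TaskCache "Tasks\$id"))) {
            [pscustomobject]@{
                TreePath = ($_.Name -replace '^.*\\Tree\\', '\')
                Id       = $id
            }
        }
    } | Format-Table -AutoSize
```

If step 4 lists only the RunCampaignManager entry, the machine is in the state the Fixlog describes and nothing further is needed; if it lists more, those are candidates for the next fixlist rather than targets for manual registry edits.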

#30
April 7, 2018 at 15:03:08
"It looks normal now:)"
Ok Truc, let us know if you get any further problems


#31
April 7, 2018 at 15:30:51
Thank you so much for your diligence to help me!

Truc C. Nguyen

