Error log on startup
Solved
Anonymous user
-
Malekal_morte- Posted messages 178136 Registration date Status Moderator, Security Contributor Last intervention -
Hello,
I had a virus that I thought I had managed to remove, but now two Notepad errorlog windows open at startup.
Could you help me solve the problem?
2 answers
-
Hi,
Start with FRST:
Follow the FRST tutorial (take your time to read carefully - everything is well explained).
Download and run the FRST scan.
Wait for the scan to finish; a message will indicate that the analysis is complete.
Three FRST reports will be generated:
- FRST.txt
- Shortcut.txt
- Additionnal.txt
Upload these 3 reports to the site https://pjjoint.malekal.com/ to share them.
In return give me the 3 pjjoint links that point to the reports here in a new reply so we can review them.
--
Please press any key to continue with the disinfection...-
Hello,
Thank you for agreeing to help me. I'm not very tech-savvy, so I'm not sure I did it right, but I hope so...
https://pjjoint.malekal.com/files.php?id=FRST_20180413_d9t9c6e12x13
https://pjjoint.malekal.com/files.php?id=20180413_i12u13l14z6u6
https://pjjoint.malekal.com/files.php?id=20180413_k10h11t9i15g15
Best regards
-
Here is the correction to perform with FRST. You can use this explanatory note with screenshots.
Relaunch FRST then on your keyboard press the CTRL + Y keys.
Notepad will open, copy/paste the following.
CreateRestorePoint:
CloseProcesses:
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\errorlog.txt [2018-04-11] ()
Startup: C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\errorlog.txt [2018-04-11] ()
EmptyTemp:
RemoveProxy:
Reboot:
Save the content via the File menu then Save.
Close Notepad, return to FRST and click the "Fix" button.
A restart may be required and will be automatic.
A text file will appear, copy/paste the contents here in a new message.
Restart the computer.
2) To protect yourself from removable infections like Wscript (Windows Script Host)
Download and install Marmiton
Click Disable at the Windows Script Host level.
Marmiton will block malicious scripts (VBS, VBE, JavaScript etc) especially those used to spread ransomware like Locky.
3) To clean USB viruses from removable drives, follow the steps in the tutorial in order: insert all your USB keys and external hard drives one by one to clean them. Then send the reports to https://pjjoint.malekal.com/ and provide the links to these reports so we can review them.
Connect all USB keys and other removable devices.
- Download Remediate VBS Worm
- Run option B
- Type the drive letter of the USB drive, for example E, then press Enter
WARNING: DO NOT SPECIFY THE DRIVE LETTER OF YOUR HARD DRIVE!
- Go to "My Computer", then the "C" drive; a report named "Rem-VBS.log" should be found there.
Open this report with Notepad and copy/paste its contents here in your next reply.
--
Please press any key to continue with the disinfecting...-
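A read-only PowerShell check of the two things the reply above acts on: the Startup folders named in the fixlist and the Windows Script Host switch. This is an added example, not part of the original post and not code from FRST or Marmiton; the `.lnk`/`.ini` allow-list is an assumption, and so is the idea that Marmiton's Disable button corresponds to the `Enabled` registry value read here.

```powershell
# Added example: read-only audit, nothing on the system is modified.
# Resolve the two Startup folders targeted by the fixlist:
# all users (ProgramData) and the current user (AppData\Roaming).
$startupDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)

# Assumption: only shortcuts and desktop.ini normally live in a Startup
# folder. Anything else (for example a .txt that Notepad opens at logon)
# is flagged for review.
$expected = '.lnk', '.ini'

$report = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Force -File | ForEach-Object {
        [pscustomobject]@{
            Folder     = $dir
            Name       = $_.Name
            Created    = $_.CreationTime
            Modified   = $_.LastWriteTime
            Size       = $_.Length
            Unexpected = $expected -notcontains $_.Extension.ToLower()
        }
    }
}
$report | Sort-Object Modified -Descending | Format-Table -AutoSize

# Windows Script Host state: an "Enabled" value of 0 under either key
# turns off wscript.exe/cscript.exe; an absent value or 1 leaves it on.
$wshKeys = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
           'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
foreach ($key in $wshKeys) {
    $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $value) {
        $state = 'not set (WSH allowed)'
    } elseif ("$value" -eq '0') {   # value may be stored as DWORD or string
        $state = 'disabled'
    } else {
        $state = 'enabled'
    }
    '{0} -> {1}' -f $key, $state
}
```

Running it before and after the FRST fix shows whether the two `errorlog.txt` entries are gone and whether anything else with a recent timestamp remains in either folder.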
Here is the content of the notepad.
My PC is in Japanese. Thus some letters may be unreadable for you.
I hope this won’t cause any problems....
Rem-VBSworm v8.0
=========== - General info:
Running under: USER on profile: C:\Users\USER
Computer name: J10
Operating System:
Microsoft Windows 8.1 Pro
Boot Mode:
Normal boot
Antivirus software installed:
Avira Antivirus
Windows Defender
Malwarebytes
Executed on: 2018/04/13 @ 20:35:44.90
=========== - Drive info:
Listing currently attached drives:
Caption Description VolumeName
C: ローカル固定ディスク
G: ローカル固定ディスク TRANSCEND
Physical drives information:
C: \Device\HarddiskVolume2 NTFS
G: \Device\HarddiskVolume3 exFAT
=========== - Disinfection info:
=========== - USB drive info:
G: selected
USB Device ID:
SCSI\DISK&VEN_SANDISK&PROD_SDSSDA240G\4&365B8C26&0&000000
SCSI\DISK&VEN_STOREJET&PROD_TS128GESD400K\000000
WARNING... Possible Andromeda/Gamarue infection...
Listing root contents of G:
ドライブ G のボリューム ラベルは TRANSCEND です
ボリューム シリアル番号は 8063-66A0 です
G:\ のディレクトリ
2004/01/08 13:30 510,976 prec.exe
2004/01/08 13:34 2,600 readme.txt
2004/01/08 13:35 767 prec.cnt
2004/01/08 13:35 123,424 prec.hlp
2010/11/07 10:10 <DIR> papa retraite
2012/09/03 11:08 21,415,874 audacity-win-2.0.2.exe
2013/12/11 19:49 <DIR> 図
2014/04/10 16:28 <DIR> 大学教科書2012
2014/04/10 19:43 <DIR> HP Photo Creations
2014/04/10 19:45 <DIR> Sony
2014/04/13 17:58 <DIR> Iriver Plus4
2014/04/13 18:05 <DIR> alphabet majuscule
2014/04/17 22:11 <DIR> 本に使う図JPG
2014/04/18 12:21 <DIR> Epm
2014/05/24 20:24 11,458 神経学者歴史表.xlsx
2014/06/08 16:38 4,737,447 fr niv 2 exo 3.docx
2014/06/08 16:38 <DIR> 仏検2級 exo 1 et 3
2014/08/09 19:13 23,718,584 honto_setup.exe
2014/12/10 06:08 <DIR> coloriage petits garcon
2014/12/18 15:01 <DIR> cours de conversation adulte
2015/01/18 16:13 <DIR> dictee
2015/02/24 10:50 <DIR> 本2015
2015/03/05 12:39 <DIR> alphabet minuscule
2015/06/05 11:48 108,728,624 iTunesSetup.exe
2015/09/26 16:01 <DIR> プレゼン用写真
2015/10/19 10:39 <DIR> histoires exo enfant
2015/12/08 09:51 82,095,136 WacomTablet_6.3.15-1.exe
2016/01/22 08:29 <DIR> 小島比呂志ファイル
2016/04/01 15:37 <DIR> 日本語の本
2016/04/20 21:44 <DIR> cours de fac
2016/05/13 22:23 <DIR> 論文 USB recovery
2016/05/13 22:25 <DIR> diskdigger usb recovery appli
2016/08/24 20:13 <DIR> Izuki cours fr
2016/09/15 10:07 <DIR> cours de francais feuilles
2016/09/16 14:36 <DIR> images
2016/09/20 11:59 24,210,616 audacity-win-2.1.0.exe
2016/10/24 21:19 <DIR> Temp
2016/10/24 21:24 <DIR> vaio 98
2016/10/24 21:27 <DIR> cours de francais mama
2016/12/21 14:18 <DIR> pictures
2017/02/14 11:52 <DIR> Creema
2017/02/24 11:35 <DIR> yukisan
2017/03/21 23:01 <DIR> brain
2017/03/26 10:14 <DIR> le mystere des scientifique
2017/03/27 12:12 <DIR> job
2017/03/28 09:53 <DIR> Plats du jour
2017/03/31 09:37 <DIR> dialogues
2017/03/31 09:43 <DIR> delf
2017/03/31 09:59 <DIR> art
2017/04/04 11:02 <DIR> guerlain
2017/04/06 11:47 <DIR> Windows Live Mail
2017/04/10 10:26 <DIR> $RECYCLE.BIN
2017/06/20 15:11 <DIR> Banques
2017/12/11 13:05 <DIR> ukulele
2018/01/10 09:53 <DIR> FOUND.000
2018/01/28 17:38 <DIR> credit agricole
2018/03/23 15:32 494,530 商品送付書印刷 _ ネットオフ.pdf
2018/04/11 21:20 <DIR> Autorun.inf
12 個のファイル 266,050,036 バイト
47 個のディレクトリ 105,400,500,224 バイトの空き領域
USB drive disinfected and files unhidden!!
=====================================================
Scan finished at: 20:36:54.06
Send this log only if requested by a helper.
=====================================================
Made by @bartblaze
Tool to delete VBS autorun worm and unhide files
Quarantine folder on: C:\Rem-VBSqt
Info: https://bartblaze.blogspot.com/2014/02/remediate-vbs-malware.html -
-
ok =)
Delete the C:\FRST folder.
Finish with a Malwarebytes cleanup - Malwarebytes tutorial for the free version:
https://www.commentcamarche.net/telecharger/securite/14361-malwarebytes-anti-malware/
https://www.malekal.com/tutoriel-malwarebyte-anti-malware/
Avoid regular scans and cleanups with ZHPCleaner, AdwCleaner: not useful.