security problem

flashh4 · Jun 8, 2023

@Harleygjc , some clean up is needed so i will be back in a few with a fix ! If you no longer use "Steam" i can add some files to the clean up that belongs to Steam ??
Let me know about the steam files before i type up a fix ???

Harleygjc · Jun 8, 2023

@flashh4 I still use steam most days so you can leave it please! same with most the other gaming platforms,and eq2

flashh4 · Jun 8, 2023

@Harleygjc .... ok leaving "Steam" out of the fix !

Highlight the entire content of the quote box below

Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:

HKU\S-1-5-21-267369651-1272909813-2013845668-1001\...\Run: [GalaxyClient] => [X]
S2 rsDNSClientSvc; C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe [X]
S2 rsDNSResolver; "C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" [X]
S2 rsDNSSvc; "C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe" [X]
S3 cpuz154; \??\C:\windows\temp\cpuz154\cpuz154_x64.sys [X]
S3 DIRECTIO; \??\C:\Windows\pcsinstall\BurnTest\DirectIo64.sys [X]
S3 HWiNFO_165; \??\C:\Users\ADMINI~1\AppData\Local\Temp\HWiNFO64A_165.SYS [X] <==== ATTENTION
Toolbar: HKLM-x32 - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

EMPTYTEMP:
End::

Right click on the highlighted text and select Copy.
Start FRST (FRST64) with Administrator privileges
Press the Fix button. FRST will process the lines copied above from the clipboard.
When finished, a log file (Fixlog.txt) will pop up and saved in the same location the tool was ran from.

Please copy and paste its contents in your next reply.

Harleygjc · Jun 8, 2023

@flashh4 sorry I haven't had the chance to run the script yet,just one question,I noticed it shows the galaxy client,I think this is the platform for a site called GOG if I run this will it stop it from running in the future?

flashh4 · Jun 8, 2023

@Harleygjc ..... leave it out of the fix !!

Harleygjc · Jun 9, 2023

@flashh4
below is the log result from the script,let me know if you need anything else!

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-05-2023
Ran by Harle (09-06-2023 12:13:04) Run:1
Running from C:\Users\Harle\Desktop
Loaded Profiles: Harle
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:

HKU\S-1-5-21-267369651-1272909813-2013845668-1001\...\Run: => [X]
S2 rsDNSClientSvc; C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe [X]
S2 rsDNSResolver; "C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" [X]
S2 rsDNSSvc; "C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe" [X]
S3 cpuz154; \??\C:\windows\temp\cpuz154\cpuz154_x64.sys [X]
S3 DIRECTIO; \??\C:\Windows\pcsinstall\BurnTest\DirectIo64.sys [X]
S3 HWiNFO_165; \??\C:\Users\ADMINI~1\AppData\Local\Temp\HWiNFO64A_165.SYS [X] <==== ATTENTION
Toolbar: HKLM-x32 - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

EMPTYTEMP:
End::
*****************

SystemRestore: On => completed
Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-267369651-1272909813-2013845668-1001\Software\Microsoft\Windows\CurrentVersion\Run\\HKU\S-1-5-21-267369651-1272909813-2013845668-1001\...\Run: => [X]" => not found
HKLM\System\CurrentControlSet\Services\rsDNSClientSvc => removed successfully
rsDNSClientSvc => service removed successfully
HKLM\System\CurrentControlSet\Services\rsDNSResolver => removed successfully
rsDNSResolver => service removed successfully
HKLM\System\CurrentControlSet\Services\rsDNSSvc => removed successfully
rsDNSSvc => service removed successfully
HKLM\System\CurrentControlSet\Services\cpuz154 => removed successfully
cpuz154 => service removed successfully
HKLM\System\CurrentControlSet\Services\DIRECTIO => removed successfully
DIRECTIO => service removed successfully
HKLM\System\CurrentControlSet\Services\HWiNFO_165 => removed successfully
HWiNFO_165 => service removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" => removed successfully

=========== EmptyTemp: ==========

FlushDNS => completed
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 352235537 B
Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 598422755 B
Windows/system/drivers => 12275087 B
Edge => 0 B
Chrome => 907671226 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 1214376 B
systemprofile32 => 1214376 B
LocalService => 1243154 B
NetworkService => 1549994 B
Harle => 186932003 B

RecycleBin => 33941539 B
EmptyTemp: => 2 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 12:13:40 ====

ShamrockRig · Jun 9, 2023

flashh4 said:
@Harleygjc if you would like for me to take a deep look at your system you can run Farbar this must be downloaded to your desk top ! These logs will be very long, you may have to zip them up or just send to my email at flashh4@hotmail.com !!

Download Farbar Recover Scan Tool for 64 bit systems <<<< Downloading Farbar Recovery Scan Tool >>> and save it to your Desktop. <<< Important
If your computer language is other than English right click on the FRST64 icon and rename it to FRST64english
Right click on the icon and select Run as administrator
Note: If you receive any warning about the download it is a false positive and you can ignore it. Click on More info to get the Run anyway option
Click Yes to the disclaimer
Click Scan and allow the program to run
Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
2 Notepad documents should now be open on your desktop.
Please copy and paste the contents of each report in separate reply windows

So after asking him to go do that and post back, Dyou plan on reading his logs since you asked for them? or...

flashh4 · Jun 9, 2023

@ShamrockRig ............ NO i was just going to leave him hanging ! Why do you ask ?

flashh4 · Jun 9, 2023

@Harleygjc .......... that cleaned up nicely ! Now you can remove/delete all tools & their logs used in the cleaning ! I have a program that will remove everything but it will remove Malwarebytes if you run it so i will let you remove/delete everything ! I don't see anything we cleaned that might fix your problem that you had ! Good Luck & you are all clean !

This fix was for this machine only, running it on another may be harmful to your computer !

Harleygjc · Jun 9, 2023

@flashh4 many thanks for the help!! I can say that I've not had this issue happens since, and I'm quite relived to read I'm all clean,I always try to a program official site,I gues I just got unlucky somehow,but thanks so much for the help,it is appreciated!

WXC · Jun 9, 2023

Harleygjc said:
@flashh4 many thanks for the help!! I can say that I've not had this issue happens since, and I'm quite relived to read I'm all clean,I always try to a program official site,I gues I just got unlucky somehow,but thanks so much for the help,it is appreciated!

Hello, Harley.

I'm pleased to read that you, with the help of @flashh4, were able to get everything squared away.

Take care.

ShamrockRig · Jun 9, 2023

flashh4 said:
@ShamrockRig ............ NO i was just going to leave him hanging ! Why do you ask ?

Oh just asking someone to run a program and post the logs and then just hit clean defeats the purpose in the logs, what was the issue within the logs? I mainly ask for my own knowledge as well, For example a bsod log when posted, Someone will then explain what the issue is and where etc, Thus we all learn:)

flashh4 · Jun 9, 2023

@ShamrockRig , i worked to hard to just give up all the secrets of reading logs. Just go to Malware school and learn like i did 1-1/2 yrs of school learning what program to run (there are many we use) and then you must warn others that this fix is for only them, if others use it no telling what may happen ! I just like helping others ! Just ask Brink it is not as simple as trying to tell you what & how i know what to delete ! This is my final discussion with you ! Have a great day !!

ShamrockRig · Jun 9, 2023

flashh4 said:
@ShamrockRig , i worked to hard to just give up all the secrets of reading logs. Just go to Malware school and learn like i did 1-1/2 yrs of school learning what program to run (there are many we use) and then you must warn others that this fix is for only them, if others use it no telling what may happen ! I just like helping others ! Just ask Brink it is not as simple as trying to tell you what & how i know what to delete ! This is my final discussion with you ! Have a great day !!

well i can read those logs and i didnt do any of that, Its not a state kept secret mate, I doubt many people would take blind instructions all the time and just trust you itll all work out, Be nice and kind to others and share knowledge, No one is competing with you. Get over it this isn't some government assignment you must keep secret or else lol
also " Malware School"

pokeefe0001 · Jun 12, 2023

Harleygjc said:
Hi all I have a really odd and very annoying problem,to start at the beginning,a little while back I downloaded a program called VLC media player,just to play some dvds via a external drive I have.

Now I hardly ever dl anything and I'm always careful,I used what I was sure what their legit site,and it seems,although I can't be sure but as this is the only program I have dl,recently I picked up a unwanted passenger,namely reason labs,and it installed without me knowing, and took over as the main "protection" I took ages to try and get rid of it,I stopped all the services and managed,at least I thought to get rid of it!

For what it's worth, I've used VLC for years and never had its installation process install any unintended software. I don't remember if it asked to install PUPs in the past, but I just tried it's installation and it didn't try installing anything but VLC. The website has lots of installation packages - 32 bit vs 64 bit, exe vs msi, etc. I tried only the x64 exe version, but it was clean.