LRKS

Members
  • Content Count: 19
  • Joined
  • Last visited
About LRKS

  • Rank: New Member
  1. Windows Defender Virus & Threat protection: "Unauthorized changes blocked. Controlled Folder Access blocked c:\prog...BPinstaller.exe from making changes to the folder %common_desktop%\"
  2. It seems as though Windows Defender isn't allowing Bitdefender to install. Should I allow it through Windows Defender "controlled folder access"?
  3. Thanks again, I'm doing everything on your list & will be way more careful now.

     # DelFix v1.013 - Logfile created 14/06/2018 at 10:54:30
     # Updated 17/04/2016 by Xplode
     # Username : lrksi - LAURASISSOKOAFW
     # Operating System : Windows 10 Home (64 bits)

     ~ Activating UAC ... OK

     ~ Removing disinfection tools ...

     Deleted : C:\FRST
     Deleted : C:\AdwCleaner
     Deleted : C:\Users\lrksi\Downloads\FRST-OlderVersion
     Deleted : C:\Users\lrksi\Desktop\mbar
     Deleted : C:\Users\lrksi\Desktop\AdwCleaner[C02].txt
     Deleted : C:\Users\Public\Desktop\RogueKiller.lnk
     Deleted : C:\Users\lrksi\Downloads\Addition(1).txt
     Deleted : C:\Users\lrksi\Downloads\Addition.txt
     Deleted : C:\Users\lrksi\Downloads\adwcleaner_7.2.0.exe
     Deleted : C:\Users\lrksi\Downloads\Fixlog.txt
     Deleted : C:\Users\lrksi\Downloads\FRST(1).txt
     Deleted : C:\Users\lrksi\Downloads\FRST.txt
     Deleted : C:\Users\lrksi\Downloads\FRST64.exe
     Deleted : C:\Users\lrksi\Downloads\RogueKiller_setup.exe

     ~ Creating registry backup ... OK

     ~ Cleaning system restore ...

     Deleted : RP #110 [Windows Backup | 06/11/2018 23:33:10]
     Deleted : RP #111 [Windows Backup | 06/12/2018 00:38:36]
     Deleted : RP #112 [Windows Backup | 06/12/2018 11:45:01]
     Deleted : RP #113 [Windows Backup | 06/12/2018 14:37:08]

     New restore point created !

     ~ Resetting system settings ... OK

     ########## - EOF - ##########
  4. Everything is back to normal it seems. Thanks a lot!
  5. YOU DID IT!!!! YAY!!!! THANKS SO MUCH!!!!!!

     Fix result of Farbar Recovery Scan Tool (x64) Version: 06.06.2018 01
     Ran by lrksi (14-06-2018 09:02:18) Run:4
     Running from C:\Users\lrksi\Downloads
     Loaded Profiles: lrksi (Available Profiles: lrksi & Administrator)
     Boot Mode: Normal
     ==============================================

     fixlist content:
     *****************
     CloseProcesses:
     CreateRestorePoint:
     HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
     GroupPolicy: Restriction ? <==== ATTENTION
     CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
     CHR HKU\.DEFAULT\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
     CHR HKU\S-1-5-21-4277511259-3474119083-1154518114-1001\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
     S3 773667A3; C:\WINDOWS\system32\drivers\773667A3.sys [255928 2018-06-06] (Malwarebytes)
     S4 pkghqfik; C:\WINDOWS\System32\drivers\bejvtgmm.sys [79064 2018-05-26] (Malwarebytes)
     S4 xasjyk; C:\WINDOWS\System32\drivers\mketespn.sys [79064 2018-05-23] (Malwarebytes)
     S4 eizmnw; System32\drivers\sccprvae.sys [X]
     S3 vdrive; \SystemRoot\System32\drivers\vdrive.sys [X]
     Task: {4B26855A-90C7-4060-800C-5BBF3A2CAF17} - \OneDrive Standalone Update Task v2 -> No File <==== ATTENTION
     Task: {7D82C6D3-A37E-489F-8234-98293C74D517} - System32\Tasks\dimwitteddimwitted => C:\Program Files (x86)\Detractor\kozinski.exe [2018-05-22] ()
     Task: {86608235-CF08-4E3E-9BD2-EE9EAD950F06} - System32\Tasks\dimwitted => C:\Program Files (x86)\Detractor\kozinski.exe [2018-05-22] ()
     Task: {A04C176B-6CD1-4AE0-9A7E-87C27F6BB26F} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
     AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`28hfm [0]
     FirewallRules: [{97655D4B-5E57-45B6-AF43-14E9E2F3A57F}] => (Allow) C:\Program Files (x86)\Reforma\Washrooms.exe
     FirewallRules: [{CCE71322-895F-4B2B-AC4A-A6E533624D7E}] => (Allow) C:\Program Files (x86)\Fc\Washrooms.exe
     FirewallRules: [{7F2B0573-77E8-4F6C-BCA4-4BAE5EA1932D}] => (Allow) C:\Program Files (x86)\naim\Glynn.exe
     FirewallRules: [{86171A9E-C7F4-4246-B4A3-51CDC3D8B993}] => (Allow) C:\Program Files (x86)\Fc\Glynn.exe
     C:\p0tybmetxmh4v36
     C:\Program Files (x86)\longbottom
     C:\Program Files (x86)\Reforma
     C:\Program Files (x86)\naim
     C:\Program Files (x86)\Fc
     C:\Program Files (x86)\paralysed
     C:\Program Files (x86)\Detractor
     C:\Users\lrksi\AppData\Local\rabvilt
     C:\Users\lrksi\AppData\Local\cwkgplu
     C:\Users\lrksi\AppData\Local\ianbktg
     C:\Users\lrksi\AppData\Local\zaroxed
     C:\Users\lrksi\AppData\Local\pshrvax
     C:\Users\lrksi\AppData\Local\pconzei
     C:\Users\lrksi\AppData\Local\pcarvzb
     C:\Users\lrksi\AppData\Local\csoklxm
     C:\Users\lrksi\AppData\Local\vdbwokm
     C:\Users\lrksi\AppData\Local\csenvbr
     C:\Users\lrksi\AppData\Local\mbixets
     C:\Users\lrksi\AppData\Local\reohisd
     C:\Users\lrksi\AppData\Local\weskzxr
     C:\Users\lrksi\AppData\Local\aunkmzc
     C:\Users\lrksi\AppData\Local\vsrpotk
     C:\Users\lrksi\AppData\Local\wisazou
     C:\Users\lrksi\AppData\Local\nveogdb
     C:\Users\lrksi\AppData\Local\dtmcrgh
     C:\Users\lrksi\AppData\Local\wdaeuvn
     C:\Users\lrksi\AppData\Local\zanpoiu
     C:\Users\lrksi\AppData\Local\nvicwax
     C:\Users\lrksi\AppData\Local\pcawnok
     C:\Users\lrksi\AppData\Local\cwitgro
     C:\Users\lrksi\AppData\Local\msoznhl
     C:\Users\lrksi\AppData\Local\wertopd
     C:\Users\lrksi\AppData\Local\cgbneum
     C:\Users\lrksi\AppData\Local\lscxhek
     C:\Users\lrksi\AppData\Local\snhrceo
     C:\Users\lrksi\AppData\Local\niihptx
     C:\Users\lrksi\AppData\Local\sboruvh
     C:\Users\lrksi\AppData\Local\sihgpuo
     C:\Users\lrksi\AppData\Local\dwotxrg
     C:\Users\lrksi\AppData\Local\timahon
     C:\Users\lrksi\AppData\Local\rtaxugw
     C:\Users\lrksi\AppData\Local\usezcbr
     C:\Users\lrksi\AppData\Local\vsngkma
     C:\Users\lrksi\AppData\Local\widnxcu
     C:\Users\lrksi\AppData\Local\wecbzln
     C:\Users\lrksi\AppData\Local\pwnalvx
     C:\Users\lrksi\AppData\Local\snmbdkv
     C:\Users\lrksi\AppData\Local\senhxdt
     C:\Users\lrksi\AppData\Local\lshozpv
     C:\Users\lrksi\AppData\Local\raiecgo
     C:\Users\lrksi\AppData\Local\vsrcldz
     C:\Users\Administrator\AppData\Local\mbskcpu
     C:\Users\Administrator\AppData\Local\mbhpscx
     C:\Users\Administrator\AppData\Local\exrpcdm
     C:\Users\Administrator\AppData\Local\resilgv
     C:\Users\lrksi\AppData\Local\Washrooms.exe
     C:\Users\lrksi\AppData\Roaming\c
     C:\Users\lrksi\AppData\Roaming\et
     C:\WINDOWS\b51289218
     C:\WINDOWS\uninstaller.dat
     C:\WINDOWS\system32\nisrxvo
     C:\WINDOWS\system32\snrwipksvc.exe
     C:\WINDOWS\system32\Drivers\322244A7.sys
     C:\WINDOWS\system32\Drivers\4436D1DB.sys
     C:\WINDOWS\system32\Drivers\3262C5EB.sys
     C:\WINDOWS\system32\Drivers\472666EB.sys
     C:\WINDOWS\system32\Drivers\34117788.sys
     C:\WINDOWS\system32\Drivers\1376F2F0.sys
     C:\WINDOWS\system32\Drivers\773667A3.sys
     C:\WINDOWS\system32\Drivers\45E3927A.sys
     C:\WINDOWS\system32\Drivers\bejvtgmm.sys
     C:\WINDOWS\system32\Drivers\2141D2AA.sys
     C:\WINDOWS\system32\Drivers\3675D4B7.sys
     C:\WINDOWS\system32\Drivers\mketespn.sys
     C:\Windows\System32\Drivers\rthvvbei.sys
     C:\WINDOWS\SysWOW64\nisrxvo
     Hosts:
     EmptyTemp:
     *****************

     Processes closed successfully.
     Restore point was successfully created.
     "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" => removed successfully
     C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
     C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
     C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
     "HKLM\SOFTWARE\Policies\Google" => removed successfully
     "HKU\.DEFAULT\SOFTWARE\Policies\Google" => removed successfully
     "HKU\S-1-5-21-4277511259-3474119083-1154518114-1001\SOFTWARE\Policies\Google" => removed successfully
     "HKLM\System\CurrentControlSet\Services\773667A3" => removed successfully
     773667A3 => service removed successfully
     "HKLM\System\CurrentControlSet\Services\pkghqfik" => removed successfully
     pkghqfik => service removed successfully
     "HKLM\System\CurrentControlSet\Services\xasjyk" => removed successfully
     xasjyk => service removed successfully
     "HKLM\System\CurrentControlSet\Services\eizmnw" => removed successfully
     eizmnw => service removed successfully
     "HKLM\System\CurrentControlSet\Services\vdrive" => removed successfully
     vdrive => service removed successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4B26855A-90C7-4060-800C-5BBF3A2CAF17}" => removed successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4B26855A-90C7-4060-800C-5BBF3A2CAF17}" => removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OneDrive Standalone Update Task v2 => not found
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7D82C6D3-A37E-489F-8234-98293C74D517}" => removed successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7D82C6D3-A37E-489F-8234-98293C74D517}" => removed successfully
     C:\WINDOWS\System32\Tasks\dimwitteddimwitted => moved successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\dimwitteddimwitted" => removed successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{86608235-CF08-4E3E-9BD2-EE9EAD950F06}" => removed successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{86608235-CF08-4E3E-9BD2-EE9EAD950F06}" => removed successfully
     C:\WINDOWS\System32\Tasks\dimwitted => moved successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\dimwitted" => removed successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A04C176B-6CD1-4AE0-9A7E-87C27F6BB26F}" => removed successfully
     "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A04C176B-6CD1-4AE0-9A7E-87C27F6BB26F}" => removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => not found
     C:\ProgramData\Reprise => ":wupeogjxlctlfudivq`qsp`28hfm" ADS removed successfully
     "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{97655D4B-5E57-45B6-AF43-14E9E2F3A57F}" => removed successfully
     "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CCE71322-895F-4B2B-AC4A-A6E533624D7E}" => removed successfully
     "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7F2B0573-77E8-4F6C-BCA4-4BAE5EA1932D}" => removed successfully
     "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{86171A9E-C7F4-4246-B4A3-51CDC3D8B993}" => removed successfully
     C:\p0tybmetxmh4v36 => moved successfully
     C:\Program Files (x86)\longbottom => moved successfully
     C:\Program Files (x86)\Reforma => moved successfully
     C:\Program Files (x86)\naim => moved successfully
     C:\Program Files (x86)\Fc => moved successfully
     C:\Program Files (x86)\paralysed => moved successfully

     "C:\Program Files (x86)\Detractor" folder move:

     Could not move "C:\Program Files (x86)\Detractor" => Scheduled to move on reboot.

     C:\Users\lrksi\AppData\Local\rabvilt => moved successfully
     C:\Users\lrksi\AppData\Local\cwkgplu => moved successfully
     C:\Users\lrksi\AppData\Local\ianbktg => moved successfully
     C:\Users\lrksi\AppData\Local\zaroxed => moved successfully
     C:\Users\lrksi\AppData\Local\pshrvax => moved successfully
     C:\Users\lrksi\AppData\Local\pconzei => moved successfully
     C:\Users\lrksi\AppData\Local\pcarvzb => moved successfully
     C:\Users\lrksi\AppData\Local\csoklxm => moved successfully
     C:\Users\lrksi\AppData\Local\vdbwokm => moved successfully
     C:\Users\lrksi\AppData\Local\csenvbr => moved successfully
     C:\Users\lrksi\AppData\Local\mbixets => moved successfully
     C:\Users\lrksi\AppData\Local\reohisd => moved successfully
     C:\Users\lrksi\AppData\Local\weskzxr => moved successfully
     C:\Users\lrksi\AppData\Local\aunkmzc => moved successfully
     C:\Users\lrksi\AppData\Local\vsrpotk => moved successfully
     C:\Users\lrksi\AppData\Local\wisazou => moved successfully
     C:\Users\lrksi\AppData\Local\nveogdb => moved successfully
     C:\Users\lrksi\AppData\Local\dtmcrgh => moved successfully
     C:\Users\lrksi\AppData\Local\wdaeuvn => moved successfully
     C:\Users\lrksi\AppData\Local\zanpoiu => moved successfully
     C:\Users\lrksi\AppData\Local\nvicwax => moved successfully
     C:\Users\lrksi\AppData\Local\pcawnok => moved successfully
     C:\Users\lrksi\AppData\Local\cwitgro => moved successfully
     C:\Users\lrksi\AppData\Local\msoznhl => moved successfully
     C:\Users\lrksi\AppData\Local\wertopd => moved successfully
     C:\Users\lrksi\AppData\Local\cgbneum => moved successfully
     C:\Users\lrksi\AppData\Local\lscxhek => moved successfully
     C:\Users\lrksi\AppData\Local\snhrceo => moved successfully
     C:\Users\lrksi\AppData\Local\niihptx => moved successfully
     C:\Users\lrksi\AppData\Local\sboruvh => moved successfully
     C:\Users\lrksi\AppData\Local\sihgpuo => moved successfully
     C:\Users\lrksi\AppData\Local\dwotxrg => moved successfully
     C:\Users\lrksi\AppData\Local\timahon => moved successfully
     C:\Users\lrksi\AppData\Local\rtaxugw => moved successfully
     C:\Users\lrksi\AppData\Local\usezcbr => moved successfully
     C:\Users\lrksi\AppData\Local\vsngkma => moved successfully
     C:\Users\lrksi\AppData\Local\widnxcu => moved successfully
     C:\Users\lrksi\AppData\Local\wecbzln => moved successfully
     C:\Users\lrksi\AppData\Local\pwnalvx => moved successfully
     C:\Users\lrksi\AppData\Local\snmbdkv => moved successfully
     C:\Users\lrksi\AppData\Local\senhxdt => moved successfully
     C:\Users\lrksi\AppData\Local\lshozpv => moved successfully
     C:\Users\lrksi\AppData\Local\raiecgo => moved successfully
     C:\Users\lrksi\AppData\Local\vsrcldz => moved successfully
     C:\Users\Administrator\AppData\Local\mbskcpu => moved successfully
     C:\Users\Administrator\AppData\Local\mbhpscx => moved successfully
     C:\Users\Administrator\AppData\Local\exrpcdm => moved successfully
     C:\Users\Administrator\AppData\Local\resilgv => moved successfully
     C:\Users\lrksi\AppData\Local\Washrooms.exe => moved successfully
     C:\Users\lrksi\AppData\Roaming\c => moved successfully
     C:\Users\lrksi\AppData\Roaming\et => moved successfully
     C:\WINDOWS\b51289218 => moved successfully
     C:\WINDOWS\uninstaller.dat => moved successfully
     C:\WINDOWS\system32\nisrxvo => moved successfully
     C:\WINDOWS\system32\snrwipksvc.exe => moved successfully
     C:\WINDOWS\system32\Drivers\322244A7.sys => moved successfully
     C:\WINDOWS\system32\Drivers\4436D1DB.sys => moved successfully
     C:\WINDOWS\system32\Drivers\3262C5EB.sys => moved successfully
     C:\WINDOWS\system32\Drivers\472666EB.sys => moved successfully
     C:\WINDOWS\system32\Drivers\34117788.sys => moved successfully
     C:\WINDOWS\system32\Drivers\1376F2F0.sys => moved successfully
     C:\WINDOWS\system32\Drivers\773667A3.sys => moved successfully
     C:\WINDOWS\system32\Drivers\45E3927A.sys => moved successfully
     C:\WINDOWS\system32\Drivers\bejvtgmm.sys => moved successfully
     C:\WINDOWS\system32\Drivers\2141D2AA.sys => moved successfully
     C:\WINDOWS\system32\Drivers\3675D4B7.sys => moved successfully
     C:\WINDOWS\system32\Drivers\mketespn.sys => moved successfully
     C:\Windows\System32\Drivers\rthvvbei.sys => moved successfully
     C:\WINDOWS\SysWOW64\nisrxvo => moved successfully
     C:\Windows\System32\Drivers\etc\hosts => moved successfully
     Hosts restored successfully.

     =========== EmptyTemp: ==========
     BITS transfer queue => 7888896 B
     DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 24702252 B
     Java, Flash, Steam htmlcache => 1982 B
     Windows/system/drivers => 117182936 B
     Edge => 1394634 B
     Chrome => 692966645 B
     Firefox => 454723364 B
     Opera => 0 B

     Temp, IE cache, history, cookies, recent:
     Default => 0 B
     Users => 0 B
     ProgramData => 0 B
     Public => 0 B
     systemprofile => 0 B
     systemprofile32 => 0 B
     LocalService => 41822 B
     NetworkService => 617784 B
     lrksi => 140722412 B
     Administrator => 26870203 B

     RecycleBin => 15060617 B
     EmptyTemp: => 1.4 GB temporary data Removed.

     ================================

     Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 14-06-2018 10:02:31)

     C:\Program Files (x86)\Detractor => Is moved successfully

     ==== End of Fixlog 10:02:31 ====
  6. I can't thank you enough for your help.
     Attached: Addition.txt, FRST.txt
  7. I restarted my machine just now, and I reset my Chrome browser. Still the same popup ads on shopping sites and not able to Google search. I also get a security warning about virus protection not being on, and Malwarebytes keeps blocking an exploit.
  8. # -------------------------------
     # Malwarebytes AdwCleaner 7.2.0.0
     # -------------------------------
     # Build: 06-05-2018
     # Database: 2018-06-12.1
     # Support: https://www.malwarebytes.com/support
     #
     # -------------------------------
     # Mode: Clean
     # -------------------------------
     # Start: 06-12-2018
     # Duration: 00:00:00
     # OS: Windows 10 Home
     # Cleaned: 0
     # Failed: 0

     ***** [ Services ] *****

     No malicious services cleaned.

     ***** [ Folders ] *****

     No malicious folders cleaned.

     ***** [ Files ] *****

     No malicious files cleaned.

     ***** [ DLL ] *****

     No malicious DLLs cleaned.

     ***** [ WMI ] *****

     No malicious WMI cleaned.

     ***** [ Shortcuts ] *****

     No malicious shortcuts cleaned.

     ***** [ Tasks ] *****

     No malicious tasks cleaned.

     ***** [ Registry ] *****

     No malicious registry entries cleaned.

     ***** [ Chromium (and derivatives) ] *****

     No malicious Chromium entries cleaned.

     ***** [ Chromium URLs ] *****

     No malicious Chromium URLs cleaned.

     ***** [ Firefox (and derivatives) ] *****

     No malicious Firefox entries cleaned.

     ***** [ Firefox URLs ] *****

     No malicious Firefox URLs cleaned.

     *************************

     [+] Delete Tracing Keys
     [+] Reset Winsock

     *************************

     AdwCleaner[S00].txt - [4017 octets] - [06/06/2018 16:41:48]
     AdwCleaner[C00].txt - [3601 octets] - [06/06/2018 16:42:07]
     AdwCleaner[S01].txt - [1364 octets] - [06/06/2018 16:47:10]
     AdwCleaner[C01].txt - [1550 octets] - [06/06/2018 16:47:56]
     AdwCleaner[S02].txt - [1599 octets] - [12/06/2018 18:35:44]
     AdwCleaner[C02].txt - [1711 octets] - [12/06/2018 18:36:03]
     AdwCleaner[S03].txt - [1608 octets] - [12/06/2018 20:19:12]
     AdwCleaner[C03].txt - [1794 octets] - [12/06/2018 20:21:25]
     AdwCleaner[S04].txt - [1730 octets] - [12/06/2018 20:31:47]

     ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C04].txt ##########

     RogueKiller V12.12.21.0 (x64) [Jun 11 2018] (Free) by Adlice Software
     mail : http://www.adlice.com/contact/
     Feedback : https://forum.adlice.com
     Website : http://www.adlice.com/download/roguekiller/
     Blog : http://www.adlice.com

     Operating System : Windows 10 (10.0.16299) 64 bits version
     Started in : Normal mode
     User : lrksi [Administrator]
     Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
     Mode : Delete -- Date : 06/12/2018 20:40:33 (Duration : 01:53:29)

     ¤¤¤ Processes : 1 ¤¤¤
     [VT.Unknown] kozinski.exe(6848) -- C:\Program Files (x86)\Detractor\kozinski.exe[-] -> Killed [TermProc]

     ¤¤¤ Registry : 8 ¤¤¤
     [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-4277511259-3474119083-1154518114-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://toshiba15.msn.com/?pc=TBTE -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
     [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-4277511259-3474119083-1154518114-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://toshiba15.msn.com/?pc=TBTE -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F306DE8B-9FC1-4B9D-B531-193047DF42C4} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\lrksi\AppData\Local\Temp\7zS156D\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {0015CF80-7ED0-4731-96EE-8E4A8F0117E4} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\lrksi\AppData\Local\Temp\7zS156D\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {0DB5723A-660F-4AF6-A1A0-7C723861D9A1} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\lrksi\AppData\Local\Temp\7zS295D\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {342025BC-4A7C-45F7-9302-ABDB4338995F} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\lrksi\AppData\Local\Temp\7zS295D\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Deleted
     [PUP.HackTool|VT.Detected] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {08B31A0B-963A-4F39-BBA2-94F1C3924507} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=1688|App=C:\Windows\AutoKMS\AutoKMS.exe|Name=AutoKMS| [-] -> Deleted
     [PUP.HackTool|VT.Detected] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A57A4A49-4430-4822-BCA6-57576015593E} : v2.27|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|LPort=1688|App=C:\Windows\AutoKMS\AutoKMS.exe|Name=AutoKMS| [-] -> Deleted

     ¤¤¤ Tasks : 1 ¤¤¤
     [PUP.HackTool|VT.Detected] \AutoKMS -- C:\Windows\AutoKMS\AutoKMS.exe -> Deleted

     ¤¤¤ Files : 11 ¤¤¤
     [PUP.HackTool][Folder] C:\Windows\AutoKMS -> Deleted
     [PUP.HackTool][File] C:\Windows\AutoKMS\AutoKMS.exe -> Deleted
     [PUP.HackTool][File] C:\Windows\AutoKMS\AutoKMS.log -> Deleted
     [Root.Wajam][File] C:\Windows\System32\drivers\7e2f9ee28fadd34d17bd68b3ebc53314.sys -> Deleted
     [PUP.uTorrentAds][File] C:\Users\lrksi\AppData\Roaming\uTorrent\updates\3.4.6_42178\utorrentie.exe -> Deleted
     [PUP.uTorrentAds][File] C:\Users\lrksi\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Deleted
     [PUP.uTorrentAds][File] C:\Users\lrksi\AppData\Roaming\uTorrent\updates\3.4.8_42449\utorrentie.exe -> Deleted
     [PUP.uTorrentAds][File] C:\Users\lrksi\AppData\Roaming\uTorrent\updates\3.4.8_42576\utorrentie.exe -> Deleted
     [PUP.uTorrentAds][File] C:\Users\lrksi\AppData\Roaming\uTorrent\updates\3.4.9_42606\utorrentie.exe -> Deleted
     [PUP.uTorrentAds][File] C:\Users\lrksi\AppData\Roaming\uTorrent\updates\3.5.0_43916\utorrentie.exe -> Deleted
     [PUP.uTorrentAds][File] C:\Users\lrksi\AppData\Roaming\uTorrent\updates\3.5.0_44294\utorrentie.exe -> Deleted
     [PUP.uTorrentAds][File] C:\Users\lrksi\AppData\Roaming\uTorrent\updates\3.5.1_44332\utorrentie.exe -> Deleted
     [PUP.uTorrentAds][File] C:\Users\lrksi\AppData\Roaming\uTorrent\updates\3.5.3_44396\utorrentie.exe -> Deleted

     ¤¤¤ WMI : 0 ¤¤¤

     ¤¤¤ Hosts File : 0 ¤¤¤

     ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ MBR Check : ¤¤¤
     +++++ PhysicalDrive0: HGST HTS541010A9E680 +++++
     --- User ---
     [MBR] a84dd93b5b19931ceaddbccc47850486
     [BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
     Partition table:
     0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
     1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 534528 | Size: 16 MB
     2 - Basic data partition | Offset (sectors): 567296 | Size: 952689 MB
     3 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 1951676416 | Size: 902 MB
     User = LL1 ... OK
     User = LL2 ... OK
  9. Sorry, Malwarebytes shows everything is turned *on* and working
  10. Alright, so I went through the steps again, and got the same results. So, I then went into safe mode and ran Malwarebytes and mbar; this time it worked with removing wmcagent and Trojan.Yelloader (it didn't when this first started to happen and I used Malwarebytes in safe mode). But things were still weird, with adware popups when I went to Amazon, and Google searches still jumped to Yahoo. My attempt at a backup stopped at 97%, but I was able to make a system image, and now I can easily enter Windows RE, so I went into the command prompt, and this time it only let me run FRST64.exe. For my Malwarebytes scan there were no threats detected, but I keep getting a warning about exploits being blocked. mbar came clean. Then I ran Malwarebytes adware cleaner; it found 4 adware programs. I restarted, checked the internet, and there are still adware popups and searches still redirect. Also, I got a "computer not protected", Windows Defender and Malwarebytes aren't working, but Malwarebytes shows everything turned off and Defender says I'm protected and Malwarebytes is providing antivirus protection. The FRST.txt is from running in WinRE; FRST(1) and Addition(1) are from the scans I ran just now.
     Attached: exploit blocked report.txt, malwarebytes export summary.txt, AdwCleaner[C02].txt, FRST.txt, FRST(1).txt, Addition(1).txt
  11. Okay, is it a problem that I can only access the RE from CSM boot? I tried every way listed in this guide and wasn't able to. I could only do it by changing the BIOS settings to CSM boot.
  12. I didn't download or try to install any new software, but I did try to save files to my external hard drive. The backup using File History failed, so I manually saved my most important files.
  13. system-log.txt is the mbar system log. I am running a Toshiba Satellite, and had a difficult time getting to the recovery environment. I was able to access it by opening the boot menu and turning off UEFI boot and switching to CSM; maybe that's where I went wrong.
     Attached: system-log.txt, FRST.txt, Fixlog.txt
  14. There still seems to be something wrong. The wmcagent file is still there, and when I do a Google search, it still redirects to Bing or Yahoo. I'm running mbar right now.
  15. Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 6/10/18
     Scan Time: 4:26 PM
     Log File: 9a15d71c-6cec-11e8-889b-74852a30289a.json
     Administrator: Yes

     -Software Information-
     Version: 3.5.1.2522
     Components Version: 1.0.374
     Update Package Version: 1.0.5426
     License: Trial

     -System Information-
     OS: Windows 10 (Build 16299.431)
     CPU: x64
     File System: NTFS
     User: LAURASISSOKOAFW\lrksi

     -Scan Summary-
     Scan Type: Threat Scan
     Scan Initiated By: Manual
     Result: Completed
     Objects Scanned: 353574
     Threats Detected: 1
     Threats Quarantined: 0
     (No malicious items detected)
     Time Elapsed: 6 min, 4 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0
     (No malicious items detected)

     Module: 0
     (No malicious items detected)

     Registry Key: 0
     (No malicious items detected)

     Registry Value: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 1
     Trojan.Yelloader, C:\USERS\LRKSI\APPDATA\LOCAL\wmcagent, Removal Failed, [2659], [521697],1.0.5426

     File: 0
     (No malicious items detected)

     Physical Sector: 0
     (No malicious items detected)

     WMI: 0
     (No malicious items detected)

     (end)