PCBungler
FF VPN Plugin may be an issue
PCBungler replied to PCBungler's topic in Resolved Malware Removal Logs
I posted one set for PC and one for laptop. You gave me the fix commands for the laptop which is now sorted (see above log) apart from an orphan sys tray icon. It was my bad for posting about two devices at once. I am going to nuke the PC and rebuild it as it is mainly a gaming box. We can close this now. Thanks for your help! -
Duplicate MWB tray icons in system settings
PCBungler replied to PCBungler's topic in Malwarebytes for Windows Support Forum
Hi Other topic done and dusted. I tried the clean option on MBAM support to no avail. I tried the registry hack to reset the sys tray to no avail. Not 100% happy about posting a ton of detailed logs openly on the internet as I have no idea what they contain. I may just nuke the machine and start again. -
FF VPN Plugin may be an issue
PCBungler replied to PCBungler's topic in Resolved Malware Removal Logs
All done. Log looks ok?

Fix result of Farbar Recovery Scan Tool (x64) Version: 26-02-2020
Ran by PCBungler (04-03-2020 14:31:38) Run:1
Running from C:\Users\PCBungler\Downloads
Loaded Profiles: PCBungler (Available Profiles: PCBungler)
Boot Mode: Normal
==============================================

fixlist content:
*****************
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
FirewallRules: [{1C1C7FD2-9CA3-44D3-8280-99C2818F589E}] => (Allow) C:\Users\PCBungler\AppData\Roaming\Zoom\bin\airhost.exe No File
CMD: netsh int ip reset
CMD: ipconfig /flushDNS
EmptyTemp:
*****************

SystemRestore: On => completed
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1C1C7FD2-9CA3-44D3-8280-99C2818F589E}" => removed successfully

========= netsh int ip reset =========

Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.

========= End of CMD: =========

========= ipconfig /flushDNS =========

Windows IP Configuration
Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========== EmptyTemp: ==========

BITS transfer queue => 11034624 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 279228810 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 99952205 B
Edge => 2082380 B
Chrome => 0 B
Firefox => 822482794 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 11742 B
NetworkService => 111374 B
PCBungler => 248166902 B

RecycleBin => 0 B
EmptyTemp: => 1.4 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 14:33:53 ====
-
FF VPN Plugin may be an issue
PCBungler replied to PCBungler's topic in Resolved Malware Removal Logs
Cool Those are the laptop ones - will get on it! -
FF VPN Plugin may be an issue
PCBungler replied to PCBungler's topic in Resolved Malware Removal Logs
Thanks Since I posted logs for my PC and laptop (just to be awkward 😃) can I confirm which log this fix file is from? I think it is the laptop one as that is the only device I installed Zoom web conferencing on? Cheers! -
Duplicate MWB tray icons in system settings
PCBungler replied to PCBungler's topic in Malwarebytes for Windows Support Forum
Cheers Am tight for time right now but will get to it as soon as I can. -
Duplicate MWB tray icons in system settings
PCBungler replied to PCBungler's topic in Malwarebytes for Windows Support Forum
Cheers. The ghost icon does not appear in the actual tray but only in the control panel screen to edit which icons to show. A reboot has not yet clobbered it. -
FF VPN Plugin may be an issue
PCBungler replied to PCBungler's topic in Resolved Malware Removal Logs
Hi nasdaq Could you explain what the commands in the file do please and why they are there (I think I know the first set :))? Can you confirm was this for the PC or laptop FRST versions as I included both? It is mainly that laptop that I am concerned about as that is my office one and the PC is mainly gaming.

Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
FirewallRules: [{1C1C7FD2-9CA3-44D3-8280-99C2818F589E}] => (Allow) C:\Users\PCBungler\AppData\Roaming\Zoom\bin\airhost.exe No File
CMD: netsh int ip reset
CMD: ipconfig /flushDNS
EmptyTemp:
End::

Thanks for clarifying the risk issue. I had a further thought about the blocks. Both the laptop and the PC had the VPN plugin but it was only the PC that had the js adware trojan detected by MSS and only the PC that had the popups. I wonder therefore if the blockers were related to that rather than the VPN. Since the plugin did not get picked up as a virus whilst installed and anything involving a login I did when it was installed would have been over HTTPS or equivalent, I am reasonably sure that even if the VPN was iffy, I should be ok from the perspective of the messages being sniffed en route. Make sense? -
FF VPN Plugin may be an issue
PCBungler replied to PCBungler's topic in Resolved Malware Removal Logs
Also (sorry to be a pain) I assume that the "nothing suspicious" covers both the PC and laptop logs? -
FF VPN Plugin may be an issue
PCBungler replied to PCBungler's topic in Resolved Malware Removal Logs
Oh, I could not see a fixlist attachment to download? -
FF VPN Plugin may be an issue
PCBungler replied to PCBungler's topic in Resolved Malware Removal Logs
Thanks. A relief! I will do so shortly. Regarding the VPN FF plugin, the suspicious website blocks and the fact that they went after I removed the plugin - do you think there is a risk I have had any data compromised whilst the plugin was installed bearing in mind I have Defender, MWB premium and MWB FF Browser plugin running? I really do not want to have to go and reset all the passwords for the sites I have used since I stupidly put in the VPN plugin? Thanks again! -
FF VPN Plugin may be an issue
PCBungler replied to PCBungler's topic in Resolved Malware Removal Logs
Here are the laptop logs. If you could review these as well I would be grateful. Interestingly, I note that both the PC and laptop have a "No Name" extension. Thanks in advance. Addition - laptop.txt FRST - laptop.txt -
FF VPN Plugin may be an issue
PCBungler replied to PCBungler's topic in Resolved Malware Removal Logs
Edit: Am also curious as to why the Trojan only appeared when I clicked on certain sites? Were these sites that the Trojan used to phone home? -
FF VPN Plugin may be an issue
PCBungler replied to PCBungler's topic in Resolved Malware Removal Logs
Updated information I realised I had FF sync across my PC and laptop so checked that out (in the middle of the night as I could not sleep). It had the VPN plugin. Oddly with that installed but turned off it did not cause the blocked Trojan pop up like it did on the PC. The version on the laptop had the user information filled in on the plugin page which the PC one did not. When I clicked on the developer link, I got a 404 saying Mozilla had removed it under TOS. Clearly it was dodgy. Being half asleep I deleted it from the laptop which with the sync means it is no longer on the PC either so can't run FRST with it on there - am still doing that and will add here anyway (doh!). I ran ADWCleaner overnight (before I deleted it) and that reported clean. Microsoft Safety Scanner (again overnight before I removed the plugin) detected go.microsoft.com/fwlink/?linkid=139454&name=Adware:JS/InjectorAd.A which it removed. I am currently running a deep MWB scan (currently 10 hours). Would still appreciate an assessment of the FRST report so I can do a threat assessment on whether I need to change a bazillion passwords or rebuild my machines. Lesson learned - do not install VPN plugins on Firefox.