lurker316


  1. Thanks. It appears I already have Malwarebytes Browser Guard installed in Chrome. It must have been an add-on when I installed Malwarebytes to scan for the suspected trojan. I uninstalled Malwarebytes and reverted to Windows Security, but the browser extension remained in place. I will definitely keep it based on your recommendation. Is there any additional clean-up or follow up I should be doing?
  2. The quick scan found no threats. I'm not ready for final clean-up. Thanks.
  3. @Maurice Naggar Thank you for providing that explanation. I appreciate your patience and your ability to explain things in clear, easy-to-understand terms. You've been a tremendous help. I ran the new script. The log is attached. I checked my Windows Security protection history. It is now empty. Fixlog.txt
  4. I understand IntelAudioService.exe is a legit driver, but one of the earlier scans you had me run said the file had been altered after it was signed. The exact quote was: "Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software." I thought that meant malware may have embedded itself / be piggy-backing off of the legit driver?
  5. The protection history is still there. Here's a screenshot:
  6. Ok, I found the old copy of FRSTENGLISH.exe in my recycle bin. I restored it and ran it. The resulting log is attached. I then ran a quick scan with Windows Security. It found no threats. Fixlog.txt
  7. I deleted the old version of Fixlist.txt and downloaded the new one. Where do I find FRSTENGLISH.exe? There's no file with that name in my download folder. I must have deleted the version I had previously. (Looking back through this thread, I'm not sure how I got that earlier copy. I don't see where you instructed me to download it.)
  8. @Maurice Naggar Sorry for my late reply. I was away from my computer most of the day. I wasn't able to locate Sophos in the list of installed programs, so I wasn't able to right-click and select "uninstall". I searched for the app a few other ways and couldn't find it. I guess it ran from the executable file without permanently installing??? Oh well, I'm not concerned about it. I ran the ESET online scanner. It didn't find anything. The log is attached. I realize that whatever Windows Security initially detected is most likely gone (or wasn't a true threat to begin with), but I appreciate your helping me run other virus detection programs to be sure. It helps give me peace of mind. Thank you so much. eset online scanner log.txt
  9. Sorry for bombarding you with questions, but I have one more follow-up... The scan noted that two of my drivers are suspicious because: "Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software." However, it didn't take any action against those drivers. By default, Sophos ignored them. Is that anything I should be concerned about?
  10. Sorry, I forgot to attach the log. Here it is. SophosScanAndClean_20211204_1043.log
  11. @Maurice Naggar I ran the scan. The log is attached. You asked me to confirm that it scanned certain areas of my computer. I'm not sure how to do that? Can you get that information from reviewing the attached log? It found no threats. It simply recommended deleting about a dozen cookies. However, after I clicked through a series of "next" prompts, the final screen said: "Malicious software was partially removed from your computer." (See screenshot below.) That confused me. If it found no threats, what "malicious software" did it remove? Is this a reference to the cookies it deleted? I don't think of cookies as software.
  12. @Maurice Naggar Thank you for the reassurance that this threat isn't as serious as I believed. That makes me feel better. Nevertheless, I will try the Sophos application for even more confidence and report back the results.
  13. @Maurice Naggar Thanks again for all of your time and attention. I greatly appreciate it. I ran a Quick Scan, Full Scan and Offline Scan. None of them turned up a current threat. Is it possible the virus was successfully quarantined by Windows Security, despite the warnings of "remediation incomplete" and "quarantine failed"? This is a pretty serious virus, so I'm not sure I want to take any chances. The person assisting me on the MS forum is suggesting I do a system recovery to be safe, but for some reason I have no Windows restore points. On a side note, I understand that the script you provided wasn't designed to -- and theoretically should not have -- affected my Quick Access in File Explorer, but it absolutely did. Prior to running the script I had numerous folders pinned there. After running the script they were all unpinned. Again, not a complaint or big deal -- just want you to be aware that the script could have minor unanticipated effects. As your above explanation points out, the script empties a number of directories -- one of those directories presumably contained my Quick Access preferences. Perhaps Windows 11 changed (relative to Windows 10) where Quick Access preferences are stored, and that new storage location coincides with a directory emptied by the script?
  14. @Maurice Naggar Thanks. I ran it. The log is attached. After my computer rebooted, the folders I had pinned under "Quick Access" in File Explorer changed. The folders I pinned are no longer there. It looks like Quick Access was restored to its default. It's not a big deal and I can change it back, but I'm wondering if that's normal? Might the script have altered other customizations I've made to Windows that I should check? Fixlog.txt
  15. @Maurice Naggar You say the script will run a "Windows 10 DISM". I'm running Windows 11, not 10. Does that make a difference?