Joffa Posted October 22, 2020 ID:1415732 Share Posted October 22, 2020 Greetings I have same 'Website blocked' message as https://forums.malwarebytes.com/topic/265325-constant-rtp-phishing-attempts-please-help/ I've followed most steps in the reply thread & attach relevant text files from the various scanning applications. Malwarebytes initial scan report is 'website blocked due to phishing.txt' Please let me know what my next step should be, or if I should also try the Sophos tool. Much appreciated Jeff RKLog.txt Scan log.txt website blocked due to phishing.txt Addition.txt FRST.txt Link to post Share on other sites More sharing options...
kevinf80 Posted October 22, 2020 ID:1415766 Share Posted October 22, 2020 Hello Jeff and welcome to Malwarebytes, Thanks for those logs, continue please; Let's re-run RogueKiller and remove all the items it found. Right-click on the RogueKiller file and select Run as administrator to start the tool. Click Yes to accept the UAC security warning that may appear. Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open. Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button. When the scan is complete, make sure every item listed in RED is checkmarked. Then click the Removal button and wait until the removal process is complete. When complete, click on Results. Click Report. Click Export and select "Text file". Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it. Click the Finish button and close RogueKiller window. Copy and paste the entire contents of that log into your next reply. Next, Open Malwarebytes, select > "settings" > "protection tab" Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Go back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes quarantine any found entries... To get the log from Malwarebytes do the following: Click on the Detection History tab > from main interface. Then click on "History" that will open to a historical list Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options:Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Next, Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Next, Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt" Let me see those logs in your reply... Thank you, Kevin Link to post Share on other sites More sharing options...
Joffa Posted October 24, 2020 Author ID:1416156 Share Posted October 24, 2020 Here are the log files of these applications. I'm no longer getting the MalwareBytes pop up about phishing - happy 🙂 Thanks, Jeff RKLog.txtAdwCleaner[S01].txtAddition.txtFRST.txt Link to post Share on other sites More sharing options...
Solution kevinf80 Posted October 24, 2020 Solution ID:1416190 Share Posted October 24, 2020 Hiya Joffa, Thanks for those logs, continue: Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.Note: If the tool warned you about an outdated version please download and run the updated version.NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The following directories are emptied: Windows Temp Users Temp folders Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache BITS transfer queue (qmgr*.dat files) Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. Next, Download "Microsoft's Safety Scanner" and save direct to the desktop Ensure to get the correct version for your system....https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Right click on the Tool, select Run as Administrator the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\msert.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Let me see those logs in your reply, also let me know if there are any remaining issues or concerns.... Thank you, Kevin fixlist.txt Link to post Share on other sites More sharing options...
Joffa Posted October 25, 2020 Author ID:1416425 Share Posted October 25, 2020 Thanks Kevin Here's the FixLog.txt: Fix result of Farbar Recovery Scan Tool (x64) Version: 24-10-2020 Ran by joffa (25-10-2020 10:56:34) Run:1 Running from C:\Users\joffa\Desktop Loaded Profiles: joffa Boot Mode: Normal ============================================== fixlist content: ***************** SystemRestore: On CreateRestorePoint: CloseProcesses: GroupPolicy: Restriction ? <==== ATTENTION Task: {86384D59-D20F-4603-BFA3-0139DAA73417} - System32\Tasks\WinmendUpdateTask_joffa => C:\Program Files (x86)\WinMend\Folder Hidden\liveupdate.exe Task: {D9856B18-DC1B-4C1A-A5D3-F97D4BBCD38F} - System32\Tasks\lr9kTbCXdRhS => lr9ktbcxdrhs.exe <==== ATTENTION Tcpip\..\Interfaces\{11fe760f-e9fb-47af-90f1-f4fab472985c}: [NameServer] 8.8.8.8 Tcpip\..\Interfaces\{26b11a49-585f-4b43-a90c-9af3c3d7b25b}: [NameServer] 8.8.8.8 Tcpip\..\Interfaces\{3d70b7a1-b595-4413-90f8-79e23bad61b8}: [NameServer] 8.8.8.8 Tcpip\..\Interfaces\{7d3abf3d-c4e5-4c2a-8c40-6076352c8c9a}: [NameServer] 8.8.8.8 Tcpip\..\Interfaces\{853f65e9-d806-11e7-a41b-806e6f6e6963}: [NameServer] 8.8.8.8 Tcpip\..\Interfaces\{b87cda5f-4b76-4524-9e26-b0ab7badcdbc}: [NameServer] 8.8.8.8 Tcpip\..\Interfaces\{c0771a63-8492-4f6d-ad59-b440b74e9771}: [NameServer] 8.8.8.8 Tcpip\..\Interfaces\{fdc8773b-61e9-4090-ab75-19e13768560b}: [NameServer] 8.8.8.8 FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File] FF Plugin: @videolan.org/vlc,version=2.2.6 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File] FF Plugin: @videolan.org/vlc,version=3.0.0-git -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File] FF Plugin: @videolan.org/vlc,version=3.0.10 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File] FF Plugin: @videolan.org/vlc,version=3.0.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File] FF Plugin: @videolan.org/vlc,version=3.0.6 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File] FF Plugin: @videolan.org/vlc,version=3.0.7.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File] FF Plugin: @videolan.org/vlc,version=3.0.8 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File] S2 HPTouchpointAnalyticsService; "C:\Program Files\HP\HP Touchpoint Analytics Client\TouchpointAnalyticsClientService.exe" [X] C:\WINDOWS\system32\Drivers\lvuvc.hs AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`29hfm [0] AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0] AlternateDataStreams: C:\Users\joffa\Downloads\BFTinyHand-Regular.zip:com.dropbox.attributes [168] BHO: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File BHO-x32: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File FirewallRules: [{CE4E9944-4BCC-4033-B2D0-31D5A95E6A78}] => (Allow) LPort=161 FirewallRules: [{D789CB08-10E7-4003-8628-3B06BD4021F4}] => (Allow) LPort=427 FirewallRules: [{097B7A11-2CD1-4D84-BD90-502DDE7D0263}] => (Allow) LPort=9100 FirewallRules: [{0BD1977D-7B8D-41C5-A2DC-FFFC644D5E67}] => (Allow) C:\Users\joffa\AppData\Local\Temp\7zS0E78\HPDiagnosticCoreUI.exe => No File FirewallRules: [{1E53E772-B4EE-4192-8C32-3A33C61507E1}] => (Allow) C:\Users\joffa\AppData\Local\Temp\7zS0E78\HPDiagnosticCoreUI.exe => No File FirewallRules: [{E9B6D101-E0B7-4025-A421-A3A922BAAB52}] => (Allow) C:\Users\joffa\AppData\Local\Temp\7zS0D3B\HPDiagnosticCoreUI.exe => No File FirewallRules: [{1E42B33B-8E11-4ED2-8235-64C1CB027CDD}] => (Allow) C:\Users\joffa\AppData\Local\Temp\7zS0D3B\HPDiagnosticCoreUI.exe => No File FirewallRules: [{61E3ECBB-952A-4148-9EF9-B080951BD55B}] => (Allow) %APPDATA%\Spotify\Spotify.exe => No File FirewallRules: [{1AD7088A-5156-458D-9B14-0493253BCAEE}] => (Allow) LPort=31931 FirewallRules: [{E13A2FED-ECFF-4B8A-864A-7E07BB95EF23}] => (Allow) LPort=14714 FirewallRules: [{73B4BFB8-FC57-4669-A102-AAC3C16852FC}] => (Allow) LPort=12972 FirewallRules: [{FE46B88F-0E46-4CEB-8A86-06FBA5A8FB19}] => (Block) %ProgramFiles%\Skylum\Luminar 4\Luminar 4.exe => No File FirewallRules: [UDP Query User{DE97DE2E-F35A-40CA-B350-FD5C9996EB8A}C:\users\joffa\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\joffa\appdata\roaming\spotify\spotify.exe => No File FirewallRules: [TCP Query User{384E864F-42CA-4D94-9EFF-7BFCAB21A305}C:\users\joffa\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\joffa\appdata\roaming\spotify\spotify.exe => No File FirewallRules: [{9649D109-608A-44F5-8900-D50191F343BE}] => (Allow) C:\Users\joffa\AppData\Roaming\Zoom\bin\airhost.exe => No File FirewallRules: [{586EEF56-056C-41B5-A8CA-A03AB83F518C}] => (Allow) C:\Users\joffa\AppData\Roaming\Zoom\bin\airhost.exe => No File File: C:\Users\joffa\EMPTIES.BAT CMD: winmgmt /verifyrepository cmd: sfc /scannow EmptyTemp: ***************** SystemRestore: On => completed Restore point was successfully created. Processes closed successfully. C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{86384D59-D20F-4603-BFA3-0139DAA73417}" => removed successfully "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{86384D59-D20F-4603-BFA3-0139DAA73417}" => removed successfully C:\WINDOWS\System32\Tasks\WinmendUpdateTask_joffa => moved successfully "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WinmendUpdateTask_joffa" => removed successfully "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D9856B18-DC1B-4C1A-A5D3-F97D4BBCD38F}" => removed successfully "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D9856B18-DC1B-4C1A-A5D3-F97D4BBCD38F}" => removed successfully C:\WINDOWS\System32\Tasks\lr9kTbCXdRhS => moved successfully "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\lr9kTbCXdRhS" => removed successfully "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11fe760f-e9fb-47af-90f1-f4fab472985c}\\NameServer" => removed successfully "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26b11a49-585f-4b43-a90c-9af3c3d7b25b}\\NameServer" => removed successfully "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3d70b7a1-b595-4413-90f8-79e23bad61b8}\\NameServer" => removed successfully "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7d3abf3d-c4e5-4c2a-8c40-6076352c8c9a}\\NameServer" => removed successfully "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{853f65e9-d806-11e7-a41b-806e6f6e6963}\\NameServer" => removed successfully "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b87cda5f-4b76-4524-9e26-b0ab7badcdbc}\\NameServer" => removed successfully "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0771a63-8492-4f6d-ad59-b440b74e9771}\\NameServer" => removed successfully "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fdc8773b-61e9-4090-ab75-19e13768560b}\\NameServer" => removed successfully HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.2.4 => removed successfully HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.2.6 => removed successfully HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=3.0.0-git => removed successfully HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=3.0.10 => removed successfully HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=3.0.3 => removed successfully HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=3.0.6 => removed successfully HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=3.0.7.1 => removed successfully HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=3.0.8 => removed successfully HKLM\System\CurrentControlSet\Services\HPTouchpointAnalyticsService => removed successfully HPTouchpointAnalyticsService => service removed successfully C:\WINDOWS\system32\Drivers\lvuvc.hs => moved successfully C:\ProgramData\Reprise => ":wupeogjxlctlfudivq`qsp`29hfm" ADS removed successfully C:\ProgramData\Reprise => ":wupeogjxldtlfudivq`qsp`27hfm" ADS removed successfully C:\Users\joffa\Downloads\BFTinyHand-Regular.zip => ":com.dropbox.attributes" ADS removed successfully HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13D67BB7-DB5F-48AA-884D-7A5D94168509} => removed successfully HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13D67BB7-DB5F-48AA-884D-7A5D94168509} => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CE4E9944-4BCC-4033-B2D0-31D5A95E6A78}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D789CB08-10E7-4003-8628-3B06BD4021F4}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{097B7A11-2CD1-4D84-BD90-502DDE7D0263}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0BD1977D-7B8D-41C5-A2DC-FFFC644D5E67}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1E53E772-B4EE-4192-8C32-3A33C61507E1}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E9B6D101-E0B7-4025-A421-A3A922BAAB52}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1E42B33B-8E11-4ED2-8235-64C1CB027CDD}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{61E3ECBB-952A-4148-9EF9-B080951BD55B}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1AD7088A-5156-458D-9B14-0493253BCAEE}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E13A2FED-ECFF-4B8A-864A-7E07BB95EF23}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{73B4BFB8-FC57-4669-A102-AAC3C16852FC}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FE46B88F-0E46-4CEB-8A86-06FBA5A8FB19}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{DE97DE2E-F35A-40CA-B350-FD5C9996EB8A}C:\users\joffa\appdata\roaming\spotify\spotify.exe" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{384E864F-42CA-4D94-9EFF-7BFCAB21A305}C:\users\joffa\appdata\roaming\spotify\spotify.exe" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9649D109-608A-44F5-8900-D50191F343BE}" => removed successfully "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{586EEF56-056C-41B5-A8CA-A03AB83F518C}" => removed successfully ========================= File: C:\Users\joffa\EMPTIES.BAT ======================== C:\Users\joffa\EMPTIES.BAT File not signed MD5: D41D8CD98F00B204E9800998ECF8427E <==== ATTENTION (zero byte File/Folder) Creation and modification date: 2018-05-29 19:25 - 2018-05-29 19:28 Size: 000000000 Attributes: ----A Company Name: Internal Name: Original Name: Product: Description: File Version: Product Version: Copyright: VirusTotal: 0-byte ====== End of File: ====== ========= winmgmt /verifyrepository ========= WMI repository is consistent ========= End of CMD: ========= ========= sfc /scannow ========= Beginning system scan. This process will take some time. Beginning verification phase of system scan. Verification 0% complete. Verification 1% complete. Verification 1% complete. Verification 2% complete. Verification 3% complete. Verification 3% complete. Verification 4% complete. Verification 5% complete. Verification 5% complete. Verification 6% complete. Verification 6% complete. Verification 7% complete. Verification 8% complete. Verification 8% complete. Verification 9% complete. Verification 10% complete. Verification 10% complete. Verification 11% complete. Verification 11% complete. Verification 12% complete. Verification 13% complete. Verification 13% complete. Verification 14% complete. Verification 15% complete. Verification 15% complete. Verification 16% complete. Verification 16% complete. Verification 17% complete. Verification 18% complete. Verification 18% complete. Verification 19% complete. Verification 20% complete. Verification 20% complete. Verification 21% complete. Verification 21% complete. Verification 22% complete. Verification 23% complete. Verification 23% complete. Verification 24% complete. Verification 25% complete. Verification 25% complete. Verification 26% complete. Verification 26% complete. Verification 27% complete. Verification 28% complete. Verification 28% complete. Verification 29% complete. Verification 30% complete. Verification 30% complete. Verification 31% complete. Verification 31% complete. Verification 32% complete. Verification 33% complete. Verification 33% complete. Verification 34% complete. Verification 35% complete. Verification 35% complete. Verification 36% complete. Verification 36% complete. Verification 37% complete. Verification 38% complete. Verification 38% complete. Verification 39% complete. Verification 40% complete. Verification 40% complete. Verification 41% complete. Verification 41% complete. Verification 42% complete. Verification 43% complete. Verification 43% complete. Verification 44% complete. Verification 45% complete. Verification 45% complete. Verification 46% complete. Verification 46% complete. Verification 47% complete. Verification 48% complete. Verification 48% complete. Verification 49% complete. Verification 50% complete. Verification 50% complete. Verification 51% complete. Verification 51% complete. Verification 52% complete. Verification 53% complete. Verification 53% complete. Verification 54% complete. Verification 55% complete. Verification 55% complete. Verification 56% complete. Verification 56% complete. Verification 57% complete. Verification 58% complete. Verification 58% complete. Verification 59% complete. Verification 60% complete. Verification 60% complete. Verification 61% complete. Verification 61% complete. Verification 62% complete. Verification 63% complete. Verification 63% complete. Verification 64% complete. Verification 65% complete. Verification 65% complete. Verification 66% complete. Verification 66% complete. Verification 67% complete. Verification 68% complete. Verification 68% complete. Verification 69% complete. Verification 70% complete. Verification 70% complete. Verification 71% complete. Verification 71% complete. Verification 72% complete. Verification 73% complete. Verification 73% complete. Verification 74% complete. Verification 75% complete. Verification 75% complete. Verification 76% complete. Verification 76% complete. Verification 77% complete. Verification 78% complete. Verification 78% complete. Verification 79% complete. Verification 80% complete. Verification 80% complete. Verification 81% complete. Verification 81% complete. Verification 82% complete. Verification 83% complete. Verification 83% complete. Verification 84% complete. Verification 85% complete. Verification 85% complete. Verification 86% complete. Verification 86% complete. Verification 87% complete. Verification 88% complete. Verification 88% complete. Verification 89% complete. Verification 90% complete. Verification 90% complete. Verification 91% complete. Verification 91% complete. Verification 92% complete. Verification 93% complete. Verification 93% complete. Verification 94% complete. Verification 95% complete. Verification 95% complete. Verification 96% complete. Verification 96% complete. Verification 97% complete. Verification 98% complete. Verification 98% complete. Verification 99% complete. Verification 100% complete. Windows Resource Protection found corrupt files and successfully repaired them. For online repairs, details are included in the CBS log file located at windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline repairs, details are included in the log file provided by the /OFFLOGFILE flag. ========= End of CMD: ========= =========== EmptyTemp: ========== BITS transfer queue => 8151040 B DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 180536422 B Java, Flash, Steam htmlcache => 31301793 B Windows/system/drivers => 2475801 B Edge => 564250 B Chrome => 873437 B Firefox => 42308042 B Opera => 0 B Temp, IE cache, history, cookies, recent: Default => 0 B Users => 0 B ProgramData => 0 B Public => 0 B systemprofile => 0 B systemprofile32 => 9270 B LocalService => 52206 B NetworkService => 55258 B joffa => 3107059876 B Administrator => 3221381888 B RecycleBin => 9631019123 B EmptyTemp: => 15.1 GB temporary data Removed. ================================ The system needed a reboot. ==== End of Fixlog 11:19:47 ==== --------------------------------------------------------------------------------------- Microsoft Safety Scanner v1.0, (build 1.325.1417.0) Started On Mon Oct 26 09:39:46 2020 ->Scan ERROR: resource process://pid:104,ProcessStart:132480622585852048 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:404,ProcessStart:132480622673049841 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:628,ProcessStart:132480622918848652 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:748,ProcessStart:132480622954333666 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:772,ProcessStart:132480622954608996 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:820,ProcessStart:132480622956317729 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:3012,ProcessStart:132480622991212583 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:4736,ProcessStart:132480623024222486 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:4640,ProcessStart:132480623778992851 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:1908,ProcessStart:132480624640838191 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:2008,ProcessStart:132480624658086400 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:6340,ProcessStart:132481384033969039 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:6892,ProcessStart:132481390449907959 (code 0x0000012B (299)) ->Scan ERROR: resource process://pid:4736,ProcessStart:132480623024222486 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:4640,ProcessStart:132480623778992851 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:1908,ProcessStart:132480624640838191 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:6340,ProcessStart:132481384033969039 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:2008,ProcessStart:132480624658086400 (code 0x00000005 (5)) ->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000021 (33)) ->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000021 (33)) ->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33)) ->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33)) ->Scan ERROR: resource file://C:\swapfile.sys (code 0x00000021 (33)) ->Scan ERROR: resource file://C:\swapfile.sys (code 0x00000021 (33)) ->Scan ERROR: resource process://pid:4736,ProcessStart:132480623024222486 (code 0x00000005 (5)) ->Scan ERROR: resource process://pid:4736,ProcessStart:132480623024222486 (code 0x00000005 (5)) Quick Scan Results for 84DE5EFA-1A80-4EBC-AD3F-0251D1CB1990: ---------------- Threat detected: VirTool:Win32/DefenderTamperingRestore regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware SigSeq: 0x0000055555C57273 Quick Scan Removal Results ---------------- Start 'remove' for regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware Operation succeeded ! Results Summary: ---------------- Found VirTool:Win32/DefenderTamperingRestore and Removed! I don't have symptoms/warnings any more :-) Link to post Share on other sites More sharing options...
kevinf80 Posted October 25, 2020 ID:1416426 Share Posted October 25, 2020 Hiya Joffa, Thanks for those logs, good to hear symptoms have now ceased, continue to clean up: Right click on FRST here: C:\Users\joffa\Desktop\FRST64.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator" If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall That action will remove FRST and all created files and folders... Next, Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2 Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/ Download and use a Password Management application. https://www.windowscentral.com/best-password-manager-windows Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/ Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee From there you should be good to go... Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful....Answers to Common Security Questions and best PracticesDo I need a Registry Cleaner? Take care and surf safe Kevin... http://www.bleepingcomputer.com/forums/public/style_emoticons/default/busy.gif Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 25, 2020 Root Admin ID:1416428 Share Posted October 25, 2020 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following for Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
kevinf80 Posted October 26, 2020 ID:1416480 Share Posted October 26, 2020 Topic has been reopened per request. Thanks Link to post Share on other sites More sharing options...
kevinf80 Posted October 26, 2020 ID:1416481 Share Posted October 26, 2020 Hiya Jeff, Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt" Thank you, Kevin.. Link to post Share on other sites More sharing options...
Joffa Posted October 27, 2020 Author ID:1416660 Share Posted October 27, 2020 Addition.txtFRST.txt Thanks mate PS Windows Update has completed now. Cheers Jeff Link to post Share on other sites More sharing options...
kevinf80 Posted October 27, 2020 ID:1416744 Share Posted October 27, 2020 Hiya Jeff, Microsoft Edge is listed as your Default browser, do the website blocks only affect Edge or other browsers also.. Thank you, Kevin... Link to post Share on other sites More sharing options...
Joffa Posted October 29, 2020 Author ID:1417137 Share Posted October 29, 2020 Hi again Kevin. I've used Chrome for a day now and, like with Edge, there's now no phising alert any more. I'll try rebooting and see if I get the message tomorrow (& I'll try using Firefox only). I really appreciate your help - can you leave this issue open for 24 hours more? Thanks Jeff Link to post Share on other sites More sharing options...
kevinf80 Posted October 29, 2020 ID:1417150 Share Posted October 29, 2020 Hiya Jeff, Thanks for the update, yes your thread will stay open for you. Catch up later... Thanks, Kevin.. Link to post Share on other sites More sharing options...
kevinf80 Posted November 7, 2020 ID:1419259 Share Posted November 7, 2020 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following for Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts