Same malware alert (phishing) as another post


Solved by kevinf80

Greetings

I have the same 'Website blocked' message as https://forums.malwarebytes.com/topic/265325-constant-rtp-phishing-attempts-please-help/

I've followed most of the steps in the reply thread and have attached the relevant text files from the various scanning applications. The Malwarebytes initial scan report is 'website blocked due to phishing.txt'.

Please let me know what my next step should be, or if I should also try the Sophos tool.

Much appreciated

 

Jeff

 

 

Attachments: RKLog.txt, Scan log.txt, website blocked due to phishing.txt, Addition.txt, FRST.txt

Hello Jeff and welcome to Malwarebytes,

Thanks for those logs. Continue, please:

Let's re-run RogueKiller and remove all the items it found.
 
  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the blue Scan button and, under Standard Scan (recommended), click on the Scan button.
  • When the scan is complete, make sure every item listed in RED is checkmarked.
  • Then click the Removal button and wait until the removal process is complete.
  • When complete, click on Results.
  • Click Report.
  • Click Export and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Copy and paste the entire contents of that log into your next reply.


Next,

Open Malwarebytes, select "Settings" > "Protection" tab.

Scroll down to "Scan Options" and ensure Scan for Rootkits and Scan within Archives are both on.

Go back to "Dashboard" and select the blue "Scan Now" tab.

When the scan completes, quarantine any found entries.

To get the log from Malwarebytes do the following:
 
  • Click on the Detection History tab from the main interface.
  • Then click on "History"; that will open a historical list.
  • Double-click on the Scan log which shows the date and time of the scan just performed.
  • Click Export. From Export you have two options:
    Copy to Clipboard - if selected, right-click in your reply and select "Paste"; the log will be pasted into your reply.
    Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply.

     
  • Please use "Copy to Clipboard", then right-click in your reply and select "Paste"; that will copy the log to your reply.


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes.
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer; do it.
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply.



Next,

Run FRST one more time. Ensure all boxes are checkmarked under "Whitelist", but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs, "FRST.txt" and "Addition.txt".
 

Let me see those logs in your reply...

Thank you,

Kevin

  • Solution

Hiya Joffa,

Thanks for those logs, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

Next,

Download "Microsoft's Safety Scanner" and save it directly to the desktop.

Ensure you get the correct version for your system:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right-click on the tool and select Run as Administrator; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan.
Perform a scan and click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\msert.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs in your reply, also let me know if there are any remaining issues or concerns....

Thank you,

Kevin

fixlist.txt


Thanks Kevin

Here's the FixLog.txt:

Fix result of Farbar Recovery Scan Tool (x64) Version: 24-10-2020
Ran by joffa (25-10-2020 10:56:34) Run:1
Running from C:\Users\joffa\Desktop
Loaded Profiles: joffa
Boot Mode: Normal
==============================================

fixlist content:
*****************
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
GroupPolicy: Restriction ? <==== ATTENTION
Task: {86384D59-D20F-4603-BFA3-0139DAA73417} - System32\Tasks\WinmendUpdateTask_joffa => C:\Program Files (x86)\WinMend\Folder Hidden\liveupdate.exe
Task: {D9856B18-DC1B-4C1A-A5D3-F97D4BBCD38F} - System32\Tasks\lr9kTbCXdRhS => lr9ktbcxdrhs.exe <==== ATTENTION
Tcpip\..\Interfaces\{11fe760f-e9fb-47af-90f1-f4fab472985c}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{26b11a49-585f-4b43-a90c-9af3c3d7b25b}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{3d70b7a1-b595-4413-90f8-79e23bad61b8}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{7d3abf3d-c4e5-4c2a-8c40-6076352c8c9a}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{853f65e9-d806-11e7-a41b-806e6f6e6963}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{b87cda5f-4b76-4524-9e26-b0ab7badcdbc}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{c0771a63-8492-4f6d-ad59-b440b74e9771}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{fdc8773b-61e9-4090-ab75-19e13768560b}: [NameServer] 8.8.8.8
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin: @videolan.org/vlc,version=2.2.6 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin: @videolan.org/vlc,version=3.0.0-git -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin: @videolan.org/vlc,version=3.0.10 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin: @videolan.org/vlc,version=3.0.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin: @videolan.org/vlc,version=3.0.6 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin: @videolan.org/vlc,version=3.0.7.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin: @videolan.org/vlc,version=3.0.8 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File]
S2 HPTouchpointAnalyticsService; "C:\Program Files\HP\HP Touchpoint Analytics Client\TouchpointAnalyticsClientService.exe" [X]
C:\WINDOWS\system32\Drivers\lvuvc.hs
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`29hfm [0]
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
AlternateDataStreams: C:\Users\joffa\Downloads\BFTinyHand-Regular.zip:com.dropbox.attributes [168]
BHO: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
BHO-x32: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
FirewallRules: [{CE4E9944-4BCC-4033-B2D0-31D5A95E6A78}] => (Allow) LPort=161
FirewallRules: [{D789CB08-10E7-4003-8628-3B06BD4021F4}] => (Allow) LPort=427
FirewallRules: [{097B7A11-2CD1-4D84-BD90-502DDE7D0263}] => (Allow) LPort=9100
FirewallRules: [{0BD1977D-7B8D-41C5-A2DC-FFFC644D5E67}] => (Allow) C:\Users\joffa\AppData\Local\Temp\7zS0E78\HPDiagnosticCoreUI.exe => No File
FirewallRules: [{1E53E772-B4EE-4192-8C32-3A33C61507E1}] => (Allow) C:\Users\joffa\AppData\Local\Temp\7zS0E78\HPDiagnosticCoreUI.exe => No File
FirewallRules: [{E9B6D101-E0B7-4025-A421-A3A922BAAB52}] => (Allow) C:\Users\joffa\AppData\Local\Temp\7zS0D3B\HPDiagnosticCoreUI.exe => No File
FirewallRules: [{1E42B33B-8E11-4ED2-8235-64C1CB027CDD}] => (Allow) C:\Users\joffa\AppData\Local\Temp\7zS0D3B\HPDiagnosticCoreUI.exe => No File
FirewallRules: [{61E3ECBB-952A-4148-9EF9-B080951BD55B}] => (Allow) %APPDATA%\Spotify\Spotify.exe => No File
FirewallRules: [{1AD7088A-5156-458D-9B14-0493253BCAEE}] => (Allow) LPort=31931
FirewallRules: [{E13A2FED-ECFF-4B8A-864A-7E07BB95EF23}] => (Allow) LPort=14714
FirewallRules: [{73B4BFB8-FC57-4669-A102-AAC3C16852FC}] => (Allow) LPort=12972
FirewallRules: [{FE46B88F-0E46-4CEB-8A86-06FBA5A8FB19}] => (Block) %ProgramFiles%\Skylum\Luminar 4\Luminar 4.exe => No File
FirewallRules: [UDP Query User{DE97DE2E-F35A-40CA-B350-FD5C9996EB8A}C:\users\joffa\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\joffa\appdata\roaming\spotify\spotify.exe => No File
FirewallRules: [TCP Query User{384E864F-42CA-4D94-9EFF-7BFCAB21A305}C:\users\joffa\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\joffa\appdata\roaming\spotify\spotify.exe => No File
FirewallRules: [{9649D109-608A-44F5-8900-D50191F343BE}] => (Allow) C:\Users\joffa\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{586EEF56-056C-41B5-A8CA-A03AB83F518C}] => (Allow) C:\Users\joffa\AppData\Roaming\Zoom\bin\airhost.exe => No File
File: C:\Users\joffa\EMPTIES.BAT
CMD: winmgmt /verifyrepository
cmd: sfc /scannow
EmptyTemp:

*****************

SystemRestore: On => completed
Restore point was successfully created.
Processes closed successfully.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{86384D59-D20F-4603-BFA3-0139DAA73417}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{86384D59-D20F-4603-BFA3-0139DAA73417}" => removed successfully
C:\WINDOWS\System32\Tasks\WinmendUpdateTask_joffa => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WinmendUpdateTask_joffa" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D9856B18-DC1B-4C1A-A5D3-F97D4BBCD38F}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D9856B18-DC1B-4C1A-A5D3-F97D4BBCD38F}" => removed successfully
C:\WINDOWS\System32\Tasks\lr9kTbCXdRhS => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\lr9kTbCXdRhS" => removed successfully
"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11fe760f-e9fb-47af-90f1-f4fab472985c}\\NameServer" => removed successfully
"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26b11a49-585f-4b43-a90c-9af3c3d7b25b}\\NameServer" => removed successfully
"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3d70b7a1-b595-4413-90f8-79e23bad61b8}\\NameServer" => removed successfully
"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7d3abf3d-c4e5-4c2a-8c40-6076352c8c9a}\\NameServer" => removed successfully
"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{853f65e9-d806-11e7-a41b-806e6f6e6963}\\NameServer" => removed successfully
"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b87cda5f-4b76-4524-9e26-b0ab7badcdbc}\\NameServer" => removed successfully
"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0771a63-8492-4f6d-ad59-b440b74e9771}\\NameServer" => removed successfully
"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fdc8773b-61e9-4090-ab75-19e13768560b}\\NameServer" => removed successfully
HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.2.4 => removed successfully
HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.2.6 => removed successfully
HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=3.0.0-git => removed successfully
HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=3.0.10 => removed successfully
HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=3.0.3 => removed successfully
HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=3.0.6 => removed successfully
HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=3.0.7.1 => removed successfully
HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=3.0.8 => removed successfully
HKLM\System\CurrentControlSet\Services\HPTouchpointAnalyticsService => removed successfully
HPTouchpointAnalyticsService => service removed successfully
C:\WINDOWS\system32\Drivers\lvuvc.hs => moved successfully
C:\ProgramData\Reprise => ":wupeogjxlctlfudivq`qsp`29hfm" ADS removed successfully
C:\ProgramData\Reprise => ":wupeogjxldtlfudivq`qsp`27hfm" ADS removed successfully
C:\Users\joffa\Downloads\BFTinyHand-Regular.zip => ":com.dropbox.attributes" ADS removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13D67BB7-DB5F-48AA-884D-7A5D94168509} => removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13D67BB7-DB5F-48AA-884D-7A5D94168509} => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CE4E9944-4BCC-4033-B2D0-31D5A95E6A78}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D789CB08-10E7-4003-8628-3B06BD4021F4}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{097B7A11-2CD1-4D84-BD90-502DDE7D0263}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0BD1977D-7B8D-41C5-A2DC-FFFC644D5E67}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1E53E772-B4EE-4192-8C32-3A33C61507E1}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E9B6D101-E0B7-4025-A421-A3A922BAAB52}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1E42B33B-8E11-4ED2-8235-64C1CB027CDD}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{61E3ECBB-952A-4148-9EF9-B080951BD55B}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1AD7088A-5156-458D-9B14-0493253BCAEE}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E13A2FED-ECFF-4B8A-864A-7E07BB95EF23}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{73B4BFB8-FC57-4669-A102-AAC3C16852FC}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FE46B88F-0E46-4CEB-8A86-06FBA5A8FB19}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{DE97DE2E-F35A-40CA-B350-FD5C9996EB8A}C:\users\joffa\appdata\roaming\spotify\spotify.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{384E864F-42CA-4D94-9EFF-7BFCAB21A305}C:\users\joffa\appdata\roaming\spotify\spotify.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9649D109-608A-44F5-8900-D50191F343BE}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{586EEF56-056C-41B5-A8CA-A03AB83F518C}" => removed successfully

========================= File: C:\Users\joffa\EMPTIES.BAT ========================

C:\Users\joffa\EMPTIES.BAT
File not signed
MD5: D41D8CD98F00B204E9800998ECF8427E <==== ATTENTION (zero byte File/Folder)
Creation and modification date: 2018-05-29 19:25 - 2018-05-29 19:28
Size: 000000000
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
VirusTotal: 0-byte

====== End of File: ======


========= winmgmt /verifyrepository =========

WMI repository is consistent

========= End of CMD: =========


========= sfc /scannow =========


Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 0% complete. Verification 1% complete. Verification 1% complete. Verification 2% complete. Verification 3% complete. Verification 3% complete. Verification 4% complete. Verification 5% complete. Verification 5% complete. Verification 6% complete. Verification 6% complete. Verification 7% complete. Verification 8% complete. Verification 8% complete. Verification 9% complete. Verification 10% complete. Verification 10% complete. Verification 11% complete. Verification 11% complete. Verification 12% complete. Verification 13% complete. Verification 13% complete. Verification 14% complete. Verification 15% complete. Verification 15% complete. Verification 16% complete. Verification 16% complete. Verification 17% complete. Verification 18% complete. Verification 18% complete. Verification 19% complete. Verification 20% complete. Verification 20% complete. Verification 21% complete. Verification 21% complete. Verification 22% complete. Verification 23% complete. Verification 23% complete. Verification 24% complete. Verification 25% complete. Verification 25% complete. Verification 26% complete. Verification 26% complete. Verification 27% complete. Verification 28% complete. Verification 28% complete. Verification 29% complete. Verification 30% complete. Verification 30% complete. Verification 31% complete. Verification 31% complete. Verification 32% complete. Verification 33% complete. Verification 33% complete. Verification 34% complete. Verification 35% complete. Verification 35% complete. Verification 36% complete. Verification 36% complete. Verification 37% complete. Verification 38% complete. Verification 38% complete. Verification 39% complete. Verification 40% complete. Verification 40% complete. Verification 41% complete. Verification 41% complete. Verification 42% complete. Verification 43% complete. Verification 43% complete. Verification 44% complete. Verification 45% complete. Verification 45% complete. Verification 46% complete. 
Verification 46% complete. Verification 47% complete. Verification 48% complete. Verification 48% complete. Verification 49% complete. Verification 50% complete. Verification 50% complete. Verification 51% complete. Verification 51% complete. Verification 52% complete. Verification 53% complete. Verification 53% complete. Verification 54% complete. Verification 55% complete. Verification 55% complete. Verification 56% complete. Verification 56% complete. Verification 57% complete. Verification 58% complete. Verification 58% complete. Verification 59% complete. Verification 60% complete. Verification 60% complete. Verification 61% complete. Verification 61% complete. Verification 62% complete. Verification 63% complete. Verification 63% complete. Verification 64% complete. Verification 65% complete. Verification 65% complete. Verification 66% complete. Verification 66% complete. Verification 67% complete. Verification 68% complete. Verification 68% complete. Verification 69% complete. Verification 70% complete. Verification 70% complete. Verification 71% complete. Verification 71% complete. Verification 72% complete. Verification 73% complete. Verification 73% complete. Verification 74% complete. Verification 75% complete. Verification 75% complete. Verification 76% complete. Verification 76% complete. Verification 77% complete. Verification 78% complete. Verification 78% complete. Verification 79% complete. Verification 80% complete. Verification 80% complete. Verification 81% complete. Verification 81% complete. Verification 82% complete. Verification 83% complete. Verification 83% complete. Verification 84% complete. Verification 85% complete. Verification 85% complete. Verification 86% complete. Verification 86% complete. Verification 87% complete. Verification 88% complete. Verification 88% complete. Verification 89% complete. Verification 90% complete. Verification 90% complete. Verification 91% complete. Verification 91% complete. Verification 92% complete. 
Verification 93% complete. Verification 93% complete. Verification 94% complete. Verification 95% complete. Verification 95% complete. Verification 96% complete. Verification 96% complete. Verification 97% complete. Verification 98% complete. Verification 98% complete. Verification 99% complete. Verification 100% complete.

Windows Resource Protection found corrupt files and successfully repaired them.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 8151040 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 180536422 B
Java, Flash, Steam htmlcache => 31301793 B
Windows/system/drivers => 2475801 B
Edge => 564250 B
Chrome => 873437 B
Firefox => 42308042 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 9270 B
LocalService => 52206 B
NetworkService => 55258 B
joffa => 3107059876 B
Administrator => 3221381888 B

RecycleBin => 9631019123 B
EmptyTemp: => 15.1 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:19:47 ====


---------------------------------------------------------------------------------------

Microsoft Safety Scanner v1.0, (build 1.325.1417.0)
Started On Mon Oct 26 09:39:46 2020
->Scan ERROR: resource process://pid:104,ProcessStart:132480622585852048 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:404,ProcessStart:132480622673049841 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:628,ProcessStart:132480622918848652 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:748,ProcessStart:132480622954333666 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:772,ProcessStart:132480622954608996 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:820,ProcessStart:132480622956317729 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:3012,ProcessStart:132480622991212583 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:4736,ProcessStart:132480623024222486 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:4640,ProcessStart:132480623778992851 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:1908,ProcessStart:132480624640838191 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2008,ProcessStart:132480624658086400 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:6340,ProcessStart:132481384033969039 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:6892,ProcessStart:132481390449907959 (code 0x0000012B (299))
->Scan ERROR: resource process://pid:4736,ProcessStart:132480623024222486 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:4640,ProcessStart:132480623778992851 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:1908,ProcessStart:132480624640838191 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:6340,ProcessStart:132481384033969039 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2008,ProcessStart:132480624658086400 (code 0x00000005 (5))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\swapfile.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\swapfile.sys (code 0x00000021 (33))
->Scan ERROR: resource process://pid:4736,ProcessStart:132480623024222486 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:4736,ProcessStart:132480623024222486 (code 0x00000005 (5))

Quick Scan Results for 84DE5EFA-1A80-4EBC-AD3F-0251D1CB1990:
----------------
Threat detected: VirTool:Win32/DefenderTamperingRestore
    regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware
        SigSeq: 0x0000055555C57273

Quick Scan Removal Results
----------------
Start 'remove' for regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware
Operation succeeded !


Results Summary:
----------------
Found VirTool:Win32/DefenderTamperingRestore and Removed!
 

 

I don't have symptoms/warnings any more :-)

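The fixlist Kevin ran, the Fixlog above and the Safety Scanner result between them touch six classes of artefact: a Defender tamper value (DisableAntiSpyware), a scheduled task running a bare, randomly named executable (lr9kTbCXdRhS), a static NameServer of 8.8.8.8 on eight interfaces, firewall allow rules for programs under AppData\Local\Temp or marked "No File", alternate data streams on C:\ProgramData\Reprise, and a local Group Policy "Restriction". The script below is an added example; it is not from either participant, nor part of FRST, Malwarebytes or Microsoft Safety Scanner. It re-checks a Windows 10 host for those same classes of item, read-only, so it can confirm after the reboot that the fix stuck, or triage a similar machine before a fixlist is written. It assumes Windows PowerShell 5.1 with the built-in ScheduledTasks and NetSecurity modules and an elevated prompt; the function name Invoke-PersistenceTriage and the Temp-path heuristic are my choices, not anything the thread specifies.

```powershell
# Added triage script for this thread; not part of FRST, Malwarebytes or Microsoft
# Safety Scanner and not posted by either participant. Assumes Windows 10, Windows
# PowerShell 5.1 (ScheduledTasks and NetSecurity modules ship with the OS) and an
# elevated prompt. It only reports; it changes nothing.
#Requires -RunAsAdministrator

function Invoke-PersistenceTriage {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Defender tamper flag. MSERT reported VirTool:Win32/DefenderTamperingRestore on
    #    HKLM\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware; the Policies key is
    #    the other location where the same value is honoured.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows Defender',
                     'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender') {
        $v = Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue
        if ($v -and $v.DisableAntiSpyware -eq 1) {
            $findings.Add("Defender disabled: $key\DisableAntiSpyware = 1")
        }
    }

    # 2. Scheduled tasks whose action cannot be resolved. The fix removed task lr9kTbCXdRhS,
    #    which ran a bare 'lr9ktbcxdrhs.exe' with no directory at all.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }      # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $resolves = if (Split-Path -Path $exe -Parent) {
                Test-Path -LiteralPath $exe
            } else {
                [bool](Get-Command -Name $exe -ErrorAction SilentlyContinue)   # bare name: must be on PATH
            }
            if (-not $resolves) {
                $findings.Add("Task $($task.TaskPath)$($task.TaskName) runs unresolved '$($action.Execute)'")
            }
        }
    }

    # 3. Static per-interface resolvers. The fix cleared NameServer=8.8.8.8 (Google Public DNS)
    #    on eight interfaces; a resolver the owner did not configure is a DNS-hijack indicator.
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $ifRoot) {
        $ns = (Get-ItemProperty -Path $iface.PSPath -Name NameServer -ErrorAction SilentlyContinue).NameServer
        if ($ns) { $findings.Add("Interface $($iface.PSChildName) static NameServer = $ns") }
    }

    # 4. Allow rules whose program is gone or lives under a Temp directory. The fix removed rules
    #    for HPDiagnosticCoreUI.exe under AppData\Local\Temp\7zS...\ and others marked "No File".
    foreach ($rule in Get-NetFirewallRule -Enabled True -Action Allow) {
        $prog = ($rule | Get-NetFirewallApplicationFilter).Program
        if (-not $prog -or $prog -eq 'Any') { continue }
        # %APPDATA% and friends expand to the elevated user's profile here, so a rule written for
        # another account's profile can show as "missing"; confirm those by hand.
        $path = [Environment]::ExpandEnvironmentVariables($prog)
        if ($path -match '\\Temp\\' -or -not (Test-Path -LiteralPath $path)) {
            $findings.Add("Firewall rule '$($rule.DisplayName)' allows '$prog' (Temp path or file missing)")
        }
    }

    # 5. Alternate data streams on top-level ProgramData entries. The fix removed two streams on
    #    C:\ProgramData\Reprise; Zone.Identifier (mark-of-the-web) is the normal one to ignore.
    #    Files are always covered; directories only where this PowerShell build supports -Stream on them.
    foreach ($item in Get-ChildItem -Path $env:ProgramData -Force -ErrorAction SilentlyContinue) {
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
            ForEach-Object { $findings.Add("ADS $($_.FileName):$($_.Stream) ($($_.Length) bytes)") }
    }

    # 6. Local Group Policy registry files. FRST flagged "GroupPolicy: Restriction" and moved
    #    C:\WINDOWS\system32\GroupPolicy\Machine aside. On a stand-alone home PC a Registry.pol
    #    here deserves reading, since unwanted software uses it to pin browser or Defender settings.
    foreach ($scope in 'Machine', 'User') {
        $pol = Join-Path -Path $env:SystemRoot -ChildPath "System32\GroupPolicy\$scope\Registry.pol"
        if (Test-Path -LiteralPath $pol) {
            $findings.Add("Local policy file present: $pol ($((Get-Item -LiteralPath $pol).Length) bytes)")
        }
    }

    return ,$findings
}

$result = Invoke-PersistenceTriage
if ($result.Count -eq 0) { 'No findings.' } else { $result | ForEach-Object { "[!] $_" } }
```

Run it from an elevated PowerShell window after the reboot and compare the output with the Fixlog: everything the fix reported as "removed successfully" or "moved successfully" should be absent, and a NameServer or DisableAntiSpyware value that reappears within a day is a sign the process that set it is still running and has not been found yet. Step 4 is a heuristic, not a verdict: a rule for a legitimately uninstalled program also shows up as "file missing", and a stale rule is harmless to remove in any case.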

Hiya Joffa,

Thanks for those logs. Good to hear the symptoms have now ceased; continue to clean up:

Right-click on FRST here: C:\Users\joffa\Desktop\FRST64.exe and rename it to uninstall.exe. When complete, right-click on uninstall.exe and select "Run as Administrator".

If you do not see the .exe appended, that is because file extensions are hidden; in that case just rename FRST64 to uninstall.

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

Download and use a Password Management application. https://www.windowscentral.com/best-password-manager-windows

Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/

Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

 

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 


Hiya Jeff,

Run FRST one more time. Ensure all boxes are checkmarked under "Whitelist", but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs, "FRST.txt" and "Addition.txt".


Thank you,

Kevin..


Hiya Jeff,

Microsoft Edge is listed as your default browser. Do the website blocks only affect Edge, or other browsers also?

Thank you,

Kevin...


Hi again Kevin.

I've used Chrome for a day now and, as with Edge, there's no phishing alert any more.

I'll try rebooting and see if I get the message tomorrow (& I'll try using Firefox only).

I really appreciate your help - can you leave this issue open for 24 hours more?

Thanks

Jeff

  • 2 weeks later...

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

This topic is now closed to further replies.