[SOLVED] Win 10 Pro -ran WinDefender Threat Found & removed- PUA:Win32/AskToolbar,still comes back, request help permanently remove Also

officomputer
Good evening

Ran Windows Defender; threat found and removed: PUA:Win32/AskToolbar, but it still comes back. Requesting help to permanently remove it. Also unable to fully install Malwarebytes, which was the first plan of defense; it only gets to 19% and then does not complete. Followed the site instructions to add it to Windows Defender and also did the port add. As well, the browsers have all become slow like molasses for the most part, and it seemed to happen at the same time, right after Microsoft Windows did an install update without authorization; also Microsoft Edge seems to be the only one mostly fully usable at this point, a browser I do not even want but am forced to have. Any help appreciated. Ran the FRST64 per site instructions and attached.
Noticed something about remote allowed (do not want any remote allowed; any suggestions, as I thought I had all disabled for remote other than RPC?). Also this computer was Windows 7 or 8 but was 'upgraded' to 10.

Win 10 Pro x64, Intel(R) Core(TM) i5-3350P CPU @ 3.10 GHz, installed RAM 8.0 GB, 64-bit.

Thank you much
 

Hello and welcome to Sysnative Forums.


I will be assisting you regarding your computer's issues. Here, we will check your computer for malware.

Please, adhere to the guidelines below. As soon as I have your consent, I'll start the cleaning procedure.

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but can also make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, there is no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.
 
Hello Dk M- grecian geek,
Was not sure if the post was showing up... I agree to start the cleaning procedure, and thank you for the help.
 
Hello.

You had installed RemotePC and now you have installed TeamViewer which is a remote access program. If you don't want it, please uninstall now.


What about these entries in the Hosts file?

0.0.0.0 in.appcenter.ms
0.0.0.0 applicationinsights.azure.com
0.0.0.0 aimon.applicationinsights.azure.com
0.0.0.0 in.aimon.applicationinsights.azure.com
0.0.0.0 westcentralus-global.in.aimon.applicationinsights.azure.com
0.0.0.0 api.applicationinsights.azure.com
0.0.0.0 dc.applicationinsights.azure.com
0.0.0.0 in.applicationinsights.azure.com
0.0.0.0 australiaeast-0.in.applicationinsights.azure.com
0.0.0.0 australiaeast-1.in.applicationinsights.azure.com
0.0.0.0 australiaeast-global.in.applicationinsights.azure.com
0.0.0.0 australiasoutheast-0.in.applicationinsights.azure.com
0.0.0.0 brazilsouth-0.in.applicationinsights.azure.com
0.0.0.0 brazilsouth-1.in.applicationinsights.azure.com
0.0.0.0 canadacentral-0.in.applicationinsights.azure.com
0.0.0.0 canadacentral-1.in.applicationinsights.azure.com
0.0.0.0 canadaeast-0.in.applicationinsights.azure.com
0.0.0.0 centralindia-0.in.applicationinsights.azure.com
0.0.0.0 centralus.in.applicationinsights.azure.com
0.0.0.0 centralus-0.in.applicationinsights.azure.com
0.0.0.0 centralus-2.in.applicationinsights.azure.com
0.0.0.0 centralus-3.in.applicationinsights.azure.com
0.0.0.0 eastasia-0.in.applicationinsights.azure.com
0.0.0.0 eastus-0.in.applicationinsights.azure.com
0.0.0.0 eastus-1.in.applicationinsights.azure.com
0.0.0.0 eastus-2.in.applicationinsights.azure.com
0.0.0.0 eastus-3.in.applicationinsights.azure.com
0.0.0.0 eastus-4.in.applicationinsights.azure.com
0.0.0.0 eastus-5.in.applicationinsights.azure.com
0.0.0.0 eastus-6.in.applicationinsights.azure.com

There are 311 more lines.
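The hosts entries quoted above all map hostnames to 0.0.0.0, which is a null route: the named host simply becomes unreachable, the pattern produced by telemetry-blocking lists. The entries worth worrying about in a hosts file are the opposite kind, a real hostname pointed at some other remote address. The following Python is an added example, not part of the thread or of any tool mentioned in it; it parses a hosts file, counts null-routed names per parent domain so a 300-line list can be judged at a glance, and separately lists any redirect-style entries for review. The sample input is constructed from a few of the lines quoted above plus one made-up redirect entry (www.example.test, 203.0.113.7) so that both cases appear.

```python
import ipaddress
from collections import Counter

# Constructed sample hosts file: a few of the entries quoted in the thread,
# a default Windows comment line, and one made-up redirect entry
# (www.example.test -> 203.0.113.7) to show how a hijack-style entry differs.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#    127.0.0.1       localhost
0.0.0.0 in.appcenter.ms
0.0.0.0 applicationinsights.azure.com
0.0.0.0 aimon.applicationinsights.azure.com
0.0.0.0 eastus-0.in.applicationinsights.azure.com
0.0.0.0 eastus-1.in.applicationinsights.azure.com
203.0.113.7 www.example.test   # constructed: redirects a host to a remote IP
"""

# Addresses that make a name unreachable rather than redirecting it.
NULL_ROUTES = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blanks and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)  # validates both IPv4 and IPv6 literals
        except ValueError:
            continue  # not a hosts entry, skip it
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def registrable_parent(hostname):
    """Crude grouping key: the last two DNS labels (good enough for triage)."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def summarize(entries):
    """Split entries into null-routed names (counted per parent domain)
    and redirects (listed individually, these need a human look)."""
    blocked = Counter()
    redirects = []
    for ip, name in entries:
        if ip in NULL_ROUTES:
            blocked[registrable_parent(name)] += 1
        else:
            redirects.append((name, ip))
    return blocked, redirects


if __name__ == "__main__":
    blocked, redirects = summarize(parse_hosts(SAMPLE_HOSTS))
    for parent, count in blocked.most_common():
        print(f"{count:4d} host(s) null-routed under {parent}")
    for name, ip in redirects:
        print(f"REVIEW: {name} is redirected to {ip}")
```

On a real machine, read C:\Windows\System32\drivers\etc\hosts into the text instead of the constructed sample; the grouping is deliberately rough (two labels), so names under a country-code second-level domain will group one level too high, which is acceptable for a first pass.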
 
If it was installed in the last 3 years - I did not install it; it seems it showed up.
TeamViewer is disabled and was installed years ago.
 
Hi.

As I said in my previous post, "You had installed RemotePC". You don't have it installed now.

If you don't need TeamViewer, uninstall it also. Otherwise, keep it and let me know about it.

What about the entries in the Hosts file? Are you aware of them? Not something malicious, but it's good to know what you are doing.
 
OK, uninstalled TeamViewer.

No to the hosts entries; none of them on that page that are visible look familiar.
Meantime, now it seems like the browser is hacked on Chrome for Yahoo; not able to search emails, which I search daily. Thank you.
 
See some things from Malwarebytes; however, I uninstalled it and attempted to remove all accessories to it.

Also, noticed under Accounts:
it has several listings.
We have Marty and Other and Guest; Other is Administrator, or supposed to be.
Not sure on the other listings; perhaps they are from the previous install with Windows 7 or 8.
==========================================================


==================== Accounts: =============================


(If an entry is included in the fixlist, it will be removed.)

Administrator (S-1-5-21-117359660-1638003740-2463772522-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-117359660-1638003740-2463772522-503 - Limited - Disabled)
Guest (S-1-5-21-117359660-1638003740-2463772522-501 - Limited - Disabled)
Marty (S-1-5-21-117359660-1638003740-2463772522-1000 - Administrator - Enabled) => C:\Users\Marty
other (S-1-5-21-117359660-1638003740-2463772522-1003 - Administrator - Enabled) => C:\Users\other
QBDataServiceUser29 (S-1-5-21-117359660-1638003740-2463772522-1004 - Limited - Enabled) => C:\Users\QBDataServiceUser29
WDAGUtilityAccount (S-1-5-21-117359660-1638003740-2463772522-504 - Limited - Disabled)
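The Accounts section of an FRST log is small enough to read by eye, but the things a reviewer actually checks are mechanical: which accounts are enabled, which of those carry Administrator rights, whether any of the built-in accounts (RID 500 Administrator, 501 Guest, 503 DefaultAccount, 504 WDAGUtilityAccount) has been switched on, and whether a user-created account (RID 1000 and up) exists without a profile folder. The following Python is an added example, not part of the thread or of FRST; it parses the section exactly as posted above and returns those findings. On this input it flags only the two enabled administrator accounts, Marty and other, which matches the helper's reading that nothing here is unusual.

```python
import re

# The Accounts section as posted in the thread, reused verbatim as sample input.
# Raw string so the backslashes in the profile paths are kept literally.
ACCOUNTS_SECTION = r"""
Administrator (S-1-5-21-117359660-1638003740-2463772522-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-117359660-1638003740-2463772522-503 - Limited - Disabled)
Guest (S-1-5-21-117359660-1638003740-2463772522-501 - Limited - Disabled)
Marty (S-1-5-21-117359660-1638003740-2463772522-1000 - Administrator - Enabled) => C:\Users\Marty
other (S-1-5-21-117359660-1638003740-2463772522-1003 - Administrator - Enabled) => C:\Users\other
QBDataServiceUser29 (S-1-5-21-117359660-1638003740-2463772522-1004 - Limited - Enabled) => C:\Users\QBDataServiceUser29
WDAGUtilityAccount (S-1-5-21-117359660-1638003740-2463772522-504 - Limited - Disabled)
"""

# One FRST account line: name (SID - group - state) optionally "=> profile path".
LINE_RE = re.compile(
    r"^(?P<name>.+?) \((?P<sid>S-1-5-21-[\d-]+-(?P<rid>\d+)) - "
    r"(?P<group>\w+) - (?P<state>Enabled|Disabled)\)(?: => (?P<profile>.+))?$"
)

# Well-known relative identifiers of the built-in local accounts.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    503: "DefaultAccount",
    504: "WDAGUtilityAccount",
}


def parse_accounts(text):
    """Return one dict per parsed account line; unparseable lines are skipped."""
    accounts = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        account = match.groupdict()
        account["rid"] = int(account["rid"])
        accounts.append(account)
    return accounts


def triage(accounts):
    """Return (account name, reason) pairs a reviewer would look at first."""
    findings = []
    for acct in accounts:
        enabled = acct["state"] == "Enabled"
        if enabled and acct["group"] == "Administrator":
            findings.append((acct["name"], "enabled account with Administrator rights"))
        if enabled and acct["rid"] in WELL_KNOWN_RIDS:
            findings.append((acct["name"],
                             f"built-in {WELL_KNOWN_RIDS[acct['rid']]} account is enabled"))
        if acct["rid"] >= 1000 and acct["profile"] is None:
            findings.append((acct["name"], "created account with no profile folder"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_accounts(ACCOUNTS_SECTION)):
        print(f"{name}: {reason}")
```

Two enabled administrator accounts on a home PC is common and is what the thread shows; the check exists so that an enabled Guest or built-in Administrator, or an unexplained RID-1000-plus account, does not get overlooked in a longer log.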
 
There is nothing weird in the account list.

Let's do some initial cleaning.


FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-117359660-1638003740-2463772522-1000_Classes\CLSID\{BCA9D37C-CA60-4160-9115-97A00F24702D}\localserver32 -> "C:\Users\other\AppData\Local\Vivaldi\Application\5.3.2679.70\notification_helper.exe" => No File
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Users\other\Downloads\7-Zip\7-zip.dll -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Users\other\Downloads\7-Zip\7-zip.dll -> No File
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} =>  -> No File
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\WINDOWS\system32\nvshext.dll [2017-10-27] (NVIDIA Corporation -> NVIDIA Corporation)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Users\other\Downloads\7-Zip\7-zip.dll -> No File
Toolbar: HKU\S-1-5-21-117359660-1638003740-2463772522-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
HKLM\...\StartupApproved\Run: => "Bdagent"
HKLM\...\StartupApproved\Run: => "BdVpnApp"
HKLM\...\StartupApproved\Run: => "CL-26-1FB7E468-5DAC-47CF-A7B0-74B2C9310A0F"
FirewallRules: [{960B49E4-C65E-445B-88D7-FC5B353B31BE}] => (Allow) C:\Program Files (x86)\RemotePC\RPCSuite.exe => No File
FirewallRules: [{0DE289DD-CC0F-442E-B9DA-41AEC7ABF5BB}] => (Allow) C:\Program Files (x86)\RemotePC\RPCSuite.exe => No File
FirewallRules: [{E237D4AA-73EE-4D44-9CBF-665910B73726}] => (Allow) C:\Program Files (x86)\RemotePC\RPCCoreViewer.exe => No File
FirewallRules: [{12F291F8-F8AD-482A-A9C5-5BD2EC3CFBAC}] => (Allow) C:\Program Files (x86)\RemotePC\RPCCoreViewer.exe => No File
FirewallRules: [{58F8442D-D39F-46DE-A6F6-E6CEE5AF5750}] => (Allow) C:\Program Files (x86)\RemotePC\RemotePCDesktop.exe => No File
FirewallRules: [{5277386C-20E5-4CE2-B6EB-D6BE16EA5266}] => (Allow) C:\Program Files (x86)\RemotePC\RemotePCDesktop.exe => No File
FirewallRules: [{435E68CB-E52E-49D4-93B3-8BA36A0EDFD1}] => (Allow) C:\Program Files (x86)\RemotePC\RemotePCService.exe => No File
FirewallRules: [{287BB51D-7125-4FAF-9FB5-1117C71838C1}] => (Allow) C:\Program Files (x86)\RemotePC\RemotePCService.exe => No File
FirewallRules: [{92F43F5E-C9BB-4551-9BC8-9B15A89CD654}] => (Allow) C:\Program Files (x86)\RemotePC\RemoteSoundServ.exe => No File
FirewallRules: [{80DBC40A-D6C6-4184-A9C2-44CB79B34325}] => (Allow) C:\Program Files (x86)\RemotePC\RemoteSoundServ.exe => No File
FirewallRules: [{DEA3710F-2BE5-41B5-B3AB-BFBD4A744D1B}] => (Allow) C:\Program Files (x86)\RemotePC\RemoteSoundPlayer.exe => No File
FirewallRules: [{D0BE2EB6-6EDB-41C3-9E70-CD1FFDA02D03}] => (Allow) C:\Program Files (x86)\RemotePC\RemoteSoundPlayer.exe => No File
FirewallRules: [{824107A2-D656-4208-A88D-04EAF914DA89}] => (Allow) C:\Program Files (x86)\RemotePC\RPCSuite.exe => No File
FirewallRules: [{9ED63A79-4BA8-49C4-9743-C0EAB6FD3C05}] => (Allow) C:\Program Files (x86)\RemotePC\RPCSuite.exe => No File
FirewallRules: [{05E8E50B-7E10-4156-BE53-3B4F16FD4A28}] => (Allow) C:\Program Files (x86)\RemotePC\RPCCoreViewer.exe => No File
FirewallRules: [{CE6604E9-EF1B-43B8-83F6-A89024032F49}] => (Allow) C:\Program Files (x86)\RemotePC\RPCCoreViewer.exe => No File
FirewallRules: [{2A20EC9C-4151-45ED-A60B-133D8FA37DA5}] => (Allow) C:\Program Files (x86)\RemotePC\RemotePCDesktop.exe => No File
FirewallRules: [{A803CB5C-9117-40FC-AB40-C1A9B7931BDF}] => (Allow) C:\Program Files (x86)\RemotePC\RemotePCDesktop.exe => No File
FirewallRules: [{A2EC4B8A-845A-44D9-9E8C-7DAB54D612B3}] => (Allow) C:\Program Files (x86)\RemotePC\RemotePCService.exe => No File
FirewallRules: [{5717D43E-7B92-46EE-B2CD-5B1D2799A899}] => (Allow) C:\Program Files (x86)\RemotePC\RemotePCService.exe => No File
FirewallRules: [{ACDB1242-BF31-46C9-9608-D8013D4A8372}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin64\snac64.exe => No File
FirewallRules: [{488378E3-9769-4B10-9AD2-0CDF9F2E3204}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin64\snac64.exe => No File
FirewallRules: [{8791EF07-BA34-4D6B-B1C2-7734404ACB0D}] => (Block) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin\Smc.exe => No File
FirewallRules: [{36252115-ED09-4801-B4AE-1AC28173D414}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin\Smc.exe => No File
FirewallRules: [{35477C16-02CC-487B-8AB7-738EE8459405}] => (Allow) C:\Users\Marty\AppData\Local\Temp\7zS05D4\HPDiagnosticCoreUI.exe => No File
FirewallRules: [{133247E6-1115-4F63-B01A-40E6B4524DFC}] => (Allow) C:\Users\Marty\AppData\Local\Temp\7zS05D4\HPDiagnosticCoreUI.exe => No File
FirewallRules: [{C56C8A31-79EA-47D5-AA32-3179EA2A404D}] => (Allow) C:\Users\Marty\AppData\Local\Temp\7zS586C\HPDiagnosticCoreUI.exe => No File
FirewallRules: [{4AB944D1-4790-459C-857F-E068AB0A4A9C}] => (Allow) C:\Users\Marty\AppData\Local\Temp\7zS586C\HPDiagnosticCoreUI.exe => No File
FirewallRules: [{40FE8EB9-A9D8-49AE-984B-BFE64C7C6714}] => (Allow) C:\Users\other\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{2AFC0F6C-22CB-4BFD-8F55-D65917F27FD7}] => (Allow) C:\Users\other\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{F7481BBA-9566-44C3-9875-9E81C930F7E0}] => (Allow) C:\Users\Marty\AppData\Local\Temp\7zS0CCC\HPDiagnosticCoreUI.exe => No File
FirewallRules: [{D467499C-B0EB-4927-8903-F162AB1C8434}] => (Allow) C:\Users\Marty\AppData\Local\Temp\7zS0CCC\HPDiagnosticCoreUI.exe => No File
FirewallRules: [{3052AC16-D906-47B1-9403-BBBAD387C513}] => (Allow) C:\Users\Marty\Desktop\ultdata-android.exe => No File
FirewallRules: [{CCCD649C-4B5F-4862-894A-7563B4D1E2DA}] => (Allow) C:\Users\Marty\Desktop\ultdata-android.exe => No File
FirewallRules: [{64C9CDBC-083C-4D3B-8B65-2127F2F1E066}] => (Allow) C:\Users\other\Desktop\ultdata-android.exe => No File
FirewallRules: [{D7583368-528C-4178-B745-6F34B2A94460}] => (Allow) C:\Users\other\Desktop\ultdata-android.exe => No File
FirewallRules: [{45A545AD-1234-4E4C-83FB-19513753A733}] => (Allow) K:\2022 data recovery\ultdata-android.exe => No File
FirewallRules: [{FC3050E5-3BEB-4B01-A9B1-244EB2ED02BE}] => (Allow) K:\2022 data recovery\ultdata-android.exe => No File
FirewallRules: [{0FDB6FBD-44C3-44D1-80A0-8D113F903DCA}] => (Allow) C:\Program Files\Bitdefender\Bitdefender Security\bdntwrk.exe => No File
FirewallRules: [{D7CB0C8D-30B2-437A-912B-2A8085016814}] => (Allow) C:9\2 20 2023 alcatel 2 blk screen\ultdata-android wout root .exe => No File
FirewallRules: [{3E36CA42-E143-4546-9D2F-8B74C4173654}] => (Allow) C:9\2 20 2023 alcatel 2 blk screen\ultdata-android wout root .exe => No File
HKLM\...\Run: [CL-26-1FB7E468-5DAC-47CF-A7B0-74B2C9310A0F] => "C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-1FB7E468-5DAC-47CF-A7B0-74B2C9310A0F\setuplauncher.exe" /run:Installer.exe /args:"/setup-folder:"CL-26-1FB7E468-5DAC-47CF-A7B0-74B2C93 (the data entry has 7 more characters). (No File)
HKU\S-1-5-21-117359660-1638003740-2463772522-1003\...\Run: [VeePN] => C:\Program Files (x86)\VeePN\VeePN.exe (No File)
HKLM\Software\...\Authentication\Credential Providers: [{503739d0-4c5e-4cfd-b3ba-d881334f0df2}] -> 
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
Task: {D7BF671E-7A6C-47F3-89C2-00328F7B111E} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {D4C102CA-3FE1-4C95-A00A-243C1860C554} - System32\Tasks\Bitdefender Agent WatchDog_65D6944A0EF74FDAB96E31112AD39864 => C:\Program Files\Bitdefender Agent\26.0.1.246\WatchDog.exe  -> C:\Program Files\Bitdefender Agent\26.0.1.246\repair
Task: {ACFD96B5-02AA-4EC5-9470-9A314457C588} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_CN6893J6YW => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe  /ForDevice:CN6893J6YW (No File)
Task: {15874708-C526-4129-B52A-582905B3D953} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe  /DeviceScanR6 (No File)
Task: {E180AF37-F5DD-4609-85E9-261D2D1253EB} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => %SystemRoot%\ehome\ehPrivJob.exe  /DoActivateWindowsSearch (No File)
Task: {1CC6B491-ED0B-4F4E-BD3B-45BB909E68BD} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => %SystemRoot%\ehome\ehPrivJob.exe  /DoConfigureInternetTimeService (No File)
Task: {847282A1-1D63-4D9E-AAB2-2632E812AF10} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => %SystemRoot%\ehome\ehPrivJob.exe  /DoRecoveryTasks $(Arg0) (No File)
Task: {534B30FF-BF27-45FA-A28C-175D636A3816} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => %SystemRoot%\ehome\ehPrivJob.exe  /DRMInit (No File)
Task: {C1B9CCD1-4C52-4388-9915-A757D6B30615} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => %SystemRoot%\ehome\ehPrivJob.exe  /InstallPlayReady $(Arg0) (No File)
Task: {A343BDFC-1D16-457D-9151-CE7E107B25AF} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => %SystemRoot%\ehome\mcupdate  $(Arg0) (No File)
Task: {00FB9023-B7FD-4A9F-AA40-F8EF84DDB413} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => %SystemRoot%\ehome\mcupdate  -crl -hms -pscn 15 (No File)
Task: {7AC076A5-EA66-4F5A-BB4A-26072CE25ECC} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => %SystemRoot%\ehome\mcupdate.exe  -MediaCenterRecoveryTask (No File)
Task: {1B3E4823-9FB3-48A8-B9D9-72AB47972665} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => %SystemRoot%\ehome\mcupdate.exe  -ObjectStoreRecoveryTask (No File)
Task: {A2421A64-A5D1-424F-9C4F-E9FCD1C66E9A} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => %SystemRoot%\ehome\ehPrivJob.exe  /OCURActivate (No File)
Task: {9A2ED790-B2AA-4E2E-B2A2-1AC440B6DB91} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => %SystemRoot%\ehome\ehPrivJob.exe  /OCURDiscovery $(Arg0) (No File)
Task: {958A017D-54DB-4F69-855D-85CE385D187A} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => %SystemRoot%\ehome\ehPrivJob.exe  /PBDADiscovery (No File)
Task: {8A21329D-26A0-46C0-ABBE-CD8B1A913BAC} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => %SystemRoot%\ehome\ehPrivJob.exe  /wait:7 /PBDADiscovery (No File)
Task: {F4CA9EA6-8637-4BD8-B8D1-1F14F411AF54} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => %SystemRoot%\ehome\ehPrivJob.exe  /wait:90 /PBDADiscovery (No File)
Task: {88B517C9-F96A-4CC6-AD9D-2EBA2071C294} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => %windir%\ehome\MCUpdate.exe  -pscn 0 (No File)
Task: {325362D0-EBC3-4013-93CA-96156B560742} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => %SystemRoot%\ehome\mcupdate.exe  -PvrRecoveryTask (No File)
Task: {0241A5A0-7BBC-45EC-BBB7-57FA67DED42C} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => %SystemRoot%\ehome\mcupdate.exe  -PvrSchedule (No File)
Task: {097A303D-C21B-4A09-A46F-2D92EDAB30C9} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => %SystemRoot%\ehome\ehrec  /RestartRecording (No File)
Task: {2BD3B0BA-A1DE-48D8-8A13-D962C6CD2570} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => %SystemRoot%\ehome\ehPrivJob.exe  /DoRegisterSearch $(Arg0) (No File)
Task: {B5FD71B0-852B-4FD6-8A90-D7DE152EEA60} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => %SystemRoot%\ehome\ehPrivJob.exe  /DoReindexSearchRoot (No File)
Task: {71B2D043-86CB-4B79-A73E-3B832181E953} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => %SystemRoot%\ehome\mcupdate.exe  -SqlLiteRecoveryTask (No File)
Task: {50281B53-16CE-4C61-8E2B-7E4BB329EAFB} - System32\Tasks\Microsoft\Windows\Media Center\StartRecording => %SystemRoot%\ehome\ehrec  /StartRecording (No File)
Task: {3AE458C1-BD92-4E9E-961B-95A6128B3F12} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => %SystemRoot%\ehome\ehPrivJob.exe  /DoUpdateRecordPath $(Arg0) (No File)
Task: {6EE8431F-8890-4224-960E-E1F5CE874633} - System32\Tasks\Microsoft\Windows\Setup\EOSNotify => %windir%\system32\EOSNotify.exe  (No File)
Task: {25A92C92-ABDB-486F-81A1-2CB700747423} - System32\Tasks\Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler => "%ProgramFiles%\RUXIM\PLUGscheduler.exe"  (No File)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
S2 AvgWscReporter; "C:\Program Files\AVG\Antivirus\wsc_proxy.exe" /runassvc /rpcserver [X]
S4 BDAuxSrv; "C:\Program Files\Bitdefender\Bitdefender Security\bdservicehost.exe" "settings/services/configs/bdauxsrv_config.json" [X]
S2 BDProtSrv; "C:\Program Files\Bitdefender\Bitdefender Security\bdservicehost.exe" "settings\services\configs\bdprotsrv_config.json" [X]
S2 HPSupportSolutionsFrameworkService; "C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe" [X]
S4 VSSERV; "C:\Program Files\Bitdefender\Bitdefender Security\bdservicehost.exe" "settings/services/configs/bdshieldsrv_config.json" [X]
S3 hsstap; \SystemRoot\System32\drivers\hsstap.sys [X]
U3 idsvc; no ImagePath
RemoveProxy:
Hosts:
Unlock: C:\WINDOWS\UpdateAssistant
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.


P.S. My time zone is UTC+2, so it's rather late for me now. I'll be back to you tomorrow, my time.
 
OK, just saw it and waiting for the fix to finish. Thank you again and hope you have an enjoyable evening.
 
Hello.

Have you got the fixlog.txt?
 
Good day. Not yet...
The fix has still been running since yesterday afternoon. It is 8:52 AM Eastern time here. Still at deleting temporary files in C:\Users\other\AppData\Local\Temp - it has remained at that point since about an hour after I started running it. During that time all history for the Google Chrome browser was deleted, as well as for the Firefox browser.
 
Also, posted earlier about Malwarebytes - forgetting I had also reinstalled it on the Other user; that is still there. Will uninstall when I get the go-ahead, as it would not complete the full install when run - yet the icon shows up on the Other desktop.
 
11:05 AM Eastern: will not be able to check here for about 3 to 4 hours - it is still at the same place on the fix.
Thank you
 
Hello.

No, it's not normal for the fix to take more than 30 minutes. Try to close FRST. Can you do that?
 
Since I'm shutting down for today:

When you are able to stop the tool, check if a fixlog.txt file has been created on your Desktop.

If yes, then attach it in your next reply.

If not, restart and run the tool again. It should not take more than 30 minutes maximum. Attach the fixlog.txt in your next reply.
 
There are two new text files on the desktop that show from 8/14 yesterday? Attached.
Also, had to use Task Manager to end the currently running one, and no new text files showed up, so not sure what happened.
Thank you
 

1. Run Malwarebytes (scan only)
  • Open Malwarebytes you have already installed.
  • Click the little gear on the top right (Settings) and when it opens, click the General tab. Under the title Windows Security Center, make sure the option is disabled.
  • Click the Scan and Detections tab and under the Scan options title, enable Scan for rootkits option. Do not change any other option.
  • Return to the Dashboard and choose Scan.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the two last steps below.

  • If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

2. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click the Scan Now button.
  • Once the scan completes, AdwCleaner shows you all detected PUPs and adware. DO NOT check anything found, and click Next.
  • If any preinstalled software was detected on your device, a message notifies you that your action is requested. DO NOT check anything, and click Cancel to continue.
  • Click the Log Files tab.
  • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
  • A Notepad file will open containing the results of the removal.
  • Please post the contents of the file in your next reply.
Note: Click Skip Basic Repair if you are asked to.




In your next reply, please post:
  1. The Malwarebytes report
  2. The AdwCleaner[S0*].txt
 
Good day,
The Malwarebytes scan has been running since around 4 PM yesterday; it still says scanning?
 