Solved Where do I post my FRST.txt and addition.txt files?

PaulTomasi

TS Member
Fix result of Farbar Recovery Scan Tool (x64) Version: 06-06-2019
Ran by pault (07-06-2019 19:24:05) Run:2
Running from C:\Users\pault\Desktop
Loaded Profiles: pault (Available Profiles: pault & PAUL)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
URLSearchHook: [S-1-5-21-1882311373-1252287477-1295940213-1001] ATTENTION => Default URLSearchHook is missing
S4 BraveElevationService; "C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\71.0.58.21\elevation_service.exe" [X]
U4 npcap_wifi; no ImagePath
2018-08-23 02:41 - 2018-08-23 02:41 - 000195887 _____ () C:\Users\pault\DispDiag-20180823-024105-4760-16808.dat
2017-11-30 21:58 - 2017-11-30 21:58 - 000000351 _____ () C:\Program Files (x86)\BootAnalyzerInstaller.log
2018-08-17 18:50 - 2018-11-23 20:48 - 000000096 _____ () C:\Users\pault\AppData\Roaming\Camdata.ini
2018-08-17 18:50 - 2018-11-23 20:48 - 000000408 _____ () C:\Users\pault\AppData\Roaming\CamLayout.ini
2018-08-17 18:50 - 2018-11-23 20:48 - 000000408 _____ () C:\Users\pault\AppData\Roaming\CamShapes.ini
2018-08-05 19:50 - 2018-11-23 20:48 - 000004536 _____ () C:\Users\pault\AppData\Roaming\CamStudio.cfg
2018-08-05 10:00 - 2018-11-23 20:47 - 000000096 _____ () C:\Users\pault\AppData\Roaming\version2.xml
2018-03-21 04:06 - 2018-05-13 00:00 - 000003584 _____ () C:\Users\pault\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2019-05-31 14:53 - 2019-05-31 14:53 - 000000937 _____ () C:\Users\pault\AppData\Local\recently-used.xbel
2017-11-16 11:13 - 2017-11-16 11:13 - 000000017 _____ () C:\Users\pault\AppData\Local\resmon.resmoncfg
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [476]
FirewallRules: [MCX-In-TCP] => (Block) %SystemRoot%\ehome\ehshell.exe No File
FirewallRules: [MCX-In-UDP] => (Block) %SystemRoot%\ehome\ehshell.exe No File
FirewallRules: [TCP Query User{890A273F-B2EE-4E7E-9535-D4601EC8A573}C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe] => (Allow) C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe No File
FirewallRules: [UDP Query User{17F6B1E2-62FD-4DC3-8E1B-40026CDCC595}C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe] => (Allow) C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe No File
FirewallRules: [TCP Query User{C7D31D39-9CFB-4D09-B4F4-9D87D60E4A02}C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe No File
FirewallRules: [UDP Query User{EE810FFF-251F-4CAF-9B51-68C48C90CE71}C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe No File


*****************

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => could not remove, key could be protected
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
Could not restore Default URLSearchHook.
HKLM\System\CurrentControlSet\Services\BraveElevationService => removed successfully
BraveElevationService => service removed successfully
HKLM\System\CurrentControlSet\Services\npcap_wifi => removed successfully
npcap_wifi => service removed successfully
C:\Users\pault\DispDiag-20180823-024105-4760-16808.dat => moved successfully
C:\Program Files (x86)\BootAnalyzerInstaller.log => moved successfully
C:\Users\pault\AppData\Roaming\Camdata.ini => moved successfully
C:\Users\pault\AppData\Roaming\CamLayout.ini => moved successfully
C:\Users\pault\AppData\Roaming\CamShapes.ini => moved successfully
C:\Users\pault\AppData\Roaming\CamStudio.cfg => moved successfully
C:\Users\pault\AppData\Roaming\version2.xml => moved successfully
C:\Users\pault\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => moved successfully
C:\Users\pault\AppData\Local\recently-used.xbel => moved successfully
C:\Users\pault\AppData\Local\resmon.resmoncfg => moved successfully
C:\Users\Public\Shared Files => ":VersionCache" ADS removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\MCX-In-TCP" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\MCX-In-UDP" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{890A273F-B2EE-4E7E-9535-D4601EC8A573}C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{17F6B1E2-62FD-4DC3-8E1B-40026CDCC595}C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{C7D31D39-9CFB-4D09-B4F4-9D87D60E4A02}C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{EE810FFF-251F-4CAF-9B51-68C48C90CE71}C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe" => removed successfully

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 07-06-2019 19:30:19)


Result of scheduled keys to remove after reboot:

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => removed successfully

==== End of Fixlog 19:30:20 ====
 

Broni

Malware Annihilator
Last scans...

Download Security Check from here or here and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run


Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
  • Windows Defender
  • Other Services

Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.


Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


Download Sophos Free Virus Removal Tool and save it to your desktop.
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
 

PaulTomasi

TS Member
Results of screen317's Security Check version 1.014 --- 12/23/15
x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Windows Defender
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
`````````Anti-malware/Other Utilities Check:`````````
Java version 32-bit out of Date!
Google Chrome (74.0.3729.169)
Google Chrome (SetupMetrics...)
````````Process Check: objlist.exe by Laurent````````
Windows Defender MSMpEng.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamtray.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````
 

PaulTomasi

TS Member
Farbar Service Scanner Version: 27-01-2016
Ran by pault (administrator) on 08-06-2019 at 02:10:23
Running from "C:\Users\pault\Desktop"
Microsoft Windows 10 Pro (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Security Center:
============


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Demand. The default start type is Auto.
The ImagePath of wuauserv: "%systemroot%\system32\svchost.exe -k netsvcs -p".
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****
 

PaulTomasi

TS Member
Results from TFC.EXE

Getting user folders.

Stopping running processes.

Emptying Temp folders.


User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: PAUL
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Google Chrome cache emptied: 5050736 bytes

User: pault
->Temp folder emptied: 33652766 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 387636613 bytes
->Flash cache emptied: 1534 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 135474 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 641 bytes

Emptying RecycleBin. Do not interrupt.

RecycleBin emptied: 5351877918 bytes
Process complete!

Total Files Cleaned = 5,511.00 mb
 

PaulTomasi

TS Member
Sophos was taking so long (after 5 hours it was still on maybe 2%). Sophos' scan does not show percentage values - just the progress bar itself. I had to abort the scan. There are no options for doing selective scans. It was scanning my 2 x 3TB RAID 1 archive drive which contains 2.5TB of small files numbering hundreds of thousands. Do you still want me to run Sophos?
 

Broni

Malware Annihilator
Run this instead...

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Under "I want a free one-time scan with ESET Online Scanner" click on "Scan now" button.
  • It'll download small file "esetonlinescanner_enu.exe".
  • Double click on downloaded file.
  • Click on Accept button.
  • Checkmark "Disable detection of potentially unwanted applications".
  • Click Scan
  • Accept any security warnings from your browser.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 

PaulTomasi

TS Member
After several hours, I think the scan finished but the scan dialog box went blank, and would not respond to anything I did except move it around the screen. It's as though the application just hung. I had to close it using Task Manager. It did not generate a report.

I have attached an image of the hung dialog box.
 

Attachments

Broni

Malware Annihilator
Your computer is clean https://www.bleepstatic.com/fhost/uploads/6/snag-0004.jpg[/URL]]

1. This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
[COLOR=#ff0000][B]This is a very crucial step so make sure you don't skip it.[/B][/COLOR]
Download [IMG]http://www.imgdumper.nl/uploads6/51a5ce45267c1/51a5ce45263de-delfix.pngDelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:
  • Activate UAC (optional; some users prefer to keep it off)
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
  • Reset system settings
Now click "Run" and wait patiently.
Once finished a logfile will be created. You don't have to attach it to your next reply.

2. Make sure Windows Updates are current.

3. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

4. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Scan without installing plugin" and then on "Scan now")

5. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

6. Run Temporary File Cleaner (TFC) and AdwCleaner weekly (you need to redownload these tools since they were removed by DelFix).

7. (optional) If you want to keep all your programs up to date, download and install FileHippo App Manager.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

8. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

9. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings: http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry3187642

10. Please, let me know, how your computer is doing.
 

PaulTomasi

TS Member
Apologies for not replying sooner. I've been away. I will be continuing by responding to the 'Removal' processes...