[SOLVED] Microsoft Defender and Security Center Restricted


aliseb (Active member, joined Jul 7, 2024, 28 posts)
Hello,

I recently contracted malware on my computer and after restarting, my Windows Defender would no longer open upon startup. When trying to open Defender, I am met with a black window. Trying to open Virus and Threat Protection specifically, I am greeted with the message:

"Your IT administrator has limited access to some areas of this app, and the item you tried to access is not available. Contact IT help desk for more information."

I found out about Farbar Recovery Scan Tool and installed it. I ran a scan and have attached the FRST and Addition text files below. A major thing I noticed was this:

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center: Restriction <==== ATTENTION
HKLM\Software\Policies\...\system: [EnableSmartScreen] 0

If anyone can assist me in returning my computer to normal without having to reset it, I would greatly appreciate it. Thank you.
 


Hi, aliseb.

Welcome to Sysnative Forums!
Your computer is heavily infected.

Before we begin, please, adhere to the guidelines below. As soon as I have your consent, I'll start the cleaning procedure.

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but can also make your computer a malware target. Having such programs installed is the easiest way to get infected, so there is no point in cleaning the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to analyze. Also, keep in mind that all the experts here are volunteers and may not be available to assist when you post. Please be patient while I analyze your logs.
 
Yes! I understand and am willing to continue. Would you like me to run any new scans? Also, I'm not sure which items on my computer are considered pirated. How do I know what to delete? I tried my best to make sure none were left. Please let me know what to do and I will follow.
 
Hello!

If you uninstalled any program, yes, I'll need fresh logs.
 
Hi, aliseb.

Let's begin.

1. Remove FireShield

Open Edge, click on the 3 dots at the right, choose Extensions. Click Manage extension, find FireShield and click Remove.


2. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". There is no need to paste it anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [8798]
AlternateDataStreams: C:\Users\tspep\Application Data:03febd35b92b3fd6bae1a449c3baa293 [394]
AlternateDataStreams: C:\Users\tspep\Application Data:a4f3a4460331e5db92483d18f7474c91 [394]
AlternateDataStreams: C:\Users\tspep\AppData\Roaming:03febd35b92b3fd6bae1a449c3baa293 [394]
AlternateDataStreams: C:\Users\tspep\AppData\Roaming:a4f3a4460331e5db92483d18f7474c91 [394]
HKLM\...\StartupApproved\Run: => "Geraghty"
HKLM\...\StartupApproved\Run: => "Carmelita"
HKLM\...\StartupApproved\Run: => "BalmyBalmy"
HKLM\...\StartupApproved\Run: => "Balmy"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKLM\...\StartupApproved\Run32: => "WhodunnitWhodunnit"
HKLM\...\StartupApproved\Run32: => "Farge"
HKLM\...\StartupApproved\Run32: => "Doobie"
HKLM\...\StartupApproved\Run32: => "Whodunnit"
HKU\S-1-5-21-2014961619-3356002675-2201590515-1002\...\StartupApproved\Run: => "Bradlee"
HKU\S-1-5-21-2014961619-3356002675-2201590515-1002\...\StartupApproved\Run: => "Purplish"
HKU\S-1-5-21-2014961619-3356002675-2201590515-1002\...\StartupApproved\Run: => "Conducts"
HKU\S-1-5-21-2014961619-3356002675-2201590515-1002\...\StartupApproved\Run: => "Switchers"
HKU\S-1-5-21-2014961619-3356002675-2201590515-1002\...\StartupApproved\Run: => "Yn"
HKU\S-1-5-21-2014961619-3356002675-2201590515-1002\...\StartupApproved\Run: => "Directs"
FirewallRules: [TCP Query User{EC4E499F-EB7E-45BF-B7D3-5C9E6836D8E4}C:\users\tspep\desktop\ultrakill.v2024.01.18\ultrakill.v2024.01.18\ultrakill.v2024.01.18\ultrakill.exe] => (Allow) C:\users\tspep\desktop\ultrakill.v2024.01.18\ultrakill.v2024.01.18\ultrakill.v2024.01.18\ultrakill.exe => No File
FirewallRules: [UDP Query User{086D44DC-0640-435F-B5EE-CEA1751C07DE}C:\users\tspep\desktop\ultrakill.v2024.01.18\ultrakill.v2024.01.18\ultrakill.v2024.01.18\ultrakill.exe] => (Allow) C:\users\tspep\desktop\ultrakill.v2024.01.18\ultrakill.v2024.01.18\ultrakill.v2024.01.18\ultrakill.exe => No File
FirewallRules: [TCP Query User{05C790F9-E313-4DF4-AA2C-AE8DF402ABF1}C:\users\tspep\desktop\library\games\steamunlocked\ultrakill.v2024.01.18\ultrakill.v2024.01.18\ultrakill.v2024.01.18\ultrakill.exe] => (Allow) C:\users\tspep\desktop\library\games\steamunlocked\ultrakill.v2024.01.18\ultrakill.v2024.01.18\ultrakill.v2024.01.18\ultrakill.exe => No File
FirewallRules: [UDP Query User{38BB8D63-9C2F-490F-AF37-1AB74E5D4DFE}C:\users\tspep\desktop\library\games\steamunlocked\ultrakill.v2024.01.18\ultrakill.v2024.01.18\ultrakill.v2024.01.18\ultrakill.exe] => (Allow) C:\users\tspep\desktop\library\games\steamunlocked\ultrakill.v2024.01.18\ultrakill.v2024.01.18\ultrakill.v2024.01.18\ultrakill.exe => No File
FirewallRules: [TCP Query User{DFA74E16-D36E-4A6A-8348-62E130182546}C:\users\tspep\desktop\library\games\steamunlocked\marvels.spider.man.remastered.v2.1012.0.0\marvels.spider.man.remastered.v2.1012.0.0\marvels.spider.man.remastered.v2.1012.0.0\spider-man.exe] => (Allow) C:\users\tspep\desktop\library\games\steamunlocked\marvels.spider.man.remastered.v2.1012.0.0\marvels.spider.man.remastered.v2.1012.0.0\marvels.spider.man.remastered.v2.1012.0.0\spider-man.exe => No File
FirewallRules: [UDP Query User{D8C00304-CF03-4C6C-9827-6DAE9D5C8652}C:\users\tspep\desktop\library\games\steamunlocked\marvels.spider.man.remastered.v2.1012.0.0\marvels.spider.man.remastered.v2.1012.0.0\marvels.spider.man.remastered.v2.1012.0.0\spider-man.exe] => (Allow) C:\users\tspep\desktop\library\games\steamunlocked\marvels.spider.man.remastered.v2.1012.0.0\marvels.spider.man.remastered.v2.1012.0.0\marvels.spider.man.remastered.v2.1012.0.0\spider-man.exe => No File
FirewallRules: [{CE4F9E9F-A2AD-4F35-9E87-0C5E72DB7F8D}] => (Allow) C:\Users\tspep\AppData\Local\Programs\Opera GX\109.0.5097.142\opera.exe => No File
FirewallRules: [TCP Query User{9EAB43D4-6DA2-45EB-A8E7-1806F8437F64}C:\programdata\regid.1993-06.com.microsoft\wmiprvse.exe] => (Block) C:\programdata\regid.1993-06.com.microsoft\wmiprvse.exe => No File
FirewallRules: [UDP Query User{0C2A6D3E-4ADB-47BF-9C8A-4FAE38A9AF00}C:\programdata\regid.1993-06.com.microsoft\wmiprvse.exe] => (Block) C:\programdata\regid.1993-06.com.microsoft\wmiprvse.exe => No File
FirewallRules: [{D40E11CB-5C21-41FB-9C2F-F01F48F16FF5}] => (Allow) C => No File
FirewallRules: [{D44068B7-E7FF-415F-A5C7-98AF39A9A58F}] => (Allow) C => No File
FirewallRules: [{31792B5C-6438-4C00-AC21-F14AED696BB4}] => (Allow) C => No File
FirewallRules: [{5697D26D-D481-4A7D-9B67-8B59E595B231}] => (Allow) C => No File
FirewallRules: [{A02B8705-3202-45B5-8926-36754CAA40A8}] => (Allow) C => No File
FirewallRules: [{2BE9EDFA-9491-4723-8B69-9751C5B38DDB}] => (Allow) C => No File
FirewallRules: [{B591DC67-9F5D-4BCF-B378-7FD16FDB6A3F}] => (Allow) C => No File
FirewallRules: [{4A814BC5-76CC-4F7C-A5B9-B6C0F805DFA2}] => (Allow) C => No File
FirewallRules: [{4EDF2B4F-A16D-4BA4-AC1C-A31C7D6C0AFC}] => (Allow) C => No File
FirewallRules: [{2A741DE8-15C7-488B-9D88-847A6B485457}] => (Allow) C => No File
HKLM\...\Run: [Carmelita] => C:\Program Files (x86)\Rancid\Abingdon.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotg (the data entry has 102 more characters). (No File)
HKLM\...\Run: [Geraghty] => C:\Program Files (x86)\militaristic\Polymerase.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyct (the data entry has 110 more characters). (No File)
HKLM\...\Run: [Balmy] => C:\Program Files (x86)\Shagging\Abingdon.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyo (the data entry has 104 more characters). (No File)
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [Farge] => C:\Program Files (x86)\Rancid\Abingdon.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotg (the data entry has 102 more characters). (No File)
HKLM-x32\...\Run: [Doobie] => C:\Program Files (x86)\militaristic\Polymerase.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyct (the data entry has 110 more characters). (No File)
HKLM-x32\...\Run: [Whodunnit] => C:\Program Files (x86)\Shagging\Abingdon.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyo (the data entry has 104 more characters). (No File)
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center: Restriction <==== ATTENTION
HKLM\Software\Policies\...\system: [EnableSmartScreen] 0
HKU\S-1-5-21-2014961619-3356002675-2201590515-1002\...\Run: [GalaxyClient] => [X]
HKU\S-1-5-21-2014961619-3356002675-2201590515-1002\...\Run: [Bradlee] => C:\Program Files (x86)\Rancid\Abingdon.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotg (the data entry has 102 more characters). (No File)
HKU\S-1-5-21-2014961619-3356002675-2201590515-1002\...\Run: [Purplish] => C:\Program Files (x86)\militaristic\Polymerase.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyct (the data entry has 110 more characters). (No File)
HKU\S-1-5-21-2014961619-3356002675-2201590515-1002\...\Run: [Conducts] => C:\Program Files (x86)\Shagging\Abingdon.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyo (the data entry has 104 more characters). (No File)
HKU\S-1-5-21-2014961619-3356002675-2201590515-1002\...\Run: [Switchers] => C:\Program Files (x86)\Rancid\Abingdon.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotg (the data entry has 102 more characters). (No File)
HKU\S-1-5-21-2014961619-3356002675-2201590515-1002\...\Run: [Yn] => C:\Program Files (x86)\militaristic\Polymerase.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyct (the data entry has 110 more characters). (No File)
HKU\S-1-5-21-2014961619-3356002675-2201590515-1002\...\Run: [Directs] => C:\Program Files (x86)\Shagging\Abingdon.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyo (the data entry has 104 more characters). (No File)
HKU\S-1-5-21-2014961619-3356002675-2201590515-1002\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
Task: {5D9E1D8E-C5FC-43EE-B398-BB2FBAF86D02} - \Microsoft\Office\Background Update -> No File <==== ATTENTION
Task: {DE2F99A6-AC38-4CCD-A358-071F9FF50E2D} - \FreeDownloadManagerHelperService -> No File <==== ATTENTION
Task: {F2C4D6ED-987A-4AD6-B52A-8D01DA9FD76D} - System32\Tasks\0oyp7v\zmki26\yj4f56\tx0rkn\1wb95d\df30ls\q4cmla\9f6eg1\jh7aej\ydlovn\zoqzo2\4qijf5\nmpaxn\o7il65\gcqkmy\9tkh36\e33fib => %PROGRAMFILES(x86)%\Shagging\Abingdon.exe  "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhykt2jh0jh2jtgbnhyh4jh0dj7djtgbnhy0kt1ktjhbhtgbnhytml7QOtVndtgbnhyLvK2S8EADEtgbnhyLhv" (No File) <==== ATTENTION
Task: {AEC85283-2E01-493C-8E4D-1431DF63E29A} - System32\Tasks\1az1x4\vtlq79\81gemi\ft3w4a\gpqeb0\k6huw8\kstn44\4vljz3\y3yj89\tj2xwy\m1w9ey\d7iutg\wzw10l\r01r49\ngzoxu\6uet2l\qmptkr => %localappdata%\Polymerase.exe  "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhykt2jh0jh2jtgbnhyh4jh0dj7djtgbnhy0kt1ktjhbhtgbnhytml7QOtVndtgbnhyLvK2S8EADEtgbnhyLhv" (No File) <==== ATTENTION
Task: {7C16B8E2-7676-48BE-8EE2-47F3FF10F66D} - System32\Tasks\6zxypa\0wx3q5\dppmp3\l0yaki\o5dbc4\cpzxp5\8jjjoi\7zs9jz\bwys0h\4hwqlq\xsfxqt\rdd3ij\gy211g\3io605\do6r57\5datdo\4a5sbr => %PROGRAMFILES(x86)%\Shagging\Polymerase.exe  "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhykt2jh0jh2jtgbnhyh4jh0dj7djtgbnhy0kt1ktjhbhtgbnhytml7QOtVndtgbnhyLvK2S8EADEtgbnhyLhv" (No File) <==== ATTENTION
Task: {FB513E84-DAFE-4A32-9B61-07222F0463FB} - System32\Tasks\7xl3z9\jmohvr\2uzp0t\ybmetx\mh4v36\hx1zop\h9d7jl\14v5cy\hl7j16\sw5msr\3s5clh\36mc9s\6hev8n\lq4nwl\a0oov3\k2xnnt\1yetrm => %PROGRAMFILES(x86)%\Rancid\Abingdon.exe  "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhykt2jh0jh2jtgbnhyh4jh0dj7djtgbnhy0kt1ktjhbhtgbnhytml7QOtVndtgbnhyLvK2S8EADEtgbnhyLhv" (No File) <==== ATTENTION
Task: {1D5EAF28-29AF-4A71-98D8-A86C228DD50B} - System32\Tasks\al05d3\ukawlk\8y9chl\y0wc1c\upuerm\4gnego\a4vfgm\fbfpsc\7t27ln\vqsagd\869kxe\tdci6e\h2rtu1\qpmmi8\zdfpe7\idkub2\mjfy6j => %PROGRAMFILES(x86)%\Rancid\verifies.exe  (No File) <==== ATTENTION
Task: {39E051F2-1662-4A2C-9DC0-7507E36EC8D7} - System32\Tasks\gwqaj3\s8xcak\wh3rve\zwzobs\510a4q\f1i57p\fltuxq\9n2pbx\n2q4wq\0l6ejq\uahzd5\99kgiq\o4e5wc\gh0n0b\eyxl17\rri7xu\nupd51 => %PROGRAMFILES(x86)%\Rancid\jazzmen.exe  (No File) <==== ATTENTION
Task: {794240CE-1523-41AE-915B-F8A0399071E1} - System32\Tasks\kax79p\i96rfn\4tbozj\x29nkk\rxyfo9\3w2z1p\tsz81y\b9adet\1j7gdr\db5dq9\92l6xg\ihl6vd\19y6t3\pvnidj\fhioq8\22ebnx\98bod1 => %PROGRAMFILES(x86)%\militaristic\Polymerase.exe  "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhykt2jh0jh2jtgbnhyh4jh0dj7djtgbnhy0kt1ktjhbhtgbnhytml7QOtVndtgbnhyLvK2S8EADEtgbnhyLhv" (No File) <==== ATTENTION
Task: {0F896D58-6BDF-41AB-A46B-26C312576584} - System32\Tasks\l6xdyb\jjrcjc\3p5idb\dw49di\nmeq3a\mbzitw\k4jmt5\lbp8ne\09ceoo\qhs782\jd2q59\wq41ed\tbbekd\grznah\251mok\ab1mtn\qenzgu => %localappdata%\gaster.exe  "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhykt2jh0jh2jtgbnhyh4jh0dj7djtgbnhy0kt1ktjhbhtgbnhytml7QOtVndtgbnhyLvK2S8EADEtgbnhyLhv" (No File) <==== ATTENTION
Task: {4EB2483C-7A0F-4834-8D1F-A6273697EFA2} - System32\Tasks\Microsoft\Windows\NetTrace\RefreshNetworkInfo => C:\ProgramData\NetTrace\1.0.0\refreshNetworkInfo.cmd [95 2024-07-01] () [File not signed] ->  <==== ATTENTION
Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe  (No File)
Task: {A9D4FDED-F07D-4077-9DB4-1B12C4D414F5} - System32\Tasks\nfrcga\qfe5vx\bl612o\rqw9it\dhjp08\6arl19\mf0zoo\rcyoyo\42bbz5\x30h47\jpd159\xsr8y4\7w1ovq\45fyt7\ibktuu\wyimza\xgwi5o => %localappdata%\Abingdon.exe  "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhykt2jh0jh2jtgbnhyh4jh0dj7djtgbnhy0kt1ktjhbhtgbnhytml7QOtVndtgbnhyLvK2S8EADEtgbnhyLhv" (No File) <==== ATTENTION
Task: {05F8AD7E-E1AC-41EB-BDB7-FB18653F613F} - System32\Tasks\nhb8wy\q1nda5\qyebkh\p2x67y\138g5w\fwm1mx\o3dpi9\gzuol4\mldqhl\rg1sad\caoodu\rhkcl6\znouq0\wygvbb\krm8s9\1foapx\j4qgdu => %localappdata%\eliasson.exe  (No File) <==== ATTENTION
Task: {1A51B470-0B34-4EBF-BF5C-A4B622D27FDA} - System32\Tasks\svah52\07yg3i\3jbzzy\tgqb79\uux9sp\k4i5r5\rshj5c\0q553u\2cqn3y\qhd76m\3qmqou\lejghk\dc9nak\hso82n\opsgz7\uy0fnf\itb6y9 => %localappdata%\Abingdon.exe  "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhykt2jh0jh2jtgbnhyh4jh0dj7djtgbnhy0kt1ktjhbhtgbnhytml7QOtVndtgbnhyLvK2S8EADEtgbnhyLhv" (No File) <==== ATTENTION
Task: {9DD89C62-57D5-4C51-9FB8-8439BECE6FA4} - System32\Tasks\zo8rnm\4lwmax\oykv1v\lho0k5\gykuia\cyewcl\32b806\1vvch9\obpgv6\xcbyc3\dexl2x\jrq9q8\q30t6w\fjajvc\fmhuad\ojghf6\cchb2g => %PROGRAMFILES(x86)%\militaristic\Polymerase.exe  "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhykt2jh0jh2jtgbnhyh4jh0dj7djtgbnhy0kt1ktjhbhtgbnhytml7QOtVndtgbnhyLvK2S8EADEtgbnhyLhv" (No File) <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
Edge DefaultSearchURL: Default -> hxxps://search.onfireshield.com/?dsf&yh&q={searchTerms}
Edge DefaultSearchKeyword: Default -> FireShield
Edge DefaultSuggestURL: Default -> hxxps://ext.onfireshield.com/api/ext/suggest?q={searchTerms}
U3 Sense; no ImagePath
2024-07-03 11:50 - 2024-07-03 11:50 - 000009225 _____ C:\Users\tspep\Downloads\ToggleDefender.bat
2024-07-03 00:58 - 2024-07-03 00:58 - 000012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2024-07-03 00:54 - 2024-07-03 04:06 - 000000000 ____D C:\KVRT2020_Data
2024-07-03 00:54 - 2024-07-03 00:54 - 111068528 _____ (AO Kaspersky Lab) C:\Users\tspep\Downloads\KVRT.exe
2024-07-03 00:43 - 2024-07-03 00:50 - 000000000 ____D C:\Users\tspep\AppData\Local\NPE
2024-07-03 00:43 - 2024-07-03 00:43 - 016995528 _____ (NortonLifeLock Inc.) C:\Users\tspep\Downloads\NPE.exe
2024-07-02 00:50 - 2024-07-02 00:50 - 000000000 ____D C:\Users\tspep\AppData\Local\Total_Security
2024-07-02 00:50 - 2024-07-02 00:50 - 000000000 ____D C:\Users\tspep\AppData\Local\ToastNotificationManagerCompat
2024-07-01 23:37 - 2024-07-03 00:51 - 000000000 ___HD C:\ProgramData\fdda557e-6041-414a-a514-ed8aa1604885
2024-07-01 23:37 - 2024-07-01 23:37 - 000000000 ____D C:\Windows\system32\Tasks\zo8rnm
2024-07-01 23:37 - 2024-07-01 23:37 - 000000000 ____D C:\Windows\system32\Tasks\nfrcga
2024-07-01 23:37 - 2024-07-01 23:37 - 000000000 ____D C:\Windows\system32\Tasks\kax79p
2024-07-01 23:37 - 2024-07-01 23:37 - 000000000 ____D C:\Windows\system32\Tasks\6zxypa
2024-07-01 23:37 - 2024-07-01 23:37 - 000000000 ____D C:\Windows\system32\Tasks\0oyp7v
2024-07-01 23:37 - 2024-07-01 23:37 - 000000000 ____D C:\ProgramData\NetTrace
2024-07-01 23:36 - 2024-07-01 23:36 - 000004150 _____ C:\Windows\system32\Tasks\Opera GX scheduled Autoupdate 1719891387
2024-07-01 23:36 - 2024-07-01 23:36 - 000000000 ____D C:\Windows\system32\Tasks\svah52
2024-07-01 23:36 - 2024-07-01 23:36 - 000000000 ____D C:\Windows\system32\Tasks\nhb8wy
2024-07-01 23:36 - 2024-07-01 23:36 - 000000000 ____D C:\Windows\system32\Tasks\l6xdyb
2024-07-01 23:36 - 2024-07-01 23:36 - 000000000 ____D C:\Windows\system32\Tasks\gwqaj3
2024-07-01 23:36 - 2024-07-01 23:36 - 000000000 ____D C:\Windows\system32\Tasks\al05d3
2024-07-01 23:36 - 2024-07-01 23:36 - 000000000 ____D C:\Windows\system32\Tasks\7xl3z9
2024-07-01 23:36 - 2024-07-01 23:36 - 000000000 ____D C:\Windows\system32\Tasks\1az1x4
2024-06-07 15:35 - 2024-06-07 15:36 - 000000250 _____ () C:\Users\tspep\AppData\Roaming\MelonLoader.Installer.cfg
2024-02-09 15:57 - 2024-02-09 15:57 - 000000182 _____ () C:\Users\tspep\AppData\Local\Abingdon.exe.config
2024-02-09 15:57 - 2024-02-09 15:57 - 000000182 _____ () C:\Users\tspep\AppData\Local\App.exe.config
2024-02-09 15:57 - 2024-02-09 15:57 - 000000182 _____ () C:\Users\tspep\AppData\Local\Polymerase.exe.config
Folder: C:\SolaraTab
RemoveProxy:
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop to run it as administrator. When the tool opens, click "Yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt.
  • When finished, it will produce a log, fixlog.txt, on your Desktop.
  • Post the log in your next reply.


In your next reply, please post:
  1. If you successfully removed FireShield.
  2. The fixlog.txt
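As an added example (not code from this thread, from Sysnative, or from FRST itself), the triage pass a helper does by eye over the FRST entries quoted in the first post and in the fixlist above: it parses constructed FRST-style lines and groups the policy Restriction keys that produce the "IT administrator has limited access" message, the SmartScreen value forced to 0, orphaned Run entries, scheduled tasks that FRST marked ATTENTION or that live in randomly named nested folders, and the Edge search hijack. The sample lines, the category names and the `looks_random_nested` heuristic are my own assumptions; the script only reports, it does not build or run a fixlist.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log lines.

Hypothetical example: groups the entries a helper reviews first and
explains why each matters. It never modifies the system.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the entry formats quoted in the thread.
# The SecurityHealth line is a benign control entry, also constructed.
SAMPLE_FRST_LINES = r"""
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center: Restriction <==== ATTENTION
HKLM\Software\Policies\...\system: [EnableSmartScreen] 0
HKLM\...\Run: [Carmelita] => C:\Program Files (x86)\Rancid\Abingdon.exe "tgbnhyh..." (No File)
HKLM\...\Run: [SecurityHealth] => C:\WINDOWS\system32\SecurityHealthSystray.exe [90112 2023-10-05] (Microsoft Windows -> Microsoft Corporation)
Task: {F2C4D6ED-987A-4AD6-B52A-8D01DA9FD76D} - System32\Tasks\0oyp7v\zmki26\yj4f56\tx0rkn => %PROGRAMFILES(x86)%\Shagging\Abingdon.exe  "tgbnhyh..." (No File) <==== ATTENTION
Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe  (No File)
Edge DefaultSearchURL: Default -> hxxps://search.onfireshield.com/?dsf&yh&q={searchTerms}
"""

ATTENTION = "<==== ATTENTION"
# HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction  (HKU\S-1-5-...\ form too)
POLICY_RE = re.compile(r"^(?P<key>HK[A-Z]+\\.*?Policies\\[^:]+): Restriction")
SMARTSCREEN_RE = re.compile(r"\[EnableSmartScreen\]\s+0\s*$")
# HKLM\...\Run: [Name] => target      (also HKLM-x32, Run32 and HKU\S-1-5-... hives)
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\.\\Run(?:32)?: \[(?P<name>[^\]]*)\] => (?P<target>.*)$")
# Task: {GUID} - System32\Tasks\path => target   or   Task: {GUID} - \path -> No File
TASK_RE = re.compile(r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<path>.+?) (?:=>|->) (?P<target>.*)$")
BROWSER_RE = re.compile(r"^(?P<browser>\w+) Default(?P<what>SearchURL|SuggestURL|SearchKeyword): Default -> (?P<value>.*)$")
# Heuristic (assumption): short lowercase alphanumeric folder names containing a digit.
RANDOM_SEG = re.compile(r"^[a-z0-9]{5,8}$")


@dataclass(frozen=True)
class Finding:
    category: str  # policy_restriction, smartscreen_disabled, orphaned_run, suspicious_task, browser_hijack, other_attention
    detail: str    # short explanation for the reviewer
    line: str      # the original FRST line


def looks_random_nested(task_path: str, min_segments: int = 3) -> bool:
    """True when the task sits under several random-looking folders below Tasks\\."""
    segs = task_path.split("\\")
    if "Tasks" in segs:
        segs = segs[segs.index("Tasks") + 1:]
    random_like = [s for s in segs if RANDOM_SEG.match(s) and any(c.isdigit() for c in s)]
    return len(random_like) >= min_segments


def triage_line(raw: str) -> Optional[Finding]:
    """Classify one FRST line; None means nothing a helper needs to act on."""
    line = raw.strip()
    if not line:
        return None
    flagged = line.endswith(ATTENTION)
    m = POLICY_RE.match(line)
    if m:
        key = m.group("key")
        if "Windows Defender" in key:
            detail = "policy key locks the Defender / Security Center UI ('IT administrator has limited access')"
        else:
            detail = "policy Restriction on " + key.rsplit("\\", 1)[-1]
        return Finding("policy_restriction", detail, line)
    if SMARTSCREEN_RE.search(line):
        return Finding("smartscreen_disabled", "EnableSmartScreen forced to 0 by policy", line)
    m = RUN_RE.match(line)
    if m:
        target = m.group("target")
        if "(No File)" in target or target == "[X]":
            return Finding("orphaned_run", "Run entry [%s] points at a missing file" % m.group("name"), line)
        return None  # Run entry with a present, identified file: leave for manual review
    m = TASK_RE.match(line)
    if m:
        reasons = []
        if flagged:
            reasons.append("marked ATTENTION by FRST")
        if looks_random_nested(m.group("path")):
            reasons.append("random nested task folders")
        if reasons:
            return Finding("suspicious_task", "; ".join(reasons) + " (%s)" % m.group("guid"), line)
        return None
    m = BROWSER_RE.match(line)
    if m:
        return Finding("browser_hijack", "%s %s set to %s" % (m.group("browser"), m.group("what"), m.group("value")), line)
    if flagged:
        return Finding("other_attention", "FRST marked ATTENTION", line)
    return None


def triage(text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LINES):
        print("%-22s %s" % (f.category, f.detail))
    print(summarize(triage(SAMPLE_FRST_LINES)))
```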
 
Task: {1D5EAF28-29AF-4A71-98D8-A86C228DD50B} - System32\Tasks\al05d3\ukawlk\8y9chl\y0wc1c\upuerm\4gnego\a4vfgm\fbfpsc\7t27ln\vqsagd\869kxe\tdci6e\h2rtu1\qpmmi8\zdfpe7\idkub2\mjfy6j => %PROGRAMFILES(x86)%\Rancid\verifies.exe  (No File) <==== ATTENTION
Task: {39E051F2-1662-4A2C-9DC0-7507E36EC8D7} - System32\Tasks\gwqaj3\s8xcak\wh3rve\zwzobs\510a4q\f1i57p\fltuxq\9n2pbx\n2q4wq\0l6ejq\uahzd5\99kgiq\o4e5wc\gh0n0b\eyxl17\rri7xu\nupd51 => %PROGRAMFILES(x86)%\Rancid\jazzmen.exe  (No File) <==== ATTENTION
Task: {794240CE-1523-41AE-915B-F8A0399071E1} - System32\Tasks\kax79p\i96rfn\4tbozj\x29nkk\rxyfo9\3w2z1p\tsz81y\b9adet\1j7gdr\db5dq9\92l6xg\ihl6vd\19y6t3\pvnidj\fhioq8\22ebnx\98bod1 => %PROGRAMFILES(x86)%\militaristic\Polymerase.exe  "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhykt2jh0jh2jtgbnhyh4jh0dj7djtgbnhy0kt1ktjhbhtgbnhytml7QOtVndtgbnhyLvK2S8EADEtgbnhyLhv" (No File) <==== ATTENTION
Task: {0F896D58-6BDF-41AB-A46B-26C312576584} - System32\Tasks\l6xdyb\jjrcjc\3p5idb\dw49di\nmeq3a\mbzitw\k4jmt5\lbp8ne\09ceoo\qhs782\jd2q59\wq41ed\tbbekd\grznah\251mok\ab1mtn\qenzgu => %localappdata%\gaster.exe  "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhykt2jh0jh2jtgbnhyh4jh0dj7djtgbnhy0kt1ktjhbhtgbnhytml7QOtVndtgbnhyLvK2S8EADEtgbnhyLhv" (No File) <==== ATTENTION
Task: {4EB2483C-7A0F-4834-8D1F-A6273697EFA2} - System32\Tasks\Microsoft\Windows\NetTrace\RefreshNetworkInfo => C:\ProgramData\NetTrace\1.0.0\refreshNetworkInfo.cmd [95 2024-07-01] () [File not signed] ->  <==== ATTENTION
Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe  (No File)
Task: {A9D4FDED-F07D-4077-9DB4-1B12C4D414F5} - System32\Tasks\nfrcga\qfe5vx\bl612o\rqw9it\dhjp08\6arl19\mf0zoo\rcyoyo\42bbz5\x30h47\jpd159\xsr8y4\7w1ovq\45fyt7\ibktuu\wyimza\xgwi5o => %localappdata%\Abingdon.exe  "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhykt2jh0jh2jtgbnhyh4jh0dj7djtgbnhy0kt1ktjhbhtgbnhytml7QOtVndtgbnhyLvK2S8EADEtgbnhyLhv" (No File) <==== ATTENTION
Task: {05F8AD7E-E1AC-41EB-BDB7-FB18653F613F} - System32\Tasks\nhb8wy\q1nda5\qyebkh\p2x67y\138g5w\fwm1mx\o3dpi9\gzuol4\mldqhl\rg1sad\caoodu\rhkcl6\znouq0\wygvbb\krm8s9\1foapx\j4qgdu => %localappdata%\eliasson.exe  (No File) <==== ATTENTION
Task: {1A51B470-0B34-4EBF-BF5C-A4B622D27FDA} - System32\Tasks\svah52\07yg3i\3jbzzy\tgqb79\uux9sp\k4i5r5\rshj5c\0q553u\2cqn3y\qhd76m\3qmqou\lejghk\dc9nak\hso82n\opsgz7\uy0fnf\itb6y9 => %localappdata%\Abingdon.exe  "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhykt2jh0jh2jtgbnhyh4jh0dj7djtgbnhy0kt1ktjhbhtgbnhytml7QOtVndtgbnhyLvK2S8EADEtgbnhyLhv" (No File) <==== ATTENTION
Task: {9DD89C62-57D5-4C51-9FB8-8439BECE6FA4} - System32\Tasks\zo8rnm\4lwmax\oykv1v\lho0k5\gykuia\cyewcl\32b806\1vvch9\obpgv6\xcbyc3\dexl2x\jrq9q8\q30t6w\fjajvc\fmhuad\ojghf6\cchb2g => %PROGRAMFILES(x86)%\militaristic\Polymerase.exe  "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhykt2jh0jh2jtgbnhyh4jh0dj7djtgbnhy0kt1ktjhbhtgbnhytml7QOtVndtgbnhyLvK2S8EADEtgbnhyLhv" (No File) <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
Edge DefaultSearchURL: Default -> hxxps://search.onfireshield.com/?dsf&yh&q={searchTerms}
Edge DefaultSearchKeyword: Default -> FireShield
Edge DefaultSuggestURL: Default -> hxxps://ext.onfireshield.com/api/ext/suggest?q={searchTerms}
U3 Sense; no ImagePath
2024-07-03 11:50 - 2024-07-03 11:50 - 000009225 _____ C:\Users\tspep\Downloads\ToggleDefender.bat
2024-07-03 00:58 - 2024-07-03 00:58 - 000012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2024-07-03 00:54 - 2024-07-03 04:06 - 000000000 ____D C:\KVRT2020_Data
2024-07-03 00:54 - 2024-07-03 00:54 - 111068528 _____ (AO Kaspersky Lab) C:\Users\tspep\Downloads\KVRT.exe
2024-07-03 00:43 - 2024-07-03 00:50 - 000000000 ____D C:\Users\tspep\AppData\Local\NPE
2024-07-03 00:43 - 2024-07-03 00:43 - 016995528 _____ (NortonLifeLock Inc.) C:\Users\tspep\Downloads\NPE.exe
2024-07-02 00:50 - 2024-07-02 00:50 - 000000000 ____D C:\Users\tspep\AppData\Local\Total_Security
2024-07-02 00:50 - 2024-07-02 00:50 - 000000000 ____D C:\Users\tspep\AppData\Local\ToastNotificationManagerCompat
2024-07-01 23:37 - 2024-07-03 00:51 - 000000000 ___HD C:\ProgramData\fdda557e-6041-414a-a514-ed8aa1604885
2024-07-01 23:37 - 2024-07-01 23:37 - 000000000 ____D C:\Windows\system32\Tasks\zo8rnm
2024-07-01 23:37 - 2024-07-01 23:37 - 000000000 ____D C:\Windows\system32\Tasks\nfrcga
2024-07-01 23:37 - 2024-07-01 23:37 - 000000000 ____D C:\Windows\system32\Tasks\kax79p
2024-07-01 23:37 - 2024-07-01 23:37 - 000000000 ____D C:\Windows\system32\Tasks\6zxypa
2024-07-01 23:37 - 2024-07-01 23:37 - 000000000 ____D C:\Windows\system32\Tasks\0oyp7v
2024-07-01 23:37 - 2024-07-01 23:37 - 000000000 ____D C:\ProgramData\NetTrace
2024-07-01 23:36 - 2024-07-01 23:36 - 000004150 _____ C:\Windows\system32\Tasks\Opera GX scheduled Autoupdate 1719891387
2024-07-01 23:36 - 2024-07-01 23:36 - 000000000 ____D C:\Windows\system32\Tasks\svah52
2024-07-01 23:36 - 2024-07-01 23:36 - 000000000 ____D C:\Windows\system32\Tasks\nhb8wy
2024-07-01 23:36 - 2024-07-01 23:36 - 000000000 ____D C:\Windows\system32\Tasks\l6xdyb
2024-07-01 23:36 - 2024-07-01 23:36 - 000000000 ____D C:\Windows\system32\Tasks\gwqaj3
2024-07-01 23:36 - 2024-07-01 23:36 - 000000000 ____D C:\Windows\system32\Tasks\al05d3
2024-07-01 23:36 - 2024-07-01 23:36 - 000000000 ____D C:\Windows\system32\Tasks\7xl3z9
2024-07-01 23:36 - 2024-07-01 23:36 - 000000000 ____D C:\Windows\system32\Tasks\1az1x4
2024-06-07 15:35 - 2024-06-07 15:36 - 000000250 _____ () C:\Users\tspep\AppData\Roaming\MelonLoader.Installer.cfg
2024-02-09 15:57 - 2024-02-09 15:57 - 000000182 _____ () C:\Users\tspep\AppData\Local\Abingdon.exe.config
2024-02-09 15:57 - 2024-02-09 15:57 - 000000182 _____ () C:\Users\tspep\AppData\Local\App.exe.config
2024-02-09 15:57 - 2024-02-09 15:57 - 000000182 _____ () C:\Users\tspep\AppData\Local\Polymerase.exe.config
Folder: C:\SolaraTab
RemoveProxy:
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.


In your next reply, please post:
  1. If you successfully removed FireShield.
  2. The fixlog.txt
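
The fixlist above removes Run entries, scheduled tasks and policy keys that share a few recognisable traits. The following Python script is an added example, not part of this thread and not FRST's own logic: it scores the quoted FRST lines against those traits (missing binary, task buried in random-named folders, filler-padded argument, unsigned script as task action, Policies key reported as Restriction) and strips the filler token so the padded argument reads as a plain URL. The benign Run entry is constructed for contrast.

```python
"""Triage of FRST log lines for the persistence pattern seen in this thread.

Added example (not FRST code and not from the thread): it encodes the indicators
the helper acted on as scoring heuristics, so a reader can see why each line
ended up in the fixlist. A single indicator is weak on its own: the USO_UxBroker
task below also points at a missing binary, and FRST did not flag it.
"""
import re
from collections import Counter

# Lines copied from the FRST output quoted in this thread (the Run entry is
# already truncated by FRST), plus one constructed benign Run entry for contrast.
OBFUSCATED_ARG = "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhykt2jh0jh2jtgbnhyh4jh0dj7djtgbnhy0kt1ktjhbhtgbnhytml7QOtVndtgbnhyLvK2S8EADEtgbnhyLhv"
RUN_LINE = r'HKU\S-1-5-21-2014961619-3356002675-2201590515-1002\...\Run: [Bradlee] => C:\Program Files (x86)\Rancid\Abingdon.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyttgbnhyotgbnhyptgbnhygtgbnhyltgbnhyatgbnhyrtgbnhyetgbnhy.tgbnhyctgbnhyotg (the data entry has 102 more characters). (No File)'
TASK_LINE = (r'Task: {F2C4D6ED-987A-4AD6-B52A-8D01DA9FD76D} - System32\Tasks\0oyp7v\zmki26\yj4f56\tx0rkn\1wb95d\df30ls\q4cmla\9f6eg1\jh7aej\ydlovn\zoqzo2\4qijf5\nmpaxn\o7il65\gcqkmy\9tkh36\e33fib'
             r' => %PROGRAMFILES(x86)%\Shagging\Abingdon.exe  "' + OBFUSCATED_ARG + '" (No File) <==== ATTENTION')
USO_LINE = r'Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe  (No File)'
NETTRACE_LINE = r'Task: {4EB2483C-7A0F-4834-8D1F-A6273697EFA2} - System32\Tasks\Microsoft\Windows\NetTrace\RefreshNetworkInfo => C:\ProgramData\NetTrace\1.0.0\refreshNetworkInfo.cmd [95 2024-07-01] () [File not signed] ->  <==== ATTENTION'
POLICY_LINE = r'HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION'
BENIGN_LINE = r'HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe /quiet'  # constructed
SAMPLE_LINES = [RUN_LINE, TASK_LINE, USO_LINE, NETTRACE_LINE, POLICY_LINE, BENIGN_LINE]

RUN_RE = re.compile(r"\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<cmd>.*)$")
TASK_RE = re.compile(r"^Task: \{(?P<guid>[0-9A-F-]+)\} - (?P<path>\S+) => (?P<cmd>.*)$")
POLICY_RE = re.compile(r"^(?P<key>HK\w+\\[^:]*\\Policies\\[^:]*): Restriction\b")
RANDOM_DIR = re.compile(r"^(?=.*\d)[a-z0-9]{6}$")   # e.g. 0oyp7v, zmki26
QUOTED_ARG = re.compile(r'"([^"\s]+)')                 # tolerates FRST's truncated quotes
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".js", ".ps1")


def find_filler(text, min_len=3, max_len=8, min_repeats=5):
    """Most frequently repeated substring of text (longest wins ties), or None."""
    best = None
    for n in range(min_len, max_len + 1):
        grams = Counter(text[i:i + n] for i in range(len(text) - n + 1))
        if not grams:
            break
        token, count = grams.most_common(1)[0]
        if count >= min_repeats and (best is None or count >= best[1]):
            best = (token, count)
    return best[0] if best else None


def deobfuscate(arg):
    """Strip the filler token; the padded argument then reads as a plain URL."""
    token = find_filler(arg)
    return arg.replace(token, "") if token else arg


def triage_line(line):
    """Return a finding dict for a suspicious FRST line, or None if nothing matched."""
    pm = POLICY_RE.match(line)
    if pm:
        return {"kind": "policy", "what": pm.group("key"), "score": 1,
                "reasons": ["Policies key present: can hide or lock security settings"]}
    tm = TASK_RE.match(line)
    rm = None if tm else RUN_RE.search(line)
    if not (tm or rm):
        return None
    cmd = (tm or rm).group("cmd")
    reasons = []
    if "(No File)" in cmd:
        reasons.append("target binary no longer exists")
    if "[File not signed]" in cmd:
        reasons.append("task action is not code-signed")
    if cmd.lower().split(" ")[0].endswith(SCRIPT_EXT):
        reasons.append("task action is a script")
    if tm:
        folders = tm.group("path").split("\\")[2:-1]   # between System32\Tasks and the task name
        rand = [f for f in folders if RANDOM_DIR.match(f)]
        if len(rand) >= 3:
            reasons.append(f"task buried under {len(rand)} random-looking folders")
    qm = QUOTED_ARG.search(cmd)
    token = find_filler(qm.group(1)) if qm else None
    if token:
        reasons.append(f"argument padded with filler token {token!r}")
    if not reasons:
        return None
    return {"kind": "task" if tm else "run",
            "what": tm.group("guid") if tm else rm.group("name"),
            "score": len(reasons), "reasons": reasons}


def triage(lines):
    """Triage a batch of lines; strongest hits first (sort is stable on ties)."""
    findings = [f for f in (triage_line(l) for l in lines) if f]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f['score']}] {f['kind']:6} {f['what']}")
        for r in f["reasons"]:
            print("      -", r)
    print("decoded argument:", deobfuscate(OBFUSCATED_ARG))
```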
Good afternoon, my friend,

Thank you for your continued help.

1. I followed your instructions; however, I was unable to find any extension on Microsoft Edge named "FireShield". Could it be possible that it is hidden from my view, or disguised? Please advise.
2. I followed your instructions and have attached the fixlog.txt below. Upon restarting the computer following the fix, it should be noted that Windows Defender is still giving me the same issue: it won't start. I took the liberty of conducting a new scan following the fix and have attached those files below. I hope those can help. Please advise on what to do next.

Once again, thank you!
 

Attachments

Hello!

Things are much better, but there is a lot to be done yet.

A couple of questions first.

You have these lines in your logs:

2024-07-01 23:37 - 2024-07-01 23:37 - 000000000 ____D C:\Users\tspep\AppData\Roaming\npm
2024-07-01 23:37 - 2024-07-01 23:37 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js
2024-07-01 23:37 - 2024-07-01 23:37 - 000000000 ____D C:\Program Files\nodejs
2024-07-01 23:36 - 2024-07-01 23:36 - 000000000 ____D C:\Users\tspep\AppData\Local\NetSupport
2024-07-01 23:12 - 2024-07-01 23:12 - 000000000 ____D C:\SolaraTab

They have to do with code building or so. Do you recognize them?

What about the following policies set:

2024-07-02 15:13 - 2024-07-02 15:13 - 000024821 _____ C:\Windows\SysWOW64\IntegratedServicesRegionPolicySet.json
2024-07-02 15:12 - 2024-07-02 15:12 - 000024821 _____ C:\Windows\system32\IntegratedServicesRegionPolicySet.json


As to your Defender, it looks like it's running. Can you please give me a screenshot with the message you get about not starting?

I'll be waiting for your answers before I give further instructions.
 
Good morning,

It's nice to hear that things are improved.

Regarding those first logs, I do not recognize any of those except for "Node.js" and "SolaraTab". I play a game called Minecraft, so I am familiar with Node.js, as the game runs on JavaScript. However, I recently activated my Malwarebytes trial over a week ago and noticed suspicious activity even while I wasn't playing Minecraft. I was bombarded repeatedly with warnings from the Real-Time Protection, with the following warning (images attached):

[two screenshots attached]

Now, all of these warnings/detections seem to have stopped after the fixlist.txt was used yesterday around 3:30-3:50 pm. However, it has only been a short time since then, so I am not sure.

As for the "SolaraTab" folder, I recognize it, and I do NOT want it. It was acquired during my crusade of trying to download hacks for a game, and I recognize the name "Solara" from one of the products.

As for the rest of those files in the first logs you sent, I do not want them if they are not meant to be on this computer, as I don't recognize them.

Moving on to the policies set, I do not recognize it, unless it was part of my attempt to fix my issue with my Windows Defender not starting. That is because I remember contracting the malware on July 1st (07/01/2024), since that was the date which I was looking for on the files I was trying to get rid of. You will notice that specific date on many files that needed to be removed because they were malware.

Attached will be all of the messages I see with my Windows Defender (including the black screen):

[two screenshots attached]

Allow me to restart my computer to take a picture of the other two messages that show upon startup.

Thank you for the help! I'll follow up shortly.
 
[two screenshots of the startup messages attached]
 
I used www.iplocation.net to search up the IP from the Malwarebytes protection message shared in my previous post and this is what I got from the website. Hopefully it helps:

[three screenshots attached]

It seems that they are all Amazon. Is this normal?
 
OK, aliseb.

Thanks for the info. Actually, I missed the Node.js, already installed in your computer.

Let's see what the next scans will show.


1. Run Malwarebytes (scan only)
  • Open Malwarebytes.
  • Click the little gear on the top right (Settings) and when it opens, click the General tab. Under the title Windows Security Center, make sure the option is disabled.
  • Click the Scan and Detections tab and under the Scan options title, enable Scan for rootkits option. Do not change any other option.
  • Return to the Dashboard and choose Scan.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the two last steps below.

    If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
    • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
    • Find the report with the most recent date and double click on it.
    • Click on Export and then Copy to Clipboard.
    • Paste its content here, in your next reply.

2. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click the Scan Now button.
  • Once the scan completes, AdwCleaner shows you all detected PUPs and adware. DO NOT check anything found, and click Next.
  • If any preinstalled software was detected on your device, a message notifies you that your action is requested. DO NOT check anything, and click Cancel to continue.
  • Click the Log Files tab.
  • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number; the latest scan will have the largest number).
  • A Notepad file will open containing the results of the removal.
  • Please post the contents of the file in your next reply.
Note: Click Skip Basic Repair if you are asked to.


In your next reply, please post:
  1. The Malwarebytes report
  2. The AdwCleaner[S0*].txt
 
Something to mention, so the communication is more effective:

Do not Quote my reply to you. Just write your reply in the reply area under my last reply.
 
Got it, no more quoting.

No threats were found:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/12/2024
Scan Time: 7:05 AM
Log File: 9fb125d8-403e-11ef-a969-d843ae26b744.json

-Software Information-
Version: 5.1.6.117
Components Version: 1.0.1270
Update Package Version: 1.0.86760
License: Trial

-System Information-
OS: Windows 11 (Build 22631.3737)
CPU: x64
File System: NTFS
User: MSI\tspep

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 266570
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 1 min, 34 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
File system: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

AdwCleaner Report (also attached as .txt):
# -------------------------------
# Malwarebytes AdwCleaner 8.4.2.0
# -------------------------------
# Build: 03-04-2024
# Database: 2024-03-04.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 07-12-2024
# Duration: 00:00:04
# OS: Windows 11 (Build 22631.3737)
# Scanned: 32094
# Detected: 1


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.PCProtect HKLM\System\CurrentControlSet\Services\EventLog\Application\SecurityService

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
 

Attachments

OK, Malwarebytes results are good. Let's clean what was detected by AdwCleaner.


AdwCleaner (Clean mode)

To proceed, please do the following:
  • Double click AdwCleaner.exe on your Desktop, to run it as you did before.
  • Click Scan Now.
  • Once the scan completes, AdwCleaner shows you what it found on your computer. Check the boxes next to any items you want to quarantine and disable, then click Next.
  • Now, AdwCleaner will show you any preinstalled software it found on your device. Again, check the boxes next to any items you want to quarantine and disable. If nothing is found, you won't see this message. If you don't want to remove any preinstalled software, click Cancel and continue.
  • Click Continue, then click Restart now, and you’re done.
  • Once your computer has restarted:
    • Click the Log Files tab.
    • Click Skip Basic Repair to finish the cleaning process
    • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number; the latest scan will have the largest number).
    • A Notepad file will open containing the results of the removal.
    • Please post the contents of the file in your next reply.
 
Logs are below.

[screenshot attached]

Should I delete the file from quarantine?


# -------------------------------
# Malwarebytes AdwCleaner 8.4.2.0
# -------------------------------
# Build: 03-04-2024
# Database: 2024-03-04.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 07-12-2024
# Duration: 00:00:00
# OS: Windows 11 (Build 22631.3737)
# Cleaned: 1
# Failed: 0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted HKLM\System\CurrentControlSet\Services\EventLog\Application\SecurityService

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [1491 octets] - [12/07/2024 07:09:34]
AdwCleaner[S01].txt - [1552 octets] - [12/07/2024 07:21:19]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C01].txt ##########
 

Attachments

Yes, you should delete it, and, as I see, you deleted it.

Next:

ESET Online Scan

Download ESET Online Scanner and save it to your desktop.
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.
 
Hello Dr. M,

My scan has finally completed. There were three detections. Here are the results:

7/12/2024 11:11:01 AM
Scanned files: 829455
Detected files: 3
Cleaned files: 3
Total scan time 03:35:15
Scan status: Finished
C:\ProgramData\regid.1993-06.com.microsoft\client32.ini Win32/NetSupportManager.AD trojan cleaned by deleting

C:\ProgramData\regid.1993-06.com.microsoft\client32u.ini Win32/NetSupportManager.AD trojan cleaned by deleting

C:\ProgramData\regid.1993-06.com.microsoft\NSM.LIC Win32/RiskWare.RemoteAdmin.NetSupportManager.V application cleaned by deleting
 
Great!

I would now ask you to remove HitmanPro 3.8.

After that, please give me fresh FRST logs (Addition and FRST).
 