[SOLVED] Need some help here.

Hi jccruz,

DR M will be taking things over from me.

DR M and I have been discussing your problem, and he is up to date on the situation.

Unfortunately, I won't have enough time to continue the troubleshooting and have requested DR M to take over.
 
Hi, jccruz.

As axe0 said, I'll try to help you with your computer's issues, since he is very busy right now.

Please sign in to Windows with the Utilizator account. To make sure that you are signed in with this account, please do the following:
  • In the Search area type Command Prompt, and select to run it as Administrator.
  • In the command window type whoami and press Enter.
  • Please give me a screenshot of what you see.
As soon as we are sure you are signed in as Utilizator, we are going to continue.
 
(...)

Unfortunately, I won't have enough time to continue the troubleshooting and have requested DR M to take over.

Hi axe0, thanks for your cooperation and support.

(...)
As soon as we are sure you are signed in as Utilizator, we are going to continue.

Hi DR M, thanks for your support. Here is a screenshot confirming that I'm logged in as "utilizator" (utilizador):

Captura de ecrã 2022-06-21 120757.png
 
Good.

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
CMD: net user administrador /active:yes
deletekey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-500.bak
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt.
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

The computer will restart to complete the fix. Let me know if it signs in immediately (without a password) with the Administrador account or if you have the opportunity to choose among the accounts you use. If you have the opportunity to choose, please choose Administrador account.
 
Hi DR M, thanks for your support, and sorry for my delayed answer. I attached the Fixlog.txt. I had to choose to enter the "administrador" account after the computer rebooted; it created the account as if it were the first time after an installation of Windows 10, e.g. "Hi, please wait, we're preparing everything for you..." and so on (...)
 

Attachments

Thanks, jccruz.

From now on, please sign in with the Administrador account.

1. Provide Profile.txt
  • Open Command Prompt as Administrator.
  • Copy and paste the following command line and press Enter.
Code:
reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" C:\Profile.txt
  • Go to C: and find Profile.txt
  • Double click to open it.
  • Select the content of the file, copy and paste it in your next reply.

2. Some things I would like to see now

Users

  • Go to C: and then double-click to open Users.
  • Please take a screenshot of what you see.

User Accounts from Control Panel
  • In the Search area type Control Panel and select it.
  • Select View by Large Icons and find User Accounts. Select it.
  • Please take a screenshot of what you see.

In your next reply please post:
  1. The Profile.txt
  2. The 2 screenshots
 
Hi, DR M, thanks for your support, here is the content of profile.txt and the two screenshots.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList]
"Default"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,69,00,\
76,00,65,00,25,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,44,00,65,00,66,\
00,61,00,75,00,6c,00,74,00,00,00
"ProfilesDirectory"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,\
00,69,00,76,00,65,00,25,00,5c,00,55,00,73,00,65,00,72,00,73,00,00,00
"ProgramData"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,69,\
00,76,00,65,00,25,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,44,00,\
61,00,74,00,61,00,00,00
"Public"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,69,00,76,\
00,65,00,25,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,50,00,75,00,62,00,\
6c,00,69,00,63,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18]
"Flags"=dword:0000000c
"ProfileImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,63,00,6f,00,6e,00,66,00,69,00,67,00,5c,00,73,00,79,00,73,00,74,00,65,\
00,6d,00,70,00,72,00,6f,00,66,00,69,00,6c,00,65,00,00,00
"RefCount"=dword:00000001
"Sid"=hex:01,01,00,00,00,00,00,05,12,00,00,00
"State"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]
"Flags"=dword:00000000
"ProfileImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,50,00,\
72,00,6f,00,66,00,69,00,6c,00,65,00,73,00,5c,00,4c,00,6f,00,63,00,61,00,6c,\
00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00
"State"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20]
"Flags"=dword:00000000
"ProfileImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,50,00,\
72,00,6f,00,66,00,69,00,6c,00,65,00,73,00,5c,00,4e,00,65,00,74,00,77,00,6f,\
00,72,00,6b,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00
"State"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-1001]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,55,00,74,00,69,00,6c,00,69,00,7a,00,61,00,64,00,6f,00,72,00,00,00
"Flags"=dword:00000000
"FullProfile"=dword:00000001
"State"=dword:00000100
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,66,58,c5,d9,d2,d7,86,d4,79,c2,4f,\
1b,e9,03,00,00
"LocalProfileLoadTimeLow"=dword:c46aac26
"LocalProfileLoadTimeHigh"=dword:01d8856a
"ProfileAttemptedProfileDownloadTimeLow"=dword:00000000
"ProfileAttemptedProfileDownloadTimeHigh"=dword:00000000
"ProfileLoadTimeLow"=dword:00000000
"ProfileLoadTimeHigh"=dword:00000000
"LocalProfileUnloadTimeLow"=dword:886eaf09
"LocalProfileUnloadTimeHigh"=dword:01d8803c
"RunLogonScriptSync"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-1002]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,6a,00,63,00,72,00,75,00,7a,00,00,00
"Flags"=dword:00000000
"FullProfile"=dword:00000001
"State"=dword:00000204
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,66,58,c5,d9,d2,d7,86,d4,79,c2,4f,\
1b,ea,03,00,00
"LocalProfileLoadTimeLow"=dword:a36277d8
"LocalProfileLoadTimeHigh"=dword:01d73c05
"ProfileAttemptedProfileDownloadTimeLow"=dword:00000000
"ProfileAttemptedProfileDownloadTimeHigh"=dword:00000000
"ProfileLoadTimeLow"=dword:00000000
"ProfileLoadTimeHigh"=dword:00000000
"RunLogonScriptSync"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-500]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,41,00,64,00,6d,00,69,00,6e,00,69,00,73,00,74,00,72,00,61,00,64,00,6f,00,\
72,00,00,00
"Flags"=dword:00000000
"FullProfile"=dword:00000001
"State"=dword:00000100
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,66,58,c5,d9,d2,d7,86,d4,79,c2,4f,\
1b,f4,01,00,00
"LocalProfileLoadTimeLow"=dword:3377aa71
"LocalProfileLoadTimeHigh"=dword:01d88566
"ProfileAttemptedProfileDownloadTimeLow"=dword:00000000
"ProfileAttemptedProfileDownloadTimeHigh"=dword:00000000
"ProfileLoadTimeLow"=dword:00000000
"ProfileLoadTimeHigh"=dword:00000000
"RunLogonScriptSync"=dword:00000000
"LocalProfileUnloadTimeLow"=dword:2e39e3be
"LocalProfileUnloadTimeHigh"=dword:01d88566

Captura de ecrã 2022-06-21 214158.png

Captura de ecrã 2022-06-21 214541.png
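As an added example that is not part of the thread, here is a small Python decoder for a `reg export` of ProfileList like the Profile.txt posted above. It joins the backslash-continued lines, turns the hex(2) (UTF-16-LE REG_EXPAND_SZ) ProfileImagePath values back into paths, converts the binary Sid value to its S-1-5-... form so it can be checked against the subkey name, and flags the ".bak" subkeys behind the temporary-profile symptom; the sample input is constructed from the -1001 entry above plus a constructed "-500.bak" subkey.

```python
# Added example, not the thread's code: decode a `reg export` of ProfileList like the Profile.txt above.
import re
import struct
# Constructed sample: the -1001 subkey as posted above, plus a constructed "-500.bak" subkey (the kind the FRST fix deleted).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-1001]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
  00,55,00,74,00,69,00,6c,00,69,00,7a,00,61,00,64,00,6f,00,72,00,00,00
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,66,58,c5,d9,d2,d7,86,d4,79,c2,4f,\
  1b,e9,03,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-500.bak]
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,66,58,c5,d9,d2,d7,86,d4,79,c2,4f,\
  1b,f4,01,00,00"""
KEY_RE = re.compile(r"^\[.*\\ProfileList\\([^\]]+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(hex\(2\):|hex:|dword:)(.*)$')

def _logical_lines(text):
    buf = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("\\"):  # reg export continues long values with a trailing backslash
            buf += line[:-1]
        else:
            yield buf + line
            buf = ""

def _hex_bytes(csv):
    return bytes(int(h, 16) for h in csv.split(",") if h)

def decode_sid(raw):
    """Binary SID -> 'S-<rev>-<authority>-<sub>...'; sub-authorities are little-endian uint32."""
    rev, count, authority = raw[0], raw[1], int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))

def parse_profile_list(text):
    profiles, cur = {}, None  # cur: value dict of the ProfileList\<SID> subkey being read
    for line in _logical_lines(text):
        if line.startswith("["):  # new key; only ProfileList\<SID> subkeys are kept
            m = KEY_RE.match(line)
            cur = profiles.setdefault(m.group(1), {}) if m else None
            continue
        m = VAL_RE.match(line)
        if not m or cur is None:
            continue
        name, kind, data = m.groups()
        if kind == "hex(2):":  # REG_EXPAND_SZ: UTF-16-LE text with a NUL terminator
            cur[name] = _hex_bytes(data).decode("utf-16-le").rstrip("\x00")
        elif kind == "hex:":  # raw binary; in ProfileList only the Sid value uses it
            cur[name] = decode_sid(_hex_bytes(data)) if name == "Sid" else _hex_bytes(data)
        else:
            cur[name] = int(data, 16)
    return profiles

def find_problems(profiles):
    """Flag .bak subkeys (the temporary-profile cause) and Sids that disagree with the key name."""
    findings = []
    for key, vals in profiles.items():
        base = key[:-4] if key.endswith(".bak") else key
        if key != base:
            findings.append("%s: stale .bak entry" % key)
        if vals.get("Sid", base) != base:
            findings.append("%s: Sid %s does not match the key name" % (key, vals["Sid"]))
    return findings
```

Feeding it the full Profile.txt above (saved as a file and read into `parse_profile_list`) lists every profile with its decoded path, and an empty `find_problems` result is what a healthy ProfileList looks like after the .bak key is gone.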
 
Thanks!

Now, I will need fresh FRST logs. Since it's late here now, 12:00 a.m., I'll review them tomorrow and get back to you as soon as I'm ready.
  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach these two logs in your next reply.
 
Hello, jccruz.

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
RemoveProxy:
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: SFC /scannow
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service
Powershell: wevtutil el | Foreach-Object {wevtutil cl "$_"}
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.
 
Hi DR M, thanks for your support, and sorry for my delayed answer. Here is the content of fixlog.txt.
 

Attachments

Hi, jccruz.

We have now completely got rid of the temporary profile accounts, which was a critical issue for your computer.

There is something else I would like to investigate, related to the profile accounts. Also, since we are in the Security Arena Forum, we could make a few more checks, to ensure that everything is clean.

However, before investigating the above, I would like you to take into consideration the following, with regard to your initial request for help.

Initially, and before I translated the detections/warnings, I thought that these could not be deleted due to the temporary profiles. One thing someone experiences with a temp profile is that they do some things, but with the next restart everything is reversed.

So, since the temporary profiles are not the case here, something else is the case.

As axe0 noticed, you have the Controlled folder access, in the Ransomware Protection, enabled. This feature, embedded in Windows Defender, provides an additional layer of protection when programs try to make changes to files in your personal data folders, like your Documents, Pictures, and Desktop folders. Normally, any program running on your system could do anything it liked to these folders. With this new feature enabled, only “apps determined by Microsoft as friendly” or applications you specifically allow will be able to make changes to your personal files in these folders.

Although the concept is great, its execution got a lot of users in trouble when they started to notice a continuous bombardment of ‘protected memory access blocked’ messages on their screens. What actually happens is the addition of a new warning in your Protection History every time you use a non-Microsoft application.

Although some people recommend turning off Controlled folder access to stop these warnings, I don't agree. It is a security feature, and since a user chooses to have it enabled, it must be enabled. I don't have it enabled, but if I decided to enable it I would not like someone to come and tell me to disable it to avoid the warnings about the "non-trusted" applications.

What you have to do, if you haven't already:

Go to the Protection History, expand the little arrow as shown below, check the app/process blocked, and either allow or not allow (do nothing) its execution. Do that for every warning referring to Protected folder access blocked.


2022-06-22_11-57-22.jpg


If you choose Allow, then go to the Ransomware Protection settings and click on Allow an app through Controlled folder access; you will see the app you already accepted as trusted:


2022-06-22_12-00-04.jpg


Although this will stop the warnings every time you want to use the specific application, the warnings in the Protection History will remain there.

The Service folder we repeatedly deleted is related only to standard detections, e.g. a malicious executable of an app. To clear other detections, like the detections by Controlled Folder Access, this file needs to be deleted:

C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db

The problem is that this file is locked by the Windows Defender service, and you can't stop it under normal circumstances. Even when we stop the Windows Defender Real-time protection, Cloud-delivered protection and Tamper protection, this file still can't be deleted. However, it can be deleted in the Recovery Environment. As soon as you do this, the detections/warnings in the Protection History will disappear, until the next time you run a new "untrusted" app.

The point is: does the result make the effort worthwhile? I would say no. In my effort to see what is happening here, I left my 2 computers with a list of warnings in the Protection History. Since I am sure they are related to trusted apps, I don't care about them being there. I would worry, however, if the warnings were related to a malicious detection, e.g. a trojan or something else.

Is everything clear now?

Let me know about your thoughts, so I can proceed to some other checks, as I mentioned at the beginning of this rather long post.
 
Hi DR M, thanks for your support and efforts about "this issue", which by now I entirely agree is not relevant, assuming that all is ok and secure with the system; this Protection History is not "bothering" me anymore, and, like you said:
does the result make the effort worthwhile? I would say no. In my effort to see what is happening here, I left my 2 computers with a list of warnings in the Protection History. Since I am sure they are related to trusted apps, I don't care about them being there. I would worry, however, if the warnings were related to a malicious detection, e.g. a trojan or something else.

OK, it's a built-in characteristic of Windows Defender... let's move on, and by the time you see that all is fine we can close this thread. Thanks once again for your effort and full explanation of this particular "(no) issue"...

I will donate to Sysnative forum as soon as possible. Thanks DR M, axe0 and all of the staff!
 
You are very welcome. I can say that your question made us all learn something more. We are all learners after all.

Since we are fine with the Protection History thing, let's proceed to some other checks. Please continue with the Administrador account.


1. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

2. Run Malwarebytes (scan only)
  • Open Malwarebytes you have already installed.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the two last steps below.

If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

In your next reply, please post:

  1. The AdwCleaner[S0*].txt
  2. The Malwarebytes report
 
Hi DR M, thanks once again. Here are the logs (Malwarebytes is in Portuguese, sorry):

PS. I use the Malwarebytes Premium version on my old goldie "Win7 Home" machine, :-)


Malwarebytes
www.malwarebytes.com

-Detalhes de Relatório-
Data da Verificação: 23/06/22
Hora da Verificação: 15:50
Ficheiro de Registo: e35320a0-f303-11ec-a52a-705a0f8881fe.json

-Informação de Software-
Versão: 4.5.9.198
Versão dos Componentes: 1.0.1699
Versão do Pacote de Atualização: 1.0.56423
Licença: Gratuita

-Informação do Sistema-
SO: Windows 10 (Build 19044.1766)
CPU: x64
Sistema de Ficheiros: NTFS
Utilizador: JCCRUZ\Administrador

-Resumo da Verificação-
Tipo de Verificação: Verificação de Ameaças
Verificação Iniciada Por: Manual
Resultado: Concluída
Objetos Verificados: 340724
Ameaças Detetadas: 0
Ameaças Movidas para Quarentena: 0
Tempo Decorrido: 2 min, 51 s

-Opções de Verificação-
Memória: Ativado
Arranque: Ativado
Sistema de Ficheiros: Ativado
Arquivos: Ativado
Rootkits: Desativado
Heurística: Ativado
PPI: Detetar
MPI: Detetar

-Detalhes da Verificação-
Processo: 0
(Nenhum item malicioso detetado)

Módulo: 0
(Nenhum item malicioso detetado)

Chave de Registo: 0
(Nenhum item malicioso detetado)

Valor de Registo: 0
(Nenhum item malicioso detetado)

Dados de Registo: 0
(Nenhum item malicioso detetado)

Fluxo de Dados: 0
(Nenhum item malicioso detetado)

Pasta: 0
(Nenhum item malicioso detetado)

Ficheiro: 0
(Nenhum item malicioso detetado)

Setor Físico: 0
(Nenhum item malicioso detetado)

WMI: 0
(Nenhum item malicioso detetado)


(end)
 

Attachments

Nothing bad is detected, and, to be honest, it was expected. :-)

The section at the bottom of the AdwCleaner log, under Preinstalled Software, is software that was apparently installed when the device was new, which you may or may not use. Personally, I do not keep anything I don't use/need. But it's your computer, so your decision.

If you would like to remove it:
  • Double click AdwCleaner.exe on your Desktop, to run it as you did before.
  • Click Scan Now.
  • When the scan has finished a Scan Results window will open.
  • Please check all the boxes and then click Quarantine.
  • Click Next.
    • If any pre-installed software was found on your machine, a prompt window will open. Click OK to close it.
    • Check any pre-installed software items you want to remove.
    • Click Quarantine.
  • A prompt to save your work will appear.
    • Click Continue when you're ready to proceed.
  • A prompt to restart your computer will appear.
    • Click Restart Now.
  • Once your computer has restarted:
    • If it doesn't open automatically, please start AdwCleaner.
    • Click the Log Files tab.
    • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
    • A Notepad file will open containing the results of the removal.
    • Please post the contents of the file in your next reply.

Regardless of the above, let me now check fresh FRST logs, Addition and FRST. This time, select the option 90 Days Files before you start the Scan.
 
Hi DR M, thanks once more. The software AdwCleaner refers to is from an app for my printer. Here are fresh (90 Days Files) logs.
 

Attachments

Thanks. I'll need some time to review them.

P.S. Preinstalled software has to do with the computer, not the printer.
 
