Kevin Zoll

Kaspersky is most likely intercepting the Trojan first and deleting it from memory before Emsisoft has a chance to detect it. When one detects something and takes action the other security software will not because there is nothing to detect. Another scenario is that KIS and EAM are in conflict. Reboot the system to Safe Mode and uninstall EAM.

Got some stuff left to deal with. Copy the below code to Notepad; Save As fixlist.txt to your Desktop. HKU\S-1-5-21-134639683-2103454891-1955695026-1001\...\MountPoints2: {13c274de-c4f0-11e2-be66-806e6f6e6963} - "H:\TT.exe" HKU\S-1-5-21-134639683-2103454891-1955695026-1004\...\Policies\Explorer: [NoViewContextMenu] 0 HKU\S-1-5-21-134639683-2103454891-1955695026-1005\...\Policies\Explorer: [NoViewContextMenu] 0 ProxyEnable: [.DEFAULT] => Proxy is enabled. ProxyServer: [.DEFAULT] => http=127.0.0.1:47574 SearchScopes: HKU\S-1-5-21-134639683-2103454891-1955695026-1004 -> DefaultScope {355AFF09-EA2C-4AC6-B74C-2BE76AE1E7B9} URL = SearchScopes: HKU\S-1-5-21-134639683-2103454891-1955695026-1004 -> {355AFF09-EA2C-4AC6-B74C-2BE76AE1E7B9} URL = SearchScopes: HKU\S-1-5-21-134639683-2103454891-1955695026-1005 -> DefaultScope {355AFF09-EA2C-4AC6-B74C-2BE76AE1E7B9} URL = SearchScopes: HKU\S-1-5-21-134639683-2103454891-1955695026-1005 -> {355AFF09-EA2C-4AC6-B74C-2BE76AE1E7B9} URL = Toolbar: HKU\S-1-5-21-134639683-2103454891-1955695026-1004 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File Toolbar: HKU\S-1-5-21-134639683-2103454891-1955695026-1005 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File 2015-05-03 17:07 - 2015-05-13 11:08 - 0000133 _____ () C:\Users\Ash\AppData\Roaming\WB.CFG 2015-05-05 22:07 - 2015-05-05 22:07 - 0274045 _____ () C:\Users\Ash\AppData\Local\dsi1.dat 2015-05-05 22:07 - 2015-05-05 22:07 - 0161916 _____ () C:\Users\Ash\AppData\Local\dsi2.dat 2016-09-23 11:44 - 2016-09-23 11:44 - 0000000 ____H () C:\ProgramData\DP45977C.lfl 2013-05-24 23:32 - 2013-05-24 23:32 - 0000119 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log 2013-05-24 23:30 - 2013-05-24 23:30 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log 2013-05-24 23:30 - 2013-05-24 23:31 - 0000111 _____ () C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log 2013-05-24 23:29 - 2013-05-24 23:30 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log 2013-05-24 23:31 - 2013-05-24 23:32 - 0000108 _____ () C:\ProgramData\{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}.log 2017-04-28 10:36 - 2017-04-28 10:36 - 0739904 _____ (Oracle Corporation) C:\Users\Ash\AppData\Local\Temp\jre-8u131-windows-au.exe AlternateDataStreams: C:\Users\Ash\Desktop\bunk bed 2.jpeg:3or4kl4x13tuuug3Byamue2s4b [81] AlternateDataStreams: C:\Users\Ash\Desktop\guardianship.jpeg:3or4kl4x13tuuug3Byamue2s4b [81] AlternateDataStreams: C:\Users\Ash\Desktop\signature.jpeg:3or4kl4x13tuuug3Byamue2s4b [81] Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. Note: If the tool warns you about an outdated version please download and run the updated version.

Do the following: Copy the below code to Notepad; Save As fixlist.txt to your Desktop. HKU\S-1-5-21-2036737855-1592510443-1916522820-1001\...\MountPoints2: {b1957a76-8fa1-11e2-9a65-806e6f6e6963} - E:\autorun.exe SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = FF SearchEngineOrder.1: Mozilla\Firefox\Profiles\lnj2x8cg.default -> Ask.com FF SelectedSearchEngine: Mozilla\Firefox\Profiles\lnj2x8cg.default -> Ask.com FF Plugin: @microsoft.com/GENUINE -> disabled [No File] 2015-09-07 15:54 - 2015-09-07 15:54 - 48519888 _____ (Microsoft Corporation) C:\Users\Owner\AppData\Local\Temp\MouseKeyboardCenterx86_1033.exe 2012-10-02 13:15 - 2012-10-02 13:15 - 0612712 _____ (NVIDIA Corporation) C:\Users\Owner\AppData\Local\Temp\nvStInst.exe 2013-12-14 12:36 - 2013-12-14 12:36 - 44809728 _____ (Logitech, Inc.) C:\Users\Owner\AppData\Local\Temp\qc_a402013b_7656_4f6f_b57f_5a8ef69f5fc4_32.exe 2014-05-12 08:27 - 2009-01-22 15:10 - 0244224 _____ (Thomson Reuters) C:\Users\Owner\AppData\Local\Temp\Risweb32.exe CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" => No File CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> "C:\Users\User\AppData\Local\Google\Update\1.3.21.115\GoogleUpdateOnDemand.exe" => No File CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> "C:\Users\User\AppData\Local\Google\Update\1.3.21.115\GoogleUpdateOnDemand.exe" => No File CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> "C:\Users\User\AppData\Local\Google\Update\1.3.21.115\GoogleUpdateOnDemand.exe" => No File CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\localserver32 -> "C:\Users\User\AppData\Local\Google\Chrome\Application\21.0.1180.79\delegate_execute.exe" => No File CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll => No File CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll => No File CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.21.115\psuser.dll => No File CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> "C:\Users\User\AppData\Local\Google\Update\1.3.21.115\GoogleUpdateOnDemand.exe" => No File CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.21.115\psuser.dll => No File CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.21.111\psuser.dll => No File Task: {338B53FC-D00F-4C1C-996E-6E8C37CA3255} - \WPD\SqmUpload_S-1-5-21-2036737855-1592510443-1916522820-1000 -> No File <==== ATTENTION Task: {68A26E26-3DC5-4C4D-89BF-F8D94A5B12BB} - \GoogleUpdateTaskUserS-1-5-21-2036737855-1592510443-1916522820-1000UA -> No File <==== ATTENTION Task: {7715A9B4-D067-4697-A88D-E0760619FAAA} - \GoogleUpdateTaskUserS-1-5-21-2036737855-1592510443-1916522820-1000Core -> No File <==== ATTENTION Task: {EFD6ACC5-7D01-4774-A0FC-C9A108894A00} - System32\Tasks\{76F3F346-6DBB-4C4C-93DF-82CE57F216C3} => pcalua.exe -a C:\Users\Owner\Downloads\lide20lide30n670un676un1240uvst7031a_xpen\SetupSG.exe -d C:\Users\Owner\Downloads\lide20lide30n670un676un1240uvst7031a_xpen Shortcut: C:\Users\Owner\Documents\Scanlan\PhD\LeximancerProjects\Leximancer 3 Config.lnk -> C:\Documents and Settings\s310646\Leximancer-Desktop\Leximancer3Config.bat (No File) Shortcut: C:\Users\Owner\Documents\Scanlan\PhD\LeximancerProjects\Leximancer 3.lnk -> C:\Documents and Settings\s310646\Leximancer-Desktop\Leximancer3.bat (No File) Close Notepad. NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply. Note: If the tool warns you about an outdated version please download and run the updated version.

Do the following: Copy the below code to Notepad; Save As fixlist.txt to your Desktop. 2017-06-14 22:26 - 2017-06-14 22:41 - 00000000 ____D C:\ProgramData\54F3DE4E-B7BA-4EBD-8B3B-385D272CC583 2017-06-05 19:06 - 2017-06-05 19:06 - 00000000 ____D C:\PFS9.6PE_TMP CustomCLSID: HKU\S-1-5-21-1859121148-3297737988-798245751-1004_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\d_hen_000\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-1859121148-3297737988-798245751-1004_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\d_hen_000\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-1859121148-3297737988-798245751-1004_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\d_hen_000\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-1859121148-3297737988-798245751-1004_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\d_hen_000\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-1859121148-3297737988-798245751-1004_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\d_hen_000\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-1859121148-3297737988-798245751-1004_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\d_hen_000\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-1859121148-3297737988-798245751-1004_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\d_hen_000\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-1859121148-3297737988-798245751-1004_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\d_hen_000\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-1859121148-3297737988-798245751-1004_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\d_hen_000\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-1859121148-3297737988-798245751-1004_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\d_hen_000\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-1859121148-3297737988-798245751-1004_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\d_hen_000\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File Task: {009A5F0D-2DA9-44B6-A2A3-43B2BC86C63E} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION Task: {02B012DA-7929-4E4E-8279-5C3C5B691CB1} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION Task: {0D115502-8943-4445-A192-CF379FC9BAD7} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION Task: {29306902-F836-48FA-9E8F-1C70114EDDBA} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION Task: {3284DCB1-3182-4B95-A243-E1B547D8B1C9} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION Task: {342252F4-2004-4BF6-8B90-7563C8B21CEC} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION Task: {504597F3-8644-4F70-A673-7101E2BE69E8} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION Task: {894D167C-5C65-4907-9A8C-8E9F5067FC9F} - \WPD\SqmUpload_S-1-5-21-1859121148-3297737988-798245751-1004 -> No File <==== ATTENTION Task: {9E5764F5-DDE1-477A-8817-D42578B8BA4D} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION Task: {A0D07939-409B-4409-82FE-F078BE0A6668} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION Task: {C5A95ED7-F259-4D55-BAA5-159FAB629E01} - \WPD\SqmUpload_S-1-5-21-1859121148-3297737988-798245751-1001 -> No File <==== ATTENTION Task: {CE0E0E10-4C9E-423C-94FE-F0D40E2CCBA0} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION Task: {DBCD8EFD-260A-4493-AAE0-C04545DA5192} - \WPD\SqmUpload_S-1-5-21-1859121148-3297737988-798245751-1011 -> No File <==== ATTENTION Task: {E09AB2D2-B65D-4B94-9F96-BB9475659087} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION AlternateDataStreams: C:\ProgramData\TEMP:7FFED16F [251] C:\WINDOWS\TEMP\_ir_sf_temp_0 C:\WINDOWS\TEMP\_ir_sf_temp_1 F:\Users\David_Admin\AppData\Local\temp\searchprotector.exe C:\Windows\Temp\{0DAE4005-BC0C-4E11-BEC3-5914B3F1090C}\{E7B72F44-8204-42D5-8DB6-A609B3698D2A}\{CDF00FAA-65ED-4215-A4D0-EDAA9994F65B}\{B639BC47-FAE6-483A-BE73-F16B8F4E5161}\IFA2.exe C:\Windows\Temp\{0DAE4005-BC0C-4E11-BEC3-5914B3F1090C}\{E7B72F44-8204-42D5-8DB6-A609B3698D2A}\{CDF00FAA-65ED-4215-A4D0-EDAA9994F65B}\{B639BC47-FAE6-483A-BE73-F16B8F4E5161} C:\Windows\Temp\{0DAE4005-BC0C-4E11-BEC3-5914B3F1090C}\{E7B72F44-8204-42D5-8DB6-A609B3698D2A}\{CDF00FAA-65ED-4215-A4D0-EDAA9994F65B} C:\Windows\Temp\{0DAE4005-BC0C-4E11-BEC3-5914B3F1090C}\{E7B72F44-8204-42D5-8DB6-A609B3698D2A} C:\Windows\Temp\{0DAE4005-BC0C-4E11-BEC3-5914B3F1090C}\{59BDD013-15C8-4E4D-A383-9C5E30D52EA2}\IFA2.exe C:\Windows\Temp\{0DAE4005-BC0C-4E11-BEC3-5914B3F1090C}\{59BDD013-15C8-4E4D-A383-9C5E30D52EA2} C:\Windows\Temp\{0DAE4005-BC0C-4E11-BEC3-5914B3F1090C}\{A9F02E8A-BC32-4CB5-AB6B-F815101B7E09}\IFA2.exe C:\Windows\Temp\{0DAE4005-BC0C-4E11-BEC3-5914B3F1090C}\{A9F02E8A-BC32-4CB5-AB6B-F815101B7E09} C:\Windows\Temp\{0DAE4005-BC0C-4E11-BEC3-5914B3F1090C} C:\Users\David\AppData\Local\Temp\NVI2_29.DLL Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. Note: If the tool warns you about an outdated version please download and run the updated version.

We do not ask you to change any of the settings in FRST, for a reason. Re-run FRST with its default settings and send me the new FRST logs.

Hello, I have sent you a private message. I will be handling this issue via the private message system. So, please reply there for the duration of your support request.

Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply. Be sure to let me know how things are running.

Hello David, PClock (Updated) encrypted files cannot be decrypted for free. You can try a data recovery tool like Recuva or EaseUS Data Recovery Wizard, but there is no guarantee that either one will be able to recover the original files. Alternatively, you may want to look into hiring a company that specializes in forensic data recovery, that can be expensive.

Thread Closed Reason: Lack of Response PM either Kevin, Elise, or Arthur to have this thread reopened. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop. HKLM-x32\...\Run: [AnonymizerGadget] => C:\Users\Ash\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe [349704 2017-04-03] (Jetico ltd) <===== ATTENTION HKLM\...\Policies\Explorer: [NoViewContextMenu] 0 HKU\S-1-5-21-134639683-2103454891-1955695026-1001\...\Run: [Zoom] => [X] HKU\S-1-5-21-134639683-2103454891-1955695026-1001\...\Policies\Explorer: [NoViewContextMenu] 0 HKU\S-1-5-21-134639683-2103454891-1955695026-1001\...\MountPoints2: {13c274de-c4f0-11e2-be66-806e6f6e6963} - "H:\TT.exe" GroupPolicyUsers\S-1-5-21-134639683-2103454891-1955695026-1005\User: Restriction <======= ATTENTION GroupPolicyUsers\S-1-5-21-134639683-2103454891-1955695026-1004\User: Restriction <======= ATTENTION GroupPolicyUsers\S-1-5-21-134639683-2103454891-1955695026-1001\User: Restriction <======= ATTENTION ProxyEnable: [.DEFAULT] => Proxy is enabled. ProxyServer: [.DEFAULT] => http=127.0.0.1:47574 ProxyEnable: [S-1-5-21-134639683-2103454891-1955695026-1001] => Proxy is enabled. ProxyServer: [S-1-5-21-134639683-2103454891-1955695026-1001] => http=127.0.0.1:47574 ManualProxies: 1http=127.0.0.1:47574 SearchScopes: HKU\S-1-5-21-134639683-2103454891-1955695026-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKU\S-1-5-21-134639683-2103454891-1955695026-1001 -> {355AFF09-EA2C-4AC6-B74C-2BE76AE1E7B9} URL = Toolbar: HKU\S-1-5-21-134639683-2103454891-1955695026-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File CHR HomePage: Default -> homepage.ssoextension.com CHR DefaultSearchKeyword: Default -> ssoextension.com CHR DefaultSuggestURL: Default -> hxxp://suggest.ssoextension.com/suggest?q={searchTerms} S2 slinit; C:\ProgramData\Microsoft\Windows\WinLogonUpdater\slinit.exe [7074304 2017-03-27] () [File not signed] 2015-11-01 16:01 - 2015-11-01 16:01 - 0000000 _____ () C:\Users\Ash\AppData\Local\{4EAA2E0C-1969-4665-96F5-9E82458CE586} 2015-10-24 03:59 - 2015-11-01 15:59 - 0000000 _____ () C:\Users\Ash\AppData\Local\{F9FC633F-B9D5-47FA-A7A0-5553CE12CA16} C:\Users\Ash\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe Task: {0F5BA732-C930-4C5D-A826-7C368D10309E} - \WPD\SqmUpload_S-1-5-21-134639683-2103454891-1955695026-1005 -> No File <==== ATTENTION Task: {105E5B4A-817E-435D-8A99-0507B8F3581C} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION Task: {165255A7-58B6-42A2-9CFF-3F1B7D3EC517} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION Task: {181BDE66-051B-4E11-853C-4A8DB2BCD193} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION Task: {4A415C87-2C26-43A0-80B3-2AE3F7DB76D3} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION Task: {4D790CB4-24F0-438F-97AB-0A46E33BF4F0} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION Task: {527B0568-EF43-4D1C-A71E-4DF355FE4A50} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION Task: {58294E5C-3EB6-46C4-81AB-F7CA786CCFFC} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION Task: {5BF9F377-52DC-4123-B4E1-400E9D11CEA1} - System32\Tasks\{A7889A8A-262C-4890-B4EE-65AD5399AAB7} => pcalua.exe -a C:\Users\Ash\AppData\Roaming\istart123\UninstallManager.exe -c -ptid=tugs Task: {5D041C88-0155-45E0-97A6-4433386012FB} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION Task: {6D97C1B2-7FDC-44DC-887D-F472C7FC445C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION Task: {772E5CFD-F3AB-4827-820C-288B5842933C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION Task: {9647DBC9-4F99-4A78-B145-29E094E0BCF4} - \WebDiscover Browser Launch Task -> No File <==== ATTENTION Task: {9F4EAC7E-089A-4BD3-AA71-6FB82A262351} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION Task: {AD37586E-976F-415F-80E7-9C9477E02116} - \WPD\SqmUpload_S-1-5-21-134639683-2103454891-1955695026-1001 -> No File <==== ATTENTION Task: {E3F22BB6-3BAA-4B31-BD25-3277BABF2679} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION Task: {F2FA8D7B-0733-4804-B4E0-4981173AF6F0} - \WebDiscover Browser Update Task -> No File <==== ATTENTION Task: {FA808367-BD5B-41CF-AEA7-80559ED110DE} - \WPD\SqmUpload_S-1-5-21-134639683-2103454891-1955695026-1004 -> No File <==== ATTENTION AlternateDataStreams: C:\Users\Ash\Desktop\bunk bed 2.jpeg:3or4kl4x13tuuug3Byamue2s4b [81] AlternateDataStreams: C:\Users\Ash\Desktop\bunk bed 2.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0] AlternateDataStreams: C:\Users\Ash\Desktop\guardianship.jpeg:3or4kl4x13tuuug3Byamue2s4b [81] AlternateDataStreams: C:\Users\Ash\Desktop\guardianship.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0] AlternateDataStreams: C:\Users\Ash\Desktop\signature.jpeg:3or4kl4x13tuuug3Byamue2s4b [81] AlternateDataStreams: C:\Users\Ash\Desktop\signature.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0] C:\ProgramData\Microsoft\Windows\WinLogonUpdater\slinit.exe Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. Note: If the tool warns you about an outdated version please download and run the updated version.

I have sent you a private message.

Donna, Which protection guard is not starting?

Edge should do a default browser check when it starts unless you tell it not to. It should also ask you about add-ons and the sending usage information when it is started for the first time.

Thread Closed Reason: Lack of Response PM either Kevin, Elise, or Arthur to have this thread reopened. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.

Whether or not EEK finds anything we still want the log. Your logs look fine. I see no signs of malware in the logs.