Kevin Zoll

Any AV/AM you install is going to have always-on components. There is no way getting around it, they all install services that are always running in the background.

FRSTshows that Malwarebytes is installed but not in Windows Security Center as being installed. Uninstall Malwarebytes and let me know if that resolves the issue or not.

You are welcome.

Hi, Yes, your system needed the KB4012213 update for ExternalBlue vulnerable SMB services.

Thread Closed Reason: Lack of Response PM either Kevin, Elise, or Arthur to have this thread reopened. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.

Globemaster 2.0 cannot be decrypted. Having backups of your data is the best line of defense against ransomware.

Thread Closed Reason: Lack of Response PM either Kevin, Elise, or Arthur to have this thread reopened. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.

That video was made 18 months ago, using EAM version 12. There has been a myriad of improvements in EAM since that video was made. What you are asking for will add a lot of overhead to EAM and goes beyond what an Anti-Malware is supposed to do. We strive to keep EAM bloat free and lightweight.

Michiel, The email was likely a hoax. I do not see any signs that the computer is infected, in your logs, but there are several orphaned registry entries that should be fixed. Copy the below code to Notepad; Save As fixlist.txt to your Desktop. FF HKLM-x32\...\Thunderbird\Extensions: [[email protected]] - C:\Program Files\McAfee\MSK => niet gevonden FF Plugin: @mcafee.com/MSC,version=10 -> C:\Program Files\mcafee\msc\npMcSnFFPl64.dll [Geen bestand] FF Plugin-x32: @mcafee.com/MSC,version=10 -> C:\Program Files (x86)\McAfee\msc\npMcSnFFPl.dll [Geen bestand] CustomCLSID: HKU\S-1-5-21-2331795345-1990132498-1874067920-1001_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4}\InprocServer32 -> C:\Users\Michiel\AppData\Local\Google\Update\1.3.33.5\psuser_64.dll => Geen bestand CustomCLSID: HKU\S-1-5-21-2331795345-1990132498-1874067920-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Michiel\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => Geen bestand CustomCLSID: HKU\S-1-5-21-2331795345-1990132498-1874067920-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Michiel\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => Geen bestand CustomCLSID: HKU\S-1-5-21-2331795345-1990132498-1874067920-1001_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\Michiel\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll => Geen bestand CustomCLSID: HKU\S-1-5-21-2331795345-1990132498-1874067920-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\Michiel\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => Geen bestand ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> Geen bestand Task: {00FE41CA-7B29-4559-BD28-2AE7A3A59290} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> Geen bestand <==== AANDACHT Task: {079B0A72-DB4A-478E-8688-919A977C1F4B} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> Geen bestand <==== AANDACHT Task: {10869C67-F4D4-4B69-9F51-975881154AB0} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> Geen bestand <==== AANDACHT Task: {184075DB-7837-4CBA-AC89-55974322EE17} - \DistromaticSearchProtect-hourly -> Geen bestand <==== AANDACHT Task: {1FC3A4BB-BA26-46B3-86B8-49D2D9DA3EC3} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> Geen bestand <==== AANDACHT Task: {2D827E64-AD92-4B4D-A15F-B0514BD0EB4F} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> Geen bestand <==== AANDACHT Task: {349378EF-9EC8-49B0-8ED8-52082D951866} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> Geen bestand <==== AANDACHT Task: {38853BFC-97F1-4A9D-9538-A03F9D5CA97B} - \DistromaticUpdater-periodic -> Geen bestand <==== AANDACHT Task: {3A25382F-3CA6-4A50-9CEC-FC583C09FA9B} - \DistromaticUpdater-logon -> Geen bestand <==== AANDACHT Task: {4115FACE-0727-4F2C-8981-84D75B2B2EB0} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> Geen bestand <==== AANDACHT Task: {7EDA7545-3726-4F0F-9BEB-F067372D964F} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> Geen bestand <==== AANDACHT Task: {90165556-E732-4AC6-BC39-DFC8A8B566A9} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> Geen bestand <==== AANDACHT Task: {A0DC9528-6628-4FD4-AA0F-7641F39F09B4} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> Geen bestand <==== AANDACHT Task: {BB453D9F-B1E2-48E9-9064-58C2F8BC6C84} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> Geen bestand <==== AANDACHT Task: {C318C674-3ADA-4DEA-B764-B70D01962B47} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> Geen bestand <==== AANDACHT Task: {C74C24DD-F8C1-4360-AB2D-B8D1D7E9EF52} - \WPD\SqmUpload_S-1-5-21-2331795345-1990132498-1874067920-1004 -> Geen bestand <==== AANDACHT Task: {CD16DF04-C397-4477-BE4A-159FC2BD9DBF} - \WPD\SqmUpload_S-1-5-21-2331795345-1990132498-1874067920-1001 -> Geen bestand <==== AANDACHT Task: {CEF0F84B-8DB6-42B6-A198-31E23D964D24} - \DistromaticSearchProtect-logon -> Geen bestand <==== AANDACHT Task: {CF24D2A2-C4C0-4254-B88B-AE008FA00C6D} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> Geen bestand <==== AANDACHT Task: {D0B558E8-9F5A-47D1-9179-ED11BDEA9A5F} - \CCleanerSkipUAC -> Geen bestand <==== AANDACHT Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. Note: If the tool warns you about an outdated version please download and run the updated version.

You are welcome, happy to be of assistance. Thread Closed Reason: Resolved The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.

Unless you are having problems, it is time to do the final steps. Now to remove most of the tools that we have used in fixing your machine: Download Delfix from here and save it to your desktop. Ensure Remove disinfection tools is checked. Also place a checkmark next to: Create registry backup Purge system restore Click the Run button. When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad. Empty the Recycle Bin You can delete and uninstall any programs I had you download, that you do not wish to keep on the system. To Remove EEK simple delete the EEK for in the of your System Drive, normally C:\EEK Run Windows Update and update your Windows Operating System. Articles to Read: How to Protect Your Computer From Malware How to keep you and your Windows PC happy Web, email, chat, password and kids safety How Did I Get Infected? That should take care of everything. Safe Surfing!

Your FRST logs look fine. Looks like everything is gone. How are things running?

Copy the below code to Notepad; Save As fixlist.txt to your Desktop. S3 WinmonFS; \??\C:\Windows\System32\drivers\WinmonFS.sys [X] C:\Windows\System32\drivers\WinmonFS.sys 2018-03-18 21:23 - 2018-03-18 21:23 - 000000180 _____ () C:\Users\user\AppData\Local\Temp\00e481b5e22dbe1f649fcddd505d3eb7.dll 2018-03-18 21:23 - 2018-03-18 21:36 - 000000017 _____ () C:\Users\user\AppData\Local\Temp\c0d13d4a83dca5f1ae6fcf4f5f92f277.dll 2018-03-20 03:08 - 2018-03-18 12:59 - 001665384 _____ (Microsoft Corporation) C:\Users\user\AppData\Local\Temp\dllnt_dump.dll 2018-03-22 00:05 - 2018-03-22 00:05 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180321210523231.dll 2018-03-22 00:05 - 2018-03-22 00:05 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180321210524449.dll 2018-03-22 00:05 - 2018-03-22 00:05 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180321210525243.dll 2018-03-22 00:05 - 2018-03-22 00:05 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180321210555743.dll 2018-03-22 00:06 - 2018-03-22 00:06 - 002153984 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180321210626608.dll AlternateDataStreams: C:\Users\Public\AppData:CSM [478] Reg: reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinmonFS" /f Reg: reg delete "HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinmonFS" /f Reg: reg delete "HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WinmonFS" /f Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. Note: If the tool warns you about an outdated version please download and run the updated version.

Run a fresh scan with FRST, attach the new FRSTscan reports to your reply.

How are things running?