Kevin Zoll

Emsisoft Employee
  • Content Count

    18510
  • Joined

  • Last visited

  • Days Won

    168

Everything posted by Kevin Zoll

  1. The Windows Defender restrictions is likely a permissions issue and you will need to reset system permissions to their defaults using Windows Repair (All In One). https://www.bleepingcomputer.com/download/windows-repair-all-in-one/
  2. That should take care of everything. How are things running?
  3. Copy the below code to Notepad; Save As fixlist.txt to your Desktop. Task: {AD61C44E-AB59-4CA7-9813-267C0109B90C} - \{F671ACEE-123F-402D-9569-6FA78514D210} -> No File <==== ATTENTION Task: {D347C392-82B1-4629-BD2E-0F64828FAFF6} - \{AEB0B1A2-83B5-40DE-A0DB-CEAED321E4AC} -> No File <==== ATTENTION HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = HKU\S-1-5-21-3615462294-2877540407-2494349180-1000\Software\Classes\.scr: AutoCADScriptFile => C:\WINDOWS\system32\notepad.exe "%1" Close Notepad. NOTE: It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version please download and run the updated version.
  4. Let's take a fresh look. Run a fresh scan with FRST, attach the new FRST scan reports to your reply.
  5. Thread ClosedReason: ResolvedPM either Kevin, Elise, or Arthur to have this thread reopened.The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system, other than the one they were written for, could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread
  6. You are welcome. Thread ClosedReason: ResolvedPM either Kevin, Elise, or Arthur to have this thread reopened.The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system, other than the one they were written for, could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread
  7. Your logs look fine. Unless you are still having problems. Now to remove most of the tools that we have used in fixing your machine: Download Delfix from here and save it to your Desktop. Double-Click on Delfix to run it. Ensure Remove disinfection tools is checked. Also place a checkmark next to: Create registry backup Purge system restore Click the Run button. When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad. Empty the Recycle Bin You can delete and uninstall any programs I had you download, that you do not wish to keep on the system. To Remove EEK simple delete the EEK for in the of your System Drive, normally C:\EEK Run Windows Update and update your Windows Operating System. That should take care of everything. Safe Surfing!
  8. Let's get one more set of logs from FRST. Run a fresh scam with FRST, attach the new FRST scan reports to your reply.
  9. Things better or the same?
  10. Close all programs and disconnect any USB or external drives before running the tool. Double-click RogueKiller.exe to run the tool again. Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished". Select the following items: [PUP.Gen1 (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\simplitec -- N/A -> Found [PUP.Emotiplus (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-3615462294-2877540407-2494349180-1000\Software\Emotiplus -- N/A -> Found [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-3615462294-2877540407-2494349180-1000\Software\Popcorn Time -- N/A -> Found [PUP.Popcorn (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-3615462294-2877540407-2494349180-1000\Software\PopcornTime -- N/A -> Found [PUP.Gen1 (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-3615462294-2877540407-2494349180-1000\Software\WebApp -- N/A -> Found [PUP.Popcorn (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Popcorn Time_is1 -- N/A -> Found [Tr.DNSChanger (Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b68dd92b-2ea6-415e-860e-7a19ec872a0f}|NameServer -- 213.166.69.3,185.143.221.60 (missing) -> Found [PUM.Policies (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System|ConsentPromptBehaviorAdmin -- 0 -> Found [PUP.HackTool (Potentially Malicious)] (folder) AutoKMS -- C:\Windows\AutoKMS -> Found [PUP.OnlineIO (Potentially Malicious)] (folder) AdvinstAnalytics -- C:\Users\User\AppData\Local\AdvinstAnalytics -> Found [PUP.Popcorn (Potentially Malicious)] (folder) PopcornTime -- C:\Users\User\AppData\Local\PopcornTime -> Found [PUP.Popcorn (Potentially Malicious)] (folder) PopcornTimeDesktop -- C:\Users\User\AppData\Local\PopcornTimeDesktop -> Found [PUP.Gen1|PUP.Popcorn (Potentially Malicious)] (folder) Popcorn Time -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Popcorn Time -> Found [PUP.Gen1 (Potentially Malicious)] (folder) simplitec -- C:\ProgramData\simplitec -> Found [PUP.Gen1|PUP.Popcorn (Potentially Malicious)] (folder) Popcorn Time -- C:\Program Files (x86)\Popcorn Time -> Found Click the Delete button. Attach the RogueKiller report to your next reply. The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex.txt) The highest number of [X], is the most recent Delete log.
  11. Fernando, You are welcome. Happy to be of assistance. Now to remove most of the tools that we have used in fixing your machine: Download Delfix from here and save it to your Desktop. Double-Click on Delfix to run it. Ensure Remove disinfection tools is checked. Also place a checkmark next to: Create registry backup Purge system restore Click the Run button. When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad. Empty the Recycle Bin You can delete and uninstall any programs I had you download, that you do not wish to keep on the system. To Remove EEK simple delete the EEK for in the of your System Drive, normally C:\EEK Run Windows Update and update your Windows Operating System. That should take care of everything. Safe Surfing!
  12. Changing tools. Download AdwCleaner and save it on your Desktop. Close all open programs and Internet browsers (you may want to print out or write down these instructions first). Double click on adwcleaner.exe to run the tool. Click on the Scan button. After the scan has finished, click on the Clean button. Confirm each time with OK. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your Desktop. Attach that log file to your reply. NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.
  13. Let's take a fresh look. Run a fresh scan with FRST, attach the new FRST scan reports to your reply.
  14. Close all programs and disconnect any USB or external drives before running the tool. Double-click RogueKiller.exe to run the tool again. Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished". Select the following items: [VT.Detected (Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run|TaskBarTransparent -- C:\Program Files (x86)\WinASO\EasyTweak\Transparent.exe -> Found [PUM.SearchEngine (Potentially Malicious)] browser.search.defaultenginename (C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\45qmebu7.default\prefs.js) -- Yahoo! Search Engine -> Found [PUM.SearchEngine (Potentially Malicious)] browser.search.selectedEngine (C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\45qmebu7.default\prefs.js) -- Yahoo! Search Engine -> Found Click the Delete button. Attach the RogueKiller report to your next reply. The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex.txt) The highest number of [X], is the most recent Delete log.
  15. Changing tools. Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop. Double-click on setup.exe to install RogueKiller. Close all programs and disconnect any USB or external drives before running the tool. Right-click RogueKiller.exe and select Run As Administrator to run the tool. Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.
  16. Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in. Start:: HKLM-x32\...\RunOnce: [GrpConv] => grpconv -o HKU\S-1-5-21-1273970154-3299082852-1378959178-1001\...\Run: [61942366] => C:\ProgramData\Intel\Wireless\0217207\gfbdcja.exe [893608 2019-08-12] (AutoIt Consulting Ltd -> AutoIt Team) Task: {8136E2E3-4BDE-4D8D-B947-2C0909D88222} - System32\Tasks\Bitdefender Agent WatchDog_65D6944A0EF74FDAB96E31112AD39864 => C:\Program Files\Bitdefender Agent\WatchDog.exe R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2018-10-30] (Zemana Ltd. -> Zemana Ltd.) C:\ProgramData\Intel\Wireless\0217207\gfbdcja.exe C:\Program Files\Bitdefender Agent C:\Windows\System32\drivers\zamguard64.sysShellIconOverlayIdentifiers: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => -> No File ShellIconOverlayIdentifiers: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} => -> No File ShellIconOverlayIdentifiers: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => -> No File ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File ShellIconOverlayIdentifiers-x32: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => -> No File ShellIconOverlayIdentifiers-x32: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} => -> No File ShellIconOverlayIdentifiers-x32: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => -> No File ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files (x86)\Notepad++\NppShell_06.dll [2019-01-27] (Notepad++ -> ) ContextMenuHandlers1: [DriveFS 28 or later] -> {EE15C2BD-CECB-49F8-A113-CA1BFC528F5B} => -> No File ContextMenuHandlers1: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => -> No File ContextMenuHandlers2: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => -> No File ContextMenuHandlers3: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => -> No File ContextMenuHandlers4: [DriveFS 28 or later] -> {EE15C2BD-CECB-49F8-A113-CA1BFC528F5B} => -> No File ContextMenuHandlers4: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => -> No File ContextMenuHandlers5: [DriveFS 28 or later] -> {EE15C2BD-CECB-49F8-A113-CA1BFC528F5B} => -> No File FirewallRules: [{0FEBB621-769E-4F75-B4AF-47DAFCC3D047}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe No File FirewallRules: [{970A9628-51B9-4A3B-BEE2-191D5D287A2B}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe No File FirewallRules: [{AE0CAA10-E268-4290-B4FC-E6C7E21E69BC}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe No File FirewallRules: [{1178F113-F167-4238-A1BB-9BA7C01A482C}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe No File End::
  17. Changing tools. Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop. Double-click on setup.exe to install RogueKiller. Close all programs and disconnect any USB or external drives before running the tool. Right-click RogueKiller.exe and select Run As Administrator to run the tool. Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.
  18. To make sure I did not miss something do the following. Download AdwCleaner and save it on your Desktop. Close all open programs and Internet browsers (you may want to print out or write down these instructions first). Double click on adwcleaner.exe to run the tool. Click on the Scan button. After the scan has finished, click on the Clean button. Confirm each time with OK. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your Desktop. Attach that log file to your reply. NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.
  19. OK, that looks like it worked. Let's take a fresh look. Run a fresh scan with FRST, attach the new FRST scan reports to your reply.
  20. Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in. Start:: (Chromium.) [File not signed] C:\Program Files (x86)\Chromium\Update\ChromiumUpdate.exe HKU\S-1-5-21-1095538760-4157375823-701317930-1001\...\Run: [Chromium] => c:\users\user\appdata\local\chromium\application\chrome.exe [828416 2017-01-23] (The Chromium Authors) [File not signed] Task: {241A4877-6727-4B60-A82F-6575E0C22DB4} - System32\Tasks\ChromiumUpdateTaskMachineCore => C:\Program Files (x86)\Chromium\Update\ChromiumUpdate.exe [102400 2019-09-06] (Chromium.) [File not signed] Task: {9EED6B4F-C669-4340-8CC4-86009921183C} - System32\Tasks\ChromiumUpdateTaskMachineUA => C:\Program Files (x86)\Chromium\Update\ChromiumUpdate.exe [102400 2019-09-06] (Chromium.) [File not signed] FF Plugin-x32: @chbrowserupdate.com/Chromium Update;version=3 -> C:\Program Files (x86)\Chromium\Update\1.3.99.0\npChromiumUpdate3.dll [2019-09-06] (Chromium.) [File not signed] FF Plugin-x32: @chbrowserupdate.com/Chromium Update;version=9 -> C:\Program Files (x86)\Chromium\Update\1.3.99.0\npChromiumUpdate3.dll [2019-09-06] (Chromium.) [File not signed] S2 chromium; C:\Program Files (x86)\Chromium\Update\ChromiumUpdate.exe [102400 2019-09-06] (Chromium.) [File not signed] S3 chromiumm; C:\Program Files (x86)\Chromium\Update\ChromiumUpdate.exe [102400 2019-09-06] (Chromium.) [File not signed] 2019-09-22 15:58 - 2019-09-22 15:58 - 000000000 ____D C:\WINDOWS\System32\Tasks\S-1-5-21-1095538760-4157375823-701317930-1001 2019-09-06 15:56 - 2019-09-06 15:56 - 000003440 _____ C:\WINDOWS\System32\Tasks\ChromiumUpdateTaskMachineUA 2019-09-06 15:56 - 2019-09-06 15:56 - 000003316 _____ C:\WINDOWS\System32\Tasks\ChromiumUpdateTaskMachineCore 2019-09-06 15:55 - 2019-09-06 15:55 - 000000000 ____D C:\Program Files (x86)\Chromium 2019-09-06 16:15 - 2018-11-30 14:25 - 000000299 _____ C:\Users\User\d4ac4633ebd6440fa397b84f1bc94a3c.7z ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\3405b694b8ac5858\Chromium.lnk -> C:\Users\User\AppData\Local\chromium\Application\chrome.exe (The Chromium Authors) -> --profile-directory=Default 2019-09-06 15:55 - 2019-09-06 15:55 - 001742336 ____T (Chromium.) [File not signed] C:\Program Files (x86)\Chromium\Update\1.3.99.0\chromiumpdate.dll C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\3405b694b8ac5858\Chromium.lnk C:\Users\User\AppData\Local\chromium\Application\chrome.exe C:\Users\User\AppData\Local\chromium\Application C:\Users\User\AppData\Local\chromium C:\Program Files (x86)\Chromium\Update\ChromiumUpdate.exe C:\Program Files (x86)\Chromium\Update\1.3.99.0\npChromiumUpdate3.dll C:\Program Files (x86)\Chromium\Update\1.3.99.0 C:\Program Files (x86)\Chromium\Update C:\Program Files (x86)\Chromium End::
  21. Your logs show that you are using KMSpico to bypass the activation and licensing systems for the copy of Windows 7 Ultimate Service Pack 1 in use on this system. Until such time that the copy of Windows on this system is properly licensed and activated no further help will be forthcoming.
  22. Ahmad, Let's take a fresh look. Run a fresh scan with FRST, attach the new FRST scan logs to your reply.