Scrooge

Need help to remove greyed out exclusions and corrupted registry keys


Hi there guys,

I recently helped a friend to clear his laptop (Dell, Windows 10 Home, 64-bit).

What happened was he got some pretty bad PUPs and other dirt.

I was able to clean it up meticulously with Emsisoft Emergency Kit, I checked Firefox extensions according to Emsisoft article here, I ran many scans and it is clean now.

No redirection, no PUPs, nothing, zilch, looks like it's clean and it is clean. Everything is working as it should be working.

The only thing that is left is the list of greyed out exclusions that these viruses and malware programs forced Windows Defender Antivirus to exclude.

You can't remove them because they are greyed out. Obviously I found them in the registry at this location:

Komputer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

Here is the screenshot of the keys I need to delete. They correspond exactly to the greyed out exclusions in Windows Defender Antivirus that I also need to delete.

But I can't delete the registry keys because of the error pop-up. It's like a catch-22 situation.

Of course I can do a clean Windows refresh install, but maybe there's some way to delete these registry keys first and then maybe the exclusion list will "ungrey"

automatically, because doing a new install is too easy and the computer seems to be working just fine. Even better than before, after I cleaned all this dirt.

Please help


Registry keys to delete.jpg

Hello,

I would like to get a couple of logs from a third-party tool we use to help us identify problem areas.

Download Farbar Recovery Scan Tool and save it to your desktop.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to your desktop.
For x64 (x64) bit systems download Farbar Recovery Scan Tool x64 and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


Hi Kevin, thank you very much for your prompt reply. Here are both Farbar text files you requested.
I ran Farbar first thing when I got my hands on this laptop today. That was the very first thing I did
after I booted it up. I'm sorry it's in Polish but I hope this is not going to be a problem for you.

I also wanted to update on these undeletable exclusions from both registry and Windows defender.

I was able to successfully delete these malicious exclusions from the above locations. This is what I did.

1. After Farbar I restarted the computer in safe boot using msconfig. Then I changed the ownership of the
"Paths" key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths from "SYSTEM" to "Everyone", giving it full access.

2. Then I deleted all these exclusions shown in the picture in my previous post.

3. After that I checked Windows defender exclusions. They were still there. But I didn't give up. I found the second list of the same exclusions in another location
in registry and I deleted them all.

4. After that I went to the Windows Defender exclusion section to check if they were still there. Now they were gone. There was nothing there.

5. Then I rebooted in normal mode to check if everything is ok.

6. Then I restarted in safe mode again and scanned the whole computer:

a) first with Kaspersky Virus Removal Tool (KVRT.exe). It took almost an hour. No threats were found.
b) second with Malwarebytes - no threats were found.
c) third with Emsisoft Emergency Kit - no threats were found.
d) fourth with HitmanPro - no threats were found.
e) fifth with Zemana AntiMalware portable - no threats were found.
f) sixth with Windows Defender Antivirus scanner - no threats were found.

I think it's clean now, but I'm still not sure, but that may be because I'm a bit paranoid.
Do you think it would be wise to still do a clean Windows install in this case?

Someone had the same problem reported to Microsoft Community here:

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/unable-to-remove-exclusions-from-window-defender/028c5bc3-6e10-45ad-b432-34049759e3c8


Addition.txt

FRST.txt

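The two posts above describe exclusions that were added by the malware, show up greyed out in the Defender UI, and live in the registry under Windows Defender\Exclusions\Paths. The PowerShell script below is an added example for auditing that situation on your own machine; it is not from this thread, not an Emsisoft or FRST tool, and nothing in it deletes anything. It assumes that Group Policy-managed exclusions are stored under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths (the usual reason an exclusion is greyed out is that a policy, not the local setting, is enforcing it; the thread does not name the "second location" the poster found), and that Defender logs configuration changes as Event ID 5007 in its Operational log. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): audit Windows Defender path exclusions
# from the local and the policy registry locations plus the Defender cmdlet
# view, show who owns each key, and list recent configuration-change events.
# Assumptions: the Policies\... key is where policy-managed (greyed out)
# exclusions are stored; Event ID 5007 is "Windows Defender configuration has
# changed". Read-only: nothing here removes an exclusion.

function Get-DefenderExclusionReport {
    [CmdletBinding()]
    param()

    $locations = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths',          # local (UI / Set-MpPreference)
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'  # policy-managed (assumed location)
    )

    $fromRegistry = foreach ($loc in $locations) {
        if (-not (Test-Path -Path $loc)) { continue }
        # Owner of the key: normally SYSTEM; a changed owner is itself worth noting.
        $owner = (Get-Acl -Path $loc).Owner
        # Each exclusion is stored as a value whose NAME is the excluded path
        # (the data is a DWORD 0), so the value names are what we want.
        $valueNames = Get-Item -Path $loc | Select-Object -ExpandProperty Property
        foreach ($name in $valueNames) {
            [pscustomobject]@{
                Source   = if ($loc -like '*\Policies\*') { 'Policy' } else { 'Local' }
                Path     = $name
                KeyOwner = $owner
                Exists   = Test-Path -LiteralPath $name   # excluded path still on disk?
            }
        }
    }

    # Cross-check against what the Defender engine itself reports as active.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    $fromCmdlet = foreach ($p in @($pref.ExclusionPath)) {
        if ($p) {
            [pscustomobject]@{
                Source   = 'Get-MpPreference'
                Path     = $p
                KeyOwner = 'n/a'
                Exists   = Test-Path -LiteralPath $p
            }
        }
    }

    @($fromRegistry) + @($fromCmdlet)
}

function Get-DefenderConfigChangeEvents {
    param([int]$MaxEvents = 25)
    # Event 5007 records a Defender configuration change; its message names the
    # registry value that changed, which is how an exclusion added by malware
    # shows up in the timeline.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 5007
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-DefenderExclusionReport | Format-Table -AutoSize
Get-DefenderConfigChangeEvents | Format-List
```

Reading the report: an entry whose Source is Local can be cleared with the supported cmdlet (Remove-MpPreference -ExclusionPath '<path>') rather than by editing the key; an entry whose Source is Policy will come back, or stay greyed out in the UI, until the policy that sets it is removed, which matches the experience in the post above of deleting one list and still seeing the exclusions. The KeyOwner column lets you confirm afterwards whether a key still has its normal SYSTEM owner, which is relevant to the ownership question asked further down the thread.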

One more thing,


Should I change back the ownership of "Paths" in this location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths from "Everyone" to "SYSTEM"?


You want my help or do you want to fix it yourself?  You are doing things that I did not request that you do.  You are running the risk of damaging your system beyond repair. Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.

Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in.

Start::
    HKU\S-1-5-21-2321107616-3240194887-1935080380-1001\...\Run: [ZX0-o4ZoPs.exe] => C:\Program Files\Windows Mail\0GOL48158EWEFHVXF7NHVW\ZX0-o4ZoPs.exe
    HKU\S-1-5-21-2321107616-3240194887-1935080380-1001\...\MountPoints2: {b6e15567-7866-11e8-8d4c-30f77227d230} - "F:\setup.EXE" /AUTORUN
    GroupPolicy: Ograniczenia - Windows Defender <==== UWAGA
    GroupPolicy\User: Ograniczenia ? <==== UWAGA
    SearchScopes: HKU\S-1-5-21-2321107616-3240194887-1935080380-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    S1 prisafe; \SystemRoot\System32\drivers\prisafe.sys [X]
    2018-06-26 11:56 - 2018-06-26 16:30 - 000000000 ____D C:\Users\Teresa\AppData\Roaming\kg3aobc1v4k
    2018-06-26 11:56 - 2018-06-26 11:57 - 000000034 _____ C:\Users\Public\Documents\{DE764086-1C0A-4DD3-90BA-0B93BDD794BE}
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> Brak pliku
    Task: {6310806F-AD15-4C3D-8BC5-F161B2139E1B} - \Microsoft\Windows\UNP\RunCampaignManager -> Brak pliku <==== UWAGA
    HKU\S-1-5-21-2321107616-3240194887-1935080380-1001\...\StartupApproved\Run: => "ZX0-o4ZoPs.exe"
End::

I'm sorry Kevin, you're absolutely right. I shouldn't have done that. It won't happen again.

Here is the fixlog text file the program created. I did as you instructed. I copied everything from Start to End and clicked the Fix button. And as you said, it read it from the clipboard, I guess, because the popup said "Repair is finished, close all windows and restart your computer. After restart you won't receive any notification from this tool".


I'm sorry again that I didn't follow your instructions right away.

Fixlog.txt


This next tool targets Adware and Junkware in general.

Please download AdwCleaner and save it on your desktop.

  1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  2. Double click on the AdwCleaner icon to run it.
  3. You will need to accept the license agreement from Malwarebytes in order to continue.
  4. Click on the Scan button in the lower-left.
  5. When the scan is done, a log will open in Notepad. You can close this Notepad window before continuing.
  6. If something was found on your computer, then click on the Clean button in the lower-left (where the "Scan" button was earlier).
  7. AdwCleaner will warn you that it will close all running processes (programs). Click OK to continue when ready.
  8. After the cleaning process is done, you will be prompted to restart your computer. Please click Reboot now when ready to restart your computer.
  9. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  10. Please attach that log file to a reply for me to review.
  11. If you lose that log file for any reason, you can find it at C:\AdwCleaner[C0] on your computer.


Did you have AdwCleaner delete this detection, PUP.Optional.TweakBit HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\tweakbit.com? If not, run it again and delete it. The cleaning log always follows this format: AdwCleaner[C0]. AdwCleaner[S00].txt is a scan log.


Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


Double-click on this entry in EEK:

09.07.2018 09:16:23    Użytkownik DESKTOP-FLS179Q\TERESA    Infekcja została usunięta    Średniego ryzyka Malware "Adware.Linkury.CX (B)" w "installer.dat".

Export it to a text file and send me that file. I need the full path to the installer.dat that is being detected.


Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in.

Start::
    SearchScopes: HKU\S-1-5-21-2321107616-3240194887-1935080380-1001 -> DefaultScope {0C071E52-C62C-4B94-93C4-75168CF6C68A} URL =
    SearchScopes: HKU\S-1-5-21-2321107616-3240194887-1935080380-1001 -> {0C071E52-C62C-4B94-93C4-75168CF6C68A} URL =
    2018-06-24 15:07 - 2018-06-24 15:07 - 000000168 ____H () C:\Program Files\Common Files\restore_rev.bat
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\installer.dat
End::


Things are running smoothly thanks to you. I really appreciate it. Thank you very much Kevin.

I really don't want to put you out, you helped me a lot already,
but if you could just take a look at these Farbar scans of another laptop for any possible signs of malware.

FRST.txt

Addition.txt


Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in.

Start::
    HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <==== ATTENTION
    HKU\S-1-5-21-829221180-3900804615-1205485820-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
    HKU\S-1-5-21-829221180-3900804615-1205485820-1001\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 1
    HKU\S-1-5-21-829221180-3900804615-1205485820-1001\...\Policies\Explorer: [NoResolveSearch] 1
    HKU\S-1-5-21-829221180-3900804615-1205485820-1001\...\Policies\Explorer: [NoInternetOpenWith] 1
    BHO: No Name -> {27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5} -> No File
    Toolbar: HKU\S-1-5-21-829221180-3900804615-1205485820-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
    R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-01-31] (SUPERAntiSpyware.com)
    S3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [55232 2018-07-03] ()
    R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    R1 ZAM; C:\WINDOWS\System32\drivers\zam64.sys [203680 2018-07-03] (Zemana Ltd.)
    R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [203680 2018-07-03] (Zemana Ltd.)
    2018-07-09 22:58 - 2018-07-09 22:58 - 000255928 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\52516528.sys
    2018-07-08 23:16 - 2018-07-08 23:16 - 000000000 ____D C:\KVRT_Data
    2018-07-08 16:28 - 2018-07-08 16:28 - 000255928 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\7251249A.sys
    2018-07-06 00:32 - 2018-07-06 00:32 - 000000000 ____D C:\AdwCleaner
    2018-07-05 18:01 - 2018-07-05 18:01 - 000255928 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\4512F771.sys
    2018-07-05 03:32 - 2018-07-05 03:32 - 000255928 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\2627F53A.sys
    2018-07-05 03:32 - 2018-07-05 03:32 - 000000000 ____D C:\ProgramData\Malwarebytes
    2018-07-05 03:05 - 2018-07-11 18:11 - 000192952 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
    2018-07-05 03:05 - 2018-07-09 23:26 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2018-07-04 23:42 - 2018-07-04 23:43 - 000000000 ____D C:\ProgramData\RogueKiller
    2018-07-04 16:23 - 2018-07-04 07:52 - 007395536 _____ (Malwarebytes) C:\Users\PC user\Documents\AdwCleaner.exe
    2018-07-03 17:44 - 2018-07-12 08:03 - 000281296 _____ C:\WINDOWS\ZAM.krnl.trace
    2018-07-03 17:44 - 2018-07-12 08:03 - 000258222 _____ C:\WINDOWS\ZAM_Guard.krnl.trace
    2018-07-03 17:44 - 2018-07-03 17:44 - 000203680 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zamguard64.sys
    2018-07-03 17:44 - 2018-07-03 17:44 - 000203680 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zam64.sys
    2018-07-03 17:29 - 2018-07-03 17:29 - 000000000 ____D C:\Users\PC user\AppData\Local\Zemana
    2018-07-03 17:25 - 2018-07-03 17:25 - 000055232 _____ C:\WINDOWS\system32\Drivers\hitmanpro37.sys
    2018-07-01 03:33 - 2018-07-01 03:33 - 000024920 _____ (NoVirusThanks Company Srl) C:\WINDOWS\system32\Drivers\RegDeleteEx.sys
    2018-07-10 22:53 - 2018-05-12 00:05 - 000000000 ____D C:\Program Files\SUPERAntiSpyware
    ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
    ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
End::


Fixlog here.

Fixlog.txt

I also have a question. What should I do with the folder FRST on my C: drive? Can I delete it? Because now every time I start the Device Performance & health section it says 1 recommendation, and when I run the troubleshooting it says that SASKUTIL and SASDIFSV don't have drivers, which is quite understandable. I can always dismiss it but I'd like to get rid of it. They belong to the SUPERAntiSpyware software and they are not essential for Windows. I don't have it any more and I don't want it. Can I just delete FRST?

p.s. I'm sorry. It doesn't show any more since I restarted my computer again without dismissing the recommendation.


Yes, you can delete FRST and the FRST folder on drive C.

I can delete the SAS stuff using FRST if you like. I will need a fresh scan from FRST, on the affected computer, to do that.

As far as the laptop, I saw no malware in the logs. Just a bunch of orphaned stuff from security programs no longer installed. I removed that stuff with the FRST fix.


Thank you Kevin.

If I can ask you one more thing. I was wondering, would you advise turning on this relatively recent feature "memory integrity" in Windows Defender Security Center with Emsisoft being installed?
I've heard that some Windows users reported significant slowdowns and a decrease in system performance after they turned it on, even without any antivirus program being installed?

p.s. I just tried to delete it but it doesn't want to be deleted somehow. It says the file or folder is open in another program but I don't know where it can be opened.


Thank you. btw, just deleted FRST

I'm planning to buy an Emsisoft 3-year license. Is there such a thing as an Emsisoft lifetime license?

Anyway, I'd like to thank you for fixing my gal Friday's laptop. I truly appreciate it. The topic can be closed.


No, we do not offer a lifetime license.

You are welcome.  Happy to be of assistance.

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only.  Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair.  Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
