merujmar (posted March 11, 2019)

Hello,

For the last week every day, I have been getting a notification from windows defender saying it quarantined a file it found in the Windows/Temp directory. Different antivirus and anti malware programs have been run, some report blocking files from that same folder, some don't find anything, some say it found something different every time. I am trying to attach the files required.

Attachments: Addition.txt, FRST.txt, scan_190310-201749.txt

Kevin Zoll (posted March 12, 2019)

Hello,

This is total overkill:

    AV: Avira Antivirus (Enabled - Up to date) {88AE6B46-DC3C-455A-A21B-085F285A3546}
    AV: Emsisoft Anti-Malware (Disabled - Up to date) {67773CDD-EA83-AD98-A2ED-386463EB3B0D}
    AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}

Of these, 2 of them need to be uninstalled:

    AV: Avira Antivirus (Enabled - Up to date) {88AE6B46-DC3C-455A-A21B-085F285A3546}
    AV: Emsisoft Anti-Malware (Disabled - Up to date) {67773CDD-EA83-AD98-A2ED-386463EB3B0D}
    AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}

With all that installed all kinds of strange things can happen.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

    HKLM\...\Run: [] => [X]
    HKLM-x32\...\Run: [] => [X]
    HKU\S-1-5-21-1311960360-2324220091-4079808086-1001\...\Policies\Explorer: [NoChangeStartMenu] 0
    HKU\S-1-5-21-1311960360-2324220091-4079808086-1001\...\Policies\Explorer: [NoLogOff] 0
    GroupPolicy: Restriction ? <==== ATTENTION
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    Task: {4A9EF030-71D4-405E-A52A-F19042281D2B} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
    AlternateDataStreams: C:\Users\Public\AppData:CSM [468]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version please download and run the updated version.

merujmar (posted March 15, 2019)

Thank you for the response, I have attached the fixlog.txt. I do not usually use multiple antivirus programs, I was curious what detections each one would have. I only have one active antivirus.

Attachment: Fixlog.txt

Kevin Zoll (posted March 15, 2019)

Let's take a fresh look. Run a fresh scan with FRST, attach the new FRST scan report to your reply.

It is not recommended to run multiple AVs side by side, even when testing. If you are testing an AV you should always uninstall the currently installed AV. Even when one is disabled it will still have active running services that can and often do interfere with the active AV.

merujmar (posted March 17, 2019)

Got it, have uninstalled all of them except the one with the most amount of stuff to remove.... Let me know if you need the addition log too.

Attachment: FRST.txt

Kevin Zoll (posted March 18, 2019)

The FRST report looks fine. I see no malware in the log. How are things running?

merujmar (posted March 21, 2019)

I haven't gotten a notification about anything since actually! Seems to have worked. What exactly did the fix file do? Should I start taking other measures such as changing passwords?

Kevin Zoll (posted March 22, 2019)

We fixed some broken policies, deleted some orphaned registry items, removed a broken task, and removed an alternate data stream. I see no reason to change passwords, based on what I saw on the system.

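Added example (not part of the thread and not FRST's own code): a small parser that groups the fixlist entries posted earlier under the four kinds of change named in the reply above. The line patterns, the category mapping, the function names `classify` and `parse_ads`, and reading the bracketed number as the stream size are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Fixlist entries copied from the March 12 post in this thread.
FIXLIST = r"""HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1311960360-2324220091-4079808086-1001\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-21-1311960360-2324220091-4079808086-1001\...\Policies\Explorer: [NoLogOff] 0
GroupPolicy: Restriction ? <==== ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Task: {4A9EF030-71D4-405E-A52A-F19042281D2B} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
AlternateDataStreams: C:\Users\Public\AppData:CSM [468]
"""

# Assumption: these patterns and labels are this example's reading of the
# entries above; they are not an official FRST grammar.
RULES = [
    ("broken policy", re.compile(r"^GroupPolicy:|\\Policies\\")),
    ("orphaned registry item", re.compile(r"\\Run: \[\] => \[X\]$|^SearchScopes:.*URL =$")),
    ("broken task", re.compile(r"^Task:.*-> No File\b")),
    ("alternate data stream", re.compile(r"^AlternateDataStreams:")),
]
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<host>.+):(?P<stream>[^:\\]+) \[(?P<size>\d+)\]$")
FLAG = "<==== ATTENTION"

def classify(text):
    """Group fixlist lines by category; each item is (entry, flagged_by_tool)."""
    groups = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        flagged = line.endswith(FLAG)
        body = line[:-len(FLAG)].rstrip() if flagged else line
        label = next((name for name, rx in RULES if rx.search(body)), "unclassified")
        groups[label].append((body, flagged))
    return dict(groups)

def parse_ads(body):
    """Split an AlternateDataStreams entry into (host path, stream name, size)."""
    m = ADS_RE.match(body)
    return (m["host"], m["stream"], int(m["size"])) if m else None

if __name__ == "__main__":
    for label, entries in classify(FIXLIST).items():
        print(f"{label}: {len(entries)}")
        for body, flagged in entries:
            print("   ", body, "[flagged in log]" if flagged else "")
```

Any line that matches none of the patterns is reported as `unclassified` rather than dropped, so an unfamiliar entry stands out for manual review.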
merujmar (posted March 22, 2019)

Much thanks Kevin. I appreciate the help.

Kevin Zoll (posted March 22, 2019)

You are welcome.

Kevin Zoll (posted March 27, 2019)

Thread Closed

Reason: Resolved

PM either Kevin, Elise, or Arthur to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system, other than the one they were written for, could result in damaging the Operating System beyond repair.

Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.