merujmar (Posted March 11)

Hello,

For the last week, every day, I have been getting a notification from Windows Defender saying it quarantined a file it found in the Windows/Temp directory. Different antivirus and anti-malware programs have been run; some report blocking files from that same folder, some don't find anything, some say it found something different every time. I am trying to attach the files required.

Attachments: Addition.txt, FRST.txt, scan_190310-201749.txt

Kevin Zoll (Posted March 12)

Hello,

This is total overkill:

AV: Avira Antivirus (Enabled - Up to date) {88AE6B46-DC3C-455A-A21B-085F285A3546}
AV: Emsisoft Anti-Malware (Disabled - Up to date) {67773CDD-EA83-AD98-A2ED-386463EB3B0D}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}

Of these, 2 of them need to be uninstalled:

AV: Avira Antivirus (Enabled - Up to date) {88AE6B46-DC3C-455A-A21B-085F285A3546}
AV: Emsisoft Anti-Malware (Disabled - Up to date) {67773CDD-EA83-AD98-A2ED-386463EB3B0D}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}

With all that installed, all kinds of strange things can happen.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1311960360-2324220091-4079808086-1001\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-21-1311960360-2324220091-4079808086-1001\...\Policies\Explorer: [NoLogOff] 0
GroupPolicy: Restriction ? <==== ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Task: {4A9EF030-71D4-405E-A52A-F19042281D2B} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
AlternateDataStreams: C:\Users\Public\AppData:CSM [468]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.
If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version, please download and run the updated version.

merujmar (Posted March 15)

Thank you for the response. I have attached the fixlog.txt.

I do not usually use multiple antivirus programs; I was curious what detections each one would have. I only have one active antivirus.

Attachment: Fixlog.txt

Kevin Zoll (Posted March 15)

Let's take a fresh look. Run a fresh scan with FRST, attach the new FRST scan report to your reply.

It is not recommended to run multiple AVs side by side, even when testing. If you are testing an AV you should always uninstall the currently installed AV. Even when one is disabled it will still have active running services that can and often do interfere with the active AV.

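The check Kevin describes in his March 12 and March 15 posts can be automated over the "AV:" lines of a scan log. The following is an added example, not part of the original thread and not FRST's own code; the line pattern is inferred only from the four lines quoted above, and treating Windows Defender as the built-in product that stays is an assumption taken from Kevin's list of candidates to uninstall.

```python
import re
from dataclasses import dataclass

# Constructed sample: the four "AV:" lines quoted in the March 12 post.
SAMPLE_LOG = """\
AV: Avira Antivirus (Enabled - Up to date) {88AE6B46-DC3C-455A-A21B-085F285A3546}
AV: Emsisoft Anti-Malware (Disabled - Up to date) {67773CDD-EA83-AD98-A2ED-386463EB3B0D}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
"""

# Pattern inferred from the lines above: name, (state - definitions), {GUID}.
AV_LINE = re.compile(
    r"^AV:\s+(?P<name>.+?)\s+\((?P<state>Enabled|Disabled)\s+-\s+(?P<defs>[^)]+)\)"
    r"\s+\{(?P<guid>[0-9A-Fa-f-]{36})\}\s*$"
)
# Assumption: Defender ships with Windows, so it is not an uninstall candidate.
BUILT_IN = {"windows defender"}

@dataclass(frozen=True)
class AvEntry:
    name: str
    enabled: bool
    definitions: str
    guid: str

def parse_av_lines(text):
    """Return one AvEntry per distinct product GUID; skip non-matching lines."""
    entries, seen = [], set()
    for line in text.splitlines():
        m = AV_LINE.match(line.strip())
        if m is None:
            continue
        guid = m["guid"].upper()
        if guid in seen:  # same product registered twice
            continue
        seen.add(guid)
        entries.append(AvEntry(m["name"], m["state"] == "Enabled", m["defs"].strip(), guid))
    return entries

def review(entries):
    """Flag coexisting AVs. Disabled products count: their services still run."""
    third_party = [e.name for e in entries if e.name.lower() not in BUILT_IN]
    return {
        "enabled": [e.name for e in entries if e.enabled],
        "third_party": third_party,
        "excess_third_party": max(0, len(third_party) - 1),
        "conflict": len(third_party) > 1,
    }
```

On the sample lines, `review(parse_av_lines(SAMPLE_LOG))` reports two excess third-party products, matching the "2 of them need to be uninstalled" assessment.
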
merujmar (Posted March 17)

Got it, have uninstalled all of them except the one with the most amount of stuff to remove.... Let me know if you need the addition log too.

Attachment: FRST.txt

Kevin Zoll (Posted March 18)

The FRST report looks fine. I see no malware in the log.

How are things running?

merujmar (Posted March 21)

I haven't gotten a notification about anything since, actually! Seems to have worked. What exactly did the fix file do? Should I start taking other measures such as changing passwords?

Kevin Zoll (Posted March 22)

We fixed some broken policies, deleted some orphaned registry items, removed a broken task, and removed an alternate data stream.

I see no reason to change passwords, based on what I saw on the system.

merujmar (Posted March 22)

Much thanks Kevin. I appreciate the help.

Kevin Zoll (Posted March 22)

You are welcome.

Kevin Zoll (Posted March 27)

Thread Closed
Reason: Resolved

PM either Kevin, Elise, or Arthur to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE. If you don't, we are just going to send you back to this thread.