
Virus added exclusions in Windows Defender I can't remove, reset this pc does not work



Hello,

I tried to clean my laptop from an ugly virus which came with some pretty bad PUPs and other dirt.

I cleaned it with Emsisoft Emergency Kit, I checked Firefox extensions, I ran many scans and it appears clean now.

The problem is the virus added exclusions in Windows Defender both in the allowed threats section (which come back every time I delete them from the allowed threats section) and in the folder exclusions section. After deleting the specific folders and exclusions from regedit, they still appear in Windows Defender, with a greyed-out, inactive Remove button.

I deleted the entries from registry:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

Furthermore, the Reset this PC option does not work. I added Controlled folder access for Sys32, Program Files (x86), and Users.

Here are screenshots of the things I need to delete and logs of Farbar.

 

Please help me.

Screenshot_1.png

Screenshot_2.png

Addition.txt FRST.txt


Hello @LeagueX,

 

Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

 

HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-3298452434-1556392215-2145215963-1001\...\Run: [Zoom] => [X]
GroupPolicy: Restriction - Chrome <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Edge Extension: (TotalСashback — кэшбэк-сервис) - C:\Users\Razvan\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\eofogjfkadmolbbmnlbohhbkhbodcjjm [2021-01-21]
Edge HKLM-x32\...\Edge\Extension: [eofogjfkadmolbbmnlbohhbkhbodcjjm]
2021-01-19 23:42 - 2021-01-19 23:42 - 000000000 ____D C:\ProgramData\48C4687D-9760-4F5B-BAB3-60351B0841E4
2021-01-25 13:20 - 2020-09-27 16:50 - 000008192 ___SH C:\DumpStack.log.tmp
CustomCLSID: HKU\S-1-5-21-3298452434-1556392215-2145215963-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\Razvan\AppData\Local\Microsoft\OneDrive\19.222.1110.0006\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3298452434-1556392215-2145215963-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\Razvan\AppData\Local\Microsoft\OneDrive\19.222.1110.0006\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3298452434-1556392215-2145215963-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\Razvan\AppData\Local\Microsoft\OneDrive\19.222.1110.0006\amd64\FileSyncShell64.dll => No File
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
AlternateDataStreams: C:\Users\Public\AppData:CSM [486]
IE trusted site: HKU\S-1-5-21-3298452434-1556392215-2145215963-1001\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-3298452434-1556392215-2145215963-1001\...\webcompanion.com -> hxxp://webcompanion.com

 

Close Notepad.

 

NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.

 

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

 

IMPORTANT: Save all of your work, as the next step may reboot your computer.

 

Run FRST and press the Fix button just once and wait.

 

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

 

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

 

NOTE: If the tool warns you about an outdated version please download and run the updated version.

 

Also, let me know how the machine is running now, and what remaining issues you've noticed.


Hello Sir,

Nothing appears to have changed. The folder exclusions are still greyed out in Windows Defender and the viruses are still allowed. It appears Windows Defender's Controlled folder access blocked an FRST process. Should I disable it? (I activated it because PowerShell kept messing with Sys32.) I have attached the fixlog and a screenshot.

 

Thank you

Fixlog.txt


I would like for you to run a third-party tool that aggressively targets Adware, Junkware, and PUPs.

Download AdwCleaner and save it to your desktop.

  • Right-click AdwCleaner.exe and select Run as Administrator.
  • Read and accept the End User License Agreement.
  • Press the Scan Now button and wait for it to complete.
  • A window titled Scan Results will open.
  • Select Cancel.
  • Click the Log Files button on the left pane.
  • Double-click the newest log file to open it in Notepad. (AdwCleaner[Sxx].txt, where x is replaced by a number)
  • Attach the scan log to your next reply.

Note: the AdwCleaner log is also saved to C:\AdwCleaner\Logs\AdwCleaner[Sxx].txt


You can let AdwCleaner remove the following:

PUP.Optional.WebCompanion       C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft\WebCompanion
PUP.Optional.Legacy             C:\Users\Razvan\AppData\Roaming\Mozilla\Firefox\Profiles\xmllcvw7.default\searchplugins\yahoo-lavasoft.xml
PUP.Optional.Legacy             HKCU\Software\Microsoft\Internet Explorer\Main|Start Page
PUP.Optional.WebCompanion       HKCU\Software\Lavasoft\Web Companion
PUP.Optional.WebCompanion       HKLM\Software\Wow6432Node\Lavasoft\Web Companion

 

5 minutes ago, LeagueX said:

Browsing through start menu I found this shady .exe located in System32. Should I delete it?

Screenshot_1.png

Yes, you can delete that.


OK, going to switch to a tool that will take a more in-depth look at the system.

Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop.

  • Double-click on setup.exe to install RogueKiller.

Close all programs and disconnect any USB or external drives before running the tool.

  • Right-click RogueKiller.exe and select Run As Administrator to run the tool.
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.

Your scans are not showing any malware.

You may have to remove the exclusions by manually editing the Registry.

Windows stores Defender exclusions in HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows Defender > Exclusions > Paths

Exercise caution when manually editing the registry.

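The greyed-out Remove button the original poster describes is what the Windows Security UI shows for an exclusion it considers managed, i.e. one that comes from a policy source rather than from the local list that Set-MpPreference and the UI write to. The script below is an added example written for this thread, not the forum helper's procedure and not part of FRST, AdwCleaner or RogueKiller. It reads the effective list from Get-MpPreference, then the local key (HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions), the Group Policy key named in the reply above (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions) and, as a third candidate, the MDM/Defender CSP key under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Defender (the value names ExcludedPaths/ExcludedExtensions/ExcludedProcesses and the "|" separator there are assumptions; check them on your build). It also reports Tamper Protection and the DisableLocalAdminMerge policy value, which makes Defender ignore local edits entirely, and the per-threat "Allow" default actions that back the Allowed threats list. The two Remove functions are destructive and must be reviewed against the report before you call them.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Audits Microsoft Defender exclusions and
# "allowed threats" across the places they can come from, then removes what is
# removable. Run from an elevated PowerShell on the affected machine.

$LocalRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'           # written by the UI / Set-MpPreference
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'  # Group Policy; the UI greys these out
$CspKey     = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender'  # MDM / Defender CSP (assumed layout)
$Lists      = 'Paths', 'Extensions', 'Processes'

function Get-RegistryExclusions {
    # Under each list key every exclusion is a value NAME with DWORD data 0,
    # so the value names, not the data, are what we want.
    param([string]$Root, [string]$Source)
    foreach ($list in $Lists) {
        $key = Join-Path $Root $list
        if (-not (Test-Path $key)) { continue }
        foreach ($name in (Get-Item $key).GetValueNames()) {
            [pscustomobject]@{ Source = $Source; List = $list; Item = $name }
        }
    }
}

function Get-CspExclusions {
    # Assumption: CSP values are single strings with entries separated by "|".
    if (-not (Test-Path $CspKey)) { return }
    $props = Get-ItemProperty -Path $CspKey
    $map = @{ ExcludedPaths = 'Paths'; ExcludedExtensions = 'Extensions'; ExcludedProcesses = 'Processes' }
    foreach ($pair in $map.GetEnumerator()) {
        $raw = $props.($pair.Key)
        if (-not $raw) { continue }
        foreach ($item in ($raw -split '\|')) {
            [pscustomobject]@{ Source = 'MDM'; List = $pair.Value; Item = $item }
        }
    }
}

function Get-DefenderExclusionReport {
    # "Effective" is what the engine honours after merging local and policy lists;
    # comparing it with the three registry sources shows who owns each entry.
    $pref = Get-MpPreference
    $rows = @()
    foreach ($p in $pref.ExclusionPath)      { $rows += [pscustomobject]@{ Source = 'Effective'; List = 'Paths';      Item = $p } }
    foreach ($e in $pref.ExclusionExtension) { $rows += [pscustomobject]@{ Source = 'Effective'; List = 'Extensions'; Item = $e } }
    foreach ($x in $pref.ExclusionProcess)   { $rows += [pscustomobject]@{ Source = 'Effective'; List = 'Processes';  Item = $x } }
    $rows += @(Get-RegistryExclusions -Root $LocalRoot  -Source 'Local')
    $rows += @(Get-RegistryExclusions -Root $PolicyRoot -Source 'Policy')
    $rows += @(Get-CspExclusions)
    $rows
}

function Get-DefenderManagementState {
    # Why a Remove button is greyed: the entry is owned by policy/MDM, or
    # DisableLocalAdminMerge = 1 tells the engine to ignore local lists entirely.
    $policyKey = Split-Path $PolicyRoot -Parent
    $pref = Get-MpPreference
    [pscustomobject]@{
        TamperProtected        = (Get-MpComputerStatus).IsTamperProtected
        PolicyKeyPresent       = Test-Path $policyKey
        DisableLocalAdminMerge = (Get-ItemProperty -Path $policyKey -Name DisableLocalAdminMerge -ErrorAction SilentlyContinue).DisableLocalAdminMerge
        # "Allowed threats" are per-threat default actions; action value 6 = Allow.
        AllowedThreatIds       = $pref.ThreatIDDefaultAction_Ids
        AllowedThreatActions   = $pref.ThreatIDDefaultAction_Actions
    }
}

function Remove-LocalDefenderExclusions {
    # Supported route first: this is the same path the UI uses.
    $pref = Get-MpPreference
    if ($pref.ExclusionPath)      { Remove-MpPreference -ExclusionPath      $pref.ExclusionPath }
    if ($pref.ExclusionExtension) { Remove-MpPreference -ExclusionExtension $pref.ExclusionExtension }
    if ($pref.ExclusionProcess)   { Remove-MpPreference -ExclusionProcess   $pref.ExclusionProcess }
    if ($pref.ThreatIDDefaultAction_Ids) {
        # Drops the "Allow" verdicts so those detections are acted on again.
        Remove-MpPreference -ThreatIDDefaultAction_Ids $pref.ThreatIDDefaultAction_Ids
    }
}

function Remove-PolicyDefenderExclusions {
    # Policy-backed entries cannot be removed by the UI or Remove-MpPreference;
    # delete the policy list keys and re-read policy. On a domain- or MDM-joined
    # machine they will come back from the server, which is the intended behaviour.
    foreach ($list in $Lists) {
        $key = Join-Path $PolicyRoot $list
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    }
    gpupdate.exe /force | Out-Null
}

Get-DefenderManagementState
Get-DefenderExclusionReport | Sort-Object Source, List | Format-Table -AutoSize
# After reviewing the report:
#   Remove-LocalDefenderExclusions; Remove-PolicyDefenderExclusions
#   Get-DefenderExclusionReport   # anything that reappears is being re-added by something still running
```

Read the report before removing anything: an entry that shows up only under Source = Effective, with nothing in Local, Policy or MDM, means the setting is coming from somewhere this script does not enumerate, and an entry that returns a minute after removal means a persistence mechanism is re-adding it, which is a job for the FRST log rather than for regedit. If Remove-MpPreference is refused, check the TamperProtected field first; on a standalone machine that is not enrolled anywhere, a populated Policy key or DisableLocalAdminMerge = 1 is itself a finding, since nothing legitimate should have put it there.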

That registry seems empty although Defender shows the paths (I added that exclusion just now to see if that's the registry path). Hope it's a bug. Thank you very much for your prompt and professional help.

 

Sincerely,

LeagueX

Registries.png

This topic is now closed to further replies.