Virus added exclusions in Windows Defender I can't remove, reset this pc does not work

[LeagueX 0]

Hello,

I tried to cleaned my laptop from an ugly virus which came with some pretty bad PUPs and other dirt.

I cleaned it with Emsisoft Emergency Kit, I checked Firefox extensions, I ran many scans and it appears clean now.

The problem is the virus added exclusions in Windows Defender both in allowed threats (which come back every time I delete them from allowed threats section) and folder exclusions sections. After deleting the specific folders and exclusions from regedit, they still appear in Windows defender, with a greyed out, inactive, remove button.

I deleted the entries from registry:

Komputer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

Furthermore, reset this pc option does not work. I added controlled folder access for Sys32, Program Files x86, and Users.

Here are screenshots of the things I need to delete and logs of Farbar.

 

Please help me

Addition.txt FRST.txt

[Kevin Zoll 309]

Hello @LeagueX,

 

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

 

HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-3298452434-1556392215-2145215963-1001\...\Run: [Zoom] => [X]
GroupPolicy: Restriction - Chrome <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Edge Extension: (TotalСashback — кэшбэк-сервис) - C:\Users\Razvan\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\eofogjfkadmolbbmnlbohhbkhbodcjjm [2021-01-21]
Edge HKLM-x32\...\Edge\Extension: [eofogjfkadmolbbmnlbohhbkhbodcjjm]
2021-01-19 23:42 - 2021-01-19 23:42 - 000000000 ____D C:\ProgramData\48C4687D-9760-4F5B-BAB3-60351B0841E4
2021-01-25 13:20 - 2020-09-27 16:50 - 000008192 ___SH C:\DumpStack.log.tmp
CustomCLSID: HKU\S-1-5-21-3298452434-1556392215-2145215963-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\Razvan\AppData\Local\Microsoft\OneDrive\19.222.1110.0006\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3298452434-1556392215-2145215963-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\Razvan\AppData\Local\Microsoft\OneDrive\19.222.1110.0006\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3298452434-1556392215-2145215963-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\Razvan\AppData\Local\Microsoft\OneDrive\19.222.1110.0006\amd64\FileSyncShell64.dll => No File
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
AlternateDataStreams: C:\Users\Public\AppData:CSM [486]
IE trusted site: HKU\S-1-5-21-3298452434-1556392215-2145215963-1001\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-3298452434-1556392215-2145215963-1001\...\webcompanion.com -> hxxp://webcompanion.com

 

Close Notepad.

 

NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.

 

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

 

IMPORTANT: Save all of your work, as the next step may reboot your computer.

 

Run FRST and press the Fix button just once and wait.

 

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

 

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

 

NOTE: If the tool warns you about an outdated version please download and run the updated version.

 

Also, let me know how the machine is running now, and what remaining issues you've noticed.

[LeagueX 0]

Hello Sir,

Nothing appears to be changed. The folder exclusions are still greyed out in Windows Defender and viruses are still allowed. It appears Windows Defender's Controlled folder's access blocked a FRST process. Should I disable it? (I activated because powershell kept messing with Sys32). I have attached the fixlog and a screenshot.Fixlog.txt

 

Thank you

Fixlog.txt

[Kevin Zoll 309]

I would like for you to run a third-party tool that aggressively targets Adware, Junkware, and PUPs.

Download AdwCleaner and save it to your desktop.

• Right-click AdwCleaner.exe and select Run as Administrator.
• Read and accept the End User License Agreement.
• Press the Scan Now button and wait for it to complete.
• A window titled Scan Results will open.
• Select Cancel.
• Click the Log Files button on the left pane.
• Double-click the newest log file to open it in Notepad. (AdwCleaner[Sxx].txt, where x is replaced by a number)
• Attach the scan log to your next reply.

Note: the AdwCleaner log is also saved to C:\AdwCleaner\Logs\AdwCleaner[Sxx].txt

[LeagueX 0]

I attached the AdwCleaner log. I did not use or voluntarily download Lavasoft.

AdwCleaner[S00].txt

[LeagueX 0]

Browsing through start menu I found this shady .exe located in System32. Should I delete it?

[Kevin Zoll 309]

You can let AdwCleaner remove the following:

PUP.Optional.WebCompanion       C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft\WebCompanion
PUP.Optional.Legacy             C:\Users\Razvan\AppData\Roaming\Mozilla\Firefox\Profiles\xmllcvw7.default\searchplugins\yahoo-lavasoft.xml
PUP.Optional.Legacy             HKCU\Software\Microsoft\Internet Explorer\Main|Start Page
PUP.Optional.WebCompanion       HKCU\Software\Lavasoft\Web Companion
PUP.Optional.WebCompanion       HKLM\Software\Wow6432Node\Lavasoft\Web Companion

 

5 minutes ago, LeagueX said:

Browsing through start menu I found this shady .exe located in System32. Should I delete it?

Yes, you can delete that.

[LeagueX 0]

The viruses are still allowed in Windows Defender and the exclusion paths are still there. I attached the cleaning log.

AdwCleaner[C01].txt

[Kevin Zoll 309]

OK, going to switch to a tool that will take a more indepth look at the system.

Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop.

• Double-click on setup.exe to install RogueKiller.

Close all programs and disconnect any USB or external drives before running the tool.

• Right-click RogueKiller.exe and select Run As Administrator to run the tool.
• Once the Prescan has finished, click Scan.
• Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.

[LeagueX 0]

I ran a full (standard) scan.

RogueKiller.txt

[Kevin Zoll 309]

Your scans are not showing any malware.

You may have to remove the exclusions by manually editing the Registry.

Windows stores Defender exclusions in HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows Defender > Exclusions > Paths

Exercise caution when manually editing the registry.

[LeagueX 0]

That registry seems empty although Defender shows the paths (I added that exclusion just now to see if that's the registry path). Hope it's a bug. Thank you very much for your prompt and professional help.

 

Sincerely,

LeagueX

[Kevin Zoll 309]

Might be a bug with defender.  I suggest visiting Microsoft Community and seeing if they can help sort out the issue with Defender.

https://answers.microsoft.com/en-us

[LeagueX 0]

Thank you very much Kevin, my PC is running like new.

I know you are busy and I don't want to take much of your time, but can you please also look at my other pc's log for any malware?

FRST.txt Addition.txt

[Kevin Zoll 309]

Your FRST reports do not show any malware.

[LeagueX 0]

Thank you. The topic can be closed.

[Kevin Zoll 309]

You are welcome.

Topic Closed.