LeagueX (Posted January 25):
Hello, I tried to clean my laptop from an ugly virus which came with some pretty bad PUPs and other dirt. I cleaned it with Emsisoft Emergency Kit, I checked Firefox extensions, I ran many scans and it appears clean now. The problem is the virus added exclusions in Windows Defender, both in the allowed threats section (they come back every time I delete them from the allowed threats section) and in the folder exclusions section. After deleting the specific folders and exclusions from regedit, they still appear in Windows Defender, with a greyed-out, inactive Remove button. I deleted the entries from the registry: Komputer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths. Furthermore, the "Reset this PC" option does not work. I added controlled folder access for Sys32, Program Files x86, and Users. Here are screenshots of the things I need to delete and the Farbar logs. Please help me.
Attachments: Addition.txt, FRST.txt
Kevin Zoll (Posted January 25):
Hello @LeagueX,
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-3298452434-1556392215-2145215963-1001\...\Run: [Zoom] => [X]
GroupPolicy: Restriction - Chrome <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Edge Extension: (TotalСashback — кэшбэк-сервис) - C:\Users\Razvan\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\eofogjfkadmolbbmnlbohhbkhbodcjjm [2021-01-21]
Edge HKLM-x32\...\Edge\Extension: [eofogjfkadmolbbmnlbohhbkhbodcjjm]
2021-01-19 23:42 - 2021-01-19 23:42 - 000000000 ____D C:\ProgramData\48C4687D-9760-4F5B-BAB3-60351B0841E4
2021-01-25 13:20 - 2020-09-27 16:50 - 000008192 ___SH C:\DumpStack.log.tmp
CustomCLSID: HKU\S-1-5-21-3298452434-1556392215-2145215963-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\Razvan\AppData\Local\Microsoft\OneDrive\19.222.1110.0006\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3298452434-1556392215-2145215963-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\Razvan\AppData\Local\Microsoft\OneDrive\19.222.1110.0006\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3298452434-1556392215-2145215963-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\Razvan\AppData\Local\Microsoft\OneDrive\19.222.1110.0006\amd64\FileSyncShell64.dll => No File
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
AlternateDataStreams: C:\Users\Public\AppData:CSM [486]
IE trusted site: HKU\S-1-5-21-3298452434-1556392215-2145215963-1001\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-3298452434-1556392215-2145215963-1001\...\webcompanion.com -> hxxp://webcompanion.com

Close Notepad.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
IMPORTANT: Save all of your work, as the next step may reboot your computer.
Run FRST and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
NOTE: If the tool warns you about an outdated version, please download and run the updated version.
Also, let me know how the machine is running now, and what remaining issues you've noticed.
LeagueX (Posted January 26):
Hello Sir, nothing appears to have changed. The folder exclusions are still greyed out in Windows Defender and the viruses are still allowed. It appears Windows Defender's Controlled Folder Access blocked an FRST process. Should I disable it? (I activated it because PowerShell kept messing with Sys32.) I have attached the fixlog and a screenshot. Thank you.
Attachment: Fixlog.txt
Kevin Zoll (Posted January 26):
I would like for you to run a third-party tool that aggressively targets Adware, Junkware, and PUPs.
1. Download AdwCleaner and save it to your desktop.
2. Right-click AdwCleaner.exe and select Run as Administrator.
3. Read and accept the End User License Agreement.
4. Press the Scan Now button and wait for it to complete.
5. A window titled Scan Results will open. Select Cancel.
6. Click the Log Files button on the left pane.
7. Double-click the newest log file to open it in Notepad (AdwCleaner[Sxx].txt, where x is replaced by a number).
8. Attach the scan log to your next reply.
Note: the AdwCleaner log is also saved to C:\AdwCleaner\Logs\AdwCleaner[Sxx].txt
LeagueX (Posted January 26):
I attached the AdwCleaner log. I did not use or voluntarily download Lavasoft.
Attachment: AdwCleaner[S00].txt
LeagueX (Posted January 26):
Browsing through the Start menu I found this shady .exe located in System32. Should I delete it?
Kevin Zoll (Posted January 26):
You can let AdwCleaner remove the following:
PUP.Optional.WebCompanion C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft\WebCompanion
PUP.Optional.Legacy C:\Users\Razvan\AppData\Roaming\Mozilla\Firefox\Profiles\xmllcvw7.default\searchplugins\yahoo-lavasoft.xml
PUP.Optional.Legacy HKCU\Software\Microsoft\Internet Explorer\Main|Start Page
PUP.Optional.WebCompanion HKCU\Software\Lavasoft\Web Companion
PUP.Optional.WebCompanion HKLM\Software\Wow6432Node\Lavasoft\Web Companion

Quoting LeagueX (5 minutes ago): "Browsing through the Start menu I found this shady .exe located in System32. Should I delete it?"
Yes, you can delete that.
LeagueX (Posted January 26):
The viruses are still allowed in Windows Defender and the exclusion paths are still there. I attached the cleaning log.
Attachment: AdwCleaner[C01].txt
Kevin Zoll (Posted January 26):
OK, going to switch to a tool that will take a more in-depth look at the system.
1. Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop.
2. Double-click on setup.exe to install RogueKiller.
3. Close all programs and disconnect any USB or external drives before running the tool.
4. Right-click RogueKiller.exe and select Run As Administrator to run the tool.
5. Once the Prescan has finished, click Scan.
6. Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.
LeagueX (Posted January 26):
I ran a full (standard) scan.
Attachment: RogueKiller.txt
Kevin Zoll (Posted January 27):
Your scans are not showing any malware. You may have to remove the exclusions by manually editing the Registry. Windows stores Defender exclusions in HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows Defender > Exclusions > Paths. Exercise caution when manually editing the registry.
LeagueX (Posted January 27):
That registry key seems empty although Defender shows the paths (I added that exclusion just now to see if that's the registry path). Hope it's a bug. Thank you very much for your prompt and professional help.
Sincerely, LeagueX
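The thread so far has looked in two different registry locations for the same exclusions (the local key LeagueX cleaned in the first post, and the Policies key Kevin points to above) and has also run into Controlled Folder Access blocking FRST. The following is an added PowerShell audit script, not part of the thread and not written by either participant, that lists Defender exclusions from both keys side by side, shows the effective set as Defender itself reports it, decodes the "allowed threats" overrides, and dumps the Controlled Folder Access and Tamper Protection state. It assumes Windows 10 with the built-in Defender PowerShell module (Get-MpPreference, Get-MpComputerStatus) and an elevated prompt; the registry key names and the meaning of action code 6 (Allow) are documented Defender behaviour, but treat the "where a greyed-out entry comes from" interpretation in the usage note as an assumption.

```powershell
# Added example (not from this thread): audit where Windows Defender exclusions,
# allowed-threat overrides and Controlled Folder Access settings come from.
# Run from an elevated PowerShell prompt on Windows 10 with the Defender module.
# Assumption: these two keys are the local and policy-managed exclusion stores.
$LocalBase  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-DefenderExclusionEntries {
    # Exclusions are stored as value NAMES (the path, extension or process name)
    # with DWORD data 0 under Exclusions\Paths, \Extensions and \Processes.
    param([string]$Base, [string]$Source)
    foreach ($sub in 'Paths', 'Extensions', 'Processes') {
        $key = Join-Path $Base "Exclusions\$sub"
        if (-not (Test-Path $key)) { continue }
        foreach ($name in (Get-Item $key).GetValueNames()) {
            [pscustomobject]@{ Source = $Source; Type = $sub; Entry = $name; Key = $key }
        }
    }
}

function Get-DefenderThreatOverrides {
    # "Allowed threats" in the Windows Security app are ThreatIDDefaultAction
    # overrides on the Defender preferences; action code 6 means Allow.
    $pref    = Get-MpPreference
    $ids     = @($pref.ThreatIDDefaultAction_Ids)
    $actions = @($pref.ThreatIDDefaultAction_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{
            ThreatID = $ids[$i]
            Action   = $actions[$i]
            Allowed  = ($actions[$i] -eq 6)
        }
    }
}

'== Exclusions stored in the registry (Local = Windows Security app / Set-MpPreference, Policy = Policies hive) =='
$entries = @()
$entries += Get-DefenderExclusionEntries -Base $LocalBase  -Source 'Local'
$entries += Get-DefenderExclusionEntries -Base $PolicyBase -Source 'Policy'
if ($entries.Count -eq 0) { 'none found in either key' } else { $entries | Format-Table -AutoSize }

'== Effective exclusions as Defender reports them =='
$pref = Get-MpPreference
'Paths:      ' + (@($pref.ExclusionPath)      -join '; ')
'Extensions: ' + (@($pref.ExclusionExtension) -join '; ')
'Processes:  ' + (@($pref.ExclusionProcess)   -join '; ')

'== Threat action overrides (Allowed = True is what the app lists under allowed threats) =='
Get-DefenderThreatOverrides | Format-Table -AutoSize

'== Controlled Folder Access =='
'Mode (0 = off, 1 = on, 2 = audit): ' + $pref.EnableControlledFolderAccess
'Protected folders: ' + (@($pref.ControlledFolderAccessProtectedFolders)    -join '; ')
'Allowed apps:      ' + (@($pref.ControlledFolderAccessAllowedApplications) -join '; ')

'== Tamper Protection =='
'IsTamperProtected: ' + (Get-MpComputerStatus).IsTamperProtected
```

Reading the output: an entry that appears only under Policy is, by assumption, the kind the Windows Security app shows greyed out with a disabled Remove button, and it is cleared by deleting that value from the Policies key (or via the policy that wrote it); an entry under Local is the kind that Remove-MpPreference -ExclusionPath clears. If neither key holds the path yet Get-MpPreference still lists it, the exclusion is being supplied by something other than these two keys, which is the situation LeagueX describes and a reasonable point to take it to Microsoft support as Kevin suggests. A cleanup tool blocked by Controlled Folder Access, as FRST was, can be whitelisted for the duration of the cleanup with Add-MpPreference -ControlledFolderAccessAllowedApplications followed by the tool's full path, then removed again with Remove-MpPreference.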
Kevin Zoll (Posted January 28):
Might be a bug with Defender. I suggest visiting Microsoft Community and seeing if they can help sort out the issue with Defender. https://answers.microsoft.com/en-us
LeagueX (Posted January 29):
Thank you very much Kevin, my PC is running like new. I know you are busy and I don't want to take much of your time, but can you please also look at my other PC's logs for any malware?
Attachments: FRST.txt, Addition.txt
Kevin Zoll (Posted January 29):
Your FRST reports do not show any malware.
LeagueX (Posted January 30):
Thank you. The topic can be closed.
Kevin Zoll (Posted February 1):
You are welcome. Topic Closed.