Mysterious Overlay

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Ron Kelly, Jan 1, 2024.

  1. Ron Kelly

    Ron Kelly Private E-2

    Don't know if this is posted in the right place, but here's the issue I've been unable to resolve.
    Started up HP desktop PC today with HP monitor, running Windows 10. When desktop came up there is a square white box overlay that has appeared in the lower right corner of the desktop. The box is empty except for the words "ATUS MONITOR." The overlay appears on every screen of every app or website I open.
    When I right-click on the box/overlay, there is no response.
    NOTE: I've had others send me advice referencing an ASUS monitor, but I have no ASUS monitor. The text in the overlay box says ATUS MONITOR.
    Do you have any clue as to how I might get rid of this overlay?

    Without any recourse at this point, my last resort is to copy important files, wipe out everything and reset the system to factory condition and then reinstall whatever I must. Not something I'm especially fond of doing:(
     
  2. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings and welcome to the Major Geeks Malware Forum.

    This doesn't sound like malware but let's see what we can find.

    Please do this.

    ===================================================

    Farbar Recovery Scan Tool (FRST)

    --------------------
    • Download Farbar Recovery Scan Tool for 64 bit systems and save (or copy and paste) the file onto your Desktop
    • Right click on the icon and select Run as administrator
    • Note: If you receive any warning about the download it is a false positive and you can ignore it. Click on More info to get the Run anyway option
    • Click Yes to the disclaimer
    • Click Scan and allow the program to run
    • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
    • 2 Notepad documents should now be open on your desktop.
    • Please attempt to copy and paste each report in a separate reply. If unable to do so attach both reports.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.

    • FRST.txt
    • Addition.txt
     
  3. Ron Kelly

    Ron Kelly Private E-2

    Thanks for your reply.
    FRST and Addition reports attached as requested.
     
  4. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings.

    I see you have also posted at Windows 10 Forum and you have received a reply. In order to avoid confusion or competing directives you should only be receiving assistance by one helper at a time. Let me know which site you would like to receive sole direction from.
     
  5. Ron Kelly

    Ron Kelly Private E-2

    Seeking only your advice and direction going forward. The only advice I had received from Ten Forums talked about an ASUS Monitor -- which I don't have. Mine is an HP monitor.
     
  6. Oh My!

    Oh My! Malware Expert Staff Member

    Very good, thank you.

    We have a lot to cover. There are things to address beyond the ATUS issue.

    Do you recognize these programs?

    -----

    Your security software situation is a bit muddied. We need to straighten it out. I would recommend removing everything except Windows Defender for now, and if you want a different active antivirus program we can address that later.

    -----

    There is very little free space available which can result in performance issues and can prevent the successful creation of System Restore Points. Currently you do not show any System Restore Points which can be an issue generally and is certainly an issue during our current process. We need to establish a fallback position should something unforeseen happen, though I don't expect that.

    I would like us to start by removing the antivirus programs and clear out temporary files to see if we can free up enough space to create a System Restore Point. Please do this.

    Please do these things.

    ===================================================

    Uninstalling Programs Using Revo Uninstaller

    --------------------

    I recommend uninstalling the below listed program(s) from your computer.

    • Right click on Revo Uninstaller and select Run as administrator
    • From the list of programs highlight the listed program(s), or anything similar if they exist, then select Uninstall
    Code:
    TotalAV
    Norton Security Suite
    Spybot - Search and Destroy
    
    • If the program's uninstaller appears work through the steps to remove the program(s)
    • Be sure the Advanced option is selected then click Scan
    • For each window that may appear identifying leftover items click Select All, Delete, then confirm the deletion
    • Once done click Finish
    • Reboot your computer
    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION 
    HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION 
    Powershell: Get-MpPreference
    Emptytemp:
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    • Note: The Emptytemp: command will remove cookies and may result in some websites (like banking) indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
    ===================================================

    Farbar Recovery Scan Tool SearchAll

    --------------------
    • Right click on FRST and select Run as administrator
    • Copy/paste the following in the Search: box
    Code:
    SearchAll: TotalAV;Norton;Symantec;Spybot;Avira;McAfee
    
    • Click Search Files button
    • When completed click OK and a Search.txt document will open on your desktop
    • Please zip and upload the large file to GoFile, WeTransfer, or the file hosting site of your choice and post the download link in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Recognize programs?
    • Programs uninstall?
    • Fixlog
    • Download link
     
    Last edited: Jan 4, 2024
  7. Ron Kelly

    Ron Kelly Private E-2

    Gary,
    Thanks for your continued help. I wasn’t able to get to your directed actions last night. Will try to do so later this evening.
    A couple of notes before I start on that:
    (1) I do recognize and use the 2 programs you asked about. “In the Pocket” is a bowling simulation game and the other (mbcc) I use to manage my baseball card collection.
    (2) Belarc Advisor also lists Norton Security Suite as an AV program on my system, but I removed it years ago after the intro period expired and it does not show up on the Revo Uninstaller or the Windows list of installed apps/software.
    (3) At some point in the future I would like to reinstall Total AV as my antivirus protection. I have an annual subscription, used it for several years, and have been satisfied with it vs. some others I had tried prior to that.

    On a side note, regarding that annoying overlay box: it occurred to me that perhaps the first two letters in the title somehow were dropped and instead of “ATUS MONITOR” it should have read “STATUS MONITOR.” Is that possible?

    Thanks again for your help with this issue. I will complete the actions you directed ASAP and reply as you requested. Thanks again.

    —RonKelly—
     
  8. Ron Kelly

    Ron Kelly Private E-2

    Gary,
    In addition to removing the antivirus software, you mention clearing out temporary files to create more space. I can do this through Windows Settings > Update & Security > Check Storage (gives me a list of temporary files that can be deleted). Is this what you have in mind?
     
  9. Ron Kelly

    Ron Kelly Private E-2

    Please disregard my earlier post. Following are the items and info you asked for:
    • I recognize and use both programs, In The Pocket and MBCC
    • I have uninstalled Total AV antivirus software. Neither Norton Security Suite nor SpyBot-Search and Destroy were on the list produced by Revo Uninstaller. (I had uninstalled both some time ago)
    • Download link for the Search.txt document: https://gofile.io/d/aPy49l
    • Fix result of Farbar Recovery Scan Tool (x64) Version: 01.01.2024
      Ran by nybre (04-01-2024 00:18:48) Run:1
      Running from C:\Users\nybre\Desktop\FRST64
      Loaded Profiles: nybre & wendy & megan & test
      Boot Mode: Normal
      ==============================================
      fixlist content:
      *****************
      Start::
      HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
      HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
      Powershell: Get-MpPreference
      Emptytemp:
      End::
      *****************
      HKLM\SOFTWARE\Microsoft\Windows Defender\\DisableAntiSpyware => Error setting value.
      HKLM\SOFTWARE\Microsoft\Windows Defender\\DisableAntiVirus => Error setting value.
      ========= Get-MpPreference =========
      AllowDatagramProcessingOnWinServer : False
      AllowNetworkProtectionDownLevel : False
      AllowNetworkProtectionOnWinServer : False
      AllowSwitchToAsyncInspection : False
      ApplyDisableNetworkScanningToIOAV : False
      AttackSurfaceReductionOnlyExclusions :
      AttackSurfaceReductionRules_Actions :
      AttackSurfaceReductionRules_Ids :
      AttackSurfaceReductionRules_RuleSpecificExclusions :
      AttackSurfaceReductionRules_RuleSpecificExclusions_Id :
      CheckForSignaturesBeforeRunningScan : False
      CloudBlockLevel : 0
      CloudExtendedTimeout : 0
      ComputerID : 6EBEF90A-7F18-4320-8D79-3C67CB0D1F97
      ControlledFolderAccessAllowedApplications :
      ControlledFolderAccessProtectedFolders :
      DefinitionUpdatesChannel : 0
      DisableArchiveScanning : False
      DisableAutoExclusions : False
      DisableBehaviorMonitoring : False
      DisableBlockAtFirstSeen : False
      DisableCacheMaintenance : False
      DisableCatchupFullScan : True
      DisableCatchupQuickScan : True
      DisableCpuThrottleOnIdleScans : True
      DisableDatagramProcessing : False
      DisableDnsOverTcpParsing : False
      DisableDnsParsing : False
      DisableEmailScanning : True
      DisableFtpParsing : False
      DisableGradualRelease : False
      DisableHttpParsing : False
      DisableInboundConnectionFiltering : False
      DisableIOAVProtection : False
      DisableNetworkProtectionPerfTelemetry : False
      DisablePrivacyMode : False
      DisableQuicParsing : False
      DisableRdpParsing : False
      DisableRealtimeMonitoring : False
      DisableRemovableDriveScanning : True
      DisableRestorePoint : True
      DisableScanningMappedNetworkDrivesForFullScan : True
      DisableScanningNetworkFiles : False
      DisableScriptScanning : False
      DisableSmtpParsing : False
      DisableSshParsing : False
      DisableTlsParsing : False
      EnableControlledFolderAccess : 0
      EnableConvertWarnToBlock : False
      EnableDnsSinkhole : True
      EnableFileHashComputation : False
      EnableFullScanOnBatteryPower : False
      EnableLowCpuPriority : False
      EnableNetworkProtection : 0
      EngineUpdatesChannel : 0
      ExclusionExtension :
      ExclusionIpAddress :
      ExclusionPath :
      ExclusionProcess :
      ForceUseProxyOnly : False
      HideExclusionsFromLocalUsers : True
      HighThreatDefaultAction : 0
      IntelTDTEnabled :
      LowThreatDefaultAction : 0
      MAPSReporting : 2
      MeteredConnectionUpdates : False
      ModerateThreatDefaultAction : 0
      NetworkProtectionReputationMode : 0
      OobeEnableRtpAndSigUpdate : False
      PerformanceModeStatus : 1
      PlatformUpdatesChannel : 0
      ProxyBypass :
      ProxyPacUrl :
      ProxyServer :
      PUAProtection : 1
      QuarantinePurgeItemsAfterDelay : 90
      QuickScanIncludeExclusions : 0
      RandomizeScheduleTaskTimes : True
      RealTimeScanDirection : 0
      RemediationScheduleDay : 0
      RemediationScheduleTime : 02:00:00
      ReportDynamicSignatureDroppedEvent : False
      ReportingAdditionalActionTimeOut : 10080
      ReportingCriticalFailureTimeOut : 10080
      ReportingNonCriticalTimeOut : 1440
      ScanAvgCPULoadFactor : 50
      ScanOnlyIfIdleEnabled : True
      ScanParameters : 1
      ScanPurgeItemsAfterDelay : 15
      ScanScheduleDay : 0
      ScanScheduleOffset : 120
      ScanScheduleQuickScanTime : 00:00:00
      ScanScheduleTime : 02:00:00
      SchedulerRandomizationTime : 4
      ServiceHealthReportInterval : 60
      SevereThreatDefaultAction : 0
      SharedSignaturesPath :
      SharedSignaturesPathUpdateAtScheduledTimeOnly : False
      SignatureAuGracePeriod : 0
      SignatureBlobFileSharesSources :
      SignatureBlobUpdateInterval : 60
      SignatureDefinitionUpdateFileSharesSources :
      SignatureDisableUpdateOnStartupWithoutEngine : False
      SignatureFallbackOrder : MicrosoftUpdateServer|MMPC
      SignatureFirstAuGracePeriod : 120
      SignatureScheduleDay : 8
      SignatureScheduleTime : 01:45:00
      SignatureUpdateCatchupInterval : 1
      SignatureUpdateInterval : 0
      SubmitSamplesConsent : 1
      ThreatIDDefaultAction_Actions :
      ThreatIDDefaultAction_Ids :
      ThrottleForScheduledScanOnly : True
      TrustLabelProtectionStatus : 0
      UILockdown : False
      UnknownThreatDefaultAction : 0
      PSComputerName :
      ========= End of Powershell: =========
      =========== EmptyTemp: ==========
      FlushDNS => completed
      BITS transfer queue => 2621440 B
      DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 269561893 B
      Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 415842446 B
      Windows/system/drivers => 10507786 B
      Edge => 0 B
      Chrome => 735763525 B
      Firefox => 3612275 B
      Opera => 0 B
      Temp, IE cache, history, cookies, recent:
      Default => 0 B
      ProgramData => 0 B
      Public => 0 B
      systemprofile => 16 B
      systemprofile32 => 16 B
      LocalService => 3761496 B
      NetworkService => 4945310 B
      nybre => 780687148 B
      wendy => 971229951 B
      megan => 1106315377 B
      test => 1106353547 B
      RecycleBin => 0 B
      EmptyTemp: => 5 GB temporary data Removed.
      ================================
      The system needed a reboot.
      ==== End of Fixlog 00:24:36 ====
     
  10. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings.

    Thank you for your excellent work. Yes, it is possible the overlay is related to a printer or other device. What printer models are available for you to use on your computer?

    Please rerun the SearchAll: step I modified in Post #6.

    In addition, run the below.

    ===================================================

    Autoruns

    --------------------
    • Please download Autoruns and save it to your Desktop
    • Right click on the autoruns64 icon on your Desktop and select Run as administrator
    • Wait until the lower left hand corner of the window shows Ready
    • Hit the Ctrl + S key at the same time
    • Save the file onto your Desktop using the default File name:
    • Please attach the file to your reply
    ===================================================

    Things I would like to see in your next reply.
    • Which printer models?
    • Search.txt
    • Attached Autoruns file
     
  11. Ron Kelly

    Ron Kelly Private E-2

    Following are the printers according to Belarc Advisor:
    HP ePrint on LPT1:
    HP Photosmart Plus B210 series on CN16H3N47005J9
    Lexmark E238 (MS) on USB001

    Microsoft Print To PDF on PORTPROMPT:
    Microsoft Shared Fax Driver on SHRFAX:
    Microsoft XPS Document Writer v4 on PORTPROMPT:
    novaPDF 10 on doPDF10
    Send to Microsoft OneNote 16 Driver on nul:

    NOTE: saved autoruns file has an .arn extension that will not upload as attachment. Should I rename it with a .txt extension?
     
  12. Oh My!

    Oh My! Malware Expert Staff Member

    Please upload the folder to GoFile, WeTransfer, or the file hosting site of your choice. Post the download link in your reply.

    Are the HP and Lexmark printers the ones you are currently using? Can I assume there aren't any other printers you use beyond what you listed?
     
  13. Ron Kelly

    Ron Kelly Private E-2

  14. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you.

    Please run this and upon reboot let me know if the overlay disappears.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    CloseProcesses:
    Startup: C:\Users\nybre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Photosmart Plus B210 series (Network).lnk [2023-12-31]
    ShortcutAndArgument: Monitor Ink Alerts - HP Photosmart Plus B210 series (Network).lnk -> C:\WINDOWS\system32\RunDll32.exe => "C:\Program Files\HP\HP Photosmart Plus B210 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN16H3N47005J9;CONNECTION=NW;MONITOR=1;
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
    • Overlay gone?
     
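The fix above removes a Startup-folder shortcut whose real payload is named in the arguments passed to RunDll32.exe, not in the shortcut's target. The following is an added example, not part of the thread or of FRST, that lists the Startup-folder shortcuts on a Windows machine and resolves each one's target, arguments and hosted DLL the way FRST's ShortcutAndArgument line does, so an entry like the HP "Monitor Ink Alerts" launcher can be identified and its signature checked before anything is removed. It assumes only Windows PowerShell with the built-in WScript.Shell COM object.

```powershell
# Added example (not from the thread): enumerate Startup-folder .lnk files and show
# what each one actually runs. Hosts such as rundll32.exe execute whatever DLL their
# arguments name, so for those the arguments, not the target, identify the payload.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Programs that act as launchers for a script or DLL named in their arguments.
$hostPattern = '^(rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd)\.exe$'

$shell = New-Object -ComObject WScript.Shell

$results = foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }

    Get-ChildItem -LiteralPath $folder -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk       = $shell.CreateShortcut($_.FullName)
            $target    = $lnk.TargetPath
            $arguments = $lnk.Arguments
            $viaHost   = [IO.Path]::GetFileName($target) -match $hostPattern

            # For a rundll32-style launcher the first comma-separated argument is the
            # DLL path (possibly quoted); that is the file whose signature matters.
            $payload = if ($viaHost -and $arguments) {
                ($arguments -split ',')[0].Trim('"')
            } else {
                $target
            }

            $signature = 'file not found'
            if ($payload -and (Test-Path -LiteralPath $payload)) {
                $signature = (Get-AuthenticodeSignature -FilePath $payload).Status
            }

            [pscustomobject]@{
                Shortcut  = $_.Name
                Modified  = $_.LastWriteTime
                Target    = $target
                Arguments = $arguments
                Payload   = $payload
                Signature = $signature
                Review    = if ($viaHost) { 'yes: launcher host' } else { 'no' }
            }
        }
}

# Newest shortcuts first: a recently created entry is the usual starting point,
# as it was in this thread (the HP shortcut dated the day before the overlay appeared).
$results | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap
```

A legitimate vendor entry typically shows a Valid signature from the vendor on its payload DLL; an unsigned or missing payload behind a launcher host is what warrants a closer look.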
  15. Ron Kelly

    Ron Kelly Private E-2

    Overlay is gone. Thanks!

    Fix result of Farbar Recovery Scan Tool (x64) Version: 05.01.2024 01
    Ran by nybre (06-01-2024 16:27:21) Run:2
    Running from C:\Users\nybre\Desktop\FRST64
    Loaded Profiles: nybre
    Boot Mode: Normal
    ==============================================
    fixlist content:
    *****************
    Start::
    CloseProcesses:
    Startup: C:\Users\nybre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Photosmart Plus B210 series (Network).lnk [2023-12-31]
    ShortcutAndArgument: Monitor Ink Alerts - HP Photosmart Plus B210 series (Network).lnk -> C:\WINDOWS\system32\RunDll32.exe => "C:\Program Files\HP\HP Photosmart Plus B210 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN16H3N47005J9;CONNECTION=NW;MONITOR=1;
    End::
    *****************
    Processes closed successfully.
    C:\Users\nybre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Photosmart Plus B210 series (Network).lnk => moved successfully
    ShortcutAndArgument: Monitor Ink Alerts - HP Photosmart Plus B210 series (Network).lnk -> C:\WINDOWS\system32\RunDll32.exe => "C:\Program Files\HP\HP Photosmart Plus B210 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN16H3N47005J9;CONNECTION=NW;MONITOR=1; => Error: No automatic fix found for this entry.
    The system needed a reboot.
    ==== End of Fixlog 16:27:23 ====
     
  16. Oh My!

    Oh My! Malware Expert Staff Member

    Very good.

    Reinstall TotalAV if you'd like. Let me know how that goes.
     
  17. Ron Kelly

    Ron Kelly Private E-2

    Not going to reinstall Total AV, much as I would like to. Running out of storage space. Only 10 GB left.
     
  18. Ron Kelly

    Ron Kelly Private E-2

    Is Windows Defender enough?
     
  19. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings.
    Yes, Windows Defender is enough but we need to take a look at it. There may be an issue.

    Please do this.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    ExportKey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    ===================================================

    Farbar Service Scanner

    --------------------

    • Please download Farbar Service Scanner, save it to your desktop, and run it.
    • Make sure the following options are checked:
    Internet Services
    Windows Firewall
    System Restore
    Security Center/Action Center
    Windows Update
    Windows Defender
    Other Services
    • Press Scan
    • Please copy and paste the contents of the FSS.txt report in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
    • FSS.txt
     
    Last edited: Jan 7, 2024
  20. Ron Kelly

    Ron Kelly Private E-2

  21. Oh My!

    Oh My! Malware Expert Staff Member

    Please try my link again. The file is safe to download.
     
  22. Ron Kelly

    Ron Kelly Private E-2

    Fix result of Farbar Recovery Scan Tool (x64) Version: 06.01.2024 01
    Ran by nybre (07-01-2024 16:06:43) Run:3
    Running from C:\Users\nybre\Desktop\FRST64
    Loaded Profiles: nybre
    Boot Mode: Normal
    ==============================================
    fixlist content:
    *****************
    Start::
    ExportKey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
    End::
    *****************
    ================== ExportKey: ===================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
    [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager]
    === End of ExportKey ===
    ==== End of Fixlog 16:06:43 ====

    Farbar Service Scanner Version: 30-04-2023
    Ran by nybre (administrator) on 07-01-2024 at 18:27:43
    Running from "C:\Users\nybre\Desktop"
    Microsoft Windows 10 Home (X64)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.
    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================
    System Restore:
    ============
    System Restore Policy:
    ========================
    Windows Security:
    ============
    Windows Update:
    ============
    dosvc Service is not running. Checking service configuration:
    The start type of dosvc service is set to Demand. The default start type is Auto.
    The ImagePath of dosvc service is OK (ImagePath=%SystemRoot%\System32\svchost.exe -k NetworkService -p).
    The ServiceDll of dosvc service is OK.
    Windows Autoupdate Disabled Policy:
    ============================
    Windows Defender:
    ==============
    Other Services:
    ==============
    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => File is digitally signed
    C:\Windows\System32\Drivers\nsiproxy.sys => File is digitally signed
    C:\Windows\System32\Drivers\netbt.sys => File is digitally signed
    C:\Windows\System32\Drivers\tdx.sys => File is digitally signed
    C:\Windows\System32\Drivers\afd.sys => File is digitally signed
    C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
    C:\Windows\System32\dnsrslvr.dll => File is digitally signed
    C:\Windows\System32\dnsapi.dll => File is digitally signed
    C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
    C:\Windows\System32\mpssvc.dll => File is digitally signed
    C:\Windows\System32\bfe.dll => File is digitally signed
    C:\Windows\System32\Drivers\mpsdrv.sys => File is digitally signed
    C:\Windows\System32\SDRSVC.dll => File is digitally signed
    C:\Windows\System32\vssvc.exe => File is digitally signed
    C:\Windows\System32\SecurityHealthService.exe => File is digitally signed
    C:\Windows\System32\wscsvc.dll => File is digitally signed
    C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
    C:\Windows\System32\wuaueng.dll => File is digitally signed
    C:\Windows\System32\qmgr.dll => File is digitally signed
    C:\Windows\System32\es.dll => File is digitally signed
    C:\Windows\System32\cryptsvc.dll => File is digitally signed
    C:\Windows\System32\usosvc.dll => File is digitally signed
    C:\Windows\System32\WaaSMedicSvc.dll => File is digitally signed
    C:\Windows\System32\dosvc.dll => File is digitally signed
    C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
    C:\Windows\System32\ipnathlp.dll => File is digitally signed
    C:\Windows\System32\iphlpsvc.dll => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed
    **** End of log ****
     
  23. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you.

    Now run this please.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    ExportKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
    cmd: sc query windefend
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
     
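The FRST steps in this thread check Windows Defender from three angles: the policy key that can carry DisableAntiSpyware/DisableAntiVirus restrictions, the Get-MpPreference settings (which showed DisableRestorePoint set to True), and the WinDefend service state via sc query windefend. The following is an added, read-only example, not part of the thread or of FRST, that performs the same checks from PowerShell and lists anything a helper would want to review. It assumes Windows 10/11 with the built-in Defender module and an elevated session.

```powershell
# Added example (not from the thread): a read-only health check of Windows Defender
# covering the same items the helper examined with FRST.
# Assumes the built-in Defender PowerShell module; run from an elevated prompt.

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent, which is the healthy state for
    # these restriction values (absent or 0 means Defender is not being disabled).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$rtpKey    = "$policyKey\Real-Time Protection"

$findings = New-Object System.Collections.Generic.List[string]

# 1. Policy restrictions of the kind FRST flags as "Restriction <==== ATTENTION".
$policyChecks = @(
    @{ Key = $policyKey; Name = 'DisableAntiSpyware' },
    @{ Key = $policyKey; Name = 'DisableAntiVirus' },
    @{ Key = $rtpKey;    Name = 'DisableRealtimeMonitoring' }
)
foreach ($entry in $policyChecks) {
    $value = Get-PolicyValue -Key $entry.Key -Name $entry.Name
    if ($value -eq 1) {
        $findings.Add("policy value $($entry.Name) = 1 under $($entry.Key)")
    }
}

# 2. Service state, the PowerShell equivalent of "sc query windefend".
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings.Add('WinDefend service is not present')
} elseif ($svc.Status -ne 'Running') {
    $findings.Add("WinDefend service is $($svc.Status)")
}

# 3. Engine status and preferences as reported by the Defender module itself.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

if (-not $status.AntivirusEnabled)          { $findings.Add('AntivirusEnabled is False') }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add('RealTimeProtectionEnabled is False') }
if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is off') }
if ($pref.DisableRealtimeMonitoring)        { $findings.Add('DisableRealtimeMonitoring preference is True') }
if ($pref.DisableRestorePoint) {
    $findings.Add('DisableRestorePoint is True: scans will not create System Restore points')
}

# Exclusions are often legitimate, but each one is a scanning blind spot worth listing.
$exclusions = @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)
foreach ($x in $exclusions) {
    if ($x) { $findings.Add("exclusion configured: $x") }
}

if ($findings.Count -eq 0) {
    Write-Output 'Defender check: no policy restrictions, service running, real-time protection on.'
} else {
    Write-Output 'Defender check: review the following'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Nothing in the block changes settings; FRST's "Error setting value" in the first Fixlog is consistent with Tamper Protection being on, which this check reports rather than overrides.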
  24. Ron Kelly

    Ron Kelly Private E-2

    Fix result of Farbar Recovery Scan Tool (x64) Version: 06.01.2024 01
    Ran by nybre (07-01-2024 19:13:14) Run:4
    Running from C:\Users\nybre\Desktop\FRST64
    Loaded Profiles: nybre
    Boot Mode: Normal
    ==============================================
    fixlist content:
    *****************
    Start::
    ExportKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
    cmd: sc query windefend
    End::
    *****************
    ================== ExportKey: ===================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "ProductAppDataPath"="C:\ProgramData\Microsoft\Windows Defender"
    "ProductIcon"="@%ProgramFiles%\Windows Defender\EppManifest.dll,-100"
    "ProductLocalizedName"="@%ProgramFiles%\Windows Defender\EppManifest.dll,-1000"
    "DisableAntiSpyware"="0"
    "RemediationExe"="%ProgramFiles%\Windows Defender\MSASCui.exe"
    "ProductType"="2"
    "InstallTime"="67c94a11edded101"
    "InstallLocation"="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0\"
    "ProductStatus"="0"
    "OOBEInstallTime"="3ffa6161a79ad201"
    "DisableAntiVirus"="0"
    "ManagedDefenderProductType"="0"
    "LastEnabledTime"="e9cb6a7bc53eda01"
    "BackupLocation"="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23100.2009-0"
    "PUAProtection"="1"
    "HybridModeEnabled"="0"
    "VerifiedAndReputableTrustModeEnabled"="0"
    "RpcServerUseEndpointMapper"="0"
    "IsServiceRunning"="1"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService]
    "MdTrustedRootCertThumbPrints"="CB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F|4348A0E9444C78CB265E058D5E8944B4D84F9662BD26DB257F8934A443C70161"
    "MdTrustedSubjectOrgs"="Microsoft Corporation|DigiCert Inc"
    "WdTimerInitalDelay"="300002"
    "WdTimerMonitorInterval"="300000"
    "WdConfigHash"="1370359201"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\CpuSensor]
    "MonitoredTargets"="mpdefendercoreservice|msmpeng|nissrv"
    "LowThresholds"="10|10|10"
    "HighThresholds"="95|95|95"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\CrashSensor]
    "MonitoredTargets"="mpdefendercoreservice|msmpeng|nissrv"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\DiskSensor]
    "MonitoredTargets"=""
    [HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\MemorySensor]
    "MonitoredTargets"="mpdefendercoreservice|msmpeng|nissrv"
    "LowThresholds"="4|1024|128"
    "HighThresholds"="16|2048|1024"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Device Control]
    "PoliciesLastUpdated"="c948a32f784ed901"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Device Control\Policy Groups]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Device Control\Policy Rules]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Diagnostics]
    "LastKnownGoodEngineCandidate"="0200465a01000100"
    "LastKnownGoodPlatformLocation"="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0"
    "CloudBadListVersion"="0500000000000000"
    "LatestPlatformVersionOnDevice"="0300465a12000400"
    "LatestEngineVersionOnDevice"="0200465a01000100"
    "LastSignatureUpdateResult"="0"
    "InitializingComponentProgress"="ServiceStartedSuccessfully"
    "CleanupComponentProgress"="CleanupCompleted"
    "PlatformHealthData"="03000000300100006bafa65d5f24da016c715aa4c441da0104000000000000004900000001000000000000000100000004000000000000004900000001000000000000000100000003000000000000004900000001000000000000000100000003000000 (the data entry has 408 more characters)."
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Diagnostics\BlockedVersions]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Diagnostics\BlockedVersions\Engine]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Diagnostics\BlockedVersions\Platform]
    "4.18.2303.123"="7b00ff0812000400"
    "4.18.23060.1004"="ec03145a12000400"
    "4.18.23070.1004"="ec031e5a12000400"
    "4.18.23080.2006"="d607285a12000400"
    "4.18.23090.2008"="d807325a12000400"
    "4.18.23100.2009"="d9073c5a12000400"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Diagnostics\BlockedVersions\Signatures]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\DLP Configs]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\DLP Configs\Tag]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\DLP Websites]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\DLP Websites\Rules]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\IpAddresses]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\TemporaryPaths]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Features]
    "TamperProtection"="1"
    "MpPlatformKillbitsFromEngine"="0000000400000000"
    "TamperProtectionSource"="5"
    "ChangedDefaults"="0000000000000000"
    "MpCapability"="ff01000000000000"
    "TPExclusions"="0"
    "DlpAppEnlightenmentSettings"="0"
    "DlpDisablePrintDetours"="0"
    "MpPlatformKillbitsExFromEngine"="20000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (the data entry has 56 more characters)."
    "DlpFileEvidenceEnabled"="0"
    "EnableCACS"="0"
    "DlpEnableBrowserPasteEnforcement"="0"
    "ECSDeviceID"="69D4C3B8-FFFC-4713-89BB-20551F3C4335"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls]
    "7"="1"
    "9"="1"
    "10"="1"
    "13"="1"
    "15"="1"
    "21"="1"
    "22"="62"
    "31"="2305"
    "32"="14000"
    "48"="1"
    "54"="1"
    "69"="1"
    "_4"="1"
    "_7"="1"
    "_9"="1"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Features\EcsConfigs]
    "EnableAdsSymlinkMitigation_MpRamp"="1"
    "EnableCIWorkaroundOnCFAEnabled_MpRamp"="1"
    "MdTimerInitalDelay"="300002"
    "MdTimerMonitorInterval"="300000"
    "MpCopyAcceleratorCancellableCopyState"="2"
    "MpDisablePropBagNotification"="0"
    "MpEnablePurgeHipsCache"="1"
    "MpFC_AdvertiseLogonMinutesFeature"="7"
    "MpFC_AdvertiseM365Feature"="15"
    "MpFC_AdvertiseM365PackBuild"="14000"
    "MpFC_AdvertiseM365PackMajor"="102"
    "MpFC_AdvertiseM365PackMinor"="2305"
    "MpFC_EcsConfigDownloadInterval"="62"
    "MpFC_EnableImpersonationOnNetworkResourceScan"="1"
    "MpFC_EnableTPExclusionsSCCMNonMDEAttach"="1"
    "MpFC_Kernel_HardenUxProcesses"="0"
    "MpFC_Kernel_ReduceOfficeInjectRuleFP"="1"
    "MpFC_Kernel_SystemIoRequestWorkOnBehalfOf"="1"
    "MpFC_MdEnableCoreService"="1"
    "MpFc_Kernel_UseLowPrioThreadsForAsyncScans"="1"
    "MpForceDllHostScanExeOnOpen"="1"
    "MpDisableResourceMonitoring"="0"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Features\EcsConfigs\ETag]
    ""=""Q/GWu6LnPfyN9wTMab5r26hC5X6+V+La2XQMlpAPblg=""
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Troubleshooting]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Features\UpdateControl]
    "LastHeartbeatSystime"="32b35ba4c441da01"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration]
    "DeltaUpdateFailure"="0"
    "BddUpdateFailure"="0"
    "NISDeltaUpdateFailure"="0"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\MpEngine]
    "MpCampRing"="4"
    "MpEngineRing"="4"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\NIS]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\NIS\ActiveSignatures]
    "Active"="12"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\NIS\Consumers]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\NIS\Consumers\IPS]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\NIS\Consumers\IPS\SKU Differentiation]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Quarantine]
    "PurgeItemsAfterDelay"="90"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection]
    "DpaDisabled"="0"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Remediation]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting]
    "MputNormalPriSampleRate"="10"
    "MputHighPriSampleRate"="100"
    "MputNormalPriSendInterval"="24"
    "LastRtpAndScanConfigsCollectedInHeartbeatTime"="3ed04c530640da01"
    "SigUpdateTimestampsSinceLastHB"=""
    "DeviceId"="00180001198270A9"
    "LastRebootTime"="649d6d533341da01"
    "LastDefenderDisableHeartbeatReportTime"="0aa6a6f8c23eda01"
    "LastDeviceIdProcuredTime"="05e5b9c9f006d301"
    "LastRtpHeartbeatReportTime"="debc6042efd8d901"
    "LastHeartbeatReportTime"="a7a0c647ae41da01"
    "ScansSinceLastRecap"="3"
    "LastRecapTime"="a34be6e1473cda01"
    "LastPaidHeartbeatReportTime"="72dd698aa75fd701"
    "LastMapsDisableHeartbeatReportTime"="95202accefd8d901"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Scan]
    "1A698C15-EE94-4BCC-8C8A-006B927D539C"="C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\1A698C15-EE94-4BCC-8C8A-006B927D539C-0.bin"
    "CacheFile"="C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\1A698C15-EE94-4BCC-8C8A-006B927D539C-0.bin"
    "DaysUntilAggressiveCatchupQuickScan"="30"
    "AggressiveCatchupQuickScanReattemptElapsed"="23"
    "LastAggressiveCheck"="fc1ac647ae41da01"
    "SFCState"="7"
    "LastScanType"="1"
    "LastScanRun"="1a8ddb522741da01"
    "LastQuickScanID"="{70504D8E-FFCE-499C-B568-6D94CCDD4E1D}"
    "LastQuickScanResourceCount"="6736030000000000"
    "7DD71AFA-0000-0000-0000-100000000000"="C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\7DD71AFA-0000-0000-0000-100000000000-0.bin"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\Scan]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates]
    "DisableDefaultSigs"="0"
    "SignatureCategoryID"="8c3fcc84-7410-4a95-8b89-a166a0190486"
    "LastFallbackTime"="734277a8bd41da01"
    "SignatureUpdateCount"="512"
    "SignaturesLastUpdated"="13d783bdbd41da01"
    "UpdatedWithinGracePeriod"="1"
    "SignatureUpdatePending"="0"
    "SignatureType"="0"
    "MoCAMPUpdateStarted"="6cdaf4c2f722da01"
    "SignatureUpdateLastAttempted"="78676ba8bd41da01"
    "ISUInterval"="4"
    "ISULength"="24"
    "ISUReason"="16"
    "ISUControlFlags"="1"
    "EngineVersion"="1.1.23110.2"
    "AVSignatureVersion"="1.403.1801.0"
    "AVSignatureBaseVersion"="1.403.0.0"
    "AVSignatureApplied"="807ff21d7d41da01"
    "ASSignatureVersion"="1.403.1801.0"
    "ASSignatureBaseVersion"="1.403.0.0"
    "ASSignatureApplied"="80ac231f7d41da01"
    "SignatureLocation"="C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7B6AA32F-EF71-479B-89A1-3B5688A19300}"
    "EnableUpdateResiliency"="0"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet]
    "SpyNetReporting"="2"
    "SubmitSamplesConsent"="1"
    "SpyNetReportingLocation"="SOAP:https://wdcp.microsoft.com/WdCpSrvc...ttps://wdcpalt.microsoft.com/wdcp.svc/submitR (the data entry has 126 more characters)."
    "SSLOptions"="3"
    "MAPSconcurrency"="1"
    "MAPSconcurrencyDss"="10"
    "LastMAPSSuccessTime"="c43649e0c041da01"
    "LastMAPSFailureTime"="c26cd696282dda01"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Threats]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatTypeDefaultAction]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\WCOS]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ASROnlyExclusions]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ASROnlyPerRuleExclusions]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\DLP]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\DLP\Rules]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection]
    === End of ExportKey ===
    ========= sc query windefend =========
    SERVICE_NAME: windefend
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 4 RUNNING
    (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0
    ========= End of CMD: =========
    ==== End of Fixlog 19:13:19 ====
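The registry section of the Fixlog above is long, and most of it is healthy noise. As an added example (not part of this thread or of FRST), here is a small triage script that parses FRST's ExportKey format and pulls out the Defender settings a responder reads first: tamper protection, cloud reporting, default signatures, engine version and any exclusions. Key paths and value names are taken from the Fixlog; the exclusion entry in SAMPLE is constructed to show how an exclusion gets flagged.

```python
"""Triage an FRST 'ExportKey' dump of the Windows Defender registry keys.
Added example (not from the thread or FRST): parses the bracketed key lines
and "name"="value" lines FRST writes into Fixlog.txt and reports the settings
a responder reads first. The exclusion entry in SAMPLE is constructed."""
import re

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')
ROOT = r'HKLM\SOFTWARE\Microsoft\Windows Defender'
SAMPLE = r"""[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
    "C:\Tools\Constructed"="0"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes]
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Features]
    "TamperProtection"="1"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates]
    "DisableDefaultSigs"="0"
    "EngineVersion"="1.1.23110.2"
    [HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet]
    "SpyNetReporting"="2"
    === End of ExportKey ==="""

def parse_exportkey(text):
    """Return {key_path: {value_name: data}}; keys without values map to {}."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('=== End of ExportKey'):
            break
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            tree[current][m.group(1)] = m.group(2)
    return tree

def triage(tree):
    """Posture summary: tamper protection, cloud reporting, signatures, exclusions."""
    sub = lambda name: tree.get(ROOT + '\\' + name, {})
    exclusions = {k: sorted(sub('Exclusions\\' + k)) for k in ('Paths', 'Processes', 'Extensions', 'IpAddresses')}
    return {
        'tamper_protection_on': sub('Features').get('TamperProtection') == '1',
        'cloud_reporting_on': sub('Spynet').get('SpyNetReporting', '0') != '0',
        'default_sigs_disabled': sub('Signature Updates').get('DisableDefaultSigs') == '1',
        'engine_version': sub('Signature Updates').get('EngineVersion'),
        # Any exclusion deserves review: nothing under it is ever scanned.
        'exclusions_to_review': {k: v for k, v in exclusions.items() if v},
    }
```

Run against the real Fixlog by reading the file into `parse_exportkey`; on the log above the exclusion keys are empty and tamper protection is on, which is what you want to see.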
     
  25. Oh My!

    Oh My! Malware Expert Staff Member

  26. Ron Kelly

    Ron Kelly Private E-2

    No threats found.
     
  27. Oh My!

    Oh My! Malware Expert Staff Member

    Great.

    I think we are all set. Are there any remaining questions or concerns you might have before I post some tool/log clean up instructions and other information for you to consider going forward?
     
  28. Ron Kelly

    Ron Kelly Private E-2

    Just your opinion on the Total AV antivirus package. It's always had good reviews and I've never had a complaint, but in your opinion, is it worth continuing my subscription or is there something else you would use in lieu of Windows Defender?

    Also, I just replaced my old laptop; getting ready to set up the new one. What would be the best way to transfer files from the old to the new one?

    Other than that, nothing else other than to say thank you again for your time, patience and assistance.

    --RonKelly--
     
  29. Oh My!

    Oh My! Malware Expert Staff Member

    I sent you a Personal Message.

    I would recommend copying files to an external drive then running a double check scan of the external drive before transferring them to a new system.

    Here are scanning instructions if you are interested.

    ===================================================

    ESET Online Scanner with Attached External Drive

    --------------------

    Note: You can expect this process to take a long time, up to several hours or more.

    • Download ESET Free Online Scanner - ONE-TIME SCAN and save it to your Desktop
    • While holding down the Shift Key insert your USB/external drive
    • Right click on esetonlinescanner_enu.exe and select Run as administrator
    • Click Computer scan
    • Click Custom Scan
    • Place a check mark in every drive you wish to scan
    • Click Save and continue
    • Select Enable ESET to detect and quarantine potentially unwanted applications
    • Click Start scan
    • Once completed click View detailed results
    • Review the list of detected items for things you don't want to remove (sometimes Potentially Unwanted Applications)
    • If there are entries you would like to keep, click Restore cleaned files
    • Place a check mark in each entry you would like to restore then click Restore files then confirm the action
    • Click Finish
    • Save scan log and save it to your Desktop as ESETScan.txt
    • Click Continue then finally click Close
    • Copy and paste the ESETScan.txt file contents in your reply
     
