Windows Powershell

Discussion in 'Malware Help - Public (Anyone Can Post & Respond)' started by KeepOnTruckin, Jun 13, 2024.

  1. KeepOnTruckin

    KeepOnTruckin Private E-2

    Folks-

    I went to a restaurant website that I use often and a large message popped up indicating that the website had an issue and I should click on the "fix" button and copy it into the Windows PowerShell at the CMD line. This is on a windows 10 laptop. Extremely stupidly, and obviously without thinking much, or, at all, I did it. As soon as I did it I realized how stupid it was. I did a restore to a date a week or so earlier, but I'm obviously quite nervous and have not had the laptop connected to the internet since. I've also changed the more important passwords.

    Can anyone suggest how bad this is? Will resetting the PC to factory settings solve any potential issue? I'm considering using LapLink PcMove, which I've used over the years, to "migrate" my Windows 10 desktop over to the perhaps factory reset laptop. The two PCs are extremely similar in what's on them for apps and files. I have the "fix" copied into a Word file, if it matters.

    Thanks for any ideas.

    KeepOnTruckin
    Nick
     
  2. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings and welcome to the Major Geeks Malware Forum.

    Let's take a snapshot of your system. Please do this.

    ===================================================

    Farbar Recovery Scan Tool (FRST)

    --------------------
    • Download FRST64 and save the file on your Desktop
    • If your computer language is other than English right click on the FRST64 icon and rename it to FRST64english
    • Right click on the icon and select Run as administrator
    • Note: If you receive any warning about the download it is a false positive and you can ignore it. Click on More info to get the Run anyway option
    • Click Yes to the disclaimer
    • Click Scan and allow the program to run
    • When completed, FRST.txt and Addition.txt reports will be saved on the Desktop
    • Please attach the reports to your reply
    ===================================================

    Things I would like to see in your next reply.
    • Attached reports
     
    Last edited: Jun 14, 2024
  3. KeepOnTruckin

    KeepOnTruckin Private E-2

    Thank you for responding.

    When I right-click the icon, there is no Run option, as administrator, or otherwise.
     
  4. KeepOnTruckin

    KeepOnTruckin Private E-2

    Should I just go to the website where FRST is at, download it and run it?
     
  5. Oh My!

    Oh My! Malware Expert Staff Member

    Please attempt this.

    • Right click on FRST64.exe
    • Select Properties
    • Click Change settings for all users
    • Select Run this program as an administrator
    • Click Apply, then OK twice
    • Double click on FRST64.exe
    • Click Scan
     
  6. Oh My!

    Oh My! Malware Expert Staff Member

    Sorry, didn't see your post.

    Yes, download it then attempt to Run as administrator.
     
  7. KeepOnTruckin

    KeepOnTruckin Private E-2

    See attached. Thank you again.
     

  8. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you.

    We can skip going through the trouble to quote my previous post.

    The FRST.txt report is incomplete. Since you attached it I am assuming that is all there is. Please delete the FRST.txt report, rerun a scan, and attach the report.
     
  9. KeepOnTruckin

    KeepOnTruckin Private E-2

    I've attached both files from the re-scan.
     

  10. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings.

    I am not seeing any evidence of malicious software but there are some things we can address.

    There is insufficient available hard drive space to effectively run your system. You can expect to experience some general performance issues.

    Please do this.

    ===================================================

    Uninstalling Programs Using Revo Uninstaller Free Portable

    --------------------

    • Right click on RevoUPort and select Run as administrator
    • Click OK on the License Agreement
    • From the list of programs double click on the listed program(s), or anything similar, to remove it (if it exists)
    Code:
    App Explorer
    Advanced SystemCare 
    IObit Uninstaller 13
    
    • If the program's uninstaller appears work through the steps to remove the program(s)
    • Be sure the Advanced option is selected then click Scan
    • For each window that may appear identifying leftover items click Select All, Delete, then confirm the deletion
    • Once done click Finish
    • Reboot your computer
    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    SystemRestore: On
    CreateRestorePoint:
    CloseProcesses:
    2024-06-14 06:40 - 2024-06-14 06:40 - 000066508 _____ C:\Users\ngx_a\Desktop\S8O2DoY2.htm
    2024-06-12 12:50 - 2022-10-01 02:42 - 000002554 _____ C:\WINDOWS\SysWOW64\pubfreeware.ini
    S3 cpuz154; \??\C:\WINDOWS\temp\cpuz154\cpuz154_x64.sys [X] <==== ATTENTION 
    FF Plugin-x32: @google.com/zxwebplugin -> C:\WINDOWS\system32\npzxwebplugin.dll [No File] 
    CustomCLSID: HKU\S-1-5-21-3995987313-1681012414-4109313511-1001_Classes\CLSID\{75f92b33-bbaa-b4b4-04ac-a7c07959e5a66}\InprocServer32 -> 0x9A62B0065190D90137E8B1065190D901010000000A00000000000000 => No File 
    CustomCLSID: HKU\S-1-5-21-3995987313-1681012414-4109313511-1001_Classes\CLSID\{9486aaf1-0930-362a-962d-8e6908739c817}\InprocServer32 -> 0x58645BDD858ED901175DA7065190D901040000009000000000000000 => No File 
    ShellExecuteHooks-x32: No Name - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} -  -> No File 
    ShellExecuteHooks-x32: No Name - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  -> No File 
    ShellIconOverlayIdentifiers: [SharingPrivate] -> {08244EE6-92F0-47f2-9FC9-929BAA2E7235} =>  -> No File 
    ShellIconOverlayIdentifiers-x32: [Offline Files] -> {750fdf0e-2a26-11d1-a3ea-080036587f03} =>  -> No File 
    ShellIconOverlayIdentifiers-x32: [SharingPrivate] -> {08244EE6-92F0-47f2-9FC9-929BAA2E7235} =>  -> No File 
    ShellServiceObjects: No Name -> {7007ACCF-3202-11D1-AAD2-00805FC1270E} =>
    ShellServiceObjects: No Name -> {A1607060-5D4C-467a-B711-2B59A6F25957} =>
    ShellServiceObjects-x32: No Name -> {7007ACCF-3202-11D1-AAD2-00805FC1270E} =>
    ShellServiceObjects-x32: No Name -> {A1607060-5D4C-467a-B711-2B59A6F25957} =>
    ShellServiceObjects-x32: No Name -> {E6FB5E20-DE35-11CF-9C87-00AA005127ED} =>
    ShellExecuteHooks-x32: No Name - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - -> No File
    ShellExecuteHooks-x32: No Name - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - -> No File
    ShellIconOverlayIdentifiers: [SharingPrivate] -> {08244EE6-92F0-47f2-9FC9-929BAA2E7235} => -> No File
    ShellIconOverlayIdentifiers-x32: [Offline Files] -> {750fdf0e-2a26-11d1-a3ea-080036587f03} => -> No File
    ShellIconOverlayIdentifiers-x32: [SharingPrivate] -> {08244EE6-92F0-47f2-9FC9-929BAA2E7235} => -> No File
    SearchScopes: HKU\S-1-5-21-3995987313-1681012414-4109313511-1001 -> DefaultScope {571729B1-5FE0-46B2-8C22-459278D010A2} URL =
    SearchScopes: HKU\S-1-5-21-3995987313-1681012414-4109313511-1001 -> {571729B1-5FE0-46B2-8C22-459278D010A2} URL =
    SearchScopes: HKU\S-1-5-21-3995987313-1681012414-4109313511-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
    Filter: application/x-ica - No CLSID Value
    Filter: application/x-ica; charset=euc-jp - No CLSID Value
    Filter: application/x-ica; charset=ISO-8859-1 - No CLSID Value
    Filter: application/x-ica; charset=MS936 - No CLSID Value
    Filter: application/x-ica; charset=MS949 - No CLSID Value
    Filter: application/x-ica; charset=MS950 - No CLSID Value
    Filter: application/x-ica; charset=UTF-8 - No CLSID Value
    Filter: application/x-ica; charset=UTF8 - No CLSID Value
    Filter: application/x-ica;charset=euc-jp - No CLSID Value
    Filter: application/x-ica;charset=ISO-8859-1 - No CLSID Value
    Filter: application/x-ica;charset=MS936 - No CLSID Value
    Filter: application/x-ica;charset=MS949 - No CLSID Value
    Filter: application/x-ica;charset=MS950 - No CLSID Value
    Filter: application/x-ica;charset=UTF-8 - No CLSID Value
    Filter: application/x-ica;charset=UTF8 - No CLSID Value
    Filter: ica - No CLSID Value
    cmd: netsh winsock reset catalog
    cmd: netsh int ip reset resetlog.txt
    Reg: reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules C:\Firewall.reg
    C:\Firewall.reg
    cmd: netsh advfirewall reset
    cmd: netsh advfirewall set allprofiles state ON
    cmd: bitsadmin /reset /allusers
    cmd: ipconfig /flushdns
    Removeproxy:
    hosts:
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    Emptytemp:
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    • Note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program agree to the request.
    • Note: The Emptytemp: command will remove cookies and may result in some websites (like banking) indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Programs uninstalled?
    • Fixlog
     
  11. KeepOnTruckin

    KeepOnTruckin Private E-2

    Note that the hard drive space issue is known and caused by security camera software saving multiple motion-detected files. I periodically clear out the files and have been meaning to set up a larger-capacity external drive to send those files to. Because of this, I have as yet not done any program uninstalls. The Fixlog follows.

    As an aside, would posting the offending code that I foolishly plugged into the cmd line be of assistance to us?

    Fix result of Farbar Recovery Scan Tool (x64) Version: 11.06.2024
    Ran by ngx (15-06-2024 09:42:49) Run:1
    Running from C:\Users\ngx_a\Downloads
    Loaded Profiles: ngx
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    SystemRestore: On
    CreateRestorePoint:
    CloseProcesses:
    2024-06-14 06:40 - 2024-06-14 06:40 - 000066508 _____ C:\Users\ngx_a\Desktop\S8O2DoY2.htm
    2024-06-12 12:50 - 2022-10-01 02:42 - 000002554 _____ C:\WINDOWS\SysWOW64\pubfreeware.ini
    S3 cpuz154; \??\C:\WINDOWS\temp\cpuz154\cpuz154_x64.sys [X] <==== ATTENTION
    FF Plugin-x32: @google.com/zxwebplugin -> C:\WINDOWS\system32\npzxwebplugin.dll [No File]
    CustomCLSID: HKU\S-1-5-21-3995987313-1681012414-4109313511-1001_Classes\CLSID\{75f92b33-bbaa-b4b4-04ac-a7c07959e5a66}\InprocServer32 -> 0x9A62B0065190D90137E8B1065190D901010000000A00000000000000 => No File
    CustomCLSID: HKU\S-1-5-21-3995987313-1681012414-4109313511-1001_Classes\CLSID\{9486aaf1-0930-362a-962d-8e6908739c817}\InprocServer32 -> 0x58645BDD858ED901175DA7065190D901040000009000000000000000 => No File
    ShellExecuteHooks-x32: No Name - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - -> No File
    ShellExecuteHooks-x32: No Name - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - -> No File
    ShellIconOverlayIdentifiers: [SharingPrivate] -> {08244EE6-92F0-47f2-9FC9-929BAA2E7235} => -> No File
    ShellIconOverlayIdentifiers-x32: [Offline Files] -> {750fdf0e-2a26-11d1-a3ea-080036587f03} => -> No File
    ShellIconOverlayIdentifiers-x32: [SharingPrivate] -> {08244EE6-92F0-47f2-9FC9-929BAA2E7235} => -> No File
    ShellServiceObjects: No Name -> {7007ACCF-3202-11D1-AAD2-00805FC1270E} =>
    ShellServiceObjects: No Name -> {A1607060-5D4C-467a-B711-2B59A6F25957} =>
    ShellServiceObjects-x32: No Name -> {7007ACCF-3202-11D1-AAD2-00805FC1270E} =>
    ShellServiceObjects-x32: No Name -> {A1607060-5D4C-467a-B711-2B59A6F25957} =>
    ShellServiceObjects-x32: No Name -> {E6FB5E20-DE35-11CF-9C87-00AA005127ED} =>
    ShellExecuteHooks-x32: No Name - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - -> No File
    ShellExecuteHooks-x32: No Name - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - -> No File
    ShellIconOverlayIdentifiers: [SharingPrivate] -> {08244EE6-92F0-47f2-9FC9-929BAA2E7235} => -> No File
    ShellIconOverlayIdentifiers-x32: [Offline Files] -> {750fdf0e-2a26-11d1-a3ea-080036587f03} => -> No File
    ShellIconOverlayIdentifiers-x32: [SharingPrivate] -> {08244EE6-92F0-47f2-9FC9-929BAA2E7235} => -> No File
    SearchScopes: HKU\S-1-5-21-3995987313-1681012414-4109313511-1001 -> DefaultScope {571729B1-5FE0-46B2-8C22-459278D010A2} URL =
    SearchScopes: HKU\S-1-5-21-3995987313-1681012414-4109313511-1001 -> {571729B1-5FE0-46B2-8C22-459278D010A2} URL =
    SearchScopes: HKU\S-1-5-21-3995987313-1681012414-4109313511-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
    Filter: application/x-ica - No CLSID Value
    Filter: application/x-ica; charset=euc-jp - No CLSID Value
    Filter: application/x-ica; charset=ISO-8859-1 - No CLSID Value
    Filter: application/x-ica; charset=MS936 - No CLSID Value
    Filter: application/x-ica; charset=MS949 - No CLSID Value
    Filter: application/x-ica; charset=MS950 - No CLSID Value
    Filter: application/x-ica; charset=UTF-8 - No CLSID Value
    Filter: application/x-ica; charset=UTF8 - No CLSID Value
    Filter: application/x-ica;charset=euc-jp - No CLSID Value
    Filter: application/x-ica;charset=ISO-8859-1 - No CLSID Value
    Filter: application/x-ica;charset=MS936 - No CLSID Value
    Filter: application/x-ica;charset=MS949 - No CLSID Value
    Filter: application/x-ica;charset=MS950 - No CLSID Value
    Filter: application/x-ica;charset=UTF-8 - No CLSID Value
    Filter: application/x-ica;charset=UTF8 - No CLSID Value
    Filter: ica - No CLSID Value
    cmd: netsh winsock reset catalog
    cmd: netsh int ip reset resetlog.txt
    Reg: reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules C:\Firewall.reg
    C:\Firewall.reg
    cmd: netsh advfirewall reset
    cmd: netsh advfirewall set allprofiles state ON
    cmd: bitsadmin /reset /allusers
    cmd: ipconfig /flushdns
    Removeproxy:
    hosts:
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    Emptytemp:
    End::
    *****************

    SystemRestore: On => Error -> 3%
    CreateRestorePoint: Error(1=3%) -> Failed to create a restore point.
    Processes closed successfully.
    C:\Users\ngx_a\Desktop\S8O2DoY2.htm => moved successfully
    C:\WINDOWS\SysWOW64\pubfreeware.ini => moved successfully
    HKLM\System\CurrentControlSet\Services\cpuz154 => removed successfully
    cpuz154 => service removed successfully
    HKLM\Software\Wow6432Node\MozillaPlugins\@google.com/zxwebplugin => removed successfully
    HKU\S-1-5-21-3995987313-1681012414-4109313511-1001_Classes\CLSID\{75f92b33-bbaa-b4b4-04ac-a7c07959e5a66} => removed successfully
    HKU\S-1-5-21-3995987313-1681012414-4109313511-1001_Classes\CLSID\{9486aaf1-0930-362a-962d-8e6908739c817} => removed successfully
    "HKLM\Software\Wow6432Node{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" => not found
    "HKLM\Software\Wow6432Node{AEB6717E-7E19-11d0-97EE-00C04FD91972}" => not found
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\SharingPrivate => removed successfully
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Offline Files => removed successfully
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\SharingPrivate => removed successfully
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{7007ACCF-3202-11D1-AAD2-00805FC1270E} => removed successfully
    HKLM\Software\Classes\CLSID\{7007ACCF-3202-11D1-AAD2-00805FC1270E} => not found
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{A1607060-5D4C-467a-B711-2B59A6F25957} => removed successfully
    HKLM\Software\Classes\CLSID\{A1607060-5D4C-467a-B711-2B59A6F25957} => not found
    HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{7007ACCF-3202-11D1-AAD2-00805FC1270E} => removed successfully
    HKLM\Software\WOW6432Node\Classes\CLSID\{7007ACCF-3202-11D1-AAD2-00805FC1270E} => not found
    HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{A1607060-5D4C-467a-B711-2B59A6F25957} => removed successfully
    HKLM\Software\WOW6432Node\Classes\CLSID\{A1607060-5D4C-467a-B711-2B59A6F25957} => not found
    HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} => removed successfully
    HKLM\Software\WOW6432Node\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} => not found
    "HKLM\Software\Wow6432Node{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" => not found
    "HKLM\Software\Wow6432Node{AEB6717E-7E19-11d0-97EE-00C04FD91972}" => not found
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\SharingPrivate => not found
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Offline Files => not found
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\SharingPrivate => not found
    "HKU\S-1-5-21-3995987313-1681012414-4109313511-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully
    HKU\S-1-5-21-3995987313-1681012414-4109313511-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{571729B1-5FE0-46B2-8C22-459278D010A2} => removed successfully
    HKU\S-1-5-21-3995987313-1681012414-4109313511-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC} => removed successfully
    HKLM\Software\Classes\PROTOCOLS\Filter\Filter: application/x-ica - No CLSID Value => not found
    HKLM\Software\Classes\PROTOCOLS\Filter\Filter: application/x-ica; charset=euc-jp - No CLSID Value => not found
    HKLM\Software\Classes\PROTOCOLS\Filter\Filter: application/x-ica; charset=ISO-8859-1 - No CLSID Value => not found
    HKLM\Software\Classes\PROTOCOLS\Filter\Filter: application/x-ica; charset=MS936 - No CLSID Value => not found
    HKLM\Software\Classes\PROTOCOLS\Filter\Filter: application/x-ica; charset=MS949 - No CLSID Value => not found
    HKLM\Software\Classes\PROTOCOLS\Filter\Filter: application/x-ica; charset=MS950 - No CLSID Value => not found
    HKLM\Software\Classes\PROTOCOLS\Filter\Filter: application/x-ica; charset=UTF-8 - No CLSID Value => not found
    HKLM\Software\Classes\PROTOCOLS\Filter\Filter: application/x-ica; charset=UTF8 - No CLSID Value => not found
    HKLM\Software\Classes\PROTOCOLS\Filter\Filter: application/x-ica;charset=euc-jp - No CLSID Value => not found
    HKLM\Software\Classes\PROTOCOLS\Filter\Filter: application/x-ica;charset=ISO-8859-1 - No CLSID Value => not found
    HKLM\Software\Classes\PROTOCOLS\Filter\Filter: application/x-ica;charset=MS936 - No CLSID Value => not found
    HKLM\Software\Classes\PROTOCOLS\Filter\Filter: application/x-ica;charset=MS949 - No CLSID Value => not found
    HKLM\Software\Classes\PROTOCOLS\Filter\Filter: application/x-ica;charset=MS950 - No CLSID Value => not found
    HKLM\Software\Classes\PROTOCOLS\Filter\Filter: application/x-ica;charset=UTF-8 - No CLSID Value => not found
    HKLM\Software\Classes\PROTOCOLS\Filter\Filter: application/x-ica;charset=UTF8 - No CLSID Value => not found
    HKLM\Software\Classes\PROTOCOLS\Filter\Filter: ica - No CLSID Value => not found

    ========= netsh winsock reset catalog =========

    The following helper DLL cannot be loaded: NAPMONTR.DLL.

    Sucessfully reset the Winsock Catalog.
    You must restart the computer in order to complete the reset.



    ========= End of CMD: =========


    ========= netsh int ip reset resetlog.txt =========

    The following helper DLL cannot be loaded: NAPMONTR.DLL.
    Resetting Compartment Forwarding, OK!
    Resetting Compartment, OK!
    Resetting Control Protocol, OK!
    Resetting Echo Sequence Request, OK!
    Resetting Global, OK!
    Resetting Interface, OK!
    Resetting Anycast Address, OK!
    Resetting Multicast Address, OK!
    Resetting Unicast Address, OK!
    Resetting Neighbor, OK!
    Resetting Path, OK!
    Resetting Potential, OK!
    Resetting Prefix Policy, OK!
    Resetting Proxy Neighbor, OK!
    Resetting Route, OK!
    Resetting Site Prefix, OK!
    Resetting Subinterface, OK!
    Resetting Wakeup Pattern, OK!
    Resetting Resolve Neighbor, OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , failed.
    Access is denied.

    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Restart the computer to complete this action.



    ========= End of CMD: =========


    ========= reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules C:\Firewall.reg =========

    The operation completed successfully.



    ========= End of Reg: =========

    C:\Firewall.reg => moved successfully

    ========= netsh advfirewall reset =========

    The following helper DLL cannot be loaded: NAPMONTR.DLL.
    Ok.



    ========= End of CMD: =========


    ========= netsh advfirewall set allprofiles state ON =========

    The following helper DLL cannot be loaded: NAPMONTR.DLL.
    Ok.



    ========= End of CMD: =========


    ========= bitsadmin /reset /allusers =========


    BITSADMIN version 3.0
    BITS administration utility.
    (C) Copyright Microsoft Corp.

    {FBE6FA53-3884-451F-B307-B83B3ED32465} canceled.
    {07A85154-0D49-49B0-B753-FA713E917F31} canceled.
    {FAAE6BB2-8A51-480A-A7E4-23676B2B9DE3} canceled.
    {2AE21B82-88E2-4E6A-A0E6-0E410B01E100} canceled.
    {4DDBA150-3566-43D2-AAEA-27F5499F76D1} canceled.
    {9DD7193C-ABDC-4DEE-A0B8-B939E499D007} canceled.
    {A40C2A15-354E-4DD5-AD2B-C3C1E60A617D} canceled.
    {C5726F22-F482-46D3-9D1B-BD9764440525} canceled.
    {56260CA9-6B5B-4ABF-8191-E9964780C14E} canceled.
    {1AC9704B-9093-4DEE-8349-D09796394FBA} canceled.
    {C08C0C7D-C521-4E23-AE00-161FB98B2D5B} canceled.
    {6FF168FD-7199-4F6B-B2C7-3FD2BD5A46D0} canceled.
    {712F94B8-F9F6-44E9-804A-7AD03BCB040E} canceled.
    {AF4A8907-D251-4EE0-ADD0-7A5313A69742} canceled.
    {E367F26C-93A8-4831-A114-B481A5FAA222} canceled.
    {54D5DD4A-4F91-4514-A225-08473B7941B8} canceled.
    {6ED07FE6-F6EF-48DB-990D-3FE3FA671509} canceled.
    {7169F999-0C7A-43BE-9A01-1E4FB53CD979} canceled.
    {D6DA1B23-0D07-4DCC-9870-3DFDAAB930F1} canceled.
    {399460C0-D290-41BE-B3EA-13F1D14775F3} canceled.
    {66E7C089-16D7-4D61-96A2-53B68AE429F2} canceled.
    Unable to cancel {28053BD8-C8BF-43E5-BA58-D0D706211C5A}.
    21 out of 22 jobs canceled.


    ========= End of CMD: =========


    ========= ipconfig /flushdns =========


    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.


    ========= End of CMD: =========


    ========= RemoveProxy: =========

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => removed successfully
    "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
    "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
    "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
    "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
    "HKU\S-1-5-21-3995987313-1681012414-4109313511-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
    "HKU\S-1-5-21-3995987313-1681012414-4109313511-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully


    ========= End of RemoveProxy: =========

    C:\Windows\System32\Drivers\etc\hosts => moved successfully
    Hosts restored successfully.

    ========= sfc /scannow =========



    Beginning system scan. This process will take some time.



    Beginning verification phase of system scan.




    Windows Resource Protection did not find any integrity violations.



    ========= End of CMD: =========


    ========= DISM /Online /Cleanup-Image /CheckHealth =========


    Deployment Image Servicing and Management tool
    Version: 10.0.19041.3636

    Image Version: 10.0.19045.4529

    No component store corruption detected.
    The operation completed successfully.


    ========= End of CMD: =========


    =========== EmptyTemp: ==========

    FlushDNS => completed
    BITS transfer queue => 1310720 B
    DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 47983183 B
    Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 0 B
    Windows/system/drivers => 696460 B
    Edge => 0 B
    Chrome => 225280 B
    Firefox => 472760610 B
    Opera => 18986791 B

    Temp, IE cache, history, cookies, recent:
    Default => 0 B
    ProgramData => 0 B
    Public => 0 B
    systemprofile => 16 B
    systemprofile32 => 16 B
    LocalService => 26830 B
    NetworkService => 29638 B
    ngx_a => 190488795 B
     
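A small parser for the Fixlog format pasted above, added here as an example and not part of the thread or of FRST itself: it assumes the layout of the Fixlog in this thread (fixlist echoed between asterisk lines, one "item => result" line per fixlist entry, and each cmd:/Reg: step wrapped in "========= ... =========" blocks) and runs on a constructed sample log, flagging the steps that did not apply (such as the failed restore point and the BITS job that could not be cancelled) so a helper can spot them without reading the whole file.

```python
"""Summarise an FRST Fixlog.txt: which fixlist items applied and which did not.
Added example, not FRST's own code; it assumes the Fixlog layout seen in this
thread: fixlist echoed between '*****************' lines, '<item> => <result>'
lines, and '========= <cmd> =========' ... '========= End of CMD: =========' blocks."""
import re
from collections import Counter
# Constructed sample modelled on the Fixlog in the thread (not the real file).
SAMPLE_FIXLOG = r"""
fixlist content:
*****************
Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
2024-06-14 06:40 - 2024-06-14 06:40 - 000066508 _____ C:\Users\user\Desktop\EXAMPLE.htm
S3 exampledrv; \??\C:\WINDOWS\temp\exampledrv\exampledrv_x64.sys [X] <==== ATTENTION
ShellExecuteHooks-x32: No Name - {00000000-0000-0000-0000-000000000001} - -> No File
cmd: netsh winsock reset catalog
cmd: bitsadmin /reset /allusers
End::
*****************

SystemRestore: On => Error -> 3%
CreateRestorePoint: Error(1=3%) -> Failed to create a restore point.
Processes closed successfully.
C:\Users\user\Desktop\EXAMPLE.htm => moved successfully
HKLM\System\CurrentControlSet\Services\exampledrv => removed successfully
exampledrv => service removed successfully
"HKLM\Software\Wow6432Node{00000000-0000-0000-0000-000000000001}" => not found

========= netsh winsock reset catalog =========
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
========= End of CMD: =========
========= bitsadmin /reset /allusers =========
{11111111-1111-1111-1111-111111111111} canceled.
Unable to cancel {22222222-2222-2222-2222-222222222222}.
1 out of 2 jobs canceled.
========= End of CMD: =========
"""

RESULT_RE = re.compile(r'^(?P<item>.+?) => (?P<result>.+)$')
BLOCK_START_RE = re.compile(r'^=+ (?P<cmd>.+?) =+$')
BLOCK_END_RE = re.compile(r'^=+ End of \S+ =+$')
# Wording FRST and the wrapped Windows tools use when a step did not apply.
FAILURE_MARKERS = ('error', 'failed', 'access is denied', 'unable to cancel')

def _failed(line):
    return any(marker in line.lower() for marker in FAILURE_MARKERS)

def parse_fixlog(text):
    """Return the echoed fixlist, per-item results, each command block's
    output, and every line signalling that a step did not apply."""
    fixlist, results, commands, failures = [], [], {}, []
    in_fixlist, current_cmd = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == '*****************':       # opens and closes the echo
            in_fixlist = not in_fixlist
            continue
        if in_fixlist:
            fixlist.append(line)
            continue
        if BLOCK_END_RE.match(line):
            current_cmd = None
            continue
        start = BLOCK_START_RE.match(line)
        if start:
            current_cmd = start.group('cmd')
            commands[current_cmd] = []
            continue
        if current_cmd is not None:           # output of a wrapped command
            if line:
                commands[current_cmd].append(line)
                if _failed(line):
                    failures.append(f'{current_cmd}: {line}')
            continue
        result = RESULT_RE.match(line)
        if result:
            item, outcome = result.group('item'), result.group('result')
            results.append((item, outcome))
            if _failed(outcome):
                failures.append(f'{item}: {outcome}')
        elif _failed(line):                   # e.g. the restore-point error
            failures.append(line)
    return {'fixlist': fixlist, 'results': results,
            'commands': commands, 'failures': failures}

def summarise(parsed):
    """Count result kinds so a helper sees how much of the fixlist applied."""
    return Counter(outcome for _, outcome in parsed['results'])

if __name__ == '__main__':
    report = parse_fixlog(SAMPLE_FIXLOG)
    for kind, count in summarise(report).most_common():
        print(f'{count:3d}  {kind}')
    for entry in report['failures']:
        print('needs a second look:', entry)
```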
  12. Oh My!

    Oh My! Malware Expert Staff Member

    You can send me the information via Personal Message.

    Please do this.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    SystemRestore: On
    CreateRestorePoint:
    CloseProcesses:
    Powershell: bitsadmin /list /allusers /verbose
    cmd: net stop bits
    Move: C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db.old
    cmd: net start bits 
    cmd:  bitsadmin /list /allusers
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
     
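The FRST fix in the post above checks the BITS queue (bitsadmin /list /allusers), stops the service, sets the queue database aside and starts BITS again, which is the standard way to discard a persisted download job that a pasted command may have scheduled. The following is an added PowerShell example, not code from the post or from FRST, that does the same triage from an elevated prompt with the BitsTransfer cmdlets: list every job for every user with its remote URL and local target, cancel the jobs that are not owned by a Windows service account, and fall back to the queue-database reset if the cmdlets cannot reach a job. The "trusted owner" list and the per-user heuristic are assumptions made for this example; Windows does not define them.

```powershell
#Requires -RunAsAdministrator
# Added example, not the forum post's own fixlist. Triage of the BITS queue on a
# Windows 10 machine after an untrusted command was pasted into PowerShell.
Import-Module BitsTransfer

function Get-BitsJobReport {
    param(
        # Assumption for this example: jobs owned by these service accounts
        # (Windows Update, Delivery Optimization) are expected; anything owned by
        # an interactive user is flagged for review, not auto-cancelled.
        [string[]] $TrustedOwner = @(
            'NT AUTHORITY\SYSTEM',
            'NT AUTHORITY\NETWORK SERVICE',
            'NT AUTHORITY\LOCAL SERVICE'
        )
    )
    # -AllUsers needs elevation; without it only the current user's jobs appear.
    foreach ($job in (Get-BitsTransfer -AllUsers)) {
        # A job with no files attached yet still counts; emit one row for it.
        $files = if ($job.FileList.Count -gt 0) { $job.FileList } else { @($null) }
        foreach ($f in $files) {
            $remote = if ($null -ne $f) { $f.RemoteName } else { '' }
            $local  = if ($null -ne $f) { $f.LocalName }  else { '' }
            [pscustomobject]@{
                JobId      = $job.JobId
                Display    = $job.DisplayName
                Owner      = $job.OwnerAccount
                State      = $job.JobState
                Type       = $job.TransferType
                Created    = $job.CreationTime
                RemoteName = $remote
                LocalName  = $local
                Suspect    = ($TrustedOwner -notcontains $job.OwnerAccount)
            }
        }
    }
}

function Remove-SuspectBitsJob {
    # Cancels every job flagged Suspect by Get-BitsJobReport. Supports -WhatIf
    # and -Confirm so the list can be reviewed before anything is removed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $suspectIds = Get-BitsJobReport | Where-Object Suspect |
        Select-Object -ExpandProperty JobId -Unique
    foreach ($job in (Get-BitsTransfer -AllUsers | Where-Object { $_.JobId -in $suspectIds })) {
        $target = "$($job.DisplayName) [$($job.JobId)] owned by $($job.OwnerAccount)"
        if ($PSCmdlet.ShouldProcess($target, 'Cancel BITS job')) {
            # Remove-BitsTransfer cancels the job and deletes its partial files.
            Remove-BitsTransfer -BitsJob $job
        }
    }
}

function Reset-BitsQueue {
    # Same operation as the fixlist above: stop BITS, move qmgr*.db aside so the
    # service rebuilds an empty queue, start BITS again. Every queued job is
    # lost, including pending Windows Update downloads, so use it as a fallback.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $QueueDir = 'C:\ProgramData\Microsoft\Network\Downloader')
    if (-not $PSCmdlet.ShouldProcess($QueueDir, 'Move qmgr*.db aside and restart BITS')) { return }
    Stop-Service -Name BITS -Force
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    Get-ChildItem -Path $QueueDir -Filter 'qmgr*.db' -Force | ForEach-Object {
        Rename-Item -LiteralPath $_.FullName -NewName "$($_.Name).old.$stamp" -Force
    }
    Start-Service -Name BITS
}

# Usage from an elevated PowerShell:
Get-BitsJobReport | Format-Table Owner, State, RemoteName, LocalName, Suspect -AutoSize
Remove-SuspectBitsJob -WhatIf   # drop -WhatIf to cancel the flagged jobs
# Reset-BitsQueue                # fallback, equivalent to the fixlist above
```

On the machine in this thread the queue was already empty ("Listed 0 job(s)"), so the report returns nothing and the reset is a no-op apart from the service restart. The owner heuristic is only a starting point: browser and application updaters legitimately create BITS jobs under the logged-in user, so read the RemoteName column before cancelling anything rather than trusting the Suspect flag blindly.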
  13. Oh My!

    Oh My! Malware Expert Staff Member

    I understand you are having difficulty getting FRST64 to run as it starts, stops, then disappears. Disable Avast and attempt it again.
     
  14. KeepOnTruckin

    KeepOnTruckin Private E-2

    Fix result of Farbar Recovery Scan Tool (x64) Version: 11.06.2024
    Ran by ngx (16-06-2024 14:16:18) Run:2
    Running from D:\Users
    Loaded Profiles: ngx
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    SystemRestore: On
    CreateRestorePoint:
    CloseProcesses:
    Powershell: bitsadmin /list /allusers /verbose
    cmd: net stop bits
    Move: C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db.old
    cmd: net start bits
    cmd: bitsadmin /list /allusers
    End::
    *****************

    SystemRestore: On => completed
    Restore point was successfully created.
    Processes closed successfully.

    ========= bitsadmin /list /allusers /verbose =========


    BITSADMIN version 3.0
    BITS administration utility.
    (C) Copyright Microsoft Corp.

    Listed 0 job(s).

    ========= End of Powershell: =========


    ========= net stop bits =========

    The Background Intelligent Transfer Service service is stopping..
    The Background Intelligent Transfer Service service was stopped successfully.



    ========= End of CMD: =========

    "C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db" moved successfully to C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db.old

    ========= net start bits =========

    The Background Intelligent Transfer Service service is starting.
    The Background Intelligent Transfer Service service was started successfully.



    ========= End of CMD: =========


    ========= bitsadmin /list /allusers =========


    BITSADMIN version 3.0
    BITS administration utility.
    (C) Copyright Microsoft Corp.

    Listed 0 job(s).


    ========= End of CMD: =========



    The system needed a reboot.

    ==== End of Fixlog 14:16:44 ====
     
  15. Oh My!

    Oh My! Malware Expert Staff Member

    That looks good.

    Let's run a final online scan. Please do this.

    ===================================================

    ESET Online Scanner

    --------------------

    Note: You can expect this process to take a long time, up to several hours or more.
    • Download ESET Free Online Scanner and save it to your Desktop
    • Right click on esetonlinescanner_enu.exe and select Run as administrator
    • NOTE: If the program immediately crashes rename esetonlinescanner_enu.exe to ESET.exe and attempt it again
    • Click Computer Scan
    • Click Full scan
    • Select Enable ESET to detect and quarantine potentially unwanted applications
    • Click Start scan
    • Once completed click View detailed results
    • Review the list of detected items for things you don't want to remove (sometimes Potentially Unwanted Applications)
    • If there are entries you would like to keep click Restore cleaned files
    • Place a check mark in each entry you would like to restore then click Restore files then confirm the action
    • Click Finish
    • Save scan log and save it to your Desktop as ESETScan.txt
    • Click Continue then finally click Close
    • Copy and paste the ESETScan.txt file contents in your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • ESET report
     
  16. KeepOnTruckin

    KeepOnTruckin Private E-2

    ESET doesn't want to run to its finish. I did rename it as directed. It runs for five or ten minutes, "downloading" or "updating" modules. It runs a few up to 100%, then ran one or more up to thousands of %. Then it just stops and disappears from the screen. No log file or indication that it has done anything.
     
  17. KeepOnTruckin

    KeepOnTruckin Private E-2

    Tried again--Updating module hit 2300% and it kicked out of the program without a message.
     
  18. Oh My!

    Oh My! Malware Expert Staff Member

    This type of ESET behavior is not unheard of.

    Please try this.

    ===================================================

    Kaspersky Virus Removal Tool

    --------------------
    • Download Kaspersky Virus Removal Tool and save it to your Desktop
    • Press the Windows Key + R at the same time
    • Copy and paste C:\Users\ngx_a\Desktop\KVRT.exe -dontencrypt in the Run box
    • Click OK
    • Review and place check marks in all 3 I confirm boxes then click Accept
    • Click Change parameters
    • Place check marks in the following categories:
    System memory
    Startup objects
    Boot sectors
    System drive
    • Click OK
    • Click Start scan
    • When completed click Continue
    • Close the program
    • Hit the Windows Key + E at the same time
    • Navigate to the C:\KVRT2020_Data\Reports folder
    • Right click on KLR File which looks similar to report_2022.09.12_06.27.09 and select Open
    • Copy and paste the contents of the file in your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • KLR report
     
  19. KeepOnTruckin

    KeepOnTruckin Private E-2

    I'm holding off on the KVRT, as the ESET has decided to do its thing, knock on wood . . . Approx. 440,000 files, and counting.
     
  20. KeepOnTruckin

    KeepOnTruckin Private E-2

    ESET ran and finished. It said there were no issues found. Unfortunately, after I hit Finish, the tab to allow me to save the log was no longer present, and I find no log. I'll run it again . . .
     
  21. KeepOnTruckin

    KeepOnTruckin Private E-2

    ESETScan:

    6/17/2024 17:03:21 PM
    Scanned files: 647061
    Detected files: 2
    Cleaned files: 1
    Total scan time 00:52:18
    Scan status: Finished
    C:\Users\Public\Documents\Wondershare\recoverit_64bit_full4134.exe a variant of Win64/Recoverit.B potentially unwanted application cleaned by deleting

    C:\Windows\Installer\1ab8ef19.msi a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application unable to clean



    Thanks for continuing assistance.
     
  22. Oh My!

    Oh My! Malware Expert Staff Member

    Nothing of concern there.

    Things look pretty good. Are there any remaining questions or concerns you might have before I post some tool/log clean up instructions and other information for you to consider going forward?
     
  23. KeepOnTruckin

    KeepOnTruckin Private E-2

    I think I'm all set for now. Thank you again, for saving me much aggravation. I just looked into how to support your site, and will, at the very least, be sending some coffees your way.
     
  24. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for your kind words and kindness.

    Here is our final step and some additional information to consider.

    ===================================================

    KpRm by Kernel-panik

    --------------
    • Download KpRm and save it to your Desktop (see here if you must use Chrome)
    • Note: If the file is detected as malware it is not and it is safe to download. The detection is a false positive.
    • Right click on the icon and select Run as administrator
    • Click Yes on the Disclaimer
    • Place a check mark in Delete Tools, Create Restore Point, and Delete in 7 days
    • Click Run
    • Click OK on All operations are completed
    • KpRm will delete itself from your Desktop and you can either save or remove the report that is generated
    • You are free to remove any other tools/reports still remaining
    ===================================================

    All Clean!

    --------------

    Your computer is now clean. Please consider this going forward.

    ===================================================

    Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

    Thank you for placing your trust in Major Geeks. It was a pleasure serving you.
     
