Fake Windows Defender Alert

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by thedirewolf, May 10, 2023.

  1. thedirewolf

    thedirewolf Private E-2

    Specifically, app:annonces.fiancetrack(0x2).dll

    My friend is somewhat impaired and doesn't remember what he was doing when this popped up. I've run numerous scans, emptied all caches and temp folders with CC Cleaner to no avail. I ran the required scans for you and have attached the logs. I much appreciate your help; it's been years since I needed it and it's so good to know you're still here!
    Thanks, Rich
     

    Attached Files:

  2. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings Rich and welcome to the MajorGeeks Malware Forum.

    It looks like you posted the Addition.txt twice. The attached FRST.txt file is actually another copy of the Addition.txt report.

    If you don't have a good copy of the FRST.txt report in the D:\Malware Tools folder please run another scan and post the report.
     
    Last edited: May 10, 2023
  3. Oh My!

    Oh My! Malware Expert Staff Member

    How are we doing Rich?
     
  4. thedirewolf

    thedirewolf Private E-2

    Sorry, I thought I'd get an email notification when somebody responded.
     

    Attached Files:

  5. Oh My!

    Oh My! Malware Expert Staff Member

    If you don't get a notification regarding this reply let me know.

    Please delete all copies of FRST.txt and Addition.txt reports. Following that please run a new FRST Scan and attach both reports to your reply.
     
  6. thedirewolf

    thedirewolf Private E-2

    Here you go. Thanks so much for the help!
     

    Attached Files:

  7. Oh My!

    Oh My! Malware Expert Staff Member

    Could you please also attach the Addition.txt report for me? I want to make sure we are working with the most current information about the state of your computer.

**Nevermind, the last Addition.txt report is close enough.**
     
    Last edited: Jun 8, 2023
  8. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for the report.

    We need to be a bit aggressive given the state of your computer, in particular Firefox.

    Your system is low on available RAM so you can expect to see overall diminished performance.

    Please do this.

    ===================================================

    Disabling Firefox Sync

    --------------------

    • Launch Firefox
    • Copy and paste the below into the address bar and hit Enter
    Code:
    about:preferences#sync
    • Under Sync if you see Sign Out... click that then click Sign Out
    • In your reply report whether or not you signed out
    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST will do it for you
    Code:
    Start::
    SystemRestore: On
    CreateRestorePoint:
    CloseProcesses:
    Zip: C:\WINDOWS\system32\Caad.db
    S2 HitmanPro38CrusaderBoot; "D:\hitmanpro_x64.exe" /crusader:boot [X]
    U3 aspnet_state; no ImagePath
    S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
    Task: {384CE62B-013E-4CC2-A8EE-ECB6C07D35A3} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery => %systemroot%\system32\MusNotification.exe /RunOnBattery RebootDialog (No File)
    Task: {497886EC-7018-4E7B-9436-A9E22B2A251A} - System32\Tasks\CCleanerSkipUAC - lstre => "D:\Malware Tools\CCleaner64.exe" $(Arg0) (No File)
    Task: {9D41D82E-AE10-413B-94B5-573EA133C4AC} - System32\Tasks\CCleaner Update => C:\Users\lstre\OneDrive\Desktop\security\CCUpdate.exe (No File)
    Task: {B8BD1570-C1EA-4168-8358-8DB7B1B361EA} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => %SystemRoot%\System32\MbaeParserTask.exe (No File)
    Task: {CE1D1DDE-C1F5-4EC9-BEC4-0DDE31AB0437} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => %systemroot%\system32\MusNotification.exe /RunOnAC RebootDialog (No File)
    Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
    Edge HKLM-x32\...\Edge\Extension: [pdhdldaneekjpoaldekpgomomeabpnek]
    FF NewTabOverride: Mozilla\Firefox\Profiles\svj5stqr.default-release -> Enabled: {c5ffbd00-71e8-4603-a19b-860104b7ac62}
    FF NewTabOverride: Mozilla\Firefox\Profiles\svj5stqr.default-release -> Enabled: Quick_Live_News_spxMukSrlT@quicklivenews.com
    FF NewTabOverride: Mozilla\Firefox\Profiles\svj5stqr.default-release -> Enabled: {82c0173d-b61d-4cd3-8e01-ffc56211a71c}
    FF NewTabOverride: Mozilla\Firefox\Profiles\svj5stqr.default-release -> Enabled: addon@customsearchtool.com
    FF NewTabOverride: Mozilla\Firefox\Profiles\svj5stqr.default-release -> Enabled: {94fe999d-930d-4162-b7b2-0cffdfbf4429}
    FF NewTabOverride: Mozilla\Firefox\Profiles\svj5stqr.default-release -> Enabled: Find_Manuals_Now___Custom_Web_Search_TcURqcnjqD@findmanualsnow.com
    FF NewTabOverride: Mozilla\Firefox\Profiles\svj5stqr.default-release -> Disabled: {ca253281-1ddf-4e22-b3bb-5d5aa8b57c11}
    FF Extension: (Custom Search Tool) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\addon@customsearchtool.com.xpi [2023-01-11] [UpdateUrl:hxxps://home.customsearchtool.com/firefox/updates]
    FF Extension: (Dreamer Balanced) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\dreamer-balanced-colorway@mozilla.org.xpi [2023-03-17]
    FF Extension: (Ezy Photo Tab & Custom Web Search) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\Ezy_Photo_Tab___Custom_Web_Search_YALalKMirg@ezyphototab.com.xpi [2022-10-02]
    FF Extension: (Find Manuals Now & Custom Web Search) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\Find_Manuals_Now___Custom_Web_Search_TcURqcnjqD@findmanualsnow.com.xpi [2022-10-02]
    FF Extension: (Quick Live News & Custom Web Search) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\Quick_Live_News_spxMukSrlT@quicklivenews.com.xpi [2023-04-02]
    FF Extension: (PDF Editor and Search by PDFtab) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\{82c0173d-b61d-4cd3-8e01-ffc56211a71c}.xpi [2022-12-27] [UpdateUrl:hxxps://cdn.pdftab-cdn.com/xpi/pdftab/yhs/0721/search/updates.json]
    FF Extension: (TV Search) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\{94fe999d-930d-4162-b7b2-0cffdfbf4429}.xpi [2022-10-04] [UpdateUrl:hxxps://cdn.gettvsearch-cdn.org/xpi/gettvsearch/yhs/0720/search/updates.json]
    FF Extension: (Freshy Newtab and Search ) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\{c5ffbd00-71e8-4603-a19b-860104b7ac62}.xpi [2022-10-04] [UpdateUrl:hxxps://cdn.freshysearch-cdn.com/xpi/freshy/yhs/01020/searchnnewtab/updates.json]
    FF Extension: (Yahoo Search From QuickSpeed Test) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\{ca253281-1ddf-4e22-b3bb-5d5aa8b57c11}.xpi [2022-11-20] [UpdateUrl:hxxps://cdn.quickspeedtest-cdn.net/xpi/quickspeedtest/yhs/0820/search/updates.json]
    cmd: netsh winsock reset catalog
    cmd: netsh int ip reset resetlog.txt
    cmd: netsh advfirewall reset
    cmd: netsh advfirewall set allprofiles state ON
    cmd: bitsadmin /reset /allusers
    cmd: ipconfig /flushdns
    Removeproxy:
    hosts:
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /RestoreHealth
    Emptytemp:
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    • The tool will create a zipped folder on your Desktop with today's date, example: 02.17.2022_13.24.50.zip. Please attach it to your reply
    • Note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program agree to the request.
    • Note: The Emptytemp: command will remove cookies and may result in some websites (like banking) indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
    ===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Firefox Sync status
    • Fixlog
    • Attached .zip file
     
  9. thedirewolf

    thedirewolf Private E-2

    I assume this list is the FRST log? The first 8 lines appear nowhere; the others aren't all in a row and I can't figure out how to select them all. I'm afraid I'm going to have to suck it up and pay somebody to deal with this. Everything on the laptop is so tiny that my old eyes need a magnifier, which exacerbates my vertigo. TMI, I know. Sorry to have wasted your time. Thanks, Rich
     
  10. Oh My!

    Oh My! Malware Expert Staff Member

    Hi Rich.

    Sorry to hear about your difficulties and I certainly understand if you don't want to deal with it here. However, I am going to post another set of instructions that should make it easier to run the Fixlist, if you'd like to try.

    ===================================================

    Farbar Recovery Scan Tool - Run Fix Using Attached File

    --------------------
    • Please download the attached file and save it to C:\Users\lstre\OneDrive\Desktop
    • Right click on FRST and select Run as administrator
    • Click Fix and once completed your computer will reboot
    • The tool will create a log on the desktop called Fixlog.txt
    • Copy and paste the contents of the report in your reply. If it is too large please attach it.
    • Note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program agree to the request.
    • Note: The Emptytemp: command will remove cookies and may result in some websites (like banking) indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
    ===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
     

    Attached Files:

  11. thedirewolf

    thedirewolf Private E-2

    I very much appreciate your extra effort! Here you go:
    Fix result of Farbar Recovery Scan Tool (x64) Version: 29-05-2023
    Ran by lstre (09-06-2023 15:27:59) Run:1
    Running from C:\Users\lstre\OneDrive\Desktop
    Loaded Profiles: lstre
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************



    SystemRestore: On
    CreateRestorePoint:
    CloseProcesses:
    Zip: C:\WINDOWS\system32\Caad.db
    S2 HitmanPro38CrusaderBoot; "D:\hitmanpro_x64.exe" /crusader:boot [X]
    U3 aspnet_state; no ImagePath
    S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
    Task: {384CE62B-013E-4CC2-A8EE-ECB6C07D35A3} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery => %systemroot%\system32\MusNotification.exe /RunOnBattery RebootDialog (No File)
    Task: {497886EC-7018-4E7B-9436-A9E22B2A251A} - System32\Tasks\CCleanerSkipUAC - lstre => "D:\Malware Tools\CCleaner64.exe" $(Arg0) (No File)
    Task: {9D41D82E-AE10-413B-94B5-573EA133C4AC} - System32\Tasks\CCleaner Update => C:\Users\lstre\OneDrive\Desktop\security\CCUpdate.exe (No File)
    Task: {B8BD1570-C1EA-4168-8358-8DB7B1B361EA} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => %SystemRoot%\System32\MbaeParserTask.exe (No File)
    Task: {CE1D1DDE-C1F5-4EC9-BEC4-0DDE31AB0437} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => %systemroot%\system32\MusNotification.exe /RunOnAC RebootDialog (No File)
    Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
    Edge HKLM-x32\...\Edge\Extension: [pdhdldaneekjpoaldekpgomomeabpnek]
    FF NewTabOverride: Mozilla\Firefox\Profiles\svj5stqr.default-release -> Enabled: {c5ffbd00-71e8-4603-a19b-860104b7ac62}
    FF NewTabOverride: Mozilla\Firefox\Profiles\svj5stqr.default-release -> Enabled: Quick_Live_News_spxMukSrlT@quicklivenews.com
    FF NewTabOverride: Mozilla\Firefox\Profiles\svj5stqr.default-release -> Enabled: {82c0173d-b61d-4cd3-8e01-ffc56211a71c}
    FF NewTabOverride: Mozilla\Firefox\Profiles\svj5stqr.default-release -> Enabled: addon@customsearchtool.com
    FF NewTabOverride: Mozilla\Firefox\Profiles\svj5stqr.default-release -> Enabled: {94fe999d-930d-4162-b7b2-0cffdfbf4429}
    FF NewTabOverride: Mozilla\Firefox\Profiles\svj5stqr.default-release -> Enabled: Find_Manuals_Now___Custom_Web_Search_TcURqcnjqD@findmanualsnow.com
    FF NewTabOverride: Mozilla\Firefox\Profiles\svj5stqr.default-release -> Disabled: {ca253281-1ddf-4e22-b3bb-5d5aa8b57c11}
    FF Extension: (Custom Search Tool) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\addon@customsearchtool.com.xpi [2023-01-11] [UpdateUrl:hxxps://home.customsearchtool.com/firefox/updates]
    FF Extension: (Dreamer Balanced) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\dreamer-balanced-colorway@mozilla.org.xpi [2023-03-17]
    FF Extension: (Ezy Photo Tab & Custom Web Search) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\Ezy_Photo_Tab___Custom_Web_Search_YALalKMirg@ezyphototab.com.xpi [2022-10-02]
    FF Extension: (Find Manuals Now & Custom Web Search) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\Find_Manuals_Now___Custom_Web_Search_TcURqcnjqD@findmanualsnow.com.xpi [2022-10-02]
    FF Extension: (Quick Live News & Custom Web Search) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\Quick_Live_News_spxMukSrlT@quicklivenews.com.xpi [2023-04-02]
    FF Extension: (PDF Editor and Search by PDFtab) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\{82c0173d-b61d-4cd3-8e01-ffc56211a71c}.xpi [2022-12-27] [UpdateUrl:hxxps://cdn.pdftab-cdn.com/xpi/pdftab/yhs/0721/search/updates.json]
    FF Extension: (TV Search) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\{94fe999d-930d-4162-b7b2-0cffdfbf4429}.xpi [2022-10-04] [UpdateUrl:hxxps://cdn.gettvsearch-cdn.org/xpi/gettvsearch/yhs/0720/search/updates.json]
    FF Extension: (Freshy Newtab and Search ) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\{c5ffbd00-71e8-4603-a19b-860104b7ac62}.xpi [2022-10-04] [UpdateUrl:hxxps://cdn.freshysearch-cdn.com/xpi/freshy/yhs/01020/searchnnewtab/updates.json]
    FF Extension: (Yahoo Search From QuickSpeed Test) - C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\{ca253281-1ddf-4e22-b3bb-5d5aa8b57c11}.xpi [2022-11-20] [UpdateUrl:hxxps://cdn.quickspeedtest-cdn.net/xpi/quickspeedtest/yhs/0820/search/updates.json]
    cmd: netsh winsock reset catalog
    cmd: netsh int ip reset resetlog.txt
    cmd: netsh advfirewall reset
    cmd: netsh advfirewall set allprofiles state ON
    cmd: bitsadmin /reset /allusers
    cmd: ipconfig /flushdns
    Removeproxy:
    hosts:
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /RestoreHealth
    Emptytemp:
    *****************

    SystemRestore: On => completed
    Restore point was successfully created.
    Processes closed successfully.
    ================== Zip: ===================
    C:\WINDOWS\system32\Caad.db -> copied successfully to C:\Users\lstre\OneDrive\Desktop\09.06.2023_15.30.35.zip
    =========== Zip: End ===========
    HKLM\System\CurrentControlSet\Services\HitmanPro38CrusaderBoot => removed successfully
    HitmanPro38CrusaderBoot => service removed successfully
    HKLM\System\CurrentControlSet\Services\aspnet_state => removed successfully
    aspnet_state => service removed successfully
    HKLM\System\CurrentControlSet\Services\WinSetupMon => removed successfully
    WinSetupMon => service removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{384CE62B-013E-4CC2-A8EE-ECB6C07D35A3}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{384CE62B-013E-4CC2-A8EE-ECB6C07D35A3}" => removed successfully
    C:\WINDOWS\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{497886EC-7018-4E7B-9436-A9E22B2A251A}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{497886EC-7018-4E7B-9436-A9E22B2A251A}" => removed successfully
    C:\WINDOWS\System32\Tasks\CCleanerSkipUAC - lstre => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC - lstre" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{9D41D82E-AE10-413B-94B5-573EA133C4AC}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9D41D82E-AE10-413B-94B5-573EA133C4AC}" => removed successfully
    C:\WINDOWS\System32\Tasks\CCleaner Update => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleaner Update" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B8BD1570-C1EA-4168-8358-8DB7B1B361EA}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B8BD1570-C1EA-4168-8358-8DB7B1B361EA}" => removed successfully
    C:\WINDOWS\System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CE1D1DDE-C1F5-4EC9-BEC4-0DDE31AB0437}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CE1D1DDE-C1F5-4EC9-BEC4-0DDE31AB0437}" => removed successfully
    C:\WINDOWS\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Reboot_AC" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E0F10DCF-44AD-40E8-9370-FB5DA59F93FB}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E0F10DCF-44AD-40E8-9370-FB5DA59F93FB}" => removed successfully
    C:\WINDOWS\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" => removed successfully
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Edge\Extensions\pdhdldaneekjpoaldekpgomomeabpnek => removed successfully
    "Firefox NewTabOverride ({c5ffbd00-71e8-4603-a19b-860104b7ac62}) " => removed successfully
    "Firefox NewTabOverride (Quick_Live_News_spxMukSrlT@quicklivenews.com) " => removed successfully
    "Firefox NewTabOverride ({82c0173d-b61d-4cd3-8e01-ffc56211a71c}) " => removed successfully
    "Firefox NewTabOverride (addon@customsearchtool.com) " => removed successfully
    "Firefox NewTabOverride ({94fe999d-930d-4162-b7b2-0cffdfbf4429}) " => removed successfully
    "Firefox NewTabOverride (Find_Manuals_Now___Custom_Web_Search_TcURqcnjqD@findmanualsnow.com) " => removed successfully
    "Firefox NewTabOverride ({ca253281-1ddf-4e22-b3bb-5d5aa8b57c11}) " => removed successfully
    C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\addon@customsearchtool.com.xpi => moved successfully
    C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\dreamer-balanced-colorway@mozilla.org.xpi => moved successfully
    C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\Ezy_Photo_Tab___Custom_Web_Search_YALalKMirg@ezyphototab.com.xpi => moved successfully
    C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\Find_Manuals_Now___Custom_Web_Search_TcURqcnjqD@findmanualsnow.com.xpi => moved successfully
    C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\Quick_Live_News_spxMukSrlT@quicklivenews.com.xpi => moved successfully
    C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\{82c0173d-b61d-4cd3-8e01-ffc56211a71c}.xpi => moved successfully
    C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\{94fe999d-930d-4162-b7b2-0cffdfbf4429}.xpi => moved successfully
    C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\{c5ffbd00-71e8-4603-a19b-860104b7ac62}.xpi => moved successfully
    C:\Users\lstre\AppData\Roaming\Mozilla\Firefox\Profiles\svj5stqr.default-release\Extensions\{ca253281-1ddf-4e22-b3bb-5d5aa8b57c11}.xpi => moved successfully

    ========= netsh winsock reset catalog =========


    Sucessfully reset the Winsock Catalog.
    You must restart the computer in order to complete the reset.



    ========= End of CMD: =========


    ========= netsh int ip reset resetlog.txt =========

    Resetting Compartment Forwarding, OK!
    Resetting Compartment, OK!
    Resetting Control Protocol, OK!
    Resetting Echo Sequence Request, OK!
    Resetting Global, OK!
    Resetting Interface, OK!
    Resetting Anycast Address, OK!
    Resetting Multicast Address, OK!
    Resetting Unicast Address, OK!
    Resetting Neighbor, OK!
    Resetting Path, OK!
    Resetting Potential, OK!
    Resetting Prefix Policy, OK!
    Resetting Proxy Neighbor, OK!
    Resetting Route, OK!
    Resetting Site Prefix, OK!
    Resetting Subinterface, OK!
    Resetting Wakeup Pattern, OK!
    Resetting Resolve Neighbor, OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , failed.
    Access is denied.

    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Restart the computer to complete this action.



    ========= End of CMD: =========


    ========= netsh advfirewall reset =========

    Ok.



    ========= End of CMD: =========


    ========= netsh advfirewall set allprofiles state ON =========

    Ok.



    ========= End of CMD: =========


    ========= bitsadmin /reset /allusers =========


    BITSADMIN version 3.0
    BITS administration utility.
    (C) Copyright Microsoft Corp.

    {04D021ED-AD50-46FC-9A48-2901B5183393} canceled.
    {B6189497-7ED7-4E4B-962B-98F6A04EC4C2} canceled.
    {F1F9030B-7BF4-4F28-BBB8-5CD21629838F} canceled.
    3 out of 3 jobs canceled.


    ========= End of CMD: =========


    ========= ipconfig /flushdns =========


    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.


    ========= End of CMD: =========


    ========= RemoveProxy: =========

    "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
    "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
    "HKU\S-1-5-21-2325390496-992823342-1151514651-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
    "HKU\S-1-5-21-2325390496-992823342-1151514651-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully


    ========= End of RemoveProxy: =========

    C:\Windows\System32\Drivers\etc\hosts => moved successfully
    Hosts restored successfully.

    ========= sfc /scannow =========



    Beginning system scan. This process will take some time.



    Beginning verification phase of system scan.




    Windows Resource Protection found corrupt files and successfully repaired them.

    For online repairs, details are included in the CBS log file located at

    windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline

    repairs, details are included in the log file provided by the /OFFLOGFILE flag.



    ========= End of CMD: =========


    ========= DISM /Online /Cleanup-Image /RestoreHealth =========


    Deployment Image Servicing and Management tool
    Version: 10.0.22621.1

    Image Version: 10.0.22621.1702


    [==========================100.0%==========================]
    The restore operation completed successfully.
    The operation completed successfully.


    ========= End of CMD: =========


    =========== EmptyTemp: ==========

    FlushDNS => completed
    BITS transfer queue => 1310720 B
    DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 22200148 B
    Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 33300 B
    Windows/system/drivers => 301124922 B
    Edge => 0 B
    Firefox => 39713296 B
    Opera => 0 B

    Temp, IE cache, history, cookies, recent:
    Default => 0 B
    ProgramData => 0 B
    Public => 0 B
    systemprofile => 0 B
    systemprofile32 => 0 B
    LocalService => 434560 B
    NetworkService => 434560 B
    lstre => 384599327 B

    RecycleBin => 723157446 B
    EmptyTemp: => 1.4 GB temporary data Removed.

    ================================


    The system needed a reboot.

    ==== End of Fixlog 15:48:43 ====
     
  12. Oh My!

    Oh My! Malware Expert Staff Member

    Nice work. Thanks for hanging in there.

    Look to see if the below folder is on your Desktop. If so, please select Upload a File and upload that file in your reply.

    C:\Users\lstre\OneDrive\Desktop\09.06.2023_15.30.35.zip
     
  13. thedirewolf

    thedirewolf Private E-2

    Ok
     

    Attached Files:

  14. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you.

    Can you update on the computer performance? Are you still receiving fake warnings?
     
  15. thedirewolf

    thedirewolf Private E-2

    I haven't been online on that computer. The last time I thought I had it taken care of it was gone for about 3 weeks before returning with a slightly different look. I'll start poking around and see what happens.
     
  16. Oh My!

    Oh My! Malware Expert Staff Member

    Thanks.

    I'm logging off for the evening but will be back online tomorrow morning.
     
  17. thedirewolf

    thedirewolf Private E-2

    So far, so good! Thank you, my friend!
     
  18. Oh My!

    Oh My! Malware Expert Staff Member

    Very good.

    We will monitor it for another day and while we do that please run this.


    ===================================================

    ESET Online Scanner

    --------------------

    Note: You can expect this process to take a long time, up to several hours or more.

    • Download ESET Free Online Scanner and save it to your Desktop
    • Right click on esetonlinescanner_enu.exe and select Run as administrator
    • NOTE: If the program immediately crashes rename esetonlinescanner_enu.exe to ESET.exe and attempt it again
    • Click Computer Scan
    • Click Full scan
    • Select Enable ESET to detect and quarantine potentially unwanted applications
    • Click Start scan
    • Once completed click Save scan log and save it to your Desktop as ESETScan.txt
    • Click Continue then finally click Close
    • Copy and paste the ESETScan.txt file contents in your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • ESET report
     
  19. thedirewolf

    thedirewolf Private E-2

    Now the damned thing won't start up.
     
  20. thedirewolf

    thedirewolf Private E-2

    Ok, got it up and running, ran the scan which found nothing. I thought I'd saved the log to my computer but I can't find it on mine or his laptop and my friend doesn't want to give up his laptop again so soon. I'll try again tomorrow if you still need to see it.
     
  21. Oh My!

    Oh My! Malware Expert Staff Member

    No need to see it.

    Are you concerned about the inability to boot?
     
  22. thedirewolf

    thedirewolf Private E-2

    That was a bit weird but I got it up with the old F11 trick. Hasn't been a problem since. Your help has been greatly appreciated, thank you!
     
  23. Oh My!

    Oh My! Malware Expert Staff Member

    Thanks.

    We will wrap this up but let me know if you have more problems.

    Here is our final step and some additional information to consider.

    ===================================================

    KpRm by Kernel-panik

    --------------
    • Download KpRm and save it to your Desktop (see here if you must use Chrome)
    • Note: If the file is detected as malware it is not and it is safe to download. The detection is a false positive.
    • Right click on the icon and select Run as administrator
    • Click Yes on the Disclaimer
    • Place a check mark in Delete Tools, Create Restore Point, and Delete in 7 days
    • Click Run
    • Click OK on All operations are completed
    • KpRm will delete itself from your Desktop and you can either save or remove the report that is generated
    • You are free to remove any other tools/reports still remaining
    ===================================================

    All Clean!

    --------------

    Your computer is now clean. Please consider this going forward.

    ===================================================

    Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

     
