Malware- Katana Do-ma Desktop-r1kj977

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by manilka835, Dec 28, 2024.

  1. manilka835

    manilka835 Specialist

    The Operating System of the above desktop computer was re-installed because the existing Operating System would not load.

    I have run READ & RUN ME FIRST- Malware Removal Guide to make sure there are no Malware. The relevant logs are attached.

    I would also value any suggestions which may streamline the function of this computer.


    Dr. K.D.J.H. Manilka Jayawardena,
    Medical Officer of Health,
    Katana.
    Proud to be a Sri Lankan!
     

    Attached Files:

  2. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings my friend and welcome back to the Major Geeks Malware Forum.

    Please do this

    ===================================================

    Farbar Recovery Scan Tool (FRST)

    --------------------
    • Download FRST64 and save the file on your Desktop
    • If your computer language is other than English right click on the FRST64 icon and rename it to FRST64english
    • Right click on the icon and select Run as administrator
    • Note: If you receive any warning about the download it is a false positive and you can ignore it. Click on More info to get the Run anyway option
    • Click Yes to the disclaimer
    • Click Scan and allow the program to run
    • When completed, FRST.txt and Addition.txt reports will be saved on the Desktop
    • Please attach the reports to your reply
    ===================================================

    Things I would like to see in your next reply.
    • Attached reports
     
  3. manilka835

    manilka835 Specialist

    Greetings! Wish you a Merry Christmas and a Happy New Year!
    Nice to see you again.

    FRST.txt and Addition.txt reports are attached hereto.
     

    Attached Files:

  4. Oh My!

    Oh My! Malware Expert Staff Member

    Same greetings to you, my friend.

    As you are already aware, this is an older computer with very little computing capabilities. Though I am unsure how much performance increase we can expect, I would recommend uninstalling the below programs and using only the native Windows Defender. We can leave Malwarebytes and you can periodically scan your system with that.

    If you agree, please do this.

    ===================================================

    Uninstalling Programs Using Revo Uninstaller Free Portable

    --------------------

    • Download Revo Uninstaller Free Portable and save it to your Desktop
    • Right click on the folder and select Extract All..., then click Extract
    • Double click on the RevoUninstaller-Portable folder
    • Right click on RevoUPort and select Run as administrator
    • Click OK on the License Agreement
    • From the list of programs double click on the listed program(s), or anything similar, to remove it (if it exists)
    • If multiple programs are listed you need only create a Restore Point when uninstalling the first listed program
    Code:
    Autorun Eater v2.6
    Avast Free Antivirus
    CCleaner
    COMODO Firewall
    Internet Security Essentials 
    RogueKiller version 15.19.2.0
    Smart Defrag 10
    SpywareBlaster 6.0
    USB Disk Security
    
    • If the program's uninstaller appears work through the steps to remove the program(s)
    • Be sure the Advanced option is selected then click Scan
    • For each window that may appear identifying leftover items click Select All, Delete, then confirm the deletion
    • Once done click Finish
    • Reboot your computer
    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    CreateRestorePoint:
    CloseProcesses:
    S1 ndacwmhc; \??\C:\Windows\system32\drivers\ndacwmhc.sys [X] 
    FirewallRules: [{6FD490A3-A838-4124-B267-9BBF22D07D82}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe => No File 
    FirewallRules: [{14DA07AA-B0DB-46EB-95FC-B9662CE31187}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe => No File 
    HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION 
    HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION 
    GroupPolicy: Restriction - Chrome <==== ATTENTION 
    Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION 
    HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION 
    HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION 
    HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION 
    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [136] 
    2024-12-29 01:29 - 2024-12-29 02:11 - 000000000 ____D C:\ProgramData\TEMP
    cmd: netsh winsock reset catalog
    cmd: netsh int ip reset resetlog.txt
    Reg: reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules C:\Firewall.reg
    C:\Firewall.reg
    cmd: netsh advfirewall reset
    cmd: netsh advfirewall set allprofiles state ON
    cmd: bitsadmin /reset /allusers
    cmd: ipconfig /flushdns
    Removeproxy:
    hosts:
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    Emptytemp:
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    • Note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program agree to the request.
    • Note: The Emptytemp: command will remove cookies and may result in some websites (like banking) indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
    ===================================================

    Farbar Recovery Scan Tool SearchAll

    --------------------
    • Right click on FRST and select Run as administrator
    • Copy/paste the following in the Search: box
    Code:
    SearchAll: COMODO;Avast;SpywareBlaster;CCleaner;Zbshareware
    
    • Click Search Files
    • When completed click OK and a Search.txt document will open on your desktop
    • Zip and attach the file to your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Programs uninstalled?
    • Fixlog
    • Attached zip file
     
  5. manilka835

    manilka835 Specialist

    Programs uninstalled
    1. Autorun Eater v2.6
    2. Avast Free Antivirus
    3. CCleaner
    4. COMODO Firewall
    5. Internet Security Essentials
    6. RogueKiller version 15.19.2.0
    7. Smart Defrag 10
    8. SpywareBlaster 6.0
    9. USB Disk Security
    Fixlog
    Fix result of Farbar Recovery Scan Tool (x64) Version: 19-12-2024
    Ran by Admin (30-12-2024 08:28:55) Run:1
    Running from C:\Users\Admin\Desktop
    Loaded Profiles: Admin
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    CreateRestorePoint:
    CloseProcesses:
    S1 ndacwmhc; \??\C:\Windows\system32\drivers\ndacwmhc.sys [X]
    FirewallRules: [{6FD490A3-A838-4124-B267-9BBF22D07D82}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe => No File
    FirewallRules: [{14DA07AA-B0DB-46EB-95FC-B9662CE31187}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe => No File
    HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
    HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
    GroupPolicy: Restriction - Chrome <==== ATTENTION
    Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
    HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
    HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [136]
    2024-12-29 01:29 - 2024-12-29 02:11 - 000000000 ____D C:\ProgramData\TEMP
    cmd: netsh winsock reset catalog
    cmd: netsh int ip reset resetlog.txt
    Reg: reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules C:\Firewall.reg
    C:\Firewall.reg
    cmd: netsh advfirewall reset
    cmd: netsh advfirewall set allprofiles state ON
    cmd: bitsadmin /reset /allusers
    cmd: ipconfig /flushdns
    Removeproxy:
    hosts:
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    Emptytemp:
    End::
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    HKLM\System\CurrentControlSet\Services\ndacwmhc => removed successfully
    ndacwmhc => service removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6FD490A3-A838-4124-B267-9BBF22D07D82}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{14DA07AA-B0DB-46EB-95FC-B9662CE31187}" => removed successfully
    HKLM\SOFTWARE\Microsoft\Windows Defender\\"DisableAntiSpyware"="0" => value restored successfully
    HKLM\SOFTWARE\Microsoft\Windows Defender\\"DisableAntiVirus"="0" => value restored successfully

    "C:\Windows\system32\GroupPolicy\Machine" Folder move:

    C:\Windows\system32\GroupPolicy\Machine => moved successfully
    C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
    C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
    C:\ProgramData\NTUSER.pol => moved successfully
    HKLM\SOFTWARE\Policies\Mozilla => removed successfully
    HKLM\SOFTWARE\Policies\Google => removed successfully
    HKLM\SOFTWARE\Policies\Microsoft\Edge => removed successfully
    C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully

    "C:\ProgramData\TEMP" Folder move:

    C:\ProgramData\TEMP => moved successfully

    ========= netsh winsock reset catalog =========


    Sucessfully reset the Winsock Catalog.
    You must restart the computer in order to complete the reset.



    ========= End of CMD: =========


    ========= netsh int ip reset resetlog.txt =========

    Resetting Compartment Forwarding, OK!
    Resetting Compartment, OK!
    Resetting Control Protocol, OK!
    Resetting Echo Sequence Request, OK!
    Resetting Global, OK!
    Resetting Interface, OK!
    Resetting Anycast Address, OK!
    Resetting Multicast Address, OK!
    Resetting Unicast Address, OK!
    Resetting Neighbor, OK!
    Resetting Path, OK!
    Resetting Potential, OK!
    Resetting Prefix Policy, OK!
    Resetting Proxy Neighbor, OK!
    Resetting Route, OK!
    Resetting Site Prefix, OK!
    Resetting Subinterface, OK!
    Resetting Wakeup Pattern, OK!
    Resetting Resolve Neighbor, OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , failed.
    Access is denied.

    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Restart the computer to complete this action.



    ========= End of CMD: =========


    ========= reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules C:\Firewall.reg =========

    The operation completed successfully.



    ========= End of Reg: =========

    C:\Firewall.reg => moved successfully

    ========= netsh advfirewall reset =========

    Ok.



    ========= End of CMD: =========


    ========= netsh advfirewall set allprofiles state ON =========

    Ok.



    ========= End of CMD: =========


    ========= bitsadmin /reset /allusers =========


    BITSADMIN version 3.0
    BITS administration utility.
    (C) Copyright Microsoft Corp.

    0 out of 0 jobs canceled.


    ========= End of CMD: =========


    ========= ipconfig /flushdns =========


    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.


    ========= End of CMD: =========


    ========= RemoveProxy: =========

    "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
    "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
    "HKU\S-1-5-21-3279037863-539196515-3328088880-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
    "HKU\S-1-5-21-3279037863-539196515-3328088880-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully


    ========= End of RemoveProxy: =========

    C:\Windows\System32\Drivers\etc\hosts => moved successfully
    Hosts restored successfully.

    ========= sfc /scannow =========



    Beginning system scan. This process will take some time.



    Beginning verification phase of system scan.


    Verification 0% complete.
    Verification 1% complete.
    Verification 1% complete.
    Verification 2% complete.
    Verification 2% complete.
    Verification 3% complete.
    Verification 4% complete.
    Verification 4% complete.
    Verification 5% complete.
    Verification 5% complete.
    Verification 6% complete.
    Verification 7% complete.
    Verification 7% complete.
    Verification 8% complete.
    Verification 8% complete.
    Verification 9% complete.
    Verification 10% complete.
    Verification 10% complete.
    Verification 11% complete.
    Verification 11% complete.
    Verification 12% complete.
    Verification 12% complete.
    Verification 13% complete.
    Verification 14% complete.
    Verification 14% complete.
    Verification 15% complete.
    Verification 15% complete.
    Verification 16% complete.
    Verification 17% complete.
    Verification 17% complete.
    Verification 18% complete.
    Verification 18% complete.
    Verification 19% complete.
    Verification 20% complete.
    Verification 20% complete.
    Verification 21% complete.
    Verification 21% complete.
    Verification 22% complete.
    Verification 23% complete.
    Verification 23% complete.
    Verification 24% complete.
    Verification 24% complete.
    Verification 25% complete.
    Verification 25% complete.
    Verification 26% complete.
    Verification 27% complete.
    Verification 27% complete.
    Verification 28% complete.
    Verification 28% complete.
    Verification 29% complete.
    Verification 30% complete.
    Verification 30% complete.
    Verification 31% complete.
    Verification 31% complete.
    Verification 32% complete.
    Verification 33% complete.
    Verification 33% complete.
    Verification 34% complete.
    Verification 34% complete.
    Verification 35% complete.
    Verification 35% complete.
    Verification 36% complete.
    Verification 37% complete.
    Verification 37% complete.
    Verification 38% complete.
    Verification 38% complete.
    Verification 39% complete.
    Verification 40% complete.
    Verification 40% complete.
    Verification 41% complete.
    Verification 41% complete.
    Verification 42% complete.
    Verification 43% complete.
    Verification 43% complete.
    Verification 44% complete.
    Verification 44% complete.
    Verification 45% complete.
    Verification 46% complete.
    Verification 46% complete.
    Verification 47% complete.
    Verification 47% complete.
    Verification 48% complete.
    Verification 48% complete.
    Verification 49% complete.
    Verification 50% complete.
    Verification 50% complete.
    Verification 51% complete.
    Verification 51% complete.
    Verification 52% complete.
    Verification 53% complete.
    Verification 53% complete.
    Verification 54% complete.
    Verification 54% complete.
    Verification 55% complete.
    Verification 56% complete.
    Verification 56% complete.
    Verification 57% complete.
    Verification 57% complete.
    Verification 58% complete.
    Verification 58% complete.
    Verification 59% complete.
    Verification 60% complete.
    Verification 60% complete.
    Verification 61% complete.
    Verification 61% complete.
    Verification 62% complete.
    Verification 63% complete.
    Verification 63% complete.
    Verification 64% complete.
    Verification 64% complete.
    Verification 65% complete.
    Verification 66% complete.
    Verification 66% complete.
    Verification 67% complete.
    Verification 67% complete.
    Verification 68% complete.
    Verification 69% complete.
    Verification 69% complete.
    Verification 70% complete.
    Verification 70% complete.
    Verification 71% complete.
    Verification 71% complete.
    Verification 72% complete.
    Verification 73% complete.
    Verification 73% complete.
    Verification 74% complete.
    Verification 74% complete.
    Verification 75% complete.
    Verification 76% complete.
    Verification 76% complete.
    Verification 77% complete.
    Verification 77% complete.
    Verification 78% complete.
    Verification 79% complete.
    Verification 79% complete.
    Verification 80% complete.
    Verification 80% complete.
    Verification 81% complete.
    Verification 81% complete.
    Verification 82% complete.
    Verification 83% complete.
    Verification 83% complete.
    Verification 84% complete.
    Verification 84% complete.
    Verification 85% complete.
    Verification 86% complete.
    Verification 86% complete.
    Verification 87% complete.
    Verification 87% complete.
    Verification 88% complete.
    Verification 89% complete.
    Verification 89% complete.
    Verification 90% complete.
    Verification 90% complete.
    Verification 91% complete.
    Verification 92% complete.
    Verification 92% complete.
    Verification 93% complete.
    Verification 93% complete.
    Verification 94% complete.
    Verification 94% complete.
    Verification 95% complete.
    Verification 96% complete.
    Verification 96% complete.
    Verification 97% complete.
    Verification 97% complete.
    Verification 98% complete.
    Verification 99% complete.
    Verification 99% complete.
    Verification 100% complete.


    Windows Resource Protection found corrupt files and successfully repaired them.

    For online repairs, details are included in the CBS log file located at

    windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline

    repairs, details are included in the log file provided by the /OFFLOGFILE flag.



    ========= End of CMD: =========


    ========= DISM /Online /Cleanup-Image /CheckHealth =========


    Deployment Image Servicing and Management tool
    Version: 10.0.19041.3636

    Image Version: 10.0.19045.5247

    No component store corruption detected.
    The operation completed successfully.


    ========= End of CMD: =========


    =========== EmptyTemp: ==========

    FlushDNS => completed
    BITS transfer queue => 1048576 B
    DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 9563392 B
    Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 0 B
    Windows/system/drivers => 15028760 B
    Edge => 0 B
    Chrome => 0 B
    Firefox => 0 B
    Opera => 0 B

    Temp, IE cache, history, cookies, recent:
    Default => 0 B
    ProgramData => 0 B
    Public => 0 B
    systemprofile => 0 B
    systemprofile32 => 0 B
    LocalService => 33124 B
    NetworkService => 33124 B
    Admin => 274270437 B

    RecycleBin => 37801530 B
    EmptyTemp: => 322.1 MB temporary data Removed.

    ================================

    The system needed a reboot.

    ==== End of Fixlog 08:41:18 ====

    Search.txt
    Zipped and attached
     

    Attached Files:

  6. Oh My!

    Oh My! Malware Expert Staff Member

    Looks good, thank you.

    Now this.

    ===================================================

    Farbar Recovery Scan Tool - Run Fix Using Attached File

    --------------------
    • Download the attached file and save it in the same location as FRST.exe (for example, Desktop, USB device) <<< Important
    • Right click on FRST and select Run as administrator
    • Click Fix and once completed your computer will reboot
    • The tool will create a log on the desktop called Fixlog.txt
    • Attach the file to your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
     

    Attached Files:

  7. manilka835

    manilka835 Specialist

    Fixlog.txt is attached hereto.
     

    Attached Files:

  8. Oh My!

    Oh My! Malware Expert Staff Member

    Looks good.

    Now this please.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    CreateRestorePoint:
    CloseProcesses:
    StartPowershell:
    Set-MpPreference -OnAccessProtectionEnabled $True
    Set-MpPreference -RealTimeProtectionEnabled $True
    Set-MpPreference -AMRunningMode $Normal
    Get-MpPreference
    EndPowershell:
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    • Following automatic reboot check the system performance
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
    • System performance?
     
  9. manilka835

    manilka835 Specialist

    The contents of the file Fixlog.txt.
    Fix result of Farbar Recovery Scan Tool (x64) Version: 30-12-2024
    Ran by Admin (31-12-2024 06:26:05) Run:3
    Running from C:\Users\Admin\Desktop
    Loaded Profiles: Admin
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    CreateRestorePoint:
    CloseProcesses:
    StartPowershell:
    Set-MpPreference -OnAccessProtectionEnabled $True
    Set-MpPreference -RealTimeProtectionEnabled $True
    Set-MpPreference -AMRunningMode $Normal
    Get-MpPreference
    EndPowershell:
    End::
    *****************

    Restore point was successfully created.
    Processes closed successfully.

    ========= Powershell: =========

    Set-MpPreference : A parameter cannot be found that matches parameter name 'OnAccessProtectionEnabled'.
    At C:\FRST\tmp000.ps1:1 char:18
    + Set-MpPreference -OnAccessProtectionEnabled $True
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Set-MpPreference], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Set-MpPreference

    Set-MpPreference : A parameter cannot be found that matches parameter name 'RealTimeProtectionEnabled'.
    At C:\FRST\tmp000.ps1:2 char:18
    + Set-MpPreference -RealTimeProtectionEnabled $True
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Set-MpPreference], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Set-MpPreference

    Set-MpPreference : A parameter cannot be found that matches parameter name 'AMRunningMode'.
    At C:\FRST\tmp000.ps1:3 char:18
    + Set-MpPreference -AMRunningMode $Normal
    + ~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Set-MpPreference], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Set-MpPreference

    Get-MpPreference : Operation failed with the following error: 0x%1!x!
    At C:\FRST\tmp000.ps1:4 char:1
    + Get-MpPreference
    + ~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Get-MpPreference],
    CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Get-MpPreference


    ========= End of Powershell: =========



    The system needed a reboot.

    ==== End of Fixlog 06:27:09 ====

    System performance: better, as it is faster.
    Malwarebytes Anti-Malware took less time (less than 2 minutes) than the previous scans (5 minutes).
     
  10. Oh My!

    Oh My! Malware Expert Staff Member

    Glad it is running better.

    Please do this.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    StartPowershell:
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Set-MpPreference -DisableRealtimeMonitoring $false
    Get-MpPreference
    EndPowershell:
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
     
  11. manilka835

    manilka835 Specialist

    The contents of the file Fixlog.txt
    Fix result of Farbar Recovery Scan Tool (x64) Version: 30-12-2024
    Ran by Admin (31-12-2024 08:12:25) Run:4
    Running from C:\Users\Admin\Desktop
    Loaded Profiles: Admin
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    StartPowershell:
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Set-MpPreference -DisableRealtimeMonitoring $false
    Get-MpPreference
    EndPowershell:
    End::
    *****************


    ========= Powershell: =========

    Set-MpPreference : Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference. Target:
    EnableControlledFolderAccess.
    At C:\FRST\tmp000.ps1:1 char:1
    + Set-MpPreference -EnableControlledFolderAccess Enabled
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Set-MpPreference],
    CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference

    Set-MpPreference : Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference. Target:
    DisableRealtimeMonitoring.
    At C:\FRST\tmp000.ps1:2 char:1
    + Set-MpPreference -DisableRealtimeMonitoring $false
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Set-MpPreference],
    CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference

    Get-MpPreference : Operation failed with the following error: 0x%1!x!
    At C:\FRST\tmp000.ps1:3 char:1
    + Get-MpPreference
    + ~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Get-MpPreference],
    CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Get-MpPreference


    ========= End of Powershell: =========


    ==== End of Fixlog 08:12:34 ====
     
  12. Oh My!

    Oh My! Malware Expert Staff Member

    I think there is a Malwarebytes setting restricting Windows Defender.

    Please do this.

    ===================================================

    Running Malwarebytes Premium in Side-by-Side Mode

    --------------------

    • Click Start, type Malwarebytes, then select Run as administrator
    • Click Settings
    • Under Windows Security Center turn off Always register Malwarebytes in the Windows Security Center
    • If the setting is already off stop and let me know
    • Close Malwarebytes then reboot your computer
    • Rerun the Fixlist from Post #10
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Malwarebytes setting changed?
    • Fixlog
     
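The fixlists in posts #4, #8 and #10 above all circle the same question: is Windows Defender switched off by a registry or policy "Restriction", or is it merely dormant because another product is registered in Windows Security Center (the 0x800106ba errors)? The script below is an added example, not code from the thread or from FRST; it audits exactly those items read-only. It assumes Windows 10/11 with the Defender PowerShell module present and an elevated session.

```powershell
# Added example (not from the thread): read-only audit of the Defender state the
# FRST fixlists above act on. Run from an elevated PowerShell on Windows 10/11.

function Get-DefenderRestrictionReport {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Registry values FRST reported as "Restriction". A non-zero value turns
    #    Defender off; on a home PC they are normally absent or 0.
    $valueChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';          Name = 'DisableAntiSpyware' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';          Name = 'DisableAntiVirus' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiVirus' }
    )
    foreach ($c in $valueChecks) {
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $v -and $v -ne 0) {
            $findings.Add("$($c.Path)\$($c.Name) = $v (Defender disabled by registry/policy)")
        }
    }

    # 2. Browser policy keys FRST flagged on this machine. Unmanaged home systems
    #    normally have none of these, so their presence is worth a look.
    $policyKeys = @(
        'HKLM:\SOFTWARE\Policies\Mozilla\Firefox',
        'HKLM:\SOFTWARE\Policies\Google',
        'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    )
    foreach ($k in $policyKeys) {
        if (Test-Path -Path $k) {
            $n = (Get-ChildItem -Path $k -Recurse -ErrorAction SilentlyContinue | Measure-Object).Count
            $findings.Add("$k exists ($n subkeys) - browser policy restriction present")
        }
    }

    # 3. Live Defender status. These cmdlets fail with HRESULT 0x800106ba when the
    #    Defender service is not running, which is what the failed fixlists hit.
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        if (-not $s.AntivirusEnabled)          { $findings.Add('AntivirusEnabled = False') }
        if (-not $s.RealTimeProtectionEnabled) { $findings.Add('RealTimeProtectionEnabled = False') }
        if (-not $s.IsTamperProtected)         { $findings.Add('IsTamperProtected = False (tamper protection off)') }
        if ($s.AMRunningMode -ne 'Normal') {
            $findings.Add("AMRunningMode = $($s.AMRunningMode) (another AV registered in Security Center?)")
        }
        $p = Get-MpPreference -ErrorAction Stop
        if ($p.DisableRealtimeMonitoring) { $findings.Add('DisableRealtimeMonitoring = True') }
        if ($p.ExclusionPath) {
            # Exclusions are a common place for unwanted software to hide; list them for review.
            $findings.Add("ExclusionPath = $($p.ExclusionPath -join ', ') (review each entry)")
        }
    }
    catch {
        $findings.Add("Defender cmdlets failed: $($_.Exception.Message) - service stopped or another AV is the registered provider")
    }

    # 4. Products registered with Windows Security Center. A third-party AV listed
    #    here puts Defender into passive/disabled mode on client Windows, which is
    #    the Malwarebytes setting the expert asks about in post #12.
    $avs = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($a in $avs) {
        $findings.Add(("WSC AntiVirusProduct: {0} (productState 0x{1:X6})" -f $a.displayName, $a.productState))
    }

    return $findings
}

Get-DefenderRestrictionReport | ForEach-Object { Write-Output $_ }
```

An empty report means none of the restrictions FRST flagged are present and Defender reports itself active; a "Defender cmdlets failed" line with 0x800106ba alongside a third-party WSC entry points at the Security Center registration rather than at a policy.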
  13. manilka835

    manilka835 Specialist

    Under Windows Security Center, "Always register Malwarebytes in the Windows Security Center" was turned off.

    The contents of the file Fixlog.txt

    Fix result of Farbar Recovery Scan Tool (x64) Version: 30-12-2024
    Ran by Admin (31-12-2024 17:08:26) Run:5
    Running from C:\Users\Admin\Desktop
    Loaded Profiles: Admin
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    StartPowershell:
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Set-MpPreference -DisableRealtimeMonitoring $false
    Get-MpPreference
    EndPowershell:
    End::
    *****************


    ========= Powershell: =========



    AllowDatagramProcessingOnWinServer : False
    AllowNetworkProtectionDownLevel : False
    AllowNetworkProtectionOnWinServer : False
    AllowSwitchToAsyncInspection : True
    ApplyDisableNetworkScanningToIOAV : False
    AttackSurfaceReductionOnlyExclusions :
    AttackSurfaceReductionRules_Actions :
    AttackSurfaceReductionRules_Ids :
    AttackSurfaceReductionRules_RuleSpecificExclusions :
    AttackSurfaceReductionRules_RuleSpecificExclusions_Id :
    BruteForceProtectionAggressiveness : 0
    BruteForceProtectionConfiguredState : 0
    BruteForceProtectionExclusions :
    BruteForceProtectionLocalNetworkBlocking : False
    BruteForceProtectionMaxBlockTime : 0
    BruteForceProtectionSkipLearningPeriod : False
    CheckForSignaturesBeforeRunningScan : False
    CloudBlockLevel : 0
    CloudExtendedTimeout : 0
    ComputerID : A5A8D24A-F726-4DC1-8571-4C84FE01A82B
    ControlledFolderAccessAllowedApplications :
    ControlledFolderAccessDefaultProtectedFolders : {C:\Users\Admin\Documents, C:\Users\Public\Documents,
    C:\Users\Admin\Pictures, C:\Users\Public\Pictures...}
    ControlledFolderAccessProtectedFolders :
    DefinitionUpdatesChannel : 0
    DisableArchiveScanning : False
    DisableAutoExclusions : False
    DisableBehaviorMonitoring : False
    DisableBlockAtFirstSeen : False
    DisableCacheMaintenance : False
    DisableCatchupFullScan : True
    DisableCatchupQuickScan : True
    DisableCoreServiceECSIntegration : False
    DisableCoreServiceTelemetry : False
    DisableCpuThrottleOnIdleScans : True
    DisableDatagramProcessing : False
    DisableDnsOverTcpParsing : False
    DisableDnsParsing : False
    DisableEmailScanning : True
    DisableFtpParsing : False
    DisableGradualRelease : False
    DisableHttpParsing : False
    DisableInboundConnectionFiltering : False
    DisableIOAVProtection : False
    DisableNetworkProtectionPerfTelemetry : False
    DisablePrivacyMode : False
    DisableQuicParsing : True
    DisableRdpParsing : False
    DisableRealtimeMonitoring : False
    DisableRemovableDriveScanning : True
    DisableRestorePoint : True
    DisableScanningMappedNetworkDrivesForFullScan : True
    DisableScanningNetworkFiles : False
    DisableScriptScanning : False
    DisableSmtpParsing : False
    DisableSshParsing : False
    DisableTamperProtection : True
    DisableTlsParsing : False
    EnableControlledFolderAccess : 1
    EnableConvertWarnToBlock : False
    EnableDnsSinkhole : True
    EnableEcsConfiguration : False
    EnableFileHashComputation : False
    EnableFullScanOnBatteryPower : False
    EnableLowCpuPriority : False
    EnableNetworkProtection : 0
    EnableUdpReceiveOffload : False
    EnableUdpSegmentationOffload : False
    EngineUpdatesChannel : 0
    ExclusionExtension :
    ExclusionIpAddress :
    ExclusionPath : {C:\Windows\Temp\files, F:\OInstall.exe}
    ExclusionProcess :
    ForceUseProxyOnly : False
    HideExclusionsFromLocalUsers : True
    HighThreatDefaultAction : 0
    IntelTDTEnabled :
    LowThreatDefaultAction : 0
    MAPSReporting : 0
    MeteredConnectionUpdates : False
    ModerateThreatDefaultAction : 0
    NetworkProtectionReputationMode : 0
    OobeEnableRtpAndSigUpdate : False
    PerformanceModeStatus : 1
    PlatformUpdatesChannel : 0
    ProxyBypass :
    ProxyPacUrl :
    ProxyServer :
    PUAProtection : 0
    QuarantinePurgeItemsAfterDelay : 90
    QuickScanIncludeExclusions : 0
    RandomizeScheduleTaskTimes : True
    RealTimeScanDirection : 0
    RemediationScheduleDay : 0
    RemediationScheduleTime : 02:00:00
    RemoteEncryptionProtectionAggressiveness : 0
    RemoteEncryptionProtectionConfiguredState : 0
    RemoteEncryptionProtectionExclusions :
    RemoteEncryptionProtectionMaxBlockTime : 0
    RemoveScanningThreadPoolCap : False
    ReportDynamicSignatureDroppedEvent : False
    ReportingAdditionalActionTimeOut : 10080
    ReportingCriticalFailureTimeOut : 10080
    ReportingNonCriticalTimeOut : 1440
    ScanAvgCPULoadFactor : 50
    ScanOnlyIfIdleEnabled : True
    ScanParameters : 1
    ScanPurgeItemsAfterDelay : 15
    ScanScheduleDay : 0
    ScanScheduleOffset : 120
    ScanScheduleQuickScanTime : 00:00:00
    ScanScheduleTime : 02:00:00
    SchedulerRandomizationTime : 4
    ServiceHealthReportInterval : 60
    SevereThreatDefaultAction : 0
    SharedSignaturesPath :
    SharedSignaturesPathUpdateAtScheduledTimeOnly : False
    SignatureAuGracePeriod : 0
    SignatureBlobFileSharesSources :
    SignatureBlobUpdateInterval : 60
    SignatureDefinitionUpdateFileSharesSources :
    SignatureDisableUpdateOnStartupWithoutEngine : False
    SignatureFallbackOrder : MicrosoftUpdateServer|MMPC
    SignatureFirstAuGracePeriod : 120
    SignatureScheduleDay : 8
    SignatureScheduleTime : 01:45:00
    SignatureUpdateCatchupInterval : 1
    SignatureUpdateInterval : 0
    SubmitSamplesConsent : 1
    ThreatIDDefaultAction_Actions :
    ThreatIDDefaultAction_Ids :
    ThrottleForScheduledScanOnly : True
    TrustLabelProtectionStatus : 0
    UILockdown : False
    UnknownThreatDefaultAction : 0
    PSComputerName :




    ========= End of Powershell: =========


    ==== End of Fixlog 17:08:39 ====
     
  14. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you.

    Please run this.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    Powershell: Get-MpComputerStatus
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
     
  15. manilka835

    manilka835 Specialist

    The contents of the file Fixlog.txt
    Fix result of Farbar Recovery Scan Tool (x64) Version: 30-12-2024
    Ran by Admin (01-01-2025 18:40:03) Run:6
    Running from C:\Users\Admin\Desktop
    Loaded Profiles: Admin
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    Powershell: Get-MpComputerStatus
    End::
    *****************


    ========= Get-MpComputerStatus =========



    AMEngineVersion : 1.1.24090.11
    AMProductVersion : 4.18.24090.11
    AMRunningMode : Normal
    AMServiceEnabled : True
    AMServiceVersion : 4.18.24090.11
    AntispywareEnabled : True
    AntispywareSignatureAge : 4
    AntispywareSignatureLastUpdated : 28/12/2024 13:34:42
    AntispywareSignatureVersion : 1.421.1064.0
    AntivirusEnabled : True
    AntivirusSignatureAge : 4
    AntivirusSignatureLastUpdated : 28/12/2024 13:34:39
    AntivirusSignatureVersion : 1.421.1064.0
    BehaviorMonitorEnabled : True
    ComputerID : A5A8D24A-F726-4DC1-8571-4C84FE01A82B
    ComputerState : 0
    DefenderSignaturesOutOfDate : False
    DeviceControlDefaultEnforcement :
    DeviceControlPoliciesLastUpdated : 01/01/1601 05:30:00
    DeviceControlState : Disabled
    FullScanAge : 4294967295
    FullScanEndTime :
    FullScanOverdue : False
    FullScanRequired : False
    FullScanSignatureVersion :
    FullScanStartTime :
    InitializationProgress : ServiceStartedSuccessfully
    IoavProtectionEnabled : True
    IsTamperProtected : False
    IsVirtualMachine : False
    LastFullScanSource : 0
    LastQuickScanSource : 2
    NISEnabled : True
    NISEngineVersion : 1.1.24090.11
    NISSignatureAge : 4
    NISSignatureLastUpdated : 28/12/2024 13:34:39
    NISSignatureVersion : 1.421.1064.0
    OnAccessProtectionEnabled : True
    ProductStatus : 524288
    QuickScanAge : 22
    QuickScanEndTime : 09/12/2024 18:56:59
    QuickScanOverdue : False
    QuickScanSignatureVersion : 1.421.693.0
    QuickScanStartTime : 09/12/2024 18:56:17
    RealTimeProtectionEnabled : True
    RealTimeScanDirection : 0
    RebootRequired : False
    SmartAppControlExpiration :
    SmartAppControlState : Off
    TamperProtectionSource : UI
    TDTCapable : Supported
    TDTMode : rsw
    TDTSiloType : E
    TDTStatus : Enabled
    TDTTelemetry : Disabled
    TroubleShootingDailyMaxQuota :
    TroubleShootingDailyQuotaLeft :
    TroubleShootingEndTime :
    TroubleShootingExpirationLeft :
    TroubleShootingMode :
    TroubleShootingModeSource :
    TroubleShootingQuotaResetTime :
    TroubleShootingStartTime :
    PSComputerName :




    ========= End of Powershell: =========


    ==== End of Fixlog 18:40:39 ====
     
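    For anyone reading a Get-MpComputerStatus / Get-MpPreference dump like the ones posted above, here is an added PowerShell check (my own example, not FRST's or the thread's code) that flags the settings a reviewer usually double-checks; the sample objects are constructed from values posted in this thread, and the Test-DefenderPosture function name and 7-day signature threshold are my own choices.

```powershell
# Added example (not FRST's or the thread's code): review Defender status and
# preference objects for settings a reviewer usually double-checks.
function Test-DefenderPosture {
    param(
        [Parameter(Mandatory)] $Status,      # shaped like Get-MpComputerStatus output
        [Parameter(Mandatory)] $Preference   # shaped like Get-MpPreference output
    )
    $findings = @()
    if (-not $Status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    if (-not $Status.IsTamperProtected -or $Preference.DisableTamperProtection) {
        $findings += 'Tamper protection is off: local admin code can change these settings'
    }
    if ($Status.AntivirusSignatureAge -gt 7) {   # 7-day threshold is this example's choice
        $findings += "Antivirus signatures are $($Status.AntivirusSignatureAge) days old"
    }
    # 4294967295 is the age reported when no full scan has ever completed (FullScanStartTime empty)
    if ($Status.FullScanAge -eq 4294967295) { $findings += 'No full scan has ever completed' }
    if ($Preference.MAPSReporting -eq 0) { $findings += 'Cloud-delivered protection (MAPS) is off' }
    if ($Preference.PUAProtection -eq 0) { $findings += 'Potentially unwanted app protection is off' }
    if ($Preference.DisableRestorePoint) { $findings += 'Restore point before remediation is disabled' }
    foreach ($p in @($Preference.ExclusionPath)) {
        if ($p) { $findings += "Exclusion path present: $p (confirm it is still needed)" }
    }
    return ,$findings
}

# Constructed sample objects mirroring the values posted in this thread; on a live
# Windows host the cmdlets themselves are used instead (see the branch below).
$sampleStatus = [pscustomobject]@{
    RealTimeProtectionEnabled = $true
    IsTamperProtected         = $false
    AntivirusSignatureAge     = 4
    FullScanAge               = 4294967295
}
$samplePref = [pscustomobject]@{
    DisableTamperProtection = $true
    MAPSReporting           = 0
    PUAProtection           = 0
    DisableRestorePoint     = $true
    ExclusionPath           = @('C:\Windows\Temp\files', 'F:\OInstall.exe')
}
$findings = if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    Test-DefenderPosture -Status (Get-MpComputerStatus) -Preference (Get-MpPreference)
} else {
    Test-DefenderPosture -Status $sampleStatus -Preference $samplePref
}
$findings | ForEach-Object { Write-Output "[!] $_" }
```

Run from an elevated PowerShell prompt on the machine; each line of output is a setting to review, not a verdict that the machine is infected.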
  16. Oh My!

    Oh My! Malware Expert Staff Member

    Very nice.

    I think we are all set unless you have any other questions or issues.
     
  17. manilka835

    manilka835 Specialist

    There was a complaint that this Computer was slow and took a long time to boot. We thought that it was due to a corruption of the OS. It seems now that it was due to the old nature of the Computer.

    Thank You for your time and effort.

    Till you hear from me, may you experience the best of life.

    This is Yours Truly signing off.

    Dr. K.D.J.H. Manilka Jayawardena,
    Medical Officer of Health,
    Katana.
    Proud to be a Sri Lankan!
     
  18. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you and Happy New Year.
     
  19. manilka835

    manilka835 Specialist

    I Wish You the same!
     
