#22
January 17th, 2021, 06:49 PM
Han Solo
Senior Member
Join Date: Jun 2005
Posts: 134
Question: should I be running these three steps in Safe Mode or full Windows?

I had booted back into Safe Mode after the last blue screen and didn't think of it, but the last 2 times I ran FRST were in full Windows, so I ran step 1 in Safe Mode.

Please advise whether I should continue with steps 2 & 3 in full Windows and repeat step 1 in full Windows, or reboot into Safe Mode and continue with steps 2 & 3.

After FRST ran, I got a message that a file in Chrome, I think, was corrupted and that it would run chkdsk after reboot. It rebooted fine, but I got 2 dialog box messages from ProtonVPN. The first message advised that the application is missing a required file and to repair the installation by hitting the "repair" button. The second message advised that a service required for the VPN connection seems disabled and to enable it by hitting the "enable" button.

Should I do these two things for ProtonVPN and then continue in full Windows and redo step 1 in full Windows, or go to Safe Mode and continue? Or should I skip both ProtonVPN messages and continue in full Windows and redo step 1 in full Windows, or go to Safe Mode and continue?

I only poked around a little. Full Windows seems OK, but I have kept activity to a minimum to avoid another blue screen.

Thank you, Hans

Here is what I have so far:

Fix result of Farbar Recovery Scan Tool (x64) Version: 17-01-2021
Ran by Hans (17-01-2021 09:57:23) Run:1
Running from C:\Users\Hans\Desktop
Loaded Profiles: Hans
Boot Mode: Safe Mode (with Networking)
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:

GroupPolicy: Restriction - Chrome <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
SearchScopes: HKLM -> DefaultScope {49606DC7-976D-4030-A74E-9FB5C842FA68} URL =
SearchScopes: HKLM-x32 -> DefaultScope {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
AlternateDataStreams: C:\ProgramData\Temp:5C321E34 [125]
ShortcutWithArgument: C:\Users\Hans\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Oriental Weather.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC) -> --profile-directory=Default --app-id=mbkkhmpidoemedicppkhfklljppccaan
FirewallRules: [{559A8DCE-8B1D-4FA1-842E-4A6054CA33D5}] => (Allow) C:\Users\Hans\AppData\Local\Microsoft\SkyDrive\Sky Drive.exe => No File
FirewallRules: [TCP Query User{684394E7-EA52-4B35-925A-8623013DC1E4}C:\programdata\windows genuine advantage\{3b9287ed-7546-40fa-a463-441bd82ddf2d}\msiexec.exe] => (Block) C:\programdata\windows genuine advantage\{3b9287ed-7546-40fa-a463-441bd82ddf2d}\msiexec.exe => No File
FirewallRules: [UDP Query User{41DA95D7-A999-4945-8E1C-72BF6A147B78}C:\programdata\windows genuine advantage\{3b9287ed-7546-40fa-a463-441bd82ddf2d}\msiexec.exe] => (Block) C:\programdata\windows genuine advantage\{3b9287ed-7546-40fa-a463-441bd82ddf2d}\msiexec.exe => No File
FirewallRules: [TCP Query User{2A65CE14-3731-406C-8473-13AC8646D02C}C:\programdata\windows genuine advantage\{ec51d003-ed16-4d7a-a15e-c06a631419ca}\msiexec.exe] => (Block) C:\programdata\windows genuine advantage\{ec51d003-ed16-4d7a-a15e-c06a631419ca}\msiexec.exe => No File
FirewallRules: [UDP Query User{F338DE2E-04AD-4594-9CD1-123AED2AD808}C:\programdata\windows genuine advantage\{ec51d003-ed16-4d7a-a15e-c06a631419ca}\msiexec.exe] => (Block) C:\programdata\windows genuine advantage\{ec51d003-ed16-4d7a-a15e-c06a631419ca}\msiexec.exe => No File
FirewallRules: [TCP Query User{CE46814A-1516-4E06-B8C3-D663FEEBC10F}C:\programdata\windows genuine advantage\{307b09d4-4088-4cb6-b65f-fce619322b50}\msiexec.exe] => (Block) C:\programdata\windows genuine advantage\{307b09d4-4088-4cb6-b65f-fce619322b50}\msiexec.exe => No File
FirewallRules: [UDP Query User{641D4311-0D04-44DC-BE58-A5E229FF4075}C:\programdata\windows genuine advantage\{307b09d4-4088-4cb6-b65f-fce619322b50}\msiexec.exe] => (Block) C:\programdata\windows genuine advantage\{307b09d4-4088-4cb6-b65f-fce619322b50}\msiexec.exe => No File
Task: {F15BA0EF-5B72-42B2-B343-928E8E85294F} - System32\Tasks\ProtonVPN Update => C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPN.UpdateService.exe [61760 2020-10-06] (ProtonVPN AG -> )
CHR DefaultSearchURL: Default -> hxxps://vortex.accuweather.com/adc2010/images/favicons/awx-2013-master.ico
CHR DownloadDir: N:\
CHR Extension: (VPN Free - Betternet Unlimited VPN Proxy) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjknjjomckknofjidppipffbpo ekiipm [2020-10-18]
CHR Extension: (Hola Free VPN Proxy Unblocker - Best VPN) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfb nlmeio [2021-01-12]
CHR Extension: (Windscribe - Free Proxy and Ad Blocker) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnmpcagpplmpfojmgmnngilcna nddlhb [2021-01-06]
CHR Extension: (Free VPN Proxy Unlimited VPN) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\mojliakllambnopeaalgddbiip ohdgol [2020-12-16]
CHR Extension: (Hotspot Shield Free VPN Proxy - Unlimited VPN) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlbejmccbhkncgokjcmghpfloa ajcffj [2020-10-18]
CHR Extension: (TunnelBear VPN) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\omdakjcmkglenbhjadbccaookp fjihpa [2021-01-06]
CHR Extension: (Browsec VPN - Free VPN for Chrome) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\omghfjlpggmjjaagoclmmobgdo dcjboh [2021-01-06]
CHR Extension: (SetupVPN - Lifetime Free VPN) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\oofgbpoabipfcfjapgnbbjjaen ockbdp [2020-10-18]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl]
R2 NOBU; C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2823000 2010-08-25] (Symantec Corporation -> Dell, Inc.)
R3 ProtonVPN Service; C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPNService.exe [99136 2020-10-06] (ProtonVPN AG -> )
R3 ProtonVPN Update Service; C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPN.UpdateService.exe [61760 2020-10-06] (ProtonVPN AG -> )
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S3 ProtonVPNSplitTunnel; C:\Program Files (x86)\Proton Technologies\ProtonVPN\x64\Win7\ProtonVPN.SplitTun nelDriver.sys [22456 2020-08-19] (ProtonVPN AG -> Proton Technologies AG)
R3 tapprotonvpn; C:\Windows\System32\DRIVERS\tapprotonvpn.sys [39864 2020-08-19] (ProtonVPN AG -> The OpenVPN Project)
C:\Users\Hans\AppData\Roaming\DECRYPT_INSTRUCTION. URL
C:\Users\Hans\AppData\Roaming\Microsoft\DECRYPT_IN STRUCTION.URL
C:\Users\Hans\AppData\Local\DECRYPT_INSTRUCTION.UR L
WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"BVTConsumer\"", Fi lter="__EventFilter.Name=\"BVTFilter\"::
WMI:subscription\__EventFilter->BVTFilter::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99]
WMI:subscription\CommandLineEventConsumer->BVTConsumer::[CommandLineTemplate => cscript KernCap.vbs][WorkingDirectory => C:\\tools\\kernrate]


cmd: net stop cryptSvc
cmd: ren C:\Windows\System32\catroot2 Catroot2.old
cmd: net start cryptSvc


CMD: bitsadmin /reset /allusers
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: Removeproxy
EmptyTemp:
Hosts:
Reboot:
End
*****************

Error: Restore point can only be created in normal mode.
Processes closed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
C:\ProgramData\NTUSER.pol => moved successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68} => removed successfully
C:\ProgramData\Temp => ":5C321E34" ADS removed successfully
C:\Users\Hans\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Oriental Weather.lnk => Shortcut argument removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{559A8DCE-8B1D-4FA1-842E-4A6054CA33D5}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{684394E7-EA52-4B35-925A-8623013DC1E4}C:\programdata\windows genuine advantage\{3b9287ed-7546-40fa-a463-441bd82ddf2d}\msiexec.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{41DA95D7-A999-4945-8E1C-72BF6A147B78}C:\programdata\windows genuine advantage\{3b9287ed-7546-40fa-a463-441bd82ddf2d}\msiexec.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{2A65CE14-3731-406C-8473-13AC8646D02C}C:\programdata\windows genuine advantage\{ec51d003-ed16-4d7a-a15e-c06a631419ca}\msiexec.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{F338DE2E-04AD-4594-9CD1-123AED2AD808}C:\programdata\windows genuine advantage\{ec51d003-ed16-4d7a-a15e-c06a631419ca}\msiexec.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{CE46814A-1516-4E06-B8C3-D663FEEBC10F}C:\programdata\windows genuine advantage\{307b09d4-4088-4cb6-b65f-fce619322b50}\msiexec.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{641D4311-0D04-44DC-BE58-A5E229FF4075}C:\programdata\windows genuine advantage\{307b09d4-4088-4cb6-b65f-fce619322b50}\msiexec.exe" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F15BA0EF-5B72-42B2-B343-928E8E85294F}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F15BA0EF-5B72-42B2-B343-928E8E85294F}" => removed successfully
C:\Windows\System32\Tasks\ProtonVPN Update => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProtonVPN Update" => removed successfully
"Chrome DefaultSearchURL" => removed successfully
CHR DownloadDir: N:\ => Error: No automatic fix found for this entry.
CHR Extension: (VPN Free - Betternet Unlimited VPN Proxy) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjknjjomckknofjidppipffbpo ekiipm [2020-10-18] => Error: No automatic fix found for this entry.
CHR Extension: (Hola Free VPN Proxy Unblocker - Best VPN) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfb nlmeio [2021-01-12] => Error: No automatic fix found for this entry.
CHR Extension: (Windscribe - Free Proxy and Ad Blocker) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnmpcagpplmpfojmgmnngilcna nddlhb [2021-01-06] => Error: No automatic fix found for this entry.
CHR Extension: (Free VPN Proxy Unlimited VPN) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\mojliakllambnopeaalgddbiip ohdgol [2020-12-16] => Error: No automatic fix found for this entry.
CHR Extension: (Hotspot Shield Free VPN Proxy - Unlimited VPN) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlbejmccbhkncgokjcmghpfloa ajcffj [2020-10-18] => Error: No automatic fix found for this entry.
CHR Extension: (TunnelBear VPN) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\omdakjcmkglenbhjadbccaookp fjihpa [2021-01-06] => Error: No automatic fix found for this entry.
CHR Extension: (Browsec VPN - Free VPN for Chrome) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\omghfjlpggmjjaagoclmmobgdo dcjboh [2021-01-06] => Error: No automatic fix found for this entry.
CHR Extension: (SetupVPN - Lifetime Free VPN) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\oofgbpoabipfcfjapgnbbjjaen ockbdp [2020-10-18] => Error: No automatic fix found for this entry.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj => removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl => removed successfully
HKLM\System\CurrentControlSet\Services\NOBU => removed successfully
NOBU => service removed successfully
HKLM\System\CurrentControlSet\Services\ProtonVPN Service => removed successfully
ProtonVPN Service => service removed successfully
HKLM\System\CurrentControlSet\Services\ProtonVPN Update Service => removed successfully
ProtonVPN Update Service => service removed successfully
HKLM\System\CurrentControlSet\Services\AppMgmt => removed successfully
AppMgmt => service removed successfully
HKLM\System\CurrentControlSet\Services\ProtonVPNSplitTunnel => removed successfully
ProtonVPNSplitTunnel => service removed successfully
tapprotonvpn => Unable to stop service.
HKLM\System\CurrentControlSet\Services\tapprotonvpn => removed successfully
tapprotonvpn => service removed successfully
"C:\Users\Hans\AppData\Roaming\DECRYPT_INSTRUCTION . URL" => not found
"C:\Users\Hans\AppData\Roaming\Microsoft\DECRYPT_I N STRUCTION.URL" => not found
"C:\Users\Hans\AppData\Local\DECRYPT_INSTRUCTION.U R L" => not found
"CommandLineEventConsumer.Name=\"BVTConsumer\" ", Fi lter="__EventFilter.Name=\"BVTFilter\"" => not found
"BVTFilter" => removed successfully
"BVTConsumer" => removed successfully

========= net stop cryptSvc =========

The Cryptographic Services service is stopping..
The Cryptographic Services service was stopped successfully.


========= End of CMD: =========


========= ren C:\Windows\System32\catroot2 Catroot2.old =========


========= End of CMD: =========


========= net start cryptSvc =========

The Cryptographic Services service is starting.
The Cryptographic Services service was started successfully.


========= End of CMD: =========


========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to connect to BITS - 0x8007042c
The dependency service or group failed to start.



========= End of CMD: =========


========= netsh advfirewall reset =========

Ok.


========= End of CMD: =========


========= netsh advfirewall set allprofiles state ON =========

Ok.


========= End of CMD: =========


========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= Removeproxy =========

'Removeproxy' is not recognized as an internal or external command,
operable program or batch file.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 88930983 B
Java, Flash, Steam htmlcache => 612 B
Windows/system/drivers => 51327725 B
Edge => 0 B
Chrome => 615553943 B
Brave => 0 B
Firefox => 112710451 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 66228 B
Public => 66228 B
ProgramData => 66228 B
systemprofile => 166968 B
systemprofile32 => 287959 B
LocalService => 287959 B
NetworkService => 55828657 B
Hans => 561982860 B

RecycleBin => 26277204042 B
EmptyTemp: => 25.9 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 10:00:15 ====