  #21  
Old January 17th, 2021, 01:54 PM
olgun52
Malware Removal Team
 
Join Date: Feb 2014
O/S: Windows 10 Pro
Location: Europa
Posts: 2,066
Hi Hans
Step 1:
Run FRST fixlist
  • Please open notepad (Start > All Programs > Accessories > Notepad)
  • Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
  • Save it to the Desktop, and name it: fixlist.txt
-----------------------------------------------------
Start
CreateRestorePoint:
CloseProcesses:

GroupPolicy: Restriction - Chrome <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
SearchScopes: HKLM -> DefaultScope {49606DC7-976D-4030-A74E-9FB5C842FA68} URL =
SearchScopes: HKLM-x32 -> DefaultScope {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
AlternateDataStreams: C:\ProgramData\Temp:5C321E34 [125]
ShortcutWithArgument: C:\Users\Hans\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Oriental Weather.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC) -> --profile-directory=Default --app-id=mbkkhmpidoemedicppkhfklljppccaan
FirewallRules: [{559A8DCE-8B1D-4FA1-842E-4A6054CA33D5}] => (Allow) C:\Users\Hans\AppData\Local\Microsoft\SkyDrive\Sky Drive.exe => No File
FirewallRules: [TCP Query User{684394E7-EA52-4B35-925A-8623013DC1E4}C:\programdata\windows genuine advantage\{3b9287ed-7546-40fa-a463-441bd82ddf2d}\msiexec.exe] => (Block) C:\programdata\windows genuine advantage\{3b9287ed-7546-40fa-a463-441bd82ddf2d}\msiexec.exe => No File
FirewallRules: [UDP Query User{41DA95D7-A999-4945-8E1C-72BF6A147B78}C:\programdata\windows genuine advantage\{3b9287ed-7546-40fa-a463-441bd82ddf2d}\msiexec.exe] => (Block) C:\programdata\windows genuine advantage\{3b9287ed-7546-40fa-a463-441bd82ddf2d}\msiexec.exe => No File
FirewallRules: [TCP Query User{2A65CE14-3731-406C-8473-13AC8646D02C}C:\programdata\windows genuine advantage\{ec51d003-ed16-4d7a-a15e-c06a631419ca}\msiexec.exe] => (Block) C:\programdata\windows genuine advantage\{ec51d003-ed16-4d7a-a15e-c06a631419ca}\msiexec.exe => No File
FirewallRules: [UDP Query User{F338DE2E-04AD-4594-9CD1-123AED2AD808}C:\programdata\windows genuine advantage\{ec51d003-ed16-4d7a-a15e-c06a631419ca}\msiexec.exe] => (Block) C:\programdata\windows genuine advantage\{ec51d003-ed16-4d7a-a15e-c06a631419ca}\msiexec.exe => No File
FirewallRules: [TCP Query User{CE46814A-1516-4E06-B8C3-D663FEEBC10F}C:\programdata\windows genuine advantage\{307b09d4-4088-4cb6-b65f-fce619322b50}\msiexec.exe] => (Block) C:\programdata\windows genuine advantage\{307b09d4-4088-4cb6-b65f-fce619322b50}\msiexec.exe => No File
FirewallRules: [UDP Query User{641D4311-0D04-44DC-BE58-A5E229FF4075}C:\programdata\windows genuine advantage\{307b09d4-4088-4cb6-b65f-fce619322b50}\msiexec.exe] => (Block) C:\programdata\windows genuine advantage\{307b09d4-4088-4cb6-b65f-fce619322b50}\msiexec.exe => No File
Task: {F15BA0EF-5B72-42B2-B343-928E8E85294F} - System32\Tasks\ProtonVPN Update => C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPN.UpdateService.exe [61760 2020-10-06] (ProtonVPN AG -> )
CHR DefaultSearchURL: Default -> hxxps://vortex.accuweather.com/adc2010/images/favicons/awx-2013-master.ico
CHR DownloadDir: N:\
CHR Extension: (VPN Free - Betternet Unlimited VPN Proxy) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjknjjomckknofjidppipffbpoekiipm [2020-10-18]
CHR Extension: (Hola Free VPN Proxy Unblocker - Best VPN) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2021-01-12]
CHR Extension: (Windscribe - Free Proxy and Ad Blocker) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnmpcagpplmpfojmgmnngilcnanddlhb [2021-01-06]
CHR Extension: (Free VPN Proxy Unlimited VPN) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\mojliakllambnopeaalgddbiipohdgol [2020-12-16]
CHR Extension: (Hotspot Shield Free VPN Proxy - Unlimited VPN) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlbejmccbhkncgokjcmghpfloaajcffj [2020-10-18]
CHR Extension: (TunnelBear VPN) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\omdakjcmkglenbhjadbccaookpfjihpa [2021-01-06]
CHR Extension: (Browsec VPN - Free VPN for Chrome) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\omghfjlpggmjjaagoclmmobgdodcjboh [2021-01-06]
CHR Extension: (SetupVPN - Lifetime Free VPN) - C:\Users\Hans\AppData\Local\Google\Chrome\User Data\Default\Extensions\oofgbpoabipfcfjapgnbbjjaenockbdp [2020-10-18]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl]
R2 NOBU; C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2823000 2010-08-25] (Symantec Corporation -> Dell, Inc.)
R3 ProtonVPN Service; C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPNService.exe [99136 2020-10-06] (ProtonVPN AG -> )
R3 ProtonVPN Update Service; C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPN.UpdateService.exe [61760 2020-10-06] (ProtonVPN AG -> )
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S3 ProtonVPNSplitTunnel; C:\Program Files (x86)\Proton Technologies\ProtonVPN\x64\Win7\ProtonVPN.SplitTunnelDriver.sys [22456 2020-08-19] (ProtonVPN AG -> Proton Technologies AG)
R3 tapprotonvpn; C:\Windows\System32\DRIVERS\tapprotonvpn.sys [39864 2020-08-19] (ProtonVPN AG -> The OpenVPN Project)
C:\Users\Hans\AppData\Roaming\DECRYPT_INSTRUCTION.URL
C:\Users\Hans\AppData\Roaming\Microsoft\DECRYPT_INSTRUCTION.URL
C:\Users\Hans\AppData\Local\DECRYPT_INSTRUCTION.URL
WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"BVTConsumer\"", Filter="__EventFilter.Name=\"BVTFilter\"::
WMI:subscription\__EventFilter->BVTFilter::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99]
WMI:subscription\CommandLineEventConsumer->BVTConsumer::[CommandLineTemplate => cscript KernCap.vbs][WorkingDirectory => C:\\tools\\kernrate]


cmd: net stop cryptSvc
cmd: ren C:\Windows\System32\catroot2 Catroot2.old
cmd: net start cryptSvc


CMD: bitsadmin /reset /allusers
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
RemoveProxy:
EmptyTemp:
Hosts:
Reboot:
End
---------------------------------
NOTICE: This script is written specifically for this computer!!!
  • Running this on another computer may cause damage to the Operating System.
  • Now, please run FRST as administrator, and press the Fix button, just once, and wait.
  • When done, the tool creates a report on the Desktop called: Fixlog.txt
>> Please post the Fixlog.txt in your reply.
======================================================
Any issues?

Step 2:
AdwCleaner - Clean

Please download AdwCleaner by Xplode onto your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click Scan Now
  • When the scan has finished a Scan Results window will open.
  • Please check the following boxes and then click Quarantine
  • Click Next
    • If any pre-installed software was found on your machine, a prompt window will open ...
      • Click OK to close it
    • Check any pre-installed software items you want to remove (if they're not causing you a problem I recommend you don't select any)
    • Click Quarantine
  • A prompt to save your work will appear ...
    • Click Continue when you're ready to proceed.
  • A prompt to restart your computer will appear ...
    • Click Restart Now
  • Once your computer has restarted ...
    • If it doesn't open automatically, please start ADWCleaner ...
    • Click the Log Files tab ...
    • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
    • A Notepad file will open containing the results of the removal.
    • Please post the contents of the file in your next reply.
---------------------------------------------------
In your next reply, please include:
  • AdwCleaner[C0*].txt
Step 3:
Run Malwarebytes Anti-Malware

Download Malwarebytes Anti-Malware from here:
  • Run the program
  • Click on Scan
  • Malwarebytes will then run an update and begin the scan
  • When the scan has completed and if malware was found, click the Quarantine Selected button to allow MBAM to quarantine what was found
  • If prompted to restart the computer, close all other programs and click Yes to restart your computer
  • Once you are back at your desktop, open MBAM once more
  • Click on the ‘Reports’ tab
  • Double-click on the most recent Scan Report
  • Click on Export, then Copy to Clipboard
==============================================
Have a nice day.

Last edited by olgun52; January 17th, 2021 at 02:55 PM.
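Added example, not part of olgun52's post and not FRST's own code: a PowerShell script that re-enumerates the persistence points the fixlist above targets (the root\subscription WMI filter/consumer/binding, firewall rules whose program no longer exists, registry-pushed Chrome extensions, the AppMgmt service with no ServiceDll, and the DECRYPT_INSTRUCTION leftovers) straight from the registry and WMI, so the Fixlog can be cross-checked. It assumes the standard Windows locations for these items and the `v2.x|Action=...|App=...|Name=...|` value format Windows uses for firewall rules; the `-Remove` switch is my own addition, and the names BVTFilter / BVTConsumer are taken from the fixlist. Run it elevated in Windows PowerShell; Get-WmiObject is used so it also works on Windows 7.

```powershell
# Added example (not from olgun52's post or FRST): re-check the persistence
# points the fixlist removes. Read-only by default; -Remove (my own switch)
# deletes the named WMI subscription and any orphaned firewall rule.
[CmdletBinding()]
param([switch]$Remove)

# 1. WMI event subscriptions. The fixlist removes BVTFilter / BVTConsumer and
#    their binding; list everything so a renamed pair is not missed.
$ns = 'root\subscription'
$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
$consumers = @(Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer)
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)
'== WMI __EventFilter =='
foreach ($f in $filters)   { '  {0}: {1}' -f $f.Name, $f.Query }
'== WMI CommandLineEventConsumer =='
foreach ($c in $consumers) { '  {0}: {1} (cwd {2})' -f $c.Name, $c.CommandLineTemplate, $c.WorkingDirectory }
'== WMI __FilterToConsumerBinding =='
foreach ($b in $bindings)  { '  {0} -> {1}' -f $b.Filter, $b.Consumer }
if ($Remove) {
    # Binding first, then the filter and consumer it references.
    $bindings  | Where-Object { $_.Filter -like '*"BVTFilter"*' } | Remove-WmiObject
    $filters   | Where-Object { $_.Name -eq 'BVTFilter' }          | Remove-WmiObject
    $consumers | Where-Object { $_.Name -eq 'BVTConsumer' }        | Remove-WmiObject
}

# 2. Firewall rules whose program is gone ("=> No File" in the FRST log).
#    Each rule is one registry value: "v2.10|Action=Block|Active=TRUE|Dir=In|
#    ...|App=C:\path\app.exe|Name=...|"; the value name is what FRST prints in [].
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$meta  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
'== Firewall rules pointing at missing executables =='
foreach ($p in (Get-ItemProperty -Path $fwKey).PSObject.Properties) {
    if ($meta -contains $p.Name) { continue }           # provider metadata, not a rule
    $fields = @{}
    foreach ($tok in ([string]$p.Value -split '\|')) {
        $i = $tok.IndexOf('=')
        if ($i -gt 0) { $fields[$tok.Substring(0, $i)] = $tok.Substring($i + 1) }
    }
    if (-not $fields.ContainsKey('App') -or $fields['App'] -eq 'System') { continue }
    $exe = [Environment]::ExpandEnvironmentVariables($fields['App'])
    if (-not (Test-Path -LiteralPath $exe)) {
        '  [{0}] => ({1}) {2} => No File' -f $p.Name, $fields['Action'], $exe
        if ($Remove) { Remove-ItemProperty -Path $fwKey -Name $p.Name }
    }
}

# 3. Chrome extensions pushed through the registry (CHR HKLM-x32\...\Chrome\Extension).
'== Registry-installed Chrome extensions =='
foreach ($key in 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
                 'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions') {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem -Path $key) {
        $v = Get-ItemProperty -Path $sub.PSPath
        '  {0}  update_url={1}  path={2}' -f $sub.PSChildName, $v.update_url, $v.path
    }
}

# 4. AppMgmt is listed as "U5 ... (no ServiceDLL)": an svchost-hosted service
#    with no DLL to load is either broken or had its DLL removed.
$dll = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters' `
        -ErrorAction SilentlyContinue).ServiceDll
'== AppMgmt ServiceDll: {0} ==' -f $(if ($dll) { $dll } else { '<missing>' })

# 5. Leftover ransom notes named in the fixlist.
'== DECRYPT_INSTRUCTION files under the profile =='
Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA -Filter 'DECRYPT_INSTRUCTION.*' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { '  ' + $_.FullName }
```

Run it once before the fix to see the same entries FRST reported, and again after the reboot; anything still listed in sections 1, 2 or 5 means the fix did not take. The firewall check is deliberately broader than the fixlist: it flags every rule whose App path does not exist, not only the windows genuine advantage ones, because those are exactly the rules a later FRST scan will print as "=> No File".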