Author Topic: Re-Check Please  (Read 23793 times)


Offline hayc59

  • Voodoo Child
  • Hero Member
  • *****
  • Posts: 1459
  • Gentleman
    • View Profile
Re: Re-Check Please
« Reply #75 on: October 31, 2020, 04:30:36 PM »
Hope I got it all :)

Here is a little info... I get updates and installs from Palemoon through the program.
SpywareBlaster

9.11.01
"The most beautiful flower loses her beauty one day, but a hard faithful friend an eternity"
"Beauty that is not hidden to deepest of my soul can be seen that with eyes of the heart"

'Never Forget'


Offline hayc59

  • Voodoo Child
  • Hero Member
  • *****
  • Posts: 1459
  • Gentleman
    • View Profile
Re: Re-Check Please
« Reply #76 on: October 31, 2020, 04:31:26 PM »
icotonev, thank you for your wisdom.



Offline icotonev

  • Malware Experts
  • Full Member
  • *****
  • Posts: 50
  • Malware Removal
    • View Profile
Re: Re-Check Please
« Reply #77 on: October 31, 2020, 05:14:40 PM »
Hello! I reviewed your logs. No active infections are visible.

I see:

Quote
R1 gwdrv; C:\WINDOWS\system32\DRIVERS\gwdrv.sys [33152 2015-05-29] (GlassWire -> SecureMix LLC)
R1 hmpalert; C:\WINDOWS\system32\drivers\hmpalert.sys [445400 2020-07-05] (SurfRight B.V. -> SurfRight B.V.)

Drivers for GlassWire Firewall and HitmanPro.Alert respectively. Both are currently running (R1). Have you used this software?
Hristo Tonev (Ico)
Member of UNITE 

Offline hayc59

  • Voodoo Child
  • Hero Member
  • *****
  • Posts: 1459
  • Gentleman
    • View Profile
Re: Re-Check Please
« Reply #78 on: October 31, 2020, 05:16:23 PM »
They were removed a while ago; I'm not using them.



Offline icotonev

Re: Re-Check Please
« Reply #79 on: October 31, 2020, 05:26:15 PM »
Quote
They were removed a while ago; I'm not using them.

Apparently not completely removed! :)

And how would you explain this:

Quote
Windows Defender:
===================================
Date: 2020-10-29 14:42:40.562
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Ymacco.AB2D&threatid=2147758023&enterprise=0
Name: Trojan:Win32/Ymacco.AB2D
ID: 2147758023
Severity: Severe
Category: Trojan
Path: file:_C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$DRa4488.8800\Malwarebytes.Premium.4.1.2.73.msstdfmt\LicenseMalwareBytes.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Security intelligence Version: AV: 1.325.1644.0, AS: 1.325.1644.0, NIS: 1.325.1644.0
Engine Version: AM: 1.1.17500.4, NIS: 1.1.17500.4

Date: 2020-10-29 14:39:27.851
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Ymacco.AB2D&threatid=2147758023&enterprise=0
Name: Trojan:Win32/Ymacco.AB2D
ID: 2147758023
Severity: Severe
Category: Trojan
Path: file:_C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$EXa3416.38939\Malwarebytes.Premium.4.1.2.73.msstdfmt\LicenseMalwareBytes.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Program Files\WinRAR\WinRAR.exe
Security intelligence Version: AV: 1.325.1644.0, AS: 1.325.1644.0, NIS: 1.325.1644.0
Engine Version: AM: 1.1.17500.4, NIS: 1.1.17500.4

Date: 2020-10-29 14:38:32.632
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Ymacco.AB2D&threatid=2147758023&enterprise=0
Name: Trojan:Win32/Ymacco.AB2D
ID: 2147758023
Severity: Severe
Category: Trojan
Path: file:_C:\Users\Gordon & Nancy\Desktop\Junk\lis\LicenseMalwareBytes.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Security intelligence Version: AV: 1.325.1644.0, AS: 1.325.1644.0, NIS: 1.325.1644.0
Engine Version: AM: 1.1.17500.4, NIS: 1.1.17500.4

Date: 2020-10-29 14:37:51.586
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Ymacco.AB2D&threatid=2147758023&enterprise=0
Name: Trojan:Win32/Ymacco.AB2D
ID: 2147758023
Severity: Severe
Category: Trojan
Path: file:_C:\Users\Gordon & Nancy\Desktop\Junk\lis\LicenseMalwareBytes.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Security intelligence Version: AV: 1.325.1644.0, AS: 1.325.1644.0, NIS: 1.325.1644.0
Engine Version: AM: 1.1.17500.4, NIS: 1.1.17500.4

Date: 2020-10-29 14:37:44.324
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Ymacco.AB2D&threatid=2147758023&enterprise=0
Name: Trojan:Win32/Ymacco.AB2D
ID: 2147758023
Severity: Severe
Category: Trojan
Path: file:_C:\Users\Gordon & Nancy\Desktop\Junk\lis\LicenseMalwareBytes.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Security intelligence Version: AV: 1.325.1644.0, AS: 1.325.1644.0, NIS: 1.325.1644.0
Engine Version: AM: 1.1.17500.4, NIS: 1.1.17500.4

This looks to me like an illegal attempt to activate MalwareBytes?!
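The Defender entries quoted above come from the "Windows Defender:" section of FRST's Addition.txt, one blank-line-separated record per detection. As an added example (not code from this thread, from FRST or from Microsoft), the script below parses that layout, groups detections by threat name and flags copies that Defender caught inside a WinRAR temporary extraction folder (`%TEMP%\Rar$...`): a detection there means the file was opened straight out of an archive, and the archive itself is still on disk somewhere else. The records in `SAMPLE` are constructed in the same layout with a placeholder user name; the threat names, IDs and paths are placeholders, not real detections.

```python
"""Triage of the "Windows Defender:" detection records that FRST copies into
Addition.txt.  Added example, not code from FRST or Microsoft; SAMPLE is
constructed in the same layout with placeholder user, threat and path names."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE = """\
Windows Defender:
===================================
Date: 2020-10-29 14:42:40.562
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Example.A&threatid=2147000001&enterprise=0
Name: Trojan:Win32/Example.A
ID: 2147000001
Severity: Severe
Category: Trojan
Path: file:_C:\\Users\\user\\AppData\\Local\\Temp\\Rar$DRa1111.2222\\Product.Premium.crack\\License.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\\Windows\\explorer.exe

Date: 2020-10-29 14:37:44.324
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
Name: Trojan:Win32/Example.A
ID: 2147000001
Severity: Severe
Category: Trojan
Path: file:_C:\\Users\\user\\Desktop\\Junk\\License.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\\Windows\\explorer.exe

Date: 2020-10-28 09:12:03.001
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
Name: PUA:Win32/Example.B
ID: 2147000002
Severity: Low
Category: Potentially Unwanted Software
Path: file:_C:\\Users\\user\\Downloads\\toolbar_setup.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\\Program Files\\WinRAR\\WinRAR.exe
"""

# WinRAR extracts a member to %TEMP%\Rar$XXnnnn.nnnnn\ when it is opened from
# inside the archive window.  A detection under such a path is a transient
# copy; the archive it came from is still on disk and has to be found too.
RAR_TEMP = re.compile(r"\\AppData\\Local\\Temp\\Rar\$", re.IGNORECASE)


def parse_detections(text):
    """Split the section into blank-line separated records and return one dict
    per detection with the "Key: value" fields FRST prints.  The "file:_"
    prefix Defender puts on file resources is stripped from Path."""
    records = []
    for chunk in re.split(r"\n\s*\n", text):
        fields = {}
        for line in chunk.splitlines():
            if ": " in line:                      # banner/URL lines have no ": "
                key, _, value = line.partition(": ")
                fields[key.strip()] = value.strip()
        if "Name" in fields and "Path" in fields and "Date" in fields:
            fields["Path"] = re.sub(r"^file:_", "", fields["Path"])
            fields["When"] = datetime.strptime(fields["Date"], "%Y-%m-%d %H:%M:%S.%f")
            records.append(fields)
    return records


def summarize(records):
    """Group by threat name: hit count, distinct paths, parent processes,
    first/last time and whether any copy sat in a WinRAR temp folder."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["Name"]].append(r)
    summary = {}
    for name, recs in by_name.items():
        times = sorted(r["When"] for r in recs)
        summary[name] = {
            "count": len(recs),
            "paths": sorted({r["Path"] for r in recs}),
            "processes": sorted({r.get("Process Name", "") for r in recs}),
            "first": times[0],
            "last": times[-1],
            "from_archive": any(RAR_TEMP.search(r["Path"]) for r in recs),
        }
    return summary


if __name__ == "__main__":
    for name, info in summarize(parse_detections(SAMPLE)).items():
        print(f"{name}: {info['count']} detection(s), "
              f"{info['first']:%Y-%m-%d %H:%M} .. {info['last']:%Y-%m-%d %H:%M}")
        for p in info["paths"]:
            note = "  <- WinRAR temp extraction; source archive still on disk" \
                if RAR_TEMP.search(p) else ""
            print("   ", p + note)
        print("    launched by:", ", ".join(info["processes"]))
```

To triage a real log, paste the "Windows Defender:" section of Addition.txt into `parse_detections`. The `from_archive` flag is the point: removing the copy in `Rar$...` or the one on the Desktop does not remove the archive they were extracted from, so that archive still has to be located and deleted.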

Offline hayc59

Re: Re-Check Please
« Reply #80 on: October 31, 2020, 05:39:04 PM »
That is my freakin' family member! Wow, let's get rid of it PLEASE.

I have a lifetime key that I can't activate... on the phone now with the idiot!!



Offline icotonev

Re: Re-Check Please
« Reply #81 on: October 31, 2020, 05:40:33 PM »
Farbar Recovery Scan Tool - Search All

  • Double-click FRST.exe/FRST64.exe to run it.
  • Copy and paste the following into the Search: box:

Quote
SearchAll: GlassWire;HitmanPro;MalwareBytes

  • Press the Search Files button.
  • When complete, FRST will generate a log in the same location it was run from (Search.txt).
  • Please copy and paste its contents into your reply.


-----------------------------------------------------------------

In your next reply, please include:

  • Search.txt




Offline hayc59

Re: Re-Check Please
« Reply #82 on: October 31, 2020, 06:05:40 PM »
Farbar Recovery Scan Tool (x64) Version: 24-10-2020
Ran by Gordon & Nancy (31-10-2020 11:43:40)
Running from C:\Users\Gordon & Nancy\Desktop
Boot Mode: Normal

================== Search Files: "SearchAll: GlassWire;HitmanPro;MalwareBytes" =============

File:
========
C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$EXa3416.38939\Malwarebytes.Premium.4.1.2.73.msstdfmt\LicenseMalwareBytes.exe.log
[2020-10-29 14:39][2020-07-04 03:41] 000000173 _____ () B37B9104ECAB7A67674A5ABEDBF5C081 [File not signed]

C:\Users\Gordon & Nancy\AppData\Local\Temp\mwb9BE9.tmp\Malwarebytes EULA.rtf
[2020-10-27 11:58][2020-07-16 13:17] 000040235 _____ () 51A2CD07C31DCA35BFA81DBD89BEE80F [File not signed]

C:\Users\Gordon & Nancy\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Malwarebytes_Privacy_UI_MBPrivacy_exe
[2020-07-06 10:27][2020-07-06 10:27] 000037014 _____ () AB0E4D5A041FA7D1D2DCC1D0E6163F71 [File not signed]

C:\Users\Gordon & Nancy\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_HitmanPro_Alert_hmpalert_exe
[2020-07-06 10:27][2020-07-06 10:27] 000037014 _____ () 0F0DD8BEC61614C5DADBB019FAEA9F7E [File not signed]


folder:
========
2020-09-30 14:51 - 2020-09-30 14:53 _____ C:\Users\Gordon & Nancy\AppData\Local\glasswire
2020-10-29 14:39 - 2020-10-29 14:39 _____ C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$EXa3416.38939\Malwarebytes.Premium.4.1.2.73.msstdfmt
2020-10-29 14:42 - 2020-10-29 14:42 _____ C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$DRa4488.8800\Malwarebytes.Premium.4.1.2.73.msstdfmt
2020-10-29 14:42 - 2020-10-29 14:42 _____ C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$DRa4488.7946\Malwarebytes.Premium.4.1.2.73.msstdfmt

Registry:
========

===================== Search result for "GlassWire" ==========

[HKEY_LOCAL_MACHINE\SYSTEM\GlassWire]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gwdrv]
"DisplayName"="GlassWire Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gwdrv]
"Description"="GlassWire Driver"

[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppBadgeUpdated]
"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\GlassWire\GlassWire.exe"="514"

[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched]
"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\GlassWire\GlassWire.exe"="13"

[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView]
"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\GlassWire\GlassWire.exe"="1"


===================== Search result for "HitmanPro" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6FAC02B7-77D6-418B-AC11-962C65CDE8DD}]
""="HitmanPro.Alert Icon Overlay Handler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\HitmanPro.Alert Shell Extension]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\hitmanpro37]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\hitmanpro37.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\HitmanPro.Alert]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\HitmanPro.Alert]
"EventMessageFile"="C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\HitmanPro.Alert]
"CategoryMessageFile"="C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hmpalert]
"DisplayName"="HitmanPro.Alert Support Driver"


===================== Search result for "MalwareBytes" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B}]
"DISPLAYNAME"="Malwarebytes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B}]
"PRODUCTEXE"="C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B}]
"REPORTINGEXE"="C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]
"Malwarebytes Windows Firewall Control"="0x020000000000000000000000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{36B3D25E-9F02-4C24-9E19-958500BDF3FC}]
"ProfileName"="Malwarebytes VPN (Seattle, WA, USA)"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{36B3D25E-9F02-4C24-9E19-958500BDF3FC}]
"Description"="Malwarebytes VPN (Seattle, WA, USA)"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Malwarebytes]

[HKEY_LOCAL_MACHINE\SYSTEM\Setup\Upgrade\WinsockUpgrade\WinSock2\Parameters\AppId_Catalog\0462E881]
"AppFullPath"="C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"

[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Malwarebytes Support Tool]

[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppBadgeUpdated]
"Malwarebytes.Antimalware"="173"

[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched]
"Malwarebytes.Antimalware"="43"

[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched]
"{6D809377-6AF0-444B-8957-A3773F02200E}\Malwarebytes\Anti-Malware\mbuns.exe"="3"

[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts]
"C:\Users\Gordon & Nancy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Malwarebytes\Malwarebytes.lnk"="1"

[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts]
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes\Malwarebytes.lnk"="1"

[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Search\JumplistData]
"Malwarebytes.Antimalware"="132484823947728407"

[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"15"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes.lnk
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"

[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"16"="C:\Users\Gordon & Nancy\AppData\Roaming\Microsoft\Windows\Start Menu\Malwarebytes.lnk
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"

[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"19"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes.lnk
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"

[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"="0x53414350010000000000000007000000280000008028CC003A61CC0001000000000000000000000A73220000631F6E6F0EDED40100000000000000000200000028000000000000000000000000000000000000000000000000000000116D0000000000000200000002000000"

[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe"="0x534143500100000000000000070000002800000008AD890B0B9F8A0B01000000000000000000000A00210000631F6E6F0EDED401000000000000000002000000280000000000000000000040000000000000000000000000000000005B8D0000000000000100000001000000"


====== End of Search ======



Offline icotonev

Re: Re-Check Please
« Reply #83 on: October 31, 2020, 06:32:12 PM »
The day was busy! It is now 22:00 in Bulgaria. Time to rest! Tomorrow I will write a script with fresh eyes and a clear head. I wish you good night! :)

Offline hayc59

Re: Re-Check Please
« Reply #84 on: October 31, 2020, 06:32:54 PM »
Thank you soooooooo much, and sweet dreams.



Offline icotonev

Re: Re-Check Please
« Reply #85 on: November 01, 2020, 05:57:09 AM »
Good morning! :)

Step 1 :
 
Tweaking.com Registry Backup
  • Download Tweaking.com Registry Backup from here, and save tweaking.com_registry_backup_portable.zip to your desktop.
  • Now we need to create a new folder to extract the zipped contents into. Right click on the zipped folder you just downloaded and select "Extract All".
  • Click the "Browse" button and from the list, expand "Computer", then expand "Windows (C:)", and click the "Make New Folder" button.
  • Call this folder something you will remember...like "RegBackup" then click "Ok", and then click "Extract".
  • From the newly extracted files, right click on and select Run as Administrator (XP users just double click) to start Tweaking.com Registry Backup.
    (Windows Vista/7/8 users: accept the UAC warning if it is enabled.)
  • A screen like this should appear:
         

  • Type a custom name in Backup Name if you want, then choose Backup Now.
  • If backup is successful, a message will appear at the lower half of the screen with an option to view logs.
  • The registry backup will be created in %WindowsDrive%\RegBackup by default. You can customize the path in Settings.
  • Close Tweaking.com Registry Backup when done.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
Step 2 :
 
Boot your computer to Safe Mode.
 
 
Farbar Recovery Scan Tool - Fix
 
  • Highlight the contents of the below code box and press Ctrl + C on your keyboard:

Code:
Start::

CreateRestorePoint:
CloseProcesses:

C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$EXa3416.38939\Malwarebytes.Premium.4.1.2.73.msstdfmt\LicenseMalwareBytes.exe.log
C:\Users\Gordon & Nancy\AppData\Local\Temp\mwb9BE9.tmp\Malwarebytes EULA.rtf
C:\Users\Gordon & Nancy\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Malwarebytes_Privacy_UI_MBPrivacy_exe
C:\Users\Gordon & Nancy\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_HitmanPro_Alert_hmpalert_exe
C:\Users\Gordon & Nancy\AppData\Local\glasswire
C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$EXa3416.38939\Malwarebytes.Premium.4.1.2.73.msstdfmt
C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$DRa4488.8800\Malwarebytes.Premium.4.1.2.73.msstdfmt
C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$DRa4488.7946\Malwarebytes.Premium.4.1.2.73.msstdfmt

StartRegedit:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\GlassWire]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gwdrv]
"DisplayName"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gwdrv]
"Description"="GlassWire Driver"
[-HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppBadgeUpdated]
"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\GlassWire\GlassWire.exe"="514"
[-HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched]
"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\GlassWire\GlassWire.exe"="13"
[-HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView]
"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\GlassWire\GlassWire.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6FAC02B7-77D6-418B-AC11-962C65CDE8DD}]
""=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\HitmanPro.Alert Shell Extension]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\hitmanpro37]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\hitmanpro37.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\HitmanPro.Alert]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\HitmanPro.Alert]
"EventMessageFile"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\HitmanPro.Alert]
"CategoryMessageFile"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hmpalert]
"DisplayName"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B}]
"DISPLAYNAME"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B}]
"PRODUCTEXE"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B}]
"REPORTINGEXE"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]
"Malwarebytes Windows Firewall Control"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{36B3D25E-9F02-4C24-9E19-958500BDF3FC}]
"ProfileName"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{36B3D25E-9F02-4C24-9E19-958500BDF3FC}]
"Description"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Malwarebytes]
[HKEY_LOCAL_MACHINE\SYSTEM\Setup\Upgrade\WinsockUpgrade\WinSock2\Parameters\AppId_Catalog\0462E881]
"AppFullPath"=-
[-HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Malwarebytes Support Tool]
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppBadgeUpdated]
"Malwarebytes.Antimalware"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched]
"Malwarebytes.Antimalware"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched]
"{6D809377-6AF0-444B-8957-A3773F02200E}\Malwarebytes\Anti-Malware\mbuns.exe"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts]
"C:\Users\Gordon & Nancy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Malwarebytes\Malwarebytes.lnk"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts]
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes\Malwarebytes.lnk"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Search\JumplistData]
"Malwarebytes.Antimalware"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"15"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"16"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"19"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe"=-

EndRegedit:

EmptyTemp:
End::


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Double-click FRST.exe/FRST64.exe to run it.
  • Press the Fix button just once and wait.
    Note: No need to paste the script into FRST.
  • Restart the computer if prompted.
  • When the fix is complete FRST will generate a log in the same location it was run from (Fixlog.txt)
  • Please copy and paste its contents into your reply.
---------------------------------------------------

In your next reply, please include:
  • Fixlog.txt
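Before a fixlist like the one above is run, its registry section can be checked mechanically. The linter below is an added example (not FRST code, not part of this thread's script) that applies plain .reg-file semantics: `[-Key]` deletes the whole key, so any value line written under it does nothing; `"Name"="..."` writes a value rather than removing one, which in a cleanup script usually means a line was copied straight from Search.txt; and a `[-Key]` whose path does not mention the searched product while a value under it does is worth a second look, because keys such as Explorer's `FeatureUsage\AppSwitched` hold one value per application (the Search.txt above lists both GlassWire and Malwarebytes under the same key) and should lose one value, not be deleted. It also marks Windows Security Center provider keys, which FRST reported as `Access Denied` in the Fixlog later in this thread. `SAMPLE_FIXLIST`, the `ExampleProduct` name, the `exdrv` service and the SID are constructed placeholders; search terms are passed in the same form as the `SearchAll:` line.

```python
"""Pre-flight lint for the StartRegedit:/EndRegedit: section of an FRST
fixlist.  Added example, not part of FRST.  Rules encode ordinary .reg-file
semantics: [Key] selects a key, [-Key] deletes the whole key, "Name"=-
deletes one value, "Name"="..." writes a value."""
import re

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # [Key] or [-Key]
VALUE_RE = re.compile(r'^("[^"]*"|@)=(.*)$')     # "Name"=data, data may be '-'

# Constructed sample mirroring the patterns in the script above.  ExampleProduct,
# the exdrv service and the SID are placeholders, not real registry entries.
SAMPLE_FIXLIST = """\
Start::
CreateRestorePoint:
StartRegedit:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\\SYSTEM\\ExampleProduct]
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\exdrv]
"DisplayName"=-
[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleProduct]
"InstallDir"="C:\\Program Files\\ExampleProduct"
[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\exdrv]
"Description"="ExampleProduct Driver"
[-HKEY_USERS\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FeatureUsage\\AppSwitched]
"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ExampleProduct\\ExampleProduct.exe"="13"
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\Provider\\Av\\{00000000-0000-0000-0000-000000000000}]
"DISPLAYNAME"=-
EndRegedit:
EmptyTemp:
End::
"""


def registry_blocks(fixlist):
    """Group the registry section into (deletes_key, key_path, value_lines)
    tuples in script order; returns [] when the fixlist has no such section."""
    lines = [l.strip() for l in fixlist.splitlines()]
    if "StartRegedit:" not in lines or "EndRegedit:" not in lines:
        return []
    body = lines[lines.index("StartRegedit:") + 1:lines.index("EndRegedit:")]
    blocks = []
    for line in body:
        m = KEY_RE.match(line)
        if m:
            blocks.append((m.group(1) == "-", m.group(2), []))
        elif VALUE_RE.match(line) and blocks:
            blocks[-1][2].append(line)
        # blank lines and the "Windows Registry Editor" banner are ignored
    return blocks


def lint_fixlist(fixlist, search_terms):
    """Return (rule, key_path, detail) findings to resolve before pressing Fix."""
    terms = [t.lower() for t in search_terms]

    def mentions_product(s):
        return any(t in s.lower() for t in terms)

    findings = []
    for deletes_key, key, values in registry_blocks(fixlist):
        if deletes_key:
            for v in values:
                findings.append(("dead", key,
                    f"{v} has no effect: [-{key}] already removes the whole key"))
            if not mentions_product(key) and any(mentions_product(v) for v in values):
                findings.append(("review", key,
                    "whole key deleted although the search term appears only in a "
                    "value under it; if the key is shared (e.g. Explorer\\FeatureUsage\\*), "
                    "use [Key] followed by \"Name\"=- instead"))
        else:
            for v in values:
                name, data = VALUE_RE.match(v).groups()
                if data != "-":
                    findings.append(("writes", key,
                        f"{name}={data} writes a value; a cleanup script normally only "
                        "deletes (line copied from Search.txt output?)"))
        if "\\security center\\provider\\" in key.lower():
            findings.append(("protected", key,
                "Windows Security Center provider registration; FRST reported Access "
                "Denied on this kind of key in the Fixlog, so unregister it through the "
                "product's own uninstaller or cleanup tool"))
    return findings


if __name__ == "__main__":
    for rule, key, detail in lint_fixlist(SAMPLE_FIXLIST, ["ExampleProduct"]):
        print(f"[{rule:9}] {key}\n            {detail}")
```

Run against a real fixlist by passing its text and the terms from the `SearchAll:` line. A `review` finding is a heuristic, not a verdict: a product's own service key (the `exdrv` block here) legitimately gets deleted whole, so add the service name to the search terms to silence it and keep the finding for genuinely shared keys.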

Offline hayc59

Re: Re-Check Please
« Reply #86 on: November 01, 2020, 05:17:05 PM »
Fix result of Farbar Recovery Scan Tool (x64) Version: 24-10-2020
Ran by Gordon & Nancy (01-11-2020 12:06:04) Run:1
Running from C:\Users\Gordon & Nancy\Desktop
Loaded Profiles: Gordon & Nancy
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$EXa3416.38939\Malwarebytes.Premium.4.1.2.73.msstdfmt\LicenseMalwareBytes.exe.log
C:\Users\Gordon & Nancy\AppData\Local\Temp\mwb9BE9.tmp\Malwarebytes EULA.rtf
C:\Users\Gordon & Nancy\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Malwarebytes_Privacy_UI_MBPrivacy_exe
C:\Users\Gordon & Nancy\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_HitmanPro_Alert_hmpalert_exe
C:\Users\Gordon & Nancy\AppData\Local\glasswire
C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$EXa3416.38939\Malwarebytes.Premium.4.1.2.73.msstdfmt
C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$DRa4488.8800\Malwarebytes.Premium.4.1.2.73.msstdfmt
C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$DRa4488.7946\Malwarebytes.Premium.4.1.2.73.msstdfmt
StartRegedit:
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SYSTEM\GlassWire]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gwdrv]
"DisplayName"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gwdrv]
"Description"="GlassWire Driver"
[-HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppBadgeUpdated]
"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\GlassWire\GlassWire.exe"="514"
[-HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched]
"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\GlassWire\GlassWire.exe"="13"
[-HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView]
"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\GlassWire\GlassWire.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6FAC02B7-77D6-418B-AC11-962C65CDE8DD}]
""=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\HitmanPro.Alert Shell Extension]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\hitmanpro37]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\hitmanpro37.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\HitmanPro.Alert]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\HitmanPro.Alert]
"EventMessageFile"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\HitmanPro.Alert]
"CategoryMessageFile"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hmpalert]
"DisplayName"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B}]
"DISPLAYNAME"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B}]
"PRODUCTEXE"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B}]
"REPORTINGEXE"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]
"Malwarebytes Windows Firewall Control"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{36B3D25E-9F02-4C24-9E19-958500BDF3FC}]
"ProfileName"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{36B3D25E-9F02-4C24-9E19-958500BDF3FC}]
"Description"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Malwarebytes]
[HKEY_LOCAL_MACHINE\SYSTEM\Setup\Upgrade\WinsockUpgrade\WinSock2\Parameters\AppId_Catalog\0462E881]
"AppFullPath"=-
[-HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Malwarebytes Support Tool]
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppBadgeUpdated]
"Malwarebytes.Antimalware"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched]
"Malwarebytes.Antimalware"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched]
"{6D809377-6AF0-444B-8957-A3773F02200E}\Malwarebytes\Anti-Malware\mbuns.exe"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts]
"C:\Users\Gordon & Nancy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Malwarebytes\Malwarebytes.lnk"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts]
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes\Malwarebytes.lnk"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Search\JumplistData]
"Malwarebytes.Antimalware"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"15"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"16"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"19"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe"=-
EndRegedit:
EmptyTemp:

*****************

Restore point was successfully created.
Processes closed successfully.
"C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$EXa3416.38939\Malwarebytes.Premium.4.1.2.73.msstdfmt\LicenseMalwareBytes.exe.log" => not found
C:\Users\Gordon & Nancy\AppData\Local\Temp\mwb9BE9.tmp\Malwarebytes EULA.rtf => moved successfully
C:\Users\Gordon & Nancy\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Malwarebytes_Privacy_UI_MBPrivacy_exe => moved successfully
C:\Users\Gordon & Nancy\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_HitmanPro_Alert_hmpalert_exe => moved successfully
C:\Users\Gordon & Nancy\AppData\Local\glasswire => moved successfully
C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$EXa3416.38939\Malwarebytes.Premium.4.1.2.73.msstdfmt => moved successfully
"C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$DRa4488.8800\Malwarebytes.Premium.4.1.2.73.msstdfmt" => not found
"C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$DRa4488.7946\Malwarebytes.Premium.4.1.2.73.msstdfmt" => not found
Registry ====> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B} <==== Access Denied
Registry ====> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B} <==== Access Denied
Registry ====> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B} <==== Access Denied
Registry ====> ERROR: Error accessing the registry.

=========== EmptyTemp: ==========

BITS transfer queue => 7888896 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 10530112 B
Java, Flash, Steam htmlcache => 1351 B
Windows/system/drivers => 929021 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 72812 B
Gordon & Nancy => 97063512 B

RecycleBin => 111376 B
EmptyTemp: => 111.2 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 12:07:11 ====

9.11.01
"The most beautiful flower loses her beauty one day, but a hard faithful friend an eternity"
"Beauty that is not hidden to deepest of my soul can be seen that with eyes of the heart"

'Never Forget'


Offline hayc59

  • Voodoo Child
  • Hero Member
  • *****
  • Posts: 1459
  • Gentleman
Re: Re-Check Please
« Reply #87 on: November 01, 2020, 05:19:07 PM »
That was a trip for sure!!
Went into safe mode but could not get the fix info into FRST,
so did it in regular mode (sorry). If you know a trick to do so, will do it again.

Offline hayc59

Re: Re-Check Please
« Reply #88 on: November 01, 2020, 05:45:35 PM »
Safe mode, and figured it out, I think.
===================
Fix result of Farbar Recovery Scan Tool (x64) Version: 24-10-2020
Ran by Gordon & Nancy (01-11-2020 12:38:57) Run:2
Running from C:\Users\Gordon & Nancy\Desktop
Loaded Profiles: Gordon & Nancy
Boot Mode: Safe Mode (minimal)
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$EXa3416.38939\Malwarebytes.Premium.4.1.2.73.msstdfmt\LicenseMalwareBytes.exe.log
C:\Users\Gordon & Nancy\AppData\Local\Temp\mwb9BE9.tmp\Malwarebytes EULA.rtf
C:\Users\Gordon & Nancy\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Malwarebytes_Privacy_UI_MBPrivacy_exe
C:\Users\Gordon & Nancy\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_HitmanPro_Alert_hmpalert_exe
C:\Users\Gordon & Nancy\AppData\Local\glasswire
C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$EXa3416.38939\Malwarebytes.Premium.4.1.2.73.msstdfmt
C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$DRa4488.8800\Malwarebytes.Premium.4.1.2.73.msstdfmt
C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$DRa4488.7946\Malwarebytes.Premium.4.1.2.73.msstdfmt
StartRegedit:
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SYSTEM\GlassWire]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gwdrv]
"DisplayName"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gwdrv]
"Description"="GlassWire Driver"
[-HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppBadgeUpdated]
"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\GlassWire\GlassWire.exe"="514"
[-HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched]
"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\GlassWire\GlassWire.exe"="13"
[-HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView]
"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\GlassWire\GlassWire.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6FAC02B7-77D6-418B-AC11-962C65CDE8DD}]
""=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\HitmanPro.Alert Shell Extension]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\hitmanpro37]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\hitmanpro37.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\HitmanPro.Alert]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\HitmanPro.Alert]
"EventMessageFile"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\HitmanPro.Alert]
"CategoryMessageFile"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hmpalert]
"DisplayName"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B}]
"DISPLAYNAME"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B}]
"PRODUCTEXE"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B}]
"REPORTINGEXE"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]
"Malwarebytes Windows Firewall Control"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{36B3D25E-9F02-4C24-9E19-958500BDF3FC}]
"ProfileName"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{36B3D25E-9F02-4C24-9E19-958500BDF3FC}]
"Description"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Malwarebytes]
[HKEY_LOCAL_MACHINE\SYSTEM\Setup\Upgrade\WinsockUpgrade\WinSock2\Parameters\AppId_Catalog\0462E881]
"AppFullPath"=-
[-HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Malwarebytes Support Tool]
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppBadgeUpdated]
"Malwarebytes.Antimalware"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched]
"Malwarebytes.Antimalware"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched]
"{6D809377-6AF0-444B-8957-A3773F02200E}\Malwarebytes\Anti-Malware\mbuns.exe"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts]
"C:\Users\Gordon & Nancy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Malwarebytes\Malwarebytes.lnk"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts]
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes\Malwarebytes.lnk"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\Search\JumplistData]
"Malwarebytes.Antimalware"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"15"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"16"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"19"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"=-
[HKEY_USERS\S-1-5-21-3675653720-2737141039-3862127861-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe"=-
EndRegedit:
EmptyTemp:

*****************

Error: Restore point can only be created in normal mode.
Processes closed successfully.
"C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$EXa3416.38939\Malwarebytes.Premium.4.1.2.73.msstdfmt\LicenseMalwareBytes.exe.log" => not found
"C:\Users\Gordon & Nancy\AppData\Local\Temp\mwb9BE9.tmp\Malwarebytes EULA.rtf" => not found
"C:\Users\Gordon & Nancy\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Malwarebytes_Privacy_UI_MBPrivacy_exe" => not found
"C:\Users\Gordon & Nancy\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_HitmanPro_Alert_hmpalert_exe" => not found
"C:\Users\Gordon & Nancy\AppData\Local\glasswire" => not found
"C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$EXa3416.38939\Malwarebytes.Premium.4.1.2.73.msstdfmt" => not found
"C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$DRa4488.8800\Malwarebytes.Premium.4.1.2.73.msstdfmt" => not found
"C:\Users\Gordon & Nancy\AppData\Local\Temp\Rar$DRa4488.7946\Malwarebytes.Premium.4.1.2.73.msstdfmt" => not found
Registry ====> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B} <==== Access Denied
Registry ====> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B} <==== Access Denied
Registry ====> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{23007AD3-69FE-687C-2629-D584AFFAF72B} <==== Access Denied
Registry ====> ERROR: Error accessing the registry.

=========== EmptyTemp: ==========

BITS transfer queue => 7888896 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 7372892 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 2400 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 1522 B
Gordon & Nancy => 9749561 B

RecycleBin => 8568 B
EmptyTemp: => 23.9 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 12:39:01 ====

Offline hayc59

Re: Re-Check Please
« Reply #89 on: November 02, 2020, 02:59:03 PM »
Does all look good?
