Tweet
Originally posted by Malnutrition
@MaXz Sorry for the delay. The Log I requested takes time to go over.
Please for now, uninstall malwarebytes.
Download AV block remover .
Unzip to your desktop, Right click run as admin and follow the instructions. If it does not start, rename the AVbr.exe file to, for example, AV_br.exe
Click yes to reset hosts file.
After the machine reboots then there will be a logfile in the new folder created, post that please.
Copy the content of the code box below.
[COLOR=rgb(184, 49, 47)]Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.
[/COLOR]
Please for now, uninstall malwarebytes.
Download AV block remover .
Unzip to your desktop, Right click run as admin and follow the instructions. If it does not start, rename the AVbr.exe file to, for example, AV_br.exe
Click yes to reset hosts file.
After the machine reboots then there will be a logfile in the new folder created, post that please.
Copy the content of the code box below.
[COLOR=rgb(184, 49, 47)]Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.
Code:
Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
RemoveProxy:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center: Restriction <==== ATTENTION
HKLM\Software\Policies\...\system: [EnableSmartScreen] 0
DeleteKey: HKCU\SOFTWARE\153f8ce0-b97a-575b-ba12-4ff8b1481894
DeleteKey: HKU\S-1-5-21-3989784722-1943139329-1569411945-1001\SOFTWARE\153f8ce0-b97a-575b-ba12-4ff8b1481894
DeleteKey: HKLM\Software\Classes\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}
DeleteKey: HKCU\SOFTWARE\nwjs
DeleteKey: HKU\S-1-5-21-3989784722-1943139329-1569411945-1001\SOFTWARE\nwjs
DeleteValue: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Users\ozaga\AppData\Local\Updates\WindowsService.exe
DeleteValue: HKU\S-1-5-21-3989784722-1943139329-1569411945-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Users\ozaga\AppData\Local\Updates\WindowsService.exe
VirusTotal: C:\WINDOWS\System32\drivers\RoutePolicy.sys
File: C:\WINDOWS\System32\drivers\RoutePolicy.sys
CMD: gpupdate /force
cmd: DISM.exe /Online /Cleanup-image /Restorehealth
cmd: sfc /scannow
cmd: winmgmt /salvagerepository
cmd: winmgmt /verifyrepository
CMD: "%WINDIR%\SYSTEM32\lodctr.exe /R"
CMD: "%WINDIR%\SysWOW64\lodctr.exe /R"
CMD: "C:\Windows\SYSTEM32\lodctr.exe /R"
CMD: "C:\Windows\SysWOW64\lodctr.exe /R"
CMD: sc stop sysmain
CMD: sc config sysmain start= disabled
CMD: sc stop DiagTrack
CMD: sc config DiagTrack start= disabled
CMD: sc stop dmwappushservice
CMD: sc config dmwappushservice start= disabled
CMD: sc stop WSearch
CMD: sc config WSearch start= disabled
CMD: sc stop lfsvc
CMD: sc config lfsvc start= disabled
CMD: del /s /q %ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl
CMD: echo "" > %ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl
CMD: WMIC SERVICE WHERE Name="windefend" set startmode="auto"
CMD: WMIC SERVICE WHERE Name="wscsvc" set startmode="auto"
CMD: net start windefend
CMD: net start wscsvc
StartRegedit:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002
EndRegedit:
emptytemp:
Reboot:
End::
Comment