
Windows Defender. . .Has Disabled Your Computer - Fake?

#1 ·
NOTE: This message concerns my wife's HP Laptop computer and the information below concerns what is going on with the laptop. This computer is my Dell Desktop.
--------
Tech Support Guy System Info Utility version 1.0.0.9
OS Version: Microsoft Windows 10 Home, 64 bit, Build 19045, Installed 20210210170325.000000-480
Processor: Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz, Intel64 Family 6 Model 142 Stepping 12, CPU Count: 8
Total Physical RAM: 16 GB
Graphics Card: Intel(R) UHD Graphics, 1024 MB
Hard Drives: C: 953 GB (746 GB Free);
Motherboard: HP 865B, ver 64.18, s/n PJGJP00WBDJ091
System: Insyde, ver HPQOEM - 2, s/n 5CG0137850
Antivirus: Windows Defender, Enabled and Updated
-----------

Yesterday, my wife began using her HP Laptop with the Firefox browser, 134.0.2 (64-bit). She opened Facebook and began reading; the laptop locked up and displayed the following message:

[Image: screenshot of the warning message]


There was also a voice message running in the background announcing:

Windows Defender has temporarily disabled your computer and internet activity for suspicious activity from Facebook. Please do not shut down or restart the computer, we have detected that you may have clicked on a virus infected article on Facebook. Please call our support before your Facebook account is permanently suspended. (or words to that effect)

My wife does not remember clicking on any links. When the message came up she left the laptop in that state and went to work and told me about the problem later. I was not able to get to the problem until now.

I was able to free up the laptop by pressing <Esc> and I ran Tech Guy Sysinfo (attached above) and, following the guide in this forum, I downloaded and installed the FRST program, creating the "Addition" and "FRST" text documents. Those files are attached below:



I did call the support number listed and the person who answered had a foreign accent (I don't know from where) and when I asked him to repeat who he was, he hung up.

I have left the laptop turned on with Facebook open in Firefox with the warning message still displayed. I took no further action on the laptop.

Any help/assistance will be greatly appreciated.

Jerry
 


#2 ·
Hi, Jmallard.

It is a scam, but it's good you posted the FRST logs, so we can take a deeper look into the system and check it.

Just a confirmation: you said that you left the laptop with the above screen open without doing anything. Is this still open in Firefox?
 
#3 ·
DR.M,

Yes, as stated in my message. I have left the laptop running with Firefox open and logged into Facebook and the Defender warning screen is still displayed.

Thanks for your response.

Jerry
 
#6 ·
Perfect! It was a scam. See in your first screenshot that the real Windows Defender's icon at the bottom right is green.

It seems that you or your wife tried to download some programs for backup purposes (Easeus, Perfect Backup) from sites other than the official ones yesterday.

We are going to do some checks, but first, please read the basic guidelines of the Malware Removal Forum. As soon as I have your consent, I'll give you the first set of instructions.

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but also can make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, there is no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please be patient while I analyze your logs.
 
#7 ·
Perfect! It was a scam. See in your first screenshot that the real Windows Defender's icon at the bottom right is green.

It seems that you or your wife tried to download some programs for backup purposes (Easeus, Perfect Backup) from not the official sites yesterday.

No. My wife did not try to download the backup programs. I did that and backed up the whole computer with Easeus, onto a separate storage drive, before I ran the FRST program.

Jerry
 
#8 ·
OK. Thanks for the clarification. Did you download EaseUS from their site? What about the Perfect Backup?

Assuming that you agree with the guidelines, let's start with the following:

1. Run Malwarebytes (scan only)
  • Download Malwarebytes and save it to your Desktop.
  • Once downloaded, close all programs and Windows on your computer.
  • Double-click on the icon on your desktop named MBSetup.exe. This will start the installation of MBAM onto your computer.
  • Follow the instructions to install the program.
  • When finished, double click the program's icon created on your Desktop.
  • Click the little gear on the top right (Settings) and when it opens, click the General tab. Under the title Windows Security Center, make sure the option is disabled.
  • Click the Scan and Detections tab and under the Scan options title, enable Scan for rootkits option. Do not change any other option.
  • Return to the Dashboard and choose Scan.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the two last steps below.

    If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
    • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
    • Find the report with the most recent date and double click on it.
    • Click on Export and then Copy to Clipboard.
    • Paste its content here, in your next reply.

2. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click the Scan Now button.
  • Once the scan completes, AdwCleaner shows you all detected PUPs and adware. DO NOT check anything found, and click Next.
  • If any preinstalled software was detected on your device, a message notifies you that your action is requested. DO NOT check anything, and click Cancel to continue.
  • Click the Log Files tab.
  • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number; the latest scan will have the largest number)
  • A Notepad file will open containing the results of the removal.
  • Please post the contents of the file in your next reply.
Note: Click Skip Basic Repair if you are asked to.


In your next reply, please post:
  1. The Malwarebytes report
  2. The AdwCleaner[S0*].txt
 
#13 ·
Hi, Jerry.

Actually, we need to remove the following detected items:

PUP.Optional.Legacy C:\SysInfo.exe
PUP.Optional.Legacy Honey - jid1-93CWPmRbVPjRQA@jetpack

As to the preinstalled software that was detected, it's up to you if you want to remove or keep it. I usually remove whatever I don't need/use. But this is completely your decision.

To proceed:

  • Double click AdwCleaner.exe on your Desktop, to run it as you did before.
  • Click Scan Now.
  • Once the scan completes, AdwCleaner shows you what it found on your computer. Check the boxes next to any items you want to quarantine and disable, then click Next.
  • Now, AdwCleaner will show you any preinstalled software it found on your device. Again, check the boxes next to any items you want to quarantine and disable. If you don't want to remove any preinstalled software, click Cancel and continue.
  • Click Continue, then click Restart now, and you’re done.
  • Once your computer has restarted:
    • Click the Log Files tab.
    • Click Skip Basic Repair to finish the cleaning process
    • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number; the latest scan will have the largest number)
    • A Notepad file will open containing the results of the removal.
    • Please post the contents of the file in your next reply.

In your next reply please post:
  1. The AdwCleaner[C0*].txt
 
#14 ·
Since I will shut down now, I'm giving you another step.

So, after posting the AdwCleaner's log, run the FRST tool as you did before, and attach fresh FRST logs for me to check.
 
#15 ·
DR.M,

Requested files attached.

Everything seems just fine on the laptop now.

Thank You Very Much for your time and solving my problem. I am glad there are people like you who don't have to take the time from your lives to do things like this and give your expertise freely, but you do. It is appreciated very much!

Jerry
 


#16 ·
Hi, Jerry.

Thanks for your good words.

There are some things to be done yet, before I mark the topic as Solved. First, please move the FRST tool from C:\Download\FRST64.exe directly onto your Desktop.

After that:

FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-1004575877-1421367045-863696920-1001\...\Run: [Perfect Backup] => "C:\Perfect Backup\pb.exe" /hide (No File)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{73FA19D0-2D75-11D2-995D-00C04F98BBC9}] -> 
Task: {661C11F1-28D0-454B-AE7E-5E602B728D69} - System32\Tasks\HPDataRetriever => C:\ProgramData\HP\Telemetry\collectors\hp-telemetry-application-info-collector_ver_4.675.11370\hp-data-retriever.exe  (No File)
Task: {9DAD8283-3435-4317-AECB-7CA6A65DB2A8} - System32\Tasks\HPSupportTool => C:\ProgramData\HP\Telemetry\collectors\hp-telemetry-iolo-collector_ver_4.675.11370\hp-support-tool.exe  (No File)
FF Notifications: Mozilla\Firefox\Profiles\nr9l83x1.default-release -> hxxps://www.facebook.com; hxxp://search.hyourmapview.com; hxxps://online.citi.com; hxxps://www.snapfish.com; hxxps://www.greatselections.co; hxxps://4patriots.com
S2 HP Comm Recover; "C:\Program Files\HPCommRecovery\HPCommRecovery.exe" [X]
S2 WildTangentHelper; "C:\Program Files (x86)\WildTangent Games\Integration\WildTangentHelperService.exe" [X]
SearchScopes: HKLM -> {501A3C2D-15D3-49C8-B7AB-9D2B9C546F70} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {501A3C2D-15D3-49C8-B7AB-9D2B9C546F70} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-1004575877-1421367045-863696920-1001 -> {501A3C2D-15D3-49C8-B7AB-9D2B9C546F70} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
BHO: No Name -> {6C674988-489F-4C12-8F4D-0F111C517BD1}' -> No File
BHO-x32: No Name -> {6C674988-489F-4C12-8F4D-0F111C517BD1}' -> No File
HKLM\...\StartupApproved\Run: => "Acronis Scheduler2 Service"
HKU\S-1-5-21-1004575877-1421367045-863696920-1001\...\StartupApproved\Run: => "Perfect Backup"
FirewallRules: [{62B42EF3-0600-475B-BCDA-9DF3262876FA}] => (Allow) C:\Users\Lorraine\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{7E750551-BD7D-4B9F-8053-B5A9261316B9}] => (Allow) C:\Users\Lorraine\AppData\Roaming\Zoom\bin\airhost.exe => No File
2025-01-22 14:54 - 2025-01-22 14:54 - 000000000 ____D C:\Users\Lorraine\AppData\Roaming\Perfect Backup
2025-01-22 14:54 - 2025-01-22 14:54 - 000000000 ____D C:\ProgramData\Perfect Backup
Folder: C:\Users\Lorraine\Documents\Perfect Backup
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: SFC /scannow
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.
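The fixlist above is a plain list of FRST directives, one per line, and most of the entries point at files that FRST reports as no longer on disk. As an added example (not FRST's own code and not from anyone in this thread), the following Python classifies each line of such a script and lists the orphaned targets; the regex patterns are assumptions drawn from the entry shapes in the script, not an official FRST grammar.

```python
"""Classify the lines of an FRST fixlist like the Start::/End:: script above. Added
illustration only, not FRST's code; the patterns are assumptions from the entry shapes."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the post #16 fix, entries copied verbatim from the thread.
SAMPLE_FIXLIST = r"""Start::
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-1004575877-1421367045-863696920-1001\...\Run: [Perfect Backup] => "C:\Perfect Backup\pb.exe" /hide (No File)
Task: {661C11F1-28D0-454B-AE7E-5E602B728D69} - System32\Tasks\HPDataRetriever => C:\ProgramData\HP\Telemetry\collectors\hp-telemetry-application-info-collector_ver_4.675.11370\hp-data-retriever.exe  (No File)
S2 HP Comm Recover; "C:\Program Files\HPCommRecovery\HPCommRecovery.exe" [X]
FirewallRules: [{62B42EF3-0600-475B-BCDA-9DF3262876FA}] => (Allow) C:\Users\Lorraine\AppData\Roaming\Zoom\bin\airhost.exe => No File
2025-01-22 14:54 - 2025-01-22 14:54 - 000000000 ____D C:\ProgramData\Perfect Backup
Folder: C:\Users\Lorraine\Documents\Perfect Backup
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: SFC /scannow
EmptyTemp:
End::
"""
# Tokens FRST uses to flag an entry whose target binary is no longer on disk (assumed).
ORPHAN_MARKERS = ("(No File)", "[X]", "=> No File")

# (kind, regex) tried in order; 'target' captures the path or command the entry points at.
PATTERNS = [
    ("directive", re.compile(r"^[A-Za-z]+:$")),             # CreateRestorePoint:, EmptyTemp:
    ("command", re.compile(r"^CMD: (?P<target>.+)$")),      # repair command FRST will run
    ("folder", re.compile(r"^Folder: (?P<target>.+)$")),    # folder to delete
    ("task", re.compile(r"^Task: \{[0-9A-F-]+\} - \S+ => (?P<target>.+?)\s*(?:\(No File\))?$")),
    ("service", re.compile(r'^[RS]\d [^;]+; "(?P<target>[^"]+)"')),
    ("firewall", re.compile(r"^FirewallRules: \[\{[0-9A-F-]+\}\] => \(\w+\) (?P<target>.+?) => ")),
    ("autorun", re.compile(r'^HK(?:LM|U)\\.*\\Run: \[[^\]]+\] => "(?P<target>[^"]+)"')),
    ("recent_item", re.compile(r"^\d{4}-\d{2}-\d{2} .* ____D (?P<target>.+)$")),
]

@dataclass
class Entry:
    kind: str
    target: Optional[str]
    orphaned: bool   # True when FRST says the referenced file is missing

def parse_fixlist(text: str) -> list:
    """Split a fixlist into classified entries; reject scripts without the Start::/End:: frame."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or lines[0] != "Start::" or lines[-1] != "End::":
        raise ValueError("fixlist must begin with Start:: and end with End::")
    entries = []
    for raw in lines[1:-1]:
        kind, target = "unknown", None
        for name, pattern in PATTERNS:
            m = pattern.match(raw)
            if m:
                kind, target = name, m.groupdict().get("target")
                break
        entries.append(Entry(kind, target, any(tok in raw for tok in ORPHAN_MARKERS)))
    return entries

def summarize(entries: list) -> dict:
    """Count entries per kind and list the targets FRST reports as no longer present."""
    counts = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return {"counts": counts, "orphaned_targets": [e.target for e in entries if e.orphaned]}
```

Running `summarize(parse_fixlist(SAMPLE_FIXLIST))` on the sample shows that four of the removed entries (a Run key, a scheduled task, a service and a firewall rule) point at binaries that are gone, which is why deleting them is cleanup rather than a loss of function.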
 
#19 ·
Perfect! Note that some system files were fixed.

Another quick fix:

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
C:\Users\Lorraine\Documents\Perfect Backup
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.

Is there any remaining question/concern/issue regarding this computer?
 
#20 ·
DR.M,

Will running FRST64 again OVERWRITE the current fixlog.txt file on the desktop? Should I delete that file?

Will running "C:\Users\Lorraine\Documents\Perfect Backup" create a backup of my computer?

Note: I used "EaseUS Todo Backup Free" at 9:33pm tonight (24 Jan) to do a complete backup of the laptop.

It is 2:06am, 25 Jan where I am in California. May I ask where you are and what time it is?

Jerry
 
#21 ·
Hi, Jerry.

Yes, the new fix will overwrite the previous fixlog.txt. So you don't need to do anything.

The fix will delete that empty file which is not part of EaseUS. It belongs to another software (Perfect Backup) which is no longer installed in your system.

Now it's 12:12 p.m. So I am 10 hours ahead of you. :)
 
#25 ·
Perfect!

The following tool will remove the tools we used as well as reset system restore points:

Download KpRm by kernel-panik and save it to your desktop.
  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please copy and paste its contents in your next reply.

Note: If there is a warning about this tool, go on to download it, since it is a false positive. Choose More info and continue from there.
 
#26 ·
Completed the task and here's the results:

==========start=================

# Run at 1/25/2025 2:36:05 AM
# KpRm (Kernel-panik) version 2.18.0
# Website https://kernel-panik.me/tool/kprm/
# Run by Lorraine from C:\Users\Lorraine\Desktop
# Computer Name: LORRAINE-LAPTOP
# OS: Windows 10 X64 (19045) (10.0.19045.5371)
# Number of passes: 1

- Checked options -

~ Registry Backup
~ Delete Tools
~ Restore System Settings
~ UAC Restore
~ Delete Restore Points
~ Create Restore Point
~ Delete Quarantines

- Create Registry Backup -

~ [OK] Hive C:\WINDOWS\System32\config\SOFTWARE backed up
~ [OK] Hive C:\Users\Lorraine\NTUSER.dat backed up

[OK] Registry Backup: C:\KPRM\backup\2025-01-25-02-36-05

- Delete Tools -


## AdwCleaner
[OK] C:\AdwCleaner deleted

## FRST
[OK] C:\Users\Lorraine\Desktop\Fixlog.txt deleted
[OK] C:\Users\Lorraine\Desktop\FRST64.exe deleted
[OK] C:\FRST deleted

- Restore System Settings -

[OK] Reset WinSock
[OK] FLUSHDNS
[OK] Hide Hidden file.
[OK] Show Extensions for known file types
[OK] Hide protected operating system files

- Restore UAC -

[OK] Set EnableLUA with default (1) value
[OK] Set ConsentPromptBehaviorAdmin with default (5) value
[OK] Set ConsentPromptBehaviorUser with default (3) value
[OK] Set EnableInstallerDetection with default (0) value
[OK] Set EnableSecureUIAPaths with default (1) value
[OK] Set EnableUIADesktopToggle with default (0) value
[OK] Set EnableVirtualization with default (1) value
[OK] Set FilterAdministratorToken with default (0) value
[OK] Set PromptOnSecureDesktop with default (1) value
[OK] Set ValidateAdminCodeSignatures with default (0) value

- Clear Restore Points -

~ [OK] RP named Scheduled Checkpoint created at 01/24/2025 01:21:53 deleted
~ [OK] RP named AdwCleaner_BeforeCleaning_24/01/2025_20:09:55 created at 01/25/2025 04:09:55 deleted
[OK] All system restore points have been successfully deleted

- Create Restore Point -

[OK] System Restore Point created

- Display System Restore Point -

~ RP named KpRm created at 01/25/2025 10:36:32

-- KPRM finished in 42.12s --
===============end===========
 
#27 ·
Excellent, Jerry!

Now you can go to have a good night's sleep!

When you wake up, take a look at my favorite "final speech":

Now that your computer is clean, here are some final tips about your computer's security from now on:

Some of the following are from Klein's (2005) article, So how did I get infected in the first place. Since then, the article has been reproduced or linked to in dozens of locations. As a result, many malware experts have continued updating it to include current operating systems and software program information. My source is Security Garden, and I marked for you the following:

1. Keep your Windows updated!
It is important always to keep current with the latest security fixes from Microsoft. This can patch many of the security holes through which attackers can infect your computer.

2. Update 3rd Party Software Programs
Third Party software programs have long been targets for malware creators. It has been stated that "Adobe's Reader and Flash and all versions of Java are together responsible for a total of 66 percent of the vulnerabilities in Windows systems exploited by malware." It's important to keep everything updated.

3. Update the browsers you use
Many malware infections install themselves by exploiting security holes in the Internet browser that you use. So... Keep them updated.

4. Be careful about what you download and what you open!
  • Many "freeware" programs come with an enormous amount of bundled spyware that will slow down your system, spawn pop-up advertisements, or just plain crash your browser or even Windows itself. Watch for pre-checked options such as toolbars that are not essential to the operation of the installed software.
  • Peer-to-peer (P2P) programs like Kazaa, BearShare, Imesh, Warez P2P, and others, allow the creation of a network enabling people to connect with other users and upload or download material in a fast, efficient manner. BUT even if the P2P software you are using is "clean", a large percentage of the files served on the P2P network are likely to be infected.
  • Cracked or pirated programs are not only illegal, but also can make your computer a malware target. Have this in mind.
  • Do not open any files without being certain of what they are!
5. Avoid questionable web sites!
Visit web sites that are trustworthy and reputable. Many disreputable sites will attempt to install malware on your system through "drive-by" exploits just by visiting the site in your browser. Lyrics sites, free software sites (especially ones that target young children), cracked software sites, and pornography sites are some of the worst offenders. Also, never give out personal information of any sort online or click "OK" to a pop-up unless it is signed by a reputable company and you know what it is.

6. Registry cleaners/driver boosters/system optimizers
I do not recommend registry cleaners, system optimizers, driver boosters and the like. It is your computer and certainly your choice. However, please consider that modifying registry keys incorrectly can cause Windows instability, or make Windows unbootable. With registry cleaner and system optimization software programs, the potential is ever present to cause more problems than they claim to fix. Do note, however, that Microsoft does not support the use of registry cleaners. See Microsoft support policy for the use of registry cleaning utilities.

7. PC means personal computer!
Don't give access to your computer to friends or family who appear to be clueless about what they are doing.

8. Back-up your work!
Make back-ups of your personal files frequently. You never know when you'll have to reformat and start from scratch. You can always reformat and reinstall programs, but you cannot replace your data if you haven't made backups.

9. Must-Have Software
An anti-virus and an anti-spyware program are a necessity for the security of your computer. Be sure that you keep them updated, and that real time protection is enabled. You now have the built-in Windows antivirus, Windows Defender. Together with Malwarebytes, if you run it occasionally, depending on how often you use your computer, it can keep you safe.

Happy safe computing.



I'm glad I was able to help you.