Posted December 27, 2017
FPCH Staff

There are many HKLM Group Policy restriction ATTENTION lines in the FRST report. Maybe they're there due to CryptoPrevent. Here's an example. The full logs are attached.

HKLM Group Policy restriction on software: *.mp3.msh*
HKLM Group Policy restriction on software: *.png.hta
HKLM Group Policy restriction on software: *.7z.jse
HKLM Group Policy restriction on software: %userprofile%\AppData\*.isp

I also note that MBAM starts with Windows. I have it set to NOT start with Windows. I'll have to play around with that.

Anything else to be concerned about in these logs? ESET said it was clean. I ran MBAM afterwards and it found PUPs. Kaspersky scan is clean.

Thanks much for looking.

Attachments: Addition.txt, FRST.txt, MBAM report.txt
December 27, 2017

Hi Tony,

I was meant to be away for a few days, but woke up this morning and we're snowed in lol. Might try and get away tomorrow if the roads have cleared a bit.

Quote: "There are many HKLM Group Policy restriction ATTENTION lines in the FRST report. Maybe they're there due to CryptoPrevent."

Yes, those group policies are set by CryptoPrevent. That's how it works.

Quote: "I also note that MBAM starts with Windows. I have it set to NOT start with Windows. I'll have to play around with that."

Right click on the MB taskbar icon and then untick Start with Windows.

Quote: "Anything else to be concerned about in these logs?"

Not really. There's only one line to remove... but we may as well do that.

Copy the script within the quote box below (make sure that you include Start:: and End::, as these are the clipboard notifiers):

Start::
CloseProcesses:
Task: {8EE22972-67D0-4F38-A658-B5609DD4CA91} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:
End::

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Re-run FRST/FRST64 (whichever is installed) and press the Fix button just once and wait.
http://i.imgur.com/AZfCBHb.png

The tool will make a log in the same directory that FRST is run from (Fixlog.txt). Please post this in your next reply.
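The "HKLM Group Policy restriction on software" lines that FRST reports are Software Restriction Policy (SRP) path rules, which CryptoPrevent writes under the machine hive. The script below is an added example (not from this thread, not FRST's own code and not CryptoPrevent's) that enumerates those rules directly from the registry so you can check for yourself that every rule looks like a CryptoPrevent double-extension or AppData pattern, and pick out any that do not. It assumes the standard SRP layout HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\<GUID> with an ItemData value holding the path; the CryptoPrevent-style patterns it matches are inferred from the examples Tony posted and are an assumption, not a published rule list.

```powershell
# Added example: list SRP path rules in HKLM and flag the ones that do not look like
# CryptoPrevent's double-extension (*.mp3.msh*) or %userprofile%\AppData patterns.
# Registry layout assumed: ...\Safer\CodeIdentifiers\<level>\Paths\<GUID>, value ItemData.
$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels as stored in the decimal subkey name under CodeIdentifiers.
$levelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Basic User'
    131072 = 'Normal User'
    262144 = 'Unrestricted'
}

# Heuristics (assumption, derived from the patterns quoted in the thread):
#   - a wildcard double-extension rule such as *.png.hta or *.mp3.msh*
#   - anything rooted in the user's AppData tree
$cryptoPreventPatterns = @(
    '^\*\.[A-Za-z0-9]+\.[A-Za-z0-9]+\*?$',
    '^%userprofile%\\AppData\\',
    '^%appdata%\\',
    '^%localappdata%\\'
)

function Get-SrpPathRule {
    # Emits one object per path rule, with the level it enforces and the raw ItemData path.
    foreach ($levelKey in Get-ChildItem -Path $saferRoot -ErrorAction SilentlyContinue) {
        $level = $levelKey.PSChildName -as [int]
        if ($null -eq $level) { continue }          # skip non-level subkeys, if any
        $pathsKey = Join-Path -Path $levelKey.PSPath -ChildPath 'Paths'
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $rule.PSPath
            $levelName = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { "$level" }
            [pscustomobject]@{
                Level       = $levelName
                Path        = [string]$props.ItemData
                Description = [string]$props.Description
                RuleId      = $rule.PSChildName
            }
        }
    }
}

function Test-CryptoPreventStyle {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($pattern in $cryptoPreventPatterns) {
        if ($Path -imatch $pattern) { return $true }
    }
    return $false
}

$rules = @(Get-SrpPathRule)
$unexpected = @($rules | Where-Object { $_.Level -eq 'Disallowed' -and -not (Test-CryptoPreventStyle -Path $_.Path) })

"{0} SRP path rules found; {1} Disallowed rules do not match the CryptoPrevent patterns." -f $rules.Count, $unexpected.Count
$rules | Sort-Object Level, Path | Format-Table Level, Path, Description -AutoSize
if ($unexpected.Count -gt 0) {
    'Disallowed rules worth a closer look (not CryptoPrevent-shaped):'
    $unexpected | Format-Table Level, Path, RuleId -AutoSize
}
```

Run it in an elevated PowerShell prompt on the machine that produced the FRST report. A large block of Disallowed double-extension rules is exactly what CryptoPrevent leaves behind and is expected; a Disallowed (or, more importantly, Unrestricted) rule pointing at an arbitrary folder that nobody set up is the kind of entry that deserves a follow-up question in a thread like this one.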
December 27, 2017
Author
FPCH Staff

Looking good. Don't shovel too much!

Fix result of Farbar Recovery Scan Tool (x64) Version: 26-12-2017
Ran by Hinkle (27-12-2017 17:38:20) Run:3
Running from C:\Users\Hinkle\Desktop
Loaded Profiles: Hinkle (Available Profiles: Hinkle)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
Task: {8EE22972-67D0-4F38-A658-B5609DD4CA91} - \Microsoft\Windows\UNP\RunCampaignManager -> No File
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:
*****************

Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8EE22972-67D0-4F38-A658-B5609DD4CA91} => could not remove key. ErrorCode1: 0x00000002
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8EE22972-67D0-4F38-A658-B5609DD4CA91}" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => key not found

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 6053888 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 7009330 B
Java, Flash, Steam htmlcache => 1066 B
Windows/system/drivers => 31588509 B
Edge => 2870908 B
Chrome => 724205681 B
Firefox => 98270846 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 6656 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 14870 B
NetworkService => 0 B
Hinkle => 321482391 B

RecycleBin => 1052526 B
EmptyTemp: => 1.1 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 17:40:23 ====
December 28, 2017

Quote: "1.1 GB temporary data Removed"

The fix was worth running, just to clear this out.