Hi,
I think that proxy setting was my free VPN (Psiphon).
1)
Fix result of Farbar Recovery Scan Tool (x64) Version: 19.04.2024 01
Ran by jama2 (03-05-2024 15:10:41) Run:3
Running from C:\Users\jama2\Desktop
Loaded Profiles: jama2
Boot Mode: Normal
==============================================
fixlist content:
*****************
Start::
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-1026589745-2252998717-1832492364-1001\...\Run: [Surfshark] => C:\Program Files (x86)\Surfshark\Surfshark.exe (No File)
S2 WirelessBackupService; C:\Program Files (x86)\Wondershare\Dr.Fone Data Recovery\Addins\Recovery\WirelessBackupService.exe [X]
S3 2442D4E7; C:\Windows\system32\drivers\2442D4E7.sys [255928 2024-04-30] (Malwarebytes Corporation -> Malwarebytes)
2024-05-02 20:33 - 2024-05-02 20:33 - 000001226 _____ C:\Users\jama2\Downloads\Malwarebytes Scan Report 2024-05-02 203208.txt
2024-05-02 12:28 - 2024-05-02 12:28 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\65256111.sys
2024-05-01 20:54 - 2024-05-01 20:54 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\3514826A.sys
2024-05-01 17:17 - 2024-05-01 17:17 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\1F226483.sys
2024-05-01 16:02 - 2024-05-01 16:02 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\2513B41E.sys
2024-04-30 23:17 - 2024-04-30 23:17 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\717662E5.sys
2024-04-30 23:12 - 2024-04-30 23:12 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\62634545.sys
2024-04-30 22:25 - 2024-04-30 22:25 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\761701B4.sys
2024-04-30 19:11 - 2024-04-30 19:11 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\3264512A.sys
2024-04-30 14:07 - 2024-04-30 14:07 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\7342815D.sys
2024-04-30 13:42 - 2024-04-30 13:42 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\38314686.sys
2024-04-30 11:10 - 2024-04-30 11:10 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\6231B3BA.sys
2024-04-30 00:02 - 2024-04-30 00:02 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\2442D4E7.sys
2024-04-29 23:00 - 2024-04-29 23:00 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\13637557.sys
2024-04-29 22:40 - 2024-04-29 22:40 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\116484D8.sys
2024-04-29 22:27 - 2024-04-29 22:27 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\2456612F.sys
2024-04-29 22:26 - 2024-05-02 12:36 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2024-04-29 22:25 - 2024-04-29 22:26 - 014178840 _____ (Malwarebytes Corp.) C:\Users\jama2\Downloads\mbar-1.10.3.1001.exe
2024-04-29 22:20 - 2024-05-02 20:37 - 000000000 ____D C:\ProgramData\Malwarebytes
2024-04-29 22:20 - 2024-04-29 22:20 - 002589624 _____ (Malwarebytes) C:\Users\jama2\Desktop\MBSetup.exe
2024-05-01 16:02 - 2024-05-02 12:36 - 000000000 ____D C:\Users\jama2\Desktop\mbar
2024-04-30 22:16 - 2024-05-02 20:40 - 000000000 ____D C:\ProgramData\HitmanPro.Alert
2024-04-30 22:16 - 2024-05-01 18:51 - 000000000 ____D C:\Program Files (x86)\HitmanPro.Alert
AlternateDataStreams: C:\Users\jama2\Downloads\AdwCleaner.exe:MBAM.Zone.Identifier [229]
AlternateDataStreams: C:\Users\jama2\Downloads\HitmanPro_x64.exe:MBAM.Zone.Identifier [138]
AlternateDataStreams: C:\Users\jama2\Downloads\mbar-1.10.3.1001.exe:MBAM.Zone.Identifier [244]
AlternateDataStreams: C:\Users\jama2\Downloads\tdsskiller.exe:MBAM.Zone.Identifier [212]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\13464238.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\30725930.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\49333647.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\54173153.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\13464238.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\30725930.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\49333647.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\54173153.sys => ""="Driver"
C:\Windows\system32\drivers\2442D4E7.sys
RemoveProxy:
Powershell: wevtutil el | Foreach-Object {wevtutil cl "$_"}
EmptyTemp:
End::
*****************
Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-1026589745-2252998717-1832492364-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Surfshark" => removed successfully
HKLM\System\CurrentControlSet\Services\WirelessBackupService => removed successfully
WirelessBackupService => service removed successfully
HKLM\System\CurrentControlSet\Services\2442D4E7 => removed successfully
2442D4E7 => service removed successfully
C:\Users\jama2\Downloads\Malwarebytes Scan Report 2024-05-02 203208.txt => moved successfully
C:\Windows\system32\Drivers\65256111.sys => moved successfully
C:\Windows\system32\Drivers\3514826A.sys => moved successfully
C:\Windows\system32\Drivers\1F226483.sys => moved successfully
C:\Windows\system32\Drivers\2513B41E.sys => moved successfully
C:\Windows\system32\Drivers\717662E5.sys => moved successfully
C:\Windows\system32\Drivers\62634545.sys => moved successfully
C:\Windows\system32\Drivers\761701B4.sys => moved successfully
C:\Windows\system32\Drivers\3264512A.sys => moved successfully
C:\Windows\system32\Drivers\7342815D.sys => moved successfully
C:\Windows\system32\Drivers\38314686.sys => moved successfully
C:\Windows\system32\Drivers\6231B3BA.sys => moved successfully
C:\Windows\system32\Drivers\2442D4E7.sys => moved successfully
C:\Windows\system32\Drivers\13637557.sys => moved successfully
C:\Windows\system32\Drivers\116484D8.sys => moved successfully
C:\Windows\system32\Drivers\2456612F.sys => moved successfully
"C:\ProgramData\Malwarebytes' Anti-Malware (portable)" Folder move:
C:\ProgramData\Malwarebytes' Anti-Malware (portable) => moved successfully
C:\Users\jama2\Downloads\mbar-1.10.3.1001.exe => moved successfully
"C:\ProgramData\Malwarebytes" Folder move:
C:\ProgramData\Malwarebytes => moved successfully
C:\Users\jama2\Desktop\MBSetup.exe => moved successfully
"C:\Users\jama2\Desktop\mbar" Folder move:
C:\Users\jama2\Desktop\mbar => moved successfully
"C:\ProgramData\HitmanPro.Alert" Folder move:
Could not move "C:\ProgramData\HitmanPro.Alert" => Scheduled to move on reboot.
"C:\Program Files (x86)\HitmanPro.Alert" Folder move:
Could not move "C:\Program Files (x86)\HitmanPro.Alert" => Scheduled to move on reboot.
C:\Users\jama2\Downloads\AdwCleaner.exe => ":MBAM.Zone.Identifier" ADS removed successfully
C:\Users\jama2\Downloads\HitmanPro_x64.exe => ":MBAM.Zone.Identifier" ADS removed successfully
"C:\Users\jama2\Downloads\mbar-1.10.3.1001.exe" => ":MBAM.Zone.Identifier" ADS not found.
C:\Users\jama2\Downloads\tdsskiller.exe => ":MBAM.Zone.Identifier" ADS removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\13464238.sys => removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\30725930.sys => removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\49333647.sys => removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\54173153.sys => removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\13464238.sys => removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\30725930.sys => removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\49333647.sys => removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\54173153.sys => removed successfully
"C:\Windows\system32\drivers\2442D4E7.sys" => not found
========= RemoveProxy: =========
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
"HKU\S-1-5-21-1026589745-2252998717-1832492364-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer" => removed successfully
"HKU\S-1-5-21-1026589745-2252998717-1832492364-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\S-1-5-21-1026589745-2252998717-1832492364-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
========= End of RemoveProxy: =========
========= wevtutil el | Foreach-Object {wevtutil cl "$_"} =========
wevtutil : Failed to clear log Microsoft-Windows-LiveId/Analytic.
At C:\FRST\tmp.ps1:1 char:31
+ wevtutil el | Foreach-Object {wevtutil cl "$_"}
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Failed to clear...iveId/Analytic.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Access is denied.
wevtutil : Failed to clear log Microsoft-Windows-LiveId/Operational.
At C:\FRST\tmp.ps1:1 char:31
+ wevtutil el | Foreach-Object {wevtutil cl "$_"}
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Failed to clear...Id/Operational.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Access is denied.
========= End of Powershell: =========
=========== EmptyTemp: ==========
FlushDNS => completed
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 8559870 B
Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 35193585 B
Windows/system/drivers => 2072343 B
Edge => 0 B
Chrome => 315583821 B
Firefox => 0 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 27698 B
NetworkService => 27698 B
jama2 => 166328274 B
RecycleBin => 0 B
EmptyTemp: => 503.3 MB temporary data Removed.
================================
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 03-05-2024 15:13:03)
C:\ProgramData\HitmanPro.Alert => Could not move
C:\Program Files (x86)\HitmanPro.Alert => Could not move
==== End of Fixlog 15:13:03 ====
2)
Malwarebytes with the requested settings found no detections (this time with the rootkit scan enabled); below is the report:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 5/3/2024
Scan Time: 3:19 PM
Log File: 289cb24a-0958-11ef-9fef-2cf05d714632.json
-Software Information-
Version: 5.1.3.110
Components Version: 1.0.1219
Update Package Version: 1.0.84203
License: Trial
-System Information-
OS: Windows 11 (Build 22000.2538)
CPU: x64
File System: NTFS
User: Mohamed\jama2
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 219563
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 1 min, 48 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
File system: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 0
(No malicious items detected)
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
But I must say, something interesting happened when I tried to open my fixlog.txt in my Documents folder. A message popped up saying something along the lines of `Unable to open as user does not have required authorization`. But it opened without any message on the second attempt.
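The fixlog above targets three kinds of residue: the 8-hex-digit `.sys` files and matching service keys left behind by the Malwarebytes Anti-Rootkit runs, the SafeBoot entries of the same form, and the per-user proxy values that RemoveProxy: cleared. The script below is an added, read-only verification pass that re-checks all three after the reboot; it is not part of the original post and not an FRST or Malwarebytes tool. It assumes an elevated PowerShell prompt on the same machine, and the name pattern `^[0-9A-F]{8}` is an assumption taken from the driver and service names visible in the fixlog. It deliberately does not clear event logs; the two `Access is denied` errors in the fixlog come from the Microsoft-Windows-LiveId channels, which commonly refuse to be cleared even from an elevated session, and are not a sign that the rest of the fix failed.

```powershell
# Post-fix verification (added example; not from the original post, FRST, or Malwarebytes).
# Run elevated. Reports only; nothing is deleted or modified.

# Assumption: leftover Malwarebytes rootkit-scanner drivers/services are named with
# eight hex digits, as every such item in the fixlog was (e.g. 2442D4E7.sys).
$hexFile = '^[0-9A-F]{8}\.sys$'
$hexKey  = '^[0-9A-F]{8}$'

# 1. Driver files still present in System32\drivers
$leftoverDrivers = Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter *.sys -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $hexFile }

# 2. SafeBoot\Minimal and SafeBoot\Network entries of the same form
$safeBootKeys = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
                'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
$leftoverSafeBoot = foreach ($key in $safeBootKeys) {
    Get-ChildItem $key -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $hexFile }
}

# 3. Service keys (the fixlog removed HKLM\...\Services\2442D4E7) of the same form
$leftoverServices = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match $hexKey }

# 4. Per-user proxy configuration that RemoveProxy: acted on.
#    After the fix ProxyServer should be absent and ProxyEnable 0 (or absent);
#    a VPN client such as Psiphon may legitimately re-create these when it runs.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Summary first, then details for anything that is still present.
[pscustomobject]@{
    LeftoverDriverFiles  = @($leftoverDrivers).Count
    LeftoverSafeBootKeys = @($leftoverSafeBoot).Count
    LeftoverServiceKeys  = @($leftoverServices).Count
    ProxyEnable          = $inet.ProxyEnable
    ProxyServer          = $inet.ProxyServer
    AutoConfigURL        = $inet.AutoConfigURL
} | Format-List

if ($leftoverDrivers)  { $leftoverDrivers  | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize }
if ($leftoverSafeBoot) { $leftoverSafeBoot | Select-Object PSChildName, PSParentPath  | Format-Table -AutoSize }
if ($leftoverServices) { $leftoverServices | Select-Object PSChildName, PSPath        | Format-Table -AutoSize }
```

A clean result is all three counts at 0 and no `ProxyServer` value; if a driver file reappears with a fresh timestamp after another Malwarebytes scan, that is the scanner loading its rootkit driver again rather than a sign of reinfection, and the file should be matched against the `(Malwarebytes)` signer shown in the FRST listing before anything is removed.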