
Fake Windows Defender Notice [Solved]


  • This topic is locked

#1
redleader74

    Member

  • Member
  • 195 posts

So I recently started seeing a fake windows defender notice appear on my screen.  I didn't think to make a screen shot and it also isn't showing up consistently, but it looks something like this image (this is just a sample image I found online that looks similar to what I'm seeing).  What should be my first step towards fixing this?

 

Thanks!


  • 0



#2
DR M

    The Grecian Geek

  • Malware Removal
  • 4,113 posts

Hi, redleader74.
 
You forgot to attach the example image.
 
In order to check your computer for malware, please do the following:

Download Farbar Recovery Scan Tool and save it to your desktop. --> IMPORTANT

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your antivirus software detects the tool as malicious, it’s safe to allow FRST to run. It is a false-positive detection.

If English is not your primary language, right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe

  • Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.

(To attach the files, click on the More Reply Options at the bottom right of the reply area, and then choose Attach File)


  • 0

#3
redleader74

    Member

  • Topic Starter
  • Member
  • 195 posts

Ok thanks! I have attached the logs.

 

Attached Files


  • 0

#4
DR M

    The Grecian Geek

  • Malware Removal
  • 4,113 posts

Hi, redleader74.
 
I don't see signs of an infection in your logs. 
 
There are several pre-installed applications, however, including a program by HP called DisableMSDefender. This program is now hidden. With the fix below it will get visible so you can uninstall it. 
 
Question: There are signs of CyberLink installed, including PowerDVD14 and YouCam6, but I don't see any of them in your Installed Programs list. In case you are not aware about them, we can remove the remnants. 
 
For now:
 
1. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Start::
CreateRestorePoint:
CloseProcesses:
DisableMSDefender (HKLM-x32\...\{74FE39A0-FB76-47CD-84BA-91E2BBB17EF2}) (Version: 1.0.0 - Hewlett-Packard Company) Hidden
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

 

2. Uninstall programs

  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following programs on the list:
DisableMSDefender 
swMSM 
  • Select the above programs, one by one, and click Uninstall.
  • Restart the computer.

 

In your next reply please post:

  1. Your reply about Cyberlink
  2. The fixlog.txt
  3. If the uninstall process ran successfully
  4. Any info (screenshot maybe) about the Defender warning if it appears again

  • 0

#5
redleader74

    Member

  • Topic Starter
  • Member
  • 195 posts

Ok thanks, before I start your next steps, I do have one question.  Your first step includes

 

"Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere."

 

Is there a reason we need to copy the script but not paste it?  The reason I ask is because I am viewing/communicating on this forum on a different computer from the supposedly infected computer.  The reason for this is because I don't want to use any browser or log in to my geekstogo account on a computer that is potentially infected.  So, if copying the script has something to do with the subsequent steps, then I won't have any choice but to use the browser on the infected computer.  Please let me know. Thanks!


  • 0

#6
DR M

    The Grecian Geek

  • Malware Removal
  • 4,113 posts

Is there a reason we need to copy the script but not paste it?

 

Yes, we want the fix to proceed and that's how this can be done. Although we can transfer the fix from the healthy to the bad computer, your logs don't give me a reason to do so. You can use the computer we are testing instead of another computer.


  • 0

#7
redleader74

    Member

  • Topic Starter
  • Member
  • 195 posts

Ok thanks. Attached is the log. 

 

Also, to answer your questions:

 

  1. Your reply about Cyberlink:  I did a search for "Cyberlink" and attached a screen shot of what showed up.  So it looks like this is some kind of software for the camera.  I'm not sure.
  2. The fixlog.txt:  Attached
  3. If the uninstall process ran successfully:  Yes, when I search programs again I don't see "swMSM".
  4. Any info (screenshot maybe) about the Defender warning if it appears again:  No further appearances of this

I do notice that the computer runs very slow with regards to launching of software and booting up.  My guess is there is a ton of trash everywhere.  Is there a good software to check for junk files, junk apps/software, etc., that I can run to clean/speed things up?

Attached Thumbnails

  • screenshot.jpg

Attached Files


  • 0

#8
DR M

    The Grecian Geek

  • Malware Removal
  • 4,113 posts

Thank you.

 

Can you please make a new scan with FRST now, providing fresh logs? FRST and Addition. 


  • 0

#9
redleader74

    Member

  • Topic Starter
  • Member
  • 195 posts

Ok thanks, logs attached.

Attached Files


  • 0

#10
DR M

    The Grecian Geek

  • Malware Removal
  • 4,113 posts

Hi, redleader74.
 
I wonder if you can be online more regularly, so we can deal with your computer's issues effectively. I know that we are in different time zones, but I guess we could find a way to do that. It's 13:15 PM right now here, and the ideal time for me to be online is 17:00-23:00. Perhaps I (or you) want to ask just a simple question. Knowing that I'll see you again in more than 24 hours, makes my efforts to help you more complicated, as in the meantime the computer's status changes.
 
===============================
 
1. FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Start::
CreateRestorePoint:
CloseProcesses:
FirewallRules: [{4E57078B-D683-4BC2-AA2C-697A8F99E71F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe => No File
FirewallRules: [{41760F8E-DB41-4032-A03B-9480A0CBD96D}] => (Allow) c:\Program Files\CyberLink\PowerDirector12\PDR10.EXE => No File
FirewallRules: [{314DCD60-728B-4FC3-B88B-2EA6C69314A0}] => (Allow) C:\Users\eugeneandteresa\AppData\Local\Temp\7zS3B40\HP.EasyStart.exe => No File
HKU\S-1-5-21-3528544182-332038941-3401246441-1002\...\RunOnce: [Delete Cached Update Binary] => C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Users\eugeneandteresa\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" (No File)
HKU\S-1-5-21-3528544182-332038941-3401246441-1002\...\RunOnce: [Delete Cached Standalone Update Binary] => C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Users\eugeneandteresa\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" (No File)
Task: {BD0052F8-EFE4-4BFF-A43E-0774DA23B862} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {6DE8C96B-426C-4575-9718-A63E94E890DE} - System32\Tasks\Avast SecureLine => C:\Program Files\AVAST Software\SecureLine\SecureLine.exe /nogui (No File)
Task: {DF7BB16F-6D1D-408E-8896-2A426BE8C967} - System32\Tasks\WpsNotifyTask_eugeneandteresa => C:\Program Files (x86)\Kingsoft\WPS Office\9.1.0.5113\wtoolex\wpsnotify.exe -from=task (No File)
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
CMD: reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{74FE39A0-FB76-47CD-84BA-91E2BBB17EF2}
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: SFC /scannow
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

  • 0
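The fixlists in posts #4 and #10 are built from FRST log entries that share a few recurring shapes: a firewall rule, scheduled task, RunOnce value or browser extension that still points at a file marked "No File" or "[not found]", an installed-program entry marked "Hidden" (which is why DisableMSDefender did not show in appwiz.cpl), and lines FRST itself tags with "<==== ATTENTION". The following triage helper is an added example written for this thread; it is not part of FRST or anything posted by the helper. It parses such lines and reports which ones are dangling, hidden or flagged, so a reader can see at a glance which entries a fixlist is likely to target. The sample input is constructed: most lines are copied from the fixlists above, and the final Mozilla Firefox program line (with its version number) is made up to show a healthy entry that is not flagged.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape FRST prints its entries. All but the last line
# are copied from the fixlists quoted in this thread; the Mozilla Firefox program
# line (and its version number) is invented to show an entry that should NOT be flagged.
SAMPLE_LOG = r"""
FirewallRules: [{4E57078B-D683-4BC2-AA2C-697A8F99E71F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe => No File
Task: {6DE8C96B-426C-4575-9718-A63E94E890DE} - System32\Tasks\Avast SecureLine => C:\Program Files\AVAST Software\SecureLine\SecureLine.exe /nogui (No File)
Task: {BD0052F8-EFE4-4BFF-A43E-0774DA23B862} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
HKU\S-1-5-21-3528544182-332038941-3401246441-1002\...\RunOnce: [Delete Cached Update Binary] => C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Users\eugeneandteresa\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" (No File)
DisableMSDefender (HKLM-x32\...\{74FE39A0-FB76-47CD-84BA-91E2BBB17EF2}) (Version: 1.0.0 - Hewlett-Packard Company) Hidden
Mozilla Firefox (HKLM\...\Mozilla Firefox) (Version: 99.0 - Mozilla)
"""

# Markers FRST uses for an entry whose target no longer exists on disk.
DANGLING_MARKERS = ("No File", "[not found]")
ATTENTION_MARKER = "<==== ATTENTION"

# Prefix like "FirewallRules: ", "Task: ", "Edge Extension: ".
KIND_PREFIX = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s")
# Registry autorun line, e.g. "HKU\S-1-5-...\...\RunOnce: [...]".
REGISTRY_LINE = re.compile(r"^HK(?:LM|U|CU)\\")
# Installed-program line, e.g. "Name (HKLM-x32\...\{GUID}) (Version: ...)".
PROGRAM_LINE = re.compile(r"\(HK(?:LM|U|CU)(?:-x32)?\\\.\.\.\\")


@dataclass
class Finding:
    kind: str        # FirewallRules, Task, Edge Extension, Registry, Program, Other
    line: str        # the original log line
    dangling: bool   # points at a file that no longer exists
    hidden: bool     # program entry marked Hidden (absent from appwiz.cpl)
    attention: bool  # FRST tagged the line with <==== ATTENTION


def detect_kind(line: str) -> str:
    """Classify one FRST line by the shape of its prefix."""
    m = KIND_PREFIX.match(line)
    if m:
        return m.group(1)
    if REGISTRY_LINE.match(line):
        return "Registry"
    if PROGRAM_LINE.search(line):
        return "Program"
    return "Other"


def classify_line(line: str):
    """Return a Finding for a non-empty line, or None for a blank one."""
    line = line.rstrip()
    if not line:
        return None
    kind = detect_kind(line)
    return Finding(
        kind=kind,
        line=line,
        dangling=any(marker in line for marker in DANGLING_MARKERS),
        hidden=(kind == "Program" and line.endswith(" Hidden")),
        attention=ATTENTION_MARKER in line,
    )


def triage(text: str):
    """Parse a block of FRST lines into Findings, skipping blank lines."""
    findings = [classify_line(l) for l in text.splitlines()]
    return [f for f in findings if f is not None]


def summarize(findings):
    """Count dangling entries per kind; kinds with none are omitted."""
    counts = {}
    for f in findings:
        if f.dangling:
            counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flags = [n for n in ("dangling", "hidden", "attention") if getattr(f, n)]
        print(f"{f.kind:<14} {','.join(flags) or '-':<18} {f.line[:70]}")
    print("dangling per kind:", summarize(triage(SAMPLE_LOG)))
```

A dangling entry is not by itself evidence of malware; most are leftovers from uninstalled software, which is consistent with the helper's reading of the logs in this thread. The useful signal is the Hidden program entry and any line FRST marks with ATTENTION, which is where a reviewer should look first.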



#11
redleader74

    Member

  • Topic Starter
  • Member
  • 195 posts

Ok thanks, I will try to respond a little sooner.  Here is the log.

Attached Files


  • 0

#12
DR M

    The Grecian Geek

  • Malware Removal
  • 4,113 posts

Hi. 
 
No system corruptions. The Not found indication in the fixlog is because you ran the fixlist twice. 
 
Still no luck with the DisableMSDefender program. Although it is possibly related with pre-installed software, please do the following:

Upload your SOFTWARE hive.

  • Navigate to C:\FRST\Hives and locate the SOFTWARE file. Copy this file to your Desktop.
  • Right-click on this file on your Desktop and select Send To > Compressed (zipped) folder. This will create a file named SOFTWARE.ZIP on your desktop.
  • If the file is too large to attach here, upload it to www.wetransfer.com and post the link in your next reply.


  • 0

#13
redleader74

    Member

  • Topic Starter
  • Member
  • 195 posts

Hi, thanks.  Yes, the file @ 18MB is too big to attach.  Here is the link to the zip: 

 

https://we.tl/t-JJMdDawiS1


  • 0

#14
DR M

    The Grecian Geek

  • Malware Removal
  • 4,113 posts

Thank you! I'll be back to you tomorrow! 


  • 0

#15
DR M

    The Grecian Geek

  • Malware Removal
  • 4,113 posts

Hi.
 
1. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Start::
CreateRestorePoint:
CloseProcesses:
DisableMSDefender (HKLM\...\{74FE39A0-FB76-47CD-84BA-91E2BBB17EF2}) (Version: 1.0.0 - Hewlett-Packard Company) Hidden
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

 

2. Uninstall DisableMSDefender

  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following program on the list:
DisableMSDefender 
  • Select the above program and click Uninstall.
  • Restart the computer.

 

In your next reply please post:

  1. The fixlog.txt
  2. If you successfully uninstalled the program

  • 0
