
Registered
Joined
28 Posts
Discussion Starter #1 (Edited)
Hi everyone, I did a vulnerability scan using Kaspersky antivirus software and something was flagged out. The details are as follows:

KLA11240
Critical vulnerability in 7-Zip

C:\Program Files (x86)\Wondershare\Wondershare dr.fone\Addins\Recovery\extractor\7z.exe


I tried to delete this Wondershare from the program files but it says the following: The action can't be completed because the folder or a file in it is open in another program. I then tried to delete them under the task manager, managed to do so. Unfortunately, when I tried to remove the files from program files, I can't seem to delete them, it says the same thing.

In addition, a couple of months ago, Kaspersky also flagged out some suspicious files in the system.

I have attached the log files, please kindly advise whether my laptop is infected?

Thank you very much for the kind assistance, much appreciated!! 🙏
 

Attachments

Moderator , Security Team
Joined
991 Posts
The FRST.txt log you posted is incomplete, please run the scan again and attach the new FRST.txt created.
 

Registered
Joined
28 Posts
Discussion Starter #3
Hi Gary, thank you for the reply. I ran the scan again, please let me know whether the text file is alright.
 

Attachments

Moderator , Security Team
Joined
991 Posts
Latest FRST log is complete, looking over it now. Could take some time, dependent on how many entries I need to research.

Back as soon as I've finished.
 

Moderator , Security Team
Joined
991 Posts
No obvious signs of an active infection in your logs, however there are a few things that need further investigation, and some orphans that need removing.

So, let's tend to things and see where that gets us.

Question ... are the entries below for sites that you have authorised to notify you, all known to you?

CHR Notifications: Default -> hxxps://ezbuy.sg; hxxps://myjobstreet.jobstreet.com.sg; hxxps://shopbacksg.api.sociaplus.com; hxxps://shopbacksg.api.useinsider.com; hxxps://singaporeairlines.api.sociaplus.com; hxxps://singaporeairlines.api.useinsider.com; hxxps://www.facebook.com; hxxps://www.hipvan.com; hxxps://www.jobstreet.com.sg; hxxps://www.renotalk.com; hxxps://www.sephora.sg
It is not generally a good idea to allow sites to notify you, as this facility can be misused as an attack vector to make modifications to your browser.

Next question ....

Did you install Team Viewer?

Next ....

Please uninstall the following Chrome Extensions. I can find no definitive information that they are legitimate, so IMO they are a security risk to your machine.

CHR Extension: (Shopback Button - Cashback & Coupons) - C:\Users\Huey Min\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjngckebbndpdeeakdgohmcdnecidcjk [2020-08-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Huey Min\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2019-10-06]
CHR Extension: (Chrome Media Router) - C:\Users\Huey Min\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2020-12-17]
See ... How to Remove Chrome Extensions (Fully) - Productivity Portfolio

Next ....

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank randomly named .txt Notepad file will open.
  • Copy and paste the following into it (don't include Code: ) ....
Code:
VirusTotal: C:\Program Files (x86)\Wondershare\Wondershare dr.fone\Library\DriverInstaller\DriverInstall.exe;C:\Program Files (x86)\Wondershare\WAF\2.4.3.236\WsAppService.exe;C:\Program Files (x86)\Sonos\SonosLibraryService.exe
EmptyTemp:
Hosts:
cmd:ipconfig /flushdns
HKU\S-1-5-21-3341730244-1619866131-124171938-1001\...\MountPoints2: {1b55422e-612d-11e9-94bf-0028f8e13dc6} - "F:\HiSuiteDownLoader.exe"
HKU\S-1-5-21-3341730244-1619866131-124171938-1001\...\MountPoints2: {814ea01e-7ec8-11e8-948b-0028f8e13dc6} - "E:\InstallNavi.exe"
HKU\S-1-5-21-3341730244-1619866131-124171938-1001\...\MountPoints2: {968226f5-6d17-11ea-94f5-0028f8e13dc6} - "E:\HiSuiteDownLoader.exe"
Task: {FF92BFE4-5299-4533-9004-CCE5016DFD81} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
FF Plugin HKU\S-1-5-21-3341730244-1619866131-124171938-1001: @alibaba.com/npAliSSOLogin;version=1.0 -> C:\Program Files (x86)\AliWangWang\9.12.05C\npAliSSOLogin.dll [No File]
FF Plugin HKU\S-1-5-21-3341730244-1619866131-124171938-1001: @alibaba.com/npwangwang;version=1.0 -> C:\Program Files (x86)\AliWangWang\9.12.05C\npwangwang.dll [No File]
S2 wwbizsrv; "C:\Program Files (x86)\Alibaba\wwbizsrv\wwbizsrv.exe" [X]
BHO: Trend Micro IE Protection -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> No File
BHO-x32: Trend Micro IE Protection -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> No File
Toolbar: HKU\S-1-5-21-3341730244-1619866131-124171938-1001 -> No Name - {EF293C5A-9F37-49FD-91C4-2B867063FC54} -  No File
DPF: HKLM-x32 {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} hxxps://mybank.icbc.com.cn/icbc/newperbank/AxSafeControls.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll No File
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\9.2.1026\9.2.1026\TmBpIe32.dll No File
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll No File
IE trusted site: HKU\S-1-5-21-3341730244-1619866131-124171938-1001\...\icbc.com.cn -> hxxps://icbc.com.cn
IE trusted site: HKU\S-1-5-21-3341730244-1619866131-124171938-1001\...\trendmicro.com -> hxxps://pwm.trendmicro.com
FirewallRules: [{FDC73FF8-F3E5-4E90-A244-A343951F43DA}] => (Allow) C:\Program Files (x86)\AlibabaProtect\1.0.23.863\AlibabaProtect.exe => No File
FirewallRules: [{BDB8AD6F-78DB-40DA-BB62-AB690801A5BA}] => (Allow) C:\Program Files (x86)\AlibabaProtect\1.0.23.863\AlibabaProtect.exe => No File
FirewallRules: [{AF274AC0-8039-49E9-BA17-24B5FB155F76}] => (Allow) C:\Program Files (x86)\AlibabaProtect\1.0.23.863\AlibabaProtect.exe => No File
FirewallRules: [{F3B19DFC-561E-47EB-8468-8E397192BD5D}] => (Allow) C:\Program Files (x86)\AlibabaProtect\1.0.23.863\AlibabaProtect.exe => No File
FirewallRules: [{2B8C6D05-B763-49A1-94F6-33185AA18060}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe => No File
FirewallRules: [{E700EB1B-1BA0-45CD-B5F5-8FC1CF3A63BB}] => (Allow) C:\Program Files (x86)\AlibabaProtect\1.0.20.829\AlibabaProtect.exe => No File
FirewallRules: [{2EF588DD-C8FF-46DB-9090-180DF70CAB91}] => (Allow) C:\Program Files (x86)\AlibabaProtect\1.0.20.829\AlibabaProtect.exe => No File
FirewallRules: [{B8A44F58-B5F7-4DF3-9142-65548CD54962}] => (Allow) C:\Program Files\CyberLink\PowerDirector12\PDR10.EXE => No File
FirewallRules: [{7D4FCAB6-ECC1-476A-92B4-09CC96AE363D}] => (Allow) C:\Program Files (x86)\Common Files\Mcafee\MMSSHost\MMSSHost.exe => No File
FirewallRules: [{0A64E3A7-BECD-4250-A66F-301DB2D55B16}] => (Allow) C:\Program Files (x86)\AliWangWang\AliIM.exe => No File
FirewallRules: [{F6A40D9D-7645-4A06-A5F0-15E255217112}] => (Allow) C:\Program Files (x86)\AliWangWang\AliIM.exe => No File
FirewallRules: [{D3815316-6F84-4CCD-9BF6-0DCF42B87D2A}] => (Allow) C:\Program Files (x86)\AlibabaProtect\1.0.11.753\AlibabaProtect.exe => No File
FirewallRules: [{22872875-850C-46B2-9453-908F9D0A3A2D}] => (Allow) C:\Program Files (x86)\AlibabaProtect\1.0.11.753\AlibabaProtect.exe => No File
FirewallRules: [{396392E3-2192-44A4-9722-B86824A01AD8}] => (Allow) C:\Program Files (x86)\AlibabaProtect\1.0.11.753\AlibabaProtect.exe => No File
FirewallRules: [{E0209C51-6AF9-459F-A01A-30496CB34DFE}] => (Allow) C:\Program Files (x86)\AlibabaProtect\1.0.11.753\AlibabaProtect.exe => No File
FirewallRules: [{FAA4D4AE-603C-49B9-A843-1792159D7784}] => (Allow) C:\Program Files (x86)\AlibabaProtect\1.0.20.829\AlibabaProtect.exe => No File
FirewallRules: [{BDB6D2BB-06E0-4AF7-8FEF-4CF9FE1CAAB3}] => (Allow) C:\Program Files (x86)\AlibabaProtect\1.0.20.829\AlibabaProtect.exe => No File
  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log
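
An added example, not part of the original post and not FRST's own code: Chrome keeps per-site notification permissions in the profile's `Preferences` file (under `...\Google\Chrome\User Data\Default\`), so the "are these all known to you?" check above can be repeated at any time. The script lists origins set to allow that are not on a list you recognise; the sample data, the function names and the `known_origins` set are constructed for illustration, and the JSON layout is assumed to match current Chrome builds.

```python
import json
import sys
from urllib.parse import urlsplit

SETTING_NAMES = {1: "allow", 2: "block"}  # Chrome ContentSetting values

# Constructed sample of a profile's Preferences file; not data from this thread.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://news.example:443,*": {"setting": 1},
        "https://push.ads.example:443,*": {"setting": 1},
        "https://forum.example:443,*": {"setting": 2},
    }}}}
})


def origin_of(pattern):
    """Reduce 'https://host:443,*' to 'https://host'; keep unusual patterns as-is."""
    primary = pattern.split(",", 1)[0]
    try:
        parts = urlsplit(primary)
        host, port = parts.hostname, parts.port
    except ValueError:
        return primary
    if not parts.scheme or not host:
        return primary
    default = {"https": 443, "http": 80}.get(parts.scheme)
    return f"{parts.scheme}://{host}" + ("" if port in (None, default) else f":{port}")


def notification_grants(preferences_text):
    """Map each origin with a stored notification decision to allow/block/other."""
    node = json.loads(preferences_text)
    for key in ("profile", "content_settings", "exceptions", "notifications"):
        node = node.get(key) if isinstance(node, dict) else None
    node = node if isinstance(node, dict) else {}
    grants = {}
    for pattern, entry in node.items():
        setting = entry.get("setting") if isinstance(entry, dict) else None
        grants[origin_of(pattern)] = SETTING_NAMES.get(setting, "other")
    return grants


def unreviewed_allows(preferences_text, known_origins):
    """Origins allowed to send notifications that the user has not vouched for."""
    grants = notification_grants(preferences_text)
    return sorted(o for o, s in grants.items() if s == "allow" and o not in known_origins)


if __name__ == "__main__":
    # Pass the path to a real Preferences file, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_PREFERENCES
    for origin in unreviewed_allows(text, known_origins={"https://news.example"}):
        print("review:", origin)
```

Close Chrome before reading the live file so the copy on disk is current.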
 

Registered
Joined
28 Posts
Discussion Starter #7
Hi Gary, thank you so much for your time and explanation, really appreciate your help!

As per your instructions, I have disabled Chrome notifications.

I have also removed the Chrome extensions that I do not frequently use, with the exception of Shopback, as it is an extension I frequently use to track online purchases for cashback. This is their home website: www.shopback.sg

CHR Extension: (Shopback Button - Cashback & Coupons) - C:\Users\Huey Min\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjngckebbndpdeeakdgohmcdnecidcjk [2020-08-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Huey Min\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2019-10-06]
CHR Extension: (Chrome Media Router) - C:\Users\Huey Min\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2020-12-17]
I am unable to remove Chrome Web Store Payments and Chrome Media Router as they are not in the list of my Chrome extensions.

As for Team Viewer, I have no idea what this is, and I do not recall installing this application, so I have uninstalled it.
 

Registered
Joined
28 Posts
Discussion Starter #8
  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log
Hi Gary,

Please see the attachment as requested.

After I save the fixlist.txt, I press the Fix button and within a second, this fixlist.txt file was generated, hope I'm doing this right.
 

Attachments

Moderator , Security Team
Joined
991 Posts
What you've posted me is your fixlist, what I need is your fixlog.

As you have a fixlist file, just run FRST again, and when it opens, if there is an update available it will update. If it does, allow the update to complete and then press the Fix button.

FRST should now process your fixlist and after a brief time should produce a fixlog.txt


Please post me that. If it doesn't produce one then please let me know.
 

Registered
Joined
28 Posts
Discussion Starter #10
Hi Gary,

Apologies, my mistake for attaching the wrong text file. Please see attached fixlog text.

Thank you once again for your time and help. Wishing you a happy new year!
 

Attachments

Moderator , Security Team
Joined
991 Posts
According to VirusTotal, the Wondershare files that were flagged on your machine, and which I scripted for testing in the fixlist that I gave you, were not malicious ...



... so it's up to you whether we remove them or not.

Other than that, all the orphans I scripted for removal seem to have been removed successfully.

So please let me know what you want to do with the Wondershare files. If you want them removing, then we should be able to do that, if you're happy to leave them in place, then all we need to do is uninstall FRST, and I'll let you know how to do that once I've heard your answer.
 

Registered
Joined
28 Posts
Discussion Starter #12
Hi Gary,

Thank you for the reply. I am just wondering why Kaspersky flagged it out as a vulnerable application? If it's possible, I would like to remove it from my system. Would you be able to help? Thank you so much once again!
 

Moderator , Security Team
Joined
991 Posts
Kaspersky's detection is probably heuristic, by which I mean it categorises it based on its actions and behaviour. Heuristics were introduced as a means of combating the huge numbers of new infections being spawned, which the AV companies did not have the time and resources to produce timely definitions for. Heuristics generally produce more false positives than other detection methods.

All that being said, if you want to remove Wondershare, then first we need to run a search on your computer, to ensure that there are not more files, folders, and registry entries, than those already found by the normal FRST scan. Once we've got a more complete list, I can script their removal.

So ....

  • Double click Frst64.exe to launch it.
  • FRST will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Copy/Paste or Type the following line into the Search: box.
    SearchAll:Wondershare
    • Press the Search Files button.
    • When finished searching a log will open on your Desktop ... Search.txt
    • Please post it in your next reply.
 

Registered
Joined
28 Posts
Discussion Starter #14
Hi Gary,

My sincere apologies for the late reply. Pls see text file as requested.

I tried to delete the Wondershare files from the program files but it does not seem to work, despite deleting the files off task manager in the background processes.

Thank you!
 

Attachments

Moderator , Security Team
Joined
991 Posts
  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank randomly named .txt Notepad file will open.
  • Copy and paste the following into it (don't include Code: ) ....
Code:
C:\Users\Huey Min\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\125\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_Wondershare_Wondershare dr_fone_DrFoneToolKit_exe
C:\Users\Public\Documents\Wondershare
C:\Users\Huey Min\AppData\Roaming\Wondershare
C:\ProgramData\Wondershare
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare
C:\Program Files (x86)\Wondershare
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{83045d03-658e-471c-ac48-edf4cb87f1a7}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{00E8194A-7AE1-3BBB-B3F6-3F23B6C2E18C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{0A76011D-420F-3BA2-8F8C-9F317EDDFDDE}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{10462C8F-11CE-326A-A46F-2E11248E25F5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{38A71EE0-A02B-3FB0-8D75-023BA287045E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{3AD3AA48-B2E6-3F05-8ED2-2BDFAC41F695}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{3F59F0D0-AA90-3F8D-9EBF-8B6631BEEE56}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{46C1C382-28B6-3975-940E-CD44350AC8B7}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{4D230EC2-A0E8-3AA1-97A0-CE918D27CCDF}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{4E752D1B-E9EF-3D5E-8AD9-D4B23933F44A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{536E7B1F-1017-3D86-B0DA-AB2BAD2FC479}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{571C39BD-33F0-32C9-BE8F-70B0403F4A9F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{5C8C15DA-3D61-309C-B6DB-9D63AFA9FAC2}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{6258B50A-6D33-3F8D-8CFF-26DB5D8E6DB5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{65A55938-1B7E-35D2-9197-0C4AD1B069E6}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{6EA4D664-7742-30E4-AF98-8E11383590AD}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{8158325C-AFDB-382E-BC91-6D6C7E93041B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{8259EB7D-F9D3-3B63-911A-86C8BB06BFBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{8AA82340-48F3-3F18-A5E6-6E7E93C01118}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{8B6D3D73-31A0-31E8-889C-42FA20A2F2DF}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{8C848E9F-57E9-3A2A-BEDD-BEA787734F5B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{963A68A8-7636-3A2C-96A4-77168A554F3D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{B437EE55-B6C2-3D9A-B3D5-A01A8B62A847}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{BADED972-D971-39EB-B241-229FA3368013}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{BBE1EDD5-C789-35D6-8349-70D916B07AFE}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{E1E1B672-D644-318B-95F7-C7BA2F636826}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{E3874DE2-92B6-3869-8C58-BDB439F3C4B8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{F507231C-4062-34A9-86E5-16F03F952BB6}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{FBD2E677-5916-3B77-B453-BA29650B7E15}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{FFDFF7E7-641E-3BFE-94F7-FB58D905B3FD}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3A4EAA72-4F9A-45D2-B403-4DFED157E2EB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3A4EAA72-4F9A-45D2-B403-4DFED157E2EB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{70347FA4-20ED-47F9-AEB8-FD01752EF3BC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{899AB13F-F8E7-4A4E-9F04-C9802BC4E799}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{91238E18-C8DD-4450-9B44-C9E7002AE3B6}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare.AppFrame.Services.ProductionManager]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare.AppFramework.Services.DownloadServices]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F804108-9A89-41E7-8A02-60A274FD707C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69FCCA4B-E071-4FBB-A74D-9A19560E8BD5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E1D781-F055-4BD3-B58B-BF3ED285C4D3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7704BEFF-B10C-4376-9A56-07FFDE318F7C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96C61A75-C01A-4BCA-B71F-536F5AFE9B91}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A83044C7-F70B-4202-9D24-6D5A737B3BA1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2910E1C-0E52-48E4-81A2-016D596C869F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5B5F703-4465-40FF-A09A-42D11AA29DA5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF891359-5822-466D-999F-A7D7F5F92340}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F2462912-993D-4E9A-8E6D-AB3B73CD2962}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F87E8A21-E0C6-4094-A85D-E10524011B29}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F944179B-0EC4-400B-9B7E-1B15053A4A21}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E8F86DA8-B8E4-42C7-AFD4-EBB692AC43FD}_is1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare]
[-HKEY_LOCAL_MACHINE\SYSTEM\Setup\FirstBoot\Services\WsAppService]
[-HKEY_LOCAL_MACHINE\SYSTEM\Setup\FirstBoot\Services\WsDrvInst]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsAppService]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsDrvInst]
[-HKEY_USERS\S-1-5-21-3341730244-1619866131-124171938-1001\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{26A98831-E260-4274-BAA8-2E650442C7A0}]
[-HKEY_USERS\S-1-5-21-3341730244-1619866131-124171938-1001\Software\Wondershare]
[-HKEY_USERS\S-1-5-21-3341730244-1619866131-124171938-1001\Software\Wondershare\Wondershare Helper Compact]
[-HKEY_USERS\S-1-5-21-3341730244-1619866131-124171938-1001\Software\Wow6432Node\Wondershare]
DeleteValue:HKEY_USERS\S-1-5-21-3341730244-1619866131-124171938-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Program Files (x86)\Wondershare\Wondershare dr.fone\DrFoneToolKit.exe
  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log
 

Registered
Joined
28 Posts
Discussion Starter #16
Hi Gary, thank you for the information, as per your instructions, please see fixlog.txt attached.
 

Attachments

Moderator , Security Team
Joined
991 Posts
The fixlog is incomplete, in as much as there is no fixlist showing (the items listed for removal will show if you have done things properly, along with the results of whether they were removed or not) which is why nothing has been removed.

Please follow the instructions in post #15 closely, and try again, then post me the new fixlog.
 