[Closed] SRP malware

Status
Not open for further replies.

Victor M

I am infected with some kind of SRP malware. It refuses to let me run anything from Downloads or Documents. It says it is restricted by your system administrator.

FRST.TXT
ADDITIONS.TXT
 

Hey Victor,

Sorry to hear you're dealing with what sounds like a Software Restriction Policy (SRP) lockdown—that's a common tactic some malware uses to block executables from running in certain folders like Downloads or Documents. It often masquerades as an admin restriction to make it seem legit. Good on you for running FRST and sharing the logs; those are super helpful for diagnostics.

I'll take a look at the FRST.txt and Addition.txt you linked (via Google Drive). Based on a quick review, it looks like there might be some policy keys set in the registry that are enforcing these restrictions, possibly tied to remnants of an infection. No obvious active malware jumping out, but we should clean this up carefully to avoid any side effects.

### Quick Steps to Try First
Before we dive into a full fix, let's see if we can bypass or reset the SRP manually. Important: Boot into Safe Mode if possible (hold Shift while restarting, or use msconfig), as that might let you run tools without the restrictions kicking in.

1. Run a Scan with Malwarebytes
Download and install Malwarebytes from their official site (malwarebytes.com). If the download is blocked, try from another folder or use a USB from another PC. Run a full scan and quarantine anything it finds. Restart and test if the restrictions lift.

2. Check and Reset Group Policies
- Press Win + R, type gpedit.msc, and hit Enter (this requires admin rights; if blocked, we might need to tweak the registry).
- Navigate to Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies.
- If policies are set, right-click and delete them, then restart.

If gpedit isn't available (Home editions of Windows don't have it), we can use the registry:
- Win + R > regedit
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
- Look for subkeys like "0" or "Paths"—delete any suspicious entries (backup the registry first via File > Export).
- Also check HKEY_CURRENT_USER for similar paths. Restart after.

3. If That Doesn't Work
We can create a Fixlist for FRST based on your logs. Save the below as fixlist.txt on your desktop (or somewhere not restricted), then run FRST again, load the fixlist, and hit Fix. Backup important data first, just in case.

Code:
CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
; Add any specific registry keys from your logs here if needed

; Assuming standard SRP cleanup
Reg: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /f
Reg: reg delete "HKCU\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /f

EmptyTemp:
Reboot:

After running that, reboot and test running files from Downloads/Documents. If issues persist, reply with the Fixlog.txt that FRST generates, and we can refine it.

If you're not comfortable with these steps or if it's a work/school PC (real admin policies?), it might be worth posting in our Malware Removal Help forum for a tailored guide from the team. Hang in there—we'll get this sorted!

@Bot
 
I can't run Malwarebytes, it is an online installer, and this box is offline.
I deleted my SRP policy in gpedit, ran gpupdate. No change. Files are still restricted.
I want to find the software that is causing this. I can delete all the 'safer' keys and my programs will run again, but that is not addressing the Root Cause.
Just tried your fixlist. It doesn't work. There were many Safer locations when I checked regedit yesterday.
This machine is an offline box. In the past 3-4 months, it has been only online for 10 mins, only when I cannot find an offline installer.
I last went online 3 days ago to activate ESET Protect.
If I remove ESET, I can run the programs in Downloads and Documents again. So I disabled ALL the protections in ESET to try, but no go.
There is a slim chance that the ESET Protect installer may be infected.
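
For the root-cause question raised above, one way to see when each rule under the Safer\CodeIdentifiers key was written, so the write times can be compared with software install dates. This is an added example, not part of any post in this thread; it assumes the standard SRP registry layout, where each path rule is a GUID subkey of `<level>\Paths` holding `ItemData`, `Description` and `LastModified` values.

```powershell
# Added example: inventory SRP path rules and when each one was written.
# Read-only; nothing in the registry is changed.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)
# SAFER security levels; the level is the name of the subkey under CodeIdentifiers.
$levelName = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}
# Keep %VAR% and %HKEY_...% rules exactly as stored instead of expanding them.
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

$rules = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # Policy-wide settings: default level, DLL coverage, and who is in scope.
    $policy = Get-Item -LiteralPath $root
    Write-Host ("{0}: DefaultLevel={1} TransparentEnabled={2} PolicyScope={3}" -f
        $root, $policy.GetValue('DefaultLevel'),
        $policy.GetValue('TransparentEnabled'), $policy.GetValue('PolicyScope'))

    foreach ($levelKey in Get-ChildItem -LiteralPath $root) {
        $level = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$level)) { continue }
        $pathsKey = $levelKey.OpenSubKey('Paths')
        if ($null -eq $pathsKey) { continue }

        $label = $levelName[$level]
        if (-not $label) { $label = "Level $level" }

        foreach ($guid in $pathsKey.GetSubKeyNames()) {
            $rule  = $pathsKey.OpenSubKey($guid)
            $stamp = $rule.GetValue('LastModified')   # REG_QWORD holding a FILETIME
            $when  = $null
            if ($null -ne $stamp) { $when = [DateTime]::FromFileTimeUtc([long]$stamp) }

            [pscustomobject]@{
                Hive         = $root.Substring(0, 4)
                Level        = $label
                Rule         = $rule.GetValue('ItemData', '', $noExpand)
                Description  = $rule.GetValue('Description')
                LastModified = $when                  # UTC; FRST log times are local
                RuleId       = $guid
            }
            $rule.Close()
        }
        $pathsKey.Close()
    }
}

# Oldest first, with the level shown so allow rules are not mistaken for blocks.
$rules | Sort-Object LastModified |
    Format-Table Hive, Level, LastModified, Rule, Description -AutoSize -Wrap

# Rules written in the same minute were most likely created together by one tool.
$rules | Where-Object LastModified |
    Group-Object { $_.LastModified.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Name | Format-Table Name, Count -AutoSize
```

Running it before and after reinstalling a suspected product shows whether that product rewrites the rules, which deleting the keys alone cannot tell you.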
 
Hello..! Could you tell me what the following software was used for, and whether some of the cited programs are the reason: NMAP, NPCAP, Tenable Nessus, Wazu Agent, AppControl Manager, U_stigiewer ..!

2025-09-22 16:02 - 2025-09-22 16:08 - 000000000 ____D C:\Users\zzz\Documents\STIG NEW
2025-09-22 16:01 - 2025-09-22 16:10 - 000000000 ____D C:\Users\zzz\AppData\Roaming\stig_viewer_3
2025-09-22 16:01 - 2025-09-22 16:01 - 000000000 ____D C:\Users\zzz\Documents\U_STIGViewer-win32_x64-3-6-0
2025-09-22 16:00 - 2025-09-18 12:59 - 155276369 _____ C:\Users\zzz\Documents\U_STIGViewer-win32_x64-3-6-0.zip

Can you load the legal notice screen as well as other restrictions? I would ask what you really tried to start..?

HKLM\...\Policies\system: [legalnoticecaption] US Department of Defense Warning Statement
HKLM\...\Policies\system: [legalnoticetext] You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

ago to install ESET Protect.

Remnants of COMODO Internet Security are visible.. A conflict is possible..!
 
I want to find the software that is causing this

I think AppControl Manager is the reason ..! Test ..!

 
NMAP - used to scan my network for unknown PCs
NPCAP - Wireshark component
Tenable Nessus - used for scanning and identifying vulnerabilities and new CVEs on the machine
Wazu Agent - an SIEM agent that reports interesting events to the SIEM server
AppControl Manager - to create WDAC rules
U_stigiewer - STIG Viewer is used to manually check if all DoD baseline settings are done properly. I don't remember a 'U_stigiewer'
AppControl Manager is made by Spynetgirl, a former member of MT. The program is trusted and has been on the machine for 3 months. It creates WDAC rules/policies and compiles them, has nothing to do with SRP.
 
Can FRST64 process wildcards for registries? If so, then a *\Safer\* would kill all the Safer locations. I tried manually to remove all Safer locations yesterday. There were many. And I took a wrong turn and deleted the entire group policy key. A wildcard would address one visible symptom, but we need to find the executable root cause. And remember that when I uninstalled ESET, the symptom went away, so probably the malware is checking for the presence of ESET.

I know it is far-fetched (from my understanding) but is it possible also to identify the entry vector that the hacker leveraged to implant this?
 
Thank you for the information....!
And you accidentally used CryptoPrevent..? The purpose is preventing CryptoLocker Ransomware from infecting your system.
 
No, I didn't purposefully enable crypto prevention. I'll search for it and disable it then.
 
Good morning ..! I suggest trying to eliminate the infection. But before that, take precautions .. (I guess you have a fresh image if something goes wrong)

RegBak by Acelogix Software
  • Download RegBak by Acelogix Software and save it to your Desktop.
  • Note: If you are warned of a suspicious site you can ignore the warning, the site and download are safe
  • Unzip the folder onto your Desktop
  • Right click on the RegBak64 and select Run as administrator
  • Click New Backup, leave the default Backup Folder setting, and type in BC Backup under Description
  • Click on Click here to view details of the hives in the backup
  • Check Select hives not loaded by Windows
  • Click OK, then Start
  • Once you see Finished successfully click Close
  • Verify the BC Backup folder is present then click Close

Farbar Recovery Scan Tool Fix
  • Right click on the FRST64 icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
  • There is no need to paste the information anywhere, FRST64 will do it for you
Code:
Start::
CreateRestorePoint:
CloseProcesses:

HKLM Group Policy restriction on software: *.js <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\ <==== ATTENTION
HKLM Group Policy restriction on software: *.jar <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\Temp\Crashpad <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\Input\RemoteMouseSyncDataAvailable <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\WindowsColorSystem\Calibration Loader <==== ATTENTION
HKLM Group Policy restriction on software: *.pyz <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\Temp\MsEdgeCrashpad <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\SysWOW64\Tasks\Microsoft\Windows\WCM <==== ATTENTION
HKLM Group Policy restriction on software: *.plx <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System <==== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\ossec-agent\ossec.conf <==== ATTENTION
HKLM Group Policy restriction on software: *.rbw <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\GroupPolicy\User\Scripts\Logon <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\Temp\MsEdgeCrashpad\reports <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\Input\TouchpadSyncDataAvailable <==== ATTENTION
HKLM Group Policy restriction on software: *.java <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System <==== ATTENTION
HKLM Group Policy restriction on software: *.ru <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\Input\PenSyncDataAvailable <==== ATTENTION
HKLM Group Policy restriction on software: *.phtml <==== ATTENTION
HKLM Group Policy restriction on software: *.psgi <==== ATTENTION
HKLM Group Policy restriction on software: *.py <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\Printing\PrinterCleanupTask <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\COMODO <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\SysWOW64\Com\dmp <==== ATTENTION
HKLM Group Policy restriction on software: *.csx <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\spool\drivers\color <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\Temp\Crashpad\attachments <==== ATTENTION
HKLM Group Policy restriction on software: *.pl <==== ATTENTION
HKLM Group Policy restriction on software: *.phar <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Com\dmp <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\Temp\Crashpad\reports <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\Input\RemotePenSyncDataAvailable <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\Registration\CRMLog <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask-Roam <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\Printing\PrintJobCleanupTask <==== ATTENTION
HKLM Group Policy restriction on software: *.mjs <==== ATTENTION
HKLM Group Policy restriction on software: *.pyw <==== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\BraveSoftware\Brave-Browser\Application\SetupMetrics <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\Temp\MsEdgeCrashpad\attachments <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\Input\MouseSyncDataAvailable <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\MareBackup <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\Input\InputSettingsRestoreDataAvailable <==== ATTENTION
HKLM Group Policy restriction on software: *.cjs <==== ATTENTION
HKLM Group Policy restriction on software: *.php <==== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\Tasks <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\File Classification Infrastructure\Property Definition Sync <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\GroupPolicy\User\Scripts\Logoff <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\SysWOW64\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\GroupPolicy\Machine\Scripts\Shutdown <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\Input\LocalUserSyncDataAvailable <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\tracing <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\spool\SERVERS <==== ATTENTION
HKLM Group Policy restriction on software: *.rb <==== ATTENTION
HKLM Group Policy restriction on software: *available\* <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\Input\RemoteTouchpadSyncDataAvailable <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\spool\PRINTERS <==== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\Tasks\Microsoft\Windows\Input\syncpensettings <==== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86) <==== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <==== ATTENTION
HKLM Group Policy restriction on software: C:\Sandbox <==== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <==== ATTENTION
GroupPolicy: Restriction - Edge <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
Task: {10657CEE-9CC1-48E8-89D3-421D78959573} - System32\Tasks\COMODO\COMODO AutoPurge {97A231DE-4E0C-4C20-A628-7F4998065803} => "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe"  --launchSchedule {97A231DE-4E0C-4C20-A628-7F4998065803} (No File)
Task: {64EA9C75-089C-4A7F-939C-961D5E271F4C} - System32\Tasks\COMODO\COMODO Autostart {D5EFF3B3-E126-4AF6-BCE9-852A72129E10} => "C:\Program Files\COMODO\COMODO Internet Security\cis.exe"  --cistrayUI (No File)
Task: {B1C618F2-9C09-4E0A-BB6D-49F77189F8D3} - System32\Tasks\COMODO\COMODO Maintenance {947247B5-026A-4437-9371-770782BE839D} => "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe"  --launchSchedule {947247B5-026A-4437-9371-770782BE839D} (No File)
Task: {72E8B67D-B518-4B29-98D8-E2497167199A} - System32\Tasks\COMODO\COMODO Scan {2BC1F438-A318-4CCC-A065-86425D4B75E5} => "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe"  --launchSchedule {2BC1F438-A318-4CCC-A065-86425D4B75E5} (No File)
Task: {126D90E0-5046-445C-A95A-F16CE9C4C0A6} - System32\Tasks\COMODO\COMODO Scan {94CE9A2E-A825-474B-8B09-8442A28AE549} => "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe"  --launchSchedule {94CE9A2E-A825-474B-8B09-8442A28AE549} (No File)
Task: {74A27097-06A4-466D-854B-6EC6C216BF6C} - System32\Tasks\COMODO\COMODO Scan {F3759F65-549D-4296-8636-81F3E6F29AB6} => "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe"  --launchSchedule {F3759F65-549D-4296-8636-81F3E6F29AB6} (No File)
Task: {8D7A67D6-50DF-4046-87DB-846558842FAF} - System32\Tasks\COMODO\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59} => "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe"  --launchSchedule {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59} (No File)
Task: {2E43D284-C494-43B4-91BD-C7FBEDDBB2C2} - System32\Tasks\COMODO\COMODO Telemetry {18AD3DFA-30C0-4B5F-84F7-F1870B1A4921} => "C:\Program Files\COMODO\COMODO Internet Security\cis.exe"  --telemetry (No File)
Task: {32C9BB1F-19D7-4C22-877A-E42D0A3B4DD8} - System32\Tasks\COMODO\COMODO Telemetry Job {06A09C0F-DD9C-4191-A670-71115CD78627} => "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe"  --launchSchedule {06A09C0F-DD9C-4191-A670-71115CD78627} (No File)
Task: {1D7FC44A-9794-429B-903B-249F9AE76BB8} - System32\Tasks\COMODO\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85} => "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe"  --launchSchedule {A6D52E4F-569B-4756-B3D8-DF217313DA85} (No File)
Task: {D6DED379-9209-4B0E-BFFD-11E578DAA20E} - System32\Tasks\COMODO\COMODO Virtual Desktop {C743449B-51C9-4AA8-A691-C821CBD50529} => "C:\Program Files\COMODO\COMODO Internet Security\cis.exe"  --virtualDesktopServ=autologon (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe  (No File)
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0: <==== ATTENTION (Restriction - Zones)
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1: <==== ATTENTION (Restriction - Zones)
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2: <==== ATTENTION (Restriction - Zones)
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3: <==== ATTENTION (Restriction - Zones)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-21-3727774297-3829142435-4059952429-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-21-3727774297-3829142435-4059952429-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
S0 33696588; system32\drivers\94056747.sys [X]
S3 E1G60; \SystemRoot\System32\drivers\E1G6032E.sys [X]
S3 MpKsl4792b49b; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{64AA3A43-D987-47D4-A267-D9E2311759B2}\MpKslDrv.sys [X]
U4 MrxSmb10; no ImagePath
U4 npcap_wifi; no ImagePath
2025-10-10 03:45 - 2025-10-10 03:45 - 000000000 ____D C:\WINDOWS\system32\Tasks\COMODO
2025-10-10 03:45 - 2025-10-10 03:45 - 000000000 _____ C:\WINDOWS\system32\Tasks\CIS_81EFDD93-DBBE-415B-BE6E-49B9664E3E82
2025-10-10 03:45 - 2024-10-02 20:29 - 006635520 _____ (COMODO) C:\ProgramData\cisF879.exe
2025-08-06 11:01 - 2024-10-02 20:32 - 000519672 _____ (COMODO) C:\ProgramData\cmdres.dll

Unlock: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Unlock: C:\Users\zzz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

CMD: sfc /scannow
CMD: DISM /Online /Cleanup-Image /RestoreHealth

EmptyTemp:
End::

  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.

In your next reply, please include:
  • Fixlog.txt
 
I couldn't execute FRST64 anymore. It is newly recognized by the 'SRP' and says '... by systems administrator'. I suspect it is under live control by the hacker, since it worked yesterday when I placed FRST64 into '\program files\mmm'. Although the WiFi is not working on the machine and my Ethernet cable is unplugged. But the BIOS says WiFi is 'locked' via the interface. So maybe the underlying code underneath the interface is still working and the malware accesses it not thru the interface. Time to reformat. Thanks for your help.
 
Time to reformat. Thanks for your help.

I am sorry that we did not achieve some success. But at this stage, I think this is the right decision..!

And yet..: I wish we could try with Farbar Recovery Scan Tool Fix From Recovery Partition or Process Monitor Boot Log ..?

Farbar Recovery Scan Tool Fix From Recovery Partition

  • Download Farbar Recovery Scan Tool for 64 bit systems (on a clean machine) and save it to a USB device
  • Download attached file and save it to the same USB
  • Insert the USB device into your compromised computer
  • Holding down the Shift Key click Start, click the power icon, then select Reboot
  • Click Troubleshoot
  • Click Advanced options
  • Click Command Prompt
  • Choose an account to continue
  • If necessary, enter the password then hit Continue
  • In the command window type in Notepad and press Enter
  • Under File menu select Open
  • Select This PC and double click on your USB drive letter
  • Next to Files of type: select All Files
  • Right click on the FRST icon and select Run as administrator
  • Click Yes to disclaimer that may appear
  • Press Fix button
  • A fixlog.txt file will be saved on the USB drive
  • Reboot your computer into Normal Boot
  • Copy and paste the contents of the Fixlog.txt report in your reply
 
