Malware help please + cryptoprevent


  1. Posts : 2
    windows 10
       #1


    So I have this in the log of CryptoPrevent:
    Event ID=866 Message of: Access to C:\Users\Zman\AppData\Local\atbizdu\cgcstpk.exe has been restricted by your Administrator by location with policy rule {B6AF3C37-6012-4DEC-87BB-5125E94F5BC5} placed on path C:\Users\AdminZman\AppData\Local\*\*.exe.

    on a constant basis. I cannot get into that folder; I cannot delete it, rename it or anything. If I try to take ownership of it I get told I can't, even though I'm an administrator account.
    I booted off a Windows 7 disk, went to a command prompt and deleted it, yet it's back again. I've run Malwarebytes, HitmanPro and Windows Defender. How do I figure out how that's being created and what's trying to access that exe?

    thanks


  2. Posts : 7,724
    3-Win-7Prox64 3-Win10Prox64 3-LinuxMint20.2
       #2

    Hi,
    Seems like at bizz is some sort of social media sharing site. Have you ever joined it?
    You can try the normal, like scanning with Malwarebytes and AdwCleaner, and see what it finds.


  3. Posts : 2
    windows 10
    Thread Starter
       #3

    Nope, never joined anything named close to that. I have tried Malwarebytes though.


  4. Posts : 16,325
    W10Prox64
       #4

    Hi. Have you resolved this or are you still looking for help? It sounds to me as if you have some sort of Rootkit (keeps spawning itself over and over).

    Malwarebytes has an option to scan for Rootkits, but you have to check the box for it in Settings > Protection.
    I would first start out with this though:

    Run RKILL
    Download RKill
    This program doesn't install on the system. It just runs, and closes/ends all suspicious running items. Everything it does is temporary and undone by a reboot.

    Run a scan with ADWCleaner
    Downloads - AdwCleaner - ToolsLib
    If the scan finds anything, it will offer you an option to clean - go ahead and do that. After cleaning, it will prompt for a reboot - do that as well.

    Then run RKILL again.

    Now run Malwarebytes with the Rootkit scan box checked and see if anything is found.

    Posting the logs here from RKILL and ADWCleaner will also help.
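
On the thread starter's question of how to find what keeps launching the blocked file, the following is an added example, not part of any post in this thread: it parses the Event ID 866 message quoted in post #1 and lists Run keys, scheduled tasks and services whose command line points into the same folder. The function name `Get-BlockedPath` is hypothetical, and reading the events from the Application log is an assumption about where CryptoPrevent's restriction events are written.

```powershell
# Sample message copied from post #1. On a live system, pull real ones with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 866 }
# (assumption: the restriction events are written to the Application log)
$message = 'Access to C:\Users\Zman\AppData\Local\atbizdu\cgcstpk.exe has been restricted by your Administrator by location with policy rule {B6AF3C37-6012-4DEC-87BB-5125E94F5BC5} placed on path C:\Users\AdminZman\AppData\Local\*\*.exe.'

# Hypothetical helper: extract the blocked executable and the rule GUID.
function Get-BlockedPath {
    param([string]$Text)
    if ($Text -match 'Access to (?<exe>.+?\.exe) has been restricted.*policy rule (?<rule>\{[0-9A-Fa-f-]+\})') {
        [pscustomobject]@{ Exe = $Matches.exe; Rule = $Matches.rule }
    }
}

$blocked = Get-BlockedPath $message
# Match on the folder, since it is the folder that keeps being recreated.
$needle = [regex]::Escape((Split-Path $blocked.Exe -Parent))

# 1. Run / RunOnce registry values that reference the folder
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $needle } |
        ForEach-Object { [pscustomobject]@{ Source = $key; Name = $_.Name; Command = $_.Value } }
}

# 2. Scheduled tasks whose action runs something from the folder
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match $needle } |
        ForEach-Object { [pscustomobject]@{ Source = 'ScheduledTask'; Name = $task.TaskPath + $task.TaskName; Command = "$($_.Execute) $($_.Arguments)" } }
}

# 3. Services whose binary path points into the folder
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $needle } |
    ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName } }
```

Run it from an elevated PowerShell prompt. An empty result only means none of these three autostart locations reference the folder; it does not rule out something hidden from the running OS, which is what the rootkit scan in post #4 is for.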

