okay, the guy clicked on a link somewhere, and installed a rogue. He stopped and blocked the rogue processes himself, ie manually, from CIS def+, and that’s what he calls protection. He didn’t get a single warning from CIS, but just prompts asking him to allow Microsoft processes ;D … what he did (before realizing what’s going on…), see for yourselves:
Yes CIS asked me if I wanted to grant full access to a program signed by Microsoft and I clicked yes.
so I decided to stop and block this processes gaining control of my laptop again, all windows telling me I was infected stoped.