Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Weird Chinese programes!


  • This topic is locked This topic is locked
22 replies to this topic

#1 Mergho

Mergho

  • Members
  • 37 posts
  • OFFLINE
  •  

Posted 11 August 2016 - 07:30 PM

Hello, I have some weird chinese programes (or malwares i dunno*) that I cannot delete, also Malwarebytes Quarantine doesnt let me press the finish button.

Some weird chinese programs tend to appear out of nowhere.

Please help.

*didn't install any of them, but left my laptop for an ahour and came back to find it crowded on my desktop

attached latest malwarebytes scan

 

Attached Files



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:51 PM

Posted 12 August 2016 - 08:29 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Let me know what problems persists.

#3 Mergho

Mergho
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  

Posted 12 August 2016 - 08:10 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Let me know what problems persists.

 

 

When i click on "Clean", Program become not responding
i get all of these checked when scanning is finished:
 
-UCGuard
-KuaiZipDrive
-KuaZipUpdateChecker
ComputerZLock
ComputerZ_X64
HpSvc
 
I dunno any of them, so i left them all checked
 
Also when i try to copy/paste FRST.txt here and press add reply i get the following msg
 
Sorry, you don't have permission for that!
 
[#103130]
You do not have permission for that action.
 
Need Help?
Our help documentation
Contact the community administrator

Attached Files


Edited by Mergho, 12 August 2016 - 08:11 PM.


#4 Mergho

Mergho
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  

Posted 12 August 2016 - 08:21 PM

since the problem has started, i got 2 tabs automatically opened when i launch chrome 1) 0.0.0.0 2) 0.0.0.1

Dunno whether it's related to the issue or not



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:51 PM

Posted 13 August 2016 - 09:48 AM

ATTENTION: System Restore is disabled
Turn System Restore On for Drives in Windows 10
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
<<<>>>

Please run the AdwCleaner tool and clean everything that was reported. <- important.
===

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.
 

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

( ) C:\Program Files (x86)\sbqh\uc.exe
( ) C:\Program Files (x86)\sbqh\uc.exe
HKLM-x32\...\Run: [apphide] => C:\Program Files (x86)\sbqh\uc.exe [233520 2016-08-03] ( )
HKU\S-1-5-21-3614168608-439642083-191617718-1000\...\Run: [apphide] => C:\Program Files (x86)\sbqh\uc.exe [233520 2016-08-03] ( )
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => C:\Program Files\???¹\X64\KZipShell.dll [2016-08-13] ()
CHR HomePage: tkosghefoiedqhosy -> hxxp://www.google.com/
CHR StartupUrls: tkosghefoiedqhosy -> "hxxp://www.google.com/","hxxp://www.youndoo.com/?z=ee0b19f006e32de7d194778g8z2m8e1b6qfzbc4c2c&from=wak&uid=WDCXWD7500BPVT-75HXZT3_WD-WX41E413113731137&type=hp"
CHR DefaultSearchURL: tkosghefoiedqhosy -> hxxp://www.youndoo.com/search/?q={searchTerms}&z=ee0b19f006e32de7d194778g8z2m8e1b6qfzbc4c2c&from=wak&uid=WDCXWD7500BPVT-75HXZT3_WD-WX41E413113731137&type=sp
CHR DefaultSearchKeyword: tkosghefoiedqhosy -> youndoo
U3 idsvc; no ImagePath
U3 wpcsvc; no ImagePath
CustomCLSID: HKU\S-1-5-21-3614168608-439642083-191617718-1000_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-AB61686A0081}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
Task: {239219DA-A5F8-483D-ACD6-BCFB43BC8F89} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
Task: {3A211ABE-8CC7-4DBD-9EFE-719FAB9A44CA} - System32\Tasks\DriverToolkit Autorun => C:\Program Files (x86)\DriverToolkit\DriverToolkit.exe
Task: C:\WINDOWS\Tasks\DriverToolkit Autorun.job => C:\Program Files (x86)\DriverToolkit\DriverToolkit.exe
Task: C:\WINDOWS\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
C:\Program Files (x86)\sbqh
C:\Program Files\???¹\X64\KZipShell.dll
C:\Program Files (x86)\UCBrowser
C:\Program Files (x86)\DriverToolkit

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

#6 Mergho

Mergho
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  

Posted 13 August 2016 - 11:07 AM

ATTENTION: System Restore is disabled
Turn System Restore On for Drives in Windows 10
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
<<<>>>

Please run the AdwCleaner tool and clean everything that was reported. <- important.
===

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.
 

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

( ) C:\Program Files (x86)\sbqh\uc.exe
( ) C:\Program Files (x86)\sbqh\uc.exe
HKLM-x32\...\Run: [apphide] => C:\Program Files (x86)\sbqh\uc.exe [233520 2016-08-03] ( )
HKU\S-1-5-21-3614168608-439642083-191617718-1000\...\Run: [apphide] => C:\Program Files (x86)\sbqh\uc.exe [233520 2016-08-03] ( )
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => C:\Program Files\???¹\X64\KZipShell.dll [2016-08-13] ()
CHR HomePage: tkosghefoiedqhosy -> hxxp://www.google.com/
CHR StartupUrls: tkosghefoiedqhosy -> "hxxp://www.google.com/","hxxp://www.youndoo.com/?z=ee0b19f006e32de7d194778g8z2m8e1b6qfzbc4c2c&from=wak&uid=WDCXWD7500BPVT-75HXZT3_WD-WX41E413113731137&type=hp"
CHR DefaultSearchURL: tkosghefoiedqhosy -> hxxp://www.youndoo.com/search/?q={searchTerms}&z=ee0b19f006e32de7d194778g8z2m8e1b6qfzbc4c2c&from=wak&uid=WDCXWD7500BPVT-75HXZT3_WD-WX41E413113731137&type=sp
CHR DefaultSearchKeyword: tkosghefoiedqhosy -> youndoo
U3 idsvc; no ImagePath
U3 wpcsvc; no ImagePath
CustomCLSID: HKU\S-1-5-21-3614168608-439642083-191617718-1000_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-AB61686A0081}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
Task: {239219DA-A5F8-483D-ACD6-BCFB43BC8F89} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
Task: {3A211ABE-8CC7-4DBD-9EFE-719FAB9A44CA} - System32\Tasks\DriverToolkit Autorun => C:\Program Files (x86)\DriverToolkit\DriverToolkit.exe
Task: C:\WINDOWS\Tasks\DriverToolkit Autorun.job => C:\Program Files (x86)\DriverToolkit\DriverToolkit.exe
Task: C:\WINDOWS\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
C:\Program Files (x86)\sbqh
C:\Program Files\???¹\X64\KZipShell.dll
C:\Program Files (x86)\UCBrowser
C:\Program Files (x86)\DriverToolkit

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

Turned on system restore, but AdwCleaner is still not responding

#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:51 PM

Posted 14 August 2016 - 07:32 AM

Restart the computer normally.

Try to run the AdwCleaner and clean everything.

If not able click the File Menu and select Uninstall.

Restart the computer when completed.

Download and run the program downloaded from this site.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Run it and Clean everyting found.

Keep me posted.

#8 Mergho

Mergho
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  

Posted 14 August 2016 - 01:16 PM

Restart the computer normally.

Try to run the AdwCleaner and clean everything.

If not able click the File Menu and select Uninstall.

Restart the computer when completed.

Download and run the program downloaded from this site.

Please download AdwCleaner by Xplode onto your Desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Run it and Clean everyting found.

Keep me posted.
Problem persists, not responding for hours (When i press clean)

Edited by Mergho, 14 August 2016 - 01:18 PM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:51 PM

Posted 14 August 2016 - 01:53 PM


Stop the process.
Did your run the Fix as suggested with the Farbar tool.

Post the log for my review.

#10 Mergho

Mergho
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  

Posted 14 August 2016 - 01:55 PM

Stop the process.
Did your run the Fix as suggested with the Farbar tool.

Post the log for my review.

Yes and posted the logs above

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:51 PM

Posted 15 August 2016 - 06:05 AM

The log was not posted or attached.

Please do it again.

Let me know if the problem is persisting.

#12 Mergho

Mergho
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  

Posted 15 August 2016 - 06:17 AM

The log was not posted or attached.

Please do it again.

Let me know if the problem is persisting.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-08-2016 01
Ran by Mergho (administrator) on AHMEDAMR-PC (13-08-2016 02:54:53)
Running from C:\Users\Ahmed Amr\Desktop\New folder (2)
Loaded Profiles: Mergho (Available Profiles: Mergho)
Platform: Windows 10 Pro Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(DEVGURU Co., LTD.) C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files (x86)\LuDaShi\ComputerZTray.exe
( ) C:\Program Files (x86)\sbqh\uc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
( ) C:\Program Files (x86)\sbqh\uc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe
() C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe
(Node.js) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCLibrary\CCLibrary.exe
(Node.js) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCLibrary\libs\node.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [708952 2013-07-08] (Alps Electric Co., Ltd.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [508128 2016-05-05] (Adobe Systems Incorporated)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [1795912 2015-07-23] (NVIDIA Corporation)
HKLM-x32\...\Run: [KiesTrayAgent] => C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [318128 2016-06-02] (Samsung Electronics Co., Ltd.)
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files\PowerISO\PWRISOVM.EXE [454792 2016-06-07] (Power Software Ltd)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2380480 2016-06-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [apphide] => C:\Program Files (x86)\sbqh\uc.exe [233520 2016-08-03] ( )
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3614168608-439642083-191617718-1000\...\Run: [apphide] => C:\Program Files (x86)\sbqh\uc.exe [233520 2016-08-03] ( )
HKU\S-1-5-21-3614168608-439642083-191617718-1000\...\RunOnce: [Uninstall C:\Users\Ahmed Amr\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Ahmed Amr\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\amd64"
HKU\S-1-5-21-3614168608-439642083-191617718-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Bubbles.scr [805888 2015-10-30] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-05-22] ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-05-22] ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-05-22] ()
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => C:\Program Files\؟ىر¹\X64\KZipShell.dll [2016-08-13] ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 163.121.128.134 163.121.128.135 192.168.1.1
Tcpip\..\Interfaces\{9ad83933-79b2-40ab-85eb-21845a3543f1}: [DhcpNameServer] 163.121.128.134 163.121.128.135 192.168.1.1
Tcpip\..\Interfaces\{d1e9f53d-538f-4a3c-be5b-915b6c55be35}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-3614168608-439642083-191617718-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE01&ocid=UE01DHP
 
FireFox:
========
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2016-06-08] (Adobe Systems)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-07-23] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-07-23] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-30] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-30] (Google Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2016-06-08] (Adobe Systems)
 
Chrome: 
=======
CHR HomePage: tkosghefoiedqhosy -> hxxp://www.google.com/
CHR StartupUrls: tkosghefoiedqhosy -> "hxxp://www.google.com/","hxxp://www.youndoo.com/?z=ee0b19f006e32de7d194778g8z2m8e1b6qfzbc4c2c&from=wak&uid=WDCXWD7500BPVT-75HXZT3_WD-WX41E413113731137&type=hp"
CHR DefaultSearchURL: tkosghefoiedqhosy -> hxxp://www.youndoo.com/search/?q={searchTerms}&z=ee0b19f006e32de7d194778g8z2m8e1b6qfzbc4c2c&from=wak&uid=WDCXWD7500BPVT-75HXZT3_WD-WX41E413113731137&type=sp
CHR DefaultSearchKeyword: tkosghefoiedqhosy -> youndoo
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AdobeUpdateService; C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe [737984 2016-06-03] (Adobe Systems Incorporated)
R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2159832 2016-08-12] (Adobe Systems, Incorporated)
S4 BITCOMET_HELPER_SERVICE; C:\Program Files\BitComet\tools\BitCometService.exe [1296728 2013-11-29] (www.BitComet.com)
R2 HpSvc; C:\Program Files (x86)\LuDaShi\lpi\HpSvc.dll [239016 2016-07-21] ()
R2 KuaizipUpdateChecker; C:\Program Files\؟ىر¹\X86\kuaizipUpdateChecker.dll [217528 2016-08-13] ()
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 ss_conn_service; C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [754784 2016-01-08] (DEVGURU Co., LTD.)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 athr; C:\Windows\System32\drivers\athwnx.sys [4207104 2015-10-30] (Qualcomm Atheros Communications, Inc.)
R2 ComputerZLock; C:\Program Files (x86)\LuDaShi\ComputerZLock_x64.sys [44264 2016-05-19] (www.ludashi.com)
S3 ComputerZ_x64; C:\Program Files (x86)\LuDaShi\ComputerZ_x64.sys [49152 2016-06-27] (ludashi.com)
R2 KuaiZipDrive; C:\WINDOWS\system32\drivers\KuaiZipDrive.sys [92872 2016-08-10] (WinMount International Inc)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-08-13] (Malwarebytes)
R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [589824 2015-10-30] (Realtek                                            )
R1 UCGuard; C:\Windows\System32\DRIVERS\ucguard.sys [81792 2016-08-02] (Huorong Borui (Beijing) Technology Co., Ltd.)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
U3 idsvc; no ImagePath
U3 wpcsvc; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVCx32: HpSvc -> C:\Program Files (x86)\LuDaShi\lpi\HpSvc.dll ()
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-08-13 01:41 - 2016-08-13 02:54 - 00000000 ____D C:\FRST
2016-08-13 01:40 - 2016-08-13 01:41 - 00000000 ____D C:\Users\Ahmed Amr\Desktop\New folder (2)
2016-08-13 00:16 - 2016-08-13 00:08 - 00011796 _____ C:\Users\Ahmed Amr\Desktop\AdwCleaner[S1].txt
2016-08-13 00:04 - 2016-08-13 00:04 - 00011722 _____ C:\Users\Ahmed Amr\Desktop\AdwCleaner[S0].txt
2016-08-12 23:59 - 2016-08-13 01:43 - 00000000 ____D C:\AdwCleaner
2016-08-12 23:59 - 2016-08-12 23:59 - 03784256 _____ C:\Users\Ahmed Amr\Desktop\adwcleaner_6.000.exe
2016-08-12 13:46 - 2016-08-12 13:46 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Tempzxpsign80eabea594bd8b78
2016-08-12 13:42 - 2016-08-12 13:42 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Tempzxpsign5c769674cbf8ac99
2016-08-12 13:42 - 2016-08-12 13:42 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Tempzxpsign0bce0318a5ba4d06
2016-08-11 16:17 - 2016-08-11 16:21 - 00000000 ____D C:\Users\Ahmed Amr\Desktop\New folder
2016-08-11 02:13 - 2016-08-13 02:53 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-08-11 02:08 - 2016-08-11 02:10 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-08-11 02:08 - 2016-08-11 02:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-08-11 02:08 - 2016-08-11 02:08 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-08-11 02:08 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-08-11 02:08 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-08-11 02:08 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-08-11 01:57 - 2016-08-11 01:57 - 00000000 ____D C:\WINDOWS\pss
2016-08-11 01:50 - 2016-08-13 01:38 - 00004158 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{46014ECA-5A61-4362-93F1-FF307235744D}
2016-08-11 01:40 - 2016-08-11 01:40 - 00250912 _____ C:\WINDOWS\SysWOW64\kz.exe
2016-08-11 01:34 - 2016-08-11 01:34 - 00002215 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-08-11 01:14 - 2016-08-11 01:14 - 00000000 _____ C:\Users\Ahmed Amr\AppData\Roaming\1.txt
2016-08-11 00:34 - 2016-08-11 01:28 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC浏览器
2016-08-11 00:15 - 2016-08-11 00:15 - 00093072 _____ (WinMount International Inc) C:\WINDOWS\system32\Drivers\KuaiZipDrive2.sys
2016-08-11 00:12 - 2016-08-13 02:47 - 00000482 _____ C:\WINDOWS\Tasks\UCBrowserUpdater.job
2016-08-11 00:12 - 2016-08-11 00:12 - 00003502 _____ C:\WINDOWS\System32\Tasks\UCBrowserUpdater
2016-08-11 00:12 - 2016-08-02 15:47 - 00081792 _____ (Huorong Borui (Beijing) Technology Co., Ltd.) C:\WINDOWS\system32\Drivers\ucguard.sys
2016-08-11 00:10 - 2016-08-11 01:39 - 00000000 ____D C:\Program Files (x86)\UCBrowser
2016-08-10 23:56 - 2016-08-10 23:57 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Roaming\lockhomepage
2016-08-10 23:55 - 2016-08-13 02:57 - 00003416 _____ C:\WINDOWS\System32\Tasks\ComputerZ-Tray
2016-08-10 23:55 - 2016-08-13 01:39 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Roaming\Ludashi
2016-08-10 23:55 - 2016-08-11 01:30 - 07616340 _____ C:\Users\Ahmed Amr\AppData\Roaming\setup.apk
2016-08-10 23:55 - 2016-08-11 01:30 - 00732869 _____ C:\Users\Ahmed Amr\AppData\Roaming\xdo.zip
2016-08-10 23:55 - 2016-08-10 23:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\鲁大师
2016-08-10 23:53 - 2016-08-11 01:43 - 00000000 ____D C:\Program Files (x86)\LuDaShi
2016-08-10 23:53 - 2016-08-10 23:53 - 00092872 _____ (WinMount International Inc) C:\WINDOWS\system32\Drivers\KuaiZipDrive.sys
2016-08-10 23:53 - 2016-08-10 23:53 - 00000882 _____ C:\Users\Ahmed Amr\AppData\Roaming\Microsoft\Windows\Start Menu\؟ىر¹.lnk
2016-08-10 23:53 - 2016-08-10 23:53 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Roaming\Softlink
2016-08-10 23:52 - 2016-08-13 02:55 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Roaming\Kuaizip
2016-08-10 23:52 - 2016-08-13 02:38 - 00000000 ____D C:\Program Files\؟ىر¹
2016-08-10 23:52 - 2016-08-11 01:43 - 00000000 ____D C:\Program Files (x86)\GreatMaker
2016-08-10 23:42 - 2016-02-18 11:10 - 05267952 _____ () C:\Users\Ahmed Amr\AppData\Roaming\ziptool_wc-9015_setup.exe
2016-08-10 23:40 - 2016-08-11 01:13 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Roaming\ssn
2016-08-10 23:38 - 2016-08-10 23:38 - 00000000 ____D C:\Users\Public\Documents\Tools
2016-08-10 23:37 - 2016-08-10 23:37 - 00000000 ____D C:\Users\Public\Documents\Guid
2016-08-10 23:33 - 2016-08-11 01:54 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\app
2016-08-10 23:31 - 2016-08-11 01:41 - 00000000 ____D C:\Program Files (x86)\sbqh
2016-08-10 23:29 - 2016-08-10 23:24 - 00001188 _____ C:\WINDOWS\system32\Drivers\etc\hp.bak
2016-08-10 23:28 - 2016-08-11 03:32 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Roaming\gplyra
2016-08-10 23:26 - 2016-08-10 23:26 - 00000000 ___HD C:\Program Files (x86)\z2m2D29
2016-08-10 23:25 - 2016-08-11 03:32 - 00000000 ____D C:\Program Files (x86)\Gheklerjotain
2016-08-10 23:25 - 2016-08-10 23:26 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\fqisphivisecoozech
2016-08-10 23:25 - 2016-08-10 23:25 - 00000000 ____D C:\extensions
2016-08-10 23:23 - 2016-08-10 23:23 - 00000000 ____D C:\Program Files (x86)\WeatherChickn
2016-08-08 18:40 - 2016-08-08 19:03 - 63385912 _____ C:\Users\Ahmed Amr\Desktop\wings.psd
2016-08-08 17:41 - 2016-08-08 17:41 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Tempzxpsignfd607de9e482e235
2016-08-08 17:41 - 2016-08-08 17:41 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Tempzxpsign282636b25d9d361a
2016-08-08 17:41 - 2016-08-08 17:41 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Tempzxpsign1db76c8fca40c00e
2016-08-07 20:02 - 2016-08-07 20:02 - 02460660 _____ C:\Users\Ahmed Amr\Desktop\freddycamargo.zip
2016-08-05 00:33 - 2016-08-05 00:34 - 01752315 _____ C:\Users\Ahmed Amr\Desktop\PIIS0002817716304755.pdf
2016-08-05 00:27 - 2016-08-05 00:27 - 00463052 _____ C:\Users\Ahmed Amr\Desktop\PIIS0002817716304731.pdf
2016-08-04 16:08 - 2016-08-04 16:08 - 00000000 ____D C:\Users\Ahmed Amr\Desktop\Automated Photo Collages Test
2016-08-04 16:08 - 2016-08-04 16:08 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Tempzxpsign6320363d3a72cef7
2016-08-04 14:31 - 2016-08-13 02:54 - 00000000 ___RD C:\Users\Ahmed Amr\Creative Cloud Files
2016-08-04 14:31 - 2016-08-13 02:54 - 00000000 ____D C:\ProgramData\boost_interprocess
2016-08-04 14:30 - 2016-08-04 14:30 - 00001226 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Creative Cloud.lnk
2016-08-04 13:07 - 2016-08-04 13:07 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Tempzxpsigndb8b33c01a8068da
2016-08-04 13:07 - 2016-08-04 13:07 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Tempzxpsign1224c74c3fc7a6a8
2016-08-04 13:07 - 2016-08-04 13:07 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Tempzxpsign04fa66fcb00b7590
2016-08-04 13:05 - 2016-08-04 13:05 - 00001379 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Update Management Tool.lnk
2016-08-04 12:58 - 2016-08-04 12:58 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Tempzxpsignb0d2f5c43a31b3db
2016-08-04 12:58 - 2016-08-04 12:58 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Tempzxpsign428414041fc6f832
2016-08-04 12:54 - 2016-08-04 12:54 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Tempzxpsign90625b99e781c4ff
2016-08-04 12:54 - 2016-08-04 12:54 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Tempzxpsign44bed905dff7e85e
2016-08-04 12:53 - 2016-08-04 12:53 - 00003622 _____ C:\WINDOWS\System32\Tasks\AdobeAAMUpdater-1.0-AhmedAmr-PC-Mergho
2016-08-04 12:43 - 2016-08-04 12:43 - 00001101 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CC 2015.5.lnk
2016-08-04 12:43 - 2016-08-04 12:43 - 00000000 ____D C:\Users\Ahmed Amr\Documents\Adobe
2016-08-04 12:33 - 2016-08-04 12:43 - 00000000 ____D C:\Program Files\Adobe
2016-08-04 12:20 - 2016-08-04 14:30 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-08-02 14:09 - 2016-08-03 23:43 - 36968037 _____ C:\Users\Ahmed Amr\Desktop\Untitled-3 copy.psd
2016-08-01 17:19 - 2016-08-01 17:21 - 07367414 _____ C:\Users\Ahmed Amr\Desktop\KLPDesigns logan storyboard.psd
2016-08-01 17:19 - 2016-08-01 17:20 - 04454825 _____ C:\Users\Ahmed Amr\Desktop\KLP Designs Katelyn Storyboard.psd
2016-08-01 16:28 - 2016-08-01 16:42 - 00000000 ____D C:\Users\Ahmed Amr\Desktop\cams
2016-07-31 01:23 - 2016-08-03 03:11 - 00000000 ____D C:\Users\Ahmed Amr\Desktop\kh
2016-07-30 21:22 - 2016-07-30 21:22 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Roaming\PowerISO
2016-07-25 20:08 - 2016-07-25 20:08 - 07105536 _____ C:\Users\Ahmed Amr\AppData\Roaming\agent.dat
2016-07-25 20:08 - 2016-07-25 20:08 - 00018432 _____ C:\Users\Ahmed Amr\AppData\Roaming\Main.dat
2016-07-25 20:08 - 2016-07-25 20:08 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Roaming\Mozilla
2016-07-25 19:40 - 2016-07-25 19:40 - 00129024 _____ C:\Users\Ahmed Amr\AppData\Roaming\Installer.dat
2016-07-25 19:40 - 2016-07-25 19:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerISO
2016-07-25 19:40 - 2016-07-25 19:40 - 00000000 ____D C:\Program Files\PowerISO
2016-07-25 19:40 - 2016-05-25 01:06 - 00137280 _____ (Power Software Ltd) C:\WINDOWS\system32\Drivers\scdemu.sys
2016-07-24 15:32 - 2016-07-24 15:33 - 00020668 _____ C:\Users\Ahmed Amr\Documents\Vertigo (1958) [1080p] [YTS.AG].torrent
2016-07-24 15:32 - 2016-07-24 15:32 - 00021729 _____ C:\Users\Ahmed Amr\Documents\Mystic River (2003) [1080p] [YTS.AG].torrent
2016-07-24 15:32 - 2016-07-24 15:32 - 00018199 _____ C:\Users\Ahmed Amr\Documents\2001- A Space Odyssey (1968) [720p] [YTS.AG].torrent
2016-07-24 15:32 - 2016-07-24 15:32 - 00017216 _____ C:\Users\Ahmed Amr\Documents\No Country for Old Men (2007) [1080p] [YTS.AG].torrent
2016-07-24 15:32 - 2016-07-24 15:32 - 00016895 _____ C:\Users\Ahmed Amr\Documents\To Kill a Mockingbird (1962) [720p] [YTS.AG].torrent
2016-07-24 15:32 - 2016-07-24 15:32 - 00016225 _____ C:\Users\Ahmed Amr\Documents\The Big Lebowski (1998) [1080p] [YTS.AG].torrent
2016-07-24 15:32 - 2016-07-24 15:32 - 00016213 _____ C:\Users\Ahmed Amr\Documents\The Silence of the Lambs (1991) [1080p] [YTS.AG].torrent
2016-07-24 15:32 - 2016-07-24 15:32 - 00015888 _____ C:\Users\Ahmed Amr\Documents\Chinatown (1974) [720p] [YTS.AG].torrent
2016-07-24 15:32 - 2016-07-24 15:32 - 00015317 _____ C:\Users\Ahmed Amr\Documents\Requiem for a Dream (2000) [1080p] [YTS.AG].torrent
2016-07-24 15:32 - 2016-07-24 15:32 - 00015315 _____ C:\Users\Ahmed Amr\Documents\Fargo (1996) [1080p] [YTS.AG].torrent
2016-07-24 15:32 - 2016-07-24 15:32 - 00015001 _____ C:\Users\Ahmed Amr\Documents\The Wizard of Oz (1939) [1080p] [YTS.AG].torrent
2016-07-24 15:32 - 2016-07-24 15:32 - 00012653 _____ C:\Users\Ahmed Amr\Documents\L.A. Confidential (1997) [720p] [YTS.AG].torrent
2016-07-23 09:18 - 2016-07-23 10:24 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Roaming\Samsung
2016-07-23 09:18 - 2016-07-23 09:18 - 00000000 ____D C:\Users\Public\Documents\NativeFus_Log
2016-07-23 09:18 - 2016-07-23 09:18 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Samsung
2016-07-23 09:17 - 2016-07-23 09:17 - 00000000 ____D C:\Users\Ahmed Amr\Documents\samsung
2016-07-23 09:16 - 2016-01-08 10:51 - 00213088 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\WINDOWS\system32\Drivers\ssudmdm.sys
2016-07-23 09:16 - 2016-01-08 10:51 - 00120416 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\WINDOWS\system32\Drivers\ssudbus.sys
2016-07-23 09:14 - 2016-07-23 10:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Samsung
2016-07-23 09:14 - 2013-12-30 10:53 - 04659712 _____ (Dmitry Streblechenko) C:\WINDOWS\SysWOW64\Redemption.dll
2016-07-23 09:14 - 2013-12-30 10:53 - 00144664 _____ (MAPILab Ltd. & Add-in Express Ltd.) C:\WINDOWS\SysWOW64\secman.dll
2016-07-23 09:13 - 2016-07-23 10:24 - 00000000 ____D C:\Program Files (x86)\Samsung
2016-07-23 09:13 - 2016-07-23 09:15 - 00000000 ____D C:\ProgramData\Samsung
2016-07-23 09:12 - 2016-07-23 09:12 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Downloaded Installations
2016-07-22 12:12 - 2016-07-22 12:12 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Roaming\WinRAR
2016-07-22 12:12 - 2016-07-22 12:12 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2016-07-22 12:12 - 2016-07-22 12:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2016-07-22 12:12 - 2016-07-22 12:12 - 00000000 ____D C:\Program Files\WinRAR
2016-07-20 01:48 - 2016-07-20 01:48 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Roaming\MPC-HC
2016-07-20 01:46 - 2016-07-20 01:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MPC-HC x64
2016-07-20 01:46 - 2016-07-20 01:46 - 00000000 ____D C:\Program Files\MPC-HC
2016-07-20 01:38 - 2016-07-20 01:38 - 00007601 _____ C:\Users\Ahmed Amr\AppData\Local\Resmon.ResmonCfg
2016-07-16 04:03 - 2016-07-16 04:03 - 00000000 ____D C:\Users\Ahmed Amr\AppData\LocalLow\Adobe
2016-07-16 02:42 - 2016-08-04 12:55 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Roaming\NVIDIA
2016-07-14 07:19 - 2016-07-14 07:19 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\NVIDIA
2016-07-14 07:17 - 2016-07-14 07:31 - 00000000 ____D C:\WINDOWS\SysWOW64\NV
2016-07-14 07:17 - 2016-07-14 07:31 - 00000000 ____D C:\WINDOWS\system32\NV
2016-07-14 07:05 - 2016-07-19 13:24 - 00000000 ____D C:\ProgramData\NVIDIA
2016-07-14 07:04 - 2015-07-23 03:10 - 06873928 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcpl.dll
2016-07-14 07:04 - 2015-07-23 03:10 - 03493008 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvsvc64.dll
2016-07-14 07:04 - 2015-07-23 03:10 - 02558608 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvsvcr.dll
2016-07-14 07:04 - 2015-07-23 03:10 - 01059984 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nv3dappshext.dll
2016-07-14 07:04 - 2015-07-23 03:10 - 00937800 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvvsvc.exe
2016-07-14 07:04 - 2015-07-23 03:10 - 00385168 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvmctray.dll
2016-07-14 07:04 - 2015-07-23 03:10 - 00074896 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nv3dappshextr.dll
2016-07-14 07:04 - 2015-07-23 03:10 - 00062608 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvshext.dll
2016-07-14 07:04 - 2015-07-23 02:44 - 00572048 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvStreaming.exe
2016-07-14 07:04 - 2015-07-22 06:29 - 05121613 _____ C:\WINDOWS\system32\nvcoproc.bin
2016-07-14 07:02 - 2015-07-23 04:02 - 00112784 _____ (Khronos Group) C:\WINDOWS\system32\OpenCL.dll
2016-07-14 07:01 - 2016-07-14 07:05 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2016-07-14 07:00 - 2016-07-14 07:05 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-08-13 02:54 - 2016-07-04 17:09 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Adobe
2016-08-13 02:53 - 2016-07-02 21:34 - 00000926 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-13 02:52 - 2016-07-02 16:49 - 00000390 _____ C:\WINDOWS\Tasks\DriverToolkit Autorun.job
2016-08-13 02:51 - 2016-04-27 08:34 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-08-13 02:02 - 2016-07-02 21:34 - 00000930 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-13 01:35 - 2016-07-02 15:50 - 00000000 ____D C:\Users\Ahmed Amr
2016-08-13 01:33 - 2015-10-30 09:24 - 00000000 ____D C:\WINDOWS\Registration
2016-08-12 23:56 - 2016-07-02 16:03 - 00879220 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-08-12 23:56 - 2015-10-30 09:21 - 00000000 ____D C:\WINDOWS\INF
2016-08-12 02:32 - 2016-07-02 18:59 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Roaming\BitComet
2016-08-11 05:42 - 2015-10-30 08:28 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2016-08-11 03:32 - 2015-10-30 09:24 - 00000000 ____D C:\WINDOWS\Help
2016-08-04 14:32 - 2016-07-04 17:10 - 00000000 ____D C:\ProgramData\Adobe
2016-08-04 13:51 - 2016-07-02 16:14 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Roaming\Adobe
2016-08-04 13:04 - 2016-07-04 17:14 - 00000000 ____D C:\Program Files\Common Files\Adobe
2016-08-04 12:53 - 2016-07-04 17:25 - 00000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2016-08-04 12:24 - 2016-07-04 17:21 - 00000000 ____D C:\ProgramData\Package Cache
2016-08-03 13:46 - 2016-04-27 08:29 - 00217664 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-07-30 20:57 - 2016-07-02 21:34 - 00003988 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2016-07-30 20:57 - 2016-07-02 21:34 - 00003756 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2016-07-24 15:58 - 2016-06-27 08:03 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\VirtualStore
2016-07-23 10:24 - 2016-06-27 08:27 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-07-22 12:17 - 2016-07-02 16:29 - 00000000 ____D C:\Program Files (x86)\DriverToolkit
2016-07-20 15:23 - 2016-07-01 16:53 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Google
2016-07-20 01:38 - 2015-10-30 09:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-07-20 01:38 - 2015-10-30 09:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-07-20 01:17 - 2015-10-30 09:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-07-14 07:29 - 2016-07-02 16:14 - 00000000 ____D C:\Users\Ahmed Amr\AppData\Local\Packages
2016-07-14 07:14 - 2016-07-07 22:35 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-07-14 07:06 - 2016-07-07 22:35 - 144749672 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-07-14 07:05 - 2016-07-04 21:45 - 00000000 ____D C:\Program Files\NVIDIA Corporation
 
==================== Files in the root of some directories =======
 
2016-08-11 01:14 - 2016-08-11 01:14 - 0000000 _____ () C:\Users\Ahmed Amr\AppData\Roaming\1.txt
2016-04-26 14:24 - 2016-04-26 14:24 - 0000009 ____N () C:\Users\Ahmed Amr\AppData\Roaming\a.bat
2010-08-28 22:43 - 2010-08-28 22:43 - 0577335 ____N () C:\Users\Ahmed Amr\AppData\Roaming\adb.exe
2010-08-28 22:43 - 2010-08-28 22:43 - 0096256 ____N (Google, inc) C:\Users\Ahmed Amr\AppData\Roaming\AdbWinApi.dll
2010-08-28 22:43 - 2010-08-28 22:43 - 0060928 ____N (Google, inc) C:\Users\Ahmed Amr\AppData\Roaming\AdbWinUsbApi.dll
2016-07-25 20:08 - 2016-07-25 20:08 - 7105536 _____ () C:\Users\Ahmed Amr\AppData\Roaming\agent.dat
2010-08-28 22:43 - 2010-08-28 22:43 - 0356009 ____N () C:\Users\Ahmed Amr\AppData\Roaming\fastboot.exe
2016-07-25 19:40 - 2016-07-25 19:40 - 0129024 _____ () C:\Users\Ahmed Amr\AppData\Roaming\Installer.dat
2016-07-25 20:08 - 2016-07-25 20:08 - 0018432 _____ () C:\Users\Ahmed Amr\AppData\Roaming\Main.dat
2016-08-10 23:55 - 2016-08-11 01:30 - 7616340 _____ () C:\Users\Ahmed Amr\AppData\Roaming\setup.apk
2016-08-10 23:55 - 2016-08-11 01:30 - 0732869 _____ () C:\Users\Ahmed Amr\AppData\Roaming\xdo.zip
2016-08-10 23:42 - 2016-02-18 11:10 - 5267952 _____ () C:\Users\Ahmed Amr\AppData\Roaming\ziptool_wc-9015_setup.exe
2016-07-20 01:38 - 2016-07-20 01:38 - 0007601 _____ () C:\Users\Ahmed Amr\AppData\Local\Resmon.ResmonCfg
 
Some files in TEMP:
====================
C:\Users\Ahmed Amr\AppData\Local\Temp\333.exe
C:\Users\Ahmed Amr\AppData\Local\Temp\360NetBase.dll
C:\Users\Ahmed Amr\AppData\Local\Temp\360NetBase64.dll
C:\Users\Ahmed Amr\AppData\Local\Temp\360NetUL.dll
C:\Users\Ahmed Amr\AppData\Local\Temp\ads.exe
C:\Users\Ahmed Amr\AppData\Local\Temp\appstart.exe
C:\Users\Ahmed Amr\AppData\Local\Temp\Browser_V5.6.14087.902_f_4674_(Build1608021049).exe
C:\Users\Ahmed Amr\AppData\Local\Temp\KuaiZip_Setup.exe
C:\Users\Ahmed Amr\AppData\Local\Temp\libeay32.dll
C:\Users\Ahmed Amr\AppData\Local\Temp\ludashisetup.exe
C:\Users\Ahmed Amr\AppData\Local\Temp\msvcr120.dll
C:\Users\Ahmed Amr\AppData\Local\Temp\setup.exe
C:\Users\Ahmed Amr\AppData\Local\Temp\softconfig.dll
C:\Users\Ahmed Amr\AppData\Local\Temp\sqlite3.dll
C:\Users\Ahmed Amr\AppData\Local\Temp\ucni.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-08-06 14:07
 
==================== End of FRST.txt ============================

Attached Files



#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:51 PM

Posted 15 August 2016 - 06:52 AM

I was expecting a fixlog.txt log.

Please refer to my instructions on the post No. 6.

Did you turn ON your system restore?

>>>

If not already done create the Fixlist.txt file.
Place the file in the folder in bold: Running from C:\Users\Ahmed Amr\Desktop\New folder (2)

Run the Farbar tool and hid the FIX button.

A fixlog.txt will be created.

Post the content for my review.

Let me know what problem persists.

#14 Mergho

Mergho
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  

Posted 15 August 2016 - 07:15 AM

I was expecting a fixlog.txt log.

Please refer to my instructions on the post No. 6.

Did you turn ON your system restore?

>>>

If not already done create the Fixlist.txt file.
Place the file in the folder in bold: Running from C:\Users\Ahmed Amr\Desktop\New folder (2)

Run the Farbar tool and hid the FIX button.

A fixlog.txt will be created.

Post the content for my review.

Let me know what problem persists.

 

Yes, i turned it on (Attachment) 

Attached Files



#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:51 PM

Posted 16 August 2016 - 07:11 AM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users