
Strange behavior


This topic is locked
7 replies to this topic

#1 Serb91


Posted 23 March 2017 - 12:39 PM

A couple of days ago I made a stupid mistake and ran some exe file I downloaded. After that I have had a lot of problems with my system. I already ran rkill, Zemana, HitmanPro, and adwCleaner a couple of times. The first time I ran them everything was cleaned, but after some time malicious files appeared again. I ran this software again and cleaned everything again, but during the night Zemana Antimalware stopped working and the malicious files returned. Yesterday I scanned the system again in safe mode and removed everything, but 1 hour ago a progress bar with a clock appeared on my screen, and after it progressed to 100%, Zemana stopped working and showed some error message. Please tell me which steps I should perform to get rid of these problems.



#2 Serb91


Posted 23 March 2017 - 01:18 PM

This is the file generated by FRST. Addition.txt is attached to this post.


-------------------------------------------------------------------------------------------------


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by <PC>_000 (administrator) on <PC> (23-03-2017 19:05:16)
Running from C:\Users\<PC>_000\Downloads
Loaded Profiles: <PC>_000 (Available Profiles: <PC>_000)
Platform: Windows 8.1 Pro (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Advanced Micro Devices, Inc.) C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Plays.tv, LLC) C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Copyright 2017.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
(Copyright 2017.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
() C:\Program Files\RogueKiller\RogueKiller64.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\livecomm.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_25_0_0_127.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_25_0_0_127.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7632088 2014-06-10] (Realtek Semiconductor)
HKLM\...\Run: [StartCN] => C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe [6626696 2016-07-18] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14471408 2017-03-06] (Copyright 2017.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-09-22] (Oracle Corporation)
HKU\S-1-5-21-1172481675-1058511214-2217543290-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8894680 2016-08-05] (Piriform Ltd)
HKU\S-1-5-21-1172481675-1058511214-2217543290-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [29635712 2016-09-12] (Skype Technologies S.A.)
HKU\S-1-5-21-1172481675-1058511214-2217543290-1001\...\Run: [XçcZYzR0SZ.exe] => C:\Program Files\Microsoft SQL Server Compact Edition\{156-46-5b-7b4d6-843e5-1583-4880c}\XçcZYzR0SZ.exe -r1_5 -r2_1
HKU\S-1-5-21-1172481675-1058511214-2217543290-1001\...\RunOnce: [Uninstall C:\Users\<PC>_000\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\<PC>_000\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64"
HKU\S-1-5-21-1172481675-1058511214-2217543290-1001\...\MountPoints2: {fd0bc338-9553-11e5-8257-4a9fbff267df} - "G:\setup.exe"
HKU\S-1-5-18\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [.QMDeskTopGCIcon] -> {B7667919-3765-4815-A66D-98A09BE662D6} =>  -> No File
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} =>  -> No File
BootExecute: autocheck autochk * sh4native Sh4Removal

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{3889A462-3546-42F7-9845-CB2268FDE499}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=131347649062767244&GUID=F037C8D8-FD3E-4364-B12C-C3A4EB66EB20
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
HKU\S-1-5-21-1172481675-1058511214-2217543290-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKLM-x32 -> DefaultScope value is missing
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2017-03-06] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_111\bin\ssv.dll [2016-10-25] (Oracle Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2017-03-06] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_111\bin\jp2ssv.dll [2016-10-25] (Oracle Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll [2017-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\ssv.dll [2016-10-25] (Oracle Corporation)
BHO-x32: Microsoft Web Test Recorder 14.0 Helper -> {b924f0b4-0b3c-49c0-bab2-213fb9ebd1d3} -> C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll [2015-07-07] (Microsoft Corporation)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\GROOVEEX.DLL [2017-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\jp2ssv.dll [2016-10-25] (Oracle Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-03-06] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-03-06] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-03-06] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-03-06] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\<PC>_000\AppData\Roaming\Mozilla\Firefox\Profiles\6shmixn7.default-1462546129222 [2017-03-23]
FF Homepage: Mozilla\Firefox\Profiles\6shmixn7.default-1462546129222 -> about:home
FF Extension: (PSFactoryBuffer) - C:\Users\<PC>_000\AppData\Roaming\Mozilla\Firefox\Profiles\6shmixn7.default-1462546129222\Extensions\{E7A044CF-54F3-7619-5C98-72BF45E5D0C5} [2016-08-17] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_25_0_0_127.dll [2017-03-14] ()
FF Plugin: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [2016-10-25] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [2016-10-25] (Oracle Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_127.dll [2017-03-14] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [2016-10-25] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [2016-10-25] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2017-03-06] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-03-06] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-03-22] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-03-22] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1172481675-1058511214-2217543290-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\<PC>_000\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2016-05-08] (Unity Technologies ApS)

Chrome:
=======
CHR DefaultProfile: ChromeDefaultData
CHR Profile: C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-03-22] <==== ATTENTION
CHR Extension: (Google Slides) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-08-17]
CHR Extension: (Google Docs) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\aohghmighlieiainnegkcijnfilokake [2016-08-17]
CHR Extension: (Google Drive) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-08-17]
CHR Extension: (YouTube) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-08-17]
CHR Extension: (Google Sheets) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-08-17]
CHR Extension: (Google Docs Offline) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-08-19]
CHR Extension: (Chrome Web Store Payments) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-16]
CHR Extension: (Gmail) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-08-17]
CHR Extension: (Chrome Media Router) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-14]
CHR Profile: C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2 [2017-03-22] <==== ATTENTION
CHR Extension: (Google Slides) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-11-13]
CHR Extension: (Google Docs) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\aohghmighlieiainnegkcijnfilokake [2015-11-13]
CHR Extension: (Google Drive) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-13]
CHR Extension: (YouTube) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-11-13]
CHR Extension: (Google Search) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-13]
CHR Extension: (Google Sheets) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-11-13]
CHR Extension: (Google Docs Offline) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-20]
CHR Extension: (Gmail) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-11-13]
CHR Extension: (Chrome Media Router) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-15]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx

Opera:
=======
OPR Extension: (CinemaP-1.9cV09.11) - C:\Users\<PC>_000\AppData\Roaming\Opera Software\Opera Stable\Extensions\lkadffjmnaiokkdncgdlecdegajoiemi [2015-11-14]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe [351944 2015-11-03] (Advanced Micro Devices, Inc.)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
S2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [445976 2016-10-10] (BlueStack Systems, Inc.)
R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [425496 2016-10-10] (BlueStack Systems, Inc.)
S3 BstHdPlusAndroidSvc; C:\Program Files (x86)\Bluestacks\HD-Plus-Service.exe [466456 2016-10-10] (BlueStack Systems, Inc.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [3736776 2017-03-05] (Microsoft Corporation)
S4 Disc Soft Ultra Bus Service; C:\Program Files\DAEMON Tools Ultra\DiscSoftBusService.exe [1345368 2015-06-10] (Disc Soft Ltd)
S3 ICCS; C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [160256 2011-08-30] (Intel Corporation) [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 PlaysService; C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe [32528 2016-08-09] (Plays.tv, LLC)
S3 VSStandardCollectorService140; C:\Program Files (x86)\Microsoft Visual Studio 14.0\Team Tools\DiagnosticsHub\Collector\StandardCollector.Service.exe [52968 2015-07-07] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
R2 WPDTSrv; C:\ProgramData\Microsoft\Phone Tools\CoreCon\12.0\addons\SDKFilesVer.dll [103424 2017-03-21] () [File not signed]
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14471408 2017-03-06] (Copyright 2017.)
S2 lomebimi; no ImagePath
S2 nqeproductnoajoyneot; no ImagePath

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 amdkmafd; C:\Windows\System32\drivers\amdkmafd.sys [21160 2012-09-23] (Advanced Micro Devices, Inc.)
R2 AODDriver4.2.0; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
S2 AODDriver4.3; C:\Program Files\AMD\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
R1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [22240 2013-10-28] ()
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [110096 2016-05-04] (Advanced Micro Devices)
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [152672 2016-10-10] (BlueStack Systems)
S3 BstkDrv; C:\Program Files (x86)\Bluestacks\BstkDrv.sys [270904 2016-10-07] (Bluestack System Inc. )
R3 dtultrascsibus; C:\Windows\System32\drivers\dtultrascsibus.sys [30264 2015-11-28] (Disc Soft Ltd)
R3 dtultrausbbus; C:\Windows\System32\drivers\dtultrausbbus.sys [47160 2015-11-28] (Disc Soft Ltd)
S3 GVTDrv64; C:\Windows\GVTDrv64.sys [30528 2015-11-13] ()
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [54736 2017-03-22] ()
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [27552 2017-03-17] (REALiX™)
S3 NdisImPlatformMp; C:\Windows\system32\DRIVERS\NdisImPlatform.sys [126464 2014-11-21] (Microsoft Corporation)
S1 oqaodoun; C:\Windows\system32\drivers\oqaodoun.sys [55168 2017-03-23] (Microsoft Corporation)
R3 SensorsSimulatorDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [226304 2014-11-21] (Microsoft Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2017-03-23] ()
S1 UsbCharger; C:\Windows\System32\DRIVERS\UsbCharger.sys [22240 2013-10-24] ()
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
R3 XtuAcpiDriver; C:\Windows\System32\drivers\XtuAcpiDriver.sys [54344 2016-11-22] (Intel Corporation)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2017-03-18] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2017-03-17] (Zemana Ltd.)
S1 akwqrlfv; \??\C:\Windows\system32\drivers\akwqrlfv.sys [X]
S1 frqqibgh; \??\C:\Windows\system32\drivers\frqqibgh.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-23 19:05 - 2017-03-23 19:06 - 00020482 _____ C:\Users\<PC>_000\Downloads\FRST.txt
2017-03-23 19:04 - 2017-03-23 19:05 - 00000000 ____D C:\FRST
2017-03-23 19:03 - 2017-03-23 19:03 - 02424832 _____ (Farbar) C:\Users\<PC>_000\Downloads\FRST64.exe
2017-03-23 18:50 - 2017-03-23 18:57 - 00001234 _____ C:\Users\<PC>_000\Desktop\Google Chrome.lnk
2017-03-23 18:50 - 2017-03-23 18:50 - 00055168 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\oqaodoun.sys
2017-03-23 18:15 - 2017-03-23 18:15 - 00028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-03-23 18:13 - 2017-03-23 18:13 - 00000870 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2017-03-23 18:13 - 2017-03-23 18:13 - 00000000 ____D C:\ProgramData\RogueKiller
2017-03-23 18:13 - 2017-03-23 18:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-03-23 18:12 - 2017-03-23 18:13 - 00000000 ____D C:\Program Files\RogueKiller
2017-03-23 18:11 - 2017-03-23 18:12 - 35109888 _____ (Adlice Software ) C:\Users\<PC>_000\Downloads\setup.exe
2017-03-22 23:44 - 2017-03-22 23:44 - 00006700 _____ C:\Users\<PC>_000\Desktop\New Text Document.txt
2017-03-22 15:28 - 2017-03-22 15:28 - 01179491 _____ C:\Users\<PC>_000\Downloads\C-Soccer.pdf
2017-03-22 15:28 - 2017-03-22 15:28 - 00269197 _____ C:\Users\<PC>_000\Downloads\9360.pdf
2017-03-22 15:26 - 2017-03-22 16:08 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-03-22 15:26 - 2017-03-22 16:08 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-03-22 15:26 - 2017-03-22 15:26 - 00001175 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-03-22 15:26 - 2017-03-22 15:26 - 00001163 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2017-03-22 15:25 - 2017-03-22 15:25 - 00002279 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-03-22 15:24 - 2017-03-22 15:25 - 00000000 ____D C:\Program Files (x86)\Google
2017-03-22 15:24 - 2017-03-22 15:24 - 00003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-03-22 15:24 - 2017-03-22 15:24 - 00003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-03-22 15:23 - 2017-03-22 15:23 - 01129376 _____ (Google Inc.) C:\Users\<PC>_000\Downloads\ChromeSetup.exe
2017-03-22 15:22 - 2017-03-22 15:25 - 44272360 _____ (Mozilla) C:\Users\<PC>_000\Downloads\Firefox Setup 53.0b4.exe
2017-03-22 14:45 - 2017-03-22 15:25 - 00002291 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-03-22 14:21 - 2017-03-23 12:21 - 00000132 _____ C:\Users\Public\Documents\temp.dat
2017-03-22 13:55 - 2017-03-22 13:55 - 00054736 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2017-03-22 13:39 - 2017-03-22 13:39 - 00000000 ____D C:\Windows\pss
2017-03-22 11:01 - 2017-03-22 14:02 - 00000000 ____D C:\Windows\system32\log
2017-03-21 16:46 - 2017-03-21 16:46 - 00000000 ____D C:\Users\<PC>_000\AppData\Local\Bepat
2017-03-21 02:48 - 2017-03-21 02:48 - 00000000 _____ C:\Windows\SysWOW64\1
2017-03-20 22:11 - 2017-03-20 22:28 - 192417960 _____ C:\Users\<PC>_000\Downloads\cureit.exe
2017-03-20 22:10 - 2017-03-20 22:10 - 00000000 ____D C:\ProgramData\Doctor Web
2017-03-20 14:54 - 2017-03-22 11:36 - 00000000 _____ C:\Windows\SysWOW64\4
2017-03-20 14:54 - 2017-03-22 11:36 - 00000000 _____ C:\Windows\SysWOW64\3
2017-03-18 01:16 - 2017-03-18 01:16 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2017-03-17 20:53 - 2017-03-23 19:06 - 00000344 _____ C:\Windows\Tasks\Traffic Exchange v209 - 3.job
2017-03-17 20:53 - 2017-03-23 19:06 - 00000344 _____ C:\Windows\Tasks\Traffic Exchange v209 - 2.job
2017-03-17 20:53 - 2017-03-23 19:06 - 00000344 _____ C:\Windows\Tasks\Traffic Exchange v209 - 1.job
2017-03-17 20:53 - 2017-03-23 19:06 - 00000334 _____ C:\Windows\Tasks\Traffic Exchange v2 - 3.job
2017-03-17 20:53 - 2017-03-23 19:06 - 00000334 _____ C:\Windows\Tasks\Traffic Exchange v2 - 2.job
2017-03-17 20:53 - 2017-03-23 19:06 - 00000334 _____ C:\Windows\Tasks\Traffic Exchange v2 - 1.job
2017-03-17 20:53 - 2017-03-17 20:53 - 00003150 _____ C:\Windows\System32\Tasks\Traffic Exchange v209 - 3
2017-03-17 20:53 - 2017-03-17 20:53 - 00003150 _____ C:\Windows\System32\Tasks\Traffic Exchange v209 - 2
2017-03-17 20:53 - 2017-03-17 20:53 - 00003150 _____ C:\Windows\System32\Tasks\Traffic Exchange v209 - 1
2017-03-17 20:53 - 2017-03-17 20:53 - 00003140 _____ C:\Windows\System32\Tasks\Traffic Exchange v2 - 3
2017-03-17 20:53 - 2017-03-17 20:53 - 00003140 _____ C:\Windows\System32\Tasks\Traffic Exchange v2 - 2
2017-03-17 20:53 - 2017-03-17 20:53 - 00003140 _____ C:\Windows\System32\Tasks\Traffic Exchange v2 - 1
2017-03-17 20:51 - 2017-03-17 20:52 - 00000000 ____D C:\Users\<PC>_000\AppData\Local\Buvertypomodom
2017-03-17 20:51 - 2017-03-17 20:51 - 00006062 _____ C:\Windows\System32\Tasks\Ckepaphdrerseied Center
2017-03-17 20:35 - 2017-03-22 13:54 - 00002922 _____ C:\Windows\system32\.crusader
2017-03-17 20:19 - 2017-03-17 20:35 - 00000000 ____D C:\ProgramData\HitmanPro
2017-03-17 20:18 - 2017-03-17 20:19 - 11581544 _____ (SurfRight B.V.) C:\Users\<PC>_000\Downloads\HitmanPro_x64.exe
2017-03-17 19:13 - 2017-03-23 19:06 - 05346701 _____ C:\Windows\ZAM.krnl.trace
2017-03-17 19:13 - 2017-03-23 19:05 - 00666583 _____ C:\Windows\ZAM_Guard.krnl.trace
2017-03-17 19:13 - 2017-03-17 19:13 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2017-03-17 19:13 - 2017-03-17 19:13 - 00001164 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2017-03-17 19:13 - 2017-03-17 19:13 - 00000000 ____D C:\Users\<PC>_000\AppData\Local\Zemana
2017-03-17 19:13 - 2017-03-17 19:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2017-03-17 19:13 - 2017-03-17 19:13 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2017-03-17 19:12 - 2017-03-17 19:12 - 05755024 _____ (Zemana Ltd. ) C:\Users\<PC>_000\Downloads\Zemana.AntiMalware.Setup.exe
2017-03-17 19:09 - 2017-03-17 19:09 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\<PC>_000\Downloads\rkill.exe
2017-03-17 18:16 - 2017-03-17 18:16 - 04031440 _____ C:\Users\<PC>_000\Downloads\adwcleaner_6.044.exe
2017-03-17 18:13 - 2017-03-17 18:33 - 00000000 ____D C:\ProgramData\ProductData
2017-03-17 18:13 - 2017-03-17 18:13 - 00027552 _____ (REALiX™) C:\Windows\SysWOW64\Drivers\HWiNFO64A.SYS
2017-03-17 18:13 - 2017-03-17 18:13 - 00002888 _____ C:\Windows\System32\Tasks\Driver Booster SkipUAC (<PC>_000)
2017-03-17 18:13 - 2017-03-17 18:13 - 00000000 ____D C:\Windows\IObit
2017-03-17 18:13 - 2017-03-17 18:13 - 00000000 ____D C:\Users\<PC>_000\AppData\LocalLow\IObit
2017-03-17 18:13 - 2017-03-17 18:13 - 00000000 ____D C:\ProgramData\IObit
2017-03-17 18:11 - 2017-03-17 20:17 - 00000000 ___HD C:\ProgramData\209G142G378l349
2017-03-17 18:11 - 2017-03-17 18:11 - 00000000 ____D C:\Users\<PC>_000\AppData\Roaming\IObit
2017-03-17 18:10 - 2017-03-17 18:14 - 00000000 ____D C:\Users\<PC>_000\AppData\Local\Ghuterymmercult
2017-03-17 18:10 - 2017-03-17 18:10 - 00006012 _____ C:\Windows\System32\Tasks\Phugushlecerse Manager
2017-03-17 11:17 - 2017-03-17 13:53 - 00000000 ____D C:\Users\<PC>_000\Desktop\MO-Analyzing
2017-03-14 20:47 - 2017-03-04 09:01 - 00576512 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2017-03-14 20:47 - 2017-03-04 08:59 - 02895360 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2017-03-14 20:47 - 2017-03-04 08:48 - 25746944 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-03-14 20:47 - 2017-03-04 08:45 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2017-03-14 20:47 - 2017-03-04 08:44 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2017-03-14 20:47 - 2017-03-04 08:31 - 06045696 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-03-14 20:47 - 2017-03-04 08:05 - 01033216 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2017-03-14 20:47 - 2017-03-04 07:54 - 00806912 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2017-03-14 20:47 - 2017-03-04 07:26 - 15259648 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-03-14 20:47 - 2017-03-04 07:25 - 03241984 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-03-14 20:47 - 2017-03-04 07:12 - 01545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-03-14 20:47 - 2017-03-04 07:02 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2017-03-14 20:47 - 2017-03-04 05:18 - 20281856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2017-03-14 20:47 - 2017-03-02 19:01 - 00499200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2017-03-14 20:47 - 2017-03-02 18:55 - 02287104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2017-03-14 20:47 - 2017-03-02 18:49 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2017-03-14 20:47 - 2017-03-02 18:25 - 00880640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2017-03-14 20:47 - 2017-03-02 18:22 - 04604416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2017-03-14 20:47 - 2017-03-02 18:19 - 00693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2017-03-14 20:47 - 2017-03-02 18:11 - 13654528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2017-03-14 20:47 - 2017-03-02 17:53 - 02767360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2017-03-14 20:47 - 2017-03-02 17:50 - 01312768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2017-03-14 20:47 - 2017-03-02 17:50 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2017-03-14 20:47 - 2017-02-11 20:25 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2017-03-14 20:47 - 2017-02-11 06:12 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2017-03-14 20:47 - 2017-02-11 06:12 - 00145408 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
2017-03-14 20:47 - 2017-02-11 06:00 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2017-03-14 20:47 - 2017-02-11 05:58 - 00378880 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2017-03-14 20:47 - 2017-02-11 05:56 - 02131456 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2017-03-14 20:47 - 2017-02-10 20:09 - 04169728 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2017-03-14 20:47 - 2017-02-10 06:34 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2017-03-14 20:47 - 2017-02-10 06:10 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2017-03-14 20:47 - 2017-02-10 06:09 - 00128000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2017-03-14 20:47 - 2017-02-10 06:08 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2017-03-14 20:47 - 2017-02-10 06:01 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2017-03-14 20:47 - 2017-02-10 06:00 - 00330752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2017-03-14 20:47 - 2017-02-10 05:59 - 02055680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2017-03-14 20:47 - 2017-02-10 02:31 - 01549144 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2017-03-14 20:47 - 2017-02-10 01:12 - 01375960 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2017-03-14 20:47 - 2017-02-09 16:28 - 01987584 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2017-03-14 20:47 - 2017-02-09 16:19 - 01377792 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2017-03-14 20:47 - 2017-02-09 16:16 - 01560064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2017-03-14 20:47 - 2017-02-09 16:16 - 01094656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2017-03-14 20:47 - 2017-02-09 15:59 - 00658432 _____ (Microsoft Corporation) C:\Windows\system32\dnsapi.dll
2017-03-14 20:47 - 2017-02-09 15:58 - 00499200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dnsapi.dll
2017-03-14 20:47 - 2017-02-09 15:58 - 00252416 _____ (Microsoft Corporation) C:\Windows\system32\dnsrslvr.dll
2017-03-14 20:47 - 2017-02-04 21:32 - 07444832 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2017-03-14 20:47 - 2017-02-04 21:30 - 01663184 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2017-03-14 20:47 - 2017-02-04 21:30 - 01523216 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2017-03-14 20:47 - 2017-02-04 21:30 - 01490128 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2017-03-14 20:47 - 2017-02-04 21:30 - 01358960 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2017-03-14 20:47 - 2017-02-04 20:32 - 00251392 _____ (Microsoft Corporation) C:\Windows\system32\microsoft-windows-system-events.dll
2017-03-14 20:47 - 2017-02-04 20:30 - 00285184 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2017-03-14 20:47 - 2017-02-04 19:14 - 01001472 _____ (Microsoft Corporation) C:\Windows\HelpPane.exe
2017-03-14 20:47 - 2017-02-04 18:50 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\icm32.dll
2017-03-14 20:47 - 2017-02-04 18:40 - 01754112 _____ (Microsoft Corporation) C:\Windows\system32\GdiPlus.dll
2017-03-14 20:47 - 2017-02-04 18:32 - 00584704 _____ (Microsoft Corporation) C:\Windows\system32\mscms.dll
2017-03-14 20:47 - 2017-02-04 18:17 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icm32.dll
2017-03-14 20:47 - 2017-02-04 18:10 - 01491456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\GdiPlus.dll
2017-03-14 20:47 - 2017-02-04 18:05 - 00503808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscms.dll
2017-03-14 20:47 - 2017-01-21 22:37 - 00567152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2017-03-14 20:47 - 2017-01-21 20:27 - 00756736 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2017-03-14 20:47 - 2017-01-21 20:27 - 00095232 _____ (Microsoft Corporation) C:\Windows\system32\auditpolmsg.dll
2017-03-14 20:47 - 2017-01-21 20:27 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2017-03-14 20:47 - 2017-01-21 20:22 - 00201728 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2017-03-14 20:47 - 2017-01-21 20:20 - 00401920 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2017-03-14 20:47 - 2017-01-21 19:40 - 00756736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2017-03-14 20:47 - 2017-01-21 19:40 - 00095232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpolmsg.dll
2017-03-14 20:47 - 2017-01-21 19:40 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2017-03-14 20:47 - 2017-01-21 19:37 - 00445440 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2017-03-14 20:47 - 2017-01-21 18:58 - 00324096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2017-03-14 20:47 - 2017-01-21 18:48 - 01437696 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-03-14 20:47 - 2017-01-14 18:49 - 00146944 _____ (Microsoft Corporation) C:\Windows\system32\wininit.exe
2017-03-14 20:47 - 2017-01-11 20:37 - 02345984 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2017-03-14 20:47 - 2017-01-10 20:08 - 01549312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2017-03-14 20:47 - 2017-01-05 19:20 - 01697792 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll
2017-03-14 20:47 - 2017-01-05 19:09 - 07076864 _____ (Microsoft Corporation) C:\Windows\system32\glcndFilter.dll
2017-03-14 20:47 - 2017-01-05 18:36 - 01501184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\quartz.dll
2017-03-14 20:47 - 2017-01-05 18:29 - 05273600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\glcndFilter.dll
2017-03-14 20:47 - 2017-01-05 18:13 - 07796224 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Data.Pdf.dll
2017-03-14 20:47 - 2017-01-05 17:57 - 05268480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Data.Pdf.dll
2017-03-14 20:47 - 2016-11-09 20:22 - 00681472 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2017-03-14 20:42 - 2017-02-23 15:50 - 00093360 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2017-03-14 20:42 - 2017-02-22 15:35 - 01609216 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2017-03-14 20:42 - 2017-02-22 15:35 - 00646656 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2017-03-02 23:44 - 2017-03-02 23:44 - 00001122 _____ C:\Users\<PC>_000\Desktop\EVEREST Home Edition.lnk
2017-03-02 23:44 - 2017-03-02 23:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavalys
2017-03-02 23:44 - 2017-03-02 23:44 - 00000000 ____D C:\Program Files (x86)\Lavalys
2017-03-02 22:30 - 2017-03-02 22:30 - 00000000 ____D C:\Users\<PC>_000\Desktop\cpu-z_1.78-en-1
2017-03-02 09:04 - 2017-01-18 15:35 - 01286144 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2017-03-02 09:04 - 2017-01-18 15:35 - 00556544 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2017-03-02 09:04 - 2017-01-18 15:35 - 00335360 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2017-03-02 09:04 - 2017-01-18 15:35 - 00293376 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2017-03-02 09:04 - 2017-01-18 15:35 - 00233984 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2017-03-02 09:04 - 2017-01-18 15:35 - 00133632 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2017-03-02 09:04 - 2016-06-03 18:11 - 00472576 _____ (Microsoft Corporation) C:\Windows\system32\pcasvc.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-23 19:02 - 2016-08-17 16:40 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1172481675-1058511214-2217543290-1001
2017-03-23 19:02 - 2015-11-13 16:19 - 00000000 ____D C:\Users\<PC>_000\AppData\Roaming\Skype
2017-03-23 19:02 - 2013-08-22 16:36 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2017-03-23 18:57 - 2016-08-17 03:00 - 00000000 ___HD C:\Program Files (x86)\ccdCF4C
2017-03-23 18:57 - 2015-11-14 05:44 - 00001054 _____ C:\Users\<PC>_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-03-23 18:03 - 2015-11-14 05:44 - 00000000 ____D C:\Users\<PC>_000
2017-03-23 13:21 - 2015-11-14 05:50 - 00003930 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{271E96DD-C9C1-499E-9661-DC1B13493149}
2017-03-22 15:34 - 2015-11-14 05:54 - 00003840 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1447476880
2017-03-22 15:34 - 2015-11-14 05:54 - 00000000 ____D C:\Program Files (x86)\Opera
2017-03-22 15:27 - 2016-09-25 00:48 - 00000000 ____D C:\Users\<PC>_000\AppData\LocalLow\Mozilla
2017-03-22 14:52 - 2015-11-14 05:44 - 00000000 ____D C:\Users\<PC>_000\AppData\Local\Packages
2017-03-22 14:45 - 2015-11-13 16:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2017-03-22 14:37 - 2016-12-10 23:16 - 00000000 ____D C:\ProgramData\BlueStacksSetup
2017-03-22 14:37 - 2016-01-11 20:20 - 00000000 ____D C:\Users\<PC>_000\AppData\Roaming\MPC-HC
2017-03-22 14:37 - 2015-11-13 16:48 - 00000000 ____D C:\Users\<PC>_000\AppData\Roaming\uTorrent
2017-03-22 14:37 - 2013-08-22 14:36 - 00000000 ____D C:\Windows\Inf
2017-03-22 14:36 - 2015-11-13 17:42 - 04447232 ___SH C:\Users\<PC>_000\Desktop\Thumbs.db
2017-03-22 14:32 - 2015-11-13 15:51 - 00000000 ___HD C:\Program Files (x86)\Temp
2017-03-22 14:20 - 2015-11-14 05:45 - 00000000 ____D C:\Users\<PC>_000\OneDrive
2017-03-22 14:18 - 2013-08-22 15:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-03-22 14:08 - 2015-11-13 18:45 - 00000000 ____D C:\Program Files (x86)\TrendMicro
2017-03-22 14:03 - 2015-11-13 14:56 - 00000000 ____D C:\AdwCleaner
2017-03-22 13:55 - 2013-08-22 14:25 - 00524288 ___SH C:\Windows\system32\config\BBI
2017-03-22 13:40 - 2016-08-15 17:36 - 00065536 _____ C:\Windows\system32\spu_storage.bin
2017-03-18 05:57 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\rescache
2017-03-18 01:12 - 2016-08-17 09:17 - 00000000 ____D C:\Users\<PC>_000\Downloads\SpyHunter v4.19.13.4482 Final Ml_Rus
2017-03-17 21:10 - 2015-11-14 01:31 - 00000000 ____D C:\Users\<PC>_000\AppData\Local\MSfree Inc
2017-03-17 20:51 - 2015-11-13 22:09 - 00000000 ____D C:\Program Files\Microsoft SQL Server Compact Edition
2017-03-17 18:20 - 2015-11-14 05:44 - 00000000 ____D C:\Users\<PC>_000\AppData\Roaming\Adobe
2017-03-17 10:33 - 2013-08-22 15:44 - 00474496 _____ C:\Windows\system32\FNTCACHE.DAT
2017-03-16 11:36 - 2013-08-22 16:36 - 00000000 ___HD C:\Program Files\WindowsApps
2017-03-16 11:36 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\AppReadiness
2017-03-16 11:36 - 2013-08-22 16:20 - 00000000 ____D C:\Windows\CbsTemp
2017-03-16 11:33 - 2015-11-13 19:29 - 00000000 ____D C:\Windows\system32\appraiser
2017-03-16 11:33 - 2015-11-13 18:03 - 00000000 ____D C:\Windows\system32\MRT
2017-03-16 11:31 - 2015-11-13 18:03 - 138634176 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-03-14 16:09 - 2015-12-01 21:57 - 00004288 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-03-14 16:09 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-03-14 16:09 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\system32\Macromed
2017-03-10 05:34 - 2016-12-17 00:27 - 00835576 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-03-10 05:34 - 2016-12-17 00:27 - 00177656 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-03-08 08:37 - 2016-01-28 19:40 - 00000000 ____D C:\Users\<PC>_000\AppData\Roaming\PhoXo
2017-03-01 12:48 - 2016-11-18 06:36 - 00000000 ____D C:\Users\<PC>_000\Desktop\test
2017-02-26 07:54 - 2015-11-14 08:31 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-02-24 18:43 - 2016-11-12 22:58 - 00046080 ___SH C:\Users\<PC>_000\Downloads\Thumbs.db
2017-02-23 21:17 - 2016-12-10 14:01 - 00003174 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task v2
2017-02-23 21:17 - 2016-04-21 16:32 - 00002349 _____ C:\Users\<PC>_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive for Business.lnk
2017-02-23 21:17 - 2015-11-14 00:03 - 00003182 _____ C:\Windows\System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-1172481675-1058511214-2217543290-1001

==================== Files in the root of some directories =======

2016-08-15 19:22 - 2016-08-15 19:22 - 0054272 _____ () C:\Users\<PC>_000\AppData\Roaming\ApplicationHosting.dat
2016-08-15 19:22 - 2016-08-15 19:22 - 1901051 _____ () C:\Users\<PC>_000\AppData\Roaming\Doncom.tst
2016-08-15 19:22 - 2016-08-15 19:22 - 0126464 _____ () C:\Users\<PC>_000\AppData\Roaming\lobby.dat
2016-08-15 19:22 - 2016-08-15 19:22 - 0072719 _____ () C:\Users\<PC>_000\AppData\Roaming\Ronlex.tst
2016-09-01 13:22 - 2016-09-01 13:22 - 0007605 _____ () C:\Users\<PC>_000\AppData\Local\Resmon.ResmonCfg
2015-11-14 06:00 - 2015-11-14 06:00 - 0000187 _____ () C:\Users\<PC>_000\AppData\Local\Sillux.exe.config
2015-11-13 15:54 - 2015-11-13 15:54 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
2017-03-17 18:10 - 2017-03-17 18:11 - 17866872 _____ (IObit                                                       ) C:\Users\<PC>_000\AppData\Local\Temp\1715.tmp.exe
2017-03-23 18:13 - 2016-08-13 08:40 - 1737080 _____ (Microsoft Corporation) C:\Users\<PC>_000\AppData\Local\Temp\dllnt_dump.dll
2017-03-17 18:34 - 2016-11-26 06:52 - 0101088 _____ () C:\Users\<PC>_000\AppData\Local\Temp\DriverInstall.exe
2017-03-17 18:34 - 2016-11-26 06:52 - 0115936 _____ () C:\Users\<PC>_000\AppData\Local\Temp\DriverInstall_X64.exe
2017-03-17 18:34 - 2016-11-26 06:52 - 0112352 _____ () C:\Users\<PC>_000\AppData\Local\Temp\DriverTool.dll
2016-10-25 10:53 - 2016-10-25 10:53 - 0737856 _____ (Oracle Corporation) C:\Users\<PC>_000\AppData\Local\Temp\jre-8u111-windows-au.exe
2017-03-22 14:25 - 2017-03-22 14:25 - 0739904 _____ (Oracle Corporation) C:\Users\<PC>_000\AppData\Local\Temp\jre-8u121-windows-au.exe
2017-03-17 18:34 - 2016-11-26 06:52 - 0162832 _____ (深圳市猫哈网络科技发展有限公司) C:\Users\<PC>_000\AppData\Local\Temp\maohasubstat.dll
2016-08-15 17:38 - 2016-08-15 17:38 - 0221632 _____ () C:\Users\<PC>_000\AppData\Local\Temp\raptr_stub.exe
2017-03-17 18:34 - 2016-11-26 06:52 - 0797216 _____ (深圳市猫哈网络科技发展有限公司) C:\Users\<PC>_000\AppData\Local\Temp\softconfig.dll
2017-03-17 18:34 - 2016-11-26 06:55 - 0598560 _____ () C:\Users\<PC>_000\AppData\Local\Temp\uninstall.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-23 06:35

==================== End of FRST.txt ============================


Edited by Serb91, 23 March 2017 - 01:25 PM.


#3 Serb91

Serb91
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:08 AM

Posted 23 March 2017 - 03:10 PM

Can anyone tell me how to solve this?



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:08 PM

Posted 24 March 2017 - 08:23 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-18\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [.QMDeskTopGCIcon] -> {B7667919-3765-4815-A66D-98A09BE662D6} =>  -> No File
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} =>  -> No File
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKLM-x32 -> DefaultScope value is missing
CHR Profile: C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-03-22] <==== ATTENTION
CHR Extension: (Chrome Web Store Payments) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-16]
CHR Extension: (Chrome Media Router) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-14]
CHR Profile: C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2 [2017-03-22] <==== ATTENTION
CHR Extension: (Chrome Web Store Payments) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-20]
CHR Extension: (Chrome Media Router) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-15]
OPR Extension: (CinemaP-1.9cV09.11) - C:\Users\<PC>_000\AppData\Roaming\Opera Software\Opera Stable\Extensions\lkadffjmnaiokkdncgdlecdegajoiemi [2015-11-14]
S2 lomebimi; no ImagePath
S2 nqeproductnoajoyneot; no ImagePath
S1 oqaodoun; C:\Windows\system32\drivers\oqaodoun.sys [55168 2017-03-23] (Microsoft Corporation)
S1 akwqrlfv; \??\C:\Windows\system32\drivers\akwqrlfv.sys [X]
S1 frqqibgh; \??\C:\Windows\system32\drivers\frqqibgh.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
Task: {275DC815-87D1-4CFC-BBCB-B777F947F3D7} - \KMSAutoNet -> No File <==== ATTENTION
Task: {74D439C5-9E04-40FB-B022-4F4EFE37CE6C} - System32\Tasks\Traffic Exchange v2 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe  <==== ATTENTION
Task: {9220EDF1-474A-419E-AE2E-FD70EF41FF7C} - System32\Tasks\Traffic Exchange v2 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe  <==== ATTENTION
Task: {9C7D6459-12C9-44CE-B60D-46D38AF3F389} - System32\Tasks\Traffic Exchange v209 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe  <==== ATTENTION
Task: {C92B7343-7B34-4F11-A221-28454F25BA55} - System32\Tasks\Traffic Exchange v209 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe  <==== ATTENTION
Task: {CCBEA38C-413D-4DBD-BFDA-CCDCFF32F927} - System32\Tasks\Traffic Exchange v209 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe  <==== ATTENTION
Task: {D7FEC0D2-2474-4FD6-BB0F-D56146ADEB35} - \Folocult -> No File <==== ATTENTION
Task: {E267BA5D-BA45-419E-A925-DA64B40A63E7} - System32\Tasks\Ckepaphdrerseied Center => C:\Program Files (x86)\Stiwercult\xgubigh.exe
Task: {F82973C6-BB3E-4E5F-93FB-DA0473C595E0} - \209G142G378l349 -> No File <==== ATTENTION
Task: {FD674E34-32D3-417C-9B0D-DDEA52194007} - System32\Tasks\Traffic Exchange v2 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe  <==== ATTENTION
Task: C:\Windows\Tasks\Traffic Exchange v2 - 1.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\Windows\Tasks\Traffic Exchange v2 - 2.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\Windows\Tasks\Traffic Exchange v2 - 3.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\Windows\Tasks\Traffic Exchange v209 - 1.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\Windows\Tasks\Traffic Exchange v209 - 2.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\Windows\Tasks\Traffic Exchange v209 - 3.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION
AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x64.sys [25444]
AlternateDataStreams: C:\Windows\system32\drivers:x64 [1498914]
AlternateDataStreams: C:\Windows\system32\drivers:x86 [1223458]
AlternateDataStreams: C:\Windows\system32\Drivers\oqaodoun.sys:changelist [1318]
C:\Program Files (x86)\Microleaves
C:\Program Files (x86)\Stiwercult
C:\Windows\system32\drivers\oqaodoun.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download to your Desktop the Junkware Removal Tool Download from this link.
http://www.bleepingcomputer.com/download/junkware-removal-tool/

Shut down your antivirus to avoid any conflicts.
Right click the icon - disable for say 20 mins.
Right-mouse click JRT.exe and select Run as administrator (If using XP just double click on the icon to run it.)
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
======

ADOBE FLASH PLAYER

Go to this page with Firefox or Opera to download the current version for your browser:
https://get.adobe.com/flashplayer/

Note:
Flash Player is pre-installed in Google Chrome and updates automatically!
Flash Player is pre-installed in IE/Edge and updates automatically!
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after these updates remove these old version(s) via the Control Panel > Programs > Programs and Features.
Adobe Flash Player 25 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 25.0.0.127 - Adobe Systems Incorporated)
Java 8 Update 111 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
Java SE Development Kit 8 Update 102 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180102}) (Version: 8.0.1020.14 - Oracle Corporation)

==

Please post the logs and let me know what problem persists with this computer.
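The fixlist in the post above is assembled by hand from the FRST scan: the helper picks the `Task:`, service, `AlternateDataStreams:` and profile lines that FRST itself marks (`<==== ATTENTION`, `-> No File`, `no ImagePath`, `[X]`) plus a few paths chosen on judgement, and wraps them in the `Start` / `End` layout FRST expects. As an added illustration, and not code from the thread, from nasdaq, or from the FRST tool, the Python below parses log lines in those formats, reports why each one deserves review, and renders a draft fixlist in that layout. The sample lines are copied from the log quoted in this thread; the `Finding` class, the `classify`/`triage`/`draft_fixlist` functions and the reason strings are my own naming. The heuristics only reproduce markers FRST already prints, so a reviewer still has to check every line before running a fix.

```python
"""Triage helper for FRST log lines (hypothetical example, not part of FRST).

Reads log lines in the formats an FRST fixlist quotes, flags the ones FRST
itself marks as suspicious, and renders a draft fixlist in the Start/End
layout. Every flagged line still needs a human decision before a Fix is run.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Service/driver lines: "<state> <name>; <image path or 'no ImagePath'> ..."
# e.g. "S1 akwqrlfv; \??\C:\Windows\system32\drivers\akwqrlfv.sys [X]"
SERVICE_RE = re.compile(r"^(?P<start>[RSU][0-5]) (?P<name>[^;]+); (?P<rest>.*)$")

# Constructed sample: lines taken from the FRST log quoted in this thread.
SAMPLE_LOG = r"""
S2 lomebimi; no ImagePath
S1 oqaodoun; C:\Windows\system32\drivers\oqaodoun.sys [55168 2017-03-23] (Microsoft Corporation)
S1 akwqrlfv; \??\C:\Windows\system32\drivers\akwqrlfv.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
Task: {275DC815-87D1-4CFC-BBCB-B777F947F3D7} - \KMSAutoNet -> No File <==== ATTENTION
Task: {E267BA5D-BA45-419E-A925-DA64B40A63E7} - System32\Tasks\Ckepaphdrerseied Center => C:\Program Files (x86)\Stiwercult\xgubigh.exe
AlternateDataStreams: C:\Windows\system32\Drivers\oqaodoun.sys:changelist [1318]
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} =>  -> No File
CHR Profile: C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-03-22] <==== ATTENTION
""".strip().splitlines()


@dataclass
class Finding:
    line: str    # the log line exactly as FRST printed it (this is what goes in the fixlist)
    reason: str  # why a reviewer should look at it


def classify(line: str) -> Optional[str]:
    """Return a review reason for a log line, or None if no FRST marker applies."""
    s = line.strip()
    if not s:
        return None
    if "<==== ATTENTION" in s:
        return "flagged ATTENTION by FRST"
    if s.startswith("Task:") and "-> No File" in s:
        return "scheduled task whose target no longer exists"
    if s.startswith("ShellIconOverlayIdentifiers:") and "No File" in s:
        return "shell overlay handler whose file is missing"
    if s.startswith("AlternateDataStreams:"):
        return "alternate data stream attached to a system path"
    m = SERVICE_RE.match(s)
    if m:
        rest = m.group("rest")
        if rest.startswith("no ImagePath"):
            return "service registered without an ImagePath"
        if rest.endswith("[X]"):
            return "service whose image file does not exist"
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Keep only the lines that carry a review reason, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        reason = classify(raw)
        if reason:
            findings.append(Finding(raw.strip(), reason))
    return findings


def draft_fixlist(findings: Iterable[Finding], extra_paths: Iterable[str] = ()) -> str:
    """Render findings (plus any hand-picked paths) in fixlist.txt layout."""
    body = ["Start", "", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:", ""]
    body += [f.line for f in findings]
    body += list(extra_paths)
    body += ["", "End"]
    return "\n".join(body)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason:50s} {f.line}")
    print()
    print(draft_fixlist(found, [r"C:\Program Files (x86)\Stiwercult"]))
```

Running it on the sample flags seven of the nine lines. The two it leaves alone are instructive: the `oqaodoun` driver line carries no FRST marker (it even claims a Microsoft vendor string), and the `Ckepaphdrerseied Center` task has a target that exists. Both were nonetheless put in the fixlist above on the helper's judgement (the random names, the creation date matching the infection, and the `changelist` stream attached to that driver file), which is exactly the part of triage that markers alone cannot do.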

#5 Serb91

Serb91
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:08 AM

Posted 24 March 2017 - 09:31 AM

Thank you nasdaq for your help.

 

I made a mistake at the start and didn't replace <PC> with my real computer name. The first log created after running FRST finished part of the job and the second one, which is included in this post, finished the rest. Please, inform me if I have to repeat some scanning because of this mistake. Here are the logs:

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by <PC>_000 (24-03-2017 14:54:37) Run:2
Running from C:\Users\<PC>_000\Downloads
Loaded Profiles: <PC>_000 (Available Profiles: <PC>_000)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-18\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [.QMDeskTopGCIcon] -> {B7667919-3765-4815-A66D-98A09BE662D6} =>  -> No File
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} =>  -> No File
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKLM-x32 -> DefaultScope value is missing
CHR Profile: C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-03-22] <==== ATTENTION
CHR Extension: (Chrome Web Store Payments) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-16]
CHR Extension: (Chrome Media Router) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-14]
CHR Profile: C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2 [2017-03-22] <==== ATTENTION
CHR Extension: (Chrome Web Store Payments) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-20]
CHR Extension: (Chrome Media Router) - C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-15]
OPR Extension: (CinemaP-1.9cV09.11) - C:\Users\<PC>_000\AppData\Roaming\Opera Software\Opera Stable\Extensions\lkadffjmnaiokkdncgdlecdegajoiemi [2015-11-14]
S2 lomebimi; no ImagePath
S2 nqeproductnoajoyneot; no ImagePath
S1 oqaodoun; C:\Windows\system32\drivers\oqaodoun.sys [55168 2017-03-23] (Microsoft Corporation)
S1 akwqrlfv; \??\C:\Windows\system32\drivers\akwqrlfv.sys [X]
S1 frqqibgh; \??\C:\Windows\system32\drivers\frqqibgh.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
Task: {275DC815-87D1-4CFC-BBCB-B777F947F3D7} - \KMSAutoNet -> No File <==== ATTENTION
Task: {74D439C5-9E04-40FB-B022-4F4EFE37CE6C} - System32\Tasks\Traffic Exchange v2 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe  <==== ATTENTION
Task: {9220EDF1-474A-419E-AE2E-FD70EF41FF7C} - System32\Tasks\Traffic Exchange v2 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe  <==== ATTENTION
Task: {9C7D6459-12C9-44CE-B60D-46D38AF3F389} - System32\Tasks\Traffic Exchange v209 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe  <==== ATTENTION
Task: {C92B7343-7B34-4F11-A221-28454F25BA55} - System32\Tasks\Traffic Exchange v209 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe  <==== ATTENTION
Task: {CCBEA38C-413D-4DBD-BFDA-CCDCFF32F927} - System32\Tasks\Traffic Exchange v209 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe  <==== ATTENTION
Task: {D7FEC0D2-2474-4FD6-BB0F-D56146ADEB35} - \Folocult -> No File <==== ATTENTION
Task: {E267BA5D-BA45-419E-A925-DA64B40A63E7} - System32\Tasks\Ckepaphdrerseied Center => C:\Program Files (x86)\Stiwercult\xgubigh.exe
Task: {F82973C6-BB3E-4E5F-93FB-DA0473C595E0} - \209G142G378l349 -> No File <==== ATTENTION
Task: {FD674E34-32D3-417C-9B0D-DDEA52194007} - System32\Tasks\Traffic Exchange v2 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe  <==== ATTENTION
Task: C:\Windows\Tasks\Traffic Exchange v2 - 1.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\Windows\Tasks\Traffic Exchange v2 - 2.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\Windows\Tasks\Traffic Exchange v2 - 3.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\Windows\Tasks\Traffic Exchange v209 - 1.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\Windows\Tasks\Traffic Exchange v209 - 2.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\Windows\Tasks\Traffic Exchange v209 - 3.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION
AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x64.sys [25444]
AlternateDataStreams: C:\Windows\system32\drivers:x64 [1498914]
AlternateDataStreams: C:\Windows\system32\drivers:x86 [1223458]
AlternateDataStreams: C:\Windows\system32\Drivers\oqaodoun.sys:changelist [1318]
C:\Program Files (x86)\Microleaves
C:\Program Files (x86)\Stiwercult
C:\Windows\system32\drivers\oqaodoun.sys

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\.QMDeskTopGCIcon => key not found. 
HKCR\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6} => key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\KzShlobj => key not found. 
HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => key not found. 
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData => moved successfully
C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => not found
C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => not found
C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2 => moved successfully
C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => not found
C:\Users\<PC>_000\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => not found
C:\Users\<PC>_000\AppData\Roaming\Opera Software\Opera Stable\Extensions\lkadffjmnaiokkdncgdlecdegajoiemi => moved successfully
lomebimi => service not found.
nqeproductnoajoyneot => service not found.
oqaodoun => service not found.
akwqrlfv => service not found.
frqqibgh => service not found.
gdrv => service not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{275DC815-87D1-4CFC-BBCB-B777F947F3D7} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\KMSAutoNet => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{74D439C5-9E04-40FB-B022-4F4EFE37CE6C} => key not found. 
C:\Windows\System32\Tasks\Traffic Exchange v2 - 2 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v2 - 2 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9220EDF1-474A-419E-AE2E-FD70EF41FF7C} => key not found. 
C:\Windows\System32\Tasks\Traffic Exchange v2 - 1 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v2 - 1 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9C7D6459-12C9-44CE-B60D-46D38AF3F389} => key not found. 
C:\Windows\System32\Tasks\Traffic Exchange v209 - 2 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v209 - 2 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C92B7343-7B34-4F11-A221-28454F25BA55} => key not found. 
C:\Windows\System32\Tasks\Traffic Exchange v209 - 3 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v209 - 3 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CCBEA38C-413D-4DBD-BFDA-CCDCFF32F927} => key not found. 
C:\Windows\System32\Tasks\Traffic Exchange v209 - 1 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v209 - 1 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D7FEC0D2-2474-4FD6-BB0F-D56146ADEB35} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Folocult => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E267BA5D-BA45-419E-A925-DA64B40A63E7} => key not found. 
C:\Windows\System32\Tasks\Ckepaphdrerseied Center => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Ckepaphdrerseied Center => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F82973C6-BB3E-4E5F-93FB-DA0473C595E0} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\209G142G378l349 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FD674E34-32D3-417C-9B0D-DDEA52194007} => key not found. 
C:\Windows\System32\Tasks\Traffic Exchange v2 - 3 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v2 - 3 => key not found. 
C:\Windows\Tasks\Traffic Exchange v2 - 1.job => not found.
C:\Windows\Tasks\Traffic Exchange v2 - 2.job => not found.
C:\Windows\Tasks\Traffic Exchange v2 - 3.job => not found.
C:\Windows\Tasks\Traffic Exchange v209 - 1.job => not found.
C:\Windows\Tasks\Traffic Exchange v209 - 2.job => not found.
C:\Windows\Tasks\Traffic Exchange v209 - 3.job => not found.
"C:\Windows\system32\drivers" => ":ucdrv-x64.sys" ADS not found.
"C:\Windows\system32\drivers" => ":x64" ADS not found.
"C:\Windows\system32\drivers" => ":x86" ADS not found.
"C:\Windows\system32\Drivers\oqaodoun.sys" => ":changelist" ADS not found.
"C:\Program Files (x86)\Microleaves" => not found.
"C:\Program Files (x86)\Stiwercult" => not found.
"C:\Windows\system32\drivers\oqaodoun.sys" => not found.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 5353136 B
Java, Flash, Steam htmlcache => 492 B
Windows/system/drivers => 3712150 B
Edge => 0 B
Chrome => 0 B
Firefox => 13136326 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => -650 B
<PC>_000 => 2864341 B

RecycleBin => 14081 B
EmptyTemp: => 31.9 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 14:55:37 ====
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.2 (03.10.2017)
Operating System: Windows 8.1 Pro x64 
Ran by <PC>_000 (Administrator) on Fri 03/24/2017 at 15:03:58.49
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 2 

Successfully deleted: C:\ProgramData\productdata (Folder) 
Successfully deleted: C:\Windows\system32\Tasks\Driver Booster SkipUAC (<PC>_000) (Task)



Registry: 0 





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 03/24/2017 at 15:05:33.58
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#6 nasdaq

  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 March 2017 - 07:30 AM

If your problem has not been solved please run the Farbar tool one more time and post fresh FRST and Addition.txt logs for my review.

Let me know what problem persists.

#7 Serb91

  • Topic Starter
  • Members
  • 11 posts

Posted 25 March 2017 - 07:49 AM

For now it seems that the problems have disappeared. Thank you for helping me, nasdaq.



#8 nasdaq

  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 March 2017 - 12:04 PM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===
