
Suspected Agent.bydd ,along with uc browser virus and many more....


  • This topic is locked
14 replies to this topic

#1 seed12121212

seed12121212

  • Members
  • 23 posts
  • OFFLINE

Posted 09 June 2017 - 03:09 PM

Sir, I am unable to:

1. Uninstall many software from Add and Remove Programs (it says insufficient privilege).
2. Run Uplay (even though I am connected to the internet, it says not connected).
3. Change my default browser; it always remains the UC Chinese browser, which I think is a virus.
4. Write in the Start menu's search bar.

 

I posted the final log from the Emsisoft software, which detected the Agent.bydd trojan, in my final post.

Here is the link to the original post, from where I was suggested to post here: https://www.bleepingcomputer.com/forums/t/648733/installed-many-viruses-unknowingly-now-cannot-even-start-wscvc-from-services/

 

HELP!

I am attaching the FRST.txt and Addition.txt.

 

 


 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,559 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:45 AM

Posted 10 June 2017 - 10:22 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Cracked/warez versions of programs

Cracked/warez versions of programs sound "good" and "cheap", but they can cause all sorts of headaches for you and damage to your computer. No reputable forum will support any method of cracking, warez, workarounds, providing any methods, tools, or posting of links designed for this express purpose.

There are people who have spent a great deal of money on developing and testing hardware and software, marketing and distributing it, and then on education and support for it. They have spent long, tedious, difficult and brain-numbing days/nights on their endeavor. They are attempting to make an honest living and feed their families.

Let's not support the thieves who rip them off and cheat them out of the fruits of their labor.
===

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
AdvancedModule (HKU\S-1-5-21-511330708-1322164562-341044212-1001\...\Advanced Module_is1) (Version: - )
Jogotempo version 5.0 (HKLM-x32\...\{B552B283-6EBC-457E-8187-01682C83F26C}_is1) (Version: 5.0 - ) <==== ATTENTION
---

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
CMD: ipconfig /flushdns
RemoveProxy:

() C:\Users\Siddharth\AppData\Roaming\WMPNetworkAcSvc\WMPNetworkAcSvc.exe
(Microsoft Corporation) C:\ProgramData\Windows Security\winsecurity.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Network\Dsq\network\sysnetwk.exe
() C:\ProgramData\Microsoft\Network\Dsq\browser\syshostctl.exe
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKU\S-1-5-21-511330708-1322164562-341044212-1001\...\Run: [YeaDesktop] => C:\Program Files (x86)\YeaDesktop\YeaDesktop.exe /autostart <===== ATTENTION
HKU\S-1-5-21-511330708-1322164562-341044212-1001\...\Run: [msiql] => C:\Users\Siddharth\AppData\Local\Temp\00029546\msiql.exe /RUNNING <===== ATTENTION
ShellExecuteHooks: No Name - {5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} - C:\ProgramData\igfxDH.dll [952832 2017-06-05] ()
ShellIconOverlayIdentifiers: [JzShlobj] -> {9A0700D2-920A-4E52-8697-9B5230C92612} => C:\Program Files (x86)\Maoha\JiSuZip\JZipExt.dll -> No File
GroupPolicy: Restriction <======= ATTENTION
ProxyEnable: [S-1-5-21-511330708-1322164562-341044212-1001] => Proxy is enabled.
ProxyServer: [S-1-5-21-511330708-1322164562-341044212-1001] => http=127.0.0.1:8080;https=127.0.0.1:8080
ManualProxies: 1http=127.0.0.1:8080;https=127.0.0.1:8080
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll => No File
BHO-x32: Adobe Acrobat Create PDF Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll => No File
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll => No File
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll No File
FF user.js: detected! => C:\Users\Siddharth\AppData\Roaming\Mozilla\Firefox\Profiles\7cnnz4xm.default\user.js [2017-04-12]
FF Extension: (Tables) - C:\Users\Siddharth\AppData\Roaming\Mozilla\Firefox\Profiles\7cnnz4xm.default\Extensions\669206@extcorp.com.xpi [2017-04-12]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_25_0_0_171.dll [No File]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_171.dll [No File]
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [No File]
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [No File]
CHR HomePage: Default -> hxxp://www.oursurfing.com/?type=sy&ts=1434046796&z=4c0ed6fe04ae38f115173fagfz1c3zee6z4qcm0mdq&from=2sq&uid=HGSTXHTS721010A9E630_JR10006P0GPBEF0GPBEFX
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://in.yhs4.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_pwrisofs_15_25&param1=1&param2=f%3D7%26b%3DChrome%26cc%3Din%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0EzztB0A0E0A0D0DtByB0CyB0Dzz0FyEtN0D0Tzu0StCtByCtBtN1L2XzutAtFtCtDtFtCtDtFtBtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyDtD0D0F0B0EzzyCtGyBtByE0BtGyE0FyC0DtGtDzz0D0BtGyCtA0EyDtCyC0FyByEzyyB0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DyCtAyBtAyD0CtDtGtDtD0D0AtGyEzzzzyEt... (long line)
CHR Extension: (Tables) - C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\fngmhnnpilhplaeedifhccceomclgfbg [2017-06-06]
CHR Extension: (Poppit!) - C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2016-06-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-10]
CHR Extension: (Chrome Media Router) - C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-07]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx <not found>
R2 WindowsSecurity; C:\ProgramData\Windows Security\winsecurity.exe [1376256 2017-05-11] (Microsoft Corporation) [File not signed] <==== ATTENTION
R2 WMPNetworkAcSvc; C:\Users\Siddharth\AppData\Roaming\WMPNetworkAcSvc\WMPNetworkAcSvc.exe [5091840 2016-11-10] () [File not signed] <==== ATTENTION
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [X]
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S2 JszipService; C:\Program Files (x86)\Maoha\JiSuZip\JszipSvc.exe [X]
R2 OracleOraDb11g_home1TNSListener; E:\app\Siddharth\product\11.2.0\dbhome_1\BIN\TNSLSNR  [X]
S2 TMService; C:\Program Files (x86)\WindowsTM\TMService.exe [X]
S2 UCBrowserSvc; "C:\Program Files (x86)\UCBrowser\Application\UCService.exe" [X] <==== ATTENTION
S2 WTFast.Service; "C:\Program Files (x86)\WTFast\service\WTFast.Service.exe" [X]
S2 XBox; C:\Program Files\XBox\XBLive.exe [X]
S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X]
R1 LanmaMaster; C:\WINDOWS\system32\drivers\lanmamaster.sys [2967656 2017-03-19] () [File not signed]
R1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [25444 ] (UC Web Inc.) <==== ATTENTION
R2 Uefochubsrv; C:\WINDOWS\system32\drivers\Uefochubsrv.sys [187936 2017-03-19] ()
S1 JszipProtect; \??\C:\Program Files (x86)\Maoha\JiSuZip\JsZipProtect64.sys [X]
S2 WtfEngineDrv; \??\C:\WINDOWS\system32WtfEngineDrv.sys [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
2017-06-07 20:10 - 2017-06-07 20:10 - 00055168 _____ C:\WINDOWS\system32\Drivers\oitxzdnd.sys
2017-06-07 20:08 - 2017-06-07 20:08 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bmlqbomv.sys
2017-06-07 20:05 - 2017-06-07 20:05 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\gunwfmra.sys
2017-06-07 20:03 - 2017-06-07 20:03 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\idnlgfgw.sys
2017-06-07 20:00 - 2017-06-07 20:00 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\agtovjam.sys
2017-06-07 19:58 - 2017-06-07 19:58 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\quxyinba.sys
2017-06-07 19:55 - 2017-06-07 19:55 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\qcnsbptr.sys
2017-06-07 19:53 - 2017-06-07 19:53 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\wcdmqsmi.sys
2017-06-07 19:50 - 2017-06-07 19:50 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\xrxtfylq.sys
2017-06-07 19:47 - 2017-06-07 19:47 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\hqmoumov.sys
2017-06-07 19:45 - 2017-06-07 19:45 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\rthprwky.sys
2017-06-07 19:42 - 2017-06-07 19:42 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\soejmvjv.sys
2017-06-07 19:39 - 2017-06-07 19:39 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\brfwriza.sys
2017-06-07 19:37 - 2017-06-07 19:37 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\xulflwqu.sys
2017-06-07 19:34 - 2017-06-07 19:34 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\vvorfrdh.sys
2017-06-07 19:31 - 2017-06-07 19:31 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ykhekyxd.sys
2017-06-07 03:47 - 2015-11-11 17:38 - 00008336 _____ C:\WINDOWS\system32\SppExtComObjPatcher.exe
2017-06-07 03:47 - 2014-05-25 06:06 - 00015360 _____ C:\WINDOWS\system32\SppExtComObjHook.dll
2017-06-06 21:38 - 2017-06-07 01:40 - 00000000 ____D C:\Program Files (x86)\UCBrowser
2017-06-06 21:38 - 2017-06-07 01:01 - 00002374 _____ C:\WINDOWS\System32\Tasks\UCBrowserUpdaterCore
2017-06-06 21:38 - 2017-06-06 21:38 - 00003520 _____ C:\WINDOWS\System32\Tasks\UCBrowserUpdater
2017-06-06 21:38 - 2017-06-06 21:38 - 00003476 _____ C:\WINDOWS\System32\Tasks\UCBrowserSecureUpdater
2017-06-06 21:38 - 2017-06-06 21:38 - 00000000 ____D C:\Users\Siddharth\AppData\Local\UCBrowser
2017-06-06 21:23 - 2017-06-07 20:10 - 00000000 ____D C:\Users\Siddharth\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk
2017-06-06 21:23 - 2017-06-06 21:23 - 01623552 _____ C:\ProgramData\service.exe
2017-06-06 21:12 - 2017-06-09 01:25 - 00000000 ____D C:\Program Files (x86)\KMSPico
2017-05-22 01:26 - 2017-05-22 01:26 - 2868859525 _____ C:\WINDOWS\MEMORY.DMP
Task: {049F4AE0-F947-439D-A0E4-D76EBAD9FDE9} - System32\Tasks\UCBrowserSecureUpdater => C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe [2017-06-06] (UC Web Inc.) <==== ATTENTION
Task: {9066D739-1FE9-45B4-93DE-141BE00CD836} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
Task: {D378712A-78C3-42AF-A2A0-9DF72F7E62D1} - System32\Tasks\UCBrowserUpdaterCore => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
AlternateDataStreams: C:\WINDOWS\system32\Drivers\agtovjam.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\bmlqbomv.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\brfwriza.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\gunwfmra.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\hqmoumov.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\idnlgfgw.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\oitxzdnd.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\qcnsbptr.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\quxyinba.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\rthprwky.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\soejmvjv.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\vvorfrdh.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\wcdmqsmi.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\xrxtfylq.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\xulflwqu.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\ykhekyxd.sys:changelist [2410]
Windows Firewall is disabled.
FirewallRules: [TCP Query User{2462CF60-EADE-4810-B384-BD4C3974F3DB}C:\program files\java\jdk1.8.0_51\bin\java.exe] => (Allow) C:\program files\java\jdk1.8.0_51\bin\java.exe
FirewallRules: [UDP Query User{BA393644-EF8D-4C8B-8EDB-8B3844A8969B}C:\program files\java\jdk1.8.0_51\bin\java.exe] => (Allow) C:\program files\java\jdk1.8.0_51\bin\java.exe
FirewallRules: [{2B6F377B-5FEA-4872-AC0C-9B866C863386}] => (Allow) C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe
FirewallRules: [{8D5ECCAC-7B5D-4F74-B1D3-5A296723FFAF}] => (Allow) C:\Program Files (x86)\UCBrowser\Application\Downloader\download\MiniThunderPlatform.exe
C:\Windows\System32\Tasks\UCBrowserSecureUpdater
C:\Windows\System32\Tasks\UCBrowserUpdaterCore
C:\Program Files (x86)\UCBrowser
C:\Users\Siddharth\AppData\Roaming\WMPNetworkAcSvc
C:\ProgramData\Windows Security
C:\ProgramData\Microsoft\Network\Dsq
C:\Program Files (x86)\YeaDesktop
C:\Users\Siddharth\AppData\Local\Temp\00029546
C:\ProgramData\igfxDH.dll
C:\WINDOWS\system32\drivers\Uefochubsrv.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please let me know what problem persists.
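As an added example (not from the post, and not Farbar's own code): a Python script that reads FRST-style report lines and flags the kinds of findings marked for removal above (unsigned services, a loopback proxy, a run of random-named drivers of identical size, alternate data streams on drivers, firewall off), the way an analyst triages such a log before writing a fixlist. The sample lines, the SID and the regular expressions are this example's own constructions modelled on the line shapes in the thread, not FRST's format specification.

```python
"""Triage FRST-style report lines for indicators like those removed in the fix above.

Added example; not part of the forum post and not code from the Farbar tool. The
regular expressions are this example's own reading of the line shapes seen in the
thread. SAMPLE_LOG is constructed from those shapes with the account name replaced.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on lines in the thread (not a real scan).
SAMPLE_LOG = r"""
R2 WindowsSecurity; C:\ProgramData\Windows Security\winsecurity.exe [1376256 2017-05-11] (Microsoft Corporation) [File not signed] <==== ATTENTION
R2 WMPNetworkAcSvc; C:\Users\User\AppData\Roaming\WMPNetworkAcSvc\WMPNetworkAcSvc.exe [5091840 2016-11-10] () [File not signed] <==== ATTENTION
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [X]
ProxyEnable: [S-1-5-21-0-0-0-1001] => Proxy is enabled.
ProxyServer: [S-1-5-21-0-0-0-1001] => http=127.0.0.1:8080;https=127.0.0.1:8080
2017-06-07 20:10 - 2017-06-07 20:10 - 00055168 _____ C:\WINDOWS\system32\Drivers\oitxzdnd.sys
2017-06-07 20:08 - 2017-06-07 20:08 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bmlqbomv.sys
2017-06-07 20:05 - 2017-06-07 20:05 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\gunwfmra.sys
2017-06-07 03:47 - 2015-11-11 17:38 - 00008336 _____ C:\WINDOWS\system32\SppExtComObjPatcher.exe
AlternateDataStreams: C:\WINDOWS\system32\Drivers\oitxzdnd.sys:changelist [2410]
Windows Firewall is disabled.
""".strip()

# Service line: "R2 Name; path [size date] (vendor) [File not signed]".
SERVICE_RE = re.compile(
    r"^[RS]\d+ (?P<name>[^;]+); (?P<path>.+?) \[\d+ \d{4}-\d{2}-\d{2}\] "
    r"\((?P<vendor>[^)]*)\) \[File not signed\]"
)
# Proxy line: "ProxyServer: [SID] => http=host:port;https=host:port".
PROXY_RE = re.compile(r"^ProxyServer: \[[^\]]+\] => (?P<value>.+)$")
# File line: "created - modified - size _____ (vendor) path.sys".
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d{8}) _____ (?:\((?P<vendor>[^)]*)\) )?(?P<path>.+\.sys)$"
)
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<path>.+?\.sys):(?P<stream>\S+) \[\d+\]$")
# Eight lowercase letters in the Drivers folder, the pattern seen in the thread.
RANDOM_NAME_RE = re.compile(r"\\Drivers\\[a-z]{8}\.sys$")


def triage(log_text):
    """Return a list of (rule, detail) findings for FRST-style report text."""
    findings = []
    sys_by_size = defaultdict(list)  # size -> random-named driver paths
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            vendor = m.group("vendor") or "no vendor string"
            note = "unsigned service %s (%s) at %s" % (m.group("name"), vendor, m.group("path"))
            # A Microsoft vendor string on an unsigned binary outside C:\Windows is a red flag.
            if "Microsoft" in vendor and not m.group("path").lower().startswith(r"c:\windows"):
                note += " [claims Microsoft but lives outside the Windows directory]"
            findings.append(("unsigned-service", note))
            continue
        m = PROXY_RE.match(line)
        if m and re.search(r"127\.0\.0\.1|localhost", m.group("value")):
            findings.append(("loopback-proxy", "browser traffic routed through %s" % m.group("value")))
            continue
        m = FILE_RE.match(line)
        if m and RANDOM_NAME_RE.search(m.group("path")):
            sys_by_size[m.group("size")].append(m.group("path"))
            continue
        m = ADS_RE.match(line)
        if m:
            findings.append(("ads-on-driver", "%s carries stream '%s'" % (m.group("path"), m.group("stream"))))
            continue
        if line == "Windows Firewall is disabled.":
            findings.append(("firewall-off", line))
    # Several random-named drivers of exactly the same size are one dropper re-dropping itself.
    for size, paths in sys_by_size.items():
        if len(paths) >= 3:
            findings.append(("driver-cluster",
                             "%d random-named drivers of identical size %s" % (len(paths), size.lstrip("0"))))
    return findings


def count_by_rule(findings):
    """Summarise findings as {rule: count}."""
    counts = defaultdict(int)
    for rule, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print("%-17s %s" % (rule, detail))
```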

#3 seed12121212

seed12121212
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE

Posted 10 June 2017 - 11:00 AM


I am still unable to turn on the firewall, wscvc services, and Uplay.

I was not able to remove Jogotempo and the Advanced Module software.

The error says "You do not have sufficient access to remove Jogotempo, please contact your system admin".

Also, I still could not type anything in the Start menu.

The firstlog.txt is below:

Fix result of Farbar Recovery Scan Tool (x64) Version: 10-06-2017
Ran by Siddharth (10-06-2017 21:00:58) Run:1
Running from F:\
Loaded Profiles: Siddharth (Available Profiles: Siddharth & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
CMD: ipconfig /flushdns
RemoveProxy:
 
() C:\Users\Siddharth\AppData\Roaming\WMPNetworkAcSvc\WMPNetworkAcSvc.exe
(Microsoft Corporation) C:\ProgramData\Windows Security\winsecurity.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Network\Dsq\network\sysnetwk.exe
() C:\ProgramData\Microsoft\Network\Dsq\browser\syshostctl.exe
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKU\S-1-5-21-511330708-1322164562-341044212-1001\...\Run: [YeaDesktop] => C:\Program Files (x86)\YeaDesktop\YeaDesktop.exe /autostart <===== ATTENTION
HKU\S-1-5-21-511330708-1322164562-341044212-1001\...\Run: [msiql] => C:\Users\Siddharth\AppData\Local\Temp\00029546\msiql.exe /RUNNING <===== ATTENTION
ShellExecuteHooks: No Name - {5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} - C:\ProgramData\igfxDH.dll [952832 2017-06-05] ()
ShellIconOverlayIdentifiers: [JzShlobj] -> {9A0700D2-920A-4E52-8697-9B5230C92612} => C:\Program Files (x86)\Maoha\JiSuZip\JZipExt.dll -> No File
GroupPolicy: Restriction <======= ATTENTION
ProxyEnable: [S-1-5-21-511330708-1322164562-341044212-1001] => Proxy is enabled.
ProxyServer: [S-1-5-21-511330708-1322164562-341044212-1001] => http=127.0.0.1:8080;https=127.0.0.1:8080
ManualProxies: 1http=127.0.0.1:8080;https=127.0.0.1:8080
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll => No File
BHO-x32: Adobe Acrobat Create PDF Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll => No File
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll => No File
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll No File
FF user.js: detected! => C:\Users\Siddharth\AppData\Roaming\Mozilla\Firefox\Profiles\7cnnz4xm.default\user.js [2017-04-12]
FF Extension: (Tables) - C:\Users\Siddharth\AppData\Roaming\Mozilla\Firefox\Profiles\7cnnz4xm.default\Extensions\669206@extcorp.com.xpi [2017-04-12]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_25_0_0_171.dll [No File]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_171.dll [No File]
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [No File]
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [No File]
CHR HomePage: Default -> hxxp://www.oursurfing.com/?type=sy&ts=1434046796&z=4c0ed6fe04ae38f115173fagfz1c3zee6z4qcm0mdq&from=2sq&uid=HGSTXHTS721010A9E630_JR10006P0GPBEF0GPBEFX
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://in.yhs4.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_pwrisofs_15_25&param1=1&param2=f%3D7%26b%3DChrome%26cc%3Din%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0EzztB0A0E0A0D0DtByB0CyB0Dzz0FyEtN0D0Tzu0StCtByCtBtN1L2XzutAtFtCtDtFtCtDtFtBtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyDtD0D0F0B0EzzyCtGyBtByE0BtGyE0FyC0DtGtDzz0D0BtGyCtA0EyDtCyC0FyByEzyyB0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DyCtAyBtAyD0CtDtGtDtD0D0AtGyEzzzzyEt... (long line)
CHR Extension: (Tables) - C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\fngmhnnpilhplaeedifhccceomclgfbg [2017-06-06]
CHR Extension: (Poppit!) - C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2016-06-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-10]
CHR Extension: (Chrome Media Router) - C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-07]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx <not found>
R2 WindowsSecurity; C:\ProgramData\Windows Security\winsecurity.exe [1376256 2017-05-11] (Microsoft Corporation) [File not signed] <==== ATTENTION
R2 WMPNetworkAcSvc; C:\Users\Siddharth\AppData\Roaming\WMPNetworkAcSvc\WMPNetworkAcSvc.exe [5091840 2016-11-10] () [File not signed] <==== ATTENTION
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [X]
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S2 JszipService; C:\Program Files (x86)\Maoha\JiSuZip\JszipSvc.exe [X]
R2 OracleOraDb11g_home1TNSListener; E:\app\Siddharth\product\11.2.0\dbhome_1\BIN\TNSLSNR  [X]
S2 TMService; C:\Program Files (x86)\WindowsTM\TMService.exe [X]
S2 UCBrowserSvc; "C:\Program Files (x86)\UCBrowser\Application\UCService.exe" [X] <==== ATTENTION
S2 WTFast.Service; "C:\Program Files (x86)\WTFast\service\WTFast.Service.exe" [X]
S2 XBox; C:\Program Files\XBox\XBLive.exe [X]
S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X]
R1 LanmaMaster; C:\WINDOWS\system32\drivers\lanmamaster.sys [2967656 2017-03-19] () [File not signed]
R1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [25444 ] (UC Web Inc.) <==== ATTENTION
R2 Uefochubsrv; C:\WINDOWS\system32\drivers\Uefochubsrv.sys [187936 2017-03-19] ()
S1 JszipProtect; \??\C:\Program Files (x86)\Maoha\JiSuZip\JsZipProtect64.sys [X]
S2 WtfEngineDrv; \??\C:\WINDOWS\system32WtfEngineDrv.sys [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
2017-06-07 20:10 - 2017-06-07 20:10 - 00055168 _____ C:\WINDOWS\system32\Drivers\oitxzdnd.sys
2017-06-07 20:08 - 2017-06-07 20:08 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bmlqbomv.sys
2017-06-07 20:05 - 2017-06-07 20:05 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\gunwfmra.sys
2017-06-07 20:03 - 2017-06-07 20:03 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\idnlgfgw.sys
2017-06-07 20:00 - 2017-06-07 20:00 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\agtovjam.sys
2017-06-07 19:58 - 2017-06-07 19:58 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\quxyinba.sys
2017-06-07 19:55 - 2017-06-07 19:55 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\qcnsbptr.sys
2017-06-07 19:53 - 2017-06-07 19:53 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\wcdmqsmi.sys
2017-06-07 19:50 - 2017-06-07 19:50 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\xrxtfylq.sys
2017-06-07 19:47 - 2017-06-07 19:47 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\hqmoumov.sys
2017-06-07 19:45 - 2017-06-07 19:45 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\rthprwky.sys
2017-06-07 19:42 - 2017-06-07 19:42 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\soejmvjv.sys
2017-06-07 19:39 - 2017-06-07 19:39 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\brfwriza.sys
2017-06-07 19:37 - 2017-06-07 19:37 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\xulflwqu.sys
2017-06-07 19:34 - 2017-06-07 19:34 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\vvorfrdh.sys
2017-06-07 19:31 - 2017-06-07 19:31 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ykhekyxd.sys
2017-06-07 03:47 - 2015-11-11 17:38 - 00008336 _____ C:\WINDOWS\system32\SppExtComObjPatcher.exe
2017-06-07 03:47 - 2014-05-25 06:06 - 00015360 _____ C:\WINDOWS\system32\SppExtComObjHook.dll
2017-06-06 21:38 - 2017-06-07 01:40 - 00000000 ____D C:\Program Files (x86)\UCBrowser
2017-06-06 21:38 - 2017-06-07 01:01 - 00002374 _____ C:\WINDOWS\System32\Tasks\UCBrowserUpdaterCore
2017-06-06 21:38 - 2017-06-06 21:38 - 00003520 _____ C:\WINDOWS\System32\Tasks\UCBrowserUpdater
2017-06-06 21:38 - 2017-06-06 21:38 - 00003476 _____ C:\WINDOWS\System32\Tasks\UCBrowserSecureUpdater
2017-06-06 21:38 - 2017-06-06 21:38 - 00000000 ____D C:\Users\Siddharth\AppData\Local\UCBrowser
2017-06-06 21:23 - 2017-06-07 20:10 - 00000000 ____D C:\Users\Siddharth\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk
2017-06-06 21:23 - 2017-06-06 21:23 - 01623552 _____ C:\ProgramData\service.exe
2017-06-06 21:12 - 2017-06-09 01:25 - 00000000 ____D C:\Program Files (x86)\KMSPico
2017-05-22 01:26 - 2017-05-22 01:26 - 2868859525 _____ C:\WINDOWS\MEMORY.DMP
Task: {049F4AE0-F947-439D-A0E4-D76EBAD9FDE9} - System32\Tasks\UCBrowserSecureUpdater => C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe [2017-06-06] (UC Web Inc.) <==== ATTENTION
Task: {9066D739-1FE9-45B4-93DE-141BE00CD836} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
Task: {D378712A-78C3-42AF-A2A0-9DF72F7E62D1} - System32\Tasks\UCBrowserUpdaterCore => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
AlternateDataStreams: C:\WINDOWS\system32\Drivers\agtovjam.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\bmlqbomv.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\brfwriza.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\gunwfmra.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\hqmoumov.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\idnlgfgw.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\oitxzdnd.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\qcnsbptr.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\quxyinba.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\rthprwky.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\soejmvjv.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\vvorfrdh.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\wcdmqsmi.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\xrxtfylq.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\xulflwqu.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\ykhekyxd.sys:changelist [2410]
Windows Firewall is disabled.
FirewallRules: [TCP Query User{2462CF60-EADE-4810-B384-BD4C3974F3DB}C:\program files\java\jdk1.8.0_51\bin\java.exe] => (Allow) C:\program files\java\jdk1.8.0_51\bin\java.exe
FirewallRules: [UDP Query User{BA393644-EF8D-4C8B-8EDB-8B3844A8969B}C:\program files\java\jdk1.8.0_51\bin\java.exe] => (Allow) C:\program files\java\jdk1.8.0_51\bin\java.exe
FirewallRules: [{2B6F377B-5FEA-4872-AC0C-9B866C863386}] => (Allow) C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe
FirewallRules: [{8D5ECCAC-7B5D-4F74-B1D3-5A296723FFAF}] => (Allow) C:\Program Files (x86)\UCBrowser\Application\Downloader\download\MiniThunderPlatform.exe
C:\Windows\System32\Tasks\UCBrowserSecureUpdater
C:\Windows\System32\Tasks\UCBrowserUpdaterCore
C:\Program Files (x86)\UCBrowser
C:\Users\Siddharth\AppData\Roaming\WMPNetworkAcSvc
C:\ProgramData\Windows Security
C:\ProgramData\Microsoft\Network\Dsq
C:\Program Files (x86)\YeaDesktop
C:\Users\Siddharth\AppData\Local\Temp\00029546
C:\ProgramData\igfxDH.dll
C:\WINDOWS\system32\drivers\Uefochubsrv.sys
 
End
*****************
 
Error: (0) Failed to create a restore point.
Processes closed successfully.
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
========= RemoveProxy: =========
 
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value could not remove.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value could not remove.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value could not remove.
HKU\S-1-5-21-511330708-1322164562-341044212-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value could not remove.
HKU\S-1-5-21-511330708-1322164562-341044212-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value could not remove.
HKU\S-1-5-21-511330708-1322164562-341044212-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value could not remove.
HKU\S-1-5-21-511330708-1322164562-341044212-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value could not remove.
 
 
========= End of RemoveProxy: =========
 
C:\Users\Siddharth\AppData\Roaming\WMPNetworkAcSvc\WMPNetworkAcSvc.exe => No running process found
C:\ProgramData\Windows Security\winsecurity.exe => No running process found
C:\ProgramData\Microsoft\Network\Dsq\network\sysnetwk.exe => No running process found
C:\ProgramData\Microsoft\Network\Dsq\browser\syshostctl.exe => No running process found
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\EnableShellExecuteHooks => value could not remove.
HKU\S-1-5-21-511330708-1322164562-341044212-1001\Software\Microsoft\Windows\CurrentVersion\Run\\YeaDesktop => value could not remove.
HKU\S-1-5-21-511330708-1322164562-341044212-1001\Software\Microsoft\Windows\CurrentVersion\Run\\msiql => value could not remove.
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} => value could not remove.
HKLM\Software\Classes\CLSID\{5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} => key could not remove, key could be protected
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\JzShlobj => key could not remove, key could be protected
HKLM\Software\Classes\CLSID\{9A0700D2-920A-4E52-8697-9B5230C92612} => key could not remove, key could be protected
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKU\S-1-5-21-511330708-1322164562-341044212-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value could not remove.
HKU\S-1-5-21-511330708-1322164562-341044212-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value could not remove.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} => key could not remove, key could be protected
HKLM\Software\Wow6432Node\Classes\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} => key could not remove, key could be protected
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910} => key could not remove, key could be protected
HKLM\Software\Wow6432Node\Classes\CLSID\{AE7CD045-E861-484f-8273-0445EE161910} => key could not remove, key could be protected
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077} => key could not remove, key could be protected
HKLM\Software\Wow6432Node\Classes\CLSID\{F4971EE7-DAA0-4053-9964-665D8EE6A077} => key could not remove, key could be protected
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value could not remove.
HKLM\Software\Wow6432Node\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => key could not remove, key could be protected
C:\Users\Siddharth\AppData\Roaming\Mozilla\Firefox\Profiles\7cnnz4xm.default\user.js => moved successfully
C:\Users\Siddharth\AppData\Roaming\Mozilla\Firefox\Profiles\7cnnz4xm.default\user.js => not found.
C:\Users\Siddharth\AppData\Roaming\Mozilla\Firefox\Profiles\7cnnz4xm.default\Extensions\669206@extcorp.com.xpi => moved successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\web2pdfextension@web2pdf.adobedotcom => value could not remove.
HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer => key could not remove, key could be protected
HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect => key could not remove, key could be protected
HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer => key could not remove, key could be protected
HKLM\Software\Wow6432Node\MozillaPlugins\Adobe Acrobat => key could not remove, key could be protected
HKLM\Software\Wow6432Node\MozillaPlugins\adobe.com/AdobeAAMDetect => key could not remove, key could be protected
Chrome HomePage => removed successfully
Chrome StartupUrls => removed successfully
C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\fngmhnnpilhplaeedifhccceomclgfbg => moved successfully
C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi => moved successfully
C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\WindowsSecurity => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\WMPNetworkAcSvc => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\HitmanProScheduler => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\ibtsiva => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\JszipService => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\OracleOraDb11g_home1TNSListener => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\TMService => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\UCBrowserSvc => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\WTFast.Service => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\XBox => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\ZAMSvc => key could not remove, key could be protected
LanmaMaster => Unable to stop service.
HKLM\System\CurrentControlSet\Services\LanmaMaster => key could not remove, key could be protected
ucdrv => Unable to stop service.
HKLM\System\CurrentControlSet\Services\ucdrv => key could not remove, key could be protected
Uefochubsrv => Unable to stop service.
HKLM\System\CurrentControlSet\Services\Uefochubsrv => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\JszipProtect => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\WtfEngineDrv => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\ZAM => key could not remove, key could be protected
C:\WINDOWS\system32\Drivers\oitxzdnd.sys => moved successfully
C:\WINDOWS\system32\Drivers\bmlqbomv.sys => moved successfully
C:\WINDOWS\system32\Drivers\gunwfmra.sys => moved successfully
C:\WINDOWS\system32\Drivers\idnlgfgw.sys => moved successfully
C:\WINDOWS\system32\Drivers\agtovjam.sys => moved successfully
C:\WINDOWS\system32\Drivers\quxyinba.sys => moved successfully
C:\WINDOWS\system32\Drivers\qcnsbptr.sys => moved successfully
C:\WINDOWS\system32\Drivers\wcdmqsmi.sys => moved successfully
C:\WINDOWS\system32\Drivers\xrxtfylq.sys => moved successfully
C:\WINDOWS\system32\Drivers\hqmoumov.sys => moved successfully
C:\WINDOWS\system32\Drivers\rthprwky.sys => moved successfully
C:\WINDOWS\system32\Drivers\soejmvjv.sys => moved successfully
C:\WINDOWS\system32\Drivers\brfwriza.sys => moved successfully
C:\WINDOWS\system32\Drivers\xulflwqu.sys => moved successfully
C:\WINDOWS\system32\Drivers\vvorfrdh.sys => moved successfully
C:\WINDOWS\system32\Drivers\ykhekyxd.sys => moved successfully
C:\WINDOWS\system32\SppExtComObjPatcher.exe => moved successfully
C:\WINDOWS\system32\SppExtComObjHook.dll => moved successfully
 
"C:\Program Files (x86)\UCBrowser" folder move:
 
Could not move "C:\Program Files (x86)\UCBrowser" => Scheduled to move on reboot.
 
C:\WINDOWS\System32\Tasks\UCBrowserUpdaterCore => moved successfully
C:\WINDOWS\System32\Tasks\UCBrowserUpdater => moved successfully
C:\WINDOWS\System32\Tasks\UCBrowserSecureUpdater => moved successfully
C:\Users\Siddharth\AppData\Local\UCBrowser => moved successfully
C:\Users\Siddharth\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk => moved successfully
C:\ProgramData\service.exe => moved successfully
C:\Program Files (x86)\KMSPico => moved successfully
C:\WINDOWS\MEMORY.DMP => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{049F4AE0-F947-439D-A0E4-D76EBAD9FDE9} => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{049F4AE0-F947-439D-A0E4-D76EBAD9FDE9} => key could not remove. Access Denied.
C:\WINDOWS\System32\Tasks\UCBrowserSecureUpdater => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UCBrowserSecureUpdater => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9066D739-1FE9-45B4-93DE-141BE00CD836} => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9066D739-1FE9-45B4-93DE-141BE00CD836} => key could not remove. Access Denied.
C:\WINDOWS\System32\Tasks\UCBrowserUpdater => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UCBrowserUpdater => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D378712A-78C3-42AF-A2A0-9DF72F7E62D1} => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D378712A-78C3-42AF-A2A0-9DF72F7E62D1} => key could not remove. Access Denied.
C:\WINDOWS\System32\Tasks\UCBrowserUpdaterCore => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UCBrowserUpdaterCore => key could not remove. Access Denied.
"C:\WINDOWS\system32\Drivers\agtovjam.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\bmlqbomv.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\brfwriza.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\gunwfmra.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\hqmoumov.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\idnlgfgw.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\oitxzdnd.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\qcnsbptr.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\quxyinba.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\rthprwky.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\soejmvjv.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\vvorfrdh.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\wcdmqsmi.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\xrxtfylq.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\xulflwqu.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\ykhekyxd.sys" => ":changelist" ADS not found.
Windows Firewall is disabled. => Error: No automatic fix found for this entry.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{2462CF60-EADE-4810-B384-BD4C3974F3DB}C:\program files\java\jdk1.8.0_51\bin\java.exe => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{BA393644-EF8D-4C8B-8EDB-8B3844A8969B}C:\program files\java\jdk1.8.0_51\bin\java.exe => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2B6F377B-5FEA-4872-AC0C-9B866C863386} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8D5ECCAC-7B5D-4F74-B1D3-5A296723FFAF} => value could not remove.
"C:\Windows\System32\Tasks\UCBrowserSecureUpdater" => not found.
"C:\Windows\System32\Tasks\UCBrowserUpdaterCore" => not found.
 
"C:\Program Files (x86)\UCBrowser" folder move:
 
Could not move "C:\Program Files (x86)\UCBrowser" => Scheduled to move on reboot.
 
C:\Users\Siddharth\AppData\Roaming\WMPNetworkAcSvc => moved successfully
C:\ProgramData\Windows Security => moved successfully
C:\ProgramData\Microsoft\Network\Dsq => moved successfully
"C:\Program Files (x86)\YeaDesktop" => not found.
"C:\Users\Siddharth\AppData\Local\Temp\00029546" => not found.
C:\ProgramData\igfxDH.dll => moved successfully
Could not move "C:\WINDOWS\system32\drivers\Uefochubsrv.sys" => Scheduled to move on reboot.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 15233937 B
Java, Flash, Steam htmlcache => 359056577 B
Windows/system/drivers => 1364812 B
Edge => 16934483 B
Chrome => 28743735 B
Firefox => 367616589 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 9228844 B
Siddharth => 74495528 B
DefaultAppPool => 0 B
 
RecycleBin => 0 B
EmptyTemp: => 839.3 MB temporary data Removed.
 
================================


#4 nasdaq

  • Malware Response Team
  • 38,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 June 2017 - 01:18 PM

Repair these services.

Please Download Tweaking.com - Windows Repair from Here
  • Install and then run the program.
  • Execute the instructions on Step 1 Important.
  • Click Next on Step 2 Optional, do the Pre Scan, and skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore, do a Registry backup. When you have completed this, click Next.
  • Click Repairs - Open Repairs in the bottom right corner.
  • Uncheck the All repair button, then select just the item(s) listed below:

    01 - Repair Registry Permissions
    03 - Reset Service permissions
    04 - Register System Files
    05 - Repair WMI
    10 - Remove Policies Set By Infections
    11 - Repair Start Menu Icons Removed by Infections
    12 - Repair Icons
    17 - Repair Windows Updates
    21 - Repair MSI (Windows Installer)
    26 - Restore Important Windows Services
    27 - Set Windows Service to Default Startup

  • Click the Start button and let the process run to completion. Copy any error messages into Notepad and save it on your Desktop. (Reboot if asked to do so.)
  • Please copy and paste the contents of this file in your next reply.
===

Restart the computer normally.

How is the computer running now?

#5 seed12121212

  • Topic Starter
  • Members
  • 23 posts

Posted 10 June 2017 - 01:25 PM

I will be doing the tweak-up, sir. There is one more problem: if my PC goes to sleep, then when I enter the correct password it says it's wrong, so I always have to force shutdown and start the PC again.



#6 seed12121212

  • Topic Starter
  • Members
  • 23 posts

Posted 10 June 2017 - 01:56 PM

It was not successful. Here is the log:

Tweaking.com - Windows Repair v3.9.33
--------------------------------------------------------------------------------
 
System Variables
--------------------------------------------------------------------------------
OS: Windows 10 Home Single Language
OS Architecture: 64-bit
OS Version: 10.0.15063.296
OS Service Pack: 
Computer Name: SIDDHARTHJOSHI
Windows Drive: C:\
Windows Path: C:\WINDOWS
Program Files: C:\Program Files
Program Files (x86): C:\Program Files (x86)
Current Profile: C:\Users\Siddharth
Current Profile SID: S-1-5-21-511330708-1322164562-341044212-1001
Current Profile Classes: S-1-5-21-511330708-1322164562-341044212-1001_Classes
Profiles Location: C:\Users
Profiles Location 2: C:\WINDOWS\ServiceProfiles
Local Settings AppData: C:\Users\Siddharth\AppData\Local
--------------------------------------------------------------------------------
 
System Information
--------------------------------------------------------------------------------
System Up Time: 0 Days 00:29:32
 
Process Count: 186
Commit Total: 4.70 GB
Commit Limit: 16.92 GB
Commit Peak: 4.82 GB
Handle Count: 66832
Kernel Total: 930.20 MB
Kernel Paged: 659.79 MB
Kernel Non Paged: 270.41 MB
System Cache: 6.02 GB
Thread Count: 2185
--------------------------------------------------------------------------------
 
Memory Before Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 15.92 GB
Memory Used: 4.23 GB(26.5502%)
Memory Avail.: 11.69 GB
--------------------------------------------------------------------------------
 
Cleaning Memory Before Starting Repairs...
 
Memory After Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 15.92 GB
Memory Used: 3.12 GB(19.6079%)
Memory Avail.: 12.80 GB
--------------------------------------------------------------------------------
 
Starting Repairs...
   Started at (11-Jun-17 12:21:37 AM)
 
 
The current repair has failed to start for over 30 sec.
Trying Again....
 
 
The current repair has failed to start for over 30 sec.
Trying Again....
 
 
The current repair has failed to start for over 30 sec.
Trying Again....
 
   Done, but failed, at (11-Jun-17 12:23:37 AM)
   Total Repair Time: 00:02:02
 
The current repair has failed to start 4 times.
Something is keeping the repair from running.
 
Try running the repairs in Windows Safe Mode. (This will keep 3rd party programs from getting in the way of the repairs)
If the repairs still fail then please post in the Tweaking.com forums for support.


#7 nasdaq

  • Malware Response Team
  • 38,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 June 2017 - 06:52 AM

Quote from the Tweaking log.

Try running the repairs in Windows Safe Mode. (This will keep 3rd party programs from getting in the way of the repairs)
If the repairs still fail then please post in the Tweaking.com forums for support.

Before we go this way, run these programs. We may be able to identify what is causing this.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run, then download and try to run the other one.
Vista and Win7 users need to right-click and choose Run as Admin.
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content in your next reply.
===

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUMs] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click to open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

#8 seed12121212

seed12121212
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE

Posted 11 June 2017 - 11:59 AM

Quote from the Tweaking log.

Try running the repairs in Windows Safe Mode. (This will keep 3rd party programs from getting in the way of the repairs)
If the repairs still fail then please post in the Tweaking.com forums for support.

Before we go this way run these programs. We may be able to identify what is causing this.


Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content on your next reply.
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

I did the Rkill (pasting the log below) but was unable to install RogueKiller; there was an error that said "Error writing to registry key RegSetValue Ex failed code 5". The virus is not allowing me to install anything; even my Steam doesn't work, it sometimes says that it can't read the registry.

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 06/11/2017 10:23:44 PM in x64 mode.
Windows Version: Windows 10 Home Single Language 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Active Proxy Server Detected
 
 * ProxyOverride value deleted.
 * ProxyServer value deleted.
 * AutoConfigURL value deleted.
 * Proxy settings were backed up to Registry file.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Backup Registry file created at:
 C:\Users\Siddharth\Desktop\rkill\rkill-06-11-2017-10-23-56.reg
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Firewall Disabled
 
   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000
 
Checking Windows Service Integrity: 
 
 * Security Center (wscsvc) is not Running.
   Startup Type set to: Disabled
 
 * agp440 [Missing Service]
 * DcpSvc [Missing Service]
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]
 * AppMgmt [Missing Service]
 * CSC [Missing Service]
 * CscService [Missing Service]
 * PeerDistSvc [Missing Service]
 
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * RetailDemo => %SystemRoot%\System32\svchost.exe -k rdxgroup [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
 
 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.
 
 * HOSTS file entries found: 
 
  127.0.0.1                   thislineskipsanyemptylines
  127.0.0.1                   thislineskipsanyemptylines
  127.0.0.1                   thislineskipsanyemptylines
 
Program finished at: 06/11/2017 10:24:37 PM
Execution time: 0 hours(s), 0 minute(s), and 52 seconds(s)

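Added example (not from the thread, and not Rkill's own code): a small Python triage helper that parses the sections of an Rkill log like the one above (proxy, firewall, service integrity, HOSTS) into structured findings with a severity, so a responder can see at a glance which items need hands-on follow-up. The embedded log is a constructed sample mirroring the posted one; the severities are this example's own rating scheme, not Rkill's.

```python
"""Triage helper for Rkill logs (added example; not part of the thread or of Rkill)."""
import re
from dataclasses import dataclass

# Constructed sample that mirrors the shape of the Rkill log posted in the thread.
SAMPLE_LOG = r"""
Rkill 2.8.4 by Lawrence Abrams (Grinler)

Active Proxy Server Detected

 * ProxyServer value deleted.
 * AutoConfigURL value deleted.

Performing miscellaneous checks:

 * Windows Firewall Disabled

Checking Windows Service Integrity:

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Disabled

 * agp440 [Missing Service]
 * DcpSvc [Missing Service]

 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]

 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]

Checking HOSTS File:

 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.

 * HOSTS file entries found:

  127.0.0.1                   example.invalid

Program finished.
"""


@dataclass
class Finding:
    category: str  # proxy | firewall | service | hosts
    detail: str
    severity: str  # high | medium | info (this example's own scale)


# Line shapes Rkill uses in the sections this helper understands.
SERVICE_NOT_RUNNING = re.compile(r"^\* (?P<name>.+?) \((?P<short>\w+)\) is not Running\.$")
MISSING_SERVICE = re.compile(r"^\* (?P<name>\S+) \[Missing Service\]$")
INCORRECT_PATH = re.compile(
    r"^\* (?P<name>\S+) => (?P<path>.+?) \[Incorrect (?P<what>ImagePath|ServiceDLL)\]$")
HOSTS_ENTRY = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)$")


def parse_rkill_log(text: str) -> list[Finding]:
    """Turn the free-form Rkill report into findings a responder can act on."""
    findings: list[Finding] = []
    lines = [ln.strip() for ln in text.splitlines()]
    in_hosts = False
    for i, line in enumerate(lines):
        if line == "Active Proxy Server Detected":
            # A proxy the user never configured is a classic traffic-interception sign.
            findings.append(Finding("proxy", "system proxy was configured; Rkill cleared it", "high"))
        elif line == "* Windows Firewall Disabled":
            findings.append(Finding("firewall", "firewall policy disabled (EnableFirewall = 0)", "high"))
        elif m := SERVICE_NOT_RUNNING.match(line):
            # Rkill prints the startup type on the following line.
            startup = "unknown"
            if i + 1 < len(lines) and lines[i + 1].startswith("Startup Type set to:"):
                startup = lines[i + 1].split(":", 1)[1].strip()
            sev = "high" if startup == "Disabled" else "medium"
            findings.append(Finding("service", f"{m['short']} ({m['name']}) not running, startup {startup}", sev))
        elif m := MISSING_SERVICE.match(line):
            # Missing-service entries need comparison with a clean reference build before acting.
            findings.append(Finding("service", f"{m['name']} missing", "info"))
        elif m := INCORRECT_PATH.match(line):
            findings.append(Finding("service", f"{m['name']} has unexpected {m['what']}: {m['path']}", "medium"))
        elif line == "* Cannot edit the HOSTS file.":
            findings.append(Finding("hosts", "HOSTS file ACL blocked edits; Rkill repaired permissions", "medium"))
        elif line == "* HOSTS file entries found:":
            in_hosts = True
        elif in_hosts and (m := HOSTS_ENTRY.match(line)):
            findings.append(Finding("hosts", f"entry {m['ip']} {m['host']}", "info"))
        elif in_hosts and line:
            in_hosts = False  # first non-entry text ends the HOSTS listing
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity; any 'high' means the host needs hands-on follow-up."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in parse_rkill_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.category}: {f.detail}")
    print(summarize(parse_rkill_log(SAMPLE_LOG)))
```

Run against the real log, the same three "high" items (proxy, firewall, Security Center disabled) come out on top, which is exactly the set the helper's next fix targets.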

#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,559 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:45 AM

Posted 12 June 2017 - 07:13 AM


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:
Hosts:
Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Restart the computer normally after the fix.

Then Download and run this MBAM program.

Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit BETA from https://www.malwarebytes.com/antirootkit and save it to your Desktop.
  • Right-click on the icon and select Run as administrator to start the extraction of the program;
  • Click Yes to accept the security warning that may appear;
  • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
  • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
  • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
  • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
  • Please copy and paste the entire content of that log in your next reply;
If you have any problems running either one come back and let me know.
===

Let me know what problem persists.

#10 seed12121212

seed12121212
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE

Posted 12 June 2017 - 08:40 AM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 

start

CreateRestorePoint:
CloseProcesses:
Hosts:
Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Restart the computer normally after the fix.

Then Download and run this MBAM program.

Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit BETA from https://www.malwarebytes.com/antirootkit and save it to your Desktop.
  • Right-click on the icon and select Run as administrator to start the extraction of the program;
  • Click Yes to accept the security warning that may appear;
  • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
  • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
  • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
  • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
  • Please copy and paste the entire content of that log in your next reply;
If you have any problems running either one come back and let me know.
===

Let me know what problem persists.

I did the Farbar scan; here is fixlog.txt. But I was not able to do the anti-rootkit; it gave the error "DDA driver was not installed which may be caused by rootkit activity". It told me to reboot, then I selected yes, then it said another error, "could not install driver on boot", hence there was no reboot.

Fix result of Farbar Recovery Scan Tool (x64) Version: 10-06-2017
Ran by Siddharth (10-06-2017 21:00:58) Run:1
Running from F:\
Loaded Profiles: Siddharth (Available Profiles: Siddharth & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
CMD: ipconfig /flushdns
RemoveProxy:
 
() C:\Users\Siddharth\AppData\Roaming\WMPNetworkAcSvc\WMPNetworkAcSvc.exe
(Microsoft Corporation) C:\ProgramData\Windows Security\winsecurity.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Network\Dsq\network\sysnetwk.exe
() C:\ProgramData\Microsoft\Network\Dsq\browser\syshostctl.exe
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKU\S-1-5-21-511330708-1322164562-341044212-1001\...\Run: [YeaDesktop] => C:\Program Files (x86)\YeaDesktop\YeaDesktop.exe /autostart <===== ATTENTION
HKU\S-1-5-21-511330708-1322164562-341044212-1001\...\Run: [msiql] => C:\Users\Siddharth\AppData\Local\Temp\00029546\msiql.exe /RUNNING <===== ATTENTION
ShellExecuteHooks: No Name - {5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} - C:\ProgramData\igfxDH.dll [952832 2017-06-05] ()
ShellIconOverlayIdentifiers: [JzShlobj] -> {9A0700D2-920A-4E52-8697-9B5230C92612} => C:\Program Files (x86)\Maoha\JiSuZip\JZipExt.dll -> No File
GroupPolicy: Restriction <======= ATTENTION
ProxyEnable: [S-1-5-21-511330708-1322164562-341044212-1001] => Proxy is enabled.
ProxyServer: [S-1-5-21-511330708-1322164562-341044212-1001] => http=127.0.0.1:8080;https=127.0.0.1:8080
ManualProxies: 1http=127.0.0.1:8080;https=127.0.0.1:8080
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll => No File
BHO-x32: Adobe Acrobat Create PDF Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll => No File
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll => No File
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll No File
FF user.js: detected! => C:\Users\Siddharth\AppData\Roaming\Mozilla\Firefox\Profiles\7cnnz4xm.default\user.js [2017-04-12]
FF Extension: (Tables) - C:\Users\Siddharth\AppData\Roaming\Mozilla\Firefox\Profiles\7cnnz4xm.default\Extensions\669206@extcorp.com.xpi [2017-04-12]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_25_0_0_171.dll [No File]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_171.dll [No File]
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [No File]
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [No File]
CHR HomePage: Default -> hxxp://www.oursurfing.com/?type=sy&ts=1434046796&z=4c0ed6fe04ae38f115173fagfz1c3zee6z4qcm0mdq&from=2sq&uid=HGSTXHTS721010A9E630_JR10006P0GPBEF0GPBEFX
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://in.yhs4.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_pwrisofs_15_25&param1=1&param2=f%3D7%26b%3DChrome%26cc%3Din%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0EzztB0A0E0A0D0DtByB0CyB0Dzz0FyEtN0D0Tzu0StCtByCtBtN1L2XzutAtFtCtDtFtCtDtFtBtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyDtD0D0F0B0EzzyCtGyBtByE0BtGyE0FyC0DtGtDzz0D0BtGyCtA0EyDtCyC0FyByEzyyB0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DyCtAyBtAyD0CtDtGtDtD0D0AtGyEzzzzyEt... (long line)
CHR Extension: (Tables) - C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\fngmhnnpilhplaeedifhccceomclgfbg [2017-06-06]
CHR Extension: (Poppit!) - C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2016-06-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-10]
CHR Extension: (Chrome Media Router) - C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-07]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx <not found>
R2 WindowsSecurity; C:\ProgramData\Windows Security\winsecurity.exe [1376256 2017-05-11] (Microsoft Corporation) [File not signed] <==== ATTENTION
R2 WMPNetworkAcSvc; C:\Users\Siddharth\AppData\Roaming\WMPNetworkAcSvc\WMPNetworkAcSvc.exe [5091840 2016-11-10] () [File not signed] <==== ATTENTION
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [X]
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S2 JszipService; C:\Program Files (x86)\Maoha\JiSuZip\JszipSvc.exe [X]
R2 OracleOraDb11g_home1TNSListener; E:\app\Siddharth\product\11.2.0\dbhome_1\BIN\TNSLSNR  [X]
S2 TMService; C:\Program Files (x86)\WindowsTM\TMService.exe [X]
S2 UCBrowserSvc; "C:\Program Files (x86)\UCBrowser\Application\UCService.exe" [X] <==== ATTENTION
S2 WTFast.Service; "C:\Program Files (x86)\WTFast\service\WTFast.Service.exe" [X]
S2 XBox; C:\Program Files\XBox\XBLive.exe [X]
S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X]
R1 LanmaMaster; C:\WINDOWS\system32\drivers\lanmamaster.sys [2967656 2017-03-19] () [File not signed]
R1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [25444 ] (UC Web Inc.) <==== ATTENTION
R2 Uefochubsrv; C:\WINDOWS\system32\drivers\Uefochubsrv.sys [187936 2017-03-19] ()
S1 JszipProtect; \??\C:\Program Files (x86)\Maoha\JiSuZip\JsZipProtect64.sys [X]
S2 WtfEngineDrv; \??\C:\WINDOWS\system32WtfEngineDrv.sys [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
2017-06-07 20:10 - 2017-06-07 20:10 - 00055168 _____ C:\WINDOWS\system32\Drivers\oitxzdnd.sys
2017-06-07 20:08 - 2017-06-07 20:08 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bmlqbomv.sys
2017-06-07 20:05 - 2017-06-07 20:05 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\gunwfmra.sys
2017-06-07 20:03 - 2017-06-07 20:03 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\idnlgfgw.sys
2017-06-07 20:00 - 2017-06-07 20:00 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\agtovjam.sys
2017-06-07 19:58 - 2017-06-07 19:58 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\quxyinba.sys
2017-06-07 19:55 - 2017-06-07 19:55 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\qcnsbptr.sys
2017-06-07 19:53 - 2017-06-07 19:53 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\wcdmqsmi.sys
2017-06-07 19:50 - 2017-06-07 19:50 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\xrxtfylq.sys
2017-06-07 19:47 - 2017-06-07 19:47 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\hqmoumov.sys
2017-06-07 19:45 - 2017-06-07 19:45 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\rthprwky.sys
2017-06-07 19:42 - 2017-06-07 19:42 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\soejmvjv.sys
2017-06-07 19:39 - 2017-06-07 19:39 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\brfwriza.sys
2017-06-07 19:37 - 2017-06-07 19:37 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\xulflwqu.sys
2017-06-07 19:34 - 2017-06-07 19:34 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\vvorfrdh.sys
2017-06-07 19:31 - 2017-06-07 19:31 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ykhekyxd.sys
2017-06-07 03:47 - 2015-11-11 17:38 - 00008336 _____ C:\WINDOWS\system32\SppExtComObjPatcher.exe
2017-06-07 03:47 - 2014-05-25 06:06 - 00015360 _____ C:\WINDOWS\system32\SppExtComObjHook.dll
2017-06-06 21:38 - 2017-06-07 01:40 - 00000000 ____D C:\Program Files (x86)\UCBrowser
2017-06-06 21:38 - 2017-06-07 01:01 - 00002374 _____ C:\WINDOWS\System32\Tasks\UCBrowserUpdaterCore
2017-06-06 21:38 - 2017-06-06 21:38 - 00003520 _____ C:\WINDOWS\System32\Tasks\UCBrowserUpdater
2017-06-06 21:38 - 2017-06-06 21:38 - 00003476 _____ C:\WINDOWS\System32\Tasks\UCBrowserSecureUpdater
2017-06-06 21:38 - 2017-06-06 21:38 - 00000000 ____D C:\Users\Siddharth\AppData\Local\UCBrowser
2017-06-06 21:23 - 2017-06-07 20:10 - 00000000 ____D C:\Users\Siddharth\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk
2017-06-06 21:23 - 2017-06-06 21:23 - 01623552 _____ C:\ProgramData\service.exe
2017-06-06 21:12 - 2017-06-09 01:25 - 00000000 ____D C:\Program Files (x86)\KMSPico
2017-05-22 01:26 - 2017-05-22 01:26 - 2868859525 _____ C:\WINDOWS\MEMORY.DMP
Task: {049F4AE0-F947-439D-A0E4-D76EBAD9FDE9} - System32\Tasks\UCBrowserSecureUpdater => C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe [2017-06-06] (UC Web Inc.) <==== ATTENTION
Task: {9066D739-1FE9-45B4-93DE-141BE00CD836} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
Task: {D378712A-78C3-42AF-A2A0-9DF72F7E62D1} - System32\Tasks\UCBrowserUpdaterCore => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
AlternateDataStreams: C:\WINDOWS\system32\Drivers\agtovjam.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\bmlqbomv.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\brfwriza.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\gunwfmra.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\hqmoumov.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\idnlgfgw.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\oitxzdnd.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\qcnsbptr.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\quxyinba.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\rthprwky.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\soejmvjv.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\vvorfrdh.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\wcdmqsmi.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\xrxtfylq.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\xulflwqu.sys:changelist [2410]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\ykhekyxd.sys:changelist [2410]
Windows Firewall is disabled.
FirewallRules: [TCP Query User{2462CF60-EADE-4810-B384-BD4C3974F3DB}C:\program files\java\jdk1.8.0_51\bin\java.exe] => (Allow) C:\program files\java\jdk1.8.0_51\bin\java.exe
FirewallRules: [UDP Query User{BA393644-EF8D-4C8B-8EDB-8B3844A8969B}C:\program files\java\jdk1.8.0_51\bin\java.exe] => (Allow) C:\program files\java\jdk1.8.0_51\bin\java.exe
FirewallRules: [{2B6F377B-5FEA-4872-AC0C-9B866C863386}] => (Allow) C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe
FirewallRules: [{8D5ECCAC-7B5D-4F74-B1D3-5A296723FFAF}] => (Allow) C:\Program Files (x86)\UCBrowser\Application\Downloader\download\MiniThunderPlatform.exe
C:\Windows\System32\Tasks\UCBrowserSecureUpdater
C:\Windows\System32\Tasks\UCBrowserUpdaterCore
C:\Program Files (x86)\UCBrowser
C:\Users\Siddharth\AppData\Roaming\WMPNetworkAcSvc
C:\ProgramData\Windows Security
C:\ProgramData\Microsoft\Network\Dsq
C:\Program Files (x86)\YeaDesktop
C:\Users\Siddharth\AppData\Local\Temp\00029546
C:\ProgramData\igfxDH.dll
C:\WINDOWS\system32\drivers\Uefochubsrv.sys
 
End
*****************
 
Error: (0) Failed to create a restore point.
Processes closed successfully.
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
========= RemoveProxy: =========
 
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value could not remove.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value could not remove.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value could not remove.
HKU\S-1-5-21-511330708-1322164562-341044212-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value could not remove.
HKU\S-1-5-21-511330708-1322164562-341044212-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value could not remove.
HKU\S-1-5-21-511330708-1322164562-341044212-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value could not remove.
HKU\S-1-5-21-511330708-1322164562-341044212-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value could not remove.
 
 
========= End of RemoveProxy: =========
 
C:\Users\Siddharth\AppData\Roaming\WMPNetworkAcSvc\WMPNetworkAcSvc.exe => No running process found
C:\ProgramData\Windows Security\winsecurity.exe => No running process found
C:\ProgramData\Microsoft\Network\Dsq\network\sysnetwk.exe => No running process found
C:\ProgramData\Microsoft\Network\Dsq\browser\syshostctl.exe => No running process found
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\EnableShellExecuteHooks => value could not remove.
HKU\S-1-5-21-511330708-1322164562-341044212-1001\Software\Microsoft\Windows\CurrentVersion\Run\\YeaDesktop => value could not remove.
HKU\S-1-5-21-511330708-1322164562-341044212-1001\Software\Microsoft\Windows\CurrentVersion\Run\\msiql => value could not remove.
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} => value could not remove.
HKLM\Software\Classes\CLSID\{5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} => key could not remove, key could be protected
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\JzShlobj => key could not remove, key could be protected
HKLM\Software\Classes\CLSID\{9A0700D2-920A-4E52-8697-9B5230C92612} => key could not remove, key could be protected
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKU\S-1-5-21-511330708-1322164562-341044212-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value could not remove.
HKU\S-1-5-21-511330708-1322164562-341044212-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value could not remove.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} => key could not remove, key could be protected
HKLM\Software\Wow6432Node\Classes\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} => key could not remove, key could be protected
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910} => key could not remove, key could be protected
HKLM\Software\Wow6432Node\Classes\CLSID\{AE7CD045-E861-484f-8273-0445EE161910} => key could not remove, key could be protected
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077} => key could not remove, key could be protected
HKLM\Software\Wow6432Node\Classes\CLSID\{F4971EE7-DAA0-4053-9964-665D8EE6A077} => key could not remove, key could be protected
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value could not remove.
HKLM\Software\Wow6432Node\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => key could not remove, key could be protected
C:\Users\Siddharth\AppData\Roaming\Mozilla\Firefox\Profiles\7cnnz4xm.default\user.js => moved successfully
C:\Users\Siddharth\AppData\Roaming\Mozilla\Firefox\Profiles\7cnnz4xm.default\user.js => not found.
C:\Users\Siddharth\AppData\Roaming\Mozilla\Firefox\Profiles\7cnnz4xm.default\Extensions\669206@extcorp.com.xpi => moved successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\web2pdfextension@web2pdf.adobedotcom => value could not remove.
HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer => key could not remove, key could be protected
HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect => key could not remove, key could be protected
HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer => key could not remove, key could be protected
HKLM\Software\Wow6432Node\MozillaPlugins\Adobe Acrobat => key could not remove, key could be protected
HKLM\Software\Wow6432Node\MozillaPlugins\adobe.com/AdobeAAMDetect => key could not remove, key could be protected
Chrome HomePage => removed successfully
Chrome StartupUrls => removed successfully
C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\fngmhnnpilhplaeedifhccceomclgfbg => moved successfully
C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi => moved successfully
C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Siddharth\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\WindowsSecurity => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\WMPNetworkAcSvc => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\HitmanProScheduler => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\ibtsiva => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\JszipService => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\OracleOraDb11g_home1TNSListener => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\TMService => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\UCBrowserSvc => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\WTFast.Service => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\XBox => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\ZAMSvc => key could not remove, key could be protected
LanmaMaster => Unable to stop service.
HKLM\System\CurrentControlSet\Services\LanmaMaster => key could not remove, key could be protected
ucdrv => Unable to stop service.
HKLM\System\CurrentControlSet\Services\ucdrv => key could not remove, key could be protected
Uefochubsrv => Unable to stop service.
HKLM\System\CurrentControlSet\Services\Uefochubsrv => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\JszipProtect => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\WtfEngineDrv => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\ZAM => key could not remove, key could be protected
C:\WINDOWS\system32\Drivers\oitxzdnd.sys => moved successfully
C:\WINDOWS\system32\Drivers\bmlqbomv.sys => moved successfully
C:\WINDOWS\system32\Drivers\gunwfmra.sys => moved successfully
C:\WINDOWS\system32\Drivers\idnlgfgw.sys => moved successfully
C:\WINDOWS\system32\Drivers\agtovjam.sys => moved successfully
C:\WINDOWS\system32\Drivers\quxyinba.sys => moved successfully
C:\WINDOWS\system32\Drivers\qcnsbptr.sys => moved successfully
C:\WINDOWS\system32\Drivers\wcdmqsmi.sys => moved successfully
C:\WINDOWS\system32\Drivers\xrxtfylq.sys => moved successfully
C:\WINDOWS\system32\Drivers\hqmoumov.sys => moved successfully
C:\WINDOWS\system32\Drivers\rthprwky.sys => moved successfully
C:\WINDOWS\system32\Drivers\soejmvjv.sys => moved successfully
C:\WINDOWS\system32\Drivers\brfwriza.sys => moved successfully
C:\WINDOWS\system32\Drivers\xulflwqu.sys => moved successfully
C:\WINDOWS\system32\Drivers\vvorfrdh.sys => moved successfully
C:\WINDOWS\system32\Drivers\ykhekyxd.sys => moved successfully
C:\WINDOWS\system32\SppExtComObjPatcher.exe => moved successfully
C:\WINDOWS\system32\SppExtComObjHook.dll => moved successfully
 
"C:\Program Files (x86)\UCBrowser" folder move:
 
Could not move "C:\Program Files (x86)\UCBrowser" => Scheduled to move on reboot.
 
C:\WINDOWS\System32\Tasks\UCBrowserUpdaterCore => moved successfully
C:\WINDOWS\System32\Tasks\UCBrowserUpdater => moved successfully
C:\WINDOWS\System32\Tasks\UCBrowserSecureUpdater => moved successfully
C:\Users\Siddharth\AppData\Local\UCBrowser => moved successfully
C:\Users\Siddharth\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk => moved successfully
C:\ProgramData\service.exe => moved successfully
C:\Program Files (x86)\KMSPico => moved successfully
C:\WINDOWS\MEMORY.DMP => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{049F4AE0-F947-439D-A0E4-D76EBAD9FDE9} => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{049F4AE0-F947-439D-A0E4-D76EBAD9FDE9} => key could not remove. Access Denied.
C:\WINDOWS\System32\Tasks\UCBrowserSecureUpdater => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UCBrowserSecureUpdater => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9066D739-1FE9-45B4-93DE-141BE00CD836} => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9066D739-1FE9-45B4-93DE-141BE00CD836} => key could not remove. Access Denied.
C:\WINDOWS\System32\Tasks\UCBrowserUpdater => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UCBrowserUpdater => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D378712A-78C3-42AF-A2A0-9DF72F7E62D1} => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D378712A-78C3-42AF-A2A0-9DF72F7E62D1} => key could not remove. Access Denied.
C:\WINDOWS\System32\Tasks\UCBrowserUpdaterCore => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UCBrowserUpdaterCore => key could not remove. Access Denied.
"C:\WINDOWS\system32\Drivers\agtovjam.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\bmlqbomv.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\brfwriza.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\gunwfmra.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\hqmoumov.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\idnlgfgw.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\oitxzdnd.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\qcnsbptr.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\quxyinba.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\rthprwky.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\soejmvjv.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\vvorfrdh.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\wcdmqsmi.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\xrxtfylq.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\xulflwqu.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\ykhekyxd.sys" => ":changelist" ADS not found.
Windows Firewall is disabled. => Error: No automatic fix found for this entry.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{2462CF60-EADE-4810-B384-BD4C3974F3DB}C:\program files\java\jdk1.8.0_51\bin\java.exe => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{BA393644-EF8D-4C8B-8EDB-8B3844A8969B}C:\program files\java\jdk1.8.0_51\bin\java.exe => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2B6F377B-5FEA-4872-AC0C-9B866C863386} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8D5ECCAC-7B5D-4F74-B1D3-5A296723FFAF} => value could not remove.
"C:\Windows\System32\Tasks\UCBrowserSecureUpdater" => not found.
"C:\Windows\System32\Tasks\UCBrowserUpdaterCore" => not found.
 
"C:\Program Files (x86)\UCBrowser" folder move:
 
Could not move "C:\Program Files (x86)\UCBrowser" => Scheduled to move on reboot.
 
C:\Users\Siddharth\AppData\Roaming\WMPNetworkAcSvc => moved successfully
C:\ProgramData\Windows Security => moved successfully
C:\ProgramData\Microsoft\Network\Dsq => moved successfully
"C:\Program Files (x86)\YeaDesktop" => not found.
"C:\Users\Siddharth\AppData\Local\Temp\00029546" => not found.
C:\ProgramData\igfxDH.dll => moved successfully
Could not move "C:\WINDOWS\system32\drivers\Uefochubsrv.sys" => Scheduled to move on reboot.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 15233937 B
Java, Flash, Steam htmlcache => 359056577 B
Windows/system/drivers => 1364812 B
Edge => 16934483 B
Chrome => 28743735 B
Firefox => 367616589 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 9228844 B
Siddharth => 74495528 B
DefaultAppPool => 0 B
 
RecycleBin => 0 B
EmptyTemp: => 839.3 MB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 12-06-2017 18:57:42)
 
"C:\Program Files (x86)\UCBrowser" => Could not move
"C:\Program Files (x86)\UCBrowser" => Could not move
"C:\WINDOWS\system32\drivers\Uefochubsrv.sys" => Could not move
 
Result of scheduled keys to remove after reboot:
 
HKLM\Software\Classes\CLSID\{5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} => key could not remove, key could be protected
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\JzShlobj => key could not remove, key could be protected
HKLM\Software\Classes\CLSID\{9A0700D2-920A-4E52-8697-9B5230C92612} => key could not remove, key could be protected
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} => key could not remove, key could be protected
HKLM\Software\Wow6432Node\Classes\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} => key could not remove, key could be protected
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910} => key could not remove, key could be protected
HKLM\Software\Wow6432Node\Classes\CLSID\{AE7CD045-E861-484f-8273-0445EE161910} => key could not remove, key could be protected
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077} => key could not remove, key could be protected
HKLM\Software\Wow6432Node\Classes\CLSID\{F4971EE7-DAA0-4053-9964-665D8EE6A077} => key could not remove, key could be protected
HKLM\Software\Wow6432Node\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => key could not remove, key could be protected
HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer => key could not remove, key could be protected
HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect => key could not remove, key could be protected
HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer => key could not remove, key could be protected
HKLM\Software\Wow6432Node\MozillaPlugins\Adobe Acrobat => key could not remove, key could be protected
HKLM\Software\Wow6432Node\MozillaPlugins\adobe.com/AdobeAAMDetect => key could not remove, key could be protected
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\WindowsSecurity => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\WMPNetworkAcSvc => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\HitmanProScheduler => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\ibtsiva => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\JszipService => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\OracleOraDb11g_home1TNSListener => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\TMService => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\UCBrowserSvc => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\WTFast.Service => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\XBox => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\ZAMSvc => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\LanmaMaster => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\ucdrv => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\Uefochubsrv => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\JszipProtect => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\WtfEngineDrv => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\ZAM => key could not remove, key could be protected
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{049F4AE0-F947-439D-A0E4-D76EBAD9FDE9} => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{049F4AE0-F947-439D-A0E4-D76EBAD9FDE9} => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UCBrowserSecureUpdater => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9066D739-1FE9-45B4-93DE-141BE00CD836} => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9066D739-1FE9-45B4-93DE-141BE00CD836} => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UCBrowserUpdater => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D378712A-78C3-42AF-A2A0-9DF72F7E62D1} => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D378712A-78C3-42AF-A2A0-9DF72F7E62D1} => key could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UCBrowserUpdaterCore => key could not remove. Access Denied.
 
==== End of Fixlog 18:57:53 ====


#11 seed12121212 (Topic Starter, Members, 23 posts)

Posted 12 June 2017 - 09:12 AM

Oh! Sorry sir, I forgot to restart. It is scanning now, please wait, I will post the log. Sorry for the foolishness.



#12 seed12121212 (Topic Starter, Members, 23 posts)

Posted 12 June 2017 - 11:33 AM

I did the anti-rootkit scan. Here is the log:


Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2017.06.12.02
  rootkit: v2017.05.27.01
 
Windows 10 x64 NTFS
Internet Explorer 11.296.15063.0
Siddharth :: SIDDHARTHJOSHI [administrator]
 
12-Jun-17 7:40:49 PM
mbar-log-2017-06-12 (19-40-49).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 336675
Time elapsed: 23 minute(s), 45 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 12
HKLM\SOFTWARE\CLASSES\CLSID\{5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} (Adware.Elex.SHHKRST) -> Delete on reboot. [b59da19d387146f06f997bf6d828c23e]
HKLM\SOFTWARE\CLASSES\CLSID\{9A0700D2-920A-4E52-8697-9B5230C92612} (Adware.Elex) -> Delete on reboot. [d77b2f0f0c9de4523840806eff027f81]
HKLM\SOFTWARE\CLASSES\JZipShell.JzShlobj (Adware.Elex) -> Delete on reboot. [74de18269a0fde58f48447a758a92ed2]
HKLM\SOFTWARE\CLASSES\JZipShell.JzShlobj.1 (Adware.Elex) -> Delete on reboot. [4d0583bb2881f24490e840aee9186f91]
HKLM\SOFTWARE\WOW6432NODE\CLASSES\JZipShell.JzShlobj (Adware.Elex) -> Delete on reboot. [4f039da1cedbca6ce69239b53ec3ef11]
HKLM\SOFTWARE\WOW6432NODE\CLASSES\JZipShell.JzShlobj.1 (Adware.Elex) -> Delete on reboot. [4f03ed515752a0968debdc12857c0ff1]
HKLM\SOFTWARE\CLASSES\WOW6432NODE\JZipShell.JzShlobj (Adware.Elex) -> Delete on reboot. [64eee9554168f2444731638bf80911ef]
HKLM\SOFTWARE\CLASSES\WOW6432NODE\JZipShell.JzShlobj.1 (Adware.Elex) -> Delete on reboot. [f45ec17d664359dd294fc82637caaf51]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\JszipProtect (Adware.Elex) -> Delete on reboot. [63efe757d0d996a028b3fe03c63b6d93]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\JszipService (Adware.Elex) -> Delete on reboot. [f35f5ae4307974c289905b302dd401ff]
HKU\S-1-5-21-511330708-1322164562-341044212-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\www.yeadesktop.com (Adware.YeaDesktop) -> Delete on reboot. [3c16e757f9b0092d0bdb49c7e8190cf4]
HKU\S-1-5-21-511330708-1322164562-341044212-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\yeadesktop.com (Adware.YeaDesktop) -> Delete on reboot. [044e84ba01a87cba9056b65a5da4e020]
 
Registry Values Detected: 1
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} (Adware.Elex.SHHKRST) -> Data:  -> Delete on reboot. [a8aae05e3f6a73c3b6526e03748c1ae6]
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 6
C:\WINDOWS\SYSTEM32\drivers\F785D4AC4C7B.dat (Adware.ChinAd) -> Delete on reboot. [0a00697ae02cb4b27eb486585323f00e]
C:\WINDOWS\SYSTEM32\drivers\Uefochubsrv.sys (Adware.ChinAd) -> Delete on reboot. [1a3efb491f04121fd8795a9a2ad0f5b0]
C:\WINDOWS\SYSTEM32\drivers\lanmamaster.sys (Adware.ChinAd) -> Delete on reboot. [b9bf0b6ee264badb90f32a471916a62f]
C:\Windows\SysWOW64\Auhardwaregl.dll (Adware.ChinAd) -> Delete on reboot. [a6ac49f5e6c33ff7595024aeb44d6997]
C:\Windows\System32\lanmamasterHelp.dll (Adware.ChinAd) -> Delete on reboot. [bc968cb2347557dfcc64b719e819c23e]
C:\Users\Siddharth\AppData\Roaming\IDM\DwnlData\Siddharth\get_files-download-storage_website_1285\get_files-download-storage_website (Adware.Agent) -> Delete on reboot. [173b1e209910fc3ace60a551669ba55b]
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)


#13 nasdaq (Malware Response Team, 38,559 posts, Montreal, QC. Canada)

Posted 12 June 2017 - 12:40 PM

If the problem persists please run the Farbar tool normally one more time.

Post fresh FRST and Addition.txt file for my review.

p.s.
Make sure that the box to create an Addition.txt file is marked.

#14 seed12121212 (Topic Starter, Members, 23 posts)

Posted 12 June 2017 - 12:57 PM

If the problem persists please run the Farbar tool normally one more time.

Post fresh FRST and Addition.txt file for my review.

p.s.
Make sure that the box to create an Addition.txt file is marked.

Everything is resolved, thank you so much nasdaq. How should I prevent this in future? Use antimalware premium?



#15 nasdaq (Malware Response Team, 38,559 posts, Montreal, QC. Canada)

Posted 13 June 2017 - 06:30 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===
