
Rootkit WinNt/AdClocker and maybe some others


This topic is locked
10 replies to this topic

#1 rezaeefar

Posted 26 June 2017 - 09:31 PM

Hi

My name is Amin.

I have problems with some rootkits and malware, and I have found and deleted many files and folders related to these.

Right now the biggest problem is the message "The requested resource is in use" when using Windows Defender and any other antivirus and malware removal tools.

I found these files and processes that can't be removed or stopped:

Service: "Windows Management Service" that uses the file "C:\Users\Mojdeh\AppData\Local\fegipntm\xrrrnz\ct.exe"

File: C:\Users\Mojdeh\AppData\Roaming\isMiner\minerstart.vbs

I have Windows 10 x64 running on my HP notebook.

I used FRST64, and the FRST.TXT and Addition.TXT files are attached.

Can you please help me make my fixlist.txt or tell me which instructions I should follow.

Thank you


#2 JSntgRvr


Posted 26 June 2017 - 10:02 PM

Welcome :)

  • Please download Malwarebytes Anti-Rootkit and save the file to your Desktop.
  • Right-click MBAR.exe and select Run as administrator to run the installer.
  • Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
  • Click Next, followed by Update. Upon update completion, click Next.
  • Ensure Drivers, Sectors & System are checked and click Scan.
  • Note: Do not use your computer during the scan.
  • Upon completion:
    • If no infection is found, close the MBAR window.
    • If an infection is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.
  • Two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.

 

 


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
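The mbar-log.txt these steps ask for is a plain-text report whose detection lines read `object (Threat.Name) -> action. [md5]` under headers such as `Registry Values Detected: 2` (the format of the scan results pasted later in this thread). The script below is an added triage helper, not part of this thread or of Malwarebytes' tooling: it parses such a log, tallies detections by section and threat family, warns when a section's declared count does not match the lines present (a truncated paste), and flags service registry entries whose ImagePath points into a user profile, the persistence pattern behind the "Windows Management Service" described in the first post. The sample log is a constructed excerpt assembled from entries quoted in this thread, with the Files section deliberately cut short.

```python
"""Triage helper for Malwarebytes Anti-Rootkit (MBAR) mbar-log.txt reports.
Added example for this thread, not part of MBAR or of the forum's tooling."""
import re
from collections import Counter

# Section header, e.g. "Registry Values Detected: 2"
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# Detection line: "<object> (<threat>) -> [<pid> ->] [Data: <data> ->] <action>. [<md5>]"
DETECTION_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> "
    r"(?:(?P<pid>\d+) -> )?(?:Data: (?P<data>.+?) -> )?"
    r"(?P<action>[^.\[\]]+)\. \[(?P<md5>[0-9a-f]{32})\]$"
)
# A legitimate service binary has no business living under a user's AppData tree.
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SERVICES_KEY = "\\CURRENTCONTROLSET\\SERVICES\\"

# Constructed sample: entries copied from the scan log quoted in this thread, with
# the Files section deliberately truncated (header says 3, only 2 lines follow).
SAMPLE_LOG = r"""
Memory Processes Detected: 1
C:\Users\Mojdeh\AppData\Local\fegipntm\xrrrnz\ct.exe (Trojan.Clicker.Generic) -> 3908 -> Delete on reboot. [5ed00c382b7e8ea8856e2dc66a973cc4]

Registry Keys Detected: 2
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\windowsmanagementservice (Trojan.Clicker.Generic) -> Delete on reboot. [5ed00c382b7e8ea8856e2dc66a973cc4]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\drmkpro64 (Rootkit.Agent.PUA) -> Delete on reboot. [9a943e06b5f4e452d08b96b7748d8878]

Registry Values Detected: 2
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDOWSMANAGEMENTSERVICE|ImagePath (Trojan.Clicker) -> Data: C:\Users\Mojdeh\AppData\Local\fegipntm\xrrrnz\ct.exe -> Delete on reboot. [2b033c089d0c0531940f735107faf30d]
HKU\S-1-5-21-1053817937-666166871-1826005414-1001\SOFTWARE\MICROSOFT\2UPS|partner (Adware.Tuto4PC) -> Data: we -> Delete on reboot. [7faf8fb5b1f83cfa5e0880827a88748c]

Files Detected: 3
C:\WINDOWS\SYSTEM32\drivers\ndistpr64.sys (Rootkit.Agent.PUA) -> Delete on reboot. [a1184d89fddc3c481bce6ecc1384a192]
C:\Users\Mojdeh\AppData\Local\fegipntm\xrrrnz\ct.exe (Trojan.Clicker.Generic) -> Delete on reboot. [5ed00c382b7e8ea8856e2dc66a973cc4]

Physical Sectors Detected: 0
(No malicious items detected)
"""


def parse_mbar_log(text):
    """Return (detections, declared): one dict per detection line, and the
    per-section counts stated in the log's section headers."""
    detections, declared, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            declared[section] = int(m.group("count"))
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            d = m.groupdict()
            d["section"] = section
            d["pid"] = int(d["pid"]) if d["pid"] else None
            detections.append(d)
    return detections, declared


def family(threat):
    """Collapse 'Adware.Tuto4PC.Generic' to its family 'Adware.Tuto4PC'."""
    return ".".join(threat.split(".")[:2])


def summarize(detections):
    """Counts per log section and per threat family."""
    return (Counter(d["section"] for d in detections),
            Counter(family(d["threat"]) for d in detections))


def count_mismatches(detections, declared):
    """Sections whose header count differs from the lines actually present:
    usually a truncated or hand-edited paste, so the log cannot be trusted whole."""
    seen = Counter(d["section"] for d in detections)
    return {s: (n, seen[s]) for s, n in declared.items() if seen[s] != n}


def flag_user_profile_services(detections):
    """Service ImagePath values under a user profile, joined with the PID of the
    matching detected process if the scanner found it still in memory."""
    running = {d["obj"].lower(): d["pid"]
               for d in detections if d["section"] == "Memory Processes"}
    flagged = []
    for d in detections:
        if d["section"] != "Registry Values" or not d["obj"].upper().endswith("|IMAGEPATH"):
            continue
        key = d["obj"].rsplit("|", 1)[0]
        image = (d["data"] or "").strip().strip('"')
        if SERVICES_KEY in key.upper() and USER_PROFILE_RE.match(image):
            flagged.append({"service": key.rsplit("\\", 1)[-1], "image_path": image,
                            "threat": d["threat"], "pid": running.get(image.lower())})
    return flagged


if __name__ == "__main__":
    dets, declared = parse_mbar_log(SAMPLE_LOG)
    per_section, per_family = summarize(dets)
    print("per section:", dict(per_section))
    print("per family: ", dict(per_family))
    for sec, (want, got) in count_mismatches(dets, declared).items():
        print(f"warning: {sec}: header declares {want}, found {got} (truncated paste?)")
    for f in flag_user_profile_services(dets):
        state = f"running as PID {f['pid']}" if f["pid"] else "not in memory"
        print(f"service {f['service']} -> {f['image_path']} [{f['threat']}, {state}]")
```

A service whose ImagePath sits under AppData and whose process is still resident is the combination that produces the "requested resource is in use" symptom the first post describes, which is why the helper reports the two together.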


#3 JSntgRvr


Posted 28 June 2017 - 11:27 AM

Are you still with us?




#4 rezaeefar


Posted 30 June 2017 - 03:46 AM

Are you still with us?

Hi

Sorry for being late.

I did the check three times.

The first time, more than 200 malware items were found.

Malwarebytes Anti-Rootkit BETA 1.9.4.1001
www.malwarebytes.org
 
Database version:
  main:    v2017.06.27.02
  rootkit: v2017.05.27.01
 
Windows 10 x64 NTFS
Internet Explorer 11.1358.14393.0
Amin :: MOJDEH-PC [administrator]
 
6/28/2017 10:47:00 PM
mbar-log-2017-06-28 (22-47-00).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 318845
Time elapsed: 22 minute(s), 36 second(s)
 
Memory Processes Detected: 1
C:\Users\Mojdeh\AppData\Local\fegipntm\xrrrnz\ct.exe (Trojan.Clicker.Generic) -> 3908 -> Delete on reboot. [5ed00c382b7e8ea8856e2dc66a973cc4]
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 7
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\bb31ce5182cb85eb8d0e0b348b0dc874 (Adware.Wajam.Generic) -> Delete on reboot. [b5791b293c6db482379886cec13f8878]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\windowsmanagementservice (Trojan.Clicker.Generic) -> Delete on reboot. [5ed00c382b7e8ea8856e2dc66a973cc4]
HKLM\SOFTWARE\Soci2Sear Browser Enhancer (Adware.Social2Search) -> Delete on reboot. [a18d0f35b2f767cf91edc108bb46847c]
HKLM\SOFTWARE\WOW6432NODE\Soci2Sear Browser Enhancer (Adware.Social2Search) -> Delete on reboot. [210d84c0ebbeb581abd3696014ed9a66]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\11598763487076930564 (Adware.DNSUnlocker) -> Delete on reboot. [e04e162efdac6bcb28bda45cfe04a55b]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\drmkpro64 (Rootkit.Agent.PUA) -> Delete on reboot. [9a943e06b5f4e452d08b96b7748d8878]
HKU\S-1-5-21-1053817937-666166871-1826005414-1001\SOFTWARE\MICROSOFT\2UPS (Adware.Tuto4PC) -> Delete on reboot. [7faf8fb5b1f83cfa5e0880827a88748c]
 
Registry Values Detected: 2
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDOWSMANAGEMENTSERVICE|ImagePath (Trojan.Clicker) -> Data: C:\Users\Mojdeh\AppData\Local\fegipntm\xrrrnz\ct.exe -> Delete on reboot. [2b033c089d0c0531940f735107faf30d]
HKU\S-1-5-21-1053817937-666166871-1826005414-1001\SOFTWARE\MICROSOFT\2UPS|partner (Adware.Tuto4PC) -> Data: we -> Delete on reboot. [7faf8fb5b1f83cfa5e0880827a88748c]
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 18
 
Files Detected: 185
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 

Second time, about 5.

Malwarebytes Anti-Rootkit BETA 1.9.4.1001
www.malwarebytes.org
 
Database version:
  main:    v2017.06.28.08
  rootkit: v2017.05.27.01
 
Windows 10 x64 NTFS
Internet Explorer 11.1358.14393.0
Amin :: MOJDEH-PC [administrator]
 
6/28/2017 11:32:01 PM
mbar-log-2017-06-28 (23-32-01).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 318762
Time elapsed: 28 minute(s), 8 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 2
HKU\S-1-5-21-1053817937-666166871-1826005414-1001\SOFTWARE\MICROSOFT\BIGTIME (Adware.Tuto4PC) -> Delete on reboot. [ecac380ceabf59dd9bb12707d12f07f9]
HKU\S-1-5-21-1053817937-666166871-1826005414-1001\SOFTWARE\MICROSOFT\EWMON (Adware.Tuto4PC) -> Delete on reboot. [2177152faffaa492cb93004d80808a76]
 
Registry Values Detected: 2
HKU\S-1-5-21-1053817937-666166871-1826005414-1001\SOFTWARE\MICROSOFT\BIGTIME|partner (Adware.Tuto4PC) -> Data: amonetize -> Delete on reboot. [ecac380ceabf59dd9bb12707d12f07f9]
HKU\S-1-5-21-1053817937-666166871-1826005414-1001\SOFTWARE\MICROSOFT\EWMON|partner (Adware.Tuto4PC) -> Data: amonetize -> Delete on reboot. [2177152faffaa492cb93004d80808a76]
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
C:\Windows\System32\tprdpw64.exe (Trojan.Clicker) -> Delete on reboot. [78207ec6a30686b0bb7203f95ca549b7]
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 

Third time, nothing.

Malwarebytes Anti-Rootkit BETA 1.9.4.1001
www.malwarebytes.org
 
Database version:
  main:    v2017.06.28.08
  rootkit: v2017.05.27.01
 
Windows 10 x64 NTFS
Internet Explorer 11.1358.14393.0
Amin :: MOJDEH-PC [administrator]
 
6/29/2017 12:13:12 AM
mbar-log-2017-06-29 (00-13-12).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 318649
Time elapsed: 26 minute(s), 42 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
And this is the system log:
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.4.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 10.0.14393 Windows 10 x64
 
Account is Administrative
 
Internet Explorer version: 11.1358.14393.0
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 2.095000 GHz
Memory total: 4226142208, free: 1574449152
 
Downloaded database version: v2017.06.27.02
Downloaded database version: v2017.05.27.01
Downloaded database version: v2017.06.16.01
=======================================
Initializing...
Driver version: 0.3.0.4
------------ Kernel report ------------
     06/28/2017 22:46:48
------------ Loaded modules -----------
----------- End -----------
Done!
 
Scan started
Database versions:
  main:    v2017.06.27.02
  rootkit: v2017.05.27.01
 
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffb40debecd060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffb40debe51ae0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffb40debecd060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffb40debc974f0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffb40debc95060, DeviceName: \Device\00000031\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
File C:\WINDOWS\SYSTEM32\drivers\ndistpr64.sys will be destroyed
Infected: C:\WINDOWS\SYSTEM32\drivers\ndistpr64.sys --> [Rootkit.Agent.PUA]
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 4166D6A8
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 1024000
    Partition is bootable
    Partition file system is NTFS
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1026048  Numsec = 125952000
    Partition is not bootable
    Partition file system is NTFS
 
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 126978048  Numsec = 487671808
    Partition is not bootable
    Partition file system is NTFS
 
    Partition 3 type is Other (0xc)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 614649856  Numsec = 10489856
    Partition is not bootable
    Partition file system is FAT32
 
Disk Size: 320072933376 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
Done!
File C:\Windows\System32\drivers\bb31ce5182cb85eb8d0e0b348b0dc874.sys will be destroyed
Infected: C:\Windows\System32\drivers\bb31ce5182cb85eb8d0e0b348b0dc874.sys --> [Adware.Wajam.Generic]
Infected: HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\bb31ce5182cb85eb8d0e0b348b0dc874 --> [Adware.Wajam.Generic]
Infected: C:\Program Files (x86)\vtxnwlrzf3z\DWE5N0PKISDE5KF.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\16DBKPX.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\mmc29.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\setup.exe --> [Adware.SquareNet]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\OneSystemCare.exe --> [Adware.OptimizerEliteMax]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\0t3jjBD9E\0t3jjBD9E.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\0VYIrWQC2\zIPKF1UcR.exe --> [Adware.Amonetize]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\0WU3IN27RF\AfficheOne.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\0WU3IN27RF\Era5Le.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\0WU3IN27RF\Like.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\1497120636\s5-20170325.exe --> [Adware.Yelloader]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\1497120636\s5m_install_325.exe --> [Trojan.Clicker]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\15RS2RYBYZ\AfficheOne.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\15RS2RYBYZ\Era5Le.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\15RS2RYBYZ\Like.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\a9xA8hSan\a9xA8hSan.exe --> [Adware.Amonetize]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\gwt8hFg1n\CdEyvEq3l.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\KWQq4NQR9\iJHsiRTrX.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\LIy1b5yh4\B72eXbhOV.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\SKwSt59mE\SKwSt59mE.exe --> [Adware.Amonetize]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\stlB8t7Cz\stlB8t7Cz.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\t5v5BQwm9\t5v5BQwm9.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\7YvYgBRgo\tFHouA2in.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\57rWcRhmg\OvOMEOCqe.exe --> [Adware.Amonetize]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\EGWyBAeE2\EGWyBAeE2.exe --> [Adware.Amonetize]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\FnDoRYw6R\FnDoRYw6R.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\g7yEYAoeL\EjTSYLalr.exe --> [Adware.Amonetize]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\ga7Xkvaul\ga7Xkvaul.exe --> [Adware.Amonetize.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\2qM9uDcfb\2qM9uDcfb.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\9kCMDe5OS\w1OcQdgPR.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\9QILG1AGKA\AfficheOne.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\9QILG1AGKA\Era5Le.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\9QILG1AGKA\Like.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\Pw6GNv3TO\Pw6GNv3TO.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\Qk7xvxjHl\jHacTYbW9.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\QMG14B2IS6\AfficheOne.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\QMG14B2IS6\Era5Le.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\QMG14B2IS6\Like.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\RHGtWL9GP\doSTaJkIN.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\Ro5TD102k\Ro5TD102k.exe --> [Adware.Amonetize]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\RoePebIIu\RoePebIIu.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\rq1n1AxE0\rq1n1AxE0.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\vWiAjQQZ3\llMM5XzwU.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\WKfh2GKuU\WKfh2GKuU.exe --> [Adware.Amonetize.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\CGBMQY64B4\AfficheOne.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\CGBMQY64B4\Era5Le.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\CGBMQY64B4\Like.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\6NgInIQsA\EA7KBNU2o.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\6oYhFl5TC\t5aHSkgUB.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\1NLkCfqsx\8nto3oxBa.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\24JI9GOGIM\AfficheOne.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\24JI9GOGIM\Era5Le.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\24JI9GOGIM\Like.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\2CxiYsLkr\ojJHcrVmq.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\4SJLS3Kpi\4SJLS3Kpi.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\4trk9GZPk\DgimnL2p9.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\biWgkFVbC\biWgkFVbC.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\N32V30ROC8\AfficheOne.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\N32V30ROC8\Era5Le.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\N32V30ROC8\Like.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-1K8OR.tmp\lol.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-3HI8R.tmp\up.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-64SHT.tmp\up.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-DOV7P.tmp\HelpTool.dll --> [Adware.Agent]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-EBI50.tmp\up.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-ENDPR.tmp\up.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-ENE12.tmp\up.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-FRSD1.tmp\up.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-GT19F.tmp\up.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-J5VDA.tmp\up.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-KC5QF.tmp\up.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-KS0R4.tmp\up.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\RuVaU4L4V\RuVaU4L4V.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\S2rgMLRPa\UwB4yYtUR.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-LG37P.tmp\HelpTool.dll --> [Adware.Agent]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-PV48V.tmp\up.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-SGDSJ.tmp\up.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\J4PAG731SX\AfficheOne.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\J4PAG731SX\Era5Le.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\JoiiUnh7S\JoiiUnh7S.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\K57XEQRTQI\AfficheOne.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\K57XEQRTQI\Era5Le.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\K57XEQRTQI\Like.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\Kltq3xGpj\Kltq3xGpj.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\OCFgK4QHw\YLhEQCVHg.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\ORRVXW7AV0\AfficheOne.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\ORRVXW7AV0\Era5Le.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\OyBJWjqIT\OyBJWjqIT.exe --> [Adware.Amonetize]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\pjjtw2x8y\M1vSK1Iaw.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\BNzRFiZKT\XuKhThaMS.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\BQUY92ZIE4\AfficheOne.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\BQUY92ZIE4\Era5Le.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\BQUY92ZIE4\Like.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\c3af0b2fc9814ca89ee76f3c88eb9b4a\Setup.exe --> [Adware.Amonetize.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-L8QUU.tmp\up.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\T6F6ZEbIj\T6F6ZEbIj.exe --> [Adware.Amonetize]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\{bdd6bc03e2b742c58c4a404bf4c44085}\l6l8EQA3Zb\uninstall.exe --> [Adware.Amonetize]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\xq5iNclxu\JwLUMie5k.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\zHDSYEr9B\VoOicCCbA.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\ZlUSU7BW2\ZlUSU7BW2.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\ZTHELGC13X\AfficheOne.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\ZTHELGC13X\Era5Le.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\AdRbwQrXc\AdRbwQrXc.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\al5r3CI0S\mrL33HByI.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\AocB40boD\MuRd464Xt.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\H44YKR2PAF\AfficheOne.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\H44YKR2PAF\Era5Le.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\H44YKR2PAF\Like.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\HQA386A8IB\AfficheOne.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\HQA386A8IB\Era5Le.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\HQA386A8IB\Like.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\HS9GDO0KIM\AfficheOne.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\HS9GDO0KIM\Era5Le.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\HS9GDO0KIM\Like.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\iNL9Eu9Xd\iNL9Eu9Xd.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\{6d575aaf342d46cf9477c90c84b8b145}\aOBi+OtRC6\uninstall.exe --> [Adware.Amonetize]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\{90e100bebac2444390bae6d7aef0f31b}\KYdTtiLJXn\uninstall.exe --> [Adware.Amonetize]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\tIlSvNxbz\tIlSvNxbz.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\u83JNFp4k\u83JNFp4k.exe --> [Adware.Amonetize]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\3emoJjTCt\XIpQan7eg.exe --> [Adware.Amonetize]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\3P5X0W83v\3P5X0W83v.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\D1LRHLRTTW\AfficheOne.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\D1LRHLRTTW\Era5Le.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\D1LRHLRTTW\Like.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\DFP09mlM3\m3cQAkFQ0.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\DJG6PMd0h\ZqSw3Lo1f.exe --> [Adware.Tuto4PC]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\dpv3dKG71\z6GtrJQ90.exe --> [Adware.Amonetize.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\6ced7ffd8c4646c1b58094bb4692ec73\wKhzwR0ygE8c.exe --> [Adware.Tuto4PC]
File "C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat" is sparse (flags = 32768)
Infected: C:\Users\Mojdeh\AppData\Local\fegipntm\xrrrnz\ct.exe --> [Trojan.Clicker.Generic]
Infected: HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\windowsmanagementservice --> [Trojan.Clicker.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\fegipntm\xrrrnz\ct.exe --> [Trojan.Clicker.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-1K8OR.tmp\lol.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-1K8OR.tmp --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-1K8OR.tmp\idp.dll --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-1K8OR.tmp\itdownload.dll --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-1K8OR.tmp\_isetup --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-1K8OR.tmp\_isetup\_isdecmp.dll --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-1K8OR.tmp\_isetup\_setup64.tmp --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\is-1K8OR.tmp\_isetup\_shfoldr.dll --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\0WU3IN27RF\AfficheOne.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\0WU3IN27RF --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\0WU3IN27RF\Era5Le.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\0WU3IN27RF\Like.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\15RS2RYBYZ\AfficheOne.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\15RS2RYBYZ --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\15RS2RYBYZ\Era5Le.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\15RS2RYBYZ\Like.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\24JI9GOGIM\AfficheOne.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\24JI9GOGIM --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\24JI9GOGIM\Era5Le.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\24JI9GOGIM\Like.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\9QILG1AGKA\AfficheOne.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\9QILG1AGKA --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\9QILG1AGKA\Era5Le.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\9QILG1AGKA\Like.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\BQUY92ZIE4\AfficheOne.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\BQUY92ZIE4 --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\BQUY92ZIE4\Era5Le.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\BQUY92ZIE4\Like.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\CGBMQY64B4\AfficheOne.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\CGBMQY64B4 --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\CGBMQY64B4\Era5Le.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\CGBMQY64B4\Like.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\D1LRHLRTTW\AfficheOne.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\D1LRHLRTTW --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\Mojdeh\AppData\Local\Temp\D1LRHLRTTW\Era5Le.exe.config --> [Adware.Tuto4PC.Generic]
Infected: HKLM\SOFTWARE\Soci2Sear Browser Enhancer --> [Adware.Social2Search]
Infected: HKLM\SOFTWARE\WOW6432NODE\Soci2Sear Browser Enhancer --> [Adware.Social2Search]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\11598763487076930564 --> [Adware.DNSUnlocker]
Infected: HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\drmkpro64 --> [Rootkit.Agent.PUA]
Infected: HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDOWSMANAGEMENTSERVICE|ImagePath --> [Trojan.Clicker]
Infected: HKU\S-1-5-21-1053817937-666166871-1826005414-1001\SOFTWARE\MICROSOFT\2UPS|partner --> [Adware.Tuto4PC]
Infected: HKU\S-1-5-21-1053817937-666166871-1826005414-1001\SOFTWARE\MICROSOFT\2UPS --> [Adware.Tuto4PC]
Scan finished
Creating System Restore point...
Could not create restore point...
Cleaning up...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Executing an action reg.exe...
Success!
Executing an action cmd.exe...
Success!
Queuing an action reg.exe
Queuing an action cmd.exe
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
 
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.4.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 10.0.9200 Windows 10 x64
 
Account is Administrative
 
Internet Explorer version: 11.1358.14393.0
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 2.095000 GHz
Memory total: 4226142208, free: 2761859072
 
Downloaded database version: v2017.06.27.03
Downloaded database version: v2017.06.27.04
Downloaded database version: v2017.06.27.05
Downloaded database version: v2017.06.27.06
Downloaded database version: v2017.06.28.01
Downloaded database version: v2017.06.28.02
Downloaded database version: v2017.06.28.03
Downloaded database version: v2017.06.28.04
Downloaded database version: v2017.06.28.05
Downloaded database version: v2017.06.28.06
Downloaded database version: v2017.06.28.07
Downloaded database version: v2017.06.28.08
=======================================
Initializing...
Driver version: 0.3.0.4
------------ Kernel report ------------
     06/28/2017 23:31:37
------------ Loaded modules -----------
----------- End -----------
Removal queue found; removal started
Removal finished
Done!
 
Scan started
Database versions:
  main:    v2017.06.28.08
  rootkit: v2017.05.27.01
 
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffff90845dc36060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffff90845dc36ae0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffff90845dc36060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffff90845da2f5b0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffff90845da0e400, DeviceName: \Device\00000031\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 4166D6A8
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 1024000
    Partition is bootable
    Partition file system is NTFS
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1026048  Numsec = 125952000
    Partition is not bootable
    Partition file system is NTFS
 
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 126978048  Numsec = 487671808
    Partition is not bootable
    Partition file system is NTFS
 
    Partition 3 type is Other (0xc)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 614649856  Numsec = 10489856
    Partition is not bootable
    Partition file system is FAT32
 
Disk Size: 320072933376 bytes
Sector size: 512 bytes
 
Done!
File "C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat" is sparse (flags = 32768)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.7C" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.83" is compressed (flags = 1)
Infected: C:\Windows\System32\tprdpw64.exe --> [Trojan.Clicker]
Infected: HKU\S-1-5-21-1053817937-666166871-1826005414-1001\SOFTWARE\MICROSOFT\BIGTIME|partner --> [Adware.Tuto4PC]
Infected: HKU\S-1-5-21-1053817937-666166871-1826005414-1001\SOFTWARE\MICROSOFT\BIGTIME --> [Adware.Tuto4PC]
Infected: HKU\S-1-5-21-1053817937-666166871-1826005414-1001\SOFTWARE\MICROSOFT\EWMON|partner --> [Adware.Tuto4PC]
Infected: HKU\S-1-5-21-1053817937-666166871-1826005414-1001\SOFTWARE\MICROSOFT\EWMON --> [Adware.Tuto4PC]
Scan finished
Creating System Restore point...
Could not create restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
 
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.4.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 10.0.9200 Windows 10 x64
 
Account is Administrative
 
Internet Explorer version: 11.1358.14393.0
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 2.095000 GHz
Memory total: 4226142208, free: 2925211648
 
=======================================
Initializing...
Driver version: 0.3.0.4
------------ Kernel report ------------
     06/29/2017 00:12:55
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\System32\drivers\werkernel.sys
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\System32\drivers\FLTMGR.SYS
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\System32\drivers\ksecdd.sys
\SystemRoot\System32\drivers\clipsp.sys
\SystemRoot\System32\drivers\cmimcext.sys
\SystemRoot\System32\drivers\ntosext.sys
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\cng.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\drivers\intelpep.sys
\SystemRoot\system32\drivers\WindowsTrustedRT.sys
\SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\system32\drivers\CEA.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\storahci.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\EhStorClass.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Wof.sys
\SystemRoot\system32\drivers\WdFilter.sys
\SystemRoot\System32\Drivers\NTFS.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\drivers\wfplwfs.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volume.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\drivers\iorate.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\drivers\cdrom.sys
\SystemRoot\system32\drivers\filecrypt.sys
\SystemRoot\system32\drivers\tbs.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\drivers\vwififlt.sys
\SystemRoot\System32\drivers\pacer.sys
\SystemRoot\system32\drivers\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\csc.sys
\??\C:\WINDOWS\System32\drivers\zamguard64.sys
\??\C:\WINDOWS\System32\drivers\zam64.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\gpuenergydrv.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\ahcache.sys
\SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_a140581a8f8b58b7\CompositeBus.sys
\SystemRoot\System32\drivers\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\TeeDriverW8x64.sys
\SystemRoot\System32\drivers\usbehci.sys
\SystemRoot\System32\drivers\USBPORT.SYS
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\System32\drivers\portcls.sys
\SystemRoot\System32\drivers\drmk.sys
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\System32\drivers\sdbus.sys
\SystemRoot\System32\drivers\athwnx.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\drivers\rt640x64.sys
\SystemRoot\System32\drivers\i8042prt.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\System32\drivers\CmBatt.sys
\SystemRoot\System32\drivers\BATTC.SYS
\SystemRoot\System32\drivers\wmiacpi.sys
\SystemRoot\System32\drivers\NdisVirtualBus.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\System32\drivers\usbhub.sys
\SystemRoot\system32\DRIVERS\HdAudio.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\drivers\usbccgp.sys
\SystemRoot\system32\DRIVERS\snp2uvc.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\win32kfull.sys
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\System32\win32kbase.sys
\SystemRoot\system32\DRIVERS\btfilter.sys
\SystemRoot\System32\drivers\BTHUSB.sys
\SystemRoot\System32\drivers\bthport.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_storahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\drivers\dxgmms2.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\mmcss.sys
\SystemRoot\system32\drivers\wcifs.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\storqosflt.sys
\SystemRoot\system32\drivers\wcnfs.sys
\SystemRoot\System32\drivers\registry.sys
\SystemRoot\system32\drivers\lltdio.sys
\SystemRoot\system32\drivers\mslldp.sys
\SystemRoot\system32\drivers\rspndr.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\ndisuio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\System32\drivers\vwifimp.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\idmwfp.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\drivers\tunnel.sys
\SystemRoot\system32\Drivers\WdNisDrv.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
----------- End -----------
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-1026048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-2-126978048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-3-614649856-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
Done!
 
Scan started
Database versions:
  main:    v2017.06.28.08
  rootkit: v2017.05.27.01
 
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffb28ebfc4e060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffb28ebfc4eae0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffb28ebfc4e060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffb28ebfa9c7c0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffb28ebfa9f060, DeviceName: \Device\00000031\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 4166D6A8
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 1024000
    Partition is bootable
    Partition file system is NTFS
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1026048  Numsec = 125952000
    Partition is not bootable
    Partition file system is NTFS
 
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 126978048  Numsec = 487671808
    Partition is not bootable
    Partition file system is NTFS
 
    Partition 3 type is Other (0xc)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 614649856  Numsec = 10489856
    Partition is not bootable
    Partition file system is FAT32
 
Disk Size: 320072933376 bytes
Sector size: 512 bytes
 
Done!
File "C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat" is sparse (flags = 32768)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.7C" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-02DF51455BB184F47089596E65F7F8EB23DDE7E5.bin.83" is compressed (flags = 1)
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-1026048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-2-126978048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-3-614649856-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.4.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 10.0.9200 Windows 10 x64
 
Account is Administrative
 
Internet Explorer version: 11.1358.14393.0
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 2.095000 GHz
Memory total: 4226142208, free: 2745577472
 
Downloaded database version: v2017.06.28.09
Downloaded database version: v2017.06.29.01
Downloaded database version: v2017.06.29.02
Downloaded database version: v2017.06.29.03
Downloaded database version: v2017.06.29.04
Downloaded database version: v2017.06.29.05
Downloaded database version: v2017.06.29.06
Downloaded database version: v2017.06.29.07
Downloaded database version: v2017.06.29.08
Downloaded database version: v2017.06.30.01
Downloaded database version: v2017.06.30.02
Downloaded database version: v2017.06.30.03
Initializing...
======================
Driver version: 0.3.0.4
------------ Kernel report ------------
     06/30/2017 12:15:09
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\System32\drivers\werkernel.sys
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\System32\drivers\FLTMGR.SYS
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\System32\drivers\ksecdd.sys
\SystemRoot\System32\drivers\clipsp.sys
\SystemRoot\System32\drivers\cmimcext.sys
\SystemRoot\System32\drivers\ntosext.sys
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\cng.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\drivers\intelpep.sys
\SystemRoot\system32\drivers\WindowsTrustedRT.sys
\SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\system32\drivers\CEA.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\storahci.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\EhStorClass.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Wof.sys
\SystemRoot\system32\drivers\WdFilter.sys
\SystemRoot\System32\Drivers\NTFS.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\drivers\wfplwfs.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volume.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\drivers\iorate.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\drivers\cdrom.sys
\SystemRoot\system32\drivers\filecrypt.sys
\SystemRoot\system32\drivers\tbs.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\drivers\vwififlt.sys
\SystemRoot\System32\drivers\pacer.sys
\SystemRoot\system32\drivers\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\csc.sys
\??\C:\WINDOWS\System32\drivers\zamguard64.sys
\??\C:\WINDOWS\System32\drivers\zam64.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\gpuenergydrv.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\ahcache.sys
\SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_a140581a8f8b58b7\CompositeBus.sys
\SystemRoot\System32\drivers\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\TeeDriverW8x64.sys
\SystemRoot\System32\drivers\usbehci.sys
\SystemRoot\System32\drivers\USBPORT.SYS
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\System32\drivers\portcls.sys
\SystemRoot\System32\drivers\drmk.sys
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\System32\drivers\sdbus.sys
\SystemRoot\System32\drivers\athwnx.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\drivers\rt640x64.sys
\SystemRoot\System32\drivers\i8042prt.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\System32\drivers\CmBatt.sys
\SystemRoot\System32\drivers\BATTC.SYS
\SystemRoot\System32\drivers\wmiacpi.sys
\SystemRoot\System32\drivers\NdisVirtualBus.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\System32\drivers\usbhub.sys
\SystemRoot\system32\DRIVERS\HdAudio.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\drivers\usbccgp.sys
\SystemRoot\system32\DRIVERS\snp2uvc.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\win32kfull.sys
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\System32\win32kbase.sys
\SystemRoot\system32\DRIVERS\btfilter.sys
\SystemRoot\System32\drivers\BTHUSB.sys
\SystemRoot\System32\drivers\bthport.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_storahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\System32\drivers\dxgmms2.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\mmcss.sys
\SystemRoot\system32\drivers\wcifs.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\storqosflt.sys
\SystemRoot\system32\drivers\wcnfs.sys
\SystemRoot\System32\drivers\registry.sys
\SystemRoot\system32\drivers\lltdio.sys
\SystemRoot\system32\drivers\mslldp.sys
\SystemRoot\system32\drivers\rspndr.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\ndisuio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\System32\drivers\vwifimp.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\idmwfp.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\Drivers\WdNisDrv.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\drivers\tunnel.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
----------- End -----------
Done!
 
Scan started
Database versions:
  main:    v2017.06.30.03
  rootkit: v2017.05.27.01
 
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffb28ebfc4e060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffb28ebfc4eae0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffb28ebfc4e060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffb28ebfa9c7c0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffb28ebfa9f060, DeviceName: \Device\00000031\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 4166D6A8
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 1024000
    Partition is bootable
    Partition file system is NTFS
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1026048  Numsec = 125952000
    Partition is not bootable
    Partition file system is NTFS
 
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 126978048  Numsec = 487671808
    Partition is not bootable
    Partition file system is NTFS
 
    Partition 3 type is Other (0xc)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 614649856  Numsec = 10489856
    Partition is not bootable
    Partition file system is FAT32
 
Disk Size: 320072933376 bytes
Sector size: 512 bytes
 
Done!
File "C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat" is sparse (flags = 32768)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-9672B341277A32F706F9977B5E01CF52B65BDE69.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-9672B341277A32F706F9977B5E01CF52B65BDE69.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-9672B341277A32F706F9977B5E01CF52B65BDE69.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-9672B341277A32F706F9977B5E01CF52B65BDE69.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-9672B341277A32F706F9977B5E01CF52B65BDE69.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-9672B341277A32F706F9977B5E01CF52B65BDE69.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-9672B341277A32F706F9977B5E01CF52B65BDE69.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-9672B341277A32F706F9977B5E01CF52B65BDE69.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-9672B341277A32F706F9977B5E01CF52B65BDE69.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-9672B341277A32F706F9977B5E01CF52B65BDE69.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-9672B341277A32F706F9977B5E01CF52B65BDE69.bin.7C" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-9672B341277A32F706F9977B5E01CF52B65BDE69.bin.83" is compressed (flags = 1)
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-1026048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-2-126978048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-3-614649856-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
 
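The "Scanning MBR on drive 0" section of the MBAR log above is what a rootkit scanner does before it trusts the file system: read sector 0, verify the 55AA boot signature, walk the four partition entries and look for layouts a bootkit would leave behind (a second active entry, an entry reaching past the end of the disk, overlapping ranges, or sectors no partition owns). The following Python is an added example, not MBAR code. It constructs a 512-byte MBR from the values printed in the log (disk signature 4166D6A8, the four partitions, 320072933376-byte disk), parses it back, and runs those checks. Assumptions: the disk signature is read as a little-endian 32-bit value at offset 0x1B8 (the usual convention, and consistent with how MBAR printed it), the CHS fields are filled with 0xFF, and the boot code is left zeroed.

```python
import struct

SECTOR_SIZE = 512
DISK_SIG_OFF = 0x1B8      # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE      # 55 AA
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

# Figures copied from the MBAR output above; the MBR image itself is constructed here.
DISK_BYTES = 320072933376
PAGE_DISK_SIGNATURE = 0x4166D6A8
PAGE_PARTITIONS = [
    # (active, type, lba_start, sector_count)
    (True,  0x07, 2048,      1024000),
    (False, 0x07, 1026048,   125952000),
    (False, 0x07, 126978048, 487671808),
    (False, 0x0C, 614649856, 10489856),
]

def build_mbr(disk_sig, partitions):
    """Assemble one MBR sector with the given table (boot code left zeroed)."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    for i, (active, ptype, lba, nsec) in enumerate(partitions):
        status = 0x80 if active else 0x00
        # CHS fields are ignored by modern loaders; 0xFFFFFF means "use the LBA fields".
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i,
                         status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, nsec)
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)

def parse_mbr(mbr):
    """Return (disk_signature, [entries]); raise ValueError if this is not a valid MBR."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 55AA boot signature")
    disk_sig = struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0]
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, nsec = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba": lba, "nsec": nsec})
    return disk_sig, entries

def check_layout(entries, disk_sectors):
    """Flag what a rootkit scanner cares about; return (warnings, unallocated_ranges)."""
    warnings = []
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        warnings.append(f"{len(active)} active partitions (expected exactly 1)")
    for e in entries:
        if e["lba"] == 0 or e["lba"] + e["nsec"] > disk_sectors:
            warnings.append(f"partition {e['index']} out of bounds")
    ordered = sorted(entries, key=lambda e: e["lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba"] + a["nsec"] > b["lba"]:
            warnings.append(f"partitions {a['index']} and {b['index']} overlap")
    # Sectors no partition claims: sector 0 is the MBR itself; the rest is where
    # bootkits have historically stashed code, so a scanner should read it too.
    unallocated = []
    cursor = 1
    for e in ordered:
        if e["lba"] > cursor:
            unallocated.append((cursor, e["lba"]))
        cursor = max(cursor, e["lba"] + e["nsec"])
    if cursor < disk_sectors:
        unallocated.append((cursor, disk_sectors))
    return warnings, unallocated

def inspect_page_disk():
    """Rebuild the layout shown in the MBAR log and run the checks on it."""
    mbr = build_mbr(PAGE_DISK_SIGNATURE, PAGE_PARTITIONS)
    disk_sig, entries = parse_mbr(mbr)
    warnings, unallocated = check_layout(entries, DISK_BYTES // SECTOR_SIZE)
    return disk_sig, entries, warnings, unallocated

if __name__ == "__main__":
    sig, entries, warnings, unallocated = inspect_page_disk()
    print(f"Disk Signature: {sig:08X}")
    for e in entries:
        print(f"  Partition {e['index']}: type 0x{e['type']:x}, "
              f"{'ACTIVE' if e['active'] else 'not active'}, "
              f"LBA {e['lba']} Numsec {e['nsec']}")
    print("Warnings:", warnings or "none")
    print("Unallocated sector ranges (start, end):", unallocated)
```

On the layout from the log the four entries are contiguous, so the only unowned sectors are the 2047 between the MBR and the first partition and a short tail after the last one; on a real disk those are the ranges worth dumping and hashing when a bootkit is suspected.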


#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 June 2017 - 05:57 PM

That was quite an infection.

 

 

  • Highlight the entire content of the quote box below.

Start::  
Task: {0B9CAD22-7311-46FF-A26B-DADA8AF02853} - System32\Tasks\One System CarePeriod => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe <==== ATTENTION
Task: {351F2A79-5E61-451C-960B-6BAED3CF567D} - System32\Tasks\{780C7947-7A7E-7D0D-7D11-797A0E7A1108} => powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand OwA7ACAAIAA7ACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAVwBhAHIAbgBpAG4AZwBQAHIAZQBmAGUAcgBlAG4AYwBlAD0A (the data entry has 10088 more characters). <==== ATTENTION
Task: {35C06FBB-3E92-4CAC-BEE5-98D0195423C0} - System32\Tasks\One System Care Task => C:\PROGRA~2\ONESYS~1\SYSTEM~1.EXE <==== ATTENTION
Task: {40CB36E4-4078-4AFF-BFDF-13B0E3149049} - System32\Tasks\2ff3e5b2b08659c37a16279d2f98fe08 => sc start 2ff3e5b2b08659c37a16279d2f98fe08 <==== ATTENTION
Task: {CF1EC23E-7660-4CFB-9437-AFE148F88447} - System32\Tasks\One System Care Monitor => C:\Program Files (x86)\OneSystemCare\CleanupConsole.exe <==== ATTENTION
Task: {DF63132C-F27B-4DB7-ACEE-57F92DB5F803} - System32\Tasks\Microsoft\Windows\Windows Error Reporting\VideErroroReporting => C:\\ProgramData\\WindowsVideoErrorReporting\\wvermgr.exe [2017-06-11] () <==== ATTENTION
Task: {E6116BED-8330-4CDF-AC59-442FFBA0FAB7} - System32\Tasks\One System Care Run Delay => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\One System CarePeriod.job =>  <==== ATTENTION
C:\WINDOWS\system32\drivers\drmkpro64.sys
C:\Users\Mojdeh\AppData\Local\fegipntm
R2 windowsmanagementservice; C:\Users\Mojdeh\AppData\Local\fegipntm\xrrrnz\ct.exe [689664 2017-05-30] () [File not signed] <==== ATTENTION
R1 bb31ce5182cb85eb8d0e0b348b0dc874; C:\WINDOWS\system32\drivers\bb31ce5182cb85eb8d0e0b348b0dc874.sys [71544 2017-06-06] (3TZGHS) <==== ATTENTION
C:\WINDOWS\system32\drivers\bb31ce5182cb85eb8d0e0b348b0dc874.sys
R5 drmkpro64;  <==== ATTENTION: Locked Service <==== ATTENTION
S4 2ff3e5b2b08659c37a16279d2f98fe08; "C:\Program Files\2ff3e5b2b08659c37a16279d2f98fe08\da26ebd4e3a2381b478597debe070204.exe" [X]
C:\Users\Mojdeh\AppData\Local\fegipntm
2017-06-23 14:56 - 2017-06-23 14:56 - 0789048 _____ (WeMonetize                                                  ) C:\Users\Mojdeh\AppData\Local\Temp\16DBKPX.exe
2017-06-23 15:12 - 2017-06-25 03:54 - 0392704 _____ () C:\Users\Mojdeh\AppData\Local\Temp\AppHelperV3.exe
2017-06-11 04:14 - 2017-06-11 04:14 - 29032005 _____ (AppTrailers) C:\Users\Mojdeh\AppData\Local\Temp\AppTrailers.9.1.10amt.exe
2017-06-10 23:20 - 2017-06-10 23:21 - 0116301 _____ () C:\Users\Mojdeh\AppData\Local\Temp\load.exe
2017-06-11 04:14 - 2017-06-11 04:14 - 0698875 _____ (VideoBox                                                    ) C:\Users\Mojdeh\AppData\Local\Temp\mediasrv.exe
2017-06-23 14:56 - 2017-06-23 14:56 - 1424477 _____ (                                                            ) C:\Users\Mojdeh\AppData\Local\Temp\mmc26.exe
2017-06-23 14:54 - 2017-06-23 14:54 - 0677787 _____ (Norio                                                       ) C:\Users\Mojdeh\AppData\Local\Temp\mmc29.exe
2017-06-23 14:52 - 2017-06-23 14:52 - 0623302 _____ (                                                            ) C:\Users\Mojdeh\AppData\Local\Temp\mmc9.exe
2017-06-11 04:13 - 2017-06-11 04:14 - 4417064 _____ () C:\Users\Mojdeh\AppData\Local\Temp\OneSystemCare.exe
2016-10-23 20:54 - 2017-02-04 22:36 - 10551176 _____ () C:\Users\Mojdeh\AppData\Local\Temp\psiphon-tunnel-core.exe
2016-11-11 00:02 - 2016-11-11 00:02 - 1477736 _____ () C:\Users\Mojdeh\AppData\Local\Temp\psiphon3-meek.exe
2016-11-11 00:02 - 2016-11-11 00:02 - 0808552 _____ (Simon Tatham) C:\Users\Mojdeh\AppData\Local\Temp\psiphon3-plonk.exe
2017-06-10 23:19 - 2017-06-10 23:20 - 0624640 _____ () C:\Users\Mojdeh\AppData\Local\Temp\setup.exe
2017-06-10 23:12 - 2017-06-10 23:19 - 7967744 _____ () C:\Users\Mojdeh\AppData\Local\Temp\wajam_install.exe
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

[screenshot: AdwCleaner console]


  • Click the Scan button and wait for the scan to finish.
  • After the scan has finished, the window may or may not show what it found, and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done, it will ask to reboot; allow this.

[screenshot: AdwCleaner restart prompt]


  • On reboot a log will be produced; please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

 


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 rezaeefar


Posted 30 June 2017 - 07:25 PM

Hi

Thanks again for your help.

I followed the instructions.

This is Fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-06-2017
Ran by Amin (01-07-2017 04:00:26) Run:1
Running from C:\Users\Mojdeh\Desktop
Loaded Profiles: Amin (Available Profiles: Amin & Mojdeh)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
  
Task: {0B9CAD22-7311-46FF-A26B-DADA8AF02853} - System32\Tasks\One System CarePeriod => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe <==== ATTENTION
Task: {351F2A79-5E61-451C-960B-6BAED3CF567D} - System32\Tasks\{780C7947-7A7E-7D0D-7D11-797A0E7A1108} => powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand OwA7ACAAIAA7ACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAVwBhAHIAbgBpAG4AZwBQAHIAZQBmAGUAcgBlAG4AYwBlAD0A (the data entry has 10088 more characters). <==== ATTENTION
Task: {35C06FBB-3E92-4CAC-BEE5-98D0195423C0} - System32\Tasks\One System Care Task => C:\PROGRA~2\ONESYS~1\SYSTEM~1.EXE <==== ATTENTION
Task: {40CB36E4-4078-4AFF-BFDF-13B0E3149049} - System32\Tasks\2ff3e5b2b08659c37a16279d2f98fe08 => sc start 2ff3e5b2b08659c37a16279d2f98fe08 <==== ATTENTION
Task: {CF1EC23E-7660-4CFB-9437-AFE148F88447} - System32\Tasks\One System Care Monitor => C:\Program Files (x86)\OneSystemCare\CleanupConsole.exe <==== ATTENTION
Task: {DF63132C-F27B-4DB7-ACEE-57F92DB5F803} - System32\Tasks\Microsoft\Windows\Windows Error Reporting\VideErroroReporting => C:\\ProgramData\\WindowsVideoErrorReporting\\wvermgr.exe [2017-06-11] () <==== ATTENTION
Task: {E6116BED-8330-4CDF-AC59-442FFBA0FAB7} - System32\Tasks\One System Care Run Delay => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\One System CarePeriod.job =>  <==== ATTENTION
C:\WINDOWS\system32\drivers\drmkpro64.sys
C:\Users\Mojdeh\AppData\Local\fegipntm
R2 windowsmanagementservice; C:\Users\Mojdeh\AppData\Local\fegipntm\xrrrnz\ct.exe [689664 2017-05-30] () [File not signed] <==== ATTENTION
R1 bb31ce5182cb85eb8d0e0b348b0dc874; C:\WINDOWS\system32\drivers\bb31ce5182cb85eb8d0e0b348b0dc874.sys [71544 2017-06-06] (3TZGHS) <==== ATTENTION
C:\WINDOWS\system32\drivers\bb31ce5182cb85eb8d0e0b348b0dc874.sys
R5 drmkpro64;  <==== ATTENTION: Locked Service <==== ATTENTION
S4 2ff3e5b2b08659c37a16279d2f98fe08; "C:\Program Files\2ff3e5b2b08659c37a16279d2f98fe08\da26ebd4e3a2381b478597debe070204.exe" [X]
C:\Users\Mojdeh\AppData\Local\fegipntm
2017-06-23 14:56 - 2017-06-23 14:56 - 0789048 _____ (WeMonetize                                                  ) C:\Users\Mojdeh\AppData\Local\Temp\16DBKPX.exe
2017-06-23 15:12 - 2017-06-25 03:54 - 0392704 _____ () C:\Users\Mojdeh\AppData\Local\Temp\AppHelperV3.exe
2017-06-11 04:14 - 2017-06-11 04:14 - 29032005 _____ (AppTrailers) C:\Users\Mojdeh\AppData\Local\Temp\AppTrailers.9.1.10amt.exe
2017-06-10 23:20 - 2017-06-10 23:21 - 0116301 _____ () C:\Users\Mojdeh\AppData\Local\Temp\load.exe
2017-06-11 04:14 - 2017-06-11 04:14 - 0698875 _____ (VideoBox                                                    ) C:\Users\Mojdeh\AppData\Local\Temp\mediasrv.exe
2017-06-23 14:56 - 2017-06-23 14:56 - 1424477 _____ (                                                            ) C:\Users\Mojdeh\AppData\Local\Temp\mmc26.exe
2017-06-23 14:54 - 2017-06-23 14:54 - 0677787 _____ (Norio                                                       ) C:\Users\Mojdeh\AppData\Local\Temp\mmc29.exe
2017-06-23 14:52 - 2017-06-23 14:52 - 0623302 _____ (                                                            ) C:\Users\Mojdeh\AppData\Local\Temp\mmc9.exe
2017-06-11 04:13 - 2017-06-11 04:14 - 4417064 _____ () C:\Users\Mojdeh\AppData\Local\Temp\OneSystemCare.exe
2016-10-23 20:54 - 2017-02-04 22:36 - 10551176 _____ () C:\Users\Mojdeh\AppData\Local\Temp\psiphon-tunnel-core.exe
2016-11-11 00:02 - 2016-11-11 00:02 - 1477736 _____ () C:\Users\Mojdeh\AppData\Local\Temp\psiphon3-meek.exe
2016-11-11 00:02 - 2016-11-11 00:02 - 0808552 _____ (Simon Tatham) C:\Users\Mojdeh\AppData\Local\Temp\psiphon3-plonk.exe
2017-06-10 23:19 - 2017-06-10 23:20 - 0624640 _____ () C:\Users\Mojdeh\AppData\Local\Temp\setup.exe
2017-06-10 23:12 - 2017-06-10 23:19 - 7967744 _____ () C:\Users\Mojdeh\AppData\Local\Temp\wajam_install.exe
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
 
*****************
 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0B9CAD22-7311-46FF-A26B-DADA8AF02853} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0B9CAD22-7311-46FF-A26B-DADA8AF02853} => key removed successfully
C:\WINDOWS\System32\Tasks\One System CarePeriod => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System CarePeriod => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{351F2A79-5E61-451C-960B-6BAED3CF567D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{351F2A79-5E61-451C-960B-6BAED3CF567D} => key removed successfully
C:\WINDOWS\System32\Tasks\{780C7947-7A7E-7D0D-7D11-797A0E7A1108} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{780C7947-7A7E-7D0D-7D11-797A0E7A1108} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{35C06FBB-3E92-4CAC-BEE5-98D0195423C0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{35C06FBB-3E92-4CAC-BEE5-98D0195423C0} => key removed successfully
C:\WINDOWS\System32\Tasks\One System Care Task => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System Care Task => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{40CB36E4-4078-4AFF-BFDF-13B0E3149049} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{40CB36E4-4078-4AFF-BFDF-13B0E3149049} => key removed successfully
C:\WINDOWS\System32\Tasks\2ff3e5b2b08659c37a16279d2f98fe08 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\2ff3e5b2b08659c37a16279d2f98fe08 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{CF1EC23E-7660-4CFB-9437-AFE148F88447} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CF1EC23E-7660-4CFB-9437-AFE148F88447} => key removed successfully
C:\WINDOWS\System32\Tasks\One System Care Monitor => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System Care Monitor => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{DF63132C-F27B-4DB7-ACEE-57F92DB5F803} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF63132C-F27B-4DB7-ACEE-57F92DB5F803} => key removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\Windows Error Reporting\VideErroroReporting => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Error Reporting\VideErroroReporting => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E6116BED-8330-4CDF-AC59-442FFBA0FAB7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E6116BED-8330-4CDF-AC59-442FFBA0FAB7} => key removed successfully
C:\WINDOWS\System32\Tasks\One System Care Run Delay => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System Care Run Delay => key removed successfully
C:\WINDOWS\Tasks\One System CarePeriod.job => moved successfully
"C:\WINDOWS\system32\drivers\drmkpro64.sys" => not found.
C:\Users\Mojdeh\AppData\Local\fegipntm => moved successfully
windowsmanagementservice => service not found.
bb31ce5182cb85eb8d0e0b348b0dc874 => service not found.
"C:\WINDOWS\system32\drivers\bb31ce5182cb85eb8d0e0b348b0dc874.sys" => not found.
drmkpro64 => service not found.
HKLM\System\CurrentControlSet\Services\2ff3e5b2b08659c37a16279d2f98fe08 => key removed successfully
2ff3e5b2b08659c37a16279d2f98fe08 => service removed successfully
"C:\Users\Mojdeh\AppData\Local\fegipntm" => not found.
"C:\Users\Mojdeh\AppData\Local\Temp\16DBKPX.exe" => not found.
C:\Users\Mojdeh\AppData\Local\Temp\AppHelperV3.exe => moved successfully
C:\Users\Mojdeh\AppData\Local\Temp\AppTrailers.9.1.10amt.exe => moved successfully
C:\Users\Mojdeh\AppData\Local\Temp\load.exe => moved successfully
C:\Users\Mojdeh\AppData\Local\Temp\mediasrv.exe => moved successfully
C:\Users\Mojdeh\AppData\Local\Temp\mmc26.exe => moved successfully
"C:\Users\Mojdeh\AppData\Local\Temp\mmc29.exe" => not found.
C:\Users\Mojdeh\AppData\Local\Temp\mmc9.exe => moved successfully
"C:\Users\Mojdeh\AppData\Local\Temp\OneSystemCare.exe" => not found.
C:\Users\Mojdeh\AppData\Local\Temp\psiphon-tunnel-core.exe => moved successfully
C:\Users\Mojdeh\AppData\Local\Temp\psiphon3-meek.exe => moved successfully
C:\Users\Mojdeh\AppData\Local\Temp\psiphon3-plonk.exe => moved successfully
"C:\Users\Mojdeh\AppData\Local\Temp\setup.exe" => not found.
"C:\Users\Mojdeh\AppData\Local\Temp\wajam_install.exe" => not found.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
 
========= RemoveProxy: =========
 
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-1053817937-666166871-1826005414-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-1053817937-666166871-1826005414-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
 
 
========= End of RemoveProxy: =========
 
 
========= netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= netsh advfirewall set allprofiles state ON =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
========= netsh winsock reset catalog =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
========= netsh int ip reset C:\resettcpip.txt =========
 
Resetting Global, OK!
Resetting Interface, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
========= FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i" =========
 
Failed to clear log Microsoft-Windows-LiveId/Analytic. Access is denied.
Failed to clear log Microsoft-Windows-LiveId/Operational. Access is denied.
Failed to clear log Microsoft-Windows-USBVideo/Analytic. The instance name passed was not recognized as valid by a WMI data provider.
 
========= End of CMD: =========
 
 
========= Bitsadmin /Reset /Allusers =========
 
 
BITSADMIN version 3.0
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
21 out of 21 jobs canceled.
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 32768 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 126576246 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 12152227 B
Edge => 69274162 B
Chrome => 821435658 B
Firefox => 373909638 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 13122 B
NetworkService => 5011570 B
Mojdeh => 416791675 B
Mojdeh.MOJDEH-PC => 3521340 B
 
RecycleBin => 0 B
EmptyTemp: => 1.7 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 04:05:25 ====
 
This is JRT.txt:
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Enterprise x64 
Ran by Amin (Administrator) on Sat 07/01/2017 at  4:19:31.25
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 3 
 
Successfully deleted: C:\ProgramData\0524bab9-1577-1 (Folder) 
Successfully deleted: C:\ProgramData\0524bab9-4483-0 (Folder) 
Successfully deleted: C:\ProgramData\0524bab9-7b93-1 (Folder) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 07/01/2017 at  4:22:18.11
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

This is adwcleaner[C0].txt:

# AdwCleaner v6.047 - Logfile created 01/07/2017 at 04:40:05
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-06-29.3 [Server]
# Operating System : Windows 10 Enterprise  (X64)
# Username : Amin - MOJDEH-PC
# Running from : C:\Users\Mojdeh\Desktop\adwcleaner_6.047.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\Users\Mojdeh\AppData\RoAming\isMiner
[-] Folder deleted: C:\ProgramData\WindowsVideoErrorReporting
[#] Folder deleted on reboot: C:\ProgramData\Application Data\WindowsVideoErrorReporting
[-] Folder deleted: C:\Program Files (x86)\S5
[-] Folder deleted: C:\Program Files (x86)\ScreenShared
[-] Folder deleted: C:\Program Files (x86)\NoterSave
[-] Folder deleted: C:\WINDOWS\SysWOW64\SSL
[-] Folder deleted: C:\Users\Mojdeh\AppData\Roaming\Mozilla\Firefox\Profiles\77c7r4ix.default\extensions\amcontextmenu@loucypher
[#] Folder deleted on reboot: C:\Users\Mojdeh\AppData\Roaming\Mozilla\Firefox\Profiles\77c7r4ix.default\extensions\amcontextmenu@loucypher
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\windowsmanagementservice
[-] Key deleted: HKU\S-1-5-21-1053817937-666166871-1826005414-1001\Software\One System Care
[-] Key deleted: HKU\S-1-5-21-1053817937-666166871-1826005414-1001\Software\WajIEnhance
[-] Key deleted: HKU\S-1-5-21-1053817937-666166871-1826005414-1001\Software\Amigo
[-] Key deleted: HKU\S-1-5-21-1053817937-666166871-1826005414-1001\Software\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}
[-] Key deleted: HKU\S-1-5-21-1053817937-666166871-1826005414-1001\Software\Microsoft\{1f7ee1a8-4436-4ffc-b97b-b5b01e87d3d2}
[-] Key deleted: HKU\S-1-5-21-1053817937-666166871-1826005414-1001\Software\MICROSOFT\wewewe
[-] Key deleted: HKU\S-1-5-21-1053817937-666166871-1826005414-1001\Software\Hotspot
[-] Key deleted: HKU\S-1-5-21-1053817937-666166871-1826005414-1001\Software\Speedownloader0099
[-] Key deleted: HKU\S-1-5-21-1053817937-666166871-1826005414-1001\Software\Microsoft\{6711eba6-cf08-4edw-9528-86004fa424bb}
[#] Key deleted on reboot: HKCU\Software\One System Care
[#] Key deleted on reboot: HKCU\Software\WajIEnhance
[#] Key deleted on reboot: HKCU\Software\Amigo
[#] Key deleted on reboot: HKCU\Software\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}
[#] Key deleted on reboot: HKCU\Software\Microsoft\{1f7ee1a8-4436-4ffc-b97b-b5b01e87d3d2}
[#] Key deleted on reboot: HKCU\Software\MICROSOFT\wewewe
[#] Key deleted on reboot: HKCU\Software\Hotspot
[#] Key deleted on reboot: HKCU\Software\Speedownloader0099
[#] Key deleted on reboot: HKCU\Software\Microsoft\{6711eba6-cf08-4edw-9528-86004fa424bb}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\{1f7ee1a8-4436-4ffc-b97b-b5b01e87d3d2}
[-] Key deleted: HKLM\SOFTWARE\Speedownloader0099
[-] Key deleted: HKLM\SOFTWARE\Microsoft\{6711eba6-cf08-4edw-9528-86004fa424bb}
[#] Key deleted on reboot: [x64] HKCU\Software\One System Care
[#] Key deleted on reboot: [x64] HKCU\Software\WajIEnhance
[#] Key deleted on reboot: [x64] HKCU\Software\Amigo
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\{1f7ee1a8-4436-4ffc-b97b-b5b01e87d3d2}
[#] Key deleted on reboot: [x64] HKCU\Software\MICROSOFT\wewewe
[#] Key deleted on reboot: [x64] HKCU\Software\Hotspot
[#] Key deleted on reboot: [x64] HKCU\Software\Speedownloader0099
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\{6711eba6-cf08-4edw-9528-86004fa424bb}
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\{1f7ee1a8-4436-4ffc-b97b-b5b01e87d3d2}
[-] Key deleted: [x64] HKLM\SOFTWARE\ScreenShared
[-] Key deleted: [x64] HKLM\SOFTWARE\Speedownloader0099
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\{6711eba6-cf08-4edw-9528-86004fa424bb}
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchy
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{24F5E422-6A70-4FAA-8CAD-E23D5DC1DAE6}
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DD0688A5-FC8B-4E93-A485-CBF606A56D49}
[#] Key deleted on reboot: HKLM\SOFTWARE\Microsoft\{1f7ee1a8-4436-4ffc-b97b-b5b01e87d3d2}
[-] Key deleted: HKLM\SOFTWARE\CLASSES\APPID\56BF5154-0B48-4ADB-902A-6C8B12E270D9
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Mojdeh\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\Mojdeh\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com
[-] [C:\Users\Mojdeh\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\Mojdeh\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [5272 Bytes] - [01/07/2017 04:40:05]
C:\AdwCleaner\AdwCleaner[S0].txt - [5347 Bytes] - [01/07/2017 04:29:04]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [5418 Bytes] ##########
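A helper reviewing a reply like this one checks every fixlist directive against the result FRST reports for it. The script below is an added example, not part of the thread and not FRST's own code: it pairs the directives with their Fixlog outcome lines and notes the indicators worth a second look (unsigned binary, locked service, user-writable location), marking "not found" results for confirmation in the next scan. The sample lines are a constructed excerpt of the log above, and it only recognises task, service, path and HOSTS directives.

```python
import re
from dataclasses import dataclass

# Constructed excerpts of the fixlist directives and the matching result lines from the Fixlog above.
FIXLIST = """\
Task: {40CB36E4-4078-4AFF-BFDF-13B0E3149049} - System32\\Tasks\\2ff3e5b2b08659c37a16279d2f98fe08 => sc start 2ff3e5b2b08659c37a16279d2f98fe08 <==== ATTENTION
C:\\WINDOWS\\system32\\drivers\\drmkpro64.sys
R2 windowsmanagementservice; C:\\Users\\Mojdeh\\AppData\\Local\\fegipntm\\xrrrnz\\ct.exe [689664 2017-05-30] () [File not signed] <==== ATTENTION
R5 drmkpro64;  <==== ATTENTION: Locked Service <==== ATTENTION
2017-06-23 14:56 - 2017-06-23 14:56 - 0789048 _____ (WeMonetize) C:\\Users\\Mojdeh\\AppData\\Local\\Temp\\16DBKPX.exe
HOSTS:
"""
FIXLOG = """\
C:\\WINDOWS\\System32\\Tasks\\2ff3e5b2b08659c37a16279d2f98fe08 => moved successfully
"C:\\WINDOWS\\system32\\drivers\\drmkpro64.sys" => not found.
windowsmanagementservice => service not found.
drmkpro64 => service not found.
"C:\\Users\\Mojdeh\\AppData\\Local\\Temp\\16DBKPX.exe" => not found.
Hosts restored successfully.
"""

@dataclass
class Directive:
    kind: str    # "task", "service", "path" or "hosts"
    key: str     # lower-cased name used to find the matching Fixlog line
    flags: list  # risk indicators read from the fixlist line itself

TASK_RE = re.compile(r"^Task: (?:\{[0-9A-F-]+\} - )?(?:System32|C:\\WINDOWS)\\Tasks\\(.+?) =>", re.I)
SERVICE_RE = re.compile(r"^[RS]\d (\S+); (.*)$")
DATED_RE = re.compile(r"\) (C:\\.+)$")  # dated file entries end in ") C:\..."
LOG_TASK_RE = re.compile(r"^C:\\WINDOWS\\(?:System32\\)?Tasks\\(.+?) => (.+)$", re.I)
LOG_SERVICE_RE = re.compile(r"^(\S+) => (service .+)$")
LOG_PATH_RE = re.compile(r'^"?(C:\\.+?)"? => (.+)$', re.I)

def risk_flags(rest: str) -> list:
    """Indicators a reviewer notes on a service or task line before approving the fix."""
    flags = []
    if "[File not signed]" in rest:
        flags.append("unsigned binary")
    if "Locked Service" in rest:
        flags.append("locked service (self-protecting, rootkit-style)")
    if re.search(r"\\(AppData|Temp|ProgramData)\\", rest, re.I):
        flags.append("runs from a user-writable directory")
    return flags

def parse_fixlist(text: str) -> list:
    """Turn fixlist lines into Directives (tasks, services, paths and HOSTS only)."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if m := TASK_RE.match(line):
            out.append(Directive("task", m.group(1).lower(), risk_flags(line)))
        elif m := SERVICE_RE.match(line):
            out.append(Directive("service", m.group(1).lower(), risk_flags(m.group(2))))
        elif m := DATED_RE.search(line):
            out.append(Directive("path", m.group(1).lower(), []))
        elif line.lower().startswith("c:\\"):
            out.append(Directive("path", line.lower(), []))
        elif line == "HOSTS:":
            out.append(Directive("hosts", "hosts", []))
    return out

def parse_fixlog(text: str) -> dict:
    """Map (kind, key) to the outcome FRST reported for it."""
    results = {}
    for line in (l.strip() for l in text.splitlines()):
        if m := LOG_TASK_RE.match(line):
            results[("task", m.group(1).lower())] = m.group(2)
        elif m := LOG_SERVICE_RE.match(line):
            results[("service", m.group(1).lower())] = m.group(2)
        elif m := LOG_PATH_RE.match(line):
            results[("path", m.group(1).lower())] = m.group(2)
        elif line == "Hosts restored successfully.":
            results[("hosts", "hosts")] = line
    return results

def reconcile(fixlist_text: str, fixlog_text: str) -> list:
    """Pair each directive with its outcome. 'not found' means the item was already gone
    when the fix ran (often removed by an earlier step), so it is marked for follow-up."""
    results = parse_fixlog(fixlog_text)
    report = []
    for d in parse_fixlist(fixlist_text):
        outcome = results.get((d.kind, d.key), "no result line")
        report.append({"kind": d.kind, "key": d.key, "outcome": outcome, "flags": d.flags,
                       "follow_up": "not found" in outcome or outcome == "no result line"})
    return report
```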


#7 JSntgRvr

    Master Surgeon General, Malware Response Team

Posted 30 June 2017 - 08:33 PM

That was a great fix.

One more scan:

Please download Malwarebytes to your desktop.

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • Once the program has fully updated, proceed with the Scan options and select "Threat Scan".
  • The Scan Pane is the introduction to scan-related options in the program. When you click Scan in the Menu Pane, you will see the screen shown below.


  • After a scan has been executed, scan results are displayed.
  • Put a checkmark on all detected items and click on "Quarantine Selected".
  • Selected reports may be viewed on screen, or exported to a text file for later viewing. Please note that only manual (on demand) scans are available for users of the free version of Malwarebytes.

You may export to your clipboard or to a text (TXT) file. Export to a .txt file and post its contents.

 




#8 rezaeefar


Posted 02 July 2017 - 10:28 AM

Hi

No threats found.

This is the report:

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 7/2/17
Scan Time: 7:55 PM
Log File: MB.txt
Administrator: Yes
 
-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.139
Update Package Version: 1.0.2060
License: Trial
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: MOJDEH-PC\Amin
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 386621
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 2 min, 33 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)


#9 JSntgRvr

    Master Surgeon General, Malware Response Team

Posted 02 July 2017 - 03:23 PM

Congratulations,

Let's remove the quarantined items.

Please download DelFix by Xplode and save to your Desktop.

  • Double-click on delfix.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator.
  • Put a check mark next to these items:
    - Remove disinfection tools
    - Create registry backup
  • Click the "Run" button.
  • When the tool has finished, it will create and open a log report (DelFix.txt).

 

Always keep your antivirus active and updated. I would recommend AVAST as an antivirus.

 

Best regards. :hello:




#10 rezaeefar


Posted 03 July 2017 - 09:53 AM

Hi

It was a great help.

Thanks a lot.



#11 JSntgRvr

    Master Surgeon General, Malware Response Team

Posted 03 July 2017 - 10:01 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
