Windows 10 is slow in Normal mode but perfectly fast in Safe mode!?

It's been happening from this last week, even there is no background apps running or no apps running, my laptop will be releasing hot air and responding super slow. This morning i boot it in safe mode and found out everything is fast and perfect. 

My firewall is mostly detecting only 2 things and I don't know how to remove them! 

1. Sound.exe 
2. Nhqeminer 

 

Thats not all there might be more errors or infections running stealthy making my pc slower.

Sometimes when i click restart my pc i get this message- "  Your PC ran into a problem and needs to restart. Windows is collecting information on the error and we'll restart it for you (100% complete)" after it completes my pc restarts again. 

I don't wanna lose anything on my pc since all my backups are in it and since my pc is already infected I cannot put the files on external harddrive. I would like to get it clean first so i can make a backup of my computer.

Additional Details about my Laptop 
Intel core : i3 
6Gb Ram 
451 hdd 

 

 

 

FRST.TXT

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 08-07-2017

 

Joey-Sarkaria:

Joey-Sarkaria:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask that you to take note of the following points:

• I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
• Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
• If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
• If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
• Logs can take a while to research, so please be patient.
• Some issues just cannot be solved so you must be prepared for this.
• Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
• Please print or copy and save the instructions.
• Back up all your data and important files on another (external) drive before starting to run malware removal tools.
• You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
• Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
• Please use only the tools you have been instructed to use.
• If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
• Please copy and paste the requested log files inside your post(s), unless otherwise instructed. Please do not use code or quote boxes.
• There are no silly questions. Ask for clarification, if you have any questions or concerns.
• Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
• Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
• Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
• I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get if functioning properly again. That is my only aim.

.

OK, let's get started ...

.

You should back up all your important data files to an external hard drive or other external media. It is unlikely that your documents, photos, music, and videos have been infected. That is just a precaution to back them up. Malware removal can be tricky.

.

I have found some suspicious files that might be malware.

Please upload the following file(s) individually to VirusTotal.:

• C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msce.exe
• C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msces.exe
• C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sound.vbs
• C:\WINDOWS\system32\epmntdrv.sys
• C:\WINDOWS\SysWOW64\epmntdrv.sys
• C:\WINDOWS\system32\EuGdiDrv.sys
• C:\WINDOWS\SysWOW64\EuGdiDrv.sys
• C:\Users\Prabh\AppData\Roaming\mcjEo.exe
• C:\Users\Prabh\AppData\Roaming\44t6E.exe
• C:\Users\Prabh\AppData\Roaming\rmgr7.exe
• C:\Users\Prabh\AppData\Roaming\X3UnL.exe
• C:\Users\Prabh\AppData\Roaming\F5xLE.exe
• C:\WINDOWS\SysWOW64\xboxgipsynthetic.dll
• C:\WINDOWS\system32\xboxgipsynthetic.dll

• Please press the Scan it! button to produce a fresh scan.
• When the scan completes, please copy and paste the URL/link at the top of the screen into your next reply so that I can review the scan results.
• Repeat until all of the files listed above have been scanned and all URLs/links have been copied into your reply.

.

In going over your logs I noticed that you have BitTorrent installed. Please consider the following advice to reduce the possibility of being infected when surfing the web.

• Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
• They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
• Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
• The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, your computer will get infected again.
I would recommend that you uninstall BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

.

Did you install this Chrome extension? My research indicates that it is very questionable and may be associated with phishing attempts. I would recommend that you disable and delete this extension.

 

CHR Extension: (AdF.ly Skipper ★WORKING: 7/1/2017★) - C:\Users\Prabh\AppData\Local\Google\Chrome\User Data\Default\Extensions\obnfifcganohemahpomajbhocfkdgmjb [2017-07-01]

.

Please run a FRST fix for me.

NOTICE: This FRST "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

Start::
CreateRestorePoint:
CloseProcesses:
File: C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msce.exe
File: C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msces.exe
File: C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sound.vbs
File: C:\WINDOWS\system32\epmntdrv.sys
File: C:\WINDOWS\SysWOW64\epmntdrv.sys
File: C:\WINDOWS\system32\EuGdiDrv.sys
File: C:\WINDOWS\SysWOW64\EuGdiDrv.sys
Folder: C:\Users\Prabh\AppData\Roaming\djz89is
Folder: C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winnydows
Folder: C:\Program Files (x86)\Winnydows
File: C:\Users\Prabh\AppData\Roaming\mcjEo.exe
File: C:\Users\Prabh\AppData\Roaming\44t6E.exe
File: C:\Users\Prabh\AppData\Roaming\rmgr7.exe
File: C:\Users\Prabh\AppData\Roaming\X3UnL.exe
File: C:\Users\Prabh\AppData\Roaming\F5xLE.exe
File: C:\WINDOWS\SysWOW64\xboxgipsynthetic.dll
File: C:\WINDOWS\system32\xboxgipsynthetic.dll
ContextMenuHandlers01: [Cover Designer] -> {73FCA462-9BD5-4065-A73F-A8E5F6904EF7} =>  -> No File
ContextMenuHandlers01: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
ContextMenuHandlers06: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
Task: {1ED8B0D7-7A62-4EF2-8E17-C8100581DD98} - \OneDrive Standalone Update Task v2 -> No File <==== ATTENTION
EmptyTemp:
End::

• Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy", which will copy the "fix" script into the Windows clipboard.
• Right click FRST/FRST64.exe, and select "Run as Administrator".
• Press Fix button once and wait.
• Please reboot the computer, if requested.
• A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
• Please copy and paste the contents of the "fixlog.txt" file into your next reply.

.


Thank you and have a great day.

Regards,
-Phil

Joey-Sarkaria:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask that you to take note of the following points:

• I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
• Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
• If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
• If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
• Logs can take a while to research, so please be patient.
• Some issues just cannot be solved so you must be prepared for this.
• Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
• Please print or copy and save the instructions.
• Back up all your data and important files on another (external) drive before starting to run malware removal tools.
• You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
• Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
• Please use only the tools you have been instructed to use.
• If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
• Please copy and paste the requested log files inside your post(s), unless otherwise instructed. Please do not use code or quote boxes.
• There are no silly questions. Ask for clarification, if you have any questions or concerns.
• Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
• Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
• Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
• I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get if functioning properly again. That is my only aim.

.

OK, let's get started ...

.

You should back up all your important data files to an external hard drive or other external media. It is unlikely that your documents, photos, music, and videos have been infected. That is just a precaution to back them up. Malware removal can be tricky.

.

I have found some suspicious files that might be malware.

Please upload the following file(s) individually to VirusTotal.:

• C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msce.exe
• C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msces.exe
• C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sound.vbs
• C:\WINDOWS\system32\epmntdrv.sys
• C:\WINDOWS\SysWOW64\epmntdrv.sys
• C:\WINDOWS\system32\EuGdiDrv.sys
• C:\WINDOWS\SysWOW64\EuGdiDrv.sys
• C:\Users\Prabh\AppData\Roaming\mcjEo.exe
• C:\Users\Prabh\AppData\Roaming\44t6E.exe
• C:\Users\Prabh\AppData\Roaming\rmgr7.exe
• C:\Users\Prabh\AppData\Roaming\X3UnL.exe
• C:\Users\Prabh\AppData\Roaming\F5xLE.exe
• C:\WINDOWS\SysWOW64\xboxgipsynthetic.dll
• C:\WINDOWS\system32\xboxgipsynthetic.dll

• Please press the Scan it! button to produce a fresh scan.
• When the scan completes, please copy and paste the URL/link at the top of the screen into your next reply so that I can review the scan results.
• Repeat until all of the files listed above have been scanned and all URLs/links have been copied into your reply.

.

In going over your logs I noticed that you have BitTorrent installed. Please consider the following advice to reduce the possibility of being infected when surfing the web.

• Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
• They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
• Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
• The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, your computer will get infected again.
I would recommend that you uninstall BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

.

Did you install this Chrome extension? My research indicates that it is very questionable and may be associated with phishing attempts. I would recommend that you disable and delete this extension.

 

CHR Extension: (AdF.ly Skipper ★WORKING: 7/1/2017★) - C:\Users\Prabh\AppData\Local\Google\Chrome\User Data\Default\Extensions\obnfifcganohemahpomajbhocfkdgmjb [2017-07-01]

.

Please run a FRST fix for me.

NOTICE: This FRST "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

Start::
CreateRestorePoint:
CloseProcesses:
File: C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msce.exe
File: C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msces.exe
File: C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sound.vbs
File: C:\WINDOWS\system32\epmntdrv.sys
File: C:\WINDOWS\SysWOW64\epmntdrv.sys
File: C:\WINDOWS\system32\EuGdiDrv.sys
File: C:\WINDOWS\SysWOW64\EuGdiDrv.sys
Folder: C:\Users\Prabh\AppData\Roaming\djz89is
Folder: C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winnydows
Folder: C:\Program Files (x86)\Winnydows
File: C:\Users\Prabh\AppData\Roaming\mcjEo.exe
File: C:\Users\Prabh\AppData\Roaming\44t6E.exe
File: C:\Users\Prabh\AppData\Roaming\rmgr7.exe
File: C:\Users\Prabh\AppData\Roaming\X3UnL.exe
File: C:\Users\Prabh\AppData\Roaming\F5xLE.exe
File: C:\WINDOWS\SysWOW64\xboxgipsynthetic.dll
File: C:\WINDOWS\system32\xboxgipsynthetic.dll
ContextMenuHandlers01: [Cover Designer] -> {73FCA462-9BD5-4065-A73F-A8E5F6904EF7} =>  -> No File
ContextMenuHandlers01: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
ContextMenuHandlers06: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
Task: {1ED8B0D7-7A62-4EF2-8E17-C8100581DD98} - \OneDrive Standalone Update Task v2 -> No File <==== ATTENTION
EmptyTemp:
End::

• Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy", which will copy the "fix" script into the Windows clipboard.
• Right click FRST/FRST64.exe, and select "Run as Administrator".
• Press Fix button once and wait.
• Please reboot the computer, if requested.
• A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
• Please copy and paste the contents of the "fixlog.txt" file into your next reply.

.


Thank you and have a great day.

Regards,
-Phil

 I am backing it up right now, it's on 7% total file size tranferring is 130 gb so will take a awhile.

Virus Total for followings things you've asked 

1. https://www.virustotal.com/en/file/3671cd2ac2bb1e8267192f8608d1395437893525a26826bfd07103a1b998b4aa/analysis/

2. https://www.virustotal.com/en/file/42c711e313531ae2869ce385eec0a883bb5cfdd165fe7ec3cf3ebda4e04eb9e1/analysis/

3. https://www.virustotal.com/en/file/839b9f4173c2f21074568c8f4d6b106c575d4bb26631826e937c70905055c6ae/analysis/1499651266/

4. https://www.virustotal.com/en/file/7eb808fcefb69ab8b38158825ad368bfd2631a3620e2b466390ec1e1b7147c1b/analysis/

5. https://www.virustotal.com/en/file/5e8b32d70be5854f26f8ceead539a5e28b54e2dee764456507083bfbcb301538/analysis/

6. https://www.virustotal.com/en/file/b3c1def26c9c9123d34395717220b450c705b5fa9fc8e321adc444a4d63e6f36/analysis/

7. https://www.virustotal.com/en/file/88210b2651b27a669307e464150ae87486647558a0e2b40e308a20e72a4bd2fd/analysis/

8. https://www.virustotal.com/en/file/d1e563c162c472b19b6ccd112341fda3d0d64cbe5c7f39584af56be1e84cf32a/analysis/

9. https://www.virustotal.com/en/file/b7dc643c989ee70c6a30f77f4e49f087b66e376203d9e0871e173d262c9903ba/analysis/

10. https://www.virustotal.com/en/file/48c07237e7f8471012b1443fefca4f013cc988a50c866aadac4ec5026b6fa497/analysis/

11. https://www.virustotal.com/en/file/222af0e3efff4de4f76328410b01f32f462c3d6d36a87622e234c30a8c38728f/analysis/1499654981/

12. https://www.virustotal.com/en/file/27cbab70186d0cb43c5957d58c026ede4cc6b4ee9650b715a6cad7c8fd9beaa7/analysis/

13. https://www.virustotal.com/en/file/28894f2670fc959285ed620cc6018d91a91e775968f6acfd6b02dec677ea2dda/analysis/

14. https://www.virustotal.com/en/file/ec670fad735718ffbedbdaf3f777491423dfa8c25afda937a53f472b5c6ae563/analysis/

 

Yes, i am aware that i have bit torrent downloaded and i do use vpn and i do not click on malicious stuff like popups and ads. But i wont use the bittorrent until my pc is cleaned.

 

I did added that extension and i removed it from chrome now.

Doesn't let me do the fix scan, says could not locate the file fix in the same folder something like that.

Joey-Sarkaria:

Thank you for your post. I would ask that you not quote my previous posts. It is of no value.

.

Hopefully your backup is completed by now. That is one of the most overlooked security precautions.

.

Thank you for the VirusTotal scan results. I am supplying an amended FRST "fixlist" script, based on the VT scan results.

.

Thank you for agreeing to suspend use of P2P software while we disinfect your computer.

.

Thank you for removing the Chrome extension that I suggested be removed.

.

step5: Please run a FRST fix for me.

NOTICE: This "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.

start::
CreateRestorePoint:
CloseProcesses:
Startup: C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msce.exe [2017-06-22] ()
C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msce.exe
Startup: C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msces.exe [2017-06-22] ()
C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msces.exe
Startup: C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sound.vbs [2017-06-03] ()
C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sound.vbs
Folder: C:\Users\Prabh\AppData\Roaming\djz89is
Folder: C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winnydows
Folder: C:\Program Files (x86)\Winnydows
C:\Users\Prabh\AppData\Roaming\mcjEo.exe
C:\Users\Prabh\AppData\Roaming\44t6E.exe
C:\Users\Prabh\AppData\Roaming\rmgr7.exe
C:\Users\Prabh\AppData\Roaming\X3UnL.exe
C:\Users\Prabh\AppData\Roaming\F5xLE.exe
ContextMenuHandlers01: [Cover Designer] -> {73FCA462-9BD5-4065-A73F-A8E5F6904EF7} =>  -> No File
ContextMenuHandlers01: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
ContextMenuHandlers06: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
Task: {1ED8B0D7-7A62-4EF2-8E17-C8100581DD98} - \OneDrive Standalone Update Task v2 -> No File <==== ATTENTION
EmptyTemp:
End::

• Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy" to copy the "fix" script into the Windows clipboard.
• Right click FRST64.exe, and select "Run as Administrator".
• Press Fix button once and wait.
• If that does not work for you, please download and copy the attached "fixlist.txt" file to this folder, where FRST64.exe is located: C:\Users\Prabh\Downloads. Then press the "Fix" button again.
• Please reboot the computer, if requested.
• A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
• Please copy and paste the contents of the "fixlog.txt" file directly into your next reply.

.

Thank you and have a great day.

Regards,
-Phil

Joey-Sarkaria:

Thank you for your post. I would ask that you not quote my previous posts. It is of no value.

.

Hopefully your backup is completed by now. That is one of the most overlooked security precautions.

.

Thank you for the VirusTotal scan results. I am supplying an amended FRST "fixlist" script, based on the VT scan results.

.

Thank you for agreeing to suspend use of P2P software while we disinfect your computer.

.

Thank you for removing the Chrome extension that I suggested be removed.

.

step5: Please run a FRST fix for me.

NOTICE: This "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.

start::
CreateRestorePoint:
CloseProcesses:
Startup: C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msce.exe [2017-06-22] ()
C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msce.exe
Startup: C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msces.exe [2017-06-22] ()
C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msces.exe
Startup: C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sound.vbs [2017-06-03] ()
C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sound.vbs
Folder: C:\Users\Prabh\AppData\Roaming\djz89is
Folder: C:\Users\Prabh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winnydows
Folder: C:\Program Files (x86)\Winnydows
C:\Users\Prabh\AppData\Roaming\mcjEo.exe
C:\Users\Prabh\AppData\Roaming\44t6E.exe
C:\Users\Prabh\AppData\Roaming\rmgr7.exe
C:\Users\Prabh\AppData\Roaming\X3UnL.exe
C:\Users\Prabh\AppData\Roaming\F5xLE.exe
ContextMenuHandlers01: [Cover Designer] -> {73FCA462-9BD5-4065-A73F-A8E5F6904EF7} =>  -> No File
ContextMenuHandlers01: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
ContextMenuHandlers06: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
Task: {1ED8B0D7-7A62-4EF2-8E17-C8100581DD98} - \OneDrive Standalone Update Task v2 -> No File <==== ATTENTION
EmptyTemp:
End::

• Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy" to copy the "fix" script into the Windows clipboard.
• Right click FRST64.exe, and select "Run as Administrator".
• Press Fix button once and wait.
• If that does not work for you, please download and copy the attached "fixlist.txt" file to this folder, where FRST64.exe is located: C:\Users\Prabh\Downloads. Then press the "Fix" button again.
• Please reboot the computer, if requested.
• A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
• Please copy and paste the contents of the "fixlog.txt" file directly into your next reply.

.

Thank you and have a great day.

Regards,
-Phil

No my backup was so it's still in process 58% completed. 

Yes i was able to start fix and here is the log-

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 08-07-2017

Ran by Prabh (10-07-2017 10:42:00) Run:1

Running from C:\Users\Prabh\Downloads

Loaded Profiles: Prabh & netfl (Available Profiles: Prabh & netfl)

Boot Mode: Normal

==============================================

 

fixlist content:

*****************

start

CreateRestorePoint

CloseProcesses

Startup CUsersPrabhAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupmsce.exe [2017-06-22] ()

CUsersPrabhAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupmsce.exe

Startup CUsersPrabhAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupmsces.exe [2017-06-22] ()

CUsersPrabhAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupmsces.exe

Startup CUsersPrabhAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupsound.vbs [2017-06-03] ()

CUsersPrabhAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupsound.vbs

Folder CUsersPrabhAppDataRoamingdjz89is

Folder CUsersPrabhAppDataRoamingMicrosoftWindowsStart MenuProgramsWinnydows

Folder CProgram Files (x86)Winnydows

CUsersPrabhAppDataRoamingmcjEo.exe

CUsersPrabhAppDataRoaming44t6E.exe

CUsersPrabhAppDataRoamingrmgr7.exe

CUsersPrabhAppDataRoamingX3UnL.exe

CUsersPrabhAppDataRoamingF5xLE.exe

ContextMenuHandlers01 [Cover Designer] - {73FCA462-9BD5-4065-A73F-A8E5F6904EF7} =  - No File

ContextMenuHandlers01 [WinRAR32] - {B41DB860-8EE4-11D2-9906-E49FADC173CA} =  - No File

ContextMenuHandlers06 [WinRAR32] - {B41DB860-8EE4-11D2-9906-E49FADC173CA} =  - No File

Task {1ED8B0D7-7A62-4EF2-8E17-C8100581DD98} - OneDrive Standalone Update Task v2 - No File ==== ATTENTION

EmptyTemp

End

*****************

 

CreateRestorePoint => Error: No automatic fix found for this entry.

CloseProcesses => Error: No automatic fix found for this entry.

Startup CUsersPrabhAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupmsce.exe [2017-06-22] () => Error: No automatic fix found for this entry.

CUsersPrabhAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupmsce.exe => Error: No automatic fix found for this entry.

Startup CUsersPrabhAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupmsces.exe [2017-06-22] () => Error: No automatic fix found for this entry.

CUsersPrabhAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupmsces.exe => Error: No automatic fix found for this entry.

Startup CUsersPrabhAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupsound.vbs [2017-06-03] () => Error: No automatic fix found for this entry.

CUsersPrabhAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupsound.vbs => Error: No automatic fix found for this entry.

Folder CUsersPrabhAppDataRoamingdjz89is => Error: No automatic fix found for this entry.

Folder CUsersPrabhAppDataRoamingMicrosoftWindowsStart MenuProgramsWinnydows => Error: No automatic fix found for this entry.

Folder CProgram Files (x86)Winnydows => Error: No automatic fix found for this entry.

CUsersPrabhAppDataRoamingmcjEo.exe => Error: No automatic fix found for this entry.

CUsersPrabhAppDataRoaming44t6E.exe => Error: No automatic fix found for this entry.

CUsersPrabhAppDataRoamingrmgr7.exe => Error: No automatic fix found for this entry.

CUsersPrabhAppDataRoamingX3UnL.exe => Error: No automatic fix found for this entry.

CUsersPrabhAppDataRoamingF5xLE.exe => Error: No automatic fix found for this entry.

ContextMenuHandlers01 [Cover Designer] - {73FCA462-9BD5-4065-A73F-A8E5F6904EF7} =  - No File => Error: No automatic fix found for this entry.

ContextMenuHandlers01 [WinRAR32] - {B41DB860-8EE4-11D2-9906-E49FADC173CA} =  - No File => Error: No automatic fix found for this entry.

ContextMenuHandlers06 [WinRAR32] - {B41DB860-8EE4-11D2-9906-E49FADC173CA} =  - No File => Error: No automatic fix found for this entry.

Task {1ED8B0D7-7A62-4EF2-8E17-C8100581DD98} - OneDrive Standalone Update Task v2 - No File ==== ATTENTION => Error: No automatic fix found for this entry.

EmptyTemp => Error: No automatic fix found for this entry.

 

==== End of Fixlog 10:42:00 ====

Joey-Sarkaria:

 

Thank you for your post.  It appears that you might not be following the FRST "fixlist.txt" instructions that I provided.  The entire script bombed.

 

If you look, you will see that the FRST "fixlist" script syntax in your last post does not match the syntax that I provided to you in my previous post.  There are colons missing and the file path backslashes are gone.  I am not sure what you are doing wrong?  Is it possible you are trying to use a word processing program to handle the FRST "fixlist" script?  If so, don't.

 

Did you try to download the "fixlist.txt" file that I attached to my last post?

 

Please download and copy that attached "fixlist.txt" file to the exact same folder where FRST64.exe is located.  The right-click FRST64.exe, select "Run as Administrator" and press the "Fix" button once.  Do nothing else.

 

Please copy and paste the contents of the resulting "fixlog.txt" file into your next reply.

 

Good luck, thank you, and have a great day,  ... and please stop quoting my posts to you.

 

Regards,

-Phil

Edited by garioch7, 10 July 2017 - 01:03 PM.

Post too long so i am attaching the file!

Joey-Sarkaria:

 

Thank you for your "fixlog.txt" file.  The Winnydows folder search resulted in the large log size.

 

The fixlist.txt script executed properly this time.  

 

How is your computer working now?  If there are still issues, please describe them in as much detail as possible, and provide the content of any error messages or screen pop-ups that occur.

 

If all is reasonably good, then we will continue with some standard anti-malware scans to ensure that your computer is completely disinfected.

 

Please note that, due to "real life" commitments, I will be unavailable until tomorrow afternoon.  Thank you for your understanding.

 

Have a great day.

 

Regards,

-Phil

 

 

there is a difference yes but i got this notification from malwarebytes like sound.exe found or sometimes my computer gets slow, it wont even open task manager :/ like happened today, i was tranferring one folder to dropbox and it got too slow it wont respond me !

Joey-Sarkaria:
 
Thank you for your post.  I just saw it before I was heading out to mow my large rural property which takes the day, so I won't be back until tomorrow afternoon.  In the meantime, let's run some more standard anti-malware scans.
 
I know that you have already run the ESET online scan and Malwarebytes before.  I ask that you follow all of the instructions below carefully because I want to see the logs of the in-depth scans.
 
.
 
ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

• Download esetsmartinstaller_enu.exe and save it to your Desktop.
• Double click the icon.
• Check YES, I accept the Terms of Use.
• Click the Start button.
• Accept any security warnings from your browser.
• Then select: "Enable detection of potentially unwanted applications" - Yes.
• Click Advanced settings.
• Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

• Click Change next to Current scan targets:
• Place a check mark in any additional drive you wish to scan then click OK.
• Click Start.
• ESET will then download updates and begin scanning your computer.
• If no threats are found simply click Uninstall application on close and hit Finish.
• If threats are found click List of found threats.
• Click Export to text file.
• Save the file on your Desktop as ESET.txt.
• Click Back.
• Check Uninstall application on close and Delete quarantined files.
• Click Finish.
• Close the ESET Online Scanner window.
• Copy and paste the contents of ESET.txt into your reply, if any threats were detected.

Don't forget to re-enable your antivirus when finished!

.

Please run a Malwarebytes Anti-Malware scan for me.

• Please download Malwarebytes to your Desktop.
• Double-click mb3-setup-{version}.exe and follow the prompts to install the program.
• Then click Finish.
• Next, please go to "Settings", "Protection", and turn on "Scan for rootkits", if it is not "On."
• Ensure that under "Potential Threat Protetion", both switches are set to "Always Detect PUPs/PUMs (recommended).
• Then scroll to the bottom of that page and ensure that "Automatic Quarantine" is turned "On."
• Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
• If an update of the definitions is available, it will be downloaded and installed before the scan commences.
• When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
• Restart your computer when prompted to do so.

The Scan log is available through History ->Application logs. Please copy and paste the contents of the log into your next reply.

.

Thank you and have a great day. Be back tomorrow.

Regards,
-Phil

Eset smart scanner got stuck at 39%, won't go further ! My anti virus and windows defender is off

C:\FRST\Quarantine\C\Users\Prabh\AppData\Roaming\44t6E.exe.xBAD a variant of MSIL/Kryptik.JUG trojan cleaned by deleting

C:\FRST\Quarantine\C\Users\Prabh\AppData\Roaming\mcjEo.exe.xBAD a variant of MSIL/Kryptik.JWG trojan cleaned by deleting

C:\FRST\Quarantine\C\Users\Prabh\AppData\Roaming\rmgr7.exe.xBAD BAT/CoinMiner.QI trojan cleaned by deleting

C:\Program Files (x86)\iMCS Productions\Black Ops 3 - Public Cheater\Black Ops 3 - Public Cheater.exe a variant of Win32/Packed.Themida suspicious application cleaned by deleting

C:\Users\Prabh\Documents\Black Ops2\BO2DestinyV1.12_CCAPI_package.rar a variant of Win32/Packed.Themida suspicious application deleted

C:\Users\Prabh\Documents\Black Ops2\Project Theolonius.rar a variant of Generik.LSIYVPH trojan deleted

C:\Users\Prabh\Documents\Black Ops2\setup-bo3pc-1.00.exe a variant of Win32/Packed.Themida suspicious application cleaned by deleting

C:\Users\Prabh\Documents\Black Ops2\BO2DestinyV1.12_CCAPI_package\BO2Destiny_CCAPI.exe a variant of Win32/Packed.Themida suspicious application cleaned by deleting

C:\Users\Prabh\Documents\Black Ops2\Project Theolonius\Project Theolonius\Project Theolonius.exe a variant of Generik.LSIYVPH trojan cleaned by deleting

C:\Users\Prabh\Downloads\Call of DDoS (PS3 Edition).exe a variant of MSIL/Packed.Confuser.J suspicious application cleaned by deleting

C:\Users\Prabh\Downloads\Call of DDoS (PS3 Edition).rar a variant of MSIL/Packed.Confuser.J suspicious application deleted

C:\Users\Prabh\Downloads\Call of DDoS (PS3 Edition)\Call of DDoS (PS3 Edition).exe a variant of MSIL/Packed.Confuser.J suspicious application cleaned by deleting

C:\Users\Prabh\Downloads\iMCS Productions\setup-bo3pc.exe a variant of Win32/Packed.Themida suspicious application cleaned by deleting

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 2017-07-11

Scan Time: 3:34 PM

Logfile: MalwareBytes.txt

Administrator: Yes

 

Version: 2.2.1.1043

Malware Database: v2016.02.16.06

Rootkit Database: v2016.02.08.01

License: Premium

Malware Protection: Enabled

Malicious Website Protection: Enabled

Self-protection: Disabled

 

OS: Windows 10

CPU: x64

File System: NTFS

User: Prabh

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 413427

Time Elapsed: 44 min, 27 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 0

(No malicious items detected)

 

Registry Values: 0

(No malicious items detected)

 

Registry Data: 0

(No malicious items detected)

 

Folders: 0

(No malicious items detected)

 

Files: 0

(No malicious items detected)

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

Joey-Sarkaria:
 
Thank you for your ESET and MBAM logs.  Let's run a few more scans to see if there are any nuisance malware apps still lurking in your computer.
 
.
 
Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

• Vista/Windows 7/8/10 users right-click and select Run As Administrator
• The tool will start to update the database, please wait for it to complete the update.
• Click on I Agree button.
• Click on the Scan button.
• AdwCleaner will begin its scan ... please be patient as the scan may take some time to complete.
• After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
• The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, then make sure that you uncheck it before running the "Clean" process.
• A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
• After the scan has finished ...
• Uncheck any PUP and adware applications that you want to keep.
• Then click on the Clean button.
• Press OK when asked to close all programs and follow the onscreen prompts.
• Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
• After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
• Please copy and paste the contents of that logfile into your next reply.
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.

.

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Please copy and paste the contents of JRT.txt into your next message.

.

Thank you and have a great day.

Regards,
-Phil