
Need help...Computer has a nasty infection.


  • This topic is locked
20 replies to this topic

#1 SonDavid

SonDavid

  • Members
  • 10 posts
  • OFFLINE

Posted 10 March 2018 - 06:24 PM

Hello, everyone.

 

I am new to Bleeping Computer. I am writing this topic to get some help in diagnosing my pc. I never ran across a laptop so affected like this. 

 

Here's a list of errors I am getting:

 

I can't run Malwarebytes (which I bought a premium subscription to because it's the only antivirus I use).

 

I used Superantivirus and it managed to grab all of the infected files. When it wants me to restart, it gets into this "Getting Windows ready" loop which buffers for like 5 hours.

 

It would be so easy to factory reset this laptop, but I can't do that either. 

 

I have a Lenovo B570 laptop which used to have Windows 7 pre-installed. The OS I have now is Windows 10. I used the FRST scan tool and I used RKill. I have the logs attached to save us from having to make this topic so long. 

 

I tried to use HijackThis but it's just like Malwarebytes. It will not run.

I would love to save the trouble and headaches by booting Linux on this laptop. My nephews love the windows store to play games on. How can I get this laptop fixed? 


Edited by hamluis, 10 March 2018 - 06:26 PM.
Moved from W10 Spt to Malware Removal Logs - Hamluis.




#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,842 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:22 AM

Posted 10 March 2018 - 10:43 PM

Hi

Welcome :)

I'll be helping you with your computer.

Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.

Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary. :)

Let's begin... :)

The computer is infected with a variant of the SmartService Rootkit. It is very difficult to remove, but with the right protocol we may be able to do so.

You will need another computer to download FRST64 to a USB drive, run FRST64 in the Recovery Environment, then back in Normal Mode.

Please download Farbar Recovery Scan Tool on an uninfected computer and save it to a flash drive (Pen Drive).

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version. In your case it is FRST64.exe.

Please also download the attached file and save it in the same location as FRST64 on the flash drive.

Boot to the Recovery Console's Command prompt in the infected computer.

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums

Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums
After any of these actions is performed, all user sessions are signed off and the Boot Options menu is displayed. The PC will restart into the WinRE and the selected feature is launched.

On the boot options, select Troubleshooting > Advanced Options > Command prompt.

Once in the Command Prompt:

  • Insert the USB drive containing FRST64 and the Fixlist
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First press the Scan button. That will deactivate the rootkit, once the scan is finished, press the Fix button.
  • These actions will make two logs, Fixlog.txt and FRST.txt, on the flash drive. Please copy and paste them in your reply.

Once finished in the Recovery Environment, restart the computer in Normal Mode.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version. In your case it is FRST64.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure that under Optional Scans, there is a checkmark on Addition.txt.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also produce another log (Addition.txt). Please attach this to your reply.

I will expect the following reports:

Frst.txt produced in the Recovery Console
Fixlog.txt produced in the Recovery Console
Frst.txt produced in Normal Mode
Addition.txt produced in Normal Mode


No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 SonDavid

SonDavid
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 11 March 2018 - 12:33 PM

I managed to get three files. When the scan finished in recovery, I could not get the fix logs. It gave a "no fixlist found" error.

 

 

Recovery - FRST64

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11.03.2018 01
Ran by TayJay (administrator) on DESKTOP-22SL93T (11-03-2018 13:03:27)
Running from C:\Users\TayJay\AppData\Local\Temp
Loaded Profiles: TayJay (Available Profiles: TayJay)
Platform: Windows 10 Home Version 1709 16299.15 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Safe Mode (minimal)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(TOSHIBA CORPORATION) C:\Windows\System32\exeldozsvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\HelpPane.exe
() C:\Users\TayJay\AppData\Local\vdbnsag\vdbnsag.exe
() C:\Users\TayJay\AppData\Local\vdbnsag\vdbhmxe.exe
() C:\Users\TayJay\AppData\Local\snmrgwb\pskxciv.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Farbar) C:\Users\TayJay\AppData\Local\Temp\45A5.tmp.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13885696 2015-06-24] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_DOLBYDRAGON] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1402624 2015-06-24] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_MICPKEY] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1402624 2015-06-24] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3944136 2015-06-03] (Synaptics Incorporated)
HKLM\...\Run: [applica] => "C:\Program Files (x86)\applica\applica.exe"
HKLM-x32\...\Run: [331BigDog] => C:\Program Files (x86)\USB Camera\VM331STI.EXE [571928 2015-09-03] (Vimicro)
HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [136488 2010-12-05] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] => C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe [224352 2010-12-05] (CyberLink Corp.)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKLM\ DisallowedCertificates: 03D22C9C66915D58C88912B64C1F984B8344EF09 (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 0F684EC1163281085C6AF20528878103ACEFCAAB (F-Secure Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 1667908C9E22EFBD0590E088715CC74BE4C60884 (FRISK Software International/F-Prot) <==== ATTENTION
HKLM\ DisallowedCertificates: 18DEA4EFA93B06AE997D234411F3FD72A677EECE (Bitdefender SRL) <==== ATTENTION
HKLM\ DisallowedCertificates: 2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF (G DATA Software AG) <==== ATTENTION
HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 31AC96A6C17C425222C46D55C3CCA6BA12E54DAF (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 331E2046A1CCA7BFEF766724394BE6112B4CA3F7 (Trend Micro) <==== ATTENTION
HKLM\ DisallowedCertificates: 3353EA609334A9F23A701B9159E30CB6C22D4C59 (Webroot Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: 373C33726722D3A5D1EDD1F1585D5D25B39BEA1A (SUPERAntiSpyware.com) <==== ATTENTION
HKLM\ DisallowedCertificates: 3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F (Kaspersky Lab) <==== ATTENTION
HKLM\ DisallowedCertificates: 3D496FA682E65FC122351EC29B55AB94F3BB03FC (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: 4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 (PC Tools) <==== ATTENTION
HKLM\ DisallowedCertificates: 42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 (K7 Computing Pvt Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 4420C99742DF11DD0795BC15B7B0ABF090DC84DF (Doctor Web Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 5240AB5B05D11B37900AC7712A3C6AE42F377C8C (Check Point Software Technologies Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 5DD3D41810F28B2A13E9A004E6412061E28FA48D (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 7457A3793086DBB58B3858D6476889E3311E550E (K7 Computing Pvt Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 76A9295EF4343E12DFC5FE05DC57227C1AB00D29 (BullGuard Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 775B373B33B9D15B58BC02B184704332B97C3CAF (McAfee) <==== ATTENTION
HKLM\ DisallowedCertificates: 872CD334B7E7B3C3D1C6114CD6B221026D505EAB (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 88AD5DFE24126872B33175D1778687B642323ACF (McAfee) <==== ATTENTION
HKLM\ DisallowedCertificates: 9132E8B079D080E01D52631690BE18EBC2347C1E (Adaware Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 982D98951CF3C0CA2A02814D474A976CBFF6BDB1 (Safer Networking Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 (Webroot Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9C43F665E690AB4D486D4717B456C5554D4BCEB5 (ThreatTrack Security) <==== ATTENTION
HKLM\ DisallowedCertificates: 9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 (CURIOLAB S.M.B.A.) <==== ATTENTION
HKLM\ DisallowedCertificates: A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 (Avira Operations GmbH & Co. KG) <==== ATTENTION
HKLM\ DisallowedCertificates: A5341949ABE1407DD7BF7DFE75460D9608FBC309 (BullGuard Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: A59CC32724DD07A6FC33F7806945481A2D13CA2F (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: AD4C5429E10F4FF6C01840C20ABA344D7401209F (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: AD96BB64BA36379D2E354660780C2067B81DA2E0 (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: CDC37C22FE9272D8F2610206AD397A45040326B8 (Trend Micro) <==== ATTENTION
HKLM\ DisallowedCertificates: D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598 (Kaspersky Lab) <==== ATTENTION
HKLM\ DisallowedCertificates: DB303C9B61282DE525DC754A535CA2D6A9BD3D87 (ThreatTrack Security) <==== ATTENTION
HKLM\ DisallowedCertificates: DB77E5CFEC34459146748B667C97B185619251BA (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: E22240E837B52E691C71DF248F12D27F96441C00 (Total Defense, Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: ED841A61C0F76025598421BC1B00E24189E68D54 (Bitdefender SRL) <==== ATTENTION
HKLM\ DisallowedCertificates: F83099622B4A9F72CB5081F742164AD1B8D048C9 (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: FBB42F089AF2D570F2BF6F493D107A3255A9BB1A (Panda Security S.L) <==== ATTENTION
HKLM\ DisallowedCertificates: FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 (Doctor Web Ltd.) <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\Run: [wtrwll] => rundll32.exe "C:\Users\TayJay\AppData\Local\wtrwll.dll",wtrwll <==== ATTENTION
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7964080 2018-01-12] (SUPERAntiSpyware)
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [10290608 2018-02-07] (Piriform Ltd)
AppInit_DLLs-x32: C:\ProgramData\TeamVieverService.dll => C:\ProgramData\TeamVieverService.dll [267264 2018-03-03] ()
GroupPolicy: Restriction - Chrome <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{09421c50-a479-45bd-a66e-aa5d6537be24}: [DhcpNameServer] 75.75.75.75 75.75.76.76
 
Internet Explorer:
==================
SearchScopes: HKU\S-1-5-21-426501694-2717639335-1212792558-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-01-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-01-02] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default [2018-03-11]
CHR Extension: (Slides) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-01-02]
CHR Extension: (Docs) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-01-02]
CHR Extension: (Google Drive) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-01-02]
CHR Extension: (YouTube) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-01-02]
CHR Extension: (Sheets) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-01-02]
CHR Extension: (Google Docs Offline) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-01-02]
CHR Extension: (Lookup Pro) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghdonojphkbfhdccpohfhckojkpfanlg [2018-01-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-01-02]
CHR Extension: (Gmail) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-01-02]
CHR Extension: (Chrome Media Router) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-01-02]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
HKLM\SYSTEM\CurrentControlSet\Services\enalwu <==== ATTENTION (Rootkit!)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-01-30] (SUPERAntiSpyware.com) [File not signed]
S3 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [23928 2017-08-16] ()
S2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [249032 2015-06-03] (Synaptics Incorporated)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [355304 2017-09-29] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [105944 2017-09-29] (Microsoft Corporation)
S3 --; C:\Users\TayJay\AppData\Local\Temp\UK5ii9xbW\social2search.exe /wl 1 [X] <==== ATTENTION
S2 apexpsvc; "C:\Users\TayJay\AppData\Local\urszihan\apexpsvc.exe" /svc [X]
S2 dahhService; C:\ProgramData\dahhService\dahhService.exe [X]
S2 hFB5EiZmkJfc Updater; C:\Program Files (x86)\hFB5EiZmkJfc Updater\hFB5EiZmkJfc Updater.exe [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AsusVBus; C:\WINDOWS\System32\drivers\AsusVBus.sys [39704 2015-10-07] (Windows ® Win 7 DDK provider)
S3 BCM43XX; C:\WINDOWS\system32\DRIVERS\bcmwl63a.sys [7585280 2017-09-29] (Broadcom Corporation)
S1 MpKsl85bedc2c; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6B18E70D-CE06-46C3-B5DB-D98E813FDCAD}\MpKsl85bedc2c.sys [58120 2017-12-29] () [File not signed]
S3 PVUSB; C:\WINDOWS\System32\drivers\CESG64.sys [63808 2007-02-19] (CASIO COMPUTER CO.,LTD.)
S3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [604160 2017-09-29] (Realtek )
S3 RTSUER; C:\WINDOWS\system32\Drivers\RtsUer.sys [410848 2015-08-26] (Realsil Semiconductor Corporation)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 SmbDrv; C:\WINDOWS\System32\drivers\Smb_driver_AMDASF.sys [42184 2015-06-03] (Synaptics Incorporated)
R3 SmbDrvI; C:\WINDOWS\System32\drivers\Smb_driver_Intel.sys [42696 2015-06-03] (Synaptics Incorporated)
S3 ssudqcfilter; C:\WINDOWS\System32\drivers\ssudqcfilter.sys [57648 2015-12-08] (QUALCOMM Incorporated)
S3 vm331avs; C:\WINDOWS\System32\Drivers\vm331avs.sys [648872 2015-09-03] (Vimicro Corporation)
S3 vpnpbus; C:\WINDOWS\System32\drivers\vpnpbus.sys [18624 2016-08-03] (/n software, Inc.)
S3 WacHidRouterPro; C:\WINDOWS\System32\drivers\wachidrouter.sys [119952 2017-01-25] (Wacom Technology)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44608 2017-09-29] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [309144 2017-09-29] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [119192 2017-09-29] (Microsoft Corporation)
S3 fjmpsw; system32\drivers\mpsvzc.sys [X]
S1 msidntfs; system32\drivers\msidntfs.sys [X]
S3 qtwzdg; system32\drivers\wzdgjm.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-03-10 18:27 - 2018-03-10 18:27 - 000142672 ____N C:\WINDOWS\system32\Drivers\rtduybeh.sys
2018-03-10 17:44 - 2018-03-11 13:03 - 000000000 ____D C:\FRST
2018-03-10 17:43 - 2018-03-11 13:04 - 000331610 _____ C:\WINDOWS\ntbtlog.txt
2018-03-10 11:39 - 2018-03-10 11:39 - 000388608 _____ (Trend Micro Inc.) C:\Users\TayJay\Desktop\HijackThis.exe
2018-03-10 11:38 - 2018-03-10 11:39 - 002403328 _____ (Farbar) C:\Users\TayJay\Desktop\FRST64.exe
2018-03-10 11:25 - 2018-03-10 11:29 - 069440952 _____ (Malwarebytes ) C:\Users\TayJay\Desktop\nothingImportant.exe
2018-03-05 13:06 - 2018-03-05 13:07 - 000000000 ____D C:\WINDOWS\system32\MRT
2018-03-05 13:05 - 2018-03-05 13:06 - 130067560 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2018-03-05 13:05 - 2018-03-05 13:05 - 130067560 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2018-03-05 12:08 - 2018-03-05 12:08 - 000012872 _____ (SurfRight B.V.) C:\WINDOWS\system32\bootdelete.exe
2018-03-05 12:08 - 2018-03-05 12:08 - 000008810 _____ C:\WINDOWS\system32\.crusader
2018-03-05 12:08 - 2018-03-05 12:08 - 000004638 _____ C:\WINDOWS\system32\bootdelete.lst
2018-03-05 11:54 - 2018-03-05 11:54 - 000055232 _____ C:\WINDOWS\system32\Drivers\hitmanpro37.sys
2018-03-05 11:53 - 2018-03-05 12:08 - 000000000 ____D C:\ProgramData\HitmanPro
2018-03-05 11:51 - 2018-03-05 11:53 - 011605440 _____ (SurfRight B.V.) C:\Users\TayJay\Downloads\HitmanPro_x64.exe
2018-03-05 11:50 - 2018-03-05 11:50 - 008222496 _____ (Malwarebytes) C:\Users\TayJay\Downloads\AdwCleaner.exe
2018-03-05 11:47 - 2018-03-05 11:47 - 000983168 _____ (Bleeping Computer, LLC) C:\Users\TayJay\Downloads\rkill64.exe
2018-03-05 11:46 - 2018-03-05 11:46 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\TayJay\Downloads\rkill.exe
2018-03-05 11:22 - 2018-03-05 11:22 - 000003936 _____ C:\WINDOWS\System32\Tasks\CCleaner Update
2018-03-05 11:22 - 2018-03-05 11:22 - 000002872 _____ C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
2018-03-05 11:22 - 2018-03-05 11:22 - 000000906 _____ C:\Users\Public\Desktop\CCleaner.lnk
2018-03-05 11:22 - 2018-03-05 11:22 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2018-03-05 11:22 - 2018-03-05 11:22 - 000000000 ____D C:\Program Files\CCleaner
2018-03-05 11:21 - 2018-03-05 11:21 - 011217568 _____ (Piriform Ltd) C:\Users\TayJay\Downloads\ccsetup540.exe
2018-03-05 09:35 - 2018-03-05 09:35 - 000566128 _____ (Malwarebytes) C:\Users\TayJay\Downloads\mbam-clean-2.3.0.1001.exe
2018-03-05 09:12 - 2018-03-05 09:12 - 000000000 ____D C:\SUPERDelete
2018-03-05 09:11 - 2018-03-05 09:11 - 000001849 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2018-03-05 09:11 - 2018-03-05 09:11 - 000000544 _____ C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task 89a1f62d-7b9c-40e5-9917-cda71408b1c5.job
2018-03-05 09:11 - 2018-03-05 09:11 - 000000544 _____ C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task 34d18afc-401e-40df-8c23-7f79614cb674.job
2018-03-05 09:11 - 2018-03-05 09:11 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\SUPERAntiSpyware.com
2018-03-05 09:11 - 2018-03-05 09:11 - 000000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2018-03-05 09:11 - 2018-03-05 09:11 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2018-03-05 09:11 - 2018-03-05 09:11 - 000000000 ____D C:\Program Files\SUPERAntiSpyware
2018-03-05 09:10 - 2018-03-05 09:11 - 031916584 _____ (SUPERAntiSpyware) C:\Users\TayJay\Downloads\SUPERAntiSpyware.exe
2018-03-05 08:59 - 2018-03-10 17:44 - 000002093 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-03-05 08:59 - 2018-03-05 08:59 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-03-05 08:59 - 2017-11-29 10:11 - 000077432 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2018-03-05 08:58 - 2018-03-05 08:58 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-03-05 08:58 - 2018-03-05 08:58 - 000000000 ____D C:\Program Files\Malwarebytes
2018-03-05 08:52 - 2018-03-05 08:52 - 067456464 _____ (Malwarebytes ) C:\Users\TayJay\Downloads\mb3-setup-exp89v1.exp89v1-3.3.1.2183-1.0.262-1.0.4030 (1).exe
2018-03-05 08:45 - 2018-03-05 08:45 - 000000000 ____D C:\Users\TayJay\Desktop\mbar
2018-03-04 22:23 - 2018-03-04 22:23 - 000000000 ____D C:\Users\TayJay\AppData\Local\snmrgwb
2018-03-03 21:23 - 2018-03-03 21:23 - 000000000 ____D C:\Users\TayJay\Documents\Youcam
2018-03-03 21:23 - 2018-03-03 21:23 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\CyberLink
2018-03-03 21:23 - 2018-03-03 21:23 - 000000000 ____D C:\Users\TayJay\AppData\Local\CyberLink
2018-03-03 21:23 - 2018-03-03 21:23 - 000000000 ____D C:\ProgramData\CyberLink
2018-03-03 21:19 - 2018-03-03 21:21 - 000037032 _____ C:\TDSSKiller.3.1.0.16_03.03.2018_20.19.19_log.txt
2018-03-03 21:09 - 2018-03-03 21:09 - 000000000 ____D C:\TDSSKiller_Quarantine
2018-03-03 21:07 - 2018-03-03 21:16 - 000400614 _____ C:\TDSSKiller.3.1.0.16_03.03.2018_20.07.24_log.txt
2018-03-03 21:02 - 2018-03-03 21:02 - 000267264 _____ C:\ProgramData\TeamVieverService.dll
2018-03-03 20:50 - 2018-03-03 20:51 - 014178840 _____ (Malwarebytes Corp.) C:\Users\TayJay\Downloads\mbar-1.10.3.1001.exe
2018-03-03 19:26 - 2018-03-05 12:08 - 000000000 ____D C:\Program Files\4NG4LH7W8G
2018-03-03 19:26 - 2018-03-03 21:17 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\h2ifcildl3t
2018-03-03 19:25 - 2018-03-05 12:08 - 000000000 ____D C:\Program Files\2Y31IBGK1W
2018-03-03 19:25 - 2018-03-03 21:17 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\qbjcrqpklsi
2018-03-03 19:19 - 2018-03-05 09:02 - 000000000 ____D C:\Users\TayJay\AppData\Local\ElevatedDiagnostics
2018-03-03 19:12 - 2018-03-03 19:12 - 000000322 _____ C:\WINDOWS\delsu.cmd
2018-03-03 19:11 - 2018-03-05 12:08 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\eb664d17c829460f9f3d907280584604
2018-03-03 19:11 - 2018-03-05 12:08 - 000000000 ____D C:\Users\TayJay\AppData\Local\2ef317df4c5d48a9a6a73bb10a4e76b9
2018-03-03 19:11 - 2018-03-03 19:11 - 000004104 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateSecurityTaskMachine_GC
2018-03-03 19:11 - 2018-03-03 19:11 - 000004104 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateSecurityTaskMachine_CO
2018-03-03 19:11 - 2018-03-03 19:11 - 000003884 _____ C:\WINDOWS\System32\Tasks\{38A553EE-23E7-E888-90D0-A25B60141F59}
2018-03-03 19:10 - 2018-03-05 12:08 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\ef4b4bebfd1d48b887d323eb5afaaa6d
2018-03-03 19:10 - 2018-03-03 19:11 - 068171320 _____ (Malwarebytes ) C:\Users\TayJay\Downloads\mb3-setup-consumer-3.3.1.2183-1.0.262-1.0.4170.exe
2018-03-03 19:10 - 2018-03-03 19:11 - 000000000 ____D C:\ProgramData\5ba2d091-5ed1-0
2018-03-03 19:10 - 2018-03-03 19:10 - 000000000 ____D C:\ProgramData\5ba2d091-7757-1
2018-03-03 19:10 - 2018-03-03 19:10 - 000000000 ____D C:\ProgramData\5ba2d091-6543-1
2018-03-03 19:10 - 2018-03-03 19:10 - 000000000 ____D C:\ProgramData\5ba2d091-5317-0
2018-03-03 19:10 - 2018-03-03 19:10 - 000000000 ____D C:\ProgramData\5ba2d091-2a65-0
2018-03-03 19:10 - 2018-03-03 19:10 - 000000000 ____D C:\ProgramData\5ba2d091-1c25-1
2018-03-03 19:09 - 2018-03-03 19:09 - 000004546 _____ C:\WINDOWS\System32\Tasks\456AFE18-7D8F-9434-8841-4A392D2C1E3E
2018-03-03 19:09 - 2018-03-03 19:09 - 000000000 ____D C:\Users\TayJay\AppData\Local\3854FDE4-7C4F-5200-6A10-BF1A8307045D
2018-03-03 19:09 - 2018-03-03 19:09 - 000000000 ____D C:\ProgramData\15c5941f
2018-03-03 19:08 - 2018-03-03 19:08 - 000000000 ____D C:\ProgramData\{4b395e9e-312c-0}
2018-03-03 19:08 - 2018-03-03 19:08 - 000000000 ____D C:\ProgramData\{4a8e1975-112c-0}
2018-03-03 19:08 - 2018-03-03 19:08 - 000000000 ____D C:\ProgramData\{476a7294-512c-1}
2018-03-03 19:08 - 2018-03-03 19:08 - 000000000 ____D C:\ProgramData\{2bca6a22-212c-1}
2018-03-03 19:08 - 2018-03-03 19:08 - 000000000 ____D C:\ProgramData\{276120ab-412c-1}
2018-03-03 19:08 - 2018-03-03 19:08 - 000000000 ____D C:\ProgramData\{250b2139-012c-0}
2018-03-03 19:00 - 2018-03-03 19:00 - 000000000 _____ C:\Users\TayJay\Downloads\mb3-setup-exp89v1.exp89v1-3.3.1.2183-1.0.262-1.0.4030.exe
2018-03-03 18:44 - 2018-03-03 18:44 - 000000000 ____D C:\ProgramData\0896b11e-3145-1
2018-03-03 18:43 - 2018-03-03 18:43 - 000000000 ____D C:\ProgramData\b68f6bda-78a7-1
2018-03-03 18:42 - 2018-03-03 18:42 - 000000000 ____D C:\ProgramData\596e943e-06f3-1
2018-03-03 18:39 - 2018-03-11 13:00 - 000000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-03-11 13:01 - 2018-01-05 08:57 - 000000000 ____D C:\Users\TayJay\AppData\Local\vdbnsag
2018-03-11 13:00 - 2017-12-26 22:15 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2018-03-11 12:59 - 2018-01-05 08:55 - 002888192 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\exeldozsvc.exe
2018-03-11 11:51 - 2017-12-26 22:33 - 001421842 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2018-03-11 11:51 - 2017-12-26 21:54 - 000000000 ___HD C:\Program Files\WindowsApps
2018-03-11 11:51 - 2017-12-26 21:54 - 000000000 ____D C:\WINDOWS\DeliveryOptimization
2018-03-11 11:51 - 2017-12-26 21:54 - 000000000 ____D C:\WINDOWS\AppReadiness
2018-03-11 11:51 - 2017-12-26 21:47 - 000000000 ____D C:\WINDOWS\CbsTemp
2018-03-11 11:48 - 2018-01-05 08:59 - 000004168 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{0696A1FA-9FA1-4F4A-B21F-F32BBC66CEEB}
2018-03-11 11:45 - 2018-01-05 08:55 - 000000258 __RSH C:\ProgramData\ntuser.pol
2018-03-11 11:44 - 2017-12-26 22:16 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2018-03-11 11:43 - 2017-12-26 21:42 - 038535168 _____ C:\WINDOWS\system32\config\HARDWARE
2018-03-10 18:27 - 2017-12-26 21:42 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2018-03-10 18:26 - 2018-01-05 09:07 - 000000000 ____D C:\Users\TayJay\AppData\Local\wisrgxo
2018-03-10 11:33 - 2017-12-26 21:00 - 000000000 ___RD C:\Users\TayJay\OneDrive
2018-03-10 11:29 - 2017-12-26 21:01 - 000003378 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-426501694-2717639335-1212792558-1001
2018-03-10 11:29 - 2017-12-26 21:00 - 000002409 _____ C:\Users\TayJay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2018-03-05 14:57 - 2017-12-26 21:42 - 000000000 ____D C:\WINDOWS\Panther
2018-03-05 12:51 - 2017-12-26 21:52 - 000000000 ____D C:\WINDOWS\INF
2018-03-05 12:08 - 2018-01-05 09:15 - 000000000 ____D C:\ProgramData\79a6160ccfad44f8acda1f4b4ba3149b
2018-03-05 12:08 - 2018-01-05 08:56 - 000000000 ____D C:\Program Files\a92652ccfc6c5a64a2f6a0a92914b30b
2018-03-05 12:08 - 2018-01-05 08:55 - 000000000 ____D C:\Users\TayJay\AppData\Local\a7cf1c9a168b4df9bb27b2af34cf4215
2018-03-05 12:08 - 2018-01-05 08:54 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\fb45c4f97c6a434da219c56a0e4067e8
2018-03-05 12:08 - 2018-01-05 08:54 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\f370b6b8319049ff8e1ae34574ca6ad1
2018-03-05 12:08 - 2018-01-05 08:54 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\0e6da40139b84235b6e54b6b5ca3f595
2018-03-05 11:24 - 2017-12-26 21:54 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2018-03-05 11:09 - 2018-01-05 08:55 - 000000016 _____ C:\ProgramData\rwi.hhad
2018-03-05 11:09 - 2018-01-05 08:55 - 000000004 _____ C:\ProgramData\lock.dat
2018-03-05 10:06 - 2018-01-05 15:34 - 000000000 ____D C:\Users\TayJay\AppData\Local\e4203841e8e744d2982724fb6ec1bc7f
2018-03-05 10:06 - 2018-01-05 09:15 - 000000000 ____D C:\Users\TayJay\AppData\Local\a4fd633edc144fdabf869ae4ce11c8d6
2018-03-05 10:06 - 2018-01-05 09:15 - 000000000 ____D C:\ProgramData\5c2a3b85e2ac4cc580c813dcc2f6397d
2018-03-05 10:05 - 2018-01-05 15:35 - 000000000 ____D C:\Program Files\W5WJVKIKJA
2018-03-05 10:05 - 2018-01-05 15:35 - 000000000 ____D C:\Program Files\R2USZUBAZ2
2018-03-05 10:05 - 2018-01-05 15:35 - 000000000 ____D C:\Program Files\PHYGCFDGV7
2018-03-05 10:05 - 2018-01-05 15:35 - 000000000 ____D C:\Program Files\3PHK0ZLLSN
2018-03-05 10:05 - 2018-01-05 15:34 - 000000000 ____D C:\Program Files\XCR4DBPB7V
2018-03-05 10:05 - 2018-01-05 15:34 - 000000000 ____D C:\Program Files\DQW4ZW4QAO
2018-03-05 10:05 - 2018-01-05 10:19 - 000000000 ____D C:\Program Files\6JC41U7J17
2018-03-05 10:05 - 2018-01-05 09:52 - 000000000 ____D C:\Program Files\VL6DRP7V24
2018-03-05 10:05 - 2018-01-05 09:52 - 000000000 ____D C:\Program Files\J1PTJF3YIE
2018-03-05 10:05 - 2018-01-05 09:51 - 000000000 ____D C:\Program Files\KIU52D9M8O
2018-03-05 10:05 - 2018-01-05 09:16 - 000000000 ____D C:\Program Files\NNAA3IZOIP
2018-03-05 10:05 - 2018-01-05 09:16 - 000000000 ____D C:\Program Files\1R8G0K9TDA
2018-03-05 10:05 - 2018-01-05 09:14 - 000000000 ____D C:\Program Files\E1W2X3BXTT
2018-03-05 10:05 - 2018-01-05 09:05 - 000000000 ____D C:\Program Files\MJXZC71KAX
2018-03-05 10:05 - 2018-01-05 09:05 - 000000000 ____D C:\Program Files\LBGNJV71HM
2018-03-05 10:05 - 2018-01-05 09:03 - 000000000 ____D C:\Program Files\27I5E4HJQA
2018-03-05 10:05 - 2018-01-05 08:57 - 000000000 ____D C:\Program Files\OK471D1QDG
2018-03-05 10:05 - 2018-01-05 08:56 - 000000000 ____D C:\Program Files\AU8H0KC2AD
2018-03-05 10:05 - 2018-01-05 08:54 - 000000000 ____D C:\Program Files\J5HVTXPTBR
2018-03-05 10:05 - 2018-01-05 08:53 - 000000000 ____D C:\Program Files\I40EAEJRR0
2018-03-05 10:05 - 2018-01-05 08:53 - 000000000 ____D C:\Program Files (x86)\tv033y3dqug
2018-03-05 10:05 - 2018-01-05 08:53 - 000000000 ____D C:\Program Files (x86)\foldershare
2018-03-05 10:05 - 2018-01-05 08:53 - 000000000 ____D C:\Program Files (x86)\bestDownloader
2018-03-04 17:47 - 2018-01-05 08:56 - 000000000 ____D C:\Users\TayJay\AppData\Local\AdService
2018-03-03 21:37 - 2017-12-26 22:14 - 000222832 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2018-03-03 21:36 - 2017-12-26 22:01 - 000000000 ____D C:\WINDOWS\OCR
2018-03-03 21:21 - 2017-12-31 21:26 - 000000000 ____D C:\Users\TayJay\AppData\Local\LenovoServiceBridge
2018-03-03 21:17 - 2018-01-05 15:35 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\ymbx15nku4v
2018-03-03 21:17 - 2018-01-05 15:35 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\odbrxpkq1fd
2018-03-03 21:17 - 2018-01-05 15:35 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\m4bwtxe4sjt
2018-03-03 21:17 - 2018-01-05 15:35 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\gbaje055b3h
2018-03-03 21:17 - 2018-01-05 15:35 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\dtpcna3dfl1
2018-03-03 21:17 - 2018-01-05 15:35 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\cvpd24i1qhe
2018-03-03 21:17 - 2018-01-05 15:34 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\sevlwzxczzt
2018-03-03 21:17 - 2018-01-05 15:34 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\nmycohxhom1
2018-03-03 21:17 - 2018-01-05 15:34 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\91eb6c8e825d44a3a13c7075297ad585
2018-03-03 21:17 - 2018-01-05 15:34 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\88dec4dab0954629b5828d4fc2f693ea
2018-03-03 21:17 - 2018-01-05 15:34 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\4e5jwxj15ok
2018-03-03 21:17 - 2018-01-05 11:03 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\ao3wi3keeze
2018-03-03 21:17 - 2018-01-05 10:19 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\wmb55coydgp
2018-03-03 21:17 - 2018-01-05 10:19 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\mj0jt0ghue5
2018-03-03 21:17 - 2018-01-05 10:18 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\3cc0b21nzvg
2018-03-03 21:17 - 2018-01-05 09:52 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\neofcfb5ysy
2018-03-03 21:17 - 2018-01-05 09:52 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\02w2gbq0dgv
2018-03-03 21:17 - 2018-01-05 09:51 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\x4gvzenkhf3
2018-03-03 21:17 - 2018-01-05 09:51 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\42emoy0wbsd
2018-03-03 21:17 - 2018-01-05 09:51 - 000000000 ____D C:\Users\TayJay\AppData\Local\c4eaf2e9861e4cbcb7a1db1ae22cce7b
2018-03-03 21:17 - 2018-01-05 09:05 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\uligfod3p4y
2018-03-03 21:17 - 2018-01-05 09:04 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\x0tnifxyqzd
2018-03-03 21:17 - 2018-01-05 09:04 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\mkfaekun4er
2018-03-03 21:17 - 2018-01-05 09:04 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\ctjsvzdivhq
2018-03-03 21:17 - 2018-01-05 09:04 - 000000000 ____D C:\ProgramData\2f3182cfe30242439396018675f0d114
2018-03-03 21:17 - 2018-01-05 09:03 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\fxbsceot3lw
2018-03-03 21:17 - 2018-01-05 08:56 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\brkda4krv5i
2018-03-03 21:17 - 2018-01-05 08:55 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\um52ogkmphp
2018-03-03 21:17 - 2018-01-05 08:55 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\3cva52tu10v
2018-03-03 21:17 - 2018-01-05 08:54 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\p4lvy0a4klb
2018-03-03 21:17 - 2018-01-05 08:54 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\5fzh43wf5an
2018-03-03 21:17 - 2018-01-05 08:54 - 000000000 ____D C:\Program Files (x86)\Multitimer
2018-03-03 21:17 - 2018-01-05 08:53 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\3o0ogsqwp2v
2018-03-03 21:17 - 2018-01-05 08:52 - 000000000 ____D C:\Users\TayJay\AppData\Local\PCBooster
2018-03-03 20:17 - 2017-12-26 20:55 - 000000000 ____D C:\Users\TayJay
2018-03-03 19:12 - 2017-12-31 21:32 - 000000555 _____ C:\WINDOWS\SysWOW64\InstallUtil.InstallLog
2018-03-03 19:12 - 2017-12-31 21:26 - 000000000 ____D C:\WINDOWS\System32\Tasks\TVT
2018-03-03 19:12 - 2017-12-31 21:26 - 000000000 ____D C:\ProgramData\Lenovo
2018-03-03 19:10 - 2018-01-05 08:58 - 000000000 ____D C:\ProgramData\0896b11e-6327-0
2018-03-03 19:10 - 2018-01-05 08:55 - 000000000 ____D C:\ProgramData\596e943e-5347-0
2018-03-03 19:10 - 2018-01-05 08:54 - 000000000 ____D C:\ProgramData\596e943e-6003-1
2018-03-03 19:08 - 2018-01-05 08:58 - 000000000 ____D C:\ProgramData\0896b11e-53b3-1
2018-03-03 19:03 - 2017-12-26 21:54 - 000000000 ____D C:\WINDOWS\system32\NDF
2018-03-03 18:43 - 2018-01-05 08:54 - 000000000 ____D C:\Program Files (x86)\applica
2018-03-03 18:05 - 2018-01-05 15:36 - 000000332 _____ C:\WINDOWS\Tasks\plaAVjRQXWCDePSecyr.job
2018-03-03 18:05 - 2018-01-05 15:35 - 000000322 _____ C:\WINDOWS\Tasks\BcyoMZkjXMgFaPP.job
2018-03-03 18:05 - 2018-01-05 11:09 - 000000344 _____ C:\WINDOWS\Tasks\saKXaLnxQURzlMgex.job
 
==================== Files in the root of some directories =======
 
2018-01-05 08:55 - 2018-03-05 11:09 - 000000004 _____ () C:\ProgramData\lock.dat
2018-03-03 21:02 - 2018-03-03 21:02 - 000267264 _____ () C:\ProgramData\TeamVieverService.dll
2018-01-05 08:54 - 2018-01-05 08:54 - 000011568 _____ () C:\Users\TayJay\AppData\Local\InstallationConfiguration.xml
2018-01-05 08:54 - 2018-01-05 08:54 - 000140800 _____ () C:\Users\TayJay\AppData\Local\installer.dat
2018-01-05 08:54 - 2018-01-05 15:34 - 000930816 _____ () C:\Users\TayJay\AppData\Local\po.db
2018-01-05 08:55 - 2018-01-05 09:04 - 000014848 _____ () C:\Users\TayJay\AppData\Local\wtrwll.dll
 
Some files in TEMP:
====================
2018-03-11 13:03 - 2018-03-11 13:03 - 002402816 _____ (Farbar) C:\Users\TayJay\AppData\Local\Temp\45A5.tmp.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\WINDOWS\system32\drivers\rtduybeh.sys -> Access Denied <======= ATTENTION
 
LastRegBack: 2018-03-05 13:55
 
==================== End of FRST.txt ============================
 
Normal FRST64
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11.03.2018 01
Ran by TayJay (administrator) on DESKTOP-22SL93T (11-03-2018 13:21:55)
Running from C:\Users\TayJay\Desktop
Loaded Profiles: TayJay (Available Profiles: TayJay)
Platform: Windows 10 Home Version 1709 16299.15 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(TOSHIBA CORPORATION) C:\Windows\System32\exeldozsvc.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(CyberLink) C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
() C:\Windows\Temp\gC8F6.tmp.exe
(Vimicro) C:\Program Files (x86)\USB Camera\VM331STI.EXE
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
() C:\Users\TayJay\AppData\Local\vdbnsag\vdbnsag.exe
() C:\Users\TayJay\AppData\Local\vdbnsag\vdbhmxe.exe
() C:\Users\TayJay\AppData\Local\snmrgwb\pskxciv.exe
() C:\Users\TayJay\AppData\Local\vdbnsag\vdbhmxe.exe
(Lenovo Group Limited) C:\Users\TayJay\AppData\Local\Programs\Lenovo\Lenovo Service Bridge\LSBUpdater.exe
() C:\Users\TayJay\AppData\Local\vdbnsag\vdbhmxe.exe
() C:\Users\TayJay\AppData\Local\vdbnsag\vdbhmxe.exe
() C:\Users\TayJay\AppData\Local\vdbnsag\vdbhmxe.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13885696 2015-06-24] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_DOLBYDRAGON] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1402624 2015-06-24] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_MICPKEY] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1402624 2015-06-24] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3944136 2015-06-03] (Synaptics Incorporated)
HKLM\...\Run: [applica] => "C:\Program Files (x86)\applica\applica.exe"
HKLM-x32\...\Run: [331BigDog] => C:\Program Files (x86)\USB Camera\VM331STI.EXE [571928 2015-09-03] (Vimicro)
HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [136488 2010-12-05] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] => C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe [224352 2010-12-05] (CyberLink Corp.)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKLM\ DisallowedCertificates: 03D22C9C66915D58C88912B64C1F984B8344EF09 (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 0F684EC1163281085C6AF20528878103ACEFCAAB (F-Secure Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 1667908C9E22EFBD0590E088715CC74BE4C60884 (FRISK Software International/F-Prot) <==== ATTENTION
HKLM\ DisallowedCertificates: 18DEA4EFA93B06AE997D234411F3FD72A677EECE (Bitdefender SRL) <==== ATTENTION
HKLM\ DisallowedCertificates: 2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF (G DATA Software AG) <==== ATTENTION
HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 31AC96A6C17C425222C46D55C3CCA6BA12E54DAF (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 331E2046A1CCA7BFEF766724394BE6112B4CA3F7 (Trend Micro) <==== ATTENTION
HKLM\ DisallowedCertificates: 3353EA609334A9F23A701B9159E30CB6C22D4C59 (Webroot Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: 373C33726722D3A5D1EDD1F1585D5D25B39BEA1A (SUPERAntiSpyware.com) <==== ATTENTION
HKLM\ DisallowedCertificates: 3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F (Kaspersky Lab) <==== ATTENTION
HKLM\ DisallowedCertificates: 3D496FA682E65FC122351EC29B55AB94F3BB03FC (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: 4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 (PC Tools) <==== ATTENTION
HKLM\ DisallowedCertificates: 42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 (K7 Computing Pvt Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 4420C99742DF11DD0795BC15B7B0ABF090DC84DF (Doctor Web Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 5240AB5B05D11B37900AC7712A3C6AE42F377C8C (Check Point Software Technologies Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 5DD3D41810F28B2A13E9A004E6412061E28FA48D (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 7457A3793086DBB58B3858D6476889E3311E550E (K7 Computing Pvt Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 76A9295EF4343E12DFC5FE05DC57227C1AB00D29 (BullGuard Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 775B373B33B9D15B58BC02B184704332B97C3CAF (McAfee) <==== ATTENTION
HKLM\ DisallowedCertificates: 872CD334B7E7B3C3D1C6114CD6B221026D505EAB (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 88AD5DFE24126872B33175D1778687B642323ACF (McAfee) <==== ATTENTION
HKLM\ DisallowedCertificates: 9132E8B079D080E01D52631690BE18EBC2347C1E (Adaware Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 982D98951CF3C0CA2A02814D474A976CBFF6BDB1 (Safer Networking Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 (Webroot Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9C43F665E690AB4D486D4717B456C5554D4BCEB5 (ThreatTrack Security) <==== ATTENTION
HKLM\ DisallowedCertificates: 9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 (CURIOLAB S.M.B.A.) <==== ATTENTION
HKLM\ DisallowedCertificates: A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 (Avira Operations GmbH & Co. KG) <==== ATTENTION
HKLM\ DisallowedCertificates: A5341949ABE1407DD7BF7DFE75460D9608FBC309 (BullGuard Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: A59CC32724DD07A6FC33F7806945481A2D13CA2F (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: AD4C5429E10F4FF6C01840C20ABA344D7401209F (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: AD96BB64BA36379D2E354660780C2067B81DA2E0 (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: CDC37C22FE9272D8F2610206AD397A45040326B8 (Trend Micro) <==== ATTENTION
HKLM\ DisallowedCertificates: D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598 (Kaspersky Lab) <==== ATTENTION
HKLM\ DisallowedCertificates: DB303C9B61282DE525DC754A535CA2D6A9BD3D87 (ThreatTrack Security) <==== ATTENTION
HKLM\ DisallowedCertificates: DB77E5CFEC34459146748B667C97B185619251BA (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: E22240E837B52E691C71DF248F12D27F96441C00 (Total Defense, Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: ED841A61C0F76025598421BC1B00E24189E68D54 (Bitdefender SRL) <==== ATTENTION
HKLM\ DisallowedCertificates: F83099622B4A9F72CB5081F742164AD1B8D048C9 (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: FBB42F089AF2D570F2BF6F493D107A3255A9BB1A (Panda Security S.L) <==== ATTENTION
HKLM\ DisallowedCertificates: FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 (Doctor Web Ltd.) <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\Run: [wtrwll] => rundll32.exe "C:\Users\TayJay\AppData\Local\wtrwll.dll",wtrwll <==== ATTENTION
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7964080 2018-01-12] (SUPERAntiSpyware)
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [10290608 2018-02-07] (Piriform Ltd)
AppInit_DLLs-x32: C:\ProgramData\TeamVieverService.dll => C:\ProgramData\TeamVieverService.dll [267264 2018-03-03] ()
GroupPolicy: Restriction - Chrome <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{09421c50-a479-45bd-a66e-aa5d6537be24}: [DhcpNameServer] 75.75.75.75 75.75.76.76
 
Internet Explorer:
==================
SearchScopes: HKU\S-1-5-21-426501694-2717639335-1212792558-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-01-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-01-02] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default [2018-03-11]
CHR Extension: (Slides) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-01-02]
CHR Extension: (Docs) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-01-02]
CHR Extension: (Google Drive) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-01-02]
CHR Extension: (YouTube) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-01-02]
CHR Extension: (Sheets) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-01-02]
CHR Extension: (Google Docs Offline) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-01-02]
CHR Extension: (Lookup Pro) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghdonojphkbfhdccpohfhckojkpfanlg [2018-01-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-01-02]
CHR Extension: (Gmail) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-01-02]
CHR Extension: (Chrome Media Router) - C:\Users\TayJay\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-01-02]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
HKLM\SYSTEM\CurrentControlSet\Services\enalwu <==== ATTENTION (Rootkit!)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-01-30] (SUPERAntiSpyware.com) [File not signed]
S3 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [23928 2017-08-16] ()
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [249032 2015-06-03] (Synaptics Incorporated)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [355304 2017-09-29] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [105944 2017-09-29] (Microsoft Corporation)
S3 --; C:\Users\TayJay\AppData\Local\Temp\UK5ii9xbW\social2search.exe /wl 1 [X] <==== ATTENTION
S2 apexpsvc; "C:\Users\TayJay\AppData\Local\urszihan\apexpsvc.exe" /svc [X]
S2 dahhService; C:\ProgramData\dahhService\dahhService.exe [X]
S2 hFB5EiZmkJfc Updater; C:\Program Files (x86)\hFB5EiZmkJfc Updater\hFB5EiZmkJfc Updater.exe [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AsusVBus; C:\WINDOWS\System32\drivers\AsusVBus.sys [39704 2015-10-07] (Windows ® Win 7 DDK provider)
R3 BCM43XX; C:\WINDOWS\system32\DRIVERS\bcmwl63a.sys [7585280 2017-09-29] (Broadcom Corporation)
S1 MpKsl85bedc2c; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6B18E70D-CE06-46C3-B5DB-D98E813FDCAD}\MpKsl85bedc2c.sys [58120 2017-12-29] () [File not signed]
S3 PVUSB; C:\WINDOWS\System32\drivers\CESG64.sys [63808 2007-02-19] (CASIO COMPUTER CO.,LTD.)
S3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [604160 2017-09-29] (Realtek )
S3 RTSUER; C:\WINDOWS\system32\Drivers\RtsUer.sys [410848 2015-08-26] (Realsil Semiconductor Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 SmbDrv; C:\WINDOWS\System32\drivers\Smb_driver_AMDASF.sys [42184 2015-06-03] (Synaptics Incorporated)
R3 SmbDrvI; C:\WINDOWS\System32\drivers\Smb_driver_Intel.sys [42696 2015-06-03] (Synaptics Incorporated)
S3 ssudqcfilter; C:\WINDOWS\System32\drivers\ssudqcfilter.sys [57648 2015-12-08] (QUALCOMM Incorporated)
R3 vm331avs; C:\WINDOWS\System32\Drivers\vm331avs.sys [648872 2015-09-03] (Vimicro Corporation)
S3 vpnpbus; C:\WINDOWS\System32\drivers\vpnpbus.sys [18624 2016-08-03] (/n software, Inc.)
S3 WacHidRouterPro; C:\WINDOWS\System32\drivers\wachidrouter.sys [119952 2017-01-25] (Wacom Technology)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44608 2017-09-29] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [309144 2017-09-29] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [119192 2017-09-29] (Microsoft Corporation)
S3 fjmpsw; system32\drivers\mpsvzc.sys [X]
R3 knqtxa; system32\drivers\qtxadg.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-03-11 13:21 - 2018-03-11 13:22 - 000015659 _____ C:\Users\TayJay\Desktop\FRST.txt
2018-03-11 13:21 - 2018-03-11 13:21 - 000000000 ____D C:\Users\TayJay\Desktop\FRST-OlderVersion
2018-03-11 13:17 - 2018-03-11 13:17 - 000142672 ____N C:\WINDOWS\system32\Drivers\rtdhloru.sys
2018-03-10 17:44 - 2018-03-11 13:21 - 000000000 ____D C:\FRST
2018-03-10 17:43 - 2018-03-11 13:17 - 000332034 _____ C:\WINDOWS\ntbtlog.txt
2018-03-10 11:39 - 2018-03-10 11:39 - 000388608 _____ (Trend Micro Inc.) C:\Users\TayJay\Desktop\HijackThis.exe
2018-03-10 11:38 - 2018-03-11 13:21 - 002402816 _____ (Farbar) C:\Users\TayJay\Desktop\FRST64.exe
2018-03-10 11:25 - 2018-03-10 11:29 - 069440952 _____ (Malwarebytes ) C:\Users\TayJay\Desktop\nothingImportant.exe
2018-03-05 13:06 - 2018-03-05 13:07 - 000000000 ____D C:\WINDOWS\system32\MRT
2018-03-05 13:05 - 2018-03-05 13:06 - 130067560 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2018-03-05 13:05 - 2018-03-05 13:05 - 130067560 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2018-03-05 12:08 - 2018-03-05 12:08 - 000012872 _____ (SurfRight B.V.) C:\WINDOWS\system32\bootdelete.exe
2018-03-05 12:08 - 2018-03-05 12:08 - 000008810 _____ C:\WINDOWS\system32\.crusader
2018-03-05 12:08 - 2018-03-05 12:08 - 000004638 _____ C:\WINDOWS\system32\bootdelete.lst
2018-03-05 11:54 - 2018-03-05 11:54 - 000055232 _____ C:\WINDOWS\system32\Drivers\hitmanpro37.sys
2018-03-05 11:53 - 2018-03-05 12:08 - 000000000 ____D C:\ProgramData\HitmanPro
2018-03-05 11:51 - 2018-03-05 11:53 - 011605440 _____ (SurfRight B.V.) C:\Users\TayJay\Downloads\HitmanPro_x64.exe
2018-03-05 11:50 - 2018-03-05 11:50 - 008222496 _____ (Malwarebytes) C:\Users\TayJay\Downloads\AdwCleaner.exe
2018-03-05 11:47 - 2018-03-05 11:47 - 000983168 _____ (Bleeping Computer, LLC) C:\Users\TayJay\Downloads\rkill64.exe
2018-03-05 11:46 - 2018-03-05 11:46 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\TayJay\Downloads\rkill.exe
2018-03-05 11:22 - 2018-03-05 11:22 - 000003936 _____ C:\WINDOWS\System32\Tasks\CCleaner Update
2018-03-05 11:22 - 2018-03-05 11:22 - 000002872 _____ C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
2018-03-05 11:22 - 2018-03-05 11:22 - 000000906 _____ C:\Users\Public\Desktop\CCleaner.lnk
2018-03-05 11:22 - 2018-03-05 11:22 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2018-03-05 11:22 - 2018-03-05 11:22 - 000000000 ____D C:\Program Files\CCleaner
2018-03-05 11:21 - 2018-03-05 11:21 - 011217568 _____ (Piriform Ltd) C:\Users\TayJay\Downloads\ccsetup540.exe
2018-03-05 09:35 - 2018-03-05 09:35 - 000566128 _____ (Malwarebytes) C:\Users\TayJay\Downloads\mbam-clean-2.3.0.1001.exe
2018-03-05 09:12 - 2018-03-05 09:12 - 000000000 ____D C:\SUPERDelete
2018-03-05 09:11 - 2018-03-05 09:11 - 000001849 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2018-03-05 09:11 - 2018-03-05 09:11 - 000000544 _____ C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task 89a1f62d-7b9c-40e5-9917-cda71408b1c5.job
2018-03-05 09:11 - 2018-03-05 09:11 - 000000544 _____ C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task 34d18afc-401e-40df-8c23-7f79614cb674.job
2018-03-05 09:11 - 2018-03-05 09:11 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\SUPERAntiSpyware.com
2018-03-05 09:11 - 2018-03-05 09:11 - 000000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2018-03-05 09:11 - 2018-03-05 09:11 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2018-03-05 09:11 - 2018-03-05 09:11 - 000000000 ____D C:\Program Files\SUPERAntiSpyware
2018-03-05 09:10 - 2018-03-05 09:11 - 031916584 _____ (SUPERAntiSpyware) C:\Users\TayJay\Downloads\SUPERAntiSpyware.exe
2018-03-05 08:59 - 2018-03-10 17:44 - 000002093 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-03-05 08:59 - 2018-03-05 08:59 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-03-05 08:59 - 2017-11-29 10:11 - 000077432 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2018-03-05 08:58 - 2018-03-05 08:58 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-03-05 08:58 - 2018-03-05 08:58 - 000000000 ____D C:\Program Files\Malwarebytes
2018-03-05 08:52 - 2018-03-05 08:52 - 067456464 _____ (Malwarebytes ) C:\Users\TayJay\Downloads\mb3-setup-exp89v1.exp89v1-3.3.1.2183-1.0.262-1.0.4030 (1).exe
2018-03-05 08:45 - 2018-03-05 08:45 - 000000000 ____D C:\Users\TayJay\Desktop\mbar
2018-03-04 22:23 - 2018-03-04 22:23 - 000000000 ____D C:\Users\TayJay\AppData\Local\snmrgwb
2018-03-03 21:23 - 2018-03-03 21:23 - 000000000 ____D C:\Users\TayJay\Documents\Youcam
2018-03-03 21:23 - 2018-03-03 21:23 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\CyberLink
2018-03-03 21:23 - 2018-03-03 21:23 - 000000000 ____D C:\Users\TayJay\AppData\Local\CyberLink
2018-03-03 21:23 - 2018-03-03 21:23 - 000000000 ____D C:\ProgramData\CyberLink
2018-03-03 21:19 - 2018-03-03 21:21 - 000037032 _____ C:\TDSSKiller.3.1.0.16_03.03.2018_20.19.19_log.txt
2018-03-03 21:09 - 2018-03-03 21:09 - 000000000 ____D C:\TDSSKiller_Quarantine
2018-03-03 21:07 - 2018-03-03 21:16 - 000400614 _____ C:\TDSSKiller.3.1.0.16_03.03.2018_20.07.24_log.txt
2018-03-03 21:02 - 2018-03-03 21:02 - 000267264 _____ C:\ProgramData\TeamVieverService.dll
2018-03-03 20:50 - 2018-03-03 20:51 - 014178840 _____ (Malwarebytes Corp.) C:\Users\TayJay\Downloads\mbar-1.10.3.1001.exe
2018-03-03 19:26 - 2018-03-05 12:08 - 000000000 ____D C:\Program Files\4NG4LH7W8G
2018-03-03 19:26 - 2018-03-03 21:17 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\h2ifcildl3t
2018-03-03 19:25 - 2018-03-05 12:08 - 000000000 ____D C:\Program Files\2Y31IBGK1W
2018-03-03 19:25 - 2018-03-03 21:17 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\qbjcrqpklsi
2018-03-03 19:19 - 2018-03-05 09:02 - 000000000 ____D C:\Users\TayJay\AppData\Local\ElevatedDiagnostics
2018-03-03 19:12 - 2018-03-03 19:12 - 000000322 _____ C:\WINDOWS\delsu.cmd
2018-03-03 19:11 - 2018-03-05 12:08 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\eb664d17c829460f9f3d907280584604
2018-03-03 19:11 - 2018-03-05 12:08 - 000000000 ____D C:\Users\TayJay\AppData\Local\2ef317df4c5d48a9a6a73bb10a4e76b9
2018-03-03 19:11 - 2018-03-03 19:11 - 000004104 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateSecurityTaskMachine_GC
2018-03-03 19:11 - 2018-03-03 19:11 - 000004104 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateSecurityTaskMachine_CO
2018-03-03 19:11 - 2018-03-03 19:11 - 000003884 _____ C:\WINDOWS\System32\Tasks\{38A553EE-23E7-E888-90D0-A25B60141F59}
2018-03-03 19:10 - 2018-03-05 12:08 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\ef4b4bebfd1d48b887d323eb5afaaa6d
2018-03-03 19:10 - 2018-03-03 19:11 - 068171320 _____ (Malwarebytes ) C:\Users\TayJay\Downloads\mb3-setup-consumer-3.3.1.2183-1.0.262-1.0.4170.exe
2018-03-03 19:10 - 2018-03-03 19:11 - 000000000 ____D C:\ProgramData\5ba2d091-5ed1-0
2018-03-03 19:10 - 2018-03-03 19:10 - 000000000 ____D C:\ProgramData\5ba2d091-7757-1
2018-03-03 19:10 - 2018-03-03 19:10 - 000000000 ____D C:\ProgramData\5ba2d091-6543-1
2018-03-03 19:10 - 2018-03-03 19:10 - 000000000 ____D C:\ProgramData\5ba2d091-5317-0
2018-03-03 19:10 - 2018-03-03 19:10 - 000000000 ____D C:\ProgramData\5ba2d091-2a65-0
2018-03-03 19:10 - 2018-03-03 19:10 - 000000000 ____D C:\ProgramData\5ba2d091-1c25-1
2018-03-03 19:09 - 2018-03-03 19:09 - 000004546 _____ C:\WINDOWS\System32\Tasks\456AFE18-7D8F-9434-8841-4A392D2C1E3E
2018-03-03 19:09 - 2018-03-03 19:09 - 000000000 ____D C:\Users\TayJay\AppData\Local\3854FDE4-7C4F-5200-6A10-BF1A8307045D
2018-03-03 19:09 - 2018-03-03 19:09 - 000000000 ____D C:\ProgramData\15c5941f
2018-03-03 19:08 - 2018-03-03 19:08 - 000000000 ____D C:\ProgramData\{4b395e9e-312c-0}
2018-03-03 19:08 - 2018-03-03 19:08 - 000000000 ____D C:\ProgramData\{4a8e1975-112c-0}
2018-03-03 19:08 - 2018-03-03 19:08 - 000000000 ____D C:\ProgramData\{476a7294-512c-1}
2018-03-03 19:08 - 2018-03-03 19:08 - 000000000 ____D C:\ProgramData\{2bca6a22-212c-1}
2018-03-03 19:08 - 2018-03-03 19:08 - 000000000 ____D C:\ProgramData\{276120ab-412c-1}
2018-03-03 19:08 - 2018-03-03 19:08 - 000000000 ____D C:\ProgramData\{250b2139-012c-0}
2018-03-03 19:00 - 2018-03-03 19:00 - 000000000 _____ C:\Users\TayJay\Downloads\mb3-setup-exp89v1.exp89v1-3.3.1.2183-1.0.262-1.0.4030.exe
2018-03-03 18:44 - 2018-03-03 18:44 - 000000000 ____D C:\ProgramData\0896b11e-3145-1
2018-03-03 18:43 - 2018-03-03 18:43 - 000000000 ____D C:\ProgramData\b68f6bda-78a7-1
2018-03-03 18:42 - 2018-03-03 18:42 - 000000000 ____D C:\ProgramData\596e943e-06f3-1
2018-03-03 18:39 - 2018-03-11 13:00 - 000000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-03-11 13:20 - 2018-01-05 08:57 - 000000000 ____D C:\Users\TayJay\AppData\Local\vdbnsag
2018-03-11 13:19 - 2018-01-05 08:55 - 000000258 __RSH C:\ProgramData\ntuser.pol
2018-03-11 13:18 - 2017-12-26 22:16 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2018-03-11 13:17 - 2018-01-05 08:55 - 002888192 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\exeldozsvc.exe
2018-03-11 13:17 - 2017-12-26 21:42 - 038535168 _____ C:\WINDOWS\system32\config\HARDWARE
2018-03-11 13:17 - 2017-12-26 21:42 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2018-03-11 13:05 - 2017-12-26 22:33 - 001441388 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2018-03-11 13:00 - 2017-12-26 22:15 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2018-03-11 11:51 - 2017-12-26 21:54 - 000000000 ___HD C:\Program Files\WindowsApps
2018-03-11 11:51 - 2017-12-26 21:54 - 000000000 ____D C:\WINDOWS\DeliveryOptimization
2018-03-11 11:51 - 2017-12-26 21:54 - 000000000 ____D C:\WINDOWS\AppReadiness
2018-03-11 11:51 - 2017-12-26 21:47 - 000000000 ____D C:\WINDOWS\CbsTemp
2018-03-11 11:48 - 2018-01-05 08:59 - 000004168 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{0696A1FA-9FA1-4F4A-B21F-F32BBC66CEEB}
2018-03-10 18:26 - 2018-01-05 09:07 - 000000000 ____D C:\Users\TayJay\AppData\Local\wisrgxo
2018-03-10 11:33 - 2017-12-26 21:00 - 000000000 ___RD C:\Users\TayJay\OneDrive
2018-03-10 11:29 - 2017-12-26 21:01 - 000003378 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-426501694-2717639335-1212792558-1001
2018-03-10 11:29 - 2017-12-26 21:00 - 000002409 _____ C:\Users\TayJay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2018-03-05 14:57 - 2017-12-26 21:42 - 000000000 ____D C:\WINDOWS\Panther
2018-03-05 12:51 - 2017-12-26 21:52 - 000000000 ____D C:\WINDOWS\INF
2018-03-05 12:08 - 2018-01-05 09:15 - 000000000 ____D C:\ProgramData\79a6160ccfad44f8acda1f4b4ba3149b
2018-03-05 12:08 - 2018-01-05 08:56 - 000000000 ____D C:\Program Files\a92652ccfc6c5a64a2f6a0a92914b30b
2018-03-05 12:08 - 2018-01-05 08:55 - 000000000 ____D C:\Users\TayJay\AppData\Local\a7cf1c9a168b4df9bb27b2af34cf4215
2018-03-05 12:08 - 2018-01-05 08:54 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\fb45c4f97c6a434da219c56a0e4067e8
2018-03-05 12:08 - 2018-01-05 08:54 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\f370b6b8319049ff8e1ae34574ca6ad1
2018-03-05 12:08 - 2018-01-05 08:54 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\0e6da40139b84235b6e54b6b5ca3f595
2018-03-05 11:24 - 2017-12-26 21:54 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2018-03-05 11:09 - 2018-01-05 08:55 - 000000016 _____ C:\ProgramData\rwi.hhad
2018-03-05 11:09 - 2018-01-05 08:55 - 000000004 _____ C:\ProgramData\lock.dat
2018-03-05 10:06 - 2018-01-05 15:34 - 000000000 ____D C:\Users\TayJay\AppData\Local\e4203841e8e744d2982724fb6ec1bc7f
2018-03-05 10:06 - 2018-01-05 09:15 - 000000000 ____D C:\Users\TayJay\AppData\Local\a4fd633edc144fdabf869ae4ce11c8d6
2018-03-05 10:06 - 2018-01-05 09:15 - 000000000 ____D C:\ProgramData\5c2a3b85e2ac4cc580c813dcc2f6397d
2018-03-05 10:05 - 2018-01-05 15:35 - 000000000 ____D C:\Program Files\W5WJVKIKJA
2018-03-05 10:05 - 2018-01-05 15:35 - 000000000 ____D C:\Program Files\R2USZUBAZ2
2018-03-05 10:05 - 2018-01-05 15:35 - 000000000 ____D C:\Program Files\PHYGCFDGV7
2018-03-05 10:05 - 2018-01-05 15:35 - 000000000 ____D C:\Program Files\3PHK0ZLLSN
2018-03-05 10:05 - 2018-01-05 15:34 - 000000000 ____D C:\Program Files\XCR4DBPB7V
2018-03-05 10:05 - 2018-01-05 15:34 - 000000000 ____D C:\Program Files\DQW4ZW4QAO
2018-03-05 10:05 - 2018-01-05 10:19 - 000000000 ____D C:\Program Files\6JC41U7J17
2018-03-05 10:05 - 2018-01-05 09:52 - 000000000 ____D C:\Program Files\VL6DRP7V24
2018-03-05 10:05 - 2018-01-05 09:52 - 000000000 ____D C:\Program Files\J1PTJF3YIE
2018-03-05 10:05 - 2018-01-05 09:51 - 000000000 ____D C:\Program Files\KIU52D9M8O
2018-03-05 10:05 - 2018-01-05 09:16 - 000000000 ____D C:\Program Files\NNAA3IZOIP
2018-03-05 10:05 - 2018-01-05 09:16 - 000000000 ____D C:\Program Files\1R8G0K9TDA
2018-03-05 10:05 - 2018-01-05 09:14 - 000000000 ____D C:\Program Files\E1W2X3BXTT
2018-03-05 10:05 - 2018-01-05 09:05 - 000000000 ____D C:\Program Files\MJXZC71KAX
2018-03-05 10:05 - 2018-01-05 09:05 - 000000000 ____D C:\Program Files\LBGNJV71HM
2018-03-05 10:05 - 2018-01-05 09:03 - 000000000 ____D C:\Program Files\27I5E4HJQA
2018-03-05 10:05 - 2018-01-05 08:57 - 000000000 ____D C:\Program Files\OK471D1QDG
2018-03-05 10:05 - 2018-01-05 08:56 - 000000000 ____D C:\Program Files\AU8H0KC2AD
2018-03-05 10:05 - 2018-01-05 08:54 - 000000000 ____D C:\Program Files\J5HVTXPTBR
2018-03-05 10:05 - 2018-01-05 08:53 - 000000000 ____D C:\Program Files\I40EAEJRR0
2018-03-05 10:05 - 2018-01-05 08:53 - 000000000 ____D C:\Program Files (x86)\tv033y3dqug
2018-03-05 10:05 - 2018-01-05 08:53 - 000000000 ____D C:\Program Files (x86)\foldershare
2018-03-05 10:05 - 2018-01-05 08:53 - 000000000 ____D C:\Program Files (x86)\bestDownloader
2018-03-04 17:47 - 2018-01-05 08:56 - 000000000 ____D C:\Users\TayJay\AppData\Local\AdService
2018-03-03 21:37 - 2017-12-26 22:14 - 000222832 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2018-03-03 21:36 - 2017-12-26 22:01 - 000000000 ____D C:\WINDOWS\OCR
2018-03-03 21:21 - 2017-12-31 21:26 - 000000000 ____D C:\Users\TayJay\AppData\Local\LenovoServiceBridge
2018-03-03 21:17 - 2018-01-05 15:35 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\ymbx15nku4v
2018-03-03 21:17 - 2018-01-05 15:35 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\odbrxpkq1fd
2018-03-03 21:17 - 2018-01-05 15:35 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\m4bwtxe4sjt
2018-03-03 21:17 - 2018-01-05 15:35 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\gbaje055b3h
2018-03-03 21:17 - 2018-01-05 15:35 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\dtpcna3dfl1
2018-03-03 21:17 - 2018-01-05 15:35 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\cvpd24i1qhe
2018-03-03 21:17 - 2018-01-05 15:34 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\sevlwzxczzt
2018-03-03 21:17 - 2018-01-05 15:34 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\nmycohxhom1
2018-03-03 21:17 - 2018-01-05 15:34 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\91eb6c8e825d44a3a13c7075297ad585
2018-03-03 21:17 - 2018-01-05 15:34 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\88dec4dab0954629b5828d4fc2f693ea
2018-03-03 21:17 - 2018-01-05 15:34 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\4e5jwxj15ok
2018-03-03 21:17 - 2018-01-05 11:03 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\ao3wi3keeze
2018-03-03 21:17 - 2018-01-05 10:19 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\wmb55coydgp
2018-03-03 21:17 - 2018-01-05 10:19 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\mj0jt0ghue5
2018-03-03 21:17 - 2018-01-05 10:18 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\3cc0b21nzvg
2018-03-03 21:17 - 2018-01-05 09:52 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\neofcfb5ysy
2018-03-03 21:17 - 2018-01-05 09:52 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\02w2gbq0dgv
2018-03-03 21:17 - 2018-01-05 09:51 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\x4gvzenkhf3
2018-03-03 21:17 - 2018-01-05 09:51 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\42emoy0wbsd
2018-03-03 21:17 - 2018-01-05 09:51 - 000000000 ____D C:\Users\TayJay\AppData\Local\c4eaf2e9861e4cbcb7a1db1ae22cce7b
2018-03-03 21:17 - 2018-01-05 09:05 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\uligfod3p4y
2018-03-03 21:17 - 2018-01-05 09:04 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\x0tnifxyqzd
2018-03-03 21:17 - 2018-01-05 09:04 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\mkfaekun4er
2018-03-03 21:17 - 2018-01-05 09:04 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\ctjsvzdivhq
2018-03-03 21:17 - 2018-01-05 09:04 - 000000000 ____D C:\ProgramData\2f3182cfe30242439396018675f0d114
2018-03-03 21:17 - 2018-01-05 09:03 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\fxbsceot3lw
2018-03-03 21:17 - 2018-01-05 08:56 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\brkda4krv5i
2018-03-03 21:17 - 2018-01-05 08:55 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\um52ogkmphp
2018-03-03 21:17 - 2018-01-05 08:55 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\3cva52tu10v
2018-03-03 21:17 - 2018-01-05 08:54 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\p4lvy0a4klb
2018-03-03 21:17 - 2018-01-05 08:54 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\5fzh43wf5an
2018-03-03 21:17 - 2018-01-05 08:54 - 000000000 ____D C:\Program Files (x86)\Multitimer
2018-03-03 21:17 - 2018-01-05 08:53 - 000000000 ____D C:\Users\TayJay\AppData\Roaming\3o0ogsqwp2v
2018-03-03 21:17 - 2018-01-05 08:52 - 000000000 ____D C:\Users\TayJay\AppData\Local\PCBooster
2018-03-03 20:17 - 2017-12-26 20:55 - 000000000 ____D C:\Users\TayJay
2018-03-03 19:12 - 2017-12-31 21:32 - 000000555 _____ C:\WINDOWS\SysWOW64\InstallUtil.InstallLog
2018-03-03 19:12 - 2017-12-31 21:26 - 000000000 ____D C:\WINDOWS\System32\Tasks\TVT
2018-03-03 19:12 - 2017-12-31 21:26 - 000000000 ____D C:\ProgramData\Lenovo
2018-03-03 19:10 - 2018-01-05 08:58 - 000000000 ____D C:\ProgramData\0896b11e-6327-0
2018-03-03 19:10 - 2018-01-05 08:55 - 000000000 ____D C:\ProgramData\596e943e-5347-0
2018-03-03 19:10 - 2018-01-05 08:54 - 000000000 ____D C:\ProgramData\596e943e-6003-1
2018-03-03 19:08 - 2018-01-05 08:58 - 000000000 ____D C:\ProgramData\0896b11e-53b3-1
2018-03-03 19:03 - 2017-12-26 21:54 - 000000000 ____D C:\WINDOWS\system32\NDF
2018-03-03 18:43 - 2018-01-05 08:54 - 000000000 ____D C:\Program Files (x86)\applica
2018-03-03 18:05 - 2018-01-05 15:36 - 000000332 _____ C:\WINDOWS\Tasks\plaAVjRQXWCDePSecyr.job
2018-03-03 18:05 - 2018-01-05 15:35 - 000000322 _____ C:\WINDOWS\Tasks\BcyoMZkjXMgFaPP.job
2018-03-03 18:05 - 2018-01-05 11:09 - 000000344 _____ C:\WINDOWS\Tasks\saKXaLnxQURzlMgex.job
 
==================== Files in the root of some directories =======
 
2018-01-05 08:55 - 2018-03-05 11:09 - 000000004 _____ () C:\ProgramData\lock.dat
2018-03-03 21:02 - 2018-03-03 21:02 - 000267264 _____ () C:\ProgramData\TeamVieverService.dll
2018-01-05 08:54 - 2018-01-05 08:54 - 000011568 _____ () C:\Users\TayJay\AppData\Local\InstallationConfiguration.xml
2018-01-05 08:54 - 2018-01-05 08:54 - 000140800 _____ () C:\Users\TayJay\AppData\Local\installer.dat
2018-01-05 08:54 - 2018-01-05 15:34 - 000930816 _____ () C:\Users\TayJay\AppData\Local\po.db
2018-01-05 08:55 - 2018-01-05 09:04 - 000014848 _____ () C:\Users\TayJay\AppData\Local\wtrwll.dll
 
Some files in TEMP:
====================
2018-03-11 13:03 - 2018-03-11 13:03 - 002402816 _____ (Farbar) C:\Users\TayJay\AppData\Local\Temp\45A5.tmp.exe
2018-03-11 13:07 - 2018-03-11 13:07 - 002402816 _____ (Farbar) C:\Users\TayJay\AppData\Local\Temp\7C61.tmp.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\WINDOWS\system32\drivers\rtdhloru.sys -> Access Denied <======= ATTENTION
 
LastRegBack: 2018-03-05 13:55
 
==================== End of FRST.txt ============================
 
Normal Addition
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11.03.2018 01
Ran by TayJay (11-03-2018 13:24:24)
Running from C:\Users\TayJay\Desktop
Windows 10 Home Version 1709 16299.15 (X64) (2017-12-27 03:31:29)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-426501694-2717639335-1212792558-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-426501694-2717639335-1212792558-503 - Limited - Disabled)
Guest (S-1-5-21-426501694-2717639335-1212792558-501 - Limited - Disabled)
TayJay (S-1-5-21-426501694-2717639335-1212792558-1001 - Administrator - Enabled) => C:\Users\TayJay
WDAGUtilityAccount (S-1-5-21-426501694-2717639335-1212792558-504 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
CCleaner (HKLM\...\CCleaner) (Version: 5.40 - Piriform)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.1.3603 - CyberLink Corp.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 63.0.3239.108 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Lenovo EasyCamera (HKLM-x32\...\{ADE16A9D-FBDC-4ecc-B6BD-9C31E51D0332}) (Version: 3.15.0414.1 - Vimicro)
Lenovo Service Bridge (HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\{2C74547D-EF88-47F4-85F5-BE46A31E26B7}_is1) (Version: 4.0.5.9 - Lenovo)
Lenovo System Update (HKLM-x32\...\TVSU_is1) (Version: 5.07.0065 - Lenovo)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft OneDrive (HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\OneDriveSetup.exe) (Version: 18.025.0204.0009 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Realtek Ethernet Controller Driver For Windows 7 (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.21.531.2010 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7535 - Realtek Semiconductor Corp.)
SearchAwesome (HKLM\...\a92652ccfc6c5a64a2f6a0a92914b30b) (Version: 13.14.1.127 (i1.0) - SearchAwesome) <==== ATTENTION
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1254 - SUPERAntiSpyware.com)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 19.0.9.5 - Synaptics Incorporated)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\WINDOWS\system32\igfxpph.dll [2017-03-09] (Intel Corporation)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {1440C99E-B721-430F-A71E-85ABCCA7D8EC} - System32\Tasks\{0F0B0D47-0C7D-0E09-0B11-0B7D7F091179} => C:\WINDOWS\system32\WindowsPowershell\v1.0\powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand IAAgADsAIAAgADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAVwBhAHIAbgBpAG4AZwBQAHIAZQBmAGUAcgBlAG4AYwBlAD0AJABzAGMA (the data entry has 10024 more characters). <==== ATTENTION
Task: {1a09a58c-dde7-4d7e-aced-1f9fc42d6f92} - no filepath
Task: {1A7ABC6C-9B6E-472A-B405-E301E502E184} - System32\Tasks\MirageAgent => C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [2010-12-05] (CyberLink)
Task: {1F8B6DD8-9C57-4A02-A121-8035C07DFFEA} - System32\Tasks\SystemHealer Task => C:\PROGRA~2\SYSTEM~1\RESCUE~1.EXE <==== ATTENTION
Task: {2C20DBDC-3888-49FB-9E62-B50C8E0416F9} - System32\Tasks\plaAVjRQXWCDePSecyr => rundll32 "C:\Program Files (x86)\aohGTEheqdnWC\mbphsSv.dll",#1
Task: {2EAD14D9-3478-413A-9B90-B9803130A431} - System32\Tasks\GoogleUpdateSecurityTaskMachine_CO => C:\Users\TayJay\AppData\Local\Temp\0d98bd75e750488fbd9a22e767429ac0\chipset.exe exec hide CAGKCRSAUW.cmd  <==== ATTENTION
Task: {39419E71-C30A-4131-9952-E5C6E373962A} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-01-02] (Google Inc.)
Task: {3F9982E0-E14D-43FE-9E82-0FB6EC3E97A5} - System32\Tasks\highpcbooster_onstartup => C:\Program Files (x86)\High PC Booster\high-pc-booster.exe
Task: {428AE469-4D9A-4D9A-8BF3-51B17279C713} - System32\Tasks\FastDataX Task => C:\PROGRA~2\FASTDA~1\FASTDA~1.EXE
Task: {458E2ACC-9A90-4FAE-B16E-5EACDDF610FB} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-01-02] (Google Inc.)
Task: {4848E88E-DDD2-4F86-8489-F9DC1D5CEAF5} - System32\Tasks\LookUpPro => C:\Users\TayJay\AppData\Roaming\LookUpPro\python\pythonw.exe <==== ATTENTION
Task: {49EE4661-0D2E-424E-A04F-FD2CA2AF85FA} - System32\Tasks\pnIxobGIUDXdNt => rundll32 "C:\Program Files (x86)\TwPufLOWyrxU2\uDpDxLscbYUin.dll",#1
Task: {4D78E8F2-0CF3-4B6C-ADD0-7965FA2A928D} - System32\Tasks\S-1-5-21-426501694-2717639335-1212792558-1001\DataSenseLiveTileTask => C:\WINDOWS\System32\DataUsageLiveTileTask.exe [2017-09-29] (Microsoft Corporation)
Task: {58AA77BC-0C87-476F-B048-288BD804FE53} - System32\Tasks\hFB5EiZmkJfc => hfb5eizmkjfc.exe <==== ATTENTION
Task: {5D19D762-C142-43B4-823A-6FFF2BA9CAD0} - System32\Tasks\Lenovo\Lenovo Service Bridge\S-1-5-21-426501694-2717639335-1212792558-1001 => C:\Users\TayJay\AppData\Local\Programs\Lenovo\Lenovo Service Bridge\LSBUpdater.exe [2018-02-07] (Lenovo Group Limited)
Task: {5D9DE258-1133-41A8-B416-169DD1321A8E} - System32\Tasks\LookUpPro2 => C:\Users\TayJay\AppData\Roaming\LookUpPro\python\pythonw.exe <==== ATTENTION
Task: {72308FB9-558C-4623-A5E1-7DB7E9D6D9CA} - System32\Tasks\plaAVjRQXWCDePSecyr2 => rundll32 "C:\Program Files (x86)\aohGTEheqdnWC\mbphsSv.dll",#1
Task: {7239C42C-5091-42E3-B1FC-94E17C0AD8E4} - System32\Tasks\System Healer Delayed => C:\Program Files (x86)\SystemHealer\SystemHealer.exe <==== ATTENTION
Task: {74183F91-4B3C-4E6B-B988-86512E523575} - \GoogleUpdateSecurityTaskMachine_PJ -> No File <==== ATTENTION
Task: {82A12AF7-DB1A-4E85-9CEA-FCF92FF3AA67} - System32\Tasks\GoogleUpdateSecurityTaskMachine_GC => C:\Users\TayJay\AppData\Local\Temp\4b539396bae547629279082d9c4a4c66\chipset.exe exec hide UIKXWAUYQX.cmd  <==== ATTENTION
Task: {97926A8A-54D9-493B-BDA6-6E6E8A0FD57B} - \LaCieS -> No File <==== ATTENTION
Task: {98828305-8442-4C04-A47F-12D543931640} - System32\Tasks\OneSystemCare Task => C:\PROGRA~2\ONESYS~1\SYSTEM~1.EXE <==== ATTENTION
Task: {98E2D891-0F02-4185-8325-6B21DB8E52F5} - \Halite LifeJun Software -> No File <==== ATTENTION
Task: {99E6FDFC-481F-4D76-A56C-82393D6F855A} - System32\Tasks\{38A553EE-23E7-E888-90D0-A25B60141F59} => C:\WINDOWS\system32\regsvr32.exe /s /n /i:"/rt" "C:\PROGRA~3\15c5941f\26dfccfa.dll" <==== ATTENTION
Task: {B42D35FE-39C6-40D5-9DBE-88417A210DCC} - System32\Tasks\GoogleUpdateSecurityTaskMachine_VL => C:\Users\TayJay\AppData\Local\Temp\ed8cff593c3f45019a490d24a153a618\chipset.exe exec hide XXSGUDEXSV.cmd  <==== ATTENTION
Task: {B9800259-720A-4B8D-8EEF-09B081BBC54E} - \GoogleUpdateSecurityTaskMachine_EX -> No File <==== ATTENTION
Task: {BAD7314D-0848-4EAF-AA5C-D2614371E117} - System32\Tasks\saKXaLnxQURzlMgex2 => rundll32 "C:\Program Files (x86)\RrHYXuUpocPTIXdsppR\gWGsdSU.dll",#1
Task: {C392BB34-16B0-4A3C-8505-6815775A36CD} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2018-02-07] (Piriform Ltd)
Task: {C42E27D3-6757-48E9-9CB6-FCD73F3C53D5} - System32\Tasks\BcyoMZkjXMgFaPP2 => rundll32 "C:\Program Files (x86)\umkISPBbU\DDLcYi.dll",#1
Task: {CC9BAA09-EAA3-45F6-82CD-F9CA9D362B96} - System32\Tasks\BcyoMZkjXMgFaPP => rundll32 "C:\Program Files (x86)\umkISPBbU\DDLcYi.dll",#1
Task: {D2F045ED-4A44-4C8D-AE47-81FA6759727E} - System32\Tasks\saKXaLnxQURzlMgex => rundll32 "C:\Program Files (x86)\RrHYXuUpocPTIXdsppR\gWGsdSU.dll",#1
Task: {DBB62F93-150D-44DD-9C8F-C5B916990E5C} - System32\Tasks\System Healer Monitor => C:\Program Files (x86)\SystemHealer\HealerConsole.exe <==== ATTENTION
Task: {DD48514C-C7FD-4736-82F8-91DC867C2693} - \HDWallPaper -> No File <==== ATTENTION
Task: {E472B03A-13EB-451B-94ED-FC93062D7926} - \GoogleUpdateSecurityTaskMachine_QB -> No File <==== ATTENTION
Task: {ECA50798-5C35-44FE-A457-BCA57908D77A} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2018-02-07] (Piriform Ltd)
Task: {F08E300C-013D-4C11-8555-1BD2D8703865} - \GoogleUpdateSecurityTaskMachine_AR -> No File <==== ATTENTION
Task: {F6265B22-C83B-45C3-A248-DB0F5A450E88} - \One System Care Monitor -> No File <==== ATTENTION
Task: {F6AB5609-9223-431E-A2C1-AED46304E576} - System32\Tasks\One System Care Delayed => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe <==== ATTENTION
Task: {FE70367D-BF69-45F7-9C0B-3B2FF3157E9F} - \GoogleUpdateSecurityTaskMachine_PV -> No File <==== ATTENTION
Task: {FEC94F9D-7A2E-4D0C-B0DF-4ABF5EFCE19A} - System32\Tasks\456AFE18-7D8F-9434-8841-4A392D2C1E3E => C:\WINDOWS\SysWOW64\regsvr32.exe /n /s /i:"/2398819baa1a025b /q" "C:\Users\TayJay\AppData\Local\3854FDE4-7C4F-5200-6A10-BF1A8307045D\{26DFCCFA-58E5-331A-1E31-8B1EAA241A61}.."
Task: {FF37CA89-40A2-4DA1-9EA4-CF40EF7BB0B8} - \GoogleUpdateSecurityTaskMachine_WN -> No File <==== ATTENTION
Task: {FF7A0672-F93C-4796-9B2F-0B3CC31D793F} - \GoogleUpdateSecurityTaskMachine_JZ -> No File <==== ATTENTION
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\BcyoMZkjXMgFaPP.job => C:\Program Files (x86)\umkISPBbU\DDLcYi.dll
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\plaAVjRQXWCDePSecyr.job => C:\Program Files (x86)\aohGTEheqdnWC\mbphsSv.dll
Task: C:\WINDOWS\Tasks\saKXaLnxQURzlMgex.job => C:\Program Files (x86)\RrHYXuUpocPTIXdsppR\gWGsdSU.dll
Task: C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task 34d18afc-401e-40df-8c23-7f79614cb674.job => C:\Program Files\SUPERAntiSpyware\SASTask.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Task: C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task 89a1f62d-7b9c-40e5-9917-cda71408b1c5.job => C:\Program Files\SUPERAntiSpyware\SASTask.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-09-29 08:41 - 2017-09-29 08:41 - 000184432 ____N () C:\WINDOWS\SYSTEM32\inputhost.dll
2018-01-05 08:54 - 2015-06-02 00:25 - 002501120 _____ () C:\Program Files\Halite LifeJun Software\Halite LifeJun Software.dll
2017-09-29 08:42 - 2017-09-29 09:43 - 011044864 ____N () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-09-29 08:42 - 2017-09-29 09:43 - 001804288 ____N () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-03-09 01:16 - 2017-03-09 01:16 - 000112264 _____ () C:\Windows\System32\IccLibDll_x64.dll
2018-03-10 11:27 - 2018-03-11 13:19 - 000600576 _____ () C:\WINDOWS\TEMP\gC8F6.tmp.exe
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\79233007.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\79233007.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2017-12-26 21:54 - 2018-03-03 19:10 - 000020520 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
 
There are 516 more lines.
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Windows\img0.jpg
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: ) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run: => "applica"
HKLM\...\StartupApproved\Run: => "gplyra"
HKLM\...\StartupApproved\Run32: => "applica"
HKLM\...\StartupApproved\Run32: => "booster"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "AJVFZVI8JF3SNFW"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "4BO23ZRIMW5J311"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "DXU6ZU6L7OEDK2V"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "ZPSXDPH51MIHXTO"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "2465782"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "2354198"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "1153011"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "8350254"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "9039279"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "519427"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "5592513"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "7426894"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "9651975"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "4140730"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "5203286"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "2111302"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "798531"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "7541573"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "9983184"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "543994"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "8223062"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "4183677"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "7468766"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "3953832"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "999825"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "2922207"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "3219474"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "6757364"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "3619817"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "8692240"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "6850480"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "7939418"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "3WYXUNNI40COSYI"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "YNTEX5IV31I56VW"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "UkIUVrdKW6zZ.exe"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "gov2HErF.exe"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "SEBWMZSGZ6N5OHX"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "1371053"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "7823010"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "LT4BV8B4WZFIUJE"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "3RPNJXC5OOPY9EF"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "48N9WDWATY6REP8"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "AD4IBKCMW02KPFB"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "AO4A2TCT0XCKUOP"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "K7K9WJFPU12FVEI"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "EQTHYFLGMI.exe"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "aSyBzMtfC.exe"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "d7eVy354E.exe"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "1Z2JIXQN8W06ETB"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "w0l37Pa7Znw.exe"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "D1UYJTAMR6OMCOT"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "MTOPYZNRFQ.exe"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "8xTXIwOrKoieT.exe"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "WLZBELJFJX.exe"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "wtrwll"
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\StartupApproved\Run: => "BQ3D75ZFRV98QRX"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{4919243E-817D-4196-97D5-7D39A26E71FD}] => (Allow) C:\Program Files (x86)\Lenovo\System Update\uncserver.exe
FirewallRules: [{B81FF4CC-A7DD-4071-8668-E887788C5A86}] => (Allow) C:\Program Files (x86)\Lenovo\System Update\uncserver.exe
FirewallRules: [{ED686FD2-F86B-481C-B821-31BD23C2FE3A}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{E620E89C-6895-4ABE-84F6-8525B75097ED}] => (Allow) C:\WINDOWS\System32\rundll32.exe
FirewallRules: [{05E2ECB6-3ABE-4A39-9EA9-AD6FDF79B31F}] => (Allow) C:\Windows\System32\rundll32.exe
FirewallRules: [{C36A3566-2492-4ECC-AC72-1BF06024288E}] => (Allow) C:\Windows\System32\rundll32.exe
FirewallRules: [{E8139F22-AF68-478C-BC33-1A947649B9CD}] => (Allow) C:\Windows\System32\rundll32.exe
FirewallRules: [{261568FE-9487-4CCF-8021-8325DF7B777C}] => (Allow) C:\Windows\System32\rundll32.exe
 
==================== Restore Points =========================
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/11/2018 01:23:47 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2018-03-12T18:21:46Z. Error Code: 0x8007045D.
 
Error: (03/11/2018 01:23:16 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2018-03-12T18:22:16Z. Error Code: 0x8007045D.
 
Error: (03/11/2018 01:15:03 PM) (Source: ESENT) (EventID: 454) (User: )
Description: MicrosoftEdge (2240,R,0) C:\Users\TayJay\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\: Database recovery/restore failed with unexpected error -551.
 
Error: (03/11/2018 01:15:03 PM) (Source: ESENT) (EventID: 517) (User: )
Description: MicrosoftEdge (2240,R,0) C:\Users\TayJay\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\: Database recovery failed with error -551 because it encountered references to a database, 'C:\Users\TayJay\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb', which does not match the current set of logs. The database engine will not permit recovery to complete for this instance until the mismatching database is re-instated. If the database is truly no longer available or no longer required, procedures for recovering from this error are available in the Microsoft Knowledge Base or by following the "more information" link at the bottom of this message.
 
Error: (03/05/2018 11:10:31 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: dahhService.exe, version: 0.0.0.0, time stamp: 0x5a46169c
Faulting module name: WS2_32.dll, version: 10.0.16299.15, time stamp: 0xefe92f55
Exception code: 0xc0000005
Fault offset: 0x0001b3e7
Faulting process id: 0xa70
Faulting application start time: 0x01d3b49c2c0b5a46
Faulting application path: C:\ProgramData\dahhService\dahhService.exe
Faulting module path: C:\WINDOWS\System32\WS2_32.dll
Report Id: e6f5ea51-5f75-4672-a1ab-d9f91884611a
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (03/05/2018 09:26:06 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 3.0.0.1284, time stamp: 0x5a15ab42
Faulting module name: Qt5Core.dll, version: 5.6.2.0, time stamp: 0x59a63e00
Exception code: 0xc0000005
Fault offset: 0x001aa3b6
Faulting process id: 0x1d38
Faulting application start time: 0x01d3b48dda34dd72
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll
Report Id: 0d187b75-fadf-49c7-988d-56479f83650c
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (03/05/2018 08:59:32 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 3.0.0.1284, time stamp: 0x5a15ab42
Faulting module name: Qt5Core.dll, version: 5.6.2.0, time stamp: 0x59a63e00
Exception code: 0xc0000005
Fault offset: 0x001aa3b6
Faulting process id: 0xa30
Faulting application start time: 0x01d3b48a2f202abb
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll
Report Id: c3abb38a-d330-4e73-997a-9ff3cbac6133
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (03/05/2018 08:59:23 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 3.0.0.1284, time stamp: 0x5a15ab42
Faulting module name: Qt5Core.dll, version: 5.6.2.0, time stamp: 0x59a63e00
Exception code: 0xc0000005
Fault offset: 0x001aa3b6
Faulting process id: 0x214
Faulting application start time: 0x01d3b48a29c55763
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll
Report Id: 17a715c5-61ee-492d-b6b3-f1a800669439
Faulting package full name: 
Faulting package-relative application ID:
 
 
System errors:
=============
Error: (03/11/2018 01:24:25 PM) (Source: Ntfs) (EventID: 55) (User: NT AUTHORITY)
Description: A corruption was discovered in the file system structure on volume C:.
 
A corruption was found in a file system index structure.  The file reference number is 0xb000000017717.  The name of the file is "\Windows\Logs\CBS".  The corrupted index attribute is ":$I30:$INDEX_ALLOCATION".
 
Error: (03/11/2018 01:24:17 PM) (Source: Ntfs) (EventID: 55) (User: NT AUTHORITY)
Description: A corruption was discovered in the file system structure on volume C:.
 
The exact nature of the corruption is unknown.  The file system structures need to be scanned online.
 
Error: (03/11/2018 01:23:46 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/11/2018 01:23:46 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/11/2018 01:23:46 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/11/2018 01:23:46 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/11/2018 01:23:46 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/11/2018 01:23:16 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
 
Windows Defender:
===================================
Date: 2018-01-05 08:07:12.813
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: SoftwareBundler:MSIL/Wizrem
ID: 225135
Severity: High
Category: Software Bundler
Path: file:_C:\Program Files\Windows Mail\GBUYYXQKXN\FNIFYJMRJT.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Signature Version: AV: 1.259.967.0, AS: 1.259.967.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14405.2, NIS: 2.1.14202.0
 
Date: 2018-01-05 07:56:15.131
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: TrojanSpy:Win32/Tougle.G!bit
ID: 2147723316
Severity: Severe
Category: Trojan Monitoring Software
Path: process:_pid:6708,ProcessStart:131596340319181238
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
Process Name: C:\ProgramData\dahhService\dahhService.exe
Signature Version: AV: 1.259.967.0, AS: 1.259.967.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14405.2, NIS: 2.1.14202.0
 
Date: 2018-01-05 07:53:57.823
Description: 
Windows Defender Antivirus has detected a suspicious behavior.
Name: Behavior:Win32/DroppedKnownMalware
ID: 512968576
Severity: Low
Category: Suspicious Behavior
Path Found: file:_C:\Users\TayJay\AppData\Local\Temp\is-M9DJT.tmp\jfk0021.exe;process:_4372
Detection Origin: Local machine
Detection Type: Suspicious
Detection Source: Real-Time Protection
Status: Executing
Process Name: C:\Users\TayJay\AppData\Local\Temp\is-M9DJT.tmp\jfk0021.exe
Signature ID: 41453017067075
Signature Version: AV: 1.259.967.0, AS: 1.259.967.0
Engine Version: 1.1.14405.2
Fidelity Label:  Low
Target File Name:  C:\Program Files\Windows Mail\GBUYYXQKXN\FNIFYJMRJT.exe
 
Date: 2018-01-05 07:53:49.465
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: SoftwareBundler:MSIL/Wizrem
ID: 225135
Severity: High
Category: Software Bundler
Path: file:_C:\Program Files\Windows Mail\GBUYYXQKXN\FNIFYJMRJT.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Users\TayJay\AppData\Local\Temp\is-M9DJT.tmp\jfk0021.exe
Signature Version: AV: 1.259.967.0, AS: 1.259.967.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14405.2, NIS: 2.1.14202.0
 
Date: 2018-01-05 07:52:58.802
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win32/Spiltderp.A
ID: 2147697176
Severity: Severe
Category: Trojan
Path: process:_pid:6504,ProcessStart:131596339629065409
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
Process Name: C:\Users\TayJay\AppData\Local\Temp\component.exe
Signature Version: AV: 1.259.967.0, AS: 1.259.967.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14405.2, NIS: 2.1.14202.0
 
Date: 2018-03-03 19:39:00.557
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.259.967.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.14405.2
Error code: 0x80072ee7
Error description: The server name or address could not be resolved 
 
Date: 2018-03-03 19:39:00.556
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 118.2.0.0
Update Source: Microsoft Malware Protection Center
Signature Type: Network Inspection System
Update Type: Full
Current Engine Version: 
Previous Engine Version: 2.1.14202.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved 
 
Date: 2018-03-03 19:39:00.527
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.259.967.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.14405.2
Error code: 0x80072ee7
Error description: The server name or address could not be resolved 
 
Date: 2018-03-03 19:39:00.527
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.259.967.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiSpyware
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.14405.2
Error code: 0x80072ee7
Error description: The server name or address could not be resolved 
 
Date: 2018-03-03 19:39:00.526
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.259.967.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.14405.2
Error code: 0x80072ee7
Error description: The server name or address could not be resolved 
 
==================== Memory info =========================== 
 
Processor: Intel® Pentium® CPU B960 @ 2.20GHz
Percentage of memory in use: 29%
Total physical RAM: 6058.14 MB
Available physical RAM: 4265.27 MB
Total Virtual: 7018.14 MB
Available Virtual: 5334.35 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:397.18 GB) (Free:372.25 GB) NTFS
Drive d: (LENOVO) (Fixed) (Total:45.32 GB) (Free:43.07 GB) NTFS
 
\\?\Volume{fb1ff7d9-0000-0000-0000-100000000000}\ () (Fixed) (Total:0.2 GB) (Free:0.16 GB) NTFS
 
==================== MBR & Partition Table ==================
 
==================== End of Addition.txt ============================
 


#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,842 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 11 March 2018 - 09:39 PM

Sorry, but you did not follow the order of events, and did not run FRST64 in the Recovery Environment. As I mentioned before, there is a protocol that must be followed to remove this rootkit. The Recovery Environment is not Safe Mode. It is an environment where Windows will detach, thereby allowing us to remove the rootkit. See the tutorial at Windows10 forums. Let me know if you are having problems reaching the Recovery Environment.

 

Please try again.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,842 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 11 March 2018 - 09:47 PM

Run these commands at an Administrator Command Prompt:

 

bcdedit.exe /set {default} recoveryenabled Yes

bcdedit.exe /set {bootmgr} displaybootmenu Yes

Exit

 

That could help you reach the Recovery Environment.




#6 SonDavid

SonDavid
  • Topic Starter

  • Members
  • 10 posts

Posted 11 March 2018 - 11:00 PM

Run these commands at an Administrator Command Prompt:

 

bcdedit.exe /set {default} recoveryenabled Yes

bcdedit.exe /set {bootmgr} displaybootmenu Yes

Exit

 

That could help you reach the Recovery Environment.

 

My fault...I thought you meant Safe Mode when you said Recovery Environment. For some reason, I cannot get to Recovery. I tried to go to the Advanced Startup option but I get this Getting Windows Ready loop....I will try those commands in Safe Mode to see if I can get to Recovery Mode.



#7 SonDavid

SonDavid
  • Topic Starter

  • Members
  • 10 posts

Posted 11 March 2018 - 11:35 PM

Those commands worked successfully, but when I restart the computer I get errors. I wonder if I can use my Dell laptop to make a recovery USB to boot my Lenovo laptop. Is that possible?


Edited by SonDavid, 11 March 2018 - 11:37 PM.


#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,842 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 12 March 2018 - 12:50 AM

Yes.



#9 SonDavid

SonDavid
  • Topic Starter

  • Members
  • 10 posts

Posted 12 March 2018 - 12:55 AM

I did it. I found a way to get to the Recovery Environment. Here are the logs from the Recovery Environment.

Attached Files



#10 SonDavid

SonDavid
  • Topic Starter

  • Members
  • 10 posts

Posted 12 March 2018 - 01:07 AM

Here are the files from the normal boot.

 

Attached Files



#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,842 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 12 March 2018 - 11:14 AM

Nice logs. From now on we will be working in Normal Mode.

 

Please remove the following program:
 
SearchAwesome

  • Highlight the entire content of the quote box below.

Start::  
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\Run: [wtrwll] => rundll32.exe "C:\Users\TayJay\AppData\Local\wtrwll.dll",wtrwll <==== ATTENTION
C:\Users\TayJay\AppData\Local\wtrwll.dll
C:\Users\TayJay\AppData\Local\Temp\*.tmp.exe
Task: {2EAD14D9-3478-413A-9B90-B9803130A431} - System32\Tasks\GoogleUpdateSecurityTaskMachine_CO => C:\Users\TayJay\AppData\Local\Temp\0d98bd75e750488fbd9a22e767429ac0\chipset.exe exec hide CAGKCRSAUW.cmd  <==== ATTENTION
Task: {82A12AF7-DB1A-4E85-9CEA-FCF92FF3AA67} - System32\Tasks\GoogleUpdateSecurityTaskMachine_GC => C:\Users\TayJay\AppData\Local\Temp\4b539396bae547629279082d9c4a4c66\chipset.exe exec hide UIKXWAUYQX.cmd  <==== ATTENTION
Task: {B42D35FE-39C6-40D5-9DBE-88417A210DCC} - System32\Tasks\GoogleUpdateSecurityTaskMachine_VL => C:\Users\TayJay\AppData\Local\Temp\ed8cff593c3f45019a490d24a153a618\chipset.exe exec hide XXSGUDEXSV.cmd  <==== ATTENTION
C:\Users\TayJay\AppData\Local\Temp\4b539396bae547629279082d9c4a4c66
C:\Users\TayJay\AppData\Local\Temp\ed8cff593c3f45019a490d24a153a618
C:\Users\TayJay\AppData\Local\Temp\0d98bd75e750488fbd9a22e767429ac0
Task: {FEC94F9D-7A2E-4D0C-B0DF-4ABF5EFCE19A} - System32\Tasks\456AFE18-7D8F-9434-8841-4A392D2C1E3E => C:\WINDOWS\SysWOW64\regsvr32.exe /n /s /i:"/2398819baa1a025b /q" "C:\Users\TayJay\AppData\Local\3854FDE4-7C4F-5200-6A10-BF1A8307045D\{26DFCCFA-58E5-331A-1E31-8B1EAA241A61}.."
GroupPolicy: Restriction <==== ATTENTION
Task: {1440C99E-B721-430F-A71E-85ABCCA7D8EC} - System32\Tasks\{0F0B0D47-0C7D-0E09-0B11-0B7D7F091179} => C:\WINDOWS\system32\WindowsPowershell\v1.0\powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand IAAgADsAIAAgADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAVwBhAHIAbgBpAG4AZwBQAHIAZQBmAGUAcgBlAG4AYwBlAD0AJABzAGMA (the data entry has 10024 more characters). <==== ATTENTION
Task: {1F8B6DD8-9C57-4A02-A121-8035C07DFFEA} - System32\Tasks\SystemHealer Task => C:\PROGRA~2\SYSTEM~1\RESCUE~1.EXE <==== ATTENTION
Task: {2EAD14D9-3478-413A-9B90-B9803130A431} - System32\Tasks\GoogleUpdateSecurityTaskMachine_CO => C:\Users\TayJay\AppData\Local\Temp\0d98bd75e750488fbd9a22e767429ac0\chipset.exe exec hide CAGKCRSAUW.cmd  <==== ATTENTION
Task: {4848E88E-DDD2-4F86-8489-F9DC1D5CEAF5} - System32\Tasks\LookUpPro => C:\Users\TayJay\AppData\Roaming\LookUpPro\python\pythonw.exe <==== ATTENTION
Task: {58AA77BC-0C87-476F-B048-288BD804FE53} - System32\Tasks\hFB5EiZmkJfc => hfb5eizmkjfc.exe <==== ATTENTION
Task: {5D9DE258-1133-41A8-B416-169DD1321A8E} - System32\Tasks\LookUpPro2 => C:\Users\TayJay\AppData\Roaming\LookUpPro\python\pythonw.exe <==== ATTENTION
Task: {7239C42C-5091-42E3-B1FC-94E17C0AD8E4} - System32\Tasks\System Healer Delayed => C:\Program Files (x86)\SystemHealer\SystemHealer.exe <==== ATTENTION
Task: {74183F91-4B3C-4E6B-B988-86512E523575} - \GoogleUpdateSecurityTaskMachine_PJ -> No File <==== ATTENTION
Task: {82A12AF7-DB1A-4E85-9CEA-FCF92FF3AA67} - System32\Tasks\GoogleUpdateSecurityTaskMachine_GC => C:\Users\TayJay\AppData\Local\Temp\4b539396bae547629279082d9c4a4c66\chipset.exe exec hide UIKXWAUYQX.cmd  <==== ATTENTION
Task: {97926A8A-54D9-493B-BDA6-6E6E8A0FD57B} - \LaCieS -> No File <==== ATTENTION
Task: {98828305-8442-4C04-A47F-12D543931640} - System32\Tasks\OneSystemCare Task => C:\PROGRA~2\ONESYS~1\SYSTEM~1.EXE <==== ATTENTION
Task: {98E2D891-0F02-4185-8325-6B21DB8E52F5} - \Halite LifeJun Software -> No File <==== ATTENTION
Task: {99E6FDFC-481F-4D76-A56C-82393D6F855A} - System32\Tasks\{38A553EE-23E7-E888-90D0-A25B60141F59} => C:\WINDOWS\system32\regsvr32.exe /s /n /i:"/rt" "C:\PROGRA~3\15c5941f\26dfccfa.dll" <==== ATTENTION
Task: {B42D35FE-39C6-40D5-9DBE-88417A210DCC} - System32\Tasks\GoogleUpdateSecurityTaskMachine_VL => C:\Users\TayJay\AppData\Local\Temp\ed8cff593c3f45019a490d24a153a618\chipset.exe exec hide XXSGUDEXSV.cmd  <==== ATTENTION
Task: {B9800259-720A-4B8D-8EEF-09B081BBC54E} - \GoogleUpdateSecurityTaskMachine_EX -> No File <==== ATTENTION
Task: {DBB62F93-150D-44DD-9C8F-C5B916990E5C} - System32\Tasks\System Healer Monitor => C:\Program Files (x86)\SystemHealer\HealerConsole.exe <==== ATTENTION
Task: {DD48514C-C7FD-4736-82F8-91DC867C2693} - \HDWallPaper -> No File <==== ATTENTION
Task: {E472B03A-13EB-451B-94ED-FC93062D7926} - \GoogleUpdateSecurityTaskMachine_QB -> No File <==== ATTENTION
Task: {F08E300C-013D-4C11-8555-1BD2D8703865} - \GoogleUpdateSecurityTaskMachine_AR -> No File <==== ATTENTION
Task: {F6265B22-C83B-45C3-A248-DB0F5A450E88} - \One System Care Monitor -> No File <==== ATTENTION
Task: {F6AB5609-9223-431E-A2C1-AED46304E576} - System32\Tasks\One System Care Delayed => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe <==== ATTENTION
Task: {FE70367D-BF69-45F7-9C0B-3B2FF3157E9F} - \GoogleUpdateSecurityTaskMachine_PV -> No File <==== ATTENTION
Task: {FF37CA89-40A2-4DA1-9EA4-CF40EF7BB0B8} - \GoogleUpdateSecurityTaskMachine_WN -> No File <==== ATTENTION
Task: {FF7A0672-F93C-4796-9B2F-0B3CC31D793F} - \GoogleUpdateSecurityTaskMachine_JZ -> No File <==== ATTENTION
Task: {74183F91-4B3C-4E6B-B988-86512E523575} - \GoogleUpdateSecurityTaskMachine_PJ -> No File <==== ATTENTION
Task: {97926A8A-54D9-493B-BDA6-6E6E8A0FD57B} - \LaCieS -> No File <==== ATTENTION
Task: {98E2D891-0F02-4185-8325-6B21DB8E52F5} - \Halite LifeJun Software -> No File <==== ATTENTION
Task: {B9800259-720A-4B8D-8EEF-09B081BBC54E} - \GoogleUpdateSecurityTaskMachine_EX -> No File <==== ATTENTION
Task: {DD48514C-C7FD-4736-82F8-91DC867C2693} - \HDWallPaper -> No File <==== ATTENTION
Task: {E472B03A-13EB-451B-94ED-FC93062D7926} - \GoogleUpdateSecurityTaskMachine_QB -> No File <==== ATTENTION
Task: {F08E300C-013D-4C11-8555-1BD2D8703865} - \GoogleUpdateSecurityTaskMachine_AR -> No File <==== ATTENTION
Task: {F6265B22-C83B-45C3-A248-DB0F5A450E88} - \One System Care Monitor -> No File <==== ATTENTION
Task: {FE70367D-BF69-45F7-9C0B-3B2FF3157E9F} - \GoogleUpdateSecurityTaskMachine_PV -> No File <==== ATTENTION
Task: {FF37CA89-40A2-4DA1-9EA4-CF40EF7BB0B8} - \GoogleUpdateSecurityTaskMachine_WN -> No File <==== ATTENTION
Task: {FF7A0672-F93C-4796-9B2F-0B3CC31D793F} - \GoogleUpdateSecurityTaskMachine_JZ -> No File <==== ATTENTION
Task: {1a09a58c-dde7-4d7e-aced-1f9fc42d6f92} - no filepath
CMD: fltmc instances
Folder: C:\Windows\System32\Drivers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:


  • Click the Scan button and wait for the scan to finish.
  • After the scan has finished, the window may or may not show what it found; above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.


  • On reboot a log will be produced; please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

 
Scan with Malwarebytes antimalware:

  • Once the program has fully updated, proceed with the Scan options and select "Threat Scan".
  • The Scan Pane is the introduction to scan-related options in the program. When you click Scan in the Menu Pane, you will see the screen shown below.


  • After a scan has been executed, scan results are displayed.
  • Put a checkmark on all detected items and click on "Quarantine Selected".
  • Selected reports may be viewed on screen, or exported to a text file for later viewing. Please note that only manual (on demand) scans are available for users of the free version of Malwarebytes.

You may export to your clipboard or to a text (TXT) file. Export to a .txt file and post its contents.


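As an added example for this thread (not code from FRST, from the helper, or from the original post), here is a small Python triage script that parses FRST `Task:` and `...\Run:` lines of the shape shown in the fix above and flags the persistence patterns the helper marked ATTENTION: orphan "No File" tasks, binaries launched from Temp, rundll32 loading a DLL from the user profile, hidden or encoded PowerShell, regsvr32 DllInstall of a DLL under ProgramData, and GoogleUpdate-lookalike task names not backed by Google's updater. The heuristics are my own assumptions; the sample lines are constructed from the log in this thread (base64 blob elided) plus an invented benign `GoogleUpdateTaskMachineUA` entry with a made-up GUID as a control.

```python
"""Triage FRST 'Task:' and '...\\Run:' lines for common persistence red flags.

Added example for this thread, not part of FRST or of the original post.
The heuristics below are assumptions of the author of this example; they
mirror the kinds of entries the helper marked ATTENTION.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# FRST Addition/fixlist line shapes handled here:
#   Task: {GUID} - System32\Tasks\Name => C:\path\prog.exe args
#   Task: {GUID} - \Name -> No File
#   HKU\S-1-5-...\...\Run: [Name] => C:\path\prog.exe args
TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-Fa-f-]{36})\} - (?P<name>.+?) "
    r"(?:=> (?P<cmd>.+)|-> No File)$"
)
RUN_RE = re.compile(
    r"^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<cmd>.+)$"
)


@dataclass
class Entry:
    kind: str            # "task" or "run"
    name: str            # task path or Run value name
    cmd: Optional[str]   # None for orphan tasks ("No File")
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a Task:/Run: line, None for anything else."""
    line = line.replace("<==== ATTENTION", "").strip()
    m = TASK_RE.match(line)
    if m:
        return Entry("task", m["name"], m["cmd"], line)
    m = RUN_RE.match(line)
    if m:
        return Entry("run", m["name"], m["cmd"], line)
    return None


def reasons_for(e: Entry) -> List[str]:
    """Defensive heuristics; each string names one red flag."""
    low = (e.cmd or "").lower()
    base = e.name.split("\\")[-1].lower()
    reasons = []
    if e.kind == "task" and e.cmd is None:
        reasons.append("orphan task (No File): leftover of a removed dropper")
    if "\\temp\\" in low:
        reasons.append("executes from a Temp directory")
    if "rundll32" in low and "\\appdata\\" in low:
        reasons.append("rundll32 loads a DLL from the user profile")
    if "powershell" in low and any(
        f in low for f in ("-encodedcommand", "-windowstyle hidden", "executionpolicy bypass")
    ):
        reasons.append("hidden or encoded PowerShell task")
    if "regsvr32" in low and "/i:" in low and (
        "\\programdata\\" in low or "\\progra~3\\" in low
    ):
        reasons.append("regsvr32 DllInstall of a DLL under ProgramData")
    if base.startswith("googleupdate") and "\\google\\update\\googleupdate.exe" not in low:
        reasons.append("GoogleUpdate-lookalike task name not backed by Google's updater")
    return reasons


def triage_log(text: str) -> List[Tuple[Entry, List[str]]]:
    """Parse every line and return the entries that trip at least one rule."""
    findings = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        r = reasons_for(e)
        if r:
            findings.append((e, r))
    return findings


# Constructed sample adapted from the log in this thread: the base64 blob is
# elided and the GoogleUpdateTaskMachineUA control entry (with its GUID) is
# invented as a benign comparison.
SAMPLE_LOG = r"""
HKU\S-1-5-21-426501694-2717639335-1212792558-1001\...\Run: [wtrwll] => rundll32.exe "C:\Users\TayJay\AppData\Local\wtrwll.dll",wtrwll <==== ATTENTION
Task: {2EAD14D9-3478-413A-9B90-B9803130A431} - System32\Tasks\GoogleUpdateSecurityTaskMachine_CO => C:\Users\TayJay\AppData\Local\Temp\0d98bd75e750488fbd9a22e767429ac0\chipset.exe exec hide CAGKCRSAUW.cmd <==== ATTENTION
Task: {1440C99E-B721-430F-A71E-85ABCCA7D8EC} - System32\Tasks\{0F0B0D47-0C7D-0E09-0B11-0B7D7F091179} => C:\WINDOWS\system32\WindowsPowershell\v1.0\powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand <base64 elided>
Task: {99E6FDFC-481F-4D76-A56C-82393D6F855A} - System32\Tasks\{38A553EE-23E7-E888-90D0-A25B60141F59} => C:\WINDOWS\system32\regsvr32.exe /s /n /i:"/rt" "C:\PROGRA~3\15c5941f\26dfccfa.dll"
Task: {74183F91-4B3C-4E6B-B988-86512E523575} - \GoogleUpdateSecurityTaskMachine_PJ -> No File <==== ATTENTION
Task: {00000000-0000-4000-8000-000000000001} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
FirewallRules: [{ED686FD2-F86B-481C-B821-31BD23C2FE3A}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
"""

if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(f"[{entry.kind}] {entry.name}")
        for r in reasons:
            print(f"    - {r}")
```

Run against a full Addition.txt, the script leaves the benign Google task and the FirewallRules line alone and lists only the five entries the helper would put in a fixlist, with the rule each one tripped.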


#12 SonDavid

SonDavid
  • Topic Starter

  • Members
  • 10 posts

Posted 12 March 2018 - 02:02 PM

Here you go. 

 

Attached Files



#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,842 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 12 March 2018 - 05:40 PM

Did you remove the items found by Malwarebytes antimalware?
 
RogueKiller

  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply



#14 SonDavid

SonDavid
  • Topic Starter

  • Members
  • 10 posts

Posted 12 March 2018 - 11:33 PM

 

Did you remove the items found by Malwarebytes antimalware?
 
RogueKiller

  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply

 

I did not delete the files in Malwarebytes. Do you want me to delete them?



#15 SonDavid

SonDavid
  • Topic Starter

  • Members
  • 10 posts

Posted 13 March 2018 - 12:15 AM

RogueKiller V12.12.8.0 (x64) [Mar 12 2018] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : TayJay [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 03/12/2018 23:41:31 (Duration : 00:24:09)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 0 ¤¤¤
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 1 ¤¤¤
[Tr.GameAssist][Folder] C:\Program Files (x86)\Company\GameAsist -> Deleted
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500LM012 HN-M500MBB +++++
--- User ---
[MBR] ef74de39dad1692f7ae72fc6c845508a
[BSP] 29ca63be05c5d1fcdb3c050ad03af1d7 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 200 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 411648 | Size: 406716 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN (0x5) [VISIBLE] Offset (sectors): 833366016 | Size: 46407 MB
3 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 928407552 | Size: 23616 MB
User = LL1 ... OK
User = LL2 ... OK




