virus after downloading file. WerFault.exe-Application Error


  • This topic is locked
57 replies to this topic

#1 zachj

  • Members
  • 112 posts

Posted 12 June 2018 - 11:03 AM

WerFault.exe-Application Error keeps popping up and says "The instruction at 0x00000000000 referenced memory at 0x0000000000. The memory could not be written."

It won't let me open files or programs, and the screen will turn black here and there. A screen pops up that takes up the entire desktop, and in the top left of the screen it says Racuabgmh.

I ran Malwarebytes in safe mode; it picked up tons of bad files. I quarantined them, but that doesn't seem to help. AdwCleaner didn't pick up anything afterward.

Please help. Thank you.


Edited by hamluis, 12 June 2018 - 12:12 PM.
Merged topics - Hamluis.




#2 hamluis

  • Moderator
  • 56,295 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 12 June 2018 - 11:08 AM

https://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

 

Louis



#3 zachj

  • Topic Starter
  • Members
  • 112 posts

Posted 12 June 2018 - 11:22 AM

Farbar Recovery Scan is below...

 

WerFault.exe-Application Error keeps popping up and says "The instruction at 0x00000000000 referenced memory at 0x0000000000. The memory could not be written."

It won't let me open files or programs, and the screen will turn black here and there. A screen pops up that takes up the entire desktop, and in the top left of the screen it says Racuabgmh.

I ran Malwarebytes in safe mode; it picked up tons of bad files. I quarantined them, but that doesn't seem to help. AdwCleaner didn't pick up anything afterward.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 06.06.2018 01
Ran by zj (administrator) on DESKTOP-FLF3NP0 (12-06-2018 12:16:15)
Running from C:\Users\zj\Desktop
Loaded Profiles: zj (Available Profiles: zj)
Platform: Microsoft Windows 10 Pro Version 1803 17134.1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Safe Mode (minimal)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SecurityHealth] => system
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [588704 2018-03-28] (Oracle Corporation)
HKLM\...\Run: [WindowsDefender] => system
HKLM\...\Run: [AvastUI.exe] => AvastUI.exe
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-19\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2018-04-11] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2018-04-11] (Microsoft Corporation)
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\Run: [gentleMouse] => C:\Program Files\Gentle Computing\GentleMouse\GentleMouse.exe [1888256 2006-10-17] (Gentle Computing, LLC)
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\Run: [BlueStacks Agent] => C:\Program Files\Bluestacks\HD-Agent.exe [161336 2017-08-30] (BlueStack Systems, Inc.)
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [27545056 2017-02-14] (Skype Technologies S.A.)
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\Run: [BingSvc] => C:\Users\zj\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-05] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [13619968 2018-04-12] (Piriform Ltd)
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\Run: [EaseUS0] => C:\Users\zj\AppData\Roaming\EaseUS0\EaseUS0.exe [515072 2018-06-12] (Blade API Monitor)
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\Run: [SecurityHealth] => system
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\Run: [WindowsDefender] => system
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\Run: [AvastUI.exe] => AvastUI.exe
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\Run: [1Bluestacks] => C:\Users\zj\AppData\Roaming\1Bluestacks\1Bluestacks.exe [0 2018-06-12] ()
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\Policies\system: [EnableLUA] 0
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\Policies\Explorer: [TaskbarNoNotification] 1
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FAH.lnk [2017-01-19]
ShortcutTarget: FAH.lnk -> C:\Program Files\WinZip\FAHConsole.exe (WinZip Computing, S.L.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Update Notifier.lnk [2017-01-19]
ShortcutTarget: Update Notifier.lnk -> C:\Program Files\WinZip\WZUpdateNotifier.exe (WinZip)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Preloader.lnk [2017-01-19]
ShortcutTarget: WinZip Preloader.lnk -> C:\Program Files\WinZip\WzPreloader.exe (WinZip Computing, S.L.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{f43240b8-1657-47b8-a884-59985e5884b2}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
SearchScopes: HKU\S-1-5-21-1113276245-3942252821-4013509334-1001 -> {255AF694-2592-412B-9AF7-BDC56F5292C6} URL = hxxps://search.yahoo.com/search?p={searchTerms}&intl=us&fr=yset_ie_syc_oracle&type=orcl_default&partnerexternal-oracle=external-oracle
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\Office16\OCHelper.dll [2018-04-29] (Microsoft Corporation)
BHO: iMacros Browser Helper Object -> {34D5A80A-992D-4F07-9509-66E9E133BAAF} -> C:\Program Files\Ipswitch\iMacros\iMacrosBHO.dll [2017-02-01] ()
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_171\bin\ssv.dll [2018-04-28] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_171\bin\jp2ssv.dll [2018-04-28] (Oracle Corporation)
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-06-01] (Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-06-01] (Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-06-01] (Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-06-01] (Microsoft Corporation)
 
FireFox:
========
FF DefaultProfile: 61cmq8pb.default
FF ProfilePath: C:\Users\zj\AppData\Roaming\Mozilla\Firefox\Profiles\61cmq8pb.default [2018-06-12]
FF Homepage: Mozilla\Firefox\Profiles\61cmq8pb.default -> file:///C:/ProgramData/Quoteexs/ff.HP
FF NewTab: Mozilla\Firefox\Profiles\61cmq8pb.default -> file:///C:/ProgramData/Quoteexs/ff.NT
FF Plugin: @java.com/DTPlugin,version=11.171.2 -> C:\Program Files\Java\jre1.8.0_171\bin\dtplugin\npDeployJava1.dll [2018-04-28] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.171.2 -> C:\Program Files\Java\jre1.8.0_171\bin\plugin2\npjp2.dll [2018-04-28] (Oracle Corporation)
FF Plugin: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2018-04-03] (Microsoft Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2018-03-02] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-18] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-18] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=3.0.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2018-02-27] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2018-05-10] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1113276245-3942252821-4013509334-1001: tdameritrade.com/thinkorswim -> C:\Users\zj\AppData\Local\thinkorswim\npthinkorswim.dll [2018-01-19] (TD Ameritrade)
FF Plugin HKU\S-1-5-21-1113276245-3942252821-4013509334-1001: tdameritrade.com/tossc -> C:\Users\zj\AppData\Local\thinkorswim\nptossc.dll [2018-01-19] (TD Ameritrade)
 
Chrome: 
=======
CHR HomePage: Default -> msn.com/?pc=__PARAM__&ocid=__PARAM__DHP&osmkt=en-us
CHR StartupUrls: Default -> "hxxps://www.google.com/"
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default
CHR DefaultSearchKeyword: Default -> Yahoo
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Profile: C:\Users\zj\AppData\Local\Google\Chrome\User Data\Default [2018-06-12]
CHR Extension: (Slides) - C:\Users\zj\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-13]
CHR Extension: (Docs) - C:\Users\zj\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-16]
CHR Extension: (Google Drive) - C:\Users\zj\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-01-18]
CHR Extension: (YouTube) - C:\Users\zj\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-01-18]
CHR Extension: (Sheets) - C:\Users\zj\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-13]
CHR Extension: (Google Docs Offline) - C:\Users\zj\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-01-18]
CHR Extension: (Search DW) - C:\Users\zj\AppData\Local\Google\Chrome\User Data\Default\Extensions\loopfhhjebfdiedohdimifdjcdolcljm [2017-03-04]
CHR Extension: (Video Deck for YouTube™) - C:\Users\zj\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpoakikepagdiphlmfaeifpojdmbnegj [2017-04-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\zj\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-04-07]
CHR Extension: (Gmail) - C:\Users\zj\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-01-18]
CHR Extension: (Chrome Media Router) - C:\Users\zj\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-04-23]
CHR HKLM\...\Chrome\Extension: [dofoafnmdocgkdphpkdooahjkhpmakjd] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AxAutoMntSrv; C:\Program Files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe [39376 2015-03-12] (Alcohol Soft Development Team)
S2 AxVirtualAHCISrv; C:\Program Files\Alcohol Soft\Alcohol 120\AxAHCIServiceEx.exe [99712 2015-12-04] (Alcohol Soft Development Team)
S3 BstHdAndroidSvc; C:\Program Files\Bluestacks\HD-Service.exe [387128 2017-08-30] (BlueStack Systems, Inc.)
S2 BstHdLogRotatorSvc; C:\Program Files\Bluestacks\HD-LogRotatorService.exe [369720 2017-08-30] (BlueStack Systems, Inc.)
S2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [5793960 2018-05-24] (Microsoft Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4753104 2018-05-09] (Malwarebytes)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [3151784 2018-04-11] (Microsoft Corporation)
S3 ssh-agent; C:\WINDOWS\System32\OpenSSH\ssh-agent.exe [353792 2018-03-19] ()
S2 StarWindServiceAE; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [370688 2009-12-23] (StarWind Software) [File not signed]
S2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [10888944 2017-04-25] (TeamViewer GmbH)
S4 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.16.17656.18052-0\NisSrv.exe [3805632 2018-05-30] (Microsoft Corporation)
S4 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.16.17656.18052-0\MsMpEng.exe [81280 2018-05-30] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 BazisVirtualCDBus; C:\WINDOWS\System32\drivers\BazisVirtualCDBus.sys [121688 2015-09-28] (Sysprogs OU)
S3 BstkDrv; C:\Program Files\Bluestacks\BstkDrv.sys [220216 2017-06-21] (Bluestack System Inc. )
R3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [220896 2018-06-12] (Malwarebytes)
R0 sptd2; C:\WINDOWS\System32\Drivers\sptd2.sys [163896 2018-05-14] (Duplex Secure Ltd)
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [38912 2018-05-30] (Microsoft Corporation)
S0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [258600 2018-05-30] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [45608 2018-05-30] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-06-12 12:16 - 2018-06-12 12:16 - 000013389 _____ C:\Users\zj\Desktop\FRST.txt
2018-06-12 12:15 - 2018-06-12 12:16 - 000000000 ____D C:\FRST
2018-06-12 12:15 - 2018-06-12 12:14 - 001773568 _____ (Farbar) C:\Users\zj\Desktop\FRST.exe
2018-06-12 12:15 - 2018-06-12 11:47 - 000388608 _____ (Trend Micro Inc.) C:\Users\zj\Desktop\HijackThis.exe
2018-06-12 11:39 - 2018-06-12 12:15 - 000004036 _____ C:\WINDOWS\ntbtlog.txt
2018-06-12 11:21 - 2018-06-12 11:21 - 000000000 ____D C:\Users\zj\AppData\Roaming\1Bluestacks
2018-06-12 11:03 - 2018-06-12 11:17 - 000000000 ____D C:\Users\zj\AppData\LocalLow\iPadian
2018-06-12 10:56 - 2018-06-12 11:37 - 000220896 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2018-06-12 10:56 - 2018-06-12 10:56 - 000002097 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-06-12 10:56 - 2018-06-12 10:56 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-06-12 10:20 - 2018-05-24 06:55 - 000128736 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbae.sys
2018-06-12 10:08 - 2018-06-12 10:08 - 000000536 _____ C:\Users\zj\Desktop\mb-clean-results.txt
2018-06-12 09:59 - 2018-06-12 11:34 - 000000001 _____ C:\wde3cnhb8wyq1nd
2018-06-12 09:59 - 2018-06-12 11:21 - 000000000 ____D C:\Users\zj\AppData\Roaming\1MozillaFirefox
2018-06-12 09:59 - 2018-06-12 09:59 - 001895383 _____ C:\Users\zj\AppData\Local\Triojob.bin
2018-06-12 09:59 - 2018-06-12 09:59 - 000140800 _____ C:\Users\zj\AppData\Local\installer.dat
2018-06-12 09:59 - 2018-06-12 09:59 - 000000000 ____D C:\Users\zj\AppData\Roaming\EaseUS0
2018-06-12 09:59 - 2018-06-12 09:59 - 000000000 ____D C:\Program Files\NetLoader
2018-06-12 09:58 - 2018-06-12 11:22 - 000000000 ___HD C:\Program Files\harley
2018-06-12 09:58 - 2018-06-12 11:22 - 000000000 ___HD C:\Program Files\Essayist
2018-06-12 09:58 - 2018-06-12 11:22 - 000000000 ____D C:\Program Files\saviour
2018-06-12 09:58 - 2018-06-12 11:22 - 000000000 ____D C:\Program Files\Lambchop
2018-06-12 09:58 - 2018-06-12 11:00 - 000000000 ____D C:\Program Files\dorling
2018-06-12 09:58 - 2018-06-12 09:58 - 000000012 _____ C:\WINDOWS\b47089282
2018-06-12 09:58 - 2018-06-12 09:58 - 000000000 ____D C:\Program Files\Crusading
2018-06-12 09:55 - 2018-06-12 09:55 - 000740072 _____ C:\Users\zj\Downloads\Unconfirmed 253112.crdownload
2018-06-12 09:36 - 2018-06-12 09:36 - 001938109 _____ (Kitocifac ) C:\Users\zj\Downloads\JavaSetup_3299140567.exe
2018-06-10 00:01 - 2018-06-10 00:02 - 000189805 _____ C:\Users\zj\Desktop\64280.jpeg
2018-06-01 08:49 - 2018-06-01 08:49 - 000000000 ____D C:\Program Files\Common Files\DESIGNER
2018-05-15 22:44 - 2018-05-15 22:44 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinCDEmu
2018-05-15 22:43 - 2018-05-15 23:39 - 000000000 ____D C:\Program Files\WinCDEmu
2018-05-15 22:00 - 2018-05-15 22:00 - 000000000 ____D C:\ProgramData\SystemAcCrux
2018-05-15 22:00 - 2018-05-15 22:00 - 000000000 ____D C:\My Backups
2018-05-15 22:00 - 2018-01-03 19:39 - 000066112 _____ (CHENGDU YIWO Tech Development Co., Ltd) C:\WINDOWS\system32\Drivers\eubakup.sys
2018-05-15 22:00 - 2018-01-03 18:35 - 000203840 _____ (CHENGDU YIWO Tech Development Co., Ltd) C:\WINDOWS\system32\Drivers\EuFdDisk.sys
2018-05-15 22:00 - 2018-01-03 18:35 - 000055872 _____ C:\WINDOWS\system32\Drivers\EUBKMON.sys
2018-05-15 22:00 - 2018-01-03 18:35 - 000030272 _____ (CHENGDU YIWO Tech Development Co., Ltd) C:\WINDOWS\system32\Drivers\eudskacs.sys
2018-05-15 21:59 - 2018-05-15 21:59 - 000000000 ____D C:\Program Files\AVAST Software
2018-05-15 21:58 - 2018-05-15 22:03 - 000000000 ____D C:\Program Files\EaseUS
2018-05-15 21:57 - 2018-05-15 23:39 - 000000000 ____D C:\ProgramData\McAfee
2018-05-15 21:57 - 2018-05-15 21:57 - 000000000 ____D C:\ProgramData\AVAST Software
2018-05-15 21:43 - 2018-05-15 21:43 - 000000000 ____D C:\_CDRestored
2018-05-15 01:02 - 2018-05-15 01:12 - 000000000 ____D C:\Users\zj\Documents\Alcohol 120%
2018-05-14 23:08 - 2018-05-14 23:08 - 000000000 ____D C:\Users\zj\AppData\Roaming\WinRAR
2018-05-14 23:06 - 2018-05-14 23:06 - 000000000 ____D C:\Users\zj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2018-05-14 23:06 - 2018-05-14 23:06 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2018-05-14 23:05 - 2018-05-14 23:06 - 000000000 ____D C:\Program Files\WinRAR
2018-05-14 23:05 - 2018-05-14 23:05 - 000000000 ____D C:\Program Files\AddSoft
2018-05-14 23:04 - 2018-05-15 01:13 - 000000124 _____ C:\Users\zj\Documents\ax_files.xml
2018-05-14 22:49 - 2018-05-15 23:39 - 000000000 ____D C:\Program Files\Smart File Advisor
2018-05-14 22:49 - 2018-05-15 00:26 - 000000000 ____D C:\ProgramData\Alcohol Soft
2018-05-14 22:49 - 2018-05-14 22:49 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Smart File Advisor
2018-05-14 22:49 - 2018-05-14 22:49 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Alcohol 120%
2018-05-14 22:49 - 2018-05-14 22:49 - 000000000 ____D C:\Program Files\Alcohol Soft
2018-05-14 22:45 - 2018-05-14 22:45 - 000163896 _____ (Duplex Secure Ltd) C:\WINDOWS\system32\Drivers\sptd2.sys
2018-05-14 20:57 - 2013-02-28 11:21 - 065986812 _____ C:\Users\zj\Desktop\initrd.img
2018-05-14 13:05 - 2018-05-16 21:54 - 000000000 ____D C:\Users\zj\AppData\Local\D3DSCache
2018-05-13 01:28 - 2018-05-13 01:33 - 000000000 ____D C:\WINDOWS\system32\config\bbimigrate
2018-05-13 01:27 - 2018-05-13 01:28 - 000000000 ____D C:\WINDOWS\ServiceProfiles
2018-05-13 01:27 - 2018-05-13 01:27 - 000008192 _____ C:\WINDOWS\system32\config\userdiff
2018-05-13 01:22 - 2018-05-13 01:22 - 000778936 _____ (Microsoft Corporation) C:\WINDOWS\system32\PresentationNative_v0300.dll
2018-05-13 01:22 - 2018-05-13 01:22 - 000103120 _____ (Microsoft Corporation) C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2018-05-13 01:22 - 2018-05-13 01:22 - 000035456 _____ (Microsoft Corporation) C:\WINDOWS\system32\TsWpfWrp.exe
2018-05-13 01:22 - 2018-05-13 01:22 - 000000000 ____D C:\Program Files\Reference Assemblies
2018-05-13 01:22 - 2018-05-13 01:22 - 000000000 ____D C:\Program Files\MSBuild
2018-05-13 01:21 - 2018-05-13 01:21 - 003398144 _____ (Microsoft Corporation) C:\WINDOWS\system32\xpsrchvw.exe
2018-05-13 01:21 - 2018-05-13 01:21 - 000575488 _____ (Microsoft Corporation) C:\WINDOWS\system32\XpsFilt.dll
2018-05-13 01:21 - 2018-05-13 01:21 - 000082432 _____ (Microsoft Corporation) C:\WINDOWS\system32\XPSSHHDR.dll
2018-05-13 01:21 - 2018-05-13 01:21 - 000076060 _____ C:\WINDOWS\system32\xpsrchvw.xml
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-06-12 11:41 - 2018-05-12 21:45 - 000838560 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2018-06-12 11:41 - 2018-04-11 16:31 - 000000000 ____D C:\WINDOWS\INF
2018-06-12 11:38 - 2018-05-10 21:36 - 000000000 ___DC C:\WINDOWS\Panther
2018-06-12 11:38 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2018-06-12 11:36 - 2018-05-12 21:49 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2018-06-12 11:36 - 2018-04-11 08:45 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2018-06-12 11:35 - 2017-03-09 01:11 - 000000000 ____D C:\Users\zj\AppData\LocalLow\Adobe
2018-06-12 11:32 - 2018-01-22 20:20 - 000000000 ____D C:\AdwCleaner
2018-06-12 11:23 - 2017-12-14 14:05 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-06-12 11:14 - 2018-05-12 21:34 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2018-06-12 11:01 - 2017-01-18 00:45 - 000002253 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-06-12 11:01 - 2017-01-18 00:45 - 000002206 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-06-12 11:01 - 2016-09-27 22:12 - 000001287 _____ C:\Users\zj\Desktop\Internet Explorer.lnk
2018-06-12 10:55 - 2017-02-27 19:35 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-06-12 10:20 - 2018-04-11 16:36 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2018-06-12 10:02 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\AppReadiness
2018-06-12 09:31 - 2017-01-19 15:08 - 000000000 ____D C:\Users\zj\AppData\Local\MSfree Inc
2018-06-11 20:25 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\system32\FxsTmp
2018-06-11 17:43 - 2017-01-18 01:13 - 000000209 _____ C:\Users\zj\Desktop\Lock-Orders.csv
2018-06-11 14:24 - 2018-04-24 16:56 - 000000000 ____D C:\Users\zj\Desktop\apics
2018-06-11 08:45 - 2018-04-11 16:36 - 000000000 ___HD C:\Program Files\WindowsApps
2018-06-07 15:01 - 2018-04-11 16:25 - 000000000 ____D C:\WINDOWS\CbsTemp
2018-06-05 19:29 - 2018-04-11 16:39 - 000835056 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2018-06-05 19:29 - 2018-04-11 16:39 - 000179704 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2018-06-04 15:22 - 2017-09-13 09:10 - 000000000 ____D C:\Users\zj\Desktop\pics
2018-06-01 08:49 - 2018-04-11 16:36 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2018-06-01 08:47 - 2017-01-19 13:37 - 000000000 ____D C:\Program Files\Microsoft Office
2018-05-31 18:01 - 2018-04-06 17:53 - 000009413 _____ C:\Users\zj\Desktop\String-pay.xlsx
2018-05-30 14:48 - 2018-02-14 19:37 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2018-05-29 16:03 - 2018-05-12 21:36 - 000000000 ____D C:\Users\zj
2018-05-21 00:10 - 2018-04-24 17:17 - 000000000 ____D C:\Users\zj\Desktop\New4
2018-05-20 12:10 - 2017-12-14 14:05 - 000000000 ____D C:\Users\zj\AppData\LocalLow\Mozilla
2018-05-19 23:42 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\system32\WinBioPlugIns
2018-05-16 16:59 - 2016-09-21 13:18 - 000000000 ____D C:\Users\zj\AppData\Local\ConnectedDevicesPlatform
2018-05-15 00:43 - 2016-07-05 02:04 - 000000000 ___HD C:\Users\zj\AppData\Local\VirtualStore
2018-05-15 00:20 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\System
2018-05-14 10:23 - 2018-05-12 21:34 - 000393320 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\zu-ZA
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\yo-NG
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\xh-ZA
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\wo-SN
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\vi-VN
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\uz-Latn-UZ
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\ur-PK
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\ug-CN
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\tt-RU
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\tn-ZA
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\tk-TM
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\ti-ET
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\tg-Cyrl-TJ
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\te-IN
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\sw-KE
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\sr-Cyrl-RS
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\sr-Cyrl-BA
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\sq-AL
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\sd-Arab-PK
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\rw-RW
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\quz-PE
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\quc-Latn-GT
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\prs-AF
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\pa-IN
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\pa-Arab-PK
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\or-IN
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\nso-ZA
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\nn-NO
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\ne-NP
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\mt-MT
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\mr-IN
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\mn-MN
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\ml-IN
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\mk-MK
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\mi-NZ
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\lo-LA
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\lb-LU
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\ky-KG
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\ku-Arab-IQ
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\kok-IN
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\kn-IN
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\km-KH
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\kk-KZ
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\ka-GE
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\is-IS
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\ig-NG
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\id-ID
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\hy-AM
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\ha-Latn-NG
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\gu-IN
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\gd-GB
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\ga-IE
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\fil-PH
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\fa-IR
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\cy-GB
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\chr-CHER-US
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\ca-ES-valencia
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\bs-Latn-BA
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\bn-IN
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\bn-BD
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\be-BY
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\az-Latn-AZ
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\as-IN
2018-05-14 10:22 - 2018-04-11 18:25 - 000000000 ____D C:\WINDOWS\system32\af-ZA
2018-05-14 10:22 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\TextInput
2018-05-14 10:22 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\system32\ta-in
2018-05-14 10:22 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\system32\si-lk
2018-05-14 10:22 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\system32\setup
2018-05-14 10:22 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\system32\oobe
2018-05-14 10:22 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\system32\appraiser
2018-05-14 10:22 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\system32\am-et
2018-05-14 10:22 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\Provisioning
2018-05-14 10:22 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\bcastdvr
2018-05-14 10:22 - 2018-04-11 16:36 - 000000000 ____D C:\Program Files\Windows Photo Viewer
2018-05-14 09:03 - 2017-03-09 01:11 - 000002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2018-05-13 04:41 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\appcompat
2018-05-13 01:33 - 2018-04-11 16:39 - 000000000 ____D C:\WINDOWS\Setup
2018-05-13 01:33 - 2018-04-11 16:37 - 000028672 _____ C:\WINDOWS\system32\config\BCD-Template
2018-05-13 01:33 - 2018-04-11 16:36 - 000000000 __RHD C:\Users\Public\Libraries
2018-05-13 01:33 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\system32\WinBioDatabase
2018-05-13 01:33 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\system32\spool
2018-05-13 01:33 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\system32\NDF
2018-05-13 01:33 - 2018-03-04 14:21 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2018-05-13 01:33 - 2018-01-25 14:07 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2018-05-13 01:33 - 2017-09-29 07:55 - 000000000 ____D C:\WINDOWS\system32\Tasks_Migrated
2018-05-13 01:33 - 2017-07-07 06:32 - 000000000 ____D C:\Program Files\UNP
2018-05-13 01:33 - 2017-06-01 23:38 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2018-05-13 01:33 - 2017-04-26 23:34 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2018-05-13 01:33 - 2017-03-28 21:51 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NinjaTrader 8
2018-05-13 01:33 - 2017-03-01 18:19 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2018-05-13 01:33 - 2017-02-28 14:27 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2018-05-13 01:33 - 2017-02-26 19:07 - 000000000 ____D C:\WINDOWS\system32\appmgmt
2018-05-13 01:33 - 2017-01-19 13:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools
2018-05-13 01:33 - 2017-01-19 01:51 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip 21.0
2018-05-13 01:33 - 2017-01-03 02:04 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iMacros
2018-05-13 01:33 - 2016-09-27 22:17 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NinjaTrader 7
2018-05-13 01:33 - 2016-07-05 00:22 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GentleMouse
2018-05-13 01:21 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\system32\lv-LV
2018-05-13 01:21 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\system32\lt-LT
2018-05-13 01:21 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\system32\et-EE
2018-05-13 01:21 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\system32\es-MX
2018-05-13 01:21 - 2018-04-11 16:36 - 000000000 ____D C:\WINDOWS\system32\en-GB
 
==================== Files in the root of some directories =======
 
2018-06-12 09:59 - 2018-06-12 09:59 - 000140800 _____ () C:\Users\zj\AppData\Local\installer.dat
2018-06-12 09:59 - 2018-06-12 09:59 - 001895383 _____ () C:\Users\zj\AppData\Local\Triojob.bin
2017-03-21 22:02 - 2017-03-21 22:02 - 000000552 _____ () C:\Users\zj\AppData\Local\TroubleshooterConfig.json
 
Some files in TEMP:
====================
2018-06-12 09:59 - 2018-06-12 09:59 - 000246272 _____ () C:\Users\zj\AppData\Local\Temp\3CAE.tmp.exe
2018-06-12 09:59 - 2018-06-12 09:59 - 000235795 _____ () C:\Users\zj\AppData\Local\Temp\5048.tmp.exe
2018-06-12 09:59 - 2018-06-12 09:59 - 000484352 _____ () C:\Users\zj\AppData\Local\Temp\lame_enc.dll
2018-06-12 10:08 - 2018-06-08 22:28 - 076534856 _____ (Malwarebytes                                                ) C:\Users\zj\AppData\Local\Temp\mb3-setup-consumer-3.5.1.2522-1.0.365-1.0.5292.exe
2018-06-12 09:59 - 2018-06-12 09:59 - 010522026 _____ () C:\Users\zj\AppData\Local\Temp\UIdlcv7hPMEmbd4Fzx0L2dCuez6S6j2Nq.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2018-05-12 21:33
 
==================== End of FRST.txt ============================
 
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 06.06.2018 01
Ran by zj (12-06-2018 12:16:59)
Running from C:\Users\zj\Desktop
Microsoft Windows 10 Pro Version 1803 17134.1 (X86) (2018-05-13 01:50:25)
Boot Mode: Safe Mode (minimal)
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1113276245-3942252821-4013509334-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1113276245-3942252821-4013509334-503 - Limited - Disabled)
Guest (S-1-5-21-1113276245-3942252821-4013509334-501 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-1113276245-3942252821-4013509334-504 - Limited - Disabled)
zj (S-1-5-21-1113276245-3942252821-4013509334-1001 - Administrator - Enabled) => C:\Users\zj
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 17.00 beta (HKLM\...\7-Zip) (Version: 17.00 beta - Igor Pavlov)
Adobe Acrobat Reader DC (HKLM\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.011.20040 - Adobe Systems Incorporated)
Apple Application Support (32-bit) (HKLM\...\{D2FE6376-E549-4F63-A2C5-CA24DA035DE4}) (Version: 5.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2A2C8640-5402-428A-909A-0236CB2B77C7}) (Version: 10.3.2.3 - Apple Inc.)
Apple Software Update (HKLM\...\{52D87F32-70E4-4348-8148-C0B9F35B1314}) (Version: 2.3.0.177 - Apple Inc.)
BlueStacks 3 (HKLM\...\BlueStacks) (Version: 3.7.41.1619 - BlueStack Systems, Inc.)
Bonjour (HKLM\...\{D168AAD0-6686-47C1-B599-CDD4888B9D1A}) (Version: 3.1.0.1 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.42 - Piriform)
GentleMouse (HKLM\...\{F375AC85-D050-425A-A166-004EF4396B49}) (Version: 2.0 - Gentle Computing)
Google Chrome (HKLM\...\Google Chrome) (Version: 66.0.3359.181 - Google Inc.)
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.17 - Google Inc.) Hidden
iMacros Version 11.5.499.3066 (x86) (HKLM\...\{9C5118F7-E26D-4fc0-B7F4-4A067A0808FA}_is1) (Version: 11.5.499.3066 - Ipswitch, Inc)
Java 8 Update 171 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F32180171F0}) (Version: 8.0.1710.11 - Oracle Corporation)
Malwarebytes version 3.5.1.2522 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.5.1.2522 - Malwarebytes)
Microsoft Office Professional Plus 2016 - en-us (HKLM\...\ProPlusRetail - en-us) (Version: 16.0.9330.2087 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\OneDriveSetup.exe) (Version: 18.065.0329.0002 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Mozilla Firefox 59.0.3 (x86 en-US) (HKLM\...\Mozilla Firefox 59.0.3 (x86 en-US)) (Version: 59.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 59.0.3.6691 - Mozilla)
NetLoader 1.62 (HKLM\...\NetLoader 1.62) (Version: 1.62 - NetLoader)
NinjaTrader 7 (HKLM\...\{79D6E936-FD0C-4213-9A2B-3955CE618101}) (Version: 7.0.1031 - NinjaTrader)
NinjaTrader 8 (HKLM\...\{6F34E272-15C7-4D46-85AC-53FE5DCE653A}) (Version: 8.0.5.2 - NinjaTrader, LLC)
Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.9330.2087 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-0000-0000000FF1CE}) (Version: 16.0.9330.2087 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.9330.2087 - Microsoft Corporation) Hidden
Python 3.5.2 (32-bit) (HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\{cf72a2ab-2f1d-49fd-a0d7-1065e6357e1e}) (Version: 3.5.2150.0 - Python Software Foundation)
Python 3.5.2 Core Interpreter (32-bit) (HKLM\...\{EB0611B2-7F10-4D97-BCF2-DCAAB1199498}) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Development Libraries (32-bit) (HKLM\...\{5DB2183B-62D3-407F-BBC1-EAD2F36283FA}) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Documentation (32-bit) (HKLM\...\{1FBA5182-78DD-4940-9F06-96E5042B7061}) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Executables (32-bit) (HKLM\...\{33B10015-A9B1-4210-B50A-26C6443979B0}) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 pip Bootstrap (32-bit) (HKLM\...\{9ADF9987-3327-48C6-91B3-B10900366491}) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Standard Library (32-bit) (HKLM\...\{FCBB04F4-D2CF-4F55-BE92-B3898696B318}) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Tcl/Tk Support (32-bit) (HKLM\...\{C1153533-FDC4-4922-892D-B71810F69566}) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Test Suite (32-bit) (HKLM\...\{9D50A6D7-410A-4469-87B7-35FA84CBD479}) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python 3.5.2 Utility Scripts (32-bit) (HKLM\...\{E6DEBF43-7ACF-4E88-9BBF-9B5945683281}) (Version: 3.5.2150.0 - Python Software Foundation) Hidden
Python Launcher (HKLM\...\{963ECCDD-F09F-4C24-9367-8B5D748AA7C8}) (Version: 3.5.2121.0 - Python Software Foundation)
Skype™ 7.33 (HKLM\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.33.104 - Skype Technologies S.A.)
TeamViewer 12 (HKLM\...\TeamViewer) (Version: 12.0.77242 - TeamViewer)
thinkorswim (HKLM\...\9968-4488-2169-7623) (Version: desktop - thinkorswim, Inc)
VLC media player (HKLM\...\VLC media player) (Version: 3.0.1 - VideoLAN)
Windows 10 Update and Privacy Settings (HKLM\...\{542CC2C2-ABAF-4604-8723-DA296AF74540}) (Version: 1.0.14.0 - Microsoft Corporation)
WinRAR 5.50 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.50.0 - win.rar GmbH)
WinZip 21.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C2410C}) (Version: 21.0.12288 - WinZip Computing, S.L. )
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-1113276245-3942252821-4013509334-1001_Classes\CLSID\{79b4acff-94d2-58c5-baf6-23df99c7fcba}\InprocServer32 -> C:\Users\zj\AppData\Local\thinkorswim\npthinkorswim.dll (TD Ameritrade)
CustomCLSID: HKU\S-1-5-21-1113276245-3942252821-4013509334-1001_Classes\CLSID\{dcc9a6f3-492c-5f51-a65d-3dd92b26c165}\InprocServer32 -> C:\Users\zj\AppData\Local\thinkorswim\nptossc.dll (TD Ameritrade)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2017-04-29] (Igor Pavlov)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers1: [WinZip] -> {E0D79304-84BE-11CE-9641-444553540000} => C:\Program Files\WinZip\wzshlstb.dll [2016-12-13] (WinZip Computing, S.L.)
ContextMenuHandlers2: [AlcoholShellEx] -> {32020A01-506E-484D-A2A8-BE3CF17601C3} => C:\Program Files\Alcohol Soft\Alcohol 120\AxShlex.dll [2014-09-06] (Alcohol Soft Development Team)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-05-09] (Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2017-04-29] (Igor Pavlov)
ContextMenuHandlers4: [WinZip] -> {E0D79304-84BE-11CE-9641-444553540000} => C:\Program Files\WinZip\wzshlstb.dll [2016-12-13] (WinZip Computing, S.L.)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2017-04-29] (Igor Pavlov)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-05-09] (Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers6: [WinZip] -> {E0D79304-84BE-11CE-9641-444553540000} => C:\Program Files\WinZip\wzshlstb.dll [2016-12-13] (WinZip Computing, S.L.)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {08E6F822-50F6-4671-BD0B-0F78EFC44C82} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files\Microsoft Office\root\Office16\msoia.exe [2018-06-01] (Microsoft Corporation)
Task: {0977C104-A393-4E45-ACC1-C75B47ECB5BB} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-06-01] (Microsoft Corporation)
Task: {1C27697F-AE3B-49F5-ACF8-6D6D3DFABC5E} - System32\Tasks\mournmourn => C:\Program Files\Crusading\iou.exe [2018-06-12] ()
Task: {1E06D697-56B3-49BB-8B62-18C66136A43C} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.16.17656.18052-0\MpCmdRun.exe [2018-05-30] (Microsoft Corporation)
Task: {31AAC942-68A7-4EF5-A319-18FA6FD6DDBE} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {3A832BEE-A596-4244-9DAA-BF0798909301} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2017-01-18] (Google Inc.)
Task: {41A2D2F2-CF7C-4CA1-9600-E90A6B072F26} - System32\Tasks\WinZipBackGroundToolsTask => C:\Program Files\WinZip\WzBGTools.exe [2016-12-13] (WinZip Computing, S.L.)
Task: {42C621DB-CE36-455F-A7AB-01F31BD0D4A1} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-05-24] (Microsoft Corporation)
Task: {45A076B0-C8BC-4AE6-A076-718384FDC365} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2018-04-12] (Piriform Ltd)
Task: {5E204EE1-5DA6-4AAE-A40C-47807338573E} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2018-04-12] (Piriform Ltd)
Task: {5E97C96F-ACDD-4F8F-B55E-35BDD7D7066E} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.16.17656.18052-0\MpCmdRun.exe [2018-05-30] (Microsoft Corporation)
Task: {6758DDDE-9954-4EF6-8371-1E652E0B63B1} - System32\Tasks\battererbatterer => C:\Program Files\dorling\dorling.exe
Task: {6D398F7B-EE42-4C63-94FE-94864B47C830} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-02-09] (Adobe Systems Incorporated)
Task: {86C0B20B-65CE-4346-9994-26631287124E} - System32\Tasks\batterer => C:\Program Files\dorling\dorling.exe
Task: {91778B1D-DC19-4836-92F1-E7BE45893498} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files\Microsoft Office\root\Office16\msoia.exe [2018-06-01] (Microsoft Corporation)
Task: {B1D3D956-199A-4706-AE5E-79609057F8C1} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.16.17656.18052-0\MpCmdRun.exe [2018-05-30] (Microsoft Corporation)
Task: {C213EF7B-5958-4F69-B15B-D4F929D4FE7C} - System32\Tasks\Microsoft\Windows\HelloFace\FODCleanupTask => C:\WINDOWS\System32\WinBioPlugIns\FaceFodUninstaller.exe [2018-04-11] ()
Task: {C4DC5630-93AB-4D6F-8C7A-4D2885A8A2A2} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.16.17656.18052-0\MpCmdRun.exe [2018-05-30] (Microsoft Corporation)
Task: {C5CC67F3-6740-4544-A458-3B42E46013F5} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2017-01-18] (Google Inc.)
Task: {D3BC84A5-747A-4FFF-A328-E183DCA91034} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-05-24] (Microsoft Corporation)
Task: {D924FF36-F068-487D-A2ED-0C20EA2F85B5} - System32\Tasks\Microsoft\Office\OfficeOsfInstaller => C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\osfinstaller.exe [2018-06-01] (Microsoft Corporation)
Task: {DC21FCA0-9ED5-49FC-B4A9-E62CC57C1B0C} - System32\Tasks\WinZip Update Notifier => C:\Program Files\WinZip\WZUpdateNotifier.exe [2016-12-13] (WinZip)
Task: {DFA1DBB8-FDBB-4D3D-A317-5F8324101526} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-06-01] (Microsoft Corporation)
Task: {F7F1C009-3D7A-4235-8314-02FC65EE7EDC} - System32\Tasks\mourn => C:\Program Files\Crusading\iou.exe [2018-06-12] ()
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2018-06-12 10:20 - 2018-04-25 13:16 - 001930960 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2018-04-11 16:29 - 2018-04-11 16:29 - 000364200 _____ () C:\Windows\System32\InputHost.dll
2018-04-11 16:29 - 2018-04-11 16:29 - 000308224 _____ () C:\Windows\ShellExperiences\TileControl.dll
2018-04-11 16:29 - 2018-04-11 16:29 - 001670656 _____ () C:\Windows\ShellComponents\TaskFlowUI.dll
2018-04-11 16:29 - 2018-04-11 18:25 - 001609216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2015-10-30 01:48 - 2018-06-12 11:00 - 000000850 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\Services: lfsvc => 3
HKLM\...\StartupApproved\StartupFolder: => "Update Notifier.lnk"
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\StartupApproved\Run: => "BlueStacks Agent"
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\StartupApproved\Run: => "gentleMouse"
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\StartupApproved\Run: => "BingSvc"
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\StartupApproved\Run: => "Skype"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{DB5D6927-A1A4-4314-B695-352F9A77F056}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{FFA3F8CC-235F-4095-B903-E6D88800A967}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{6DD6FED0-3E20-42D2-BF48-FDDBB3EDB0A0}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [UDP Query User{57B13A14-1A83-437E-B920-62098A6DF67F}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe
FirewallRules: [TCP Query User{5A7AE636-341B-48E7-B9BE-A0A197741FB5}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{C1CD6A87-BD4B-4D30-B373-7D74351EFF9D}C:\program files\ninjatrader 8\bin\ninjatrader.exe] => (Allow) C:\program files\ninjatrader 8\bin\ninjatrader.exe
FirewallRules: [TCP Query User{B1B579FE-F9F1-4752-A675-3BC87182CD9B}C:\program files\ninjatrader 8\bin\ninjatrader.exe] => (Allow) C:\program files\ninjatrader 8\bin\ninjatrader.exe
FirewallRules: [{06FC9F0D-BB04-4E41-98E7-05C2E22E1675}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{401BA40F-442F-4A64-8A55-40D9592401EF}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [UDP Query User{A8B3B933-15B1-44FD-A2FF-B71A74C89CAC}C:\users\zj\downloads\anydesk.exe] => (Allow) C:\users\zj\downloads\anydesk.exe
FirewallRules: [TCP Query User{E60D6698-138F-4036-A975-2789E471A9D6}C:\users\zj\downloads\anydesk.exe] => (Allow) C:\users\zj\downloads\anydesk.exe
FirewallRules: [{CCDDF6E5-2DB8-4AD9-8B0B-53083F600A9D}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{6F7DBD0B-B46C-443A-A5F2-F60ECF200731}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{548DF097-EDC7-47B2-9941-C089B077E408}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{087B34DD-936A-472D-B13B-3D2D572A2270}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [UDP Query User{158DD880-1721-4BD9-BEC6-FE00960F077D}C:\program files\ninjatrader 8\bin\ninjatrader.exe] => (Allow) C:\program files\ninjatrader 8\bin\ninjatrader.exe
FirewallRules: [TCP Query User{AD0BC8D1-E88B-4194-AB84-F8FF50C45055}C:\program files\ninjatrader 8\bin\ninjatrader.exe] => (Allow) C:\program files\ninjatrader 8\bin\ninjatrader.exe
FirewallRules: [{2BFC32AD-75C3-4CA7-90C1-247CDDF3394E}] => (Allow) C:\Program Files\Skype\Phone\Skype.exe
FirewallRules: [{106B068C-BE4F-4FDD-8569-FE574BA499AA}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{E584EBF7-7517-4A4A-8702-0A09CFFA639D}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [UDP Query User{F42041B8-3B1F-4DA5-9FD9-705B0E5DA58C}C:\program files\ninjatrader 7\bin\ninjatrader.exe] => (Allow) C:\program files\ninjatrader 7\bin\ninjatrader.exe
FirewallRules: [TCP Query User{B3B8D144-03EA-4862-AE9C-85DBA7236FB5}C:\program files\ninjatrader 7\bin\ninjatrader.exe] => (Allow) C:\program files\ninjatrader 7\bin\ninjatrader.exe
FirewallRules: [TCP Query User{E7843958-AB74-4821-A5CD-3004D124AD74}C:\users\zj\appdata\local\microsoft\windows\inetcache\ie\qg3u1uud\anydesk.exe] => (Allow) C:\users\zj\appdata\local\microsoft\windows\inetcache\ie\qg3u1uud\anydesk.exe
FirewallRules: [UDP Query User{5B65CB61-332B-462D-9ABB-8B26A0BD3BB1}C:\users\zj\appdata\local\microsoft\windows\inetcache\ie\qg3u1uud\anydesk.exe] => (Allow) C:\users\zj\appdata\local\microsoft\windows\inetcache\ie\qg3u1uud\anydesk.exe
FirewallRules: [{F3384EF2-ACE8-4353-B61A-4922D3B1B00E}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{39EC31A9-3AAB-4D03-A1E9-6E356A5CD9FC}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [TCP Query User{86BB0FD2-2865-4869-ACCF-34008F75639D}C:\programdata\kmsautos\bin\kmsss.exe] => (Allow) C:\programdata\kmsautos\bin\kmsss.exe
FirewallRules: [UDP Query User{440435FF-1A41-4988-A913-601BE6249879}C:\programdata\kmsautos\bin\kmsss.exe] => (Allow) C:\programdata\kmsautos\bin\kmsss.exe
FirewallRules: [{729BC488-8945-46FC-983F-EB68AFB47C39}] => (Allow) C:\Program Files\Bluestacks\HD-Plus-Service.exe
FirewallRules: [{F7BD3918-929D-4B0D-AB0D-A8147E333F42}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
FirewallRules: [{F7D54170-D919-4E9E-AB59-92471679457C}] => (Allow) C:\Program Files\Lambchop\Delicately.exe
FirewallRules: [{DB2887FC-EECD-4AFE-98B1-6E668A85C412}] => (Allow) C:\Program Files\Essayist\Delicately.exe
FirewallRules: [{75B3EADB-4EE4-4D00-ACC1-98CFC9068CD8}] => (Allow) C:\Program Files\saviour\Streaker.exe
FirewallRules: [{37A464C7-C49A-4537-B1F5-B5488A4BED99}] => (Allow) C:\Program Files\Essayist\Streaker.exe
 
==================== Restore Points =========================
 
22-05-2018 03:40:20 Scheduled Checkpoint
31-05-2018 08:44:18 Scheduled Checkpoint
07-06-2018 15:00:32 Windows Update
 
==================== Faulty Device Manager Devices =============
 
Name: PCI Serial Port
Description: PCI Serial Port
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (06/12/2018 11:35:41 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mobsync.exe, version: 10.0.17134.1, time stamp: 0x82ad5f4c
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x044dabed
Faulting process id: 0x1a40
Faulting application start time: 0x01d4026301a8462d
Faulting application path: C:\WINDOWS\System32\mobsync.exe
Faulting module path: unknown
Report Id: 1aae06b6-0780-4c78-bcbd-8f6be05a9c09
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (06/12/2018 11:35:36 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: sihost.exe, version: 10.0.17134.1, time stamp: 0xe43c2ee6
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x052eabed
Faulting process id: 0x7d0
Faulting application start time: 0x01d40262ff1ddcf4
Faulting application path: C:\WINDOWS\system32\sihost.exe
Faulting module path: unknown
Report Id: 26c2fe15-807a-46ba-9c89-6aeb1c9f9e65
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (06/12/2018 11:35:30 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mobsync.exe, version: 10.0.17134.1, time stamp: 0x82ad5f4c
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0445abed
Faulting process id: 0x1b0c
Faulting application start time: 0x01d40262fb5711a2
Faulting application path: C:\WINDOWS\System32\mobsync.exe
Faulting module path: unknown
Report Id: 899cb599-9d78-4f61-9781-bad233b24048
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (06/12/2018 11:35:29 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: sihost.exe, version: 10.0.17134.1, time stamp: 0xe43c2ee6
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x1a08
Faulting application start time: 0x01d40262fc67967b
Faulting application path: C:\WINDOWS\system32\sihost.exe
Faulting module path: unknown
Report Id: 64acc45d-b0d4-4cd2-a5a0-a73b11728b40
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (06/12/2018 11:35:25 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: sihost.exe, version: 10.0.17134.1, time stamp: 0xe43c2ee6
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0495abed
Faulting process id: 0x1f5c
Faulting application start time: 0x01d40262f91e010b
Faulting application path: C:\WINDOWS\system32\sihost.exe
Faulting module path: unknown
Report Id: 15eab44c-9b26-49fd-a839-bd75f1c83b31
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (06/12/2018 11:35:20 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: sihost.exe, version: 10.0.17134.1, time stamp: 0xe43c2ee6
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00edabed
Faulting process id: 0x1f04
Faulting application start time: 0x01d40262f61e9103
Faulting application path: C:\WINDOWS\system32\sihost.exe
Faulting module path: unknown
Report Id: 3e836ffa-975e-40cb-b248-47da3af95768
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (06/12/2018 11:35:14 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: sihost.exe, version: 10.0.17134.1, time stamp: 0xe43c2ee6
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00e1abed
Faulting process id: 0x1eac
Faulting application start time: 0x01d40262f2ff7008
Faulting application path: C:\WINDOWS\system32\sihost.exe
Faulting module path: unknown
Report Id: 1b1ec814-cecf-4a53-95c7-c0140d4572d3
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (06/12/2018 11:35:09 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: sihost.exe, version: 10.0.17134.1, time stamp: 0xe43c2ee6
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00faabed
Faulting process id: 0x1dd4
Faulting application start time: 0x01d40262edea3ebf
Faulting application path: C:\WINDOWS\system32\sihost.exe
Faulting module path: unknown
Report Id: 29b167b8-0d15-4d26-8b2f-9cd5d1107a2f
Faulting package full name: 
Faulting package-relative application ID:
 
 
System errors:
=============
Error: (06/12/2018 12:17:34 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service EventSystem with arguments "Unavailable" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error: (06/12/2018 12:17:14 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-FLF3NP0)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (06/12/2018 12:16:59 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-FLF3NP0)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (06/12/2018 12:16:38 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-FLF3NP0)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (06/12/2018 12:16:16 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-FLF3NP0)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (06/12/2018 12:15:28 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-FLF3NP0)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (06/12/2018 12:15:25 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-FLF3NP0)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{9E175B6D-F52A-11D8-B9A5-505054503030}
 
Error: (06/12/2018 12:15:22 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-FLF3NP0)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{9E175B6D-F52A-11D8-B9A5-505054503030}
 
 
Windows Defender:
===================================
Date: 2018-06-12 09:53:42.362
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: SoftwareBundler:Win32/Prepscram.D
ID: 239500
Severity: High
Category: Software Bundler
Path: containerfile:_C:\Users\zj\Downloads\Windows 10 Activator (Compatible with all Editions).zip;file:_C:\Users\zj\Downloads\Windows 10 Activator (Compatible with all Editions).zip->Windows 10 Activator (Compatible with all Editions).iso->Windows 10 Activator (Compatible with all Editions).exe;webfile:_C:\Users\zj\Downloads\Windows 10 Activator (Compatible with all Editions).zip|http://current.buildingcrack.party/614f2f53acbf1d8a7ab1fc37120ce842201bd614dcda3c6f2719/|pid:4172,ProcessStart:131731379976895014
Detection Origin: Internet
Detection Type: FastPath
Detection Source: Downloads and attachments
Process Name: Unknown
Signature Version: AV: 1.269.1089.0, AS: 1.269.1089.0, NIS: 1.269.1089.0
Engine Version: AM: 1.1.14901.4, NIS: 1.1.14901.4
 
Date: 2018-06-12 09:50:02.273
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: SoftwareBundler:Win32/ICLoader
ID: 222548
Severity: High
Category: Software Bundler
Path: containerfile:_C:\Users\zj\Downloads\KMSAuto-Net-Portable.rar;file:_C:\Users\zj\Downloads\KMSAuto-Net-Portable.rar->KMSAuto-Net-Portable.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Signature Version: AV: 1.269.1089.0, AS: 1.269.1089.0, NIS: 1.269.1089.0
Engine Version: AM: 1.1.14901.4, NIS: 1.1.14901.4
 
Date: 2018-06-12 09:48:52.392
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: SoftwareBundler:Win32/Prepscram.D
ID: 239500
Severity: High
Category: Software Bundler
Path: containerfile:_C:\Users\zj\Downloads\Windows 10 Activator (Compatible with all Editions).img;file:_C:\Users\zj\Downloads\Windows 10 Activator (Compatible with all Editions).img->Windows 10 Activator (Compatible with all Editions).exe;webfile:_C:\Users\zj\Downloads\Windows 10 Activator (Compatible with all Editions).img|http://current.buildingcrack.party/60585e8d39ddeab4a10a7343385f5c1cb8153076481b12ef03af/|pid:4172,ProcessStart:131731379976895014
Detection Origin: Internet
Detection Type: FastPath
Detection Source: Downloads and attachments
Process Name: Unknown
Signature Version: AV: 1.269.1089.0, AS: 1.269.1089.0, NIS: 1.269.1089.0
Engine Version: AM: 1.1.14901.4, NIS: 1.1.14901.4
 
Date: 2018-06-12 09:47:19.310
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: SoftwareBundler:Win32/ICLoader
ID: 222548
Severity: High
Category: Software Bundler
Detection Origin: Internet
Detection Type: Concrete
Detection Source: Downloads and attachments
Process Name: Unknown
Signature Version: AV: 1.269.1089.0, AS: 1.269.1089.0, NIS: 1.269.1089.0
Engine Version: AM: 1.1.14901.4, NIS: 1.1.14901.4
 
Date: 2018-06-12 09:35:01.610
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: HackTool:Win32/AutoKMS
ID: 2147685180
Severity: High
Category: Tool
Path: containerfile:_C:\Users\zj\Downloads\KMSAuto Net 2015 v1.3.8 Portable.zip;file:_C:\Users\zj\Downloads\KMSAuto Net 2015 v1.3.8 Portable.zip->KMSAuto Net 2015 v1.3.8 Portable/KMSAuto Net.exe;webfile:_C:\Users\zj\Downloads\KMSAuto Net 2015 v1.3.8 Portable.zip|http://www75.uptobox.com/dl/mlonBQKPfPY7cYWPUzD1FkxIpN4mAL9Qh2EIG0FVS1e540L9caF6fH-L_MyNaEcCoves_MlSDnVR3n2pKhGS5nheC_VuuSndQt_uMHzleTUGC1es8cH-vP95NJiHxHUW_d0--fN3mmH7lOVgW44cKA/KMSAutoDESKTOP-FLF3NP0\zjNet%202015%20v1.3.8%20Portable.zip|pid:4172,ProcessStart:131731379976895014
Detection Origin: Internet
Detection Type: Concrete
Detection Source: Downloads and attachments
Process Name: Unknown
Signature Version: AV: 1.269.1089.0, AS: 1.269.1089.0, NIS: 1.269.1089.0
Engine Version: AM: 1.1.14901.4, NIS: 1.1.14901.4
 
CodeIntegrity:
===================================
 
Date: 2018-06-11 08:39:24.041
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\FlightSettings.dll because the set of per-page image hashes could not be found on the system.
 
Date: 2018-06-11 08:39:24.030
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\FlightSettings.dll because the set of per-page image hashes could not be found on the system.
 
Date: 2018-06-11 08:39:23.714
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\FlightSettings.dll because the set of per-page image hashes could not be found on the system.
 
Date: 2018-06-11 08:39:23.702
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\FlightSettings.dll because the set of per-page image hashes could not be found on the system.
 
Date: 2018-06-11 08:39:23.687
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\dsreg.dll because the set of per-page image hashes could not be found on the system.
 
Date: 2018-06-11 08:39:23.674
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\dsreg.dll because the set of per-page image hashes could not be found on the system.
 
Date: 2018-06-11 08:39:23.311
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\dbgeng.dll because the set of per-page image hashes could not be found on the system.
 
Date: 2018-06-11 08:39:23.287
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\aepic.dll because the set of per-page image hashes could not be found on the system.
 
==================== Memory info =========================== 
 
Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
Percentage of memory in use: 23%
Total physical RAM: 3316.61 MB
Available physical RAM: 2552.85 MB
Total Virtual: 3892.61 MB
Available Virtual: 3367.8 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:931.02 GB) (Free:892.04 GB) NTFS
Drive e: (ESD-USB) (Removable) (Total:14.44 GB) (Free:11.8 GB) FAT32
 
\\?\Volume{b66b9fad-0000-0000-0000-100000000000}\ (System Reserved) (Fixed) (Total:0.49 GB) (Free:0.16 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 931.5 GB) (Disk ID: B66B9FAD)
Partition 1: (Active) - (Size=500 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 14.5 GB) (Disk ID: 17851784)
Partition 1: (Active) - (Size=14.5 GB) - (Type=0C)
 
==================== End of Addition.txt ============================

#4 Aura (Bleepin' Special Ops, Malware Response Team, 19,683 posts)
Posted 12 June 2018 - 08:16 PM

Hi zachj :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name; it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system: I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall it right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like formatting and reinstalling Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate it if you were to stay with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
This being said, I have a full-time job, so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread.
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Please give me some time to review your logs and get back to you.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 Aura (Bleepin' Special Ops, Malware Response Team, 19,683 posts)
Posted 12 June 2018 - 08:27 PM

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Attached Files




#6 zachj (Topic Starter, Members, 112 posts)
Posted 12 June 2018 - 09:21 PM

Thanks for the help Aura! The computer already seems better. When I was opening the Task Manager previously it would just close right down; it's no longer doing that, and the WerFault.exe error is no longer popping up. A couple of things though: when I tried to run Farbar the virus would not allow it to run, as I figured, so I went into Safe Mode with Networking and ran it. Is this ok? I can probably rerun it in normal mode now if needed. And the computer seems better, but I am now noticing that I cannot open the Windows button on the bottom left of the taskbar to get to all the programs and settings etc. I cannot even access it in Safe Mode. Look forward to hearing back. Thanks

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 06.06.2018 01
Ran by zj (12-06-2018 21:57:02) Run:2
Running from C:\Users\zj\Desktop
Loaded Profiles: zj (Available Profiles: zj)
Boot Mode: Safe Mode (with Networking)
 
==============================================
 
fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
 
HKLM\...\Run: [SecurityHealth] => system
HKLM\...\Run: [WindowsDefender] => system
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\Run: [SecurityHealth] => system
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\Run: [WindowsDefender] => system
HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\...\Run: [1Bluestacks] => C:\Users\zj\AppData\Roaming\1Bluestacks\1Bluestacks.exe [0 2018-06-12] ()
 
SearchScopes: HKU\S-1-5-21-1113276245-3942252821-4013509334-1001 -> {255AF694-2592-412B-9AF7-BDC56F5292C6} URL = hxxps://search.yahoo.com/search?p={searchTerms}&intl=us&fr=yset_ie_syc_oracle&type=orcl_default&partnerexternal-oracle=external-oracle
FF Homepage: Mozilla\Firefox\Profiles\61cmq8pb.default -> file:///C:/ProgramData/Quoteexs/ff.HP
FF NewTab: Mozilla\Firefox\Profiles\61cmq8pb.default -> file:///C:/ProgramData/Quoteexs/ff.NT
 
CHR HomePage: Default -> msn.com/?pc=__PARAM__&ocid=__PARAM__DHP&osmkt=en-us
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default
CHR DefaultSearchKeyword: Default -> Yahoo
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR HKLM\...\Chrome\Extension: [dofoafnmdocgkdphpkdooahjkhpmakjd] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
 
Task: {1C27697F-AE3B-49F5-ACF8-6D6D3DFABC5E} - System32\Tasks\mournmourn => C:\Program Files\Crusading\iou.exe [2018-06-12] ()
Task: {31AAC942-68A7-4EF5-A319-18FA6FD6DDBE} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {6758DDDE-9954-4EF6-8371-1E652E0B63B1} - System32\Tasks\battererbatterer => C:\Program Files\dorling\dorling.exe
Task: {86C0B20B-65CE-4346-9994-26631287124E} - System32\Tasks\batterer => C:\Program Files\dorling\dorling.exe
Task: {F7F1C009-3D7A-4235-8314-02FC65EE7EDC} - System32\Tasks\mourn => C:\Program Files\Crusading\iou.exe [2018-06-12] ()
 
FirewallRules: [{F7D54170-D919-4E9E-AB59-92471679457C}] => (Allow) C:\Program Files\Lambchop\Delicately.exe
FirewallRules: [{DB2887FC-EECD-4AFE-98B1-6E668A85C412}] => (Allow) C:\Program Files\Essayist\Delicately.exe
FirewallRules: [{75B3EADB-4EE4-4D00-ACC1-98CFC9068CD8}] => (Allow) C:\Program Files\saviour\Streaker.exe
FirewallRules: [{37A464C7-C49A-4537-B1F5-B5488A4BED99}] => (Allow) C:\Program Files\Essayist\Streaker.exe
 
C:\wde3cnhb8wyq1nd
C:\Program Files\Crusading
C:\Program Files\NetLoader
C:\Program Files\harley
C:\Program Files\Essayist
C:\Program Files\saviour
C:\Program Files\Lambchop
C:\Program Files\dorling
C:\ProgramData\Quoteexs
C:\Users\zj\Downloads\JavaSetup_3299140567.exe
C:\Users\zj\Downloads\Windows 10 Activator (Compatible with all Editions).zip
C:\Users\zj\Downloads\Windows 10 Activator (Compatible with all Editions).img
C:\Users\zj\Downloads\KMSAuto-Net-Portable.rar
C:\Users\zj\Downloads\KMSAuto Net 2015 v1.3.8 Portable.zip
C:\Users\zj\AppData\Local\Triojob.bin
C:\Users\zj\AppData\Local\installer.dat
C:\Users\zj\AppData\Local\Temp\UIdlcv7hPMEmbd4Fzx0L2dCuez6S6j2Nq.exe
C:\Users\zj\AppData\Roaming\1MozillaFirefox
C:\Users\zj\AppData\Roaming\1Bluestacks
C:\Users\zj\AppData\Roaming\EaseUS0
C:\WINDOWS\b47089282
C:\WINDOWS\System32\mobsync.exe
C:\WINDOWS\system32\sihost.exe
 
EmptyTemp:
*****************
 
Processes closed successfully.
Error: Restore point can only be created in normal mode.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\SecurityHealth" => removed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\WindowsDefender" => removed successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" => removed successfully.
"HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\Software\Microsoft\Windows\CurrentVersion\Run\\SecurityHealth" => removed successfully.
"HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\Software\Microsoft\Windows\CurrentVersion\Run\\WindowsDefender" => removed successfully.
"HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\Software\Microsoft\Windows\CurrentVersion\Run\\1Bluestacks" => removed successfully.
"HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{255AF694-2592-412B-9AF7-BDC56F5292C6}" => removed successfully.
HKLM\Software\Classes\CLSID\{255AF694-2592-412B-9AF7-BDC56F5292C6} => not found
"Firefox homepage" => removed successfully.
"Firefox newtab" => removed successfully.
"Chrome HomePage" => removed successfully.
"Chrome DefaultSearchURL" => removed successfully.
"Chrome DefaultSearchKeyword" => removed successfully.
"Chrome DefaultSuggestURL" => removed successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\dofoafnmdocgkdphpkdooahjkhpmakjd" => removed successfully.
"HKU\S-1-5-21-1113276245-3942252821-4013509334-1001\SOFTWARE\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd" => removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1C27697F-AE3B-49F5-ACF8-6D6D3DFABC5E}" => removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1C27697F-AE3B-49F5-ACF8-6D6D3DFABC5E}" => removed successfully.
C:\Windows\System32\Tasks\mournmourn => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\mournmourn" => removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{31AAC942-68A7-4EF5-A319-18FA6FD6DDBE}" => removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{31AAC942-68A7-4EF5-A319-18FA6FD6DDBE}" => removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6758DDDE-9954-4EF6-8371-1E652E0B63B1}" => removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6758DDDE-9954-4EF6-8371-1E652E0B63B1}" => removed successfully.
C:\Windows\System32\Tasks\battererbatterer => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\battererbatterer" => removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{86C0B20B-65CE-4346-9994-26631287124E}" => removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{86C0B20B-65CE-4346-9994-26631287124E}" => removed successfully.
C:\Windows\System32\Tasks\batterer => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\batterer" => removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F7F1C009-3D7A-4235-8314-02FC65EE7EDC}" => removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F7F1C009-3D7A-4235-8314-02FC65EE7EDC}" => removed successfully.
C:\Windows\System32\Tasks\mourn => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\mourn" => removed successfully.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F7D54170-D919-4E9E-AB59-92471679457C}" => removed successfully.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{DB2887FC-EECD-4AFE-98B1-6E668A85C412}" => removed successfully.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{75B3EADB-4EE4-4D00-ACC1-98CFC9068CD8}" => removed successfully.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{37A464C7-C49A-4537-B1F5-B5488A4BED99}" => removed successfully.
C:\wde3cnhb8wyq1nd => moved successfully
C:\Program Files\Crusading => moved successfully
C:\Program Files\NetLoader => moved successfully
C:\Program Files\harley => moved successfully
C:\Program Files\Essayist => moved successfully
C:\Program Files\saviour => moved successfully
C:\Program Files\Lambchop => moved successfully
C:\Program Files\dorling => moved successfully
"C:\ProgramData\Quoteexs" => not found
C:\Users\zj\Downloads\JavaSetup_3299140567.exe => moved successfully
"C:\Users\zj\Downloads\Windows 10 Activator (Compatible with all Editions).zip" => not found
"C:\Users\zj\Downloads\Windows 10 Activator (Compatible with all Editions).img" => not found
"C:\Users\zj\Downloads\KMSAuto-Net-Portable.rar" => not found
"C:\Users\zj\Downloads\KMSAuto Net 2015 v1.3.8 Portable.zip" => not found
C:\Users\zj\AppData\Local\Triojob.bin => moved successfully
C:\Users\zj\AppData\Local\installer.dat => moved successfully
C:\Users\zj\AppData\Local\Temp\UIdlcv7hPMEmbd4Fzx0L2dCuez6S6j2Nq.exe => moved successfully
C:\Users\zj\AppData\Roaming\1MozillaFirefox => moved successfully
C:\Users\zj\AppData\Roaming\1Bluestacks => moved successfully
C:\Users\zj\AppData\Roaming\EaseUS0 => moved successfully
C:\WINDOWS\b47089282 => moved successfully
C:\WINDOWS\System32\mobsync.exe => moved successfully
C:\WINDOWS\system32\sihost.exe => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 9199616 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 72990910 B
Java, Flash, Steam htmlcache => 1102 B
Windows/system/drivers => 2136089 B
Edge => 9045071 B
Chrome => 133626149 B
Firefox => 17865491 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
LocalService => 0 B
NetworkService => 0 B
zj => 303086000 B
 
RecycleBin => 190215 B
EmptyTemp: => 522.7 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 21:57:25 ====
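The fixlist above targets five kinds of persistence the infection used: Run values with fake security names (SecurityHealth, WindowsDefender) whose data is literally "system" rather than a path, a Windows Defender policy key under HKLM\SOFTWARE\Policies, scheduled tasks and firewall Allow rules pointing at unsigned EXEs in freshly created Program Files folders, and two System32 binaries (sihost.exe, mobsync.exe). The PowerShell below is an added example for re-checking those same points on a live machine; it is not part of the thread and not FRST's own logic. It assumes an elevated PowerShell 5.1 or later on Windows 10. The helper names (Test-SignedBinary, Get-ExePath) are my own; the registry paths and cmdlets are standard Windows ones, and only the two binary names and the Defender policy key come from the log.

```powershell
# Added example, not from the thread or from FRST. Run from an elevated PowerShell 5.1+ on Windows 10.
# Each section mirrors one category of the fixlist posted above and reports what a reviewer should look at;
# "missing or unsigned" is a lead, not a verdict (uninstalled apps leave stale firewall rules too).

function Test-SignedBinary {
    # $true only when the file exists and carries a valid Authenticode signature. PowerShell 5+ also
    # resolves catalog signatures, which most System32 binaries rely on; older PowerShell reports
    # those as NotSigned, so use Sysinternals sigcheck -a there instead.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    if (-not [System.IO.Path]::IsPathRooted($Path)) {
        # Bare names such as "powershell.exe" are legitimate in task actions; resolve them via PATH.
        $app = Get-Command -Name $Path -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($app) { $Path = $app.Source }
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    return ((Get-AuthenticodeSignature -LiteralPath $Path).Status -eq 'Valid')
}

function Get-ExePath {
    # Pull the executable out of a command line: "C:\x y\a.exe" /q, C:\x y\a.exe /q, or %windir%\a.exe.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"')        { return $Matches[1] }
    if ($cmd -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    if ($cmd -match '^(\S+)')            { return $Matches[1] }
    return $cmd
}

$findings = @()

# 1. Run keys. The fix removed values whose data was the word "system": not a path, so it fails this check.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSChildName etc. are PowerShell metadata, not values
        if (-not (Test-SignedBinary (Get-ExePath ([string]$p.Value)))) {
            $findings += "Run value '$($p.Name)' in $key -> '$($p.Value)' (missing or unsigned)"
        }
    }
}

# 2. Defender policy tampering. The fix deleted this key outright; on an unmanaged home PC it should not
#    exist, and any Disable* value set to 1 under it (DisableAntiSpyware, DisableRealtimeMonitoring, ...)
#    switches Defender off by policy. Domain-managed machines may carry it legitimately.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (Test-Path $pol) {
    foreach ($k in @(Get-Item -Path $pol) + @(Get-ChildItem -Path $pol -Recurse)) {
        foreach ($name in $k.GetValueNames()) {
            if ($name -like 'Disable*' -and $k.GetValue($name) -eq 1) {
                $findings += "Defender policy $($k.Name)\$name = 1"
            }
        }
    }
}

# 3. Scheduled tasks. The removed tasks (mourn, batterer, ...) ran unsigned EXEs from new Program Files folders.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }  # COM-handler actions have no Execute property
        if (-not (Test-SignedBinary (Get-ExePath $action.Execute))) {
            $findings += "Task '$($task.TaskPath)$($task.TaskName)' -> '$($action.Execute)' (missing or unsigned)"
        }
    }
}

# 4. Firewall Allow rules for programs that are missing or unsigned (the fix removed four such rules).
foreach ($filter in Get-NetFirewallApplicationFilter -All) {
    $prog = $filter.Program
    if (-not $prog -or $prog -eq 'Any' -or $prog -eq 'System') { continue }
    if (Test-SignedBinary ([Environment]::ExpandEnvironmentVariables($prog))) { continue }
    $rule = $filter | Get-NetFirewallRule
    if ($rule.Action -eq 'Allow') {
        $findings += "Firewall allow rule '$($rule.DisplayName)' -> '$prog' (missing or unsigned)"
    }
}

# 5. The two System32 binaries the fix quarantined. The Application Error events above show sihost.exe
#    crashing with "Faulting module name: unknown", i.e. the faulting code was in no loaded module, which is
#    consistent with injected or unpacked code. sihost.exe (Shell Infrastructure Host) backs the Start menu,
#    so quarantining it explains the Start menu failure reported next; sfc /scannow restores the real file.
foreach ($name in 'sihost.exe', 'mobsync.exe') {
    $path = Join-Path $env:windir "System32\$name"
    if (-not (Test-Path -LiteralPath $path)) { $findings += "$path is missing: run sfc /scannow"; continue }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "$path signature $($sig.Status), signer '$($sig.SignerCertificate.Subject)'"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { Write-Warning $_ } }
```

Expect some noise from section 4 on any machine that has had software uninstalled; the combination that matters is the one the log shows, an Allow rule plus a task or Run value pointing into the same unknown folder.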


#7 Aura (Bleepin' Special Ops, Malware Response Team, 19,683 posts)
Posted 13 June 2018 - 08:14 AM

It's good, no worries. And we'll address the Start Menu issue shortly. Can you .zip the C:\FRST\Quarantine folder and attach it here?



#8 zachj (Topic Starter, Members, 112 posts)
Posted 13 June 2018 - 08:43 AM

Please see attached.



#9 Aura (Bleepin' Special Ops, Malware Response Team, 19,683 posts)
Posted 13 June 2018 - 12:01 PM

I don't see any attachment in your previous post.



#10 zachj (Topic Starter, Members, 112 posts)
Posted 13 June 2018 - 12:12 PM

It's 14 MB, it won't attach! Can you access the link below with the file? I used the WeTransfer site. All I have is 7-Zip; WinZip is trying to make me pay to use it.

 

https://we.tl/TX01PAGPxO


Edited by zachj, 13 June 2018 - 12:23 PM.


#11 Aura (Bleepin' Special Ops, Malware Response Team, 19,683 posts)
Posted 13 June 2018 - 12:23 PM

You can upload the file on SendSpace.com and PM me the download link :)



#12 zachj (Topic Starter, Members, 112 posts)
Posted 13 June 2018 - 12:24 PM

I just edited my post above, here's the link with the file again..

 

https://we.tl/TX01PAGPxO



#13 zachj (Topic Starter, Members, 112 posts)
Posted 13 June 2018 - 10:02 PM

This is making me nervous. I have not heard back, and ever since I ran Farbar I cannot access Start to get to programs and settings, and I cannot access the network settings to get to my VPN, which I need to access very badly for work. It won't even let me perform a simple disk cleanup.



#14 Aura (Bleepin' Special Ops, Malware Response Team, 19,683 posts)
Posted 14 June 2018 - 07:29 AM

Sorry for the delay. Alright, let's try something.

System File Checker (SFC)
Follow the instructions below to run an SFC scan on your system and to provide the CBS log in your next reply:
  • On Windows Vista & 7, click on the Windows Start Menu, then enter cmd in the search box, right-click on the cmd icon and select Run as Administrator
  • On Windows 8, drag your cursor to the bottom-left corner, right-click on the Metro menu preview, then select Command Prompt (Admin)
  • On Windows 8.1 and Windows 10, right-click on the Windows logo in the bottom-left corner and select Command Prompt (Admin)
  • Enter the command below and press Enter
    sfc /scannow
    Note: There's a space between "sfc" and "/scannow"
  • Once the scan is complete, enter the command below and press Enter
    copy %windir%\logs\cbs\cbs.log "%userprofile%\Desktop\cbs.txt"
  • A file called cbs.txt will have appeared on your Desktop. Upload the file to Dropbox, Google Drive or OneDrive and post the download URL for it here
Note: Please note that the CBS.log is volatile, which means that if you don't upload it after the SFC scan is completed, it won't have the information from the scan anymore. So archive it and upload it as soon as you can.



#15 zachj (Topic Starter, Members, 112 posts)
Posted 14 June 2018 - 08:36 AM

I could not right-click on the Windows logo; I had to hold down the Windows key on the keyboard and hit R. After the scan was done the cmd window shut down right away. I put cmd in the Run box and entered your command. I hope the link below has what you required....

 

https://we.tl/RlJvYPIJi6