
DoraSousa

Members
Posts: 15
Reputation: 0 Neutral
  1. If the thread is open next weekend I'll post it for sure. You were very, very helpful, thank you!
  2. Hi, I'll be back at my mom's next weekend. I'll post the log then. I don't have the laptop with me now.
  3. # AdwCleaner 7.0.3.1 - Logfile created on Sun Oct 29 20:42:48 2017
     # Updated on 2017/29/09 by Malwarebytes
     # Database: 10-28-2017.1
     # Running on Windows 10 Home (X64)
     # Mode: scan
     # Support: https://www.malwarebytes.com/support

     ***** [ Services ] *****
     No malicious services found.
     ***** [ Folders ] *****
     No malicious folders found.
     ***** [ Files ] *****
     No malicious files found.
     ***** [ DLL ] *****
     No malicious DLLs found.
     ***** [ WMI ] *****
     No malicious WMI found.
     ***** [ Shortcuts ] *****
     No malicious shortcuts found.
     ***** [ Tasks ] *****
     No malicious tasks found.
     ***** [ Registry ] *****
     No malicious registry entries found.
     ***** [ Firefox (and derivatives) ] *****
     No malicious Firefox entries.
     ***** [ Chromium (and derivatives) ] *****
     No malicious Chromium entries.

     *************************
     C:/AdwCleaner/AdwCleaner[C0].txt - [7871 B] - [2017/10/27 22:41:10]
     C:/AdwCleaner/AdwCleaner[C1].txt - [1474 B] - [2017/10/27 22:52:32]
     C:/AdwCleaner/AdwCleaner[S0].txt - [8918 B] - [2017/10/27 22:40:3]
     C:/AdwCleaner/AdwCleaner[S1].txt - [1335 B] - [2017/10/27 22:51:5]
     C:/AdwCleaner/AdwCleaner[S2].txt - [1219 B] - [2017/10/27 23:44:56]
     C:/AdwCleaner/AdwCleaner[S3].txt - [1288 B] - [2017/10/28 17:59:33]
     C:/AdwCleaner/AdwCleaner[S4].txt - [1357 B] - [2017/10/29 10:32:55]

     ########## EOF - C:\AdwCleaner\AdwCleaner[S5].txt ##########

     RogueKiller V12.11.21.0 (x64) [Oct 23 2017] (Free) by Adlice Software
     mail : http://www.adlice.com/contact/
     Feedback : https://forum.adlice.com
     Site : http://www.adlice.com/download/roguekiller/
     Blog : http://www.adlice.com

     Operating System : Windows 10 (10.0.15063) 64 bits version
     Started : Normal mode
     User : Asus [Administrator]
     Started from : C:\Users\Asus\Downloads\RogueKiller_portable64.exe
     Mode : Delete -- Date : 10/29/2017 20:44:43 (Duration : 01:39:52)

     ¤¤¤ Processes : 0 ¤¤¤

     ¤¤¤ Registry : 7 ¤¤¤
     [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-848942897-2584456738-1363378028-1001\Software\IM -> Deleted
     [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-848942897-2584456738-1363378028-1001\Software\IM -> Deleted
     [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-848942897-2584456738-1363378028-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus17win10.msn.com/?pc=ASTE -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
     [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-848942897-2584456738-1363378028-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus17win10.msn.com/?pc=ASTE -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
     [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Replaced (2)
     [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Replaced (2)
     [Adw.Eszjuxuan] (X64) HKEY_USERS\S-1-5-21-848942897-2584456738-1363378028-1001\Control Panel\Desktop | SCRNSAVE.EXE : C:\ProgramData\DreamScreen\DreamCompress.scr [x] -> Replaced (C:\WINDOWS\system32\logon.scr)

     ¤¤¤ Tasks : 0 ¤¤¤

     ¤¤¤ Files : 0 ¤¤¤

     ¤¤¤ WMI : 0 ¤¤¤

     ¤¤¤ Hosts file : 0 ¤¤¤

     ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ MBR Check : ¤¤¤
     +++++ PhysicalDrive0: TOSHIBA MQ01ABD100 +++++
     --- User ---
     [MBR] 64456e49656c5aac93e83c0c002019e8
     [BSP] cc721506ceac3a98992e90c7e0ea2caa : Empty|VT.Unknown MBR Code
     Partition table:
     0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
     1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 534528 | Size: 16 MB
     2 - Basic data partition | Offset (sectors): 567296 | Size: 953093 MB
     3 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1952501760 | Size: 499 MB
     User = LL1 ... OK
     User = LL2 ... OK
  4. Wow, and I thought it was all good by now.

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 29/10/17
     Scan Time: 17:36
     Log File: a449246e-bccf-11e7-8691-9c5c8ed6aaa4.json
     Administrator: Yes

     -Software Information-
     Version: 3.2.2.2029
     Components Version: 1.0.212
     Update Package Version: 1.0.3123
     License: Free Trial

     -System Information-
     OS: Windows 10 (Build 15063.674)
     CPU: x64
     File System: NTFS
     User: DESKTOP-V39V5JJ\Asus

     -Scan Summary-
     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 401126
     Threats Detected: 17
     Threats Quarantined: 17
     Time Elapsed: 10 min, 20 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0 (No malicious items detected)
     Module: 0 (No malicious items detected)

     Registry Key: 8
     PUP.Optional.PSScriptLoad.ACMB3, HKU\S-1-5-21-848942897-2584456738-1363378028-1001\CONSOLE\%SYSTEMROOT%_SYSTEM32_SVCHOST.EXE, Quarantined, [5416], [425124],1.0.3123
     PUP.Optional.PSScriptLoad.ACMB3, HKU\S-1-5-21-848942897-2584456738-1363378028-1001\CONSOLE\TASKENG.EXE, Quarantined, [5416], [425125],1.0.3123
     PUP.Optional.UCBrowser, HKU\S-1-5-18\SOFTWARE\UCBrowser, Quarantined, [1376], [403633],1.0.3123
     PUP.Optional.UCBrowser, HKLM\SOFTWARE\WOW6432NODE\UCBrowserPID, Quarantined, [1376], [407412],1.0.3123
     PUP.Optional.UCBrowser, HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\UCBrowserPID, Quarantined, [1376], [403634],1.0.3123
     PUP.Optional.UCBrowser, HKLM\SOFTWARE\UCBrowser, Quarantined, [1376], [407411],1.0.3123
     Rogue.SearchEngage, HKLM\SOFTWARE\MICROSOFT\TRACING\saveup_RASAPI32, Quarantined, [1982], [357112],1.0.3123
     Rogue.SearchEngage, HKLM\SOFTWARE\MICROSOFT\TRACING\saveup_RASMANCS, Quarantined, [1982], [357112],1.0.3123

     Registry Value: 3
     PUP.Optional.PSScriptLoad.ACMB3, HKU\S-1-5-21-848942897-2584456738-1363378028-1001\CONSOLE\%SYSTEMROOT%_SYSTEM32_SVCHOST.EXE|WINDOWPOSITION, Quarantined, [5416], [425124],1.0.3123
     PUP.Optional.PSScriptLoad.ACMB3, HKU\S-1-5-21-848942897-2584456738-1363378028-1001\CONSOLE\TASKENG.EXE|WINDOWPOSITION, Quarantined, [5416], [425125],1.0.3123
     PUP.Optional.PSScriptLoad.ACMB3, HKU\S-1-5-21-848942897-2584456738-1363378028-1001\CONSOLE\%SYSTEMROOT%_SYSTEM32_WINDOWSPOWERSHELL_V1.0_POWERSHELL.EXE|WINDOWPOSITION, Quarantined, [5416], [425126],1.0.3123

     Registry Data: 0 (No malicious items detected)
     Data Stream: 0 (No malicious items detected)

     Folder: 1
     PUP.Optional.OnlineIO, C:\WINDOWS\INSTALLER\{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}, Quarantined, [557], [391425],1.0.3123

     File: 5
     PUP.Optional.WinHTTP, C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\WINHTTP.DLL, Quarantined, [7978], [382898],1.0.3123
     PUP.Optional.OnlineIO, C:\WINDOWS\INSTALLER\SOURCEHASH{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}, Quarantined, [557], [391431],1.0.3123
     PUP.Optional.OnlineIO, C:\Windows\Installer\{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}\online.exe, Quarantined, [557], [391425],1.0.3123
     PUP.Optional.OnlineIO, C:\Windows\Installer\{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}\SystemFoldermsiexec.exe, Quarantined, [557], [391425],1.0.3123
     RiskWare.BitCoinMiner, C:\WINDOWS\UPUP.EXE, Quarantined, [94], [441900],1.0.3123

     Physical Sector: 0 (No malicious items detected)

     (end)
  5. Now:

     Fix result of Farbar Recovery Scan Tool (x64) Version: 26-10-2017
     Ran by SYSTEM (28-10-2017 21:07:10) Run:5
     Running from d:\
     Boot Mode: Recovery
     ==============================================

     fixlist content:
     *****************
     DeleteKey: HKLM\System\CurrentControlSet\Services\DrToolKrl
     R5 DrToolKrl; C:\Windows\System32\Drivers\DrToolKrl.sys [53136 2017-10-27] () [File not signed]
     C:\Windows\System32\Drivers\DrToolKrl.sys
     *****************

     HKLM\System\CurrentControlSet\Services\DrToolKrl => key not found.
     HKLM\System\ControlSet001\Services\DrToolKrl => key removed successfully
     DrToolKrl => service removed successfully
     C:\Windows\System32\Drivers\DrToolKrl.sys => moved successfully

     ==== End of Fixlog 21:07:10 ====

     You are the best! Thanks. I think it's good now?
  6. Hopefully I followed the instructions correctly.

     Fix result of Farbar Recovery Scan Tool (x64) Version: 26-10-2017
     Ran by Asus (28-10-2017 20:32:20) Run:4
     Running from E:\
     Loaded Profiles: Asus (Available Profiles: defaultuser0 & Asus)
     Boot Mode: Normal
     ==============================================

     fixlist content:
     *****************
     DeleteKey: HKLM\System\CurrentControlSet\Services\DrToolKrl
     R5 DrToolKrl; C:\Windows\System32\Drivers\DrToolKrl.sys [53136 2017-10-27] () [File not signed]
     C:\Windows\System32\Drivers\DrToolKrl.sys
     *****************

     HKLM\System\CurrentControlSet\Services\DrToolKrl => key could not remove. Access Denied.
     DrToolKrl => Unable to stop service.
     HKLM\System\CurrentControlSet\Services\DrToolKrl => key could not remove. Access Denied.
     Could not move "C:\Windows\System32\Drivers\DrToolKrl.sys" => Scheduled to move on reboot.
  7. The one I have here (this is my mom's laptop), it's only 1 GB. Is that enough? Cheers
  8. Hey Aura, the result (also as an attachment):

     Fix result of Farbar Recovery Scan Tool (x64) Version: 26-10-2017
     Ran by Asus (28-10-2017 19:52:54) Run:3
     Running from C:\Users\Asus\Desktop
     Loaded Profiles: Asus (Available Profiles: defaultuser0 & Asus)
     Boot Mode: Normal
     ==============================================

     fixlist content:
     *****************
     CloseProcesses:
     CreateRestorePoint:
     HKLM\...\Run: [SERVICE] => [X]
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [8916310] => C:\Users\Asus\AppData\Roaming\f1s1cpqsrwb\o1iojei13sa.exe [856838 2017-10-27] ( )
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [1299320] => C:\Users\Asus\AppData\Roaming\bfwgzsciu1m\2omxi0gm5zl.exe [856838 2017-10-27] ( )
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [9218657] => C:\Users\Asus\AppData\Roaming\0bqii3lzfef\jazkiwx3h34.exe [856838 2017-10-27] ( )
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [5785869] => C:\Users\Asus\AppData\Roaming\iska5afetxo\okgzqcccz0q.exe [856838 2017-10-27] ( )
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [8685070] => C:\Users\Asus\AppData\Roaming\4w5revbu24z\gsic40u1tk3.exe [856838 2017-10-27] ( )
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [7313697] => C:\Users\Asus\AppData\Roaming\nt5veqvxrpn\azlseumzpkn.exe [856838 2017-10-27] ( )
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [1150304] => C:\Users\Asus\AppData\Roaming\slpod3t4eeu\mreichg1yd0.exe [856838 2017-10-27] ( )
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [4753942] => C:\Users\Asus\AppData\Roaming\zdsrlaj4waa\bax5x1025hr.exe [856838 2017-10-27] ( )
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [Win64svc] => krk.tmp
     ShellExecuteHooks: No Name - {5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} - -> No File
     GroupPolicy: Restriction - Chrome <==== ATTENTION
     GroupPolicy\User: Restriction <==== ATTENTION
     "DrToolKrl" => service could not be unlocked. <==== ATTENTION
     R5 DrToolKrl; C:\Windows\System32\Drivers\DrToolKrl.sys [53136 2017-10-27] () [File not signed]
     R5 DrToolKrl; <==== ATTENTION: Locked Service
     S1 tltucuae; \??\C:\WINDOWS\system32\drivers\tltucuae.sys [X]
     S1 uhyfzvig; \??\C:\WINDOWS\system32\drivers\uhyfzvig.sys [X]
     S1 vtuiso; system32\drivers\vtuiso.sys [X]
     S1 wfcre; system32\drivers\wfcre.sys [X]
     Task: {44383721-89D9-4D85-B126-17397C76E787} - System32\Tasks\{FC8C2E69-4121-49F1-807A-760BB684636F} => "c:\windows\system32\launchwinapp.exe" hxxps://ui.skype.com/ui/0/7.35.0.103/pp/go/help.faq.installer?source=lightinstaller&LastError=1603
     Task: {6FFB83E5-B616-4DD5-A123-B5F07D77BA9F} - System32\Tasks\{C3BD56FC-E07B-461F-BE75-8439DD725691} => "c:\windows\system32\launchwinapp.exe" hxxps://ui.skype.com/ui/0/7.35.0.103/pp/go/help.faq.installer?source=lightinstaller&LastError=1603
     Task: {D95E2DA4-6479-4A7D-8BEA-6E174835DEB2} - \DecAsus -> No File <==== ATTENTION
     Task: C:\WINDOWS\Tasks\Online Application V2G1.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
     Task: C:\WINDOWS\Tasks\Online Application V2G3.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\StartupApproved\Run: => "4753942"
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\StartupApproved\Run: => "1150304"
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\StartupApproved\Run: => "7313697"
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\StartupApproved\Run: => "5785869"
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\StartupApproved\Run: => "9218657"
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\StartupApproved\Run: => "8685070"
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\StartupApproved\Run: => "8916310"
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\StartupApproved\Run: => "1299320"
     FirewallRules: [TCP Query User{30D5F275-795E-4B98-A169-0562DC5F7C96}C:\users\asus\appdata\local\temp\e4a2.tmpxl\download\minithunderplatform.exe] => (Block) C:\users\asus\appdata\local\temp\e4a2.tmpxl\download\minithunderplatform.exe
     FirewallRules: [UDP Query User{06581E84-737A-43EB-A08C-2DDC4111E2E2}C:\users\asus\appdata\local\temp\e4a2.tmpxl\download\minithunderplatform.exe] => (Block) C:\users\asus\appdata\local\temp\e4a2.tmpxl\download\minithunderplatform.exe
     FirewallRules: [{23539C09-26E1-49A5-87A7-C67033219742}] => (Allow) 㩃啜敳獲䅜畳屳灁䑰瑡屡潒浡湩屧獳屮獳⹮硥e
     FirewallRules: [{826373A1-BB12-4652-9418-D50B6489C76F}] => (Allow) 㩃啜敳獲䅜畳屳灁䑰瑡屡潒浡湩屧獳屮慳敶灵攮數
     C:\Disk
     C:\Windat
     C:\WinSys
     C:\Program Files (x86)\Microleaves
     C:\ProgramData\CupCheck
     C:\ProgramData\LCFApp
     C:\ProgramData\Thunder Network
     C:\ProgramData\ntuser.pol
     C:\Users\Public\Thunder Network
     C:\Users\Asus\AppData\Local\UCBrowser
     C:\Users\Asus\AppData\Local\installer.dat
     C:\Users\Asus\AppData\Roaming\ChromeHelper
     C:\Users\Asus\AppData\Roaming\f1s1cpqsrwb
     C:\Users\Asus\AppData\Roaming\bfwgzsciu1m
     C:\Users\Asus\AppData\Roaming\0bqii3lzfef
     C:\Users\Asus\AppData\Roaming\iska5afetxo
     C:\Users\Asus\AppData\Roaming\4w5revbu24z
     C:\Users\Asus\AppData\Roaming\nt5veqvxrpn
     C:\Users\Asus\AppData\Roaming\slpod3t4eeu
     C:\Users\Asus\AppData\Roaming\zdsrlaj4waa
     C:\Users\Asus\AppData\Roaming\TeamViewer
     C:\Users\Asus\AppData\Roaming\CsQuery.dll
     C:\Users\Asus\AppData\Roaming\CsQuery.xml
     C:\Users\Asus\AppData\Roaming\sp_data.sys
     C:\Windows\upup.exe
     C:\Windows\System32\Drivers\DrToolKrl.sys
     C:\WINDOWS\SysWOW64\lyouwlkd
     C:\WINDOWS\SysWOW64\Connecting
     EmptyTemp:
     *****************

     Processes closed successfully.
     Restore point was successfully created.
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\SERVICE => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\Software\Microsoft\Windows\CurrentVersion\Run\\8916310 => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\Software\Microsoft\Windows\CurrentVersion\Run\\1299320 => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\Software\Microsoft\Windows\CurrentVersion\Run\\9218657 => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\Software\Microsoft\Windows\CurrentVersion\Run\\5785869 => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\Software\Microsoft\Windows\CurrentVersion\Run\\8685070 => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\Software\Microsoft\Windows\CurrentVersion\Run\\7313697 => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\Software\Microsoft\Windows\CurrentVersion\Run\\1150304 => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\Software\Microsoft\Windows\CurrentVersion\Run\\4753942 => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Win64svc => value removed successfully
     HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} => value removed successfully
     HKLM\Software\Classes\CLSID\{5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} => key not found.
     C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
     C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
     C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
     C:\WINDOWS\system32\GroupPolicy\User => moved successfully
     "DrToolKrl" => service could not be unlocked. <==== ATTENTION => Error: No automatic fix found for this entry.
     DrToolKrl => Unable to stop service.
     HKLM\System\CurrentControlSet\Services\DrToolKrl => key could not remove. Access Denied.
     DrToolKrl => Unable to stop service.
     HKLM\System\CurrentControlSet\Services\DrToolKrl => key could not remove. Access Denied.
     HKLM\System\CurrentControlSet\Services\tltucuae => key removed successfully
     tltucuae => service removed successfully
     HKLM\System\CurrentControlSet\Services\uhyfzvig => key removed successfully
     uhyfzvig => service removed successfully
     HKLM\System\CurrentControlSet\Services\vtuiso => key removed successfully
     vtuiso => service removed successfully
     HKLM\System\CurrentControlSet\Services\wfcre => key removed successfully
     wfcre => service removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{44383721-89D9-4D85-B126-17397C76E787} => key removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{44383721-89D9-4D85-B126-17397C76E787} => key removed successfully
     C:\WINDOWS\System32\Tasks\{FC8C2E69-4121-49F1-807A-760BB684636F} => moved successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{FC8C2E69-4121-49F1-807A-760BB684636F} => key removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6FFB83E5-B616-4DD5-A123-B5F07D77BA9F} => key removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6FFB83E5-B616-4DD5-A123-B5F07D77BA9F} => key removed successfully
     C:\WINDOWS\System32\Tasks\{C3BD56FC-E07B-461F-BE75-8439DD725691} => moved successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{C3BD56FC-E07B-461F-BE75-8439DD725691} => key removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D95E2DA4-6479-4A7D-8BEA-6E174835DEB2} => key removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D95E2DA4-6479-4A7D-8BEA-6E174835DEB2} => key removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DecAsus => key removed successfully
     C:\WINDOWS\Tasks\Online Application V2G1.job => moved successfully
     C:\WINDOWS\Tasks\Online Application V2G3.job => moved successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\4753942 => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\4753942 => value not found.
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\1150304 => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\1150304 => value not found.
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\7313697 => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\7313697 => value not found.
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\5785869 => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\5785869 => value not found.
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\9218657 => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\9218657 => value not found.
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\8685070 => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\8685070 => value not found.
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\8916310 => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\8916310 => value not found.
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\1299320 => value removed successfully
     HKU\S-1-5-21-848942897-2584456738-1363378028-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\1299320 => value not found.
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{30D5F275-795E-4B98-A169-0562DC5F7C96}C:\users\asus\appdata\local\temp\e4a2.tmpxl\download\minithunderplatform.exe => value removed successfully
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{06581E84-737A-43EB-A08C-2DDC4111E2E2}C:\users\asus\appdata\local\temp\e4a2.tmpxl\download\minithunderplatform.exe => value removed successfully
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{23539C09-26E1-49A5-87A7-C67033219742} => value removed successfully
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{826373A1-BB12-4652-9418-D50B6489C76F} => value removed successfully
     C:\Disk => moved successfully
     C:\Windat => moved successfully
     C:\WinSys => moved successfully
     "C:\Program Files (x86)\Microleaves" => not found.
     C:\ProgramData\CupCheck => moved successfully
     C:\ProgramData\LCFApp => moved successfully
     C:\ProgramData\Thunder Network => moved successfully
     C:\ProgramData\ntuser.pol => moved successfully
     C:\Users\Public\Thunder Network => moved successfully
     C:\Users\Asus\AppData\Local\UCBrowser => moved successfully
     C:\Users\Asus\AppData\Local\installer.dat => moved successfully
     C:\Users\Asus\AppData\Roaming\ChromeHelper => moved successfully
     C:\Users\Asus\AppData\Roaming\f1s1cpqsrwb => moved successfully
     C:\Users\Asus\AppData\Roaming\bfwgzsciu1m => moved successfully
     C:\Users\Asus\AppData\Roaming\0bqii3lzfef => moved successfully
     C:\Users\Asus\AppData\Roaming\iska5afetxo => moved successfully
     C:\Users\Asus\AppData\Roaming\4w5revbu24z => moved successfully
     C:\Users\Asus\AppData\Roaming\nt5veqvxrpn => moved successfully
     C:\Users\Asus\AppData\Roaming\slpod3t4eeu => moved successfully
     C:\Users\Asus\AppData\Roaming\zdsrlaj4waa => moved successfully
     C:\Users\Asus\AppData\Roaming\TeamViewer => moved successfully
     C:\Users\Asus\AppData\Roaming\CsQuery.dll => moved successfully
     C:\Users\Asus\AppData\Roaming\CsQuery.xml => moved successfully
     C:\Users\Asus\AppData\Roaming\sp_data.sys => moved successfully
     C:\Windows\upup.exe => moved successfully
     Could not move "C:\Windows\System32\Drivers\DrToolKrl.sys" => Scheduled to move on reboot.
     C:\WINDOWS\SysWOW64\lyouwlkd => moved successfully
     C:\WINDOWS\SysWOW64\Connecting => moved successfully

     =========== EmptyTemp: ==========

     BITS transfer queue => 8413184 B
     DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 6378874 B
     Java, Flash, Steam htmlcache => 0 B
     Windows/system/drivers => 578732 B
     Edge => 56518823 B
     Chrome => 0 B
     Firefox => 0 B
     Opera => 0 B

     Temp, IE cache, history, cookies, recent:
     Default => 0 B
     Users => 0 B
     ProgramData => 0 B
     Public => 0 B
     systemprofile => 11750 B
     systemprofile32 => 0 B
     LocalService => 0 B
     NetworkService => 3750 B
     defaultuser0 => 0 B
     Asus => 261693 B

     RecycleBin => 0 B
     EmptyTemp: => 68.8 MB temporary data Removed.

     ================================

     Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 28-10-2017 19:56:09)

     "C:\Windows\System32\Drivers\DrToolKrl.sys" => Could not move

     Result of scheduled keys to remove after reboot:

     HKLM\System\CurrentControlSet\Services\DrToolKrl => key could not remove. Access Denied.
     HKLM\System\CurrentControlSet\Services\DrToolKrl => key could not remove. Access Denied.

     ==== End of Fixlog 19:56:11 ====

     Fixlog.txt
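An added example, not part of the original thread and not code from FRST or Farbar: a small Python triage pass over lines copied from the fixlist in item 8 above. It does two things a responder reading that fixlist would want. First, it clusters the unsigned Run-key entries that share one exact file size (the eight 856838-byte binaries, each in its own random-named Roaming directory). Second, it decodes the two firewall-rule targets that FRST printed as CJK text. Those strings are byte-swapped UTF-16: each character packs two ASCII bytes in reverse order, so splitting every code point back into its low and high byte recovers the path. Decoded, the two Allow rules point at C:\Users\Asus\AppData\Roaming\ssn\ssn.exe and C:\Users\Asus\AppData\Roaming\ssn\saveup.exe; the second name matches the saveup_RASAPI32 and saveup_RASMANCS tracing keys Malwarebytes quarantined in item 4, and neither file is in the item 8 removal list, which is the kind of gap this decoding surfaces. The sample lines, the regexes and the random-name heuristic are this example's own assumptions, not FRST behaviour.

```python
"""Triage helpers for an FRST fixlist of the kind posted above.

Added example for this page; not code from the thread, from FRST or from
Farbar. It (1) clusters unsigned Run-key entries that share one exact file
size and live in random-looking directories, and (2) decodes firewall-rule
targets that FRST printed as CJK text, which are byte-swapped UTF-16.
"""
import re
from collections import defaultdict

# Sample input constructed for this example: lines copied from the fixlist
# above, with the firewall lines rejoined where the page wrapped them.
SAMPLE_LINES = r"""
HKLM\...\Run: [SERVICE] => [X]
HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [8916310] => C:\Users\Asus\AppData\Roaming\f1s1cpqsrwb\o1iojei13sa.exe [856838 2017-10-27] ( )
HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [1299320] => C:\Users\Asus\AppData\Roaming\bfwgzsciu1m\2omxi0gm5zl.exe [856838 2017-10-27] ( )
HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [9218657] => C:\Users\Asus\AppData\Roaming\0bqii3lzfef\jazkiwx3h34.exe [856838 2017-10-27] ( )
HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [5785869] => C:\Users\Asus\AppData\Roaming\iska5afetxo\okgzqcccz0q.exe [856838 2017-10-27] ( )
HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [8685070] => C:\Users\Asus\AppData\Roaming\4w5revbu24z\gsic40u1tk3.exe [856838 2017-10-27] ( )
HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [7313697] => C:\Users\Asus\AppData\Roaming\nt5veqvxrpn\azlseumzpkn.exe [856838 2017-10-27] ( )
HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [1150304] => C:\Users\Asus\AppData\Roaming\slpod3t4eeu\mreichg1yd0.exe [856838 2017-10-27] ( )
HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [4753942] => C:\Users\Asus\AppData\Roaming\zdsrlaj4waa\bax5x1025hr.exe [856838 2017-10-27] ( )
HKU\S-1-5-21-848942897-2584456738-1363378028-1001\...\Run: [Win64svc] => krk.tmp
FirewallRules: [TCP Query User{30D5F275-795E-4B98-A169-0562DC5F7C96}C:\users\asus\appdata\local\temp\e4a2.tmpxl\download\minithunderplatform.exe] => (Block) C:\users\asus\appdata\local\temp\e4a2.tmpxl\download\minithunderplatform.exe
FirewallRules: [UDP Query User{06581E84-737A-43EB-A08C-2DDC4111E2E2}C:\users\asus\appdata\local\temp\e4a2.tmpxl\download\minithunderplatform.exe] => (Block) C:\users\asus\appdata\local\temp\e4a2.tmpxl\download\minithunderplatform.exe
FirewallRules: [{23539C09-26E1-49A5-87A7-C67033219742}] => (Allow) 㩃啜敳獲䅜畳屳灁䑰瑡屡潒浡湩屧獳屮獳⹮硥e
FirewallRules: [{826373A1-BB12-4652-9418-D50B6489C76F}] => (Allow) 㩃啜敳獲䅜畳屳灁䑰瑡屡潒浡湩屧獳屮慳敶灵攮數
""".strip().splitlines()

# Run-key lines of the shape "\Run: [name] => C:\dir\file.exe [size date] (signer)".
RUN_RE = re.compile(
    r"\\Run: \[(?P<name>[^\]]+)\] => (?P<path>[A-Za-z]:\\\S+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>[^)]*)\)"
)
FW_RE = re.compile(
    r"^FirewallRules: \[(?P<rule>[^\]]+)\] => \((?P<action>\w+)\) (?P<target>.+)$"
)
# Crude "random directory name" heuristic (an assumption of this example):
# 8 or more lowercase alphanumerics mixing letters and digits.
RANDOM_DIR_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$")


def parse_run_entries(lines):
    """Return the Run-key entries that carry a [size date] (signer) suffix."""
    entries = []
    for line in lines:
        m = RUN_RE.search(line)
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["signer"] = e["signer"].strip()  # "( )" in FRST means no signer
            entries.append(e)
    return entries


def parent_dir_name(path):
    """Name of the directory that directly holds the executable."""
    return path.rsplit("\\", 2)[-2]


def looks_random(path):
    return bool(RANDOM_DIR_RE.match(parent_dir_name(path)))


def find_size_clusters(entries, min_count=3):
    """Group unsigned entries by exact byte size and keep the groups in which
    every binary sits in its own random-looking directory: several different
    names with one identical size is the pattern in the fixlist above."""
    by_size = defaultdict(list)
    for e in entries:
        if not e["signer"]:
            by_size[e["size"]].append(e)
    return {size: grp for size, grp in by_size.items()
            if len(grp) >= min_count and all(looks_random(e["path"]) for e in grp)}


def unswap_utf16(text):
    """Undo byte-swapped UTF-16 of an ASCII string. Each code point above
    0x7F is split into its low byte then its high byte; a lone ASCII char
    (the trailing 'e' of an odd-length path) passes through unchanged."""
    out = []
    for ch in text:
        code = ord(ch)
        out.append(ch if code < 0x80 else chr(code & 0xFF) + chr(code >> 8))
    return "".join(out)


def decode_firewall_rules(lines):
    """Return (rule name, action, decoded target) for each FirewallRules line."""
    rules = []
    for line in lines:
        m = FW_RE.match(line.strip())
        if m:
            rules.append((m["rule"], m["action"], unswap_utf16(m["target"])))
    return rules


if __name__ == "__main__":
    for size, grp in find_size_clusters(parse_run_entries(SAMPLE_LINES)).items():
        print(f"{len(grp)} unsigned Run entries of exactly {size} bytes:")
        for e in grp:
            print(f"  [{e['name']}] {e['path']}")
    for rule, action, target in decode_firewall_rules(SAMPLE_LINES):
        print(f"{action:5} {target}")
```

The byte swap only round-trips cleanly for ASCII paths, which is why the decoder treats anything below 0x80 as a stray odd byte rather than part of a pair; a path containing non-ASCII characters would need the raw registry bytes, not FRST's rendering of them.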
  9. Hi Aura, thanks so much for helping me. I attached the files from the scan. Thanks
     Addition.txt
     FRST.txt
  10. Hi again. Actually, I read it again and I made a mistake in the search the first time (forgot to include the *). Here is the result from the FRST:

      Farbar Recovery Scan Tool (x64) Version: 26-10-2017
      Ran by Asus (28-10-2017 18:40:18)
      Running from C:\Users\Asus\Desktop
      Boot Mode: Normal

      ================== Search Files: "*krk.tmp*" =============

      C:\Users\Asus\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\krk.tmp.log
      [2017-10-27 20:29][2017-10-27 20:29] 000000020 _____ () B3AC9D09E3A47D5FD00C37E075A70ECB [File not signed]

      ====== End of Search ======

      Thanks for any help.
  11. Hi, I have the same problem as discussed in a different thread, please help. I've used the FRST. Thank you in advance.

      Farbar Recovery Scan Tool (x64) Version: 26-10-2017
      Ran by Asus (28-10-2017 00:34:27)
      Running from C:\Users\Asus\Downloads
      Boot Mode: Normal

      ================== Search Files: "krk.tmp" =============

      C:\Users\Asus\AppData\Local\Temp\krk.tmp
      [2017-10-28 00:04][2017-10-28 00:04] 000000000 _____ () D41D8CD98F00B204E9800998ECF8427E [File not signed]

      ====== End of Search ======
  12. Hello, I have the same problem, please help. Thank you.

      Farbar Recovery Scan Tool (x64) Version: 26-10-2017
      Ran by Asus (28-10-2017 00:34:27)
      Running from C:\Users\Asus\Downloads
      Boot Mode: Normal

      ================== Search Files: "krk.tmp" =============

      C:\Users\Asus\AppData\Local\Temp\krk.tmp
      [2017-10-28 00:04][2017-10-28 00:04] 000000000 _____ () D41D8CD98F00B204E9800998ECF8427E [File not signed]

      ====== End of Search ======