  1. # DelFix v1.013 - Logfile created 10/06/2018 at 16:27:37
     # Updated 17/04/2016 by Xplode
     # Username : radlux - ORIONMACHINE
     # Operating System : Windows 10 Enterprise (64 bits)
     ~ Activating UAC ... OK
     ~ Removing disinfection tools ...
     Deleted : C:\FRST
     Deleted : C:\AdwCleaner
     Deleted : HKLM\SOFTWARE\TrendMicro\Hijackthis
     ~ Creating registry backup ... OK
     ~ Cleaning system restore ...
     Deleted : RP #8 [Installed DirectX | 06/10/2018 14:05:55]
     New restore point created !
     ~ Resetting system settings ... OK
     ########## - EOF - ##########

     This is the log. And no, I don't have questions. I'm just happy my PC is working like it should again. Thank you again for your help.
  2. A day passed since you gave me that fix. I used my PC all day, no issues found. I didn't notice any weirdness either. I would like to say a big thank you, Yoan, for guiding me and helping all the way.
  3. I would say it feels like it is normal again. No more weird window pop-ups and inappropriate ads. And I recognize all of the software running in the background.
  4. Fix result of Farbar Recovery Scan Tool (x64) Version: 06.06.2018 01
     Ran by radlux (08-06-2018 17:25:48) Run:1
     Running from D:\mylife\pc things
     Loaded Profiles: radlux (Available Profiles: radlux)
     Boot Mode: Normal
     ==============================================
     fixlist content:
     *****************
     CloseProcesses:
     CreateRestorePoint:
     HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
     IFEO\CE i386.exe: [Debugger] Enable
     IFEO\ce-x64.exe: [Debugger] Enable
     IFEO\Cheat Engine.exe: [Debugger] Enable
     IFEO\cheatengine-i386.exe: [Debugger] Enable
     IFEO\cheatengine-x86_64.exe: [Debugger] Enable
     GroupPolicy: Restriction ? <==== ATTENTION
     HKU\S-1-5-21-1269290702-2317946217-2171947900-1001\...\StartupApproved\Run: => "X0wxqOLDU4dAAw.exe"
     HKU\S-1-5-21-1269290702-2317946217-2171947900-1001\...\StartupApproved\Run: => "ycAutoLaunch_EEC923C9130988FC2F79A75E82DFDFE3"
     FirewallRules: [{AEEBBA59-5C29-492F-B32F-CBE083316E9E}] => (Allow) C:\WINDOWS\system32\rundll32.exe
     FirewallRules: [{88F336B5-E0BF-4AE8-BD41-952A71E452EA}] => (Allow) C:\Windows\System32\rundll32.exe
     FirewallRules: [{11366D59-0D1C-489A-8D84-1130BF53B8FC}] => (Allow) C:\Windows\System32\rundll32.exe
     FirewallRules: [{0F1171D4-1A35-49C8-A07D-F8E928859D41}] => (Allow) C:\Windows\System32\rundll32.exe
     FirewallRules: [{4347F078-FC98-4F80-A3A7-9560190009C7}] => (Allow) C:\Windows\System32\rundll32.exe
     C:\Program Files\My Program
     C:\Users\Radlux\AppData\Local\01c552fdb8eb46989d7c1d3fda7c26f2
     C:\Users\Radlux\AppData\Local\adbc066656164514bcef68fb4dbd4770
     C:\Users\Radlux\AppData\Local\updater.log
     C:\Users\Radlux\AppData\Local\UserProducts.xml
     C:\Users\Radlux\AppData\Roaming\winhttp
     EmptyTemp:
     *****************
     Processes closed successfully.
     Restore point was successfully created.
     HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => could not remove, key could be protected
     "HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\CE i386.exe" => removed successfully
     "HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ce-x64.exe" => removed successfully
     "HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\Cheat Engine.exe" => removed successfully
     "HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\cheatengine-i386.exe" => removed successfully
     "HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\cheatengine-x86_64.exe" => removed successfully
     C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
     C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
     "HKU\S-1-5-21-1269290702-2317946217-2171947900-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\X0wxqOLDU4dAAw.exe" => removed successfully
     "HKU\S-1-5-21-1269290702-2317946217-2171947900-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\X0wxqOLDU4dAAw.exe" => not found
     "HKU\S-1-5-21-1269290702-2317946217-2171947900-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\ycAutoLaunch_EEC923C9130988FC2F79A75E82DFDFE3" => removed successfully
     "HKU\S-1-5-21-1269290702-2317946217-2171947900-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ycAutoLaunch_EEC923C9130988FC2F79A75E82DFDFE3" => not found
     "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{AEEBBA59-5C29-492F-B32F-CBE083316E9E}" => removed successfully
     "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{88F336B5-E0BF-4AE8-BD41-952A71E452EA}" => removed successfully
     "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{11366D59-0D1C-489A-8D84-1130BF53B8FC}" => removed successfully
     "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0F1171D4-1A35-49C8-A07D-F8E928859D41}" => removed successfully
     "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4347F078-FC98-4F80-A3A7-9560190009C7}" => removed successfully
     C:\Program Files\My Program => moved successfully
     C:\Users\Radlux\AppData\Local\01c552fdb8eb46989d7c1d3fda7c26f2 => moved successfully
     C:\Users\Radlux\AppData\Local\adbc066656164514bcef68fb4dbd4770 => moved successfully
     C:\Users\Radlux\AppData\Local\updater.log => moved successfully
     C:\Users\Radlux\AppData\Local\UserProducts.xml => moved successfully
     C:\Users\Radlux\AppData\Roaming\winhttp => moved successfully
     =========== EmptyTemp: ==========
     BITS transfer queue => 9199616 B
     DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 138944267 B
     Java, Flash, Steam htmlcache => 374038656 B
     Windows/system/drivers => 102213 B
     Edge => 13 B
     Chrome => 461581419 B
     Firefox => 0 B
     Opera => 0 B
     Temp, IE cache, history, cookies, recent:
     Default => 0 B
     Users => 0 B
     ProgramData => 0 B
     Public => 0 B
     systemprofile => 0 B
     systemprofile32 => 2783 B
     LocalService => 0 B
     LocalService => 0 B
     NetworkService => 2990 B
     NetworkService => 0 B
     Radlux => 157316711 B
     RecycleBin => 0 B
     EmptyTemp: => 1.1 GB temporary data Removed.
     ================================
     Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 08-06-2018 17:27:15)
     Result of scheduled keys to remove after reboot:
     "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" => removed successfully
     ==== End of Fixlog 17:27:15 ====
  5. RogueKiller V12.12.20.0 (x64) [Jun 4 2018] (Free) by Adlice Software
     Operating System : Windows 10 (10.0.17134) 64 bits version
     Started in : Normal mode
     User : radlux [Administrator]
     Started from : C:\Users\Radlux\Desktop\RogueKiller_portable64.exe
     Mode : Delete -- Date : 06/06/2018 19:27:11 (Duration : 00:22:29)
     ¤¤¤ Processes : 0 ¤¤¤
     ¤¤¤ Registry : 2 ¤¤¤
     [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1269290702-2317946217-2171947900-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Replaced (http://search.msn.com/spbasic.htm)
     [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1269290702-2317946217-2171947900-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Replaced (http://search.msn.com/spbasic.htm)
     ¤¤¤ Tasks : 0 ¤¤¤
     ¤¤¤ Files : 0 ¤¤¤
     ¤¤¤ WMI : 0 ¤¤¤
     ¤¤¤ Hosts File : 0 ¤¤¤
     ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
     ¤¤¤ Web browsers : 0 ¤¤¤
     ¤¤¤ MBR Check : ¤¤¤
     +++++ PhysicalDrive0: ST2000VX008-2E3164 +++++
     --- User ---
     [MBR] 703903d4f3903668c4dc30991ba79209
     [BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
     Partition table:
     0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
     1 - Basic data partition | Offset (sectors): 264192 | Size: 1907600 MB
     User = LL1 ... OK
     User = LL2 ... OK
     +++++ PhysicalDrive1: ADATA SU800NS38 +++++
     --- User ---
     [MBR] b138114d6bf4c46d6813adb68b152026
     [BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
     Partition table:
     0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
     1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 923648 | Size: 100 MB
     2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1128448 | Size: 16 MB
     3 - Basic data partition | Offset (sectors): 1161216 | Size: 121537 MB
     User = LL1 ... OK
     User = LL2 ... OK
  6. UPDATE RELATED TO MY FIRST POST: I did another AVAST performance scan, and the GOTO: <Product Name> program disappeared. The last performance scan I did was yesterday morning. And I ran AdwCleaner yesterday night, which found malware. So maybe it was one of those pieces of malware.
  7. Hey Yoan, I am so thankful for your fast reply. I did a Malwarebytes search just now, and it says no threats detected.
  8. Hello, I got unlucky 3 days ago and a virus package started to download and install itself on my PC. After I accidentally opened the malware-infected exe file, due to a weird pop-up which immediately closed itself, I checked my virus scanner and it was turned off. After that I removed my internet cable with insane human speed, and got a lot of error messages that this and that program could not install.

     After a lot of googling I scanned my PC with Avast and Malwarebytes. And they together found over 90 suspicious files. More than 20 were trojan bitcoinminer. After that I noticed that my PC got slightly faster, but then Chrome opened itself, directing me to a random page. I found out about SearchScope malware and downloaded AdwCleaner. It found 2 more trojans and 11 PUPs. I remembered a program called HiJackThis which was used back then. And after I used it I found more SearchScope lines in the registry; I manually deleted them (there were 5). But then 2 of those SearchScope registry entries renewed themselves, and none of my scanners could find anything. And lastly, in the HiJackThis txt file I found an exe called cheatengine. Since I never used it, I googled it, and found out it's a virus too.

     Sorry if I wrote too much, I thought it would be easier to help knowing what I did in the last 3 days. The reason why I am asking for help is that I cannot clean up the trash after the malware, because I cannot find it. And I am getting kind of tired and confused by now. Thank you for helping with this.

     I included my HiJackThis file too, because it says (file missing) next to the cheatengine.exes, and that is what made me confused. I could not include my Malwarebytes threat scan log, because I installed, scanned and uninstalled it, because it was working weirdly after the scan. And now I installed it again, and it is fine now.

     One last thing: I could not find anything useful about it on the internet. Only my AVAST shows it when I do a performance scan; it says there is a program called GOTO: <Product Name> running in the background. Is that malware/spyware?

     Bill.

     Addition.txt FRST.txt HiJackThis.log AdwCleaner[C00].txt
