BSOD and cannot complete MWB3 installation (proc error)

[JonathanCarson]

I was encountering BSOD every time my PC was booting, even just leaving it on the log in screen. Tried a system restore, which told me it could not be completed and i should run a disk check. Haven't ran the disk check. Booted in to safe mode and tried to install MWB3, initially IE tells me that it is not an authorised signature and wouldn't run the file, when I got it to run i encountered an error that was along the lines of a 'proc error'. Tried downloading FARBAR through IE, kept crashing before download would start, also got homepage hijacked by 'safefinder'. 

 

Used Chrome, found FARBAR and downloaded, installed and ran. files are attached. 

 

I also encounter an issue where my internet explorer is automatically set to use a proxy and i need to disable it to begin to browse the internet. 

Addition.txt

FRST.txt

[Aura]

Hi JonathanCarson

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

• As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
• As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
• The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
• If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
• If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
• Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
• I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules;
• In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
• I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
  

This being said, it's time to clean-up some malware, so let's get started, shall we?

Please give me a few hours to review your logs and get back at you.

[Aura]

Well, it looks like your system is infected from A to Z, but don't worry, we'll get it up back on its feet in no time.

Malicious Programs Warning!

I noticed that you have malicious programs installed on your system. I'll ask you to uninstall them since uninstalling such programs before running malware removal tools will ensure a better clean-up.

• AdBlocker
• AnonymizerGadget
• AppTrailers - AppTrailers for Desktop
• ByteFence Anti-Malware
• Chromium
• CloudExtender
• DragonBoost
• KMSpico 4.1
• One System Care
• PRO PC Cleaner
• SafeFinder
• Social2Search
• uTorrentControl_v2 Toolbar
• WeatherBuddy
• WebDiscover Browser 3.15.2
  

If you have an issue when uninstalling a program, please let me know.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

• Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
• Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
• Click on the Fix button;
  
• On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
• Copy and paste its content in your next reply;
  

fixlist.txt

[JonathanCarson]

Hi, Thanks for your help. I am progressing with the uninstalls however will need to finish them off tomorrow (I am in England) I have been running everything in safe mode with networking.
I have encountered a couple of issues, the utorrentcontrol toolbar just won't do anything when going through windows uninstall programs. I have also found this on c drive and using uninstaller there still does not proceed.
 I cannot find dragonboost anywhere, even when searching my c drive.

 Weatherbuddy tries to tell me there is an error with the windows installer service and won't go any further 
 The webdiscover browser tells me setup files are corrupted and won't proceed (I can find this on c drive, should I just delete files?). 

 As you can see I am having lots of fun!

[Aura]

If you cannot uninstall a program, move to the other one. We'll get rid of all of them in the end anyway  

[JonathanCarson]

Hi, 

 

my log file is below. As stated before, I have still been unable to uninstall the WebDiscover Browser, Weatherbuddy, uTorrentControl Toolbar and I have been unable to find any reference to DragonBoost. 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-06-2017 01
Ran by Jonathan (16-06-2017 21:55:34) Run:1
Running from F:\Downloads
Loaded Profiles: Jonathan (Available Profiles: Jonathan & UpdatusUser)
Boot Mode: Safe Mode (with Networking)
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:

HKLM\...\Run: [WebDiscoverBrowser] => C:\Program Files\WebDiscoverBrowser\3.15.2\browser.exe [918240 2017-05-01] () <===== ATTENTION
HKLM-x32\...\Run: [AnonymizerGadget] => C:\Users\Jonathan\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe [349704 2017-05-30] (Jetico ltd) <===== ATTENTION
HKLM-x32\...\Run: [AppTrailers] => C:\Users\Jonathan\AppData\Roaming\AppTrailers\AppTrailers.exe [47835880 2017-03-28] () <===== ATTENTION
HKLM\ DisallowedCertificates: 03D22C9C66915D58C88912B64C1F984B8344EF09 (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 0F684EC1163281085C6AF20528878103ACEFCAAB (F-Secure Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 1667908C9E22EFBD0590E088715CC74BE4C60884 (FRISK Software International/F-Prot) <==== ATTENTION
HKLM\ DisallowedCertificates: 18DEA4EFA93B06AE997D234411F3FD72A677EECE (Bitdefender SRL) <==== ATTENTION
HKLM\ DisallowedCertificates: 2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF (G DATA Software AG) <==== ATTENTION
HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 31AC96A6C17C425222C46D55C3CCA6BA12E54DAF (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 331E2046A1CCA7BFEF766724394BE6112B4CA3F7 (Trend Micro) <==== ATTENTION
HKLM\ DisallowedCertificates: 3353EA609334A9F23A701B9159E30CB6C22D4C59 (Webroot Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: 373C33726722D3A5D1EDD1F1585D5D25B39BEA1A (SUPERAntiSpyware.com) <==== ATTENTION
HKLM\ DisallowedCertificates: 3D496FA682E65FC122351EC29B55AB94F3BB03FC (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: 4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 (PC Tools) <==== ATTENTION
HKLM\ DisallowedCertificates: 42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 (K7 Computing Pvt Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 4420C99742DF11DD0795BC15B7B0ABF090DC84DF (Doctor Web Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 5240AB5B05D11B37900AC7712A3C6AE42F377C8C (Check Point Software Technologies Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 5DD3D41810F28B2A13E9A004E6412061E28FA48D (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 7457A3793086DBB58B3858D6476889E3311E550E (K7 Computing Pvt Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 76A9295EF4343E12DFC5FE05DC57227C1AB00D29 (BullGuard Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 775B373B33B9D15B58BC02B184704332B97C3CAF (McAfee) <==== ATTENTION
HKLM\ DisallowedCertificates: 872CD334B7E7B3C3D1C6114CD6B221026D505EAB (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 88AD5DFE24126872B33175D1778687B642323ACF (McAfee) <==== ATTENTION
HKLM\ DisallowedCertificates: 9132E8B079D080E01D52631690BE18EBC2347C1E (Adaware Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 982D98951CF3C0CA2A02814D474A976CBFF6BDB1 (Safer Networking Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 (Webroot Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9C43F665E690AB4D486D4717B456C5554D4BCEB5 (ThreatTrack Security) <==== ATTENTION
HKLM\ DisallowedCertificates: 9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 (CURIOLAB S.M.B.A.) <==== ATTENTION
HKLM\ DisallowedCertificates: A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 (Avira Operations GmbH & Co. KG) <==== ATTENTION
HKLM\ DisallowedCertificates: A5341949ABE1407DD7BF7DFE75460D9608FBC309 (BullGuard Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: A59CC32724DD07A6FC33F7806945481A2D13CA2F (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: AD4C5429E10F4FF6C01840C20ABA344D7401209F (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: AD96BB64BA36379D2E354660780C2067B81DA2E0 (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: CDC37C22FE9272D8F2610206AD397A45040326B8 (Trend Micro) <==== ATTENTION
HKLM\ DisallowedCertificates: DB303C9B61282DE525DC754A535CA2D6A9BD3D87 (ThreatTrack Security) <==== ATTENTION
HKLM\ DisallowedCertificates: DB77E5CFEC34459146748B667C97B185619251BA (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: E22240E837B52E691C71DF248F12D27F96441C00 (Total Defense, Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: ED841A61C0F76025598421BC1B00E24189E68D54 (Bitdefender SRL) <==== ATTENTION
HKLM\ DisallowedCertificates: F83099622B4A9F72CB5081F742164AD1B8D048C9 (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: FBB42F089AF2D570F2BF6F493D107A3255A9BB1A (Panda Security S.L) <==== ATTENTION
HKLM\ DisallowedCertificates: FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 (Doctor Web Ltd.) <==== ATTENTION
HKU\S-1-5-21-98057761-1509031509-3500754796-1001\...\Run: [pmpcrc] => rundll32.exe "C:\Users\Jonathan\AppData\Local\pmpcrc.dll",pmpcrc <===== ATTENTION
HKU\S-1-5-21-98057761-1509031509-3500754796-1001\...\Run: [Owsics] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Jonathan\AppData\Local\Odxvics\zqgpudjd.dll <===== ATTENTION
HKU\S-1-5-21-98057761-1509031509-3500754796-1001\...\Run: [Interstatnogui] => C:\Users\Jonathan\AppData\Roaming\Interstatnogui\interstatnogui.exe [3022640 2017-05-30] (IT Genius) <===== ATTENTION
HKU\S-1-5-21-98057761-1509031509-3500754796-1001\...\Run: [Chromium] => c:\users\jonathan\appdata\local\chromium\application\chrome.exe [828416 2017-01-21] (The Chromium Authors)
AppInit_DLLs: C:\ProgramData\Hotfresh\TresSonsoft.dll => C:\ProgramData\Hotfresh\TresSonsoft.dll [343552 2017-06-06] ()
AppInit_DLLs-x32: C:\ProgramData\Hotfresh\Konksing.dll => C:\ProgramData\Hotfresh\Konksing.dll [246784 2017-06-06] ()
Startup: C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WeatherBuddy.lnk [2017-05-30] <===== ATTENTION
ShortcutTarget: WeatherBuddy.lnk -> C:\Users\Jonathan\AppData\Local\WeatherBuddy\WeatherBuddy.exe (ELLS LLC) <===== ATTENTION
GroupPolicy: Restriction - Chrome <======= ATTENTION

ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => 127.0.0.1:8003
ProxyEnable: [S-1-5-19] => Proxy is enabled.
ProxyServer: [S-1-5-19] => 127.0.0.1:8003
ProxyEnable: [S-1-5-20] => Proxy is enabled.
ProxyServer: [S-1-5-20] => 127.0.0.1:8003
ProxyServer: [S-1-5-21-98057761-1509031509-3500754796-1001] => 127.0.0.1:8003

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://uk.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_nxtad_17_22&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dgb%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0Fzzzz0F0F0F0BtB0CtA0C0FzztN0D0Tzu0StCzyyByCtN1L2XzutAtFtAtBtFtCtFyDtBtN1L1Czu1BzztN1L1G1B1V1N2Y1L1Qzu2SyCyD0CyB0BzytC0EtGtDyC0C0EtGyC0DzztDtGtA0EzztCtG0D0DyDtBtAtCyEtDtC0Ezy0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0F0EyDtDtCzzyCyEtGtCzyyCyDtGyE0EtAyBtG0AzyyCtBtG0B0FtC0DtDtA0ByEyEzzyB0C2QtN0A0LzutBtN1B2Z1V1T1S1NzutCtBzyyDtC%26cr%3D1940103760%26a%3Dwbf_nxtad_17_22%26os_ver%3D6.3%26os%3DWindows%2B8.1%2BPro
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://uk.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_nxtad_17_22&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dgb%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0Fzzzz0F0F0F0BtB0CtA0C0FzztN0D0Tzu0StCzyyByCtN1L2XzutAtFtAtBtFtCtFyDtBtN1L1Czu1BzztN1L1G1B1V1N2Y1L1Qzu2SyCyD0CyB0BzytC0EtGtDyC0C0EtGyC0DzztDtGtA0EzztCtG0D0DyDtBtAtCyEtDtC0Ezy0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0F0EyDtDtCzzyCyEtGtCzyyCyDtGyE0EtAyBtG0AzyyCtBtG0B0FtC0DtDtA0ByEyEzzyB0C2QtN0A0LzutBtN1B2Z1V1T1S1NzutCtBzyyDtC%26cr%3D1940103760%26a%3Dwbf_nxtad_17_22%26os_ver%3D6.3%26os%3DWindows%2B8.1%2BPro
HKU\S-1-5-21-98057761-1509031509-3500754796-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRYSttY34mamef947lyuY0Qs102op0UmvHKVEaATIQ0_Mg-QH0PsdLYjfuzphkmKLcMjgKxemRL2it8zSqb2rUcifpkTiUIzBGuSKtpkU8jbMvQbfw8-RxoG8xBBcYpMrJyWMV5xouSIoc547F1zM0NOiz9bt8ByK4YtEWpBEkUciOGdv&q={searchTerms}
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_nxtad_17_22&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dgb%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0Fzzzz0F0F0F0BtB0CtA0C0FzztN0D0Tzu0StCzyyByCtN1L2XzutAtFtAtBtFtCtFyDtBtN1L1Czu1BzztN1L1G1B1V1N2Y1L1Qzu2SyCyD0CyB0BzytC0EtGtDyC0C0EtGyC0DzztDtGtA0EzztCtG0D0DyDtBtAtCyEtDtC0Ezy0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0F0EyDtDtCzzyCyEtGtCzyyCyDtGyE0EtAyBtG0AzyyCtBtG0B0FtC0DtDtA0ByEyEzzyB0C2QtN0A0LzutBtN1B2Z1V1T1S1NzutCtBzyyDtC%26cr%3D1940103760%26a%3Dwbf_nxtad_17_22%26os_ver%3D6.3%26os%3DWindows%2B8.1%2BPro&p={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_nxtad_17_22&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dgb%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0Fzzzz0F0F0F0BtB0CtA0C0FzztN0D0Tzu0StCzyyByCtN1L2XzutAtFtAtBtFtCtFyDtBtN1L1Czu1BzztN1L1G1B1V1N2Y1L1Qzu2SyCyD0CyB0BzytC0EtGtDyC0C0EtGyC0DzztDtGtA0EzztCtG0D0DyDtBtAtCyEtDtC0Ezy0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0F0EyDtDtCzzyCyEtGtCzyyCyDtGyE0EtAyBtG0AzyyCtBtG0B0FtC0DtDtA0ByEyEzzyB0C2QtN0A0LzutBtN1B2Z1V1T1S1NzutCtBzyyDtC%26cr%3D1940103760%26a%3Dwbf_nxtad_17_22%26os_ver%3D6.3%26os%3DWindows%2B8.1%2BPro&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL = 
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRYSttY34mamef947lyuY0Qs102op0UmvHKVEaATIQ0_Mg-QH0PsdLYjfuzphkmKLcMjgKxemRL2it8zSqb2rUcifpkTiUIzBGuSKtpkU8jbMvQbfw8-RxoG8xBBcYpMrJyWMV5xouSIoc547F1zM0NOiz9bt8ByK4YtEWpBEkUciOGdv&q={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_nxtad_17_22&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dgb%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDtD0F0Fzzzz0F0F0F0BtB0CtA0C0FzztN0D0Tzu0StCzyyByCtN1L2XzutAtFtAtBtFtCtFyDtBtN1L1Czu1BzztN1L1G1B1V1N2Y1L1Qzu2SyCyD0CyB0BzytC0EtGtDyC0C0EtGyC0DzztDtGtA0EzztCtG0D0DyDtBtAtCyEtDtC0Ezy0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0F0EyDtDtCzzyCyEtGtCzyyCyDtGyE0EtAyBtG0AzyyCtBtG0B0FtC0DtDtA0ByEyEzzyB0C2QtN0A0LzutBtN1B2Z1V1T1S1NzutCtBzyyDtC%26cr%3D1940103760%26a%3Dwbf_nxtad_17_22%26os_ver%3D6.3%26os%3DWindows%2B8.1%2BPro&p={searchTerms}
SearchScopes: HKU\S-1-5-21-98057761-1509031509-3500754796-1001 -> {ielnksrch} URL = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRYSttY34mamef947lyuY0Qs102op0UmvHKVEaATIQ0_Mg-QH0PsdLYjfuzphkmKLcMjgKxemRL2it8zSqb2rUcifpkTiUIzBGuSKtpkU8jbMvQbfw8-RxoG8xBBcYpMrJyWMV5xouSIoc547F1zM0NOiz9bt8ByK4YtEWpBEkUciOGdv&q={searchTerms}
BHO: VKOKAdBlock -> {FF20459C-DA6E-41A7-80BC-8F4FEFD9C575} -> C:\Program Files (x86)\VKOKAblockIE\tBbFtlr.dll [2017-05-30] ()

CHR Extension: (VK+OK AdBlock) - C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkpmlagemdabhmalimnfcajhlohhkehb [2017-05-30]
CHR HKLM\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx

S2 AdService; C:\Users\Jonathan\AppData\Local\AdService\AdService.dll [970240 2017-05-30] () [File not signed] <==== ATTENTION
S2 backlh; C:\ProgramData\Logic Cramble\set.exe [3780096 2017-05-30] () [File not signed]
S2 ByteFenceService; C:\Program Files\ByteFence\ByteFenceService.exe [145888 2017-04-19] (Byte Technologies LLC)
S2 Hotfresh; C:\ProgramData\\Hotfresh\\Hotfresh.exe [3448832 2017-05-30] (TODO: <Company name>) [File not signed]
S2 RuntimeBroker; C:\WINDOWS\jonathan-pc\RuntimeBroker.exe [349184 2017-04-25] (www.kdsmarketing.com) [File not signed]
S2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [37888 2013-03-03] () [File not signed]
S2 srcsrv; C:\WINDOWS\src_srv\winsrcsrv.exe [17920 2017-05-29] () [File not signed] <==== ATTENTION

CustomCLSID: HKU\S-1-5-21-98057761-1509031509-3500754796-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Jonathan\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-98057761-1509031509-3500754796-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Jonathan\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-98057761-1509031509-3500754796-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Jonathan\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-98057761-1509031509-3500754796-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Jonathan\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-98057761-1509031509-3500754796-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Jonathan\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-98057761-1509031509-3500754796-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Jonathan\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-98057761-1509031509-3500754796-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Jonathan\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File

Task: {100B22F6-ECD7-43F3-B2EB-D944775CD86A} - System32\Tasks\WebDiscover Browser Launch Task => C:\Program Files\WebDiscoverBrowser\3.15.2\browser.exe [2017-05-01] () <==== ATTENTION
Task: {36A8F5C6-FC4F-44E2-874D-F0B6E240697F} - System32\Tasks\One System CarePeriod => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe [2016-12-26] () <==== ATTENTION
Task: {3F8D5F16-ED86-48E8-8139-D28227CE4E2F} - System32\Tasks\ByteFence => C:\Program Files\ByteFence\ByteFence.exe [2017-04-19] (Byte Technologies LLC) <==== ATTENTION
Task: {50263E6C-9583-4CC8-8DC6-65BCD682A362} - System32\Tasks\AGProxyCheck => C:\Program [Argument = Files (x86)\AnonymizerGadget\AGService.exe /recove]
Task: {805BD542-A5EF-407E-8E74-2154A217EB2A} - System32\Tasks\One System Care Task => C:\Program Files (x86)\OneSystemCare\SystemConsole.exe [2016-12-26] () <==== ATTENTION
Task: {B41C62D5-5569-4A3E-9404-80A76E29DF5C} - System32\Tasks\One System Care Run Delay => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe [2016-12-26] () <==== ATTENTION
Task: {C37F6530-66E6-4872-A511-1BAC09D84FC0} - System32\Tasks\WebDiscover Browser Update Task => C:\Program Files\WebDiscoverBrowser\3.15.2\browser.exe [2017-05-01] () <==== ATTENTION
Task: {E6FD7DEC-9F0C-42F3-94E7-E76737696E78} - \Kasperment Database Standard -> No File <==== ATTENTION
Task: {F81F8633-D6F7-4075-B230-D94FD3B4DA72} - System32\Tasks\One System Care Monitor => C:\Program Files (x86)\OneSystemCare\CleanupConsole.exe [2016-12-26] () <==== ATTENTION
Task: {F8486CAA-EF65-4570-92F8-677A0BC488E7} - System32\Tasks\{0F7A0E47-0D7E-780D-0E11-7D7F087A117F} => powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand IAA7ADsAOwAgADsAOwAgACAAOwA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAVwBhAHIAbgBpAG4AZwBQAHIAZQBmAGUAcgBlAG4A (the data entry has 10192 more characters). <==== ATTENTION
Task: C:\WINDOWS\Tasks\One System CarePeriod.job => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe <==== ATTENTION

ShortcutWithArgument: C:\Users\Jonathan\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
ShortcutWithArgument: C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
ShortcutWithArgument: C:\Users\Jonathan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
ShortcutWithArgument: C:\Users\Jonathan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
ShortcutWithArgument: C:\Users\Jonathan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
ShortcutWithArgument: C:\Users\Jonathan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%

FirewallRules: [{423F00BF-66B9-49A5-A784-D77158572FC7}] => (Allow) C:\Users\Jonathan\AppData\Local\Chromium\Application\chrome.exe

C:\ServiceLog.txt
C:\Program Files (x86)\AnonymizerGadget
C:\Program Files (x86)\KMSPico 10.2.1 Final
C:\Program Files (x86)\OneSystemCare
C:\Program Files (x86)\PRO PC Cleaner
C:\Program Files (x86)\VKOKAblockIE
C:\Program Files\ByteFence
C:\Program Files\d150c642f18be09d28e95b1310132ed9
C:\Program Files\KMSpico
C:\Program Files\WebDiscoverBrowser
C:\ProgramData\Hotfresh
C:\ProgramData\Hotfreshs
C:\ProgramData\Logic Cramble
C:\ProgramData\ntuser.pol
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HowToRemove.html.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\One System Care
C:\WINDOWS\jonathan-pc\RuntimeBroker.exe
C:\Users\Jonathan\Desktop\Chromium.lnk
C:\Users\Jonathan\Desktop\PRO PC Cleaner.lnk
C:\Users\Jonathan\Desktop\WeatherBuddy.lnk
C:\Users\Jonathan\AppData\Local\{0632D2FE-8531-4EAA-967E-CF02E0C3BC1D}
C:\Users\Jonathan\AppData\Local\{6252540E-46FA-38B6-2B62-1D5E0F0AE1C6}
C:\Users\Jonathan\AppData\Local\AdService
C:\Users\Jonathan\AppData\Local\CrashRpt
c:\users\jonathan\appdata\local\chromium
C:\Users\Jonathan\AppData\Local\Odxvics
C:\Users\Jonathan\AppData\Local\PRO_PC_Cleaner
C:\Users\Jonathan\AppData\Local\WeatherBuddy
C:\Users\Jonathan\AppData\Local\Ittough.exe
C:\Users\Jonathan\AppData\Local\pmpcrc.dll
C:\Users\Jonathan\AppData\Local\Softlab.exe
C:\Users\Jonathan\AppData\Local\uninstallro.exe
2017-05-30 21:29 - 2017-05-30 21:29 - 07306240 _____ C:\Users\Jonathan\AppData\Local\agent.dat
2017-05-30 21:29 - 2017-05-30 21:29 - 01896249 _____ C:\Users\Jonathan\AppData\Local\Ittough.tst
2017-05-30 21:29 - 2017-05-30 21:29 - 01895382 _____ C:\Users\Jonathan\AppData\Local\Zootouch.bin
2017-05-30 21:29 - 2017-05-30 21:29 - 00278509 _____ C:\Users\Jonathan\AppData\Local\Softlab.tst
2017-05-30 21:29 - 2017-05-30 21:29 - 00126464 _____ C:\Users\Jonathan\AppData\Local\noah.dat
2017-05-30 21:29 - 2017-05-30 21:29 - 00070800 _____ C:\Users\Jonathan\AppData\Local\Config.xml
2017-05-30 21:29 - 2017-05-30 21:29 - 00018432 _____ C:\Users\Jonathan\AppData\Local\Main.dat
2017-05-30 21:29 - 2017-05-30 21:29 - 00005568 _____ C:\Users\Jonathan\AppData\Local\md.xml
2017-05-30 21:28 - 2017-05-30 21:28 - 00140800 _____ C:\Users\Jonathan\AppData\Local\installer.dat
2017-05-30 21:28 - 2017-05-30 21:28 - 00016512 _____ C:\Users\Jonathan\AppData\Local\InstallationConfiguration.xml
2017-05-30 21:29 - 2017-05-30 21:29 - 0032038 _____ () C:\Users\Jonathan\AppData\Local\uninstall_temp.ico
C:\Users\Jonathan\AppData\LocalLow\VKOK
C:\Users\Jonathan\AppData\LocalLow\uTorrentControl_v2
C:\Users\Jonathan\AppData\Roaming\AGData
C:\Users\Jonathan\AppData\Roaming\AppTrailers
C:\Users\Jonathan\AppData\Roaming\Interstatnogui
C:\Users\Jonathan\AppData\Roaming\PRO PC Cleaner
C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AppTrailers
C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chromium.lnk
C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PRO PC Cleaner
C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WeatherBuddy
C:\WINDOWS\5bf2adb83a47848edb214e5335e43e33.exe
C:\WINDOWS\src_srv
C:\WINDOWS\shader.exe
C:\WINDOWS\2004_act.exe
C:\WINDOWS\unins000.exe
C:\WINDOWS\unins000.dat
C:\WINDOWS\uninstaller.dat
C:\WINDOWS\WeatherBuddy.INI

Hosts:
EmptyTemp:
*****************

Processes closed successfully.
Error: Restore point can only be created in normal mode.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\WebDiscoverBrowser => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AnonymizerGadget => value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AppTrailers => value not found.
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\03D22C9C66915D58C88912B64C1F984B8344EF09 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\0F684EC1163281085C6AF20528878103ACEFCAAB => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\1667908C9E22EFBD0590E088715CC74BE4C60884 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\18DEA4EFA93B06AE997D234411F3FD72A677EECE => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\249BDA38A611CD746A132FA2AF995A2D3C941264 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\31AC96A6C17C425222C46D55C3CCA6BA12E54DAF => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\331E2046A1CCA7BFEF766724394BE6112B4CA3F7 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\3353EA609334A9F23A701B9159E30CB6C22D4C59 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\373C33726722D3A5D1EDD1F1585D5D25B39BEA1A => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\3D496FA682E65FC122351EC29B55AB94F3BB03FC => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\4420C99742DF11DD0795BC15B7B0ABF090DC84DF => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\5240AB5B05D11B37900AC7712A3C6AE42F377C8C => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\5DD3D41810F28B2A13E9A004E6412061E28FA48D => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\7457A3793086DBB58B3858D6476889E3311E550E => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\76A9295EF4343E12DFC5FE05DC57227C1AB00D29 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\775B373B33B9D15B58BC02B184704332B97C3CAF => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\872CD334B7E7B3C3D1C6114CD6B221026D505EAB => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\88AD5DFE24126872B33175D1778687B642323ACF => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\9132E8B079D080E01D52631690BE18EBC2347C1E => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\982D98951CF3C0CA2A02814D474A976CBFF6BDB1 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\9C43F665E690AB4D486D4717B456C5554D4BCEB5 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\A5341949ABE1407DD7BF7DFE75460D9608FBC309 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\A59CC32724DD07A6FC33F7806945481A2D13CA2F => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\AD4C5429E10F4FF6C01840C20ABA344D7401209F => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\AD96BB64BA36379D2E354660780C2067B81DA2E0 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\CDC37C22FE9272D8F2610206AD397A45040326B8 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\DB303C9B61282DE525DC754A535CA2D6A9BD3D87 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\DB77E5CFEC34459146748B667C97B185619251BA => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\E22240E837B52E691C71DF248F12D27F96441C00 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\ED841A61C0F76025598421BC1B00E24189E68D54 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\F83099622B4A9F72CB5081F742164AD1B8D048C9 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\FBB42F089AF2D570F2BF6F493D107A3255A9BB1A => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 => key removed successfully
HKU\S-1-5-21-98057761-1509031509-3500754796-1001\Software\Microsoft\Windows\CurrentVersion\Run\\pmpcrc => value removed successfully
HKU\S-1-5-21-98057761-1509031509-3500754796-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Owsics => value removed successfully
HKU\S-1-5-21-98057761-1509031509-3500754796-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Interstatnogui => value removed successfully
HKU\S-1-5-21-98057761-1509031509-3500754796-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Chromium => value removed successfully
"C:\ProgramData\Hotfresh\TresSonsoft.dll" => Value data removed successfully.
"C:\ProgramData\Hotfresh\Konksing.dll" => Value data removed successfully.
C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WeatherBuddy.lnk => moved successfully
C:\Users\Jonathan\AppData\Local\WeatherBuddy\WeatherBuddy.exe => moved successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-21-98057761-1509031509-3500754796-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value not found.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-98057761-1509031509-3500754796-1001\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully
HKLM\Software\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\ielnksrch => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\ielnksrch => key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
HKU\S-1-5-21-98057761-1509031509-3500754796-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ielnksrch} => key removed successfully
HKLM\Software\Classes\CLSID\{ielnksrch} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF20459C-DA6E-41A7-80BC-8F4FEFD9C575} => key removed successfully
HKLM\Software\Classes\CLSID\{FF20459C-DA6E-41A7-80BC-8F4FEFD9C575} => key removed successfully
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkpmlagemdabhmalimnfcajhlohhkehb => moved successfully
HKLM\SOFTWARE\Google\Chrome\Extensions\pilplloabdedfmialnfchjomjmpjcoej => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pilplloabdedfmialnfchjomjmpjcoej => key removed successfully
HKLM\System\CurrentControlSet\Services\AdService => key removed successfully
AdService => service removed successfully
HKLM\System\CurrentControlSet\Services\backlh => key removed successfully
backlh => service removed successfully
ByteFenceService => service not found.
Hotfresh => service not found.
HKLM\System\CurrentControlSet\Services\RuntimeBroker => key removed successfully
RuntimeBroker => service removed successfully
Service KMSELDI => service not found.
HKLM\System\CurrentControlSet\Services\srcsrv => key removed successfully
srcsrv => service removed successfully
HKU\S-1-5-21-98057761-1509031509-3500754796-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448} => key removed successfully
HKU\S-1-5-21-98057761-1509031509-3500754796-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1} => key removed successfully
HKU\S-1-5-21-98057761-1509031509-3500754796-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98} => key removed successfully
HKU\S-1-5-21-98057761-1509031509-3500754796-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A} => key removed successfully
HKU\S-1-5-21-98057761-1509031509-3500754796-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2} => key removed successfully
HKU\S-1-5-21-98057761-1509031509-3500754796-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9} => key removed successfully
HKU\S-1-5-21-98057761-1509031509-3500754796-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{100B22F6-ECD7-43F3-B2EB-D944775CD86A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{100B22F6-ECD7-43F3-B2EB-D944775CD86A} => key removed successfully
C:\WINDOWS\System32\Tasks\WebDiscover Browser Launch Task => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WebDiscover Browser Launch Task => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{36A8F5C6-FC4F-44E2-874D-F0B6E240697F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{36A8F5C6-FC4F-44E2-874D-F0B6E240697F} => key removed successfully
C:\WINDOWS\System32\Tasks\One System CarePeriod => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System CarePeriod => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3F8D5F16-ED86-48E8-8139-D28227CE4E2F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F8D5F16-ED86-48E8-8139-D28227CE4E2F} => key removed successfully
C:\WINDOWS\System32\Tasks\ByteFence => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ByteFence => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{50263E6C-9583-4CC8-8DC6-65BCD682A362} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{50263E6C-9583-4CC8-8DC6-65BCD682A362} => key removed successfully
C:\WINDOWS\System32\Tasks\AGProxyCheck => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AGProxyCheck => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{805BD542-A5EF-407E-8E74-2154A217EB2A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{805BD542-A5EF-407E-8E74-2154A217EB2A} => key removed successfully
C:\WINDOWS\System32\Tasks\One System Care Task => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System Care Task => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B41C62D5-5569-4A3E-9404-80A76E29DF5C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B41C62D5-5569-4A3E-9404-80A76E29DF5C} => key removed successfully
C:\WINDOWS\System32\Tasks\One System Care Run Delay => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System Care Run Delay => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C37F6530-66E6-4872-A511-1BAC09D84FC0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C37F6530-66E6-4872-A511-1BAC09D84FC0} => key removed successfully
C:\WINDOWS\System32\Tasks\WebDiscover Browser Update Task => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WebDiscover Browser Update Task => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{E6FD7DEC-9F0C-42F3-94E7-E76737696E78} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E6FD7DEC-9F0C-42F3-94E7-E76737696E78} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Kasperment Database Standard => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F81F8633-D6F7-4075-B230-D94FD3B4DA72} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F81F8633-D6F7-4075-B230-D94FD3B4DA72} => key removed successfully
C:\WINDOWS\System32\Tasks\One System Care Monitor => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System Care Monitor => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F8486CAA-EF65-4570-92F8-677A0BC488E7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F8486CAA-EF65-4570-92F8-677A0BC488E7} => key removed successfully
C:\WINDOWS\System32\Tasks\{0F7A0E47-0D7E-780D-0E11-7D7F087A117F} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{0F7A0E47-0D7E-780D-0E11-7D7F087A117F} => key removed successfully
C:\WINDOWS\Tasks\One System CarePeriod.job => moved successfully
C:\Users\Jonathan\Desktop\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => Shortcut argument removed successfully.
C:\Users\Jonathan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Jonathan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk => Shortcut argument removed successfully.
C:\Users\Jonathan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Jonathan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk => Shortcut argument removed successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Public\Desktop\Google Chrome.lnk => Shortcut argument removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{423F00BF-66B9-49A5-A784-D77158572FC7} => value not found.
C:\ServiceLog.txt => moved successfully
C:\Program Files (x86)\AnonymizerGadget => moved successfully
C:\Program Files (x86)\KMSPico 10.2.1 Final => moved successfully
"C:\Program Files (x86)\OneSystemCare" => not found.
"C:\Program Files (x86)\PRO PC Cleaner" => not found.
C:\Program Files (x86)\VKOKAblockIE => moved successfully
"C:\Program Files\ByteFence" => not found.
"C:\Program Files\d150c642f18be09d28e95b1310132ed9" => not found.
C:\Program Files\KMSpico => moved successfully
C:\Program Files\WebDiscoverBrowser => moved successfully
"C:\ProgramData\Hotfresh" => not found.
C:\ProgramData\Hotfreshs => moved successfully
C:\ProgramData\Logic Cramble => moved successfully
C:\ProgramData\ntuser.pol => moved successfully
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HowToRemove.html.lnk" => not found.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\One System Care" => not found.
C:\WINDOWS\jonathan-pc\RuntimeBroker.exe => moved successfully
"C:\Users\Jonathan\Desktop\Chromium.lnk" => not found.
"C:\Users\Jonathan\Desktop\PRO PC Cleaner.lnk" => not found.
C:\Users\Jonathan\Desktop\WeatherBuddy.lnk => moved successfully
C:\Users\Jonathan\AppData\Local\{0632D2FE-8531-4EAA-967E-CF02E0C3BC1D} => moved successfully
"C:\Users\Jonathan\AppData\Local\{6252540E-46FA-38B6-2B62-1D5E0F0AE1C6}" => not found.
C:\Users\Jonathan\AppData\Local\AdService => moved successfully
C:\Users\Jonathan\AppData\Local\CrashRpt => moved successfully
"c:\users\jonathan\appdata\local\chromium" => not found.
C:\Users\Jonathan\AppData\Local\Odxvics => moved successfully
C:\Users\Jonathan\AppData\Local\PRO_PC_Cleaner => moved successfully
C:\Users\Jonathan\AppData\Local\WeatherBuddy => moved successfully
C:\Users\Jonathan\AppData\Local\Ittough.exe => moved successfully
C:\Users\Jonathan\AppData\Local\pmpcrc.dll => moved successfully
C:\Users\Jonathan\AppData\Local\Softlab.exe => moved successfully
C:\Users\Jonathan\AppData\Local\uninstallro.exe => moved successfully
C:\Users\Jonathan\AppData\Local\agent.dat => moved successfully
C:\Users\Jonathan\AppData\Local\Ittough.tst => moved successfully
C:\Users\Jonathan\AppData\Local\Zootouch.bin => moved successfully
C:\Users\Jonathan\AppData\Local\Softlab.tst => moved successfully
C:\Users\Jonathan\AppData\Local\noah.dat => moved successfully
C:\Users\Jonathan\AppData\Local\Config.xml => moved successfully
C:\Users\Jonathan\AppData\Local\Main.dat => moved successfully
C:\Users\Jonathan\AppData\Local\md.xml => moved successfully
C:\Users\Jonathan\AppData\Local\installer.dat => moved successfully
C:\Users\Jonathan\AppData\Local\InstallationConfiguration.xml => moved successfully
C:\Users\Jonathan\AppData\Local\uninstall_temp.ico => moved successfully
C:\Users\Jonathan\AppData\LocalLow\VKOK => moved successfully
C:\Users\Jonathan\AppData\LocalLow\uTorrentControl_v2 => moved successfully
C:\Users\Jonathan\AppData\Roaming\AGData => moved successfully
"C:\Users\Jonathan\AppData\Roaming\AppTrailers" => not found.
C:\Users\Jonathan\AppData\Roaming\Interstatnogui => moved successfully
C:\Users\Jonathan\AppData\Roaming\PRO PC Cleaner => moved successfully
C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget => moved successfully
"C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AppTrailers" => not found.
"C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chromium.lnk" => not found.
"C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PRO PC Cleaner" => not found.
C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WeatherBuddy => moved successfully
C:\WINDOWS\5bf2adb83a47848edb214e5335e43e33.exe => moved successfully
C:\WINDOWS\src_srv => moved successfully
C:\WINDOWS\shader.exe => moved successfully
C:\WINDOWS\2004_act.exe => moved successfully
"C:\WINDOWS\unins000.exe" => not found.
"C:\WINDOWS\unins000.dat" => not found.
C:\WINDOWS\uninstaller.dat => moved successfully
C:\WINDOWS\WeatherBuddy.INI => moved successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 17356653 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 69724185 B
Edge => 0 B
Chrome => 64777632 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 149679 B
systemprofile32 => 128 B
LocalService => 73109 B
NetworkService => 17449182 B
Jonathan => 692790015 B
UpdatusUser => 0 B

RecycleBin => 139211973 B
EmptyTemp: => 955.1 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 21:56:39 ====

[Aura]

Good. It's alright, we'll remove all of them one way or another. Now, you should be able to install and run a scan with Malwarebytes,

Malwarebytes - Clean Mode

• Download and install the free version of Malwarebytes
  Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
• Once Malwarebytes is installed, launch it and let it update his database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so;
• Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
• Let the scan run, the time required to complete the scan depends of your system and computer specs;
• Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button;
  
  • If it asks you to restart your computer to complete the removal, do so;
    
• Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply;
  

[JonathanCarson]

Hi,

I completed the scan as above and the software requested a system restart, I now cannot find the report to export for you! It did detect and quarantine 304 threats, which are showing in the quarantine list, however when I go to the reports section of the program, there are still no reports to export.

[Aura]

There are no "Scan Report" listed under the "Reports" section of Malwarebytes?

[JonathanCarson]

No scan reports I am afraid, however, you can see that it has carried out a scan and quarantined items. 

 

[Aura]

That's fine too. Now we can do a sweep with JRT and AdwCleaner.

Junkware Removal Tool (JRT)

• Download Junkware Removal Tool (JRT) and move it to your Desktop;
• Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
• Press on any key to launch the scan and let it complete;
  
  Credits : BleepingComputer.com
• Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
  

AdwCleaner - Fix Mode

• Download AdwCleaner and move it to your Desktop;
• Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
• Accept the EULA (I accept), let the database update, then click on Scan;
• Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  
• Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
• After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
  

Your next reply(ies) should therefore contain:

• Copy/pasted JRT log;
• Copy/pasted AdwCleaner clean log;
  

[JonathanCarson]

Hi,

 

JRT Report

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 8.1 Pro x64 
Ran by Jonathan (Limited) on 19/06/2017 at 20:23:40.61
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 1 

Successfully deleted: C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\chgdeabpmphfhkoemjjglmilajldekbp (Folder) 

Registry: 3 

Successfully deleted: HKLM\Software\Google\Chrome\Extensions\chgdeabpmphfhkoemjjglmilajldekbp (Registry Key) 
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\\BrowserPlugInHelper (Registry Value) 
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchUrl\\Default (Registry Value) 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 19/06/2017 at 20:25:09.64
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

And AdWare Report

 

# AdwCleaner v6.047 - Logfile created 19/06/2017 at 20:28:39
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-06-19.1 [Server]
# Operating System : Windows 8.1 Pro  (X64)
# Username : Jonathan - JONATHAN-PC
# Running from : C:\Users\Jonathan\Desktop\AdwCleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

Folder Found:  F:\Documents\PROPCCleaner
Folder Found:  F:\Documents\PROPCCleaner

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious keys found.

***** [ Shortcuts ] *****

No infected shortcut found.

***** [ Scheduled Tasks ] *****

No malicious task found.

***** [ Registry ] *****

Key Found:  HKU\S-1-5-21-98057761-1509031509-3500754796-1001\Software\ELLS LLC
Key Found:  HKCU\Software\ELLS LLC
Key Found:  HKLM\SOFTWARE\mtApService
Key Found:  HKLM\SOFTWARE\mtHotfresh
Key Found:  HKLM\SOFTWARE\betterads
Key Found:  [x64] HKCU\Software\ELLS LLC
Key Found:  HKU\S-1-5-21-98057761-1509031509-3500754796-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Data Found:  HKU\S-1-5-21-98057761-1509031509-3500754796-1001\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - 
Key Found:  HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Data Found:  HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - 
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Data Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - 
Key Found:  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Hotfresh.exe
Key Found:  HKCU\Software\Classes\Applications\interstatnogui.exe

***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - oadboiipflhobonjjffjbfekfjcgkhco

[!] You may need to disable the Chrome synchronization from your Google account in order to fully remove the malicious preferences. Please consult this Google help: https://support.google.com/chrome/answer/3097271?hl=en [!]

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [19739 Bytes] - [30/05/2017 18:30:58]
C:\AdwCleaner\AdwCleaner[S0].txt - [18136 Bytes] - [30/05/2017 18:26:55]
C:\AdwCleaner\AdwCleaner[S1].txt - [2593 Bytes] - [19/06/2017 20:28:39]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [2666 Bytes] ##########
 

[Aura]

I assume that you clicked on the "Clean" button to delete the threats AdwCleaner detected, right? Asking this since the log you provided me is a scan log, not a clean log.

[JonathanCarson]

Hi, yes I clicked clean, and it asked for a system restart, however on restarting I encountered a BSOD again for 'bad pool caller',  when I managed to boot up again this was the only log I could find, should the clean log be saved somewhere?

[Aura]

It should be this one:

C:\AdwCleaner\AdwCleaner[C0].txt

 

[JonathanCarson]

cool, thanks. Here you go 

 

# AdwCleaner v6.047 - Logfile created 19/06/2017 at 20:29:15
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-06-19.1 [Server]
# Operating System : Windows 8.1 Pro  (X64)
# Username : Jonathan - JONATHAN-PC
# Running from : C:\Users\Jonathan\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder deleted: F:\Documents\PROPCCleaner
[#] Folder deleted on reboot: F:\Documents\PROPCCleaner

***** [ Files ] *****

***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

[-] Key deleted: HKU\S-1-5-21-98057761-1509031509-3500754796-1001\Software\ELLS LLC
[#] Key deleted on reboot: HKCU\Software\ELLS LLC
[-] Key deleted: HKLM\SOFTWARE\mtApService
[-] Key deleted: HKLM\SOFTWARE\mtHotfresh
[-] Key deleted: HKLM\SOFTWARE\betterads
[#] Key deleted on reboot: [x64] HKCU\Software\ELLS LLC
[-] Key deleted: HKU\S-1-5-21-98057761-1509031509-3500754796-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data restored: HKU\S-1-5-21-98057761-1509031509-3500754796-1001\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[#] Key deleted on reboot: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data restored: HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data restored: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Hotfresh.exe
[-] Key deleted: HKCU\Software\Classes\Applications\interstatnogui.exe

***** [ Web browsers ] *****

[-] [C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: oadboiipflhobonjjffjbfekfjcgkhco

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [19739 Bytes] - [30/05/2017 18:30:58]
C:\AdwCleaner\AdwCleaner[C2].txt - [2391 Bytes] - [19/06/2017 20:29:15]
C:\AdwCleaner\AdwCleaner[S0].txt - [18136 Bytes] - [30/05/2017 18:26:55]
C:\AdwCleaner\AdwCleaner[S1].txt - [2757 Bytes] - [19/06/2017 20:28:39]

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [2611 Bytes] ##########
 

[Aura]

Thank you! Now, please run a new FRST scan, and provide me a fresh set of logs (FRST.txt and Addition.txt) as I'll look for remnants to be removed if there are any.

[JonathanCarson]

Files attached, thanks

Addition 2.txt

FRST 2.txt

[Aura]

Hi Jonathan,

Sorry for the delay. I'm currently away from home and didn't have the time to review your logs yet. I'll get to it as soon as I get back home tonight (late) otherwise it'll be tomorrow morning.

[JonathanCarson]

Hey, 

No worries, take your time, I appreciate all the help! :-) 

[Aura]

Only a few things left to remove.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

• Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
• Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
• Click on the Fix button;
  
• On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
• Copy and paste its content in your next reply;
  

How's your system behaving? Are there any other issues left to address?

fixlist.txt

[JonathanCarson]

Hi,

 

I still haven't been able to have my computer boot up properly, keep encountering BSOD with various reasons such as 'bad pool header' 'sysem service exception' 'ntfs file system' and I am sure one said 'bad pool cleaner'. :-(

 

FRST log below, thanks.

Jonathan

Fix result of Farbar Recovery Scan Tool (x64) Version: 25-06-2017 01
Ran by Jonathan (25-06-2017 23:54:43) Run:2
Running from F:\Downloads
Loaded Profiles: Jonathan (Available Profiles: Jonathan & UpdatusUser)
Boot Mode: Safe Mode (with Networking)
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:

FirewallRules: [{54146092-0547-4852-90F9-6FF25139C977}] => (Allow) C:\WINDOWS\system32\cmd.exe
FirewallRules: [{F83E8681-4163-424F-836F-CBDE6A2035C0}] => (Allow) C:\WINDOWS\system32\cmd.exe
FirewallRules: [{25111E4F-EE6E-4184-9A72-A7391BD16BA5}] => (Allow) C:\WINDOWS\system32\cmd.exe
FirewallRules: [{EDE4D672-5959-48CE-A831-67BF9A882E91}] => (Allow) C:\WINDOWS\system32\cmd.exe

C:\ProgramData\ntuser.pol
C:\WINDOWS\src_srv_2

EmptyTemp:
*****************

Processes closed successfully.
Error: Restore point can only be created in normal mode.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{54146092-0547-4852-90F9-6FF25139C977} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F83E8681-4163-424F-836F-CBDE6A2035C0} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{25111E4F-EE6E-4184-9A72-A7391BD16BA5} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{EDE4D672-5959-48CE-A831-67BF9A882E91} => value removed successfully
C:\ProgramData\ntuser.pol => moved successfully
C:\WINDOWS\src_srv_2 => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 24150096 B
Java, Flash, Steam htmlcache => 291 B
Windows/system/drivers => 68668 B
Edge => 0 B
Chrome => 91319468 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 0 B
Jonathan => 17104061 B
UpdatusUser => 0 B

RecycleBin => 0 B
EmptyTemp: => 126.5 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 23:54:49 ====

 

 

[Aura]

Can you .zip the C:\Windows\Minidump folder and attach it here?

[JonathanCarson]

Attached, thanks :-)

 

 

Minidump.zip

Edited June 27, 2017 by JonathanCarson

[Aura]

Your minidumps all show different reasons, drivers, etc. for the BSODs. If you configure a clean boot and try to boot normally afterwards, does it works?

http://www.thewindowsclub.com/what-is-clean-boot-state-in-windows