Finally got MWB to scan then Ransom page blocks all


At first I couldn't run MWB, but I followed the FAQ and got it to scan using Chameleon. At the end of that scan a blue background filled the screen with a blank box in the middle asking me to enter the original serial key for Windows 10, and it won't let me do anything. Ctrl-Alt-Delete brings up the list, but upon clicking Task Manager, nothing... Alt-F4 does nothing also. The only thing I can do to get this to temp go away is reboot. Upon startup, random web pages open in the browser, followed by the detection of some spyware by Win Defender and then the fake blue screen. I've included the logs listed in the FAQ, with the exception of the MWB one, as I couldn't get it due to the msg I mentioned. Although it did remove 97 threats... So there it is... I'm at a loss.

 

Thanx in advance, and I won't be asking for help with this issue anywhere else.

Addition.txt

FRST.txt


Hi MoFooKiN :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.
 
https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/
 
If you manage to run a scan, delete everything it finds, and then copy/paste the content of the mbar-log-DATE-(TIME).txt log that is located in the MBAR folder here after. 


Ok, it should be noted that after using Chameleon I was able to scan and remove threats, but when I tried to install updates it couldn't reach the server. So I got mbar-1.10.3.1001-nr.exe but it said that an admin had blocked the file from running. So I ran Chameleon AGAIN, RAN A SCAN AND HAD A LOT OF THREATS POP UP AGAIN sry for caps. but this time I made a report AND IT IS ATTACHED, NOW I AM dlING THE ZIP FILE TO TRY IT. I'LL BE BACK AFTER.. grrr caps...   Anyway, where do I find the log file that you are asking for?

mwb.txt


Ok, I cannot get any .exe file or .cmd file to run. I click on it and an error pops up saying that an admin has prevented the file from running for my safety. I can get the Chameleon version to run, but it fails to update, finds the same threats and well... you have the log I got for that.. What should I do?

 


Yes, I tried that before my last post. The execution was blocked by an "admin" due to it being a malicious file type... Even though I am the only admin on the PC.

 

Wait, are you talking about trying to run the file within the zip? 'Cause I have been extracting it to my thumb drive and then running it from there on my broke machine..?

 


Yes, that's how I have been doing it, I tried it again just to be sure... No, neither of these will run. I've done it exactly as you described. This time I took pictures. They are attached. Any more ideas? Note the 20171104_183124.jpg picture is when I attempted to run mbar.cmd. Thanx for the help btw.

20171104_183124.jpg

20171102_143630.jpg

20171104_183009.jpg


Alright, we'll go with FRST then!

You are really infected from head to toe.

Malicious Programs Warning!

I noticed that you have malicious programs installed on your system. I'll ask you to uninstall them since uninstalling such programs before running malware removal tools will ensure a better clean-up.

  • AnonymizerGadget
  • BeansPlayer version 1.0
  • Chromium
  • GameAsist 3.91
  • NetMedia
  • One System Care
  • SCM
  • SearchAwesome
  • VidsqaurE
  • WeatherBuddy


If you have an issue when uninstalling a program, please let me know.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

fixlist.txt


Ok, I started going down the list uninstalling the programs you listed (all of which seem to be there), but every time I get to Chromium it seems to stall, just sitting there. Then this blue screen covers the whole screen on top of everything, saying that I must re-enter my Windows serial key, and gives me no other option to get out of it, making me restart to use the laptop at all. Neither Alt-Tab nor Alt-F4 works, and I can Ctrl-Alt-Del to shut down, but Task Manager doesn't show through this screen. I took a picture to post here, but now my phone says it can't complete the action because of low memory! So I'll put it in my next post from the PC when I get to it... Also, it does this whether or not I'm trying to uninstall Chromium. My question is, do I need to uninstall these programs before I run the fix you sent? I'm thinking I'm not going to be able to, but I'm going to try one more time..



Well, I tried it again. This time Chromium was gone, so I moved to Game Assist, and it said that there was an error, that Game Assist appeared to already be uninstalled, would I like to remove it from the list? Then it did the Windows serial thing again..


Fix result of Farbar Recovery Scan Tool (x64) Version: 02-11-2017
Ran by MoFooKiN BizmaTek (05-11-2017 20:04:27) Run:1
Running from C:\Users\MoFooKiN BizmaTek\Desktop\New folder (2)
Loaded Profiles: MoFooKiN BizmaTek (Available Profiles: MoFooKiN BizmaTek)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:

HKLM-x32\...\Run: [AnonymizerGadget] => C:\Users\MoFooKiN BizmaTek\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe [347784 2017-10-27] (Jetico ltd) <==== ATTENTION
HKLM-x32\...\Run: [AppleWebKit] => C:\Users\MoFooKiN BizmaTek\AppData\Roaming\SystemUpdate\client32.exe [105848 2016-12-06] (NetSupport Ltd)
HKLM\...\RunOnce: [MSIFOOKIN] => C:\WINDOWS\TEMP\gF915.tmp.exe [212992 2017-11-02] () <==== ATTENTION
HKLM-x32\...\RunOnce: [Cotesi] => C:\WINDOWS\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\MOFOOK~1\AppData\Roaming\Megag"
HKLM\ DisallowedCertificates: 03D22C9C66915D58C88912B64C1F984B8344EF09 (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 0F684EC1163281085C6AF20528878103ACEFCAAB (F-Secure Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 1667908C9E22EFBD0590E088715CC74BE4C60884 (FRISK Software International/F-Prot) <==== ATTENTION
HKLM\ DisallowedCertificates: 18DEA4EFA93B06AE997D234411F3FD72A677EECE (Bitdefender SRL) <==== ATTENTION
HKLM\ DisallowedCertificates: 2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF (G DATA Software AG) <==== ATTENTION
HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 31AC96A6C17C425222C46D55C3CCA6BA12E54DAF (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 331E2046A1CCA7BFEF766724394BE6112B4CA3F7 (Trend Micro) <==== ATTENTION
HKLM\ DisallowedCertificates: 3353EA609334A9F23A701B9159E30CB6C22D4C59 (Webroot Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: 373C33726722D3A5D1EDD1F1585D5D25B39BEA1A (SUPERAntiSpyware.com) <==== ATTENTION
HKLM\ DisallowedCertificates: 3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F (Kaspersky Lab) <==== ATTENTION
HKLM\ DisallowedCertificates: 3D496FA682E65FC122351EC29B55AB94F3BB03FC (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: 4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 (PC Tools) <==== ATTENTION
HKLM\ DisallowedCertificates: 42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 (K7 Computing Pvt Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 4420C99742DF11DD0795BC15B7B0ABF090DC84DF (Doctor Web Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 5240AB5B05D11B37900AC7712A3C6AE42F377C8C (Check Point Software Technologies Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 5DD3D41810F28B2A13E9A004E6412061E28FA48D (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 7457A3793086DBB58B3858D6476889E3311E550E (K7 Computing Pvt Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 76A9295EF4343E12DFC5FE05DC57227C1AB00D29 (BullGuard Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 775B373B33B9D15B58BC02B184704332B97C3CAF (McAfee) <==== ATTENTION
HKLM\ DisallowedCertificates: 872CD334B7E7B3C3D1C6114CD6B221026D505EAB (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 88AD5DFE24126872B33175D1778687B642323ACF (McAfee) <==== ATTENTION
HKLM\ DisallowedCertificates: 9132E8B079D080E01D52631690BE18EBC2347C1E (Adaware Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 982D98951CF3C0CA2A02814D474A976CBFF6BDB1 (Safer Networking Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 (Webroot Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9C43F665E690AB4D486D4717B456C5554D4BCEB5 (ThreatTrack Security) <==== ATTENTION
HKLM\ DisallowedCertificates: 9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 (CURIOLAB S.M.B.A.) <==== ATTENTION
HKLM\ DisallowedCertificates: A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 (Avira Operations GmbH & Co. KG) <==== ATTENTION
HKLM\ DisallowedCertificates: A5341949ABE1407DD7BF7DFE75460D9608FBC309 (BullGuard Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: A59CC32724DD07A6FC33F7806945481A2D13CA2F (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: AD4C5429E10F4FF6C01840C20ABA344D7401209F (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: AD96BB64BA36379D2E354660780C2067B81DA2E0 (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: CDC37C22FE9272D8F2610206AD397A45040326B8 (Trend Micro) <==== ATTENTION
HKLM\ DisallowedCertificates: D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598 (Kaspersky Lab) <==== ATTENTION
HKLM\ DisallowedCertificates: DB303C9B61282DE525DC754A535CA2D6A9BD3D87 (ThreatTrack Security) <==== ATTENTION
HKLM\ DisallowedCertificates: DB77E5CFEC34459146748B667C97B185619251BA (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: E22240E837B52E691C71DF248F12D27F96441C00 (Total Defense, Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: ED841A61C0F76025598421BC1B00E24189E68D54 (Bitdefender SRL) <==== ATTENTION
HKLM\ DisallowedCertificates: F83099622B4A9F72CB5081F742164AD1B8D048C9 (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: FBB42F089AF2D570F2BF6F493D107A3255A9BB1A (Panda Security S.L) <==== ATTENTION
HKLM\ DisallowedCertificates: FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 (Doctor Web Ltd.) <==== ATTENTION
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\...\Run: [Chromium] => c:\users\mofookin bizmatek\appdata\local\chromium\application\chrome.exe [1044480 2016-01-25] (The Chromium Authors)
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\...\Run: [WeatherBuddy] => C:\Users\MoFooKiN BizmaTek\AppData\Local\WeatherBuddy\WeatherBuddy.exe [3991552 2017-10-13] (ELLS LLC)
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\...\Run: [Win64svc] => RevoTemp.tmp
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\...\Run: [JVZGBBFDXH.exe] => C:\Users\MoFooKiN BizmaTek\AppData\Local\Temp\ba-9d9c9-671-4a4b3-20cdd50841ebc\JVZGBBFDXH.exe [135168 2017-10-27] () <==== ATTENTION
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\...\RunOnce: [windows] => C:\Users\MoFooKiN BizmaTek\AppData\Roaming\windows.exe [121344 2017-10-26] (RealVNC Ltd) <==== ATTENTION

ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => 127.0.0.1:8003
ProxyEnable: [S-1-5-19] => Proxy is enabled.
ProxyServer: [S-1-5-19] => 127.0.0.1:8003
ProxyEnable: [S-1-5-20] => Proxy is enabled.
ProxyServer: [S-1-5-20] => 127.0.0.1:8003
ProxyEnable: [S-1-5-21-4067184759-194431734-3307552434-1001] => Proxy is enabled.
ProxyServer: [S-1-5-21-4067184759-194431734-3307552434-1001] => 127.0.0.1:8003
ManualProxies: 1127.0.0.1:8003

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=131536193403574783&GUID=A4A233F6-7B63-4FC7-AA0B-AEEFECB0DD9F
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=131536193403584982&GUID=A4A233F6-7B63-4FC7-AA0B-AEEFECB0DD9F
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www-searching.com/?pid=s&s=HARzamobl20603BU,d290e000-95ce-4ad0-b00a-11cfeda08224,&vp=ch&prd=set_ie
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://oem17win10.msn.com/?pc=NMTE
SearchScopes: HKLM -> DefaultScope {A60FFDF8-6846-4BEC-BBA3-9ABE6DE82FA7} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM -> {A60FFDF8-6846-4BEC-BBA3-9ABE6DE82FA7} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> DefaultScope {A60FFDF8-6846-4BEC-BBA3-9ABE6DE82FA7} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> {A60FFDF8-6846-4BEC-BBA3-9ABE6DE82FA7} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKU\.DEFAULT -> DefaultScope {A60FFDF8-6846-4BEC-BBA3-9ABE6DE82FA7} URL = 
SearchScopes: HKU\S-1-5-21-4067184759-194431734-3307552434-1001 -> DefaultScope {A60FFDF8-6846-4BEC-BBA3-9ABE6DE82FA7} URL = 
SearchScopes: HKU\S-1-5-21-4067184759-194431734-3307552434-1001 -> {3881CA93-7596-4D7B-99F1-6206FA7FAF3A} URL = hxxp://www-searching.com/s.ashx?prd=opensearch&q={searchTerms}&s=HARzamobl20603BU,d290e000-95ce-4ad0-b00a-11cfeda08224,
SearchScopes: HKU\S-1-5-21-4067184759-194431734-3307552434-1001 -> {5e7797ae-5ca1-4b50-95d8-97e746340487} URL = hxxp://www.palikan.com/results.php?f=4&a=plk_coinisre_17_42_ssg01&cd=2XzuyEtN2Y1L1Qzuzy0E0ByC0DtDtCtD0E0CtCzyyEzyzztDtN0D0Tzu0StBtCtCzytN1L2XzutAtFtByBtFyEtFyDtAtN1L1Czu1BtAtN1L1G1B1V1N2Y1L1Qzu2StCtA0Dzz0AyBtDtAtGyDyD0AtAtGtAyD0DyCtGyCzy0AyCtGyByEyEtBtBtByE0FtCtAyDtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0DyCyByByBtCtBtG0AtD0FtAtGyEyE0F0BtG0AyCtDyEtGyC0C0FtD0DyDtA0FzztA0Dzy2QtN0A0LzuyE&cr=1662538094&ir=&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4067184759-194431734-3307552434-1001 -> {A60FFDF8-6846-4BEC-BBA3-9ABE6DE82FA7} URL = 

CHR HomePage: Default -> hxxp://www-searching.com/?pid=s&s=HARzamobl20603BU,d290e000-95ce-4ad0-b00a-11cfeda08224,&vp=ch&prd=set_ch
CHR StartupUrls: Default -> "hxxp://www-searching.com/?pid=s&s=HARzamobl20603BU,d290e000-95ce-4ad0-b00a-11cfeda08224,&vp=ch&prd=set_ch"
CHR DefaultSearchURL: Default -> hxxp://www-searching.com/search.aspx?site=shyos&prd=set_ch&q={searchTerms}&s=HARzamobl20603BU,d290e000-95ce-4ad0-b00a-11cfeda08224,
CHR DefaultSearchKeyword: Default -> www-searching.com
CHR DefaultSuggestURL: Default -> hxxp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}

R2 84ada1afa7c167c2ece4358073ff9765; C:\Program Files\84ada1afa7c167c2ece4358073ff9765\b77c348bc31159007afbd7511aa499ed.exe [1189376 2017-10-26] () [File not signed] <==== ATTENTION
R2 EciZvBn5MomN Updater; C:\Program Files (x86)\EciZvBn5MomN Updater\EciZvBn5MomN Updater.exe [313344 2017-10-27] () [File not signed]
R2 NetMediaService; C:\Program Files\jetstrmedia\NetMedia\netmedia.exe [2131192 2017-10-26] ()
R2 srcsrv; C:\WINDOWS\src_srv\winsrcsrv.exe [17408 2017-10-07] () [File not signed] <==== ATTENTION
R1 cf7a54dc958ee2ea30fddb12c86c58b1; C:\WINDOWS\system32\drivers\cf7a54dc958ee2ea30fddb12c86c58b1.sys [109144 2017-10-26] (L00OHO) <==== ATTENTION

Task: {1FF014E5-2D75-417D-839E-94DEB56D6416} - System32\Tasks\One System Care Monitor => C:\Program Files (x86)\OneSystemCare\CleanupConsole.exe [2017-10-18] () <==== ATTENTION
Task: {201A8AD0-BB9C-45F2-85DE-C394C2FD53D1} - System32\Tasks\SMW_P => C:\ProgramData\smp2.exe [2017-10-27] () <==== ATTENTION
Task: {4184607C-072C-4D4B-8782-410E50BEDB60} - System32\Tasks\EciZvBn5MomN => ecizvbn5momn.exe
Task: {47C90924-902D-4F24-B76D-811AEB3F34DA} - System32\Tasks\5ef15c60a59549278130da19940e9560 => powershell.exe -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File "C:\WINDOWS\5ef15c60a59549278130da19940e9560.ps1" <==== ATTENTION
Task: {54F5DADC-CF72-4DCC-9055-F935C1507781} - System32\Tasks\One System CarePeriod => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe [2017-10-18] () <==== ATTENTION
Task: {5D9AB730-D4CB-4195-B2D9-60E032B4AE53} - System32\Tasks\{3DA2F7AE-E2B9-4759-D6C9-43BA0E8C3D15} => C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Kapihicus\updtask.exe [2013-05-01] () <==== ATTENTION
Task: {6F053D8C-56DF-4603-AFDF-2B5A7CC867F1} - System32\Tasks\DecMoFooKiN BizmaTek => C:\Users\MoFooKiN [Argument = BizmaTek\AppData\Local\Temp\RevoTemp.tmp] <==== ATTENTION
Task: {72D9B1FA-A578-40DB-B9B8-C09070B9D563} - System32\Tasks\Microsoft\Windows\Windows Error Reporting\ReportErr => C:\\Users\\MoFooKiN BizmaTek\\AppData\\Roaming\\ReportErr\\mgrerr.exe [2017-10-27] ()
Task: {79DFE94B-6CA6-4403-BD1C-2B17CF2CE77E} - System32\Tasks\{2F05DD91-86B6-E05F-1952-81691A640B78} => C:\WINDOWS\system32\regsvr32.exe /s /n /i:"/rt" "C:\PROGRA~3\38eae574\36fef984.dll" <==== ATTENTION
Task: {878A2CEF-FD43-4CA8-B336-8B5CF716692E} - System32\Tasks\AGProxyCheck => C:\Program [Argument = Files (x86)\AnonymizerGadget\AGService.exe /recove]
Task: {8A90A4E7-6459-40E7-80D9-299438B7AC5B} - System32\Tasks\L2Hourly => C:\Program Files (x86)\L2VPN\updater.exe [2017-10-24] ()
Task: {951C8C1D-4E88-4DFF-B62C-6D0B75C45BD1} - System32\Tasks\SoftUpgrade => C:\Program Files (x86)\SoftUpgrade\softup.exe [2017-10-27] () <==== ATTENTION
Task: {A452A0B5-7188-40AF-883B-395F8189AE90} - System32\Tasks\{7A0B0B47-7E0C-097E-0511-78080F0D110C} => C:\WINDOWS\system32\WindowsPowershell\v1.0\powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand IAAgADsAOwAgACAAIAAgADsAIAA7ADsAOwAkAEUAcgByAG8AcgBBAGMAdABpAG8AbgBQAHIAZQBmAGUAcgBlAG4AYwBlAD0AIgBzAHQAbwBwACIAOwAkAHMAYwA9ACIAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAiADsAJABXAGEAcgBuAGkAbgBnAFAAcgBlAGYAZQByAGUA (the data entry has 10040 more characters). <==== ATTENTION
Task: {AAFE5462-04D0-4A45-B73B-5B001DAEDABE} - System32\Tasks\Checker64 => C:\Program Files\jetstrmedia\NetMedia\checker.exe [2017-10-25] ()
Task: {B2671CA8-A975-4185-B680-6DC79BCA6A16} - System32\Tasks\{47351B3C-F09E-AC97-F73A-AD90999BAD57} => C:\ProgramData\{2CA8E9B4-9B03-5E1F-DA56-99977EEC4810}\2B8D12FC-9C26-A557-3FC6-85D27FDDFA75.exe [2017-11-02] () <==== ATTENTION
Task: {B8D113E0-89C4-452B-B5F8-D5892B97E865} - System32\Tasks\running => C:\Users\MoFooKiN [Argument = BizmaTek\AppData\Roaming\weatherscr.exe] <==== ATTENTION
Task: {BF1B349D-9033-4343-90E1-8DF3285763E5} - System32\Tasks\One System Care Run Delay => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe [2017-10-18] () <==== ATTENTION
Task: {CB87629A-8489-4C73-AE4D-105AA68062B0} - System32\Tasks\84ada1afa7c167c2ece4358073ff9765 => sc start 84ada1afa7c167c2ece4358073ff9765 <==== ATTENTION
Task: {CBED7720-A8A7-4B50-941F-535107E410D0} - System32\Tasks\Optimize Start Menu Cache Files-S-EN => C:\ProgramData\403699fe59484dd3887b22601a3ac593\chipset.exe exec hide IANEFCCDSL.cmd 
Task: {DDEC1899-7A45-4139-8EE1-F923E0A9F986} - System32\Tasks\L2Onstart => C:\Program Files (x86)\L2VPN\updater.exe [2017-10-24] ()
Task: {E5F370AF-44F5-4183-AE39-3EEAE7DCFFAC} - System32\Tasks\AVObjit => C:\WINDOWS\system32\rundll32.exe "C:\Program Files\AVObjit\AVObjit.dll",CyJAVDOU <==== ATTENTION
Task: {E8EF9BC7-4813-40DD-9B0F-B77BD7079063} - System32\Tasks\OneSystemCare Task => C:\Program Files (x86)\OneSystemCare\SystemConsole.exe [2017-10-18] () <==== ATTENTION
Task: C:\WINDOWS\Tasks\One System CarePeriod.job => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\{3DA2F7AE-E2B9-4759-D6C9-43BA0E8C3D15}.job => C:\Users\MOFOOK~1\AppData\Roaming\KAPIHI~1\updtask.exe <==== ATTENTION

ShortcutWithArgument: C:\Users\MoFooKiN BizmaTek\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epf&s=harzamobl20603bu,d290e000-95ce-4ad0-b00a-11cfeda08224,
ShortcutWithArgument: C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Videostream for Google Chromecast™.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epf&s=harzamobl20603bu,d290e000-95ce-4ad0-b00a-11cfeda08224,
ShortcutWithArgument: C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www%2dsearching.com/?prd=set_epf&s=harzamobl20603bu,d290e000-95ce-4ad0-b00a-11cfeda08224,
ShortcutWithArgument: C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chromium.lnk -> C:\Users\MoFooKiN BizmaTek\AppData\Local\chromium\Application\chrome.exe (The Chromium Authors) -> hxxp://www%2dsearching.com/?prd=set_epf&s=harzamobl20603bu,d290e000-95ce-4ad0-b00a-11cfeda08224,
ShortcutWithArgument: C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epf&s=harzamobl20603bu,d290e000-95ce-4ad0-b00a-11cfeda08224,
ShortcutWithArgument: C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> "microsoft-edge:hxxp://www%2dsearching.com/?prd=set_epe&s=HARzamobl20603BU,d290e000-95ce-4ad0-b00a-11cfeda08224,"
ShortcutWithArgument: C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Search.lnk -> C:\program files\internet explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www%2dsearching.com/?prd=set_epf&s=harzamobl20603bu,d290e000-95ce-4ad0-b00a-11cfeda08224,
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epf&s=harzamobl20603bu,d290e000-95ce-4ad0-b00a-11cfeda08224,
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epf&s=harzamobl20603bu,d290e000-95ce-4ad0-b00a-11cfeda08224,

FirewallRules: [{91BEBEE6-45A7-4C4A-AE3B-4ADA11DF3531}] => (Allow) C:\Users\MoFooKiN BizmaTek\AppData\Local\Chromium\Application\chrome.exe
FirewallRules: [{21D6B1BE-4D46-496D-947D-86C7C721CC4A}] => (Allow) C:\Users\MoFooKiN BizmaTek\AppData\Roaming\SystemUpdate\client32.exe
FirewallRules: [{A9DA1F68-AB01-4B6C-9B5C-A48C784AAC82}] => (Allow) C:\Users\MoFooKiN BizmaTek\AppData\Roaming\SystemUpdate\CLIENT32.exe
FirewallRules: [{008E7A76-C080-4918-9A08-4962A2A155D8}] => (Allow) C:\Users\MoFooKiN BizmaTek\AppData\Roaming\SystemUpdate\CLIENT32.exe
FirewallRules: [{DAEB742B-B67B-448B-8A1D-A793E3BF174D}] => (Allow) C:\Program Files\jetstrmedia\NetMedia\netmedia.exe
FirewallRules: [{14112D2C-FD96-4A71-9CB5-239AE65447CE}] => (Allow) C:\Program Files\jetstrmedia\NetMedia\checker.exe

C:\Users\MoFooKiN BizmaTek\Desktop\Download Video and Audio Online.lnk
C:\Users\MoFooKiN BizmaTek\Desktop\Gоoglе Сhrоmе.lnk
C:\Users\MoFooKiN BizmaTek\Desktop\Сhrоmium.lnk
C:\Users\MoFooKiN BizmaTek\Desktop\VR\Nаhimiс 2.lnk
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Сhrоmium.lnk
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Vidеostreаm for Gоogle Chromесast™.lnk
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget\АnоnymizеrGаdget.lnk
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Intеrnet Еxplоrer.lnk
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gоogle Chrоmе.lnk
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Сhromium.lnk
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gоoglе Chrоme.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооgle Сhrome.lnk
C:\Users\Public\Desktop\Gооgle Сhromе.lnk
C:\Users\Public\Desktop\Wоrld оf Wаrships.lnk

C:\Program Files\84ada1afa7c167c2ece4358073ff976
C:\Program Files\AVObjit
C:\Program Files\jetstrmedia
C:\Program Files\Common Files\Noobzo
C:\Program Files (x86)\AnonymizerGadget
C:\Program Files (x86)\Company
C:\Program Files (x86)\bnsplayer
C:\Program Files (x86)\BeansPlayer
C:\Program Files (x86)\EciZvBn5MomN
C:\Program Files (x86)\EciZvBn5MomN Updater
C:\Program Files (x86)\L2VPN
C:\Program Files (x86)\SoftUpgrade
C:\Program Files (x86)\OneSystemCare
2017-11-02 13:35 - 2017-11-02 13:35 - 000000000 ____D C:\ProgramData\69815218-2861-0
2017-11-02 13:35 - 2017-11-02 13:35 - 000000000 ____D C:\ProgramData\69815218-1777-1
2017-11-02 13:35 - 2017-11-02 13:35 - 000000000 ____D C:\ProgramData\38eae574
2017-11-02 13:35 - 2017-11-02 13:35 - 000000000 ____D C:\ProgramData\{6CF1C05A-DB5A-77F1-25CE-29904C39DD0D}
2017-11-02 13:35 - 2017-11-02 13:35 - 000000000 ____D C:\ProgramData\{60bf6030-412c-0}
2017-11-02 13:35 - 2017-11-02 13:35 - 000000000 ____D C:\ProgramData\{3a0f1d6a-012c-1}
2017-11-02 13:35 - 2017-11-02 13:35 - 000000000 ____D C:\ProgramData\{2CA8E9B4-9B03-5E1F-DA56-99977EEC4810}
2017-10-27 17:13 - 2017-11-02 13:36 - 000000000 ____D C:\ProgramData\494fa140-1c51-0
2017-10-27 17:13 - 2017-11-02 13:36 - 000000000 ____D C:\ProgramData\494fa140-0715-1
2017-10-27 17:12 - 2017-10-30 17:13 - 000000000 ____D C:\ProgramData\403699fe59484dd3887b22601a3ac593
C:\ProgramData\BSD
C:\ProgramData\TweakBit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\One System Care
C:\ProgramData\smp2.exe
C:\Users\MoFooKiN BizmaTek\Downloads\adobe_flash_setup_1371505745.exe
C:\Users\MoFooKiN BizmaTek\AppData\Local\{A13F9763-8597-FBDB-E80F-DE33CC6722AB}
C:\Users\MoFooKiN BizmaTek\AppData\Local\4e199afe3d574f909138b5b7d0506b84
C:\Users\MoFooKiN BizmaTek\AppData\Local\AdvinstAnalytics
c:\users\mofookin bizmatek\appdata\local\chromium
C:\Users\MoFooKiN BizmaTek\AppData\Local\NetSupport
C:\Users\MoFooKiN BizmaTek\AppData\Local\WeatherBuddy
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\f6eb09d47736462b8a45ef97fcede229
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\a9111e571d1f4067bbb4ee9be5dd98c2
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\AGData
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Browsers
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Kapihicus
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\One System Care
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\ReportErr
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\SPI
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\SystemUpdate
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\windows.exe
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\weatherscr.exe
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\wb_ni_23_139_c.exe
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
C:\Users\MOFOOK~1\AppData\Roaming\Megag
C:\Windows\src_srv
C:\WINDOWS\tang.exe
C:\WINDOWS\cross1467io.exe
C:\WINDOWS\Microsoft12.bmp
C:\WINDOWS\rsrcs.dll
C:\WINDOWS\5ef15c60a59549278130da19940e9560.ps1
C:\WINDOWS\c19cb907bdac8210b94900afb15783fd.exe
C:\WINDOWS\uninstaller.dat
C:\WINDOWS\unins000.exe
C:\WINDOWS\unins000.dat
C:\WINDOWS\WeatherBuddy.INI
C:\WINDOWS\system32\bi3.exe
C:\WINDOWS\system32\drivers\cf7a54dc958ee2ea30fddb12c86c58b1.sys
C:\WINDOWS\SysWOW64\SSL
C:\Windows\Temp\*.tmp.exe

Hosts:
EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AnonymizerGadget => value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AppleWebKit => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\MSIFOOKIN => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\Cotesi => value not found.
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\03D22C9C66915D58C88912B64C1F984B8344EF09 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\0F684EC1163281085C6AF20528878103ACEFCAAB => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\1667908C9E22EFBD0590E088715CC74BE4C60884 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\18DEA4EFA93B06AE997D234411F3FD72A677EECE => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\249BDA38A611CD746A132FA2AF995A2D3C941264 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\31AC96A6C17C425222C46D55C3CCA6BA12E54DAF => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\331E2046A1CCA7BFEF766724394BE6112B4CA3F7 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\3353EA609334A9F23A701B9159E30CB6C22D4C59 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\373C33726722D3A5D1EDD1F1585D5D25B39BEA1A => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\3D496FA682E65FC122351EC29B55AB94F3BB03FC => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\4420C99742DF11DD0795BC15B7B0ABF090DC84DF => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\5240AB5B05D11B37900AC7712A3C6AE42F377C8C => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\5DD3D41810F28B2A13E9A004E6412061E28FA48D => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\7457A3793086DBB58B3858D6476889E3311E550E => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\76A9295EF4343E12DFC5FE05DC57227C1AB00D29 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\775B373B33B9D15B58BC02B184704332B97C3CAF => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\872CD334B7E7B3C3D1C6114CD6B221026D505EAB => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\88AD5DFE24126872B33175D1778687B642323ACF => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\9132E8B079D080E01D52631690BE18EBC2347C1E => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\982D98951CF3C0CA2A02814D474A976CBFF6BDB1 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\9C43F665E690AB4D486D4717B456C5554D4BCEB5 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\A5341949ABE1407DD7BF7DFE75460D9608FBC309 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\A59CC32724DD07A6FC33F7806945481A2D13CA2F => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\AD4C5429E10F4FF6C01840C20ABA344D7401209F => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\AD96BB64BA36379D2E354660780C2067B81DA2E0 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\CDC37C22FE9272D8F2610206AD397A45040326B8 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\DB303C9B61282DE525DC754A535CA2D6A9BD3D87 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\DB77E5CFEC34459146748B667C97B185619251BA => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\E22240E837B52E691C71DF248F12D27F96441C00 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\ED841A61C0F76025598421BC1B00E24189E68D54 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\F83099622B4A9F72CB5081F742164AD1B8D048C9 => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\FBB42F089AF2D570F2BF6F493D107A3255A9BB1A => key removed successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 => key removed successfully
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Chromium => value removed successfully
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\Software\Microsoft\Windows\CurrentVersion\Run\\WeatherBuddy => value removed successfully
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Win64svc => value removed successfully
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\Software\Microsoft\Windows\CurrentVersion\Run\\JVZGBBFDXH.exe => value removed successfully
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\\windows => value not found.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A60FFDF8-6846-4BEC-BBA3-9ABE6DE82FA7} => key removed successfully
HKLM\Software\Classes\CLSID\{A60FFDF8-6846-4BEC-BBA3-9ABE6DE82FA7} => key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A60FFDF8-6846-4BEC-BBA3-9ABE6DE82FA7} => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{A60FFDF8-6846-4BEC-BBA3-9ABE6DE82FA7} => key not found. 
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3881CA93-7596-4D7B-99F1-6206FA7FAF3A} => key not found. 
HKLM\Software\Classes\CLSID\{3881CA93-7596-4D7B-99F1-6206FA7FAF3A} => key not found. 
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5e7797ae-5ca1-4b50-95d8-97e746340487} => key not found. 
HKLM\Software\Classes\CLSID\{5e7797ae-5ca1-4b50-95d8-97e746340487} => key not found. 
HKU\S-1-5-21-4067184759-194431734-3307552434-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A60FFDF8-6846-4BEC-BBA3-9ABE6DE82FA7} => key removed successfully
HKLM\Software\Classes\CLSID\{A60FFDF8-6846-4BEC-BBA3-9ABE6DE82FA7} => key not found. 
Chrome HomePage => removed successfully
Chrome StartupUrls => removed successfully
Chrome DefaultSearchURL => removed successfully
Chrome DefaultSearchKeyword => removed successfully
Chrome DefaultSuggestURL => removed successfully
84ada1afa7c167c2ece4358073ff9765 => Unable to stop service.
HKLM\System\CurrentControlSet\Services\84ada1afa7c167c2ece4358073ff9765 => key removed successfully
84ada1afa7c167c2ece4358073ff9765 => service removed successfully
HKLM\System\CurrentControlSet\Services\EciZvBn5MomN Updater => key removed successfully
EciZvBn5MomN Updater => service removed successfully
HKLM\System\CurrentControlSet\Services\NetMediaService => key removed successfully
NetMediaService => service removed successfully
HKLM\System\CurrentControlSet\Services\srcsrv => key removed successfully
srcsrv => service removed successfully
cf7a54dc958ee2ea30fddb12c86c58b1 => Unable to stop service.
HKLM\System\CurrentControlSet\Services\cf7a54dc958ee2ea30fddb12c86c58b1 => key removed successfully
cf7a54dc958ee2ea30fddb12c86c58b1 => service removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{1FF014E5-2D75-417D-839E-94DEB56D6416} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1FF014E5-2D75-417D-839E-94DEB56D6416} => key removed successfully
C:\WINDOWS\System32\Tasks\One System Care Monitor => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System Care Monitor => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{201A8AD0-BB9C-45F2-85DE-C394C2FD53D1} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{201A8AD0-BB9C-45F2-85DE-C394C2FD53D1} => key removed successfully
C:\WINDOWS\System32\Tasks\SMW_P => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SMW_P => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4184607C-072C-4D4B-8782-410E50BEDB60} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4184607C-072C-4D4B-8782-410E50BEDB60} => key removed successfully
C:\WINDOWS\System32\Tasks\EciZvBn5MomN => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\EciZvBn5MomN => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{47C90924-902D-4F24-B76D-811AEB3F34DA} => key not found. 
C:\WINDOWS\System32\Tasks\5ef15c60a59549278130da19940e9560 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\5ef15c60a59549278130da19940e9560 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{54F5DADC-CF72-4DCC-9055-F935C1507781} => key not found. 
C:\WINDOWS\System32\Tasks\One System CarePeriod => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System CarePeriod => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5D9AB730-D4CB-4195-B2D9-60E032B4AE53} => key not found. 
C:\WINDOWS\System32\Tasks\{3DA2F7AE-E2B9-4759-D6C9-43BA0E8C3D15} => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{3DA2F7AE-E2B9-4759-D6C9-43BA0E8C3D15} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6F053D8C-56DF-4603-AFDF-2B5A7CC867F1} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6F053D8C-56DF-4603-AFDF-2B5A7CC867F1} => key not found. 
C:\WINDOWS\System32\Tasks\DecMoFooKiN BizmaTek => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DecMoFooKiN BizmaTek => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{72D9B1FA-A578-40DB-B9B8-C09070B9D563} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{72D9B1FA-A578-40DB-B9B8-C09070B9D563} => key removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\Windows Error Reporting\ReportErr => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Error Reporting\ReportErr => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{79DFE94B-6CA6-4403-BD1C-2B17CF2CE77E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{79DFE94B-6CA6-4403-BD1C-2B17CF2CE77E} => key removed successfully
C:\WINDOWS\System32\Tasks\{2F05DD91-86B6-E05F-1952-81691A640B78} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{2F05DD91-86B6-E05F-1952-81691A640B78} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{878A2CEF-FD43-4CA8-B336-8B5CF716692E} => key not found. 
C:\WINDOWS\System32\Tasks\AGProxyCheck => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AGProxyCheck => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8A90A4E7-6459-40E7-80D9-299438B7AC5B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8A90A4E7-6459-40E7-80D9-299438B7AC5B} => key removed successfully
C:\WINDOWS\System32\Tasks\L2Hourly => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\L2Hourly => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{951C8C1D-4E88-4DFF-B62C-6D0B75C45BD1} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{951C8C1D-4E88-4DFF-B62C-6D0B75C45BD1} => key removed successfully
C:\WINDOWS\System32\Tasks\SoftUpgrade => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SoftUpgrade => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A452A0B5-7188-40AF-883B-395F8189AE90} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A452A0B5-7188-40AF-883B-395F8189AE90} => key removed successfully
C:\WINDOWS\System32\Tasks\{7A0B0B47-7E0C-097E-0511-78080F0D110C} => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{7A0B0B47-7E0C-097E-0511-78080F0D110C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AAFE5462-04D0-4A45-B73B-5B001DAEDABE} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AAFE5462-04D0-4A45-B73B-5B001DAEDABE} => key removed successfully
C:\WINDOWS\System32\Tasks\Checker64 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Checker64 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B2671CA8-A975-4185-B680-6DC79BCA6A16} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B2671CA8-A975-4185-B680-6DC79BCA6A16} => key removed successfully
C:\WINDOWS\System32\Tasks\{47351B3C-F09E-AC97-F73A-AD90999BAD57} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{47351B3C-F09E-AC97-F73A-AD90999BAD57} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B8D113E0-89C4-452B-B5F8-D5892B97E865} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B8D113E0-89C4-452B-B5F8-D5892B97E865} => key removed successfully
C:\WINDOWS\System32\Tasks\running => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\running => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BF1B349D-9033-4343-90E1-8DF3285763E5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BF1B349D-9033-4343-90E1-8DF3285763E5} => key removed successfully
C:\WINDOWS\System32\Tasks\One System Care Run Delay => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System Care Run Delay => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{CB87629A-8489-4C73-AE4D-105AA68062B0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CB87629A-8489-4C73-AE4D-105AA68062B0} => key removed successfully
C:\WINDOWS\System32\Tasks\84ada1afa7c167c2ece4358073ff9765 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\84ada1afa7c167c2ece4358073ff9765 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CBED7720-A8A7-4B50-941F-535107E410D0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CBED7720-A8A7-4B50-941F-535107E410D0} => key removed successfully
C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-EN => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files-S-EN => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{DDEC1899-7A45-4139-8EE1-F923E0A9F986} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DDEC1899-7A45-4139-8EE1-F923E0A9F986} => key removed successfully
C:\WINDOWS\System32\Tasks\L2Onstart => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\L2Onstart => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{E5F370AF-44F5-4183-AE39-3EEAE7DCFFAC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5F370AF-44F5-4183-AE39-3EEAE7DCFFAC} => key removed successfully
C:\WINDOWS\System32\Tasks\AVObjit => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AVObjit => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E8EF9BC7-4813-40DD-9B0F-B77BD7079063} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E8EF9BC7-4813-40DD-9B0F-B77BD7079063} => key removed successfully
C:\WINDOWS\System32\Tasks\OneSystemCare Task => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OneSystemCare Task => key removed successfully
C:\WINDOWS\Tasks\One System CarePeriod.job => not found.
C:\WINDOWS\Tasks\{3DA2F7AE-E2B9-4759-D6C9-43BA0E8C3D15}.job => not found.
C:\Users\MoFooKiN BizmaTek\Desktop\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Videostream for Google Chromecast™.lnk => Shortcut argument removed successfully.
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk => Shortcut argument removed successfully.
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chromium.lnk => not found.
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk => Shortcut argument removed successfully.
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Search.lnk => Shortcut argument removed successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Public\Desktop\Google Chrome.lnk => Shortcut argument removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{91BEBEE6-45A7-4C4A-AE3B-4ADA11DF3531} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{21D6B1BE-4D46-496D-947D-86C7C721CC4A} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A9DA1F68-AB01-4B6C-9B5C-A48C784AAC82} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{008E7A76-C080-4918-9A08-4962A2A155D8} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{DAEB742B-B67B-448B-8A1D-A793E3BF174D} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{14112D2C-FD96-4A71-9CB5-239AE65447CE} => value removed successfully
C:\Users\MoFooKiN BizmaTek\Desktop\Download Video and Audio Online.lnk => moved successfully
C:\Users\MoFooKiN BizmaTek\Desktop\Gоoglе Сhrоmе.lnk => moved successfully
C:\Users\MoFooKiN BizmaTek\Desktop\Сhrоmium.lnk => moved successfully
C:\Users\MoFooKiN BizmaTek\Desktop\VR\Nаhimiс 2.lnk => moved successfully
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Сhrоmium.lnk => moved successfully
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Vidеostreаm for Gоogle Chromесast™.lnk => moved successfully
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget\АnоnymizеrGаdget.lnk => moved successfully
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Intеrnet Еxplоrer.lnk => moved successfully
"C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gоogle Chrоmе.lnk" => not found.
"C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Сhromium.lnk" => not found.
"C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gоoglе Chrоme.lnk" => not found.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооgle Сhrome.lnk => moved successfully
C:\Users\Public\Desktop\Gооgle Сhromе.lnk => moved successfully
C:\Users\Public\Desktop\Wоrld оf Wаrships.lnk => moved successfully
"C:\Program Files\84ada1afa7c167c2ece4358073ff976" => not found.
C:\Program Files\AVObjit => moved successfully
C:\Program Files\jetstrmedia => moved successfully
C:\Program Files\Common Files\Noobzo => moved successfully
C:\Program Files (x86)\AnonymizerGadget => moved successfully
C:\Program Files (x86)\Company => moved successfully
C:\Program Files (x86)\bnsplayer => moved successfully
"C:\Program Files (x86)\BeansPlayer" => not found.
C:\Program Files (x86)\EciZvBn5MomN => moved successfully
C:\Program Files (x86)\EciZvBn5MomN Updater => moved successfully
C:\Program Files (x86)\L2VPN => moved successfully
C:\Program Files (x86)\SoftUpgrade => moved successfully
"C:\Program Files (x86)\OneSystemCare" => not found.
C:\ProgramData\69815218-2861-0 => moved successfully
C:\ProgramData\69815218-1777-1 => moved successfully
C:\ProgramData\38eae574 => moved successfully
C:\ProgramData\{6CF1C05A-DB5A-77F1-25CE-29904C39DD0D} => moved successfully
C:\ProgramData\{60bf6030-412c-0} => moved successfully
C:\ProgramData\{3a0f1d6a-012c-1} => moved successfully
C:\ProgramData\{2CA8E9B4-9B03-5E1F-DA56-99977EEC4810} => moved successfully
C:\ProgramData\494fa140-1c51-0 => moved successfully
C:\ProgramData\494fa140-0715-1 => moved successfully
C:\ProgramData\403699fe59484dd3887b22601a3ac593 => moved successfully
C:\ProgramData\BSD => moved successfully
C:\ProgramData\TweakBit => moved successfully
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\One System Care" => not found.
C:\ProgramData\smp2.exe => moved successfully
C:\Users\MoFooKiN BizmaTek\Downloads\adobe_flash_setup_1371505745.exe => moved successfully
C:\Users\MoFooKiN BizmaTek\AppData\Local\{A13F9763-8597-FBDB-E80F-DE33CC6722AB} => moved successfully
C:\Users\MoFooKiN BizmaTek\AppData\Local\4e199afe3d574f909138b5b7d0506b84 => moved successfully
C:\Users\MoFooKiN BizmaTek\AppData\Local\AdvinstAnalytics => moved successfully
c:\users\mofookin bizmatek\appdata\local\chromium => moved successfully
C:\Users\MoFooKiN BizmaTek\AppData\Local\NetSupport => moved successfully
C:\Users\MoFooKiN BizmaTek\AppData\Local\WeatherBuddy => moved successfully
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\f6eb09d47736462b8a45ef97fcede229 => moved successfully
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\a9111e571d1f4067bbb4ee9be5dd98c2 => moved successfully
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\AGData => moved successfully
"C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Browsers" => not found.
"C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Kapihicus" => not found.
"C:\Users\MoFooKiN BizmaTek\AppData\Roaming\One System Care" => not found.
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\ReportErr => moved successfully
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\SPI => moved successfully
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\SystemUpdate => moved successfully
"C:\Users\MoFooKiN BizmaTek\AppData\Roaming\windows.exe" => not found.
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\weatherscr.exe => moved successfully
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\wb_ni_23_139_c.exe => moved successfully
C:\Users\MoFooKiN BizmaTek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget => moved successfully
"C:\Users\MOFOOK~1\AppData\Roaming\Megag" => not found.
C:\Windows\src_srv => moved successfully
C:\WINDOWS\tang.exe => moved successfully
C:\WINDOWS\cross1467io.exe => moved successfully
C:\WINDOWS\Microsoft12.bmp => moved successfully
C:\WINDOWS\rsrcs.dll => moved successfully
C:\WINDOWS\5ef15c60a59549278130da19940e9560.ps1 => moved successfully
C:\WINDOWS\c19cb907bdac8210b94900afb15783fd.exe => moved successfully
C:\WINDOWS\uninstaller.dat => moved successfully
C:\WINDOWS\unins000.exe => moved successfully
C:\WINDOWS\unins000.dat => moved successfully
C:\WINDOWS\WeatherBuddy.INI => moved successfully
C:\WINDOWS\system32\bi3.exe => moved successfully
C:\WINDOWS\system32\drivers\cf7a54dc958ee2ea30fddb12c86c58b1.sys => moved successfully

"C:\WINDOWS\SysWOW64\SSL" folder move:

Could not move "C:\WINDOWS\SysWOW64\SSL" => Scheduled to move on reboot.


=========== "C:\Windows\Temp\*.tmp.exe" ==========

C:\Windows\Temp\gBDF7.tmp.exe => moved successfully
C:\Windows\Temp\gFBEC.tmp.exe => moved successfully
C:\Windows\Temp\gFBED.tmp.exe => moved successfully

========= End -> "C:\Windows\Temp\*.tmp.exe" ========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 123522 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 115739356 B
Java, Flash, Steam htmlcache => 342793810 B
Windows/system/drivers => 66563690 B
Edge => 38597991 B
Chrome => 360056538 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 6807214 B
systemprofile32 => 1737694 B
LocalService => 22508 B
NetworkService => 36810 B
MoFooKiN BizmaTek => 1943067903 B

RecycleBin => 115686 B
EmptyTemp: => 2.7 GB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 05-11-2017 20:06:32)

C:\WINDOWS\SysWOW64\SSL => Is moved successfully

==== End of Fixlog 20:06:32 ====

Still the blue screen persists...  This is driving me crazy! To top it off my other machine just threw a BSOD and now will not start up!!!  None of the repair options are working for it either... I believe it's infected as well.. Might have to start another ticket after this one.. good thing I paid for two licenses!


Ok, I was able to run the fix, and this time it did stop the blue screen, so I deleted the rest of the list of programs and I attempted to run the mwb.cmd and I got the same error that the .dll file wasn't there or something, so I ran the mwb.exe in that same zip file and it ran and scanned and removed malware. I have attached both logs.   I hope I didn't jump the gun running mwb.exe.  Sorry if I did, I won't jump ahead again..

Fixlog.txt

mbar-log-2017-11-06 (19-30-16).txt


It's all good, no worries :) Now you should be able to run a scan with Malwarebytes too.

Malwarebytes - Clean Mode

  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run, the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

Link to post
Share on other sites

I'm not sure which of these you want, but upon restarting my machine a new version of mwb wanted to install. I suspect because I activated it... Anyway the new install is scanning now.

Ok they are xml documents and I can't attach them so I'm going to paste them...

<?xml version="1.0" encoding="UTF-16"?>
<mbam-log>
  <header>
    <date>2017/11/06 21:47:10 -0600</date>
    <logfile>mbam-log-2017-11-06 (21-30-46).xml</logfile>
    <isadmin>yes</isadmin>
  </header>
  <engine>
    <version>0.0.0.0000</version>
    <malware-database>v2017.11.07.02</malware-database>
    <rootkit-database>v2017.10.14.01</rootkit-database>
    <license>premium</license>
    <file-protection>enabled</file-protection>
    <web-protection>enabled</web-protection>
    <self-protection>disabled</self-protection>
  </engine>
  <system>
    <hostname>MSIFOOKIN</hostname>
    <ip>10.0.0.77</ip>
    <osversion>Windows 10</osversion>
    <arch>x64</arch>
    <username>MoFooKiN BizmaTek</username>
    <filesys>NTFS</filesys>
  </system>
  <summary>
    <type>threat</type>
    <result>completed</result>
    <objects>319499</objects>
    <time>397</time>
    <processes>0</processes>
    <modules>0</modules>
    <keys>0</keys>
    <values>0</values>
    <datas>0</datas>
    <folders>0</folders>
    <files>0</files>
    <sectors>0</sectors>
  </summary>
  <options>
    <memory>enabled</memory>
    <startup>enabled</startup>
    <filesystem>enabled</filesystem>
    <archives>enabled</archives>
    <rootkits>disabled</rootkits>
    <deeprootkit>disabled</deeprootkit>
    <heuristics>enabled</heuristics>
    <pup>enabled</pup>
    <pum>enabled</pum>
  </options>
  <items> </items>
</mbam-log>

And here is the second one

<?xml version="1.0" encoding="UTF-8"?>

<logs>

<record toVersion="2017.11.6.1" name="IP Database" last_modified_tag="a2ccb38b-b159-43a3-8e80-67807ba5ea9d" fromVersion="2017.11.3.2" systemname="MSIFOOKIN" username="SYSTEM" type="Update" source="Manual" datetime="2017-11-06T21:20:45.383532-06:00" LoggingEventType="1" severity="debug"/>

<record toVersion="2017.11.6.8" name="Domain Database" last_modified_tag="48dfaa19-6eb1-44c5-a7ad-93e5cfd2d274" fromVersion="2016.2.16.8" systemname="MSIFOOKIN" username="SYSTEM" type="Update" source="Manual" datetime="2017-11-06T21:20:48.624153-06:00" LoggingEventType="1" severity="debug"/>

<record toVersion="2017.11.7.1" name="Malware Database" last_modified_tag="b76b3b09-adfc-489d-9df9-31510cb9add5" fromVersion="2016.2.16.6" systemname="MSIFOOKIN" username="SYSTEM" type="Update" source="Manual" datetime="2017-11-06T21:20:53.780809-06:00" LoggingEventType="1" severity="debug"/>

<record last_modified_tag="38975ff5-277a-4d79-8a7f-03868b78e0e9" systemname="MSIFOOKIN" username="SYSTEM" type="Error" source="Protection" datetime="2017-11-06T21:28:40.941061-06:00" LoggingEventType="4" severity="debug" message="ServiceCanRun" code="13"/>

<record last_modified_tag="38ab8b92-72b1-4940-b509-d25b591c83f3" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:28:40.958281-06:00" LoggingEventType="2" severity="debug" subtype="Malware Protection" result="Stopping"/>

<record last_modified_tag="83304afe-6c87-47ea-8fa6-21f65e81a737" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:28:40.958281-06:00" LoggingEventType="2" severity="debug" subtype="Malware Protection" result="Stopped"/>

<record last_modified_tag="04953f21-2de8-442a-b769-b669f0cbb347" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:28:45.414714-06:00" LoggingEventType="2" severity="debug" subtype="Malware Protection" result="Starting"/>

<record last_modified_tag="65b936b7-a7a8-4ce5-926b-9e24076509a9" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:28:45.420729-06:00" LoggingEventType="2" severity="debug" subtype="Malware Protection" result="Started"/>

<record last_modified_tag="ed9d3b80-2a90-4560-a4c1-e859ba571b8e" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:28:45.437273-06:00" LoggingEventType="2" severity="debug" subtype="Malicious Website Protection" result="Starting"/>

<record last_modified_tag="12f9fa22-72ac-4997-9de5-adcb01c8c17e" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:28:47.594558-06:00" LoggingEventType="2" severity="debug" subtype="Malicious Website Protection" result="Started"/>

<record toVersion="3.3.1.0" name="program" last_modified_tag="f68bc469-53d8-4798-abf4-660e72655c53" fromVersion="2.2.1.1043" systemname="MSIFOOKIN" username="SYSTEM" type="Update" source="Manual" datetime="2017-11-06T21:32:09.418838-06:00" LoggingEventType="1" severity="debug"/>

<record toVersion="2017.11.7.2" name="Malware Database" last_modified_tag="0683dbce-72d2-4f62-a408-f13894d5c220" fromVersion="2017.11.7.1" systemname="MSIFOOKIN" username="SYSTEM" type="Update" source="Scheduler" datetime="2017-11-06T21:47:10.382835-06:00" LoggingEventType="1" severity="debug"/>

<record last_modified_tag="f3f9691a-819b-4587-ba5e-1bd056be41ae" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:47:10.404856-06:00" LoggingEventType="2" severity="debug" subtype="Refresh" result="Starting"/>

<record last_modified_tag="ddfd3946-fcd8-4ef1-93d8-3c807f4a398c" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:47:10.410371-06:00" LoggingEventType="2" severity="debug" subtype="Malicious Website Protection" result="Stopping"/>

<record last_modified_tag="413daaf1-05bf-49e7-9462-eee98bc2c741" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:47:11.415043-06:00" LoggingEventType="2" severity="debug" subtype="Malicious Website Protection" result="Stopped"/>

<record last_modified_tag="fd17c60a-2928-4719-859a-6694251e63b0" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:47:14.335737-06:00" LoggingEventType="2" severity="debug" subtype="Refresh" result="Success"/>

<record last_modified_tag="7dd82a84-52d0-46bf-8be7-5cbbba45a9cc" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:47:14.347268-06:00" LoggingEventType="2" severity="debug" subtype="Malicious Website Protection" result="Starting"/>

<record last_modified_tag="04c5c04c-2651-4283-b9eb-d959c67433ad" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:47:16.581291-06:00" LoggingEventType="2" severity="debug" subtype="Malicious Website Protection" result="Started"/>

<record last_modified_tag="77fcfdfd-3f30-45dc-a5a2-8f2b7783f478" systemname="MSIFOOKIN" username="SYSTEM" type="Scan" source="Manual" datetime="2017-11-06T21:52:17.665868-06:00" LoggingEventType="6" severity="debug" scanresult="completed" nonmalwaredetections="88" malwaredetections="0" duration="397" starttime="2017-11-06T21:32:09-06:00" scantype="threat"/>

<record last_modified_tag="d023991b-e69d-4289-a8a3-129ec17d4c29" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:53:16.395714-06:00" LoggingEventType="2" severity="debug" subtype="Malware Protection" result="Starting"/>

<record last_modified_tag="96c6e3d0-49e5-4e57-bf3b-b694d8e5f098" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:53:16.411325-06:00" LoggingEventType="2" severity="debug" subtype="Malware Protection" result="Started"/>

<record last_modified_tag="0c549907-db9e-4cda-992f-142dba1f83ae" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:53:16.426952-06:00" LoggingEventType="2" severity="debug" subtype="Malicious Website Protection" result="Starting"/>

<record last_modified_tag="110774f0-731e-460e-bdec-532a438bb2db" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:53:18.958468-06:00" LoggingEventType="2" severity="debug" subtype="Malicious Website Protection" result="Started"/>

<record last_modified_tag="a794619c-8d99-4058-af3a-5a3ccad4aa8c" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:53:44.406138-06:00" LoggingEventType="2" severity="debug" subtype="Malicious Website Protection" result="Stopping"/>

<record last_modified_tag="e06bbdee-60a0-4952-926f-ff339745f870" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:53:45.960770-06:00" LoggingEventType="2" severity="debug" subtype="Malicious Website Protection" result="Stopped"/>

<record last_modified_tag="bff26452-c7a1-4683-8009-1782a9890bfd" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:53:45.969795-06:00" LoggingEventType="2" severity="debug" subtype="Malware Protection" result="Stopping"/>

<record last_modified_tag="6ac6c8f6-20c8-4052-8e00-77c499a59c86" systemname="MSIFOOKIN" username="SYSTEM" type="Protection" source="Protection" datetime="2017-11-06T21:53:46.316717-06:00" LoggingEventType="2" severity="debug" subtype="Malware Protection" result="Stopped"/>

</logs>

And here is the log from the newly installed version:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/6/17
Scan Time: 9:59 PM
Log File: 0b91bc0c-c370-11e7-8547-9cb6d010ec1a.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.3193
License: Premium

-System Information-
OS: Windows 10 (Build 14393.1770)
CPU: x64
File System: NTFS
User: MSIFOOKIN\MoFooKiN BizmaTek

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 408867
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 1 min, 3 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

Edited by MoFooKiN
New log
Link to post
Share on other sites

No detection, good :) Now let's do a sweep with AdwCleaner and RogueKiller.

AdwCleaner - Fix Mode

  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

RogueKiller

  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply

Your next reply(ies) should therefore contain:

  • Copy/pasted AdwCleaner clean log
  • Copy/pasted RogueKiller clean log

Link to post
Share on other sites

# AdwCleaner 7.0.4.0 - Logfile created on Tue Nov 07 16:33:37 2017
# Updated on 2017/27/10 by Malwarebytes 
# Running on Windows 10 Home (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

No malicious folders deleted.

***** [ Files ] *****

Deleted: C:\END


***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKU\S-1-5-21-4067184759-194431734-3307552434-1001\Software\CoinisRevShare
Deleted: [Key] - HKCU\Software\CoinisRevShare
Deleted: [Key] - HKU\S-1-5-21-4067184759-194431734-3307552434-1001\Software\ELLS LLC
Deleted: [Key] - HKCU\Software\ELLS LLC
Deleted: [Key] - HKLM\SOFTWARE\mbs_install
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}
Deleted: [Key] - HKLM\SOFTWARE\BSD
Deleted: [Key] - HKU\S-1-5-21-4067184759-194431734-3307552434-1001\Software\BSD
Deleted: [Key] - HKCU\Software\BSD
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemHealer_is1
Deleted: [Key] - HKU\S-1-5-21-4067184759-194431734-3307552434-1001\Software\PRODUCTSETUP
Deleted: [Key] - HKCU\Software\PRODUCTSETUP
Deleted: [Key] - HKU\S-1-5-21-4067184759-194431734-3307552434-1001\Software\Microsoft\Etsy
Deleted: [Key] - HKCU\Software\Microsoft\Etsy


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

Plugin deleted: Highlight to Search - 
Plugin deleted: Amazon Assistant for Chrome - 
SearchProvider deleted: Ask Search - websearch.ask.com
SearchProvider deleted: TheFreeGames Customized Web Search - search.conduit.com


*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0

*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [2854 B] - [2017/11/7 16:32:56]


########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########

RogueKiller

RogueKiller V12.11.23.0 (x64) [Nov  6 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : MoFooKiN BizmaTek [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 11/07/2017 10:41:19 (Duration : 00:37:29)

¤¤¤ Processes : 1 ¤¤¤
[VT.Unknown] Dragon Center.exe(8436) -- C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe[7] -> Found

¤¤¤ Registry : 4 ¤¤¤
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) :   -> Found
[Adw.DNSUnlocker] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{242614b1-10f7-43a8-bb62-04fe018699de} | DHCPNameServer : 82.163.143.176 ([GB])  -> Found
[Adw.DNSUnlocker] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b46c7351-40b3-444c-b8cf-c5962f38c276} | DHCPNameServer : 82.163.143.176 ([GB])  -> Found
[Adw.DNSUnlocker] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{d89ed064-ab14-4a21-a0e2-0620c9118ed6} | DHCPNameServer : 82.163.143.176 ([GB])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS721010A9E630 +++++
--- User ---
[MBR] bf1cb7a693acddb42acb4b3ff9771efe
[BSP] b388edfefc66ea5ec0f01fbd550b2cd3 : Empty|VT.Unknown MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 2048 | Size: 935504 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1915914240 | Size: 18364 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Intel Raid 0 Volume +++++
--- User ---
[MBR] 930494fed18d558e3a9c127177a9f260
[BSP] 3172880cce65e09a5bc8ef7f116cfe1f : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 300 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 616448 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 878592 | Size: 487062 MB
3 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 998381568 | Size: 900 MB
User = LL1 ... OK
Error reading LL2 MBR! NOT VALID!

+++++ PhysicalDrive2: SMI USB DISK USB Device +++++
--- User ---
[MBR] f1d4fde723e13c3bf58f9fd4c0ba5f24
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 120 | Size: 7536 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

Link to post
Share on other sites
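
The registry findings in the RogueKiller log above can be triaged mechanically. The following is an added example, not part of the original thread and not Adlice's or Malwarebytes' code: it parses the "Registry" lines in the format shown in that log and groups every DHCP-assigned name server that is not a private address by the interface GUIDs using it. The function names and the "public resolver is worth reviewing" heuristic are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: one process line and the four registry lines
# copied from the RogueKiller log pasted in this thread.
SAMPLE_LOG = r"""
[VT.Unknown] Dragon Center.exe(8436) -- C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe[7] -> Found
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) :   -> Found
[Adw.DNSUnlocker] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{242614b1-10f7-43a8-bb62-04fe018699de} | DHCPNameServer : 82.163.143.176 ([GB])  -> Found
[Adw.DNSUnlocker] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b46c7351-40b3-444c-b8cf-c5962f38c276} | DHCPNameServer : 82.163.143.176 ([GB])  -> Found
[Adw.DNSUnlocker] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{d89ed064-ab14-4a21-a0e2-0620c9118ed6} | DHCPNameServer : 82.163.143.176 ([GB])  -> Found
"""

# "[tag] (X64) <key> | <value name> : <data> -> <status>"
FINDING_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+\((?P<view>X\d+)\)\s+"
    r"(?P<key>HKEY_[^|]+?)\s+\|\s+(?P<name>[^:]+?)\s+:\s*"
    r"(?P<data>.*?)\s*->\s*(?P<status>\w+)\s*$"
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_registry_findings(text):
    """Return one dict per registry finding; other log lines are skipped."""
    findings = []
    for line in text.splitlines():
        match = FINDING_RE.match(line.strip())
        if match:
            findings.append(match.groupdict())
    return findings


def public_dhcp_name_servers(findings):
    """Map each non-private DHCPNameServer address to the interface GUIDs using it.

    Heuristic (assumption of this example): on a home LAN the DHCP-supplied
    resolver is usually the router's private address, so a public address
    repeated across interfaces deserves a closer look.
    """
    by_server = defaultdict(list)
    for finding in findings:
        if finding["name"].lower() != "dhcpnameserver":
            continue
        interface_guid = finding["key"].rsplit("\\", 1)[-1]
        for addr in IPV4_RE.findall(finding["data"]):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue  # digits that are not a valid IPv4 address
            if not ip.is_private:
                by_server[addr].append(interface_guid)
    return dict(by_server)


if __name__ == "__main__":
    results = public_dhcp_name_servers(parse_registry_findings(SAMPLE_LOG))
    for server, interfaces in results.items():
        print(f"{server}: set on {len(interfaces)} interface(s)")
        for guid in interfaces:
            print(f"  {guid}")
```
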
