
Svchost.exe 50% Usage BSOD When Shutdown/Restart



So I have a problem: I downloaded a hack for a free-to-play game and got [censored] up. The guy has like a thousand subs, but wtf? So the problem is I disabled Windows Update but svchost still has 50%. I also have tried other ways but nothing worked. I get BSODs, sometimes when turning off or restarting. My PC is normal in safe mode. Anyone could help me fix this? :) ty


Hello Rickydapoc and welcome to Malwarebytes,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security software alerts on FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens, click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans".
  • Press the Scan button to run the tool.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The tool will also make a log named Addition.txt. Please attach that log to your reply.

Thanks,

Kevin


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.03.2018
Ran by user (administrator) on USER-PC (27-03-2018 17:22:25)
Running from C:\Users\user\Downloads
Loaded Profiles: user &  (Available Profiles: user)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [303928 2017-07-14] (Apple Inc.)
HKLM\...\Run: [ShadowPlay] => "C:\Windows\system32\rundll32.exe" C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8497368 2015-07-07] (Realtek Semiconductor)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4174464 2017-05-23] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-4132738370-2700828500-1940265094-1000\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3198752 2018-03-27] (Valve Corporation)
HKU\S-1-5-21-4132738370-2700828500-1940265094-1000\...\Run: [uTorrent] => C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe [2148024 2018-02-26] (BitTorrent Inc.)
HKU\S-1-5-21-4132738370-2700828500-1940265094-1000\...\Policies\system: [EnableLUA] 1
HKU\S-1-5-21-4132738370-2700828500-1940265094-1000\...\MountPoints2: {d5ad9d17-68ab-11e6-9521-c7d8f70c1bfa} - E:\Run.exe
HKU\S-1-5-21-4132738370-2700828500-1940265094-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03272018172033353\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3198752 2018-03-27] (Valve Corporation)
HKU\S-1-5-21-4132738370-2700828500-1940265094-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03272018172033353\...\Run: [uTorrent] => C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe [2148024 2018-02-26] (BitTorrent Inc.)
HKU\S-1-5-21-4132738370-2700828500-1940265094-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03272018172033353\...\Policies\system: [EnableLUA] 1
HKU\S-1-5-21-4132738370-2700828500-1940265094-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03272018172033353\...\MountPoints2: {d5ad9d17-68ab-11e6-9521-c7d8f70c1bfa} - E:\Run.exe
Lsa: [Notification Packages] scecli C:\Program Files\TrueKey\McAfeeTrueKeyPasswordFilter
BootExecute: autocheck autochk * Partizansdnclean64.exe
GroupPolicy: Restriction <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{B41E9DBE-B57B-4278-A429-F6F9DC205B8A}: [DhcpNameServer] 10.16.0.1
Tcpip\..\Interfaces\{D257E8C8-8985-4AC6-82F2-F8A8480254D8}: [DhcpNameServer] 172.20.10.1
Tcpip\..\Interfaces\{EF00E069-7E63-4D4F-978E-61FAFA8515C5}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://ph.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_chtengin_17_24&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyEtDzz0DyD0C0F0CyC0ByDtAtB0EzztBtN0D0Tzu0StCzyzytAtN1L2XzutAtFtBzytFtAtFzzyBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyD0D0AyDzy0DyByCtGyE0A0EtDtGzzyByEzztGtBtDtD0AtG0DyDtA0ByEtDtDzytC0AtB0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0A0F0EzyyB0Ezy0AtGyB0AtBzztGyE0FyBzztGzytDtCtDtGyBtB0CyE0CtAyD0ByBtByE0C2QtN0A0LzutBtN1B2Z1V1T1S1NzutCtAtDzyzz%26cr%3D862908922%26a%3Dwbf_chtengin_17_24%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://ph.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_chtengin_17_24&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyEtDzz0DyD0C0F0CyC0ByDtAtB0EzztBtN0D0Tzu0StCzyzytAtN1L2XzutAtFtBzytFtAtFzzyBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyD0D0AyDzy0DyByCtGyE0A0EtDtGzzyByEzztGtBtDtD0AtG0DyDtA0ByEtDtDzytC0AtB0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0A0F0EzyyB0Ezy0AtGyB0AtBzztGyE0FyBzztGzytDtCtDtGyBtB0CyE0CtAyD0ByBtByE0C2QtN0A0LzutBtN1B2Z1V1T1S1NzutCtAtDzyzz%26cr%3D862908922%26a%3Dwbf_chtengin_17_24%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate
HKU\S-1-5-21-4132738370-2700828500-1940265094-1000\Software\Microsoft\Internet Explorer\Main,Start Page = 
HKU\S-1-5-21-4132738370-2700828500-1940265094-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/en-ph/?ocid=iehp
HKU\S-1-5-21-4132738370-2700828500-1940265094-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03272018172033353\Software\Microsoft\Internet Explorer\Main,Start Page = 
HKU\S-1-5-21-4132738370-2700828500-1940265094-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03272018172033353\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/en-ph/?ocid=iehp
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_chtengin_17_24&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyEtDzz0DyD0C0F0CyC0ByDtAtB0EzztBtN0D0Tzu0StCzyzytAtN1L2XzutAtFtBzytFtAtFzzyBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyD0D0AyDzy0DyByCtGyE0A0EtDtGzzyByEzztGtBtDtD0AtG0DyDtA0ByEtDtDzytC0AtB0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0A0F0EzyyB0Ezy0AtGyB0AtBzztGyE0FyBzztGzytDtCtDtGyBtB0CyE0CtAyD0ByBtByE0C2QtN0A0LzutBtN1B2Z1V1T1S1NzutCtAtDzyzz%26cr%3D862908922%26a%3Dwbf_chtengin_17_24%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_chtengin_17_24&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyEtDzz0DyD0C0F0CyC0ByDtAtB0EzztBtN0D0Tzu0StCzyzytAtN1L2XzutAtFtBzytFtAtFzzyBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyD0D0AyDzy0DyByCtGyE0A0EtDtGzzyByEzztGtBtDtD0AtG0DyDtA0ByEtDtDzytC0AtB0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0A0F0EzyyB0Ezy0AtGyB0AtBzztGyE0FyBzztGzytDtCtDtGyBtB0CyE0CtAyD0ByBtByE0C2QtN0A0LzutBtN1B2Z1V1T1S1NzutCtAtDzyzz%26cr%3D862908922%26a%3Dwbf_chtengin_17_24%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKU\S-1-5-21-4132738370-2700828500-1940265094-1000 -> DefaultScope {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://go.mail.ru/distib/ep/?q={searchTerms}&fr=ntg&product_id=%7B97147C6F-3981-4689-A55C-379D64A67BEE%7D&gp=811142
SearchScopes: HKU\S-1-5-21-4132738370-2700828500-1940265094-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_chtengin_17_24&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyEtDzz0DyD0C0F0CyC0ByDtAtB0EzztBtN0D0Tzu0StCzyzytAtN1L2XzutAtFtBzytFtAtFzzyBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyD0D0AyDzy0DyByCtGyE0A0EtDtGzzyByEzztGtBtDtD0AtG0DyDtA0ByEtDtDzytC0AtB0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0A0F0EzyyB0Ezy0AtGyB0AtBzztGyE0FyBzztGzytDtCtDtGyBtB0CyE0CtAyD0ByBtByE0C2QtN0A0LzutBtN1B2Z1V1T1S1NzutCtAtDzyzz%26cr%3D862908922%26a%3Dwbf_chtengin_17_24%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKU\S-1-5-21-4132738370-2700828500-1940265094-1000 -> {C70399D0-171B-4434-A87A-015D3679B33C} URL = hxxps://ph.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=677874&p={searchTerms}
SearchScopes: HKU\S-1-5-21-4132738370-2700828500-1940265094-1000 -> {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://go.mail.ru/distib/ep/?q={searchTerms}&fr=ntg&product_id=%7B97147C6F-3981-4689-A55C-379D64A67BEE%7D&gp=811142
SearchScopes: HKU\S-1-5-21-4132738370-2700828500-1940265094-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03272018172033353 -> DefaultScope {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://go.mail.ru/distib/ep/?q={searchTerms}&fr=ntg&product_id=%7B97147C6F-3981-4689-A55C-379D64A67BEE%7D&gp=811142
SearchScopes: HKU\S-1-5-21-4132738370-2700828500-1940265094-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03272018172033353 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ph.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_chtengin_17_24&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dph%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyEtDzz0DyD0C0F0CyC0ByDtAtB0EzztBtN0D0Tzu0StCzyzytAtN1L2XzutAtFtBzytFtAtFzzyBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyD0D0AyDzy0DyByCtGyE0A0EtDtGzzyByEzztGtBtDtD0AtG0DyDtA0ByEtDtDzytC0AtB0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0A0F0EzyyB0Ezy0AtGyB0AtBzztGyE0FyBzztGzytDtCtDtGyBtB0CyE0CtAyD0ByBtByE0C2QtN0A0LzutBtN1B2Z1V1T1S1NzutCtAtDzyzz%26cr%3D862908922%26a%3Dwbf_chtengin_17_24%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKU\S-1-5-21-4132738370-2700828500-1940265094-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03272018172033353 -> {C70399D0-171B-4434-A87A-015D3679B33C} URL = hxxps://ph.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=677874&p={searchTerms}
SearchScopes: HKU\S-1-5-21-4132738370-2700828500-1940265094-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03272018172033353 -> {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://go.mail.ru/distib/ep/?q={searchTerms}&fr=ntg&product_id=%7B97147C6F-3981-4689-A55C-379D64A67BEE%7D&gp=811142
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2018-03-01] (Microsoft Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\URLREDIR.DLL [2018-03-01] (Microsoft Corporation)
BHO-x32: True Key Helper -> {0F4B8786-5502-4803-8EBC-F652A1153BB6} -> C:\Program Files\Intel Security\True Key\MSIE\truekey_ie.dll [2016-10-07] (Intel Security)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2017-03-20] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\URLREDIR.DLL [2018-03-01] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2017-03-20] (Oracle Corporation)
Toolbar: HKLM-x32 - True Key - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - C:\Program Files\Intel Security\True Key\MSIE\truekey_ie.dll [2016-10-07] (Intel Security)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-01] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-01] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-01] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-01] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: y4egsq5l.default
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y4egsq5l.default [2018-03-26]
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2017-03-20] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2017-03-20] (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll [No File]
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2018-03-01] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2018-01-24] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2018-01-24] (NVIDIA Corporation)
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [No File]
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [No File]
FF Plugin HKU\S-1-5-21-4132738370-2700828500-1940265094-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\user\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [No File]
FF Plugin HKU\S-1-5-21-4132738370-2700828500-1940265094-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03272018172033353: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\user\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [No File]

Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> msn.com
CHR StartupUrls: Default -> "hxxps://www.google.com/"
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default [2018-03-27]
CHR Extension: (Slides) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-13]
CHR Extension: (Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-13]
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-03-20]
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-03-20]
CHR Extension: (Steam Inventory Helper) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmeakgjggjdlcpncigglobpjbkabhmjl [2018-03-22]
CHR Extension: (Sheets) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-13]
CHR Extension: (Google Docs Offline) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-03-20]
CHR Extension: (Tom's Hardware - My Threads) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nddbmgcnelmmhlfibkmfnhnfeccaliip [2018-03-24]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-22]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-03-20]
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-03-25]
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Guest Profile [2018-03-22]
CHR HKLM\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4132738370-2700828500-1940265094-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4132738370-2700828500-1940265094-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4132738370-2700828500-1940265094-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03272018172033353\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4132738370-2700828500-1940265094-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03272018172033353\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bhjhnafpiilpffhglajcaepjbnbjemci] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hcadgijmedbfgciegjomfpjcdchlhnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kpdmjodecdegfglgaapafjleomjjlpnh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lhemechcanjmilllmccjbjldonmnnjjj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ligncphnohhjkgekjkghahajihclailj] - hxxps://clients2.google.com/service/update2/crx

Opera: 
=======
OPR Extension: (Tampermonkey) - C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2018-03-21]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-04-03] (Apple Inc.)
S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [7002120 2018-02-24] ()
S2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [7962288 2018-03-12] (Microsoft Corporation)
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [372512 2017-04-29] (EasyAntiCheat Ltd)
S2 GarenaPlatform; C:\Program Files (x86)\Garena\Garena\2.0.1803.2016\gxxsvc.exe [319296 2018-03-20] (Garena Online )
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135488 2018-03-20] (SurfRight B.V.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6440736 2018-03-03] (Malwarebytes)
S2 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [519992 2018-01-10] (NVIDIA Corporation)
S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [519992 2018-01-10] (NVIDIA Corporation)
S3 OpenVPNService; C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe [32384 2016-10-03] (The OpenVPN Project)
S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1776864 2017-05-23] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2131760 2017-05-23] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [233936 2017-05-23] (Safer-Networking Ltd.)
S3 SophosVirusRemovalTool; C:\Program Files (x86)\Sophos\Sophos Virus Removal Tool\SVRTservice.exe [163680 2017-06-15] (Sophos Limited)
S4 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10803440 2017-07-27] (TeamViewer GmbH)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 NVDisplay.ContainerLocalSystem; "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem" -r -p 30000
S2 NvTelemetryContainer; "C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe" -s NvTelemetryContainer -f "C:\ProgramData\NVIDIA\NvTelemetryContainer.log" -l 3 -d "C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\plugins" -r

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ausb3hub; C:\Windows\system32\drivers\ausb3hub.sys [404480 2015-08-20] (Intel Corporation)
S3 ausb3xhc; C:\Windows\system32\drivers\ausb3xhc.sys [817664 2015-08-20] (Intel Corporation)
S0 FACEIT; C:\Windows\System32\Drivers\FACEIT.sys [9369040 2018-02-09] ()
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [31144 2015-07-29] (Intel Corporation)
S4 IObitUnlocker; C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.sys [48672 2017-06-19] (IObit)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193248 2018-03-27] (Malwarebytes)
S3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [109800 2018-03-27] (Malwarebytes)
S3 MBAMProtection; C:\Windows\System32\DRIVERS\mbam.sys [45960 2018-03-27] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253664 2018-03-27] (Malwarebytes)
S3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [92280 2018-03-27] (Malwarebytes)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [178976 2015-07-28] (Intel Corporation)
R3 Neo_VPN; C:\Windows\System32\DRIVERS\Neo_0119.sys [38432 2017-06-16] (SoftEther Corporation)
S3 Neo_VPN2; C:\Windows\System32\DRIVERS\Neo_0096.sys [38432 2017-11-12] (SoftEther Corporation)
S2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-03-01] (Riverbed Technology, Inc.)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [31024 2018-01-10] (NVIDIA Corporation)
S3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [59240 2017-12-15] (NVIDIA Corporation)
R3 nvvhci; C:\Windows\System32\DRIVERS\nvvhci.sys [58680 2018-01-10] (NVIDIA Corporation)
U0 Partizan; C:\Windows\SysWOW64\drivers\Partizan.sys [40304 2018-01-16] (Greatis Software)
S3 SEE; C:\Windows\System32\drivers\see.sys [50208 2017-11-04] (SoftEther Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2018-03-22] ()
S3 voxaldriver; C:\Windows\System32\DRIVERS\voxaldriverx64.sys [52976 2017-06-21] ()
S2 WinRing0_1_2_0; D:\Payday2\steamapps\common\EVGA PrecisionX\WinRing0\WinRing0x64.sys [14536 2017-12-18] (OpenLibSys.org)
S3 XSplit_Dummy; C:\Windows\System32\drivers\xspltspk.sys [26200 2016-06-15] (SplitmediaLabs Limited)
S3 BstkDrv; \??\C:\Program Files (x86)\BlueStacks\BstkDrv.sys [X]
S3 EsgScanner; system32\DRIVERS\EsgScanner.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [X]
S3 gkernel; \??\C:\Users\user\AppData\Local\Temp\gkernel.sys [X] <==== ATTENTION
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-03-27 17:22 - 2018-03-27 17:23 - 000025608 _____ C:\Users\user\Downloads\FRST.txt
2018-03-27 17:21 - 2018-03-27 17:22 - 000000000 ____D C:\FRST
2018-03-27 17:21 - 2018-03-27 17:21 - 002403328 _____ (Farbar) C:\Users\user\Downloads\FRST64.exe
2018-03-27 17:07 - 2018-03-27 17:08 - 020218272 _____ C:\Users\user\Downloads\PH_patch_20180321to20180323_y9aji7a3.exe
2018-03-26 16:57 - 2018-03-27 17:19 - 000045960 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-03-25 12:14 - 2018-03-27 17:19 - 000253664 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-03-25 11:46 - 2018-03-25 11:46 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\223204AE.sys
2018-03-25 11:43 - 2018-03-25 11:43 - 001032902 _____ C:\Users\user\Documents\cc_20180325_114347.reg
2018-03-25 07:55 - 2018-03-27 17:02 - 000000000 ___HD C:\Users\user\AppData\Local\Minidump
2018-03-24 19:21 - 2018-03-24 19:21 - 000000000 ____D C:\zoek_backup
2018-03-24 19:18 - 2018-03-24 19:21 - 001168896 _____ C:\Users\user\Downloads\zoek.exe
2018-03-24 18:42 - 2018-03-24 18:42 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\5CD302C6.sys
2018-03-24 18:41 - 2018-03-25 12:00 - 000000000 ____D C:\Users\user\Desktop\mbar
2018-03-24 18:41 - 2018-03-24 18:41 - 014178840 _____ (Malwarebytes Corp.) C:\Users\user\Downloads\mbar-1.10.3.1001.exe
2018-03-24 18:40 - 2018-03-24 19:35 - 000215844 _____ C:\TDSSKiller.3.1.0.16_24.03.2018_18.40.03_log.txt
2018-03-24 17:49 - 2018-03-24 17:49 - 000000000 ____D C:\Users\user\Documents\Modules
2018-03-24 17:05 - 2018-03-24 17:05 - 000536128 _____ (Neuber Software) C:\Users\user\Downloads\SvchostAnalyzer.exe
2018-03-23 17:32 - 2018-03-27 16:54 - 000109800 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-03-22 21:09 - 2018-03-22 21:15 - 000216230 _____ C:\TDSSKiller.3.1.0.16_22.03.2018_21.09.21_log.txt
2018-03-22 21:08 - 2018-03-22 21:09 - 004944584 _____ (AO Kaspersky Lab) C:\Users\user\Downloads\tdsskiller.exe
2018-03-22 21:02 - 2018-03-27 16:56 - 000092280 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-03-22 20:16 - 2018-03-22 20:19 - 000000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2018-03-22 20:16 - 2018-03-22 20:16 - 000001343 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2018-03-22 20:16 - 2018-03-22 20:16 - 000000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2018-03-22 20:16 - 2017-05-23 09:22 - 000032240 _____ (Safer-Networking Ltd.) C:\Windows\system32\sdnclean64.exe
2018-03-22 20:14 - 2017-05-01 07:25 - 001458856 _____ (Sysinternals - www.sysinternals.com) C:\Users\user\Desktop\procexp64.exe
2018-03-22 20:12 - 2018-03-22 20:14 - 051725936 _____ (Safer-Networking Ltd. ) C:\Users\user\Downloads\spybotsd-2.6.46.exe
2018-03-22 19:50 - 2018-03-22 19:50 - 001931969 _____ C:\Users\user\Downloads\ProcessExplorer.zip
2018-03-22 18:35 - 2018-03-22 18:35 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2018-03-22 18:32 - 2018-03-22 18:34 - 027005512 _____ (Adlice Software) C:\Users\user\Downloads\RogueKiller_portable64.exe
2018-03-22 18:13 - 2018-03-27 17:20 - 000193248 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-03-22 18:12 - 2018-03-22 18:12 - 000001827 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-03-22 18:12 - 2018-03-22 18:12 - 000000000 ____D C:\Program Files\Malwarebytes
2018-03-22 18:12 - 2018-01-18 09:03 - 000076200 _____ C:\Windows\system32\Drivers\mbae64.sys
2018-03-22 18:10 - 2018-03-22 18:12 - 070931976 _____ (Malwarebytes ) C:\Users\user\Downloads\mb3-setup-consumer-3.4.4.2398-1.0.322-1.0.4434.exe
2018-03-22 17:41 - 2018-03-22 18:05 - 000000000 ____D C:\Program Files\Enigma Software Group
2018-03-22 17:39 - 2018-03-22 17:39 - 000410192 _____ C:\Windows\Minidump\032218-29671-01.dmp
2018-03-22 17:38 - 2018-03-22 17:38 - 005189808 _____ (Enigma Software Group USA, LLC.) C:\Users\user\Downloads\SpyHunter-Installer.exe
2018-03-22 17:36 - 2018-03-22 17:36 - 000000000 ____D C:\Program Files (x86)\GUM8F92.tmp
2018-03-22 17:34 - 2018-03-22 17:35 - 000001658 _____ C:\Users\user\Desktop\Rkill.txt
2018-03-22 17:33 - 2018-03-22 17:33 - 000841241 _____ C:\Users\user\Downloads\rkill.zip
2018-03-22 17:20 - 2018-03-22 17:20 - 000002759 _____ C:\Users\Public\Desktop\Sophos Virus Removal Tool.lnk
2018-03-22 17:20 - 2018-03-22 17:20 - 000000000 ____D C:\Program Files (x86)\Sophos
2018-03-22 17:04 - 2018-03-22 17:15 - 194728152 _____ (Sophos Limited) C:\Users\user\Downloads\Sophos Virus Removal Tool.exe
2018-03-21 22:03 - 2018-03-21 22:03 - 000410176 _____ C:\Windows\Minidump\032118-25365-01.dmp
2018-03-20 22:52 - 2018-03-20 22:52 - 000404208 _____ C:\Windows\Minidump\032018-26192-01.dmp
2018-03-20 20:23 - 2018-03-20 20:23 - 000404992 _____ C:\Windows\Minidump\032018-35427-01.dmp
2018-03-20 20:07 - 2018-03-20 20:07 - 000012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2018-03-20 19:34 - 2018-03-20 19:34 - 000000670 _____ C:\Windows\system32\.crusader
2018-03-20 19:31 - 2018-03-20 19:31 - 000001857 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2018-03-20 19:31 - 2018-03-20 19:31 - 000000000 ____D C:\Program Files\HitmanPro
2018-03-20 19:29 - 2018-03-20 19:30 - 011605440 _____ (SurfRight B.V.) C:\Users\user\Downloads\HitmanPro_x64.exe
2018-03-20 19:10 - 2018-03-20 19:10 - 000000044 _____ C:\Users\user\Documents\unhacks.txt
2018-03-20 19:06 - 2017-12-14 21:21 - 000001860 _____ C:\Users\user\Desktop\ReadME.txt
2018-03-20 19:06 - 2017-10-06 03:12 - 000000000 ____D C:\Users\user\Desktop\Crack
2018-03-20 19:05 - 2018-03-20 19:06 - 019058984 _____ C:\Users\user\Downloads\UnHackMe 9.50 Build 650 Multilingual + _ [JsPC4u].rar
2018-03-20 19:05 - 2018-03-20 19:05 - 000003713 _____ C:\Users\user\Downloads\UnHackMe 9.50 Build 650 _ [JsPC4u].rar
2018-03-20 18:48 - 2018-03-20 18:48 - 000847486 _____ ( ) C:\Users\user\Downloads\UnHackMe_Crack_9.60_Build_660_With_Registration_Code.exe
2018-03-20 18:47 - 2018-03-20 18:47 - 000847486 _____ ( ) C:\Users\user\Downloads\UnHackMe_Crack_9.60_Build_660_With_Registration_Code (1).exe
2018-03-20 18:01 - 2018-03-20 18:01 - 000410208 _____ C:\Windows\Minidump\032018-24242-01.dmp
2018-03-20 17:33 - 2018-03-20 17:33 - 000003618 _____ C:\Windows\System32\Tasks\{C1888135-8A5F-4833-B5A4-44FB99A8BBCA}
2018-03-20 17:33 - 2018-03-20 17:33 - 000003380 _____ C:\Windows\System32\Tasks\{198AE7DD-FE8D-47BE-9B6F-781560F34FEF}
2018-03-20 17:32 - 2018-03-20 17:32 - 000003606 _____ C:\Windows\System32\Tasks\diffiticnetjka
2018-03-19 18:11 - 2018-03-19 18:11 - 001027220 ____N C:\Windows\Minidump\032018-24460-01.dmp
2018-03-18 08:45 - 2018-03-18 08:45 - 000001192 _____ C:\Users\user\Desktop\Auslogics BoostSpeed 10.lnk
2018-03-18 08:41 - 2018-03-18 08:42 - 012157760 _____ (Auslogics ) C:\Users\user\Downloads\disk-defrag-setup (1).exe
2018-03-16 21:08 - 2018-03-16 21:08 - 001196342 ____N C:\Windows\Minidump\031718-25147-01.dmp
2018-03-15 20:33 - 2018-03-15 20:33 - 001075812 ____N C:\Windows\Minidump\031618-23883-01.dmp
2018-03-10 17:53 - 2018-03-26 17:13 - 000001313 _____ C:\Users\user\Desktop\Roblox Player.lnk
2018-03-10 17:51 - 2018-03-26 17:13 - 000000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox
2018-03-10 17:51 - 2018-03-26 17:10 - 000001132 _____ C:\Users\user\Desktop\Roblox Studio.lnk
2018-03-10 17:51 - 2018-03-10 18:04 - 000000252 _____ C:\Users\user\AppData\LocalLow\rbxcsettings.rbx
2018-03-10 17:51 - 2018-03-10 17:59 - 000000000 ____D C:\Users\user\AppData\Local\Roblox
2018-03-10 17:50 - 2018-03-10 17:50 - 000822328 _____ (Roblox Corporation) C:\Users\user\Downloads\RobloxPlayerLauncher.exe
2018-03-10 17:11 - 2018-03-27 17:18 - 000000248 _____ C:\Windows\SysWOW64\PARTIZAN.TXT
2018-03-10 09:11 - 2018-03-10 09:13 - 000000000 ____D C:\Program Files (x86)\OpenVPN
2018-03-10 09:11 - 2018-03-10 09:12 - 000000000 ____D C:\Program Files\TAP-Windows
2018-03-10 09:11 - 2018-03-10 09:11 - 000001988 _____ C:\Users\Public\Desktop\Betternet.lnk
2018-03-10 09:11 - 2018-03-10 09:11 - 000000000 ____D C:\Program Files (x86)\Betternet
2018-03-10 09:09 - 2018-03-10 09:10 - 010670000 _____ C:\Users\user\Downloads\BetternetForWindows3100.exe
2018-03-09 21:57 - 2018-03-09 21:57 - 000900076 ____N C:\Windows\Minidump\031018-24398-01.dmp
2018-03-04 17:23 - 2018-03-04 17:24 - 009800416 _____ C:\Users\user\Desktop\Cheat engine 4 (Extract to desktop).rar
2018-03-04 17:21 - 2018-03-04 17:26 - 000000000 ____D C:\Program Files (x86)\Cheat Engine 6.7
2018-03-04 17:21 - 2018-03-04 17:21 - 000001049 _____ C:\Users\user\Desktop\Cheat Engine.lnk
2018-03-03 22:43 - 2018-03-24 19:20 - 000000042 _____ C:\Users\user\Documents\pass.txt
2018-03-03 20:03 - 2018-03-03 20:03 - 009800416 _____ C:\Users\user\Downloads\Cheat Engine 4.rar
2018-03-03 19:57 - 2017-07-30 05:11 - 000000000 ____D C:\Users\user\Desktop\Cheat Engine 4
2018-03-02 19:33 - 2018-03-02 19:33 - 000990755 ____N C:\Windows\Minidump\030318-24039-01.dmp
2018-03-01 17:22 - 2018-03-01 17:25 - 055639568 _____ C:\Users\user\Downloads\GrowtopiaInstaller (1).exe
2018-02-26 22:19 - 2018-02-26 22:19 - 000089212 _____ C:\Users\user\Downloads\Beyound-Hack.zip
2018-02-25 16:29 - 2018-02-25 16:31 - 053641208 _____ C:\Users\user\Downloads\GrowtopiaInstaller.exe
2018-02-25 14:55 - 2018-02-25 14:55 - 000000000 ____D C:\Users\user\Documents\Subvert Games
2018-02-25 14:50 - 2018-02-25 14:50 - 000000222 _____ C:\Users\user\Desktop\Of Guards And Thieves.url

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-03-27 17:20 - 2018-01-20 07:30 - 002766406 _____ C:\Windows\ntbtlog.txt
2018-03-27 17:15 - 2017-11-21 19:26 - 000000000 ____D C:\Users\user\AppData\Roaming\uTorrent
2018-03-27 17:09 - 2009-07-14 12:45 - 000026352 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-03-27 17:09 - 2009-07-14 12:45 - 000026352 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-03-27 17:05 - 2017-12-16 13:55 - 000003412 _____ C:\Windows\System32\Tasks\gxx speed launcher
2018-03-27 17:02 - 2018-01-19 21:49 - 000153088 _____ C:\Windows\SysWOW64\conhost64.exe
2018-03-27 16:59 - 2016-12-17 09:49 - 000000000 ____D C:\Program Files (x86)\Steam
2018-03-27 16:55 - 2016-08-22 14:51 - 000000000 ____D C:\Program Files (x86)\SMADAV
2018-03-27 16:54 - 2017-11-21 19:26 - 000000000 ____D C:\Users\user\AppData\LocalLow\uTorrent
2018-03-27 16:52 - 2009-07-14 13:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-03-26 22:05 - 2017-07-07 18:07 - 000000000 ____D C:\Users\user\AppData\LocalLow\Mozilla
2018-03-25 23:21 - 2017-12-17 09:23 - 000355049 ____N C:\Windows\Minidump\032518-20014-01.dmp
2018-03-25 23:21 - 2017-09-02 21:25 - 000000000 ____D C:\Windows\Minidump
2018-03-25 22:08 - 2017-03-20 18:20 - 000000000 ____D C:\Users\user\AppData\Roaming\discord
2018-03-25 12:12 - 2017-12-17 09:23 - 000355049 ____N C:\Windows\Minidump\032518-25833-01.dmp
2018-03-25 12:04 - 2017-03-20 17:31 - 000120704 _____ C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
2018-03-25 12:04 - 2009-07-14 12:45 - 005120280 _____ C:\Windows\system32\FNTCACHE.DAT
2018-03-25 12:01 - 2017-07-07 18:07 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-03-25 11:53 - 2018-01-14 20:08 - 000000000 ____D C:\AdwCleaner
2018-03-25 11:51 - 2017-07-07 18:07 - 000000000 ____D C:\Users\user\AppData\Roaming\Mozilla
2018-03-25 11:51 - 2017-07-07 18:06 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2018-03-25 08:50 - 2017-12-17 09:23 - 000355049 ____N C:\Windows\Minidump\032518-43165-01.dmp
2018-03-25 08:03 - 2017-06-14 12:51 - 000000000 ____D C:\Users\user\AppData\Local\CrashDumps
2018-03-24 19:13 - 2018-01-16 20:01 - 000000000 ____D C:\Users\Public\Documents\regruninfo
2018-03-24 19:09 - 2018-01-16 20:02 - 000000000 ____D C:\Users\user\Documents\RegRun2
2018-03-24 18:31 - 2017-12-17 09:23 - 000355049 ____N C:\Windows\Minidump\032418-31543-01.dmp
2018-03-22 21:56 - 2017-12-17 09:23 - 000355049 ____N C:\Windows\Minidump\032218-21325-01.dmp
2018-03-22 20:14 - 2017-06-10 22:11 - 000007640 _____ C:\Users\user\AppData\Local\Resmon.ResmonCfg
2018-03-22 19:43 - 2018-01-16 20:02 - 000003280 _____ C:\Windows\System32\Tasks\UnHackMe Task Scheduler
2018-03-22 19:42 - 2018-01-16 20:01 - 000000554 _____ C:\Users\user\Desktop\UnHackMe.lnk
2018-03-22 17:36 - 2017-03-19 20:37 - 000000000 ____D C:\Users\user\AppData\Local\Google
2018-03-22 17:36 - 2016-08-22 14:12 - 000003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2018-03-22 17:36 - 2016-08-22 14:12 - 000003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2018-03-22 16:59 - 2009-07-14 10:34 - 000000541 _____ C:\Windows\win.ini
2018-03-20 18:59 - 2009-07-14 13:08 - 000032656 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2018-03-20 17:33 - 2018-01-13 15:48 - 000000002 _____ C:\Users\user\AppData\Local\WMI.ini
2018-03-20 17:30 - 2017-12-27 14:42 - 000000000 ____D C:\Users\user\Documents\redeye
2018-03-20 17:00 - 2018-01-12 17:27 - 000003168 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-4132738370-2700828500-1940265094-1000
2018-03-20 17:00 - 2018-01-11 17:53 - 000002119 _____ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft OneDrive.lnk
2018-03-20 17:00 - 2018-01-11 17:53 - 000000000 ___RD C:\Users\user\OneDrive
2018-03-18 08:52 - 2017-03-25 17:34 - 000000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2018-03-18 08:47 - 2018-01-16 20:02 - 000000002 RSHOT C:\Windows\winstart.bat
2018-03-18 08:47 - 2018-01-16 20:02 - 000000002 RSHOT C:\Windows\SysWOW64\CONFIG.NT
2018-03-18 08:47 - 2018-01-16 20:02 - 000000002 RSHOT C:\Windows\SysWOW64\AUTOEXEC.NT
2018-03-18 08:41 - 2017-06-10 10:32 - 000000000 ____D C:\Users\user\AppData\Roaming\FACEIT
2018-03-17 07:48 - 2016-08-22 14:29 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2018-03-13 19:25 - 2017-05-17 14:40 - 000000000 ____D C:\Users\user\AppData\Local\Growtopia
2018-03-13 17:43 - 2017-06-18 14:30 - 000004470 _____ C:\Windows\System32\Tasks\Adobe Flash Player PPAPI Notifier
2018-03-13 17:43 - 2017-06-13 19:33 - 000804352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2018-03-13 17:43 - 2017-06-13 19:33 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2018-03-13 17:43 - 2017-06-13 19:33 - 000004312 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2018-03-13 17:43 - 2016-10-04 19:06 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-03-13 17:43 - 2016-10-04 19:06 - 000000000 ____D C:\Windows\system32\Macromed
2018-03-11 13:27 - 2017-03-25 21:43 - 000000222 _____ C:\Users\user\Desktop\Unturned.url
2018-03-10 18:29 - 2017-09-26 21:07 - 000004044 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1506431250
2018-03-10 09:11 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\inf
2018-03-04 10:45 - 2018-01-04 12:05 - 000000000 ____D C:\Users\user\AppData\Roaming\CC
2018-03-03 20:12 - 2017-07-26 12:27 - 000000000 ____D C:\GarenaDownload
2018-03-01 19:35 - 2016-08-23 18:10 - 000000000 ____D C:\Program Files (x86)\GarenaLoLPH
2018-03-01 17:53 - 2017-05-17 14:40 - 000000939 _____ C:\Users\user\Desktop\Growtopia.lnk
2018-03-01 17:53 - 2017-03-19 20:32 - 000000000 ____D C:\Users\user\.gimp-2.8
2018-02-28 19:27 - 2018-02-03 14:57 - 000000000 ____D C:\ros
2018-02-25 21:31 - 2017-07-28 12:10 - 000000000 ____D C:\Users\user\AppData\LocalLow\DefaultCompany
2018-02-25 16:31 - 2017-03-19 20:32 - 000000000 ____D C:\Users\user\.oracle_jre_usage

==================== Files in the root of some directories =======

2017-12-10 09:13 - 2017-12-10 09:13 - 001204720 _____ (Adobe Systems Incorporated) C:\Users\user\adobe.exe
2018-01-13 15:48 - 2010-11-21 11:24 - 000186368 _____ (Microsoft Corporation) C:\Users\user\XFijuaUAU.exe
2018-01-04 11:43 - 2018-01-05 09:15 - 000066790 _____ () C:\Program Files (x86)\hyxd_license.htm
2018-01-13 15:48 - 2010-11-21 11:24 - 000073216 _____ (Microsoft Corporation) C:\Program Files (x86)\Common Files\BAuuSiNe.exe
2018-01-13 15:48 - 2009-07-14 09:14 - 000000045 _____ () C:\Program Files (x86)\Common Files\PUrFYON
2009-07-14 09:14 - 2009-07-14 09:14 - 000000045 _____ () C:\Program Files (x86)\Common Files\PUrFYON.bat
2017-04-29 12:01 - 2017-04-29 12:01 - 000003584 _____ () C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2017-06-10 22:11 - 2018-03-22 20:14 - 000007640 _____ () C:\Users\user\AppData\Local\Resmon.ResmonCfg
2018-01-13 15:48 - 2018-03-20 17:33 - 000000002 _____ () C:\Users\user\AppData\Local\WMI.ini

Some files in TEMP:
====================
2018-03-02 14:56 - 2018-03-02 14:56 - 000450880 _____ (Garena Online                   ) C:\Users\user\AppData\Local\Temp\Garena.exe
2018-03-22 20:32 - 2018-03-22 20:32 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180322123242167.dll
2018-03-22 21:02 - 2018-03-22 21:02 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180322130219512.dll
2018-03-22 21:06 - 2018-03-22 21:06 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180322130619397.dll
2018-03-22 21:41 - 2018-03-22 21:41 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180322134120992.dll
2018-03-23 17:36 - 2018-03-23 17:36 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180323093630185.dll
2018-03-24 16:40 - 2018-03-24 16:40 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180324084022376.dll
2018-03-24 16:44 - 2018-03-24 16:44 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180324084445365.dll
2018-03-24 16:51 - 2018-03-24 16:51 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180324085118261.dll
2018-03-24 17:06 - 2018-03-24 17:06 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180324090651483.dll
2018-03-24 17:19 - 2018-03-24 17:19 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180324091955493.dll
2018-03-24 17:36 - 2018-03-24 17:36 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180324093639559.dll
2018-03-24 17:52 - 2018-03-24 17:52 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180324095209060.dll
2018-03-24 17:52 - 2018-03-24 17:52 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180324095238739.dll
2018-03-24 17:52 - 2018-03-24 17:52 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180324095239010.dll
2018-03-24 17:52 - 2018-03-24 17:52 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180324095239393.dll
2018-03-24 17:52 - 2018-03-24 17:52 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180324095241229.dll
2018-03-24 17:52 - 2018-03-24 17:52 - 001857024 _____ (Opera Software) C:\Users\user\AppData\Local\Temp\Opera_installer_180324095247144.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-02-17 12:16

==================== End of FRST.txt ============================

Addition.txt


Hello Rickydapoc,

Thanks for those logs, Continue:

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running the FRST fix."
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Open Malwarebytes Anti-Malware again.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended)
    Potentially Unwanted Modifications (PUM`s) set as :- Always detect PUM`s (recommended)
     
  • Click on Scan and make sure Threat Scan is selected.
  • A Threat Scan will begin.
  • When the scan is complete, if anything is found, make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply

     
  • Use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Microsoft's "Malicious Software Removal Tool" and save it directly to the desktop

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the Tool, select "Run as Administrator"; the tool will expand to the options window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include details for each time MSRT has run; we only need the most recent log by date and time....

Let me see those logs in your reply, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin...

 

 

 

fixlist.txt


Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/27/18
Scan Time: 8:58 PM
Log File: 9456022b-31be-11e8-b358-00ffb41e9dbe.json
Administrator: Yes

-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.4508
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: user-PC\user

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 281968
Threats Detected: 6
Threats Quarantined: 6
Time Elapsed: 13 min, 42 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 3
Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{3B4E483A-21D5-43FD-9454-A8B58470453C}, Quarantined, [6166], [503825],1.0.4508
Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{3B4E483A-21D5-43FD-9454-A8B58470453C}, Quarantined, [6166], [503825],1.0.4508
Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\diffiticnetjka, Quarantined, [6166], [503825],1.0.4508

Registry Value: 1
Adware.StartPage.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{3B4E483A-21D5-43FD-9454-A8B58470453C}|PATH, Quarantined, [6166], [503824],1.0.4508

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
RiskWare.BitCoinMiner, C:\USERS\USER\APPDATA\LOCAL\MINIDUMP\000001N.ZIP, Quarantined, [913], [467508],1.0.4508
PUP.Optional.GameHack, C:\USERS\USER\DESKTOP\CHEAT ENGINE 4\STANDALONEPHASE1.DAT, Quarantined, [8186], [393793],1.0.4508

Physical Sector: 0
(No malicious items detected)


(end)

Fixlog.txt


# AdwCleaner 7.0.8.0 - Logfile created on Tue Mar 27 13:28:04 2018
# Updated on 2018/08/02 by Malwarebytes 
# Database: 2018-03-26.1
# Running on Windows 7 Ultimate (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group


***** [ Files ] *****

PUP.Optional.SpyHunter, C:\Users\user\Downloads\SpyHunter-Installer.exe


***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.SpyHunter, [Key] - HKLM\SOFTWARE\EnigmaSoftwareGroup
PUP.Optional.SpyHunter, [Key] - HKLM\SOFTWARE\EnigmaSoftwareGroup


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [1224 B] - [2018/1/19 13:14:58]
C:/AdwCleaner/AdwCleaner[C1].txt - [7527 B] - [2018/3/22 9:43:14]
C:/AdwCleaner/AdwCleaner[C2].txt - [1539 B] - [2018/3/22 10:7:20]
C:/AdwCleaner/AdwCleaner[S0].txt - [7983 B] - [2018/1/14 12:10:30]
C:/AdwCleaner/AdwCleaner[S1].txt - [1219 B] - [2018/1/19 13:13:47]
C:/AdwCleaner/AdwCleaner[S2].txt - [1152 B] - [2018/1/20 1:19:52]
C:/AdwCleaner/AdwCleaner[S3].txt - [9942 B] - [2018/3/22 9:42:24]
C:/AdwCleaner/AdwCleaner[S4].txt - [2350 B] - [2018/3/22 10:6:50]
C:/AdwCleaner/AdwCleaner[S5].txt - [1762 B] - [2018/3/25 3:53:9]


########## EOF - C:\AdwCleaner\AdwCleaner[S6].txt ##########

 


---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.58, March 2018 (build 5.58.14622.1)
Started On Tue Mar 27 21:29:34 2018

Engine: 1.1.14600.4
Signatures: 1.263.2.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Tue Mar 27 21:33:23 2018


Return code: 0 (0x0)
:)


Ok, run the following:

Please download Malwarebytes Anti-Rootkit from here
 
  • Right click on the tool (select "Run as Administrator") to start the extraction to a convenient location. (Desktop is preferable)
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

Thanks,

Kevin...

 


I seem to have found the malware. It is stored in my AppData and it changes folder name every time; you need to change the security settings to open that folder. Inside that folder is msiexec64 and more WinRAR files. It is always detected by Malwarebytes as a bitcoin malware. It disguised itself as svchost.exe and tcpip and takes up 25-50% CPU usage! After deleting the folder that contained msiexec I can end task the svchost or tcpip with no BSOD.

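Rickydapoc's observation above (a miner running under the name svchost.exe from a renaming folder in AppData, with a randomly named scheduled task turning up in the Malwarebytes scan) is exactly what a location check catches: the genuine svchost.exe only ever runs from System32 or SysWOW64, which is also what the signed-file list at the end of the FRST log covers. The following PowerShell is an added example, not code from this thread, from Malwarebytes or from FRST; the watch list of process names and the path patterns it flags are assumptions picked from the names mentioned in the thread, and it expects an English-language Windows because it reads the column headers of schtasks output.

```powershell
# Added example (not code from the thread, Malwarebytes or FRST): list processes
# that borrow a Windows system binary's name but run from outside System32/SysWOW64,
# and scheduled tasks whose action lives in a user-writable location.
# Written for Windows 7 / PowerShell 2.0 and later; on PowerShell 7 replace
# Get-WmiObject with Get-CimInstance. Run from an elevated prompt so every
# process's ExecutablePath is readable.

param(
    # Assumed watch list, built from the names this thread mentions: svchost.exe and
    # msiexec (whose real Windows name is msiexec.exe). Extend as needed.
    [string[]]$WatchNames = @('svchost.exe', 'msiexec.exe', 'msiexec64.exe')
)

$systemDirs = @(
    (Join-Path $env:WINDIR 'System32'),
    (Join-Path $env:WINDIR 'SysWOW64')
)

# A process passes the location check only if its image sits directly in one of
# the two real system directories (a subfolder such as System32\Tasks does not count).
function Test-SystemLocation {
    param([string]$Path)
    $parent = Split-Path -Path $Path -Parent
    foreach ($dir in $systemDirs) {
        if ($parent -eq $dir) { return $true }   # string -eq is case-insensitive
    }
    return $false
}

function Get-SuspiciousProcess {
    param([string[]]$Names)
    foreach ($proc in Get-WmiObject -Class Win32_Process) {
        if ($Names -notcontains $proc.Name) { continue }
        $path = $proc.ExecutablePath
        if (-not $path) {
            # Empty path: either the shell is not elevated (access denied) or the
            # process is protected. Report it rather than silently skipping it.
            New-Object PSObject -Property @{
                PID = $proc.ProcessId; Name = $proc.Name; Parent = $proc.ParentProcessId
                Path = '<unreadable>'; Reason = 'image path not readable (run elevated)'
            }
            continue
        }
        $reasons = @()
        if (-not (Test-SystemLocation -Path $path)) { $reasons += 'runs outside System32/SysWOW64' }
        # Caveat: on Windows 7 most OS binaries are catalog-signed and PowerShell 2.0's
        # Get-AuthenticodeSignature reports them as NotSigned, so the status is only
        # informative there; the location check above is the decisive one. On newer
        # Windows / PowerShell 5.1 catalog signatures are verified and report Valid.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "Authenticode status $($sig.Status)" }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                PID = $proc.ProcessId; Name = $proc.Name; Parent = $proc.ParentProcessId
                Path = $path; Reason = ($reasons -join '; ')
            }
        }
    }
}

# Scheduled tasks are a common way for a miner to come back after its process is
# killed. Flag any task whose command lives under a profile, AppData, ProgramData
# or Temp path. schtasks repeats its header row per task folder; those rows never
# match the pattern, so they drop out on their own.
function Get-SuspiciousTask {
    $rows = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
    foreach ($t in $rows) {
        $cmd = $t.'Task To Run'
        if ($cmd -match '(?i)\\(Users|AppData|ProgramData|Temp)\\') {
            New-Object PSObject -Property @{ Task = $t.TaskName; Command = $cmd }
        }
    }
}

$procs = @(Get-SuspiciousProcess -Names $WatchNames)
$tasks = @(Get-SuspiciousTask)
if ($procs.Count -gt 0) { $procs | Format-Table PID, Name, Parent, Path, Reason -AutoSize }
else { "No watched process is running from an unexpected location." }
if ($tasks.Count -gt 0) { $tasks | Format-Table Task, Command -AutoSize -Wrap }
else { "No scheduled task runs from a user-writable path." }
```

Run it from an elevated PowerShell prompt. The task list will also include legitimate per-user entries (the FRST log above shows an OneDrive update task and per-user Google Update tasks, which are normal), so read each flagged command rather than treating the list as a verdict; the point is to surface a task that launches something from a folder like the renaming AppData directory described in the post, so it can be handed to the helper along with the logs.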
Upload a File to Virustotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\Users\user\Downloads\x264vfw_full_44_2851bm_44825.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.


Next,

Zip up and attach this folder: C:\Windows\minidump. You will probably have to copy the folder to your Desktop, then zip it and attach it to your reply...

Next,

I see from the Programs list that you have uninstalled Malwarebytes; it is very worthwhile using the clean up tool to ensure all remnants of Malwarebytes are removed...

Totally Remove Malwarebytes from your system:

Download the latest version of MB-Clean by clicking this link: https://downloads.malwarebytes.com/file/mb_clean and save it to your Desktop, or a folder of your choice.
 
  • Close all open applications
  • Double-click and run mb-clean.exe
  • A prompt with an option to clean up the system will appear:



Yes - will proceed with backing up the license key (Malwarebytes 3.x only) and initiating the cleanup process. (Recommended)
No - will exit the utility

Once the cleanup process is completed, a prompt will appear:

Yes – will proceed and post reboot you will be prompted to continue with the downloading, installation and activation of latest version of Malwarebytes 3.x (Recommended)
No – will exit the utility and you will not be prompted (post reboot) to download, reinstall and re-activate (Not Recommended)

We recommend rebooting immediately. Additionally, stopping at this step is not recommended and will most likely not resolve your issue(s).

Upon reboot, a prompt will appear:

Yes - will download, install and activate the latest version of Malwarebytes 3.x (Recommended) <---- this is your choice if you want to reinstall Malwarebytes
No - will exit the utility and the cleanup process is complete...

A log file ("mb-clean-results.txt") will be on your desktop...

Thank you,

Kevin..


Have the crashes ceased since you have the premium version of Malwarebytes..?

Select the Windows key and X key together, from the winx menu select "Command Prompt (Admin)"

At the prompt type or copy/paste :- DISM /Online /Cleanup-Image /CheckHealth then hit the enter key. What results do you get..?

Thanks,

Kevin

This topic is now closed to further replies.