Jump to content

Recommended Posts

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry because we have a team of experts here help you!!

Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact a Moderator or Administrator to let them know.

 

First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details:

Spoiler

Malwarebytes can detect and remove most malware with no further actions required for free.

If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.

  1. Open Malwarebytes for Windows
  2. To the left, click Scan > Scan Types.
    image.png
  3. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.
    image.png
  4. Click Start Scan

Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool:

Spoiler

Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.

Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  1. Double-click to run it. When the tool opens click Yes to the disclaimer.
  2. Press the Scan button.
    _frst_scan.jpg.d10e66dc03e35ede4fdcba12b
  3. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  4. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.

Finally, attach the Malwarebytes Threat Scan, FRST.txt and Additional.txt logs to your reply and Follow this topic to get notified when an expert has replied. Click "Reveal Hidden Contents" below for details.

Note: If you are unable to attach files, please copy and past the contents of the requested files in your Reply instead. 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

_mb_attach.jpg.a0465aaafd6cae688aa38ab16

 

After posting your new post, make sure you click the Follow button near the top right of this page, and select the option "An email when new content is posted Change how the notification is sent" so that you're alerted by email when someone has replied to your post.

_mb_follow.jpg.7868cc281f66ac22e919c2c48

_mb_follow_options.jpg.dcb79fc10aa35beb0

Please Note the Following:

  • One of our expert helpers will give you one-on-one assistance when one becomes available.
  • Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
  • Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help
  • If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.

Troubleshooting Tips

Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

step1.gif
Please download Malwarebytes Anti-Malware from here
 

  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.


Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

step2.gif
Please download AdwCleaner by Xplode onto your Desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.


IMPORTANT

step3.gif
Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs  for my review.

Wait for further instructions.

Link to post
Share on other sites

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12.05.2018
Ran by tommy (administrator) on MY-PC (13-05-2018 11:03:40)
Running from C:\Users\tommy\Desktop
Loaded Profiles: tommy (Available Profiles: tommy)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
(Wacom Technology) C:\Program Files\Tablet\Wacom\WacomHost.exe
() C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvNode\nvnodejslauncher.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\System32\InputMethod\JPN\JpnIME.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe
(Microsoft Corporation) C:\Users\tommy\AppData\Roaming\Microsoft\Security\mcrstdio.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\32\WacomDesktopCenter.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(i-Funbox.com) C:\Program Files (x86)\i-Funbox DevTeam\iFunBox_x64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files\Microsoft Synchronization Services\9BGH6GV1PR425XGBI8\s6vPJvZ6SY.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel(R) Corporation) C:\Program Files (x86)\Intel\Intel(R) Extreme Tuning Utility\XtuService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [298296 2018-01-22] (Apple Inc.)
HKLM-x32\...\RunOnce: [Windows Update Service] => C:\Users\tommy\AppData\Roaming\Microsoft\Security\mcrstdio.exe [971808 2018-05-13] (Microsoft Corporation)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3541273722-2045522596-512499532-1001\...\Run: [iFunBox] => C:\Program Files (x86)\i-Funbox DevTeam\iFunBox_x64.exe [4873728 2017-03-18] (i-Funbox.com)
HKU\S-1-5-21-3541273722-2045522596-512499532-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3199776 2018-04-03] (Valve Corporation)
HKU\S-1-5-21-3541273722-2045522596-512499532-1001\...\Run: [mrjsrhfa] => "C:\Users\tommy\vcppsdvq.exe"
HKU\S-1-5-21-3541273722-2045522596-512499532-1001\...\Run: [s6vPJvZ6SY.exe] => C:\Program Files\Microsoft Synchronization Services\9BGH6GV1PR425XGBI8\s6vPJvZ6SY.exe [801792 2018-05-12] ()
HKU\S-1-5-21-3541273722-2045522596-512499532-1001\...\MountPoints2: {954394ce-0c8d-11e8-8250-104a7d09361f} - "D:\Startup.exe" 
Startup: C:\Users\tommy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rbghiugr.lnk [2018-05-13]
Startup: C:\Users\tommy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rtshteih.lnk [2018-05-12]
ShortcutTarget: rtshteih.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{4722B4F1-7A78-4B86-A2D5-15C083D6AF9E}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2018-04-29] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2018-04-29] (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll [2018-04-29] (Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-04-29] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-04-29] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-04-29] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-04-29] (Microsoft Corporation)

FireFox:
========
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2018-03-30] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2018-03-18] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-12-29] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-12-29] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-11-30] (VideoLAN)

Chrome: 
=======
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://www.google.com","hxxps://www.google.com/","hxxps://www.google.com/"
CHR Profile: C:\Users\tommy\AppData\Local\Google\Chrome\User Data\Default [2018-05-13]
CHR Extension: (Google Drive) - C:\Users\tommy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-02-08]
CHR Extension: (YouTube) - C:\Users\tommy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-02-08]
CHR Extension: (Chrome Cleaner Pro) - C:\Users\tommy\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccjleegmemocfpghkhpjmiccjcacackp [2018-05-13]
CHR Extension: (Adblock for Youtube™) - C:\Users\tommy\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmedhionkhpnakcndndgjdbohmhepckk [2018-02-08]
CHR Extension: (Pixlr-o-matic) - C:\Users\tommy\AppData\Local\Google\Chrome\User Data\Default\Extensions\ehcibdjmpjlekgjhepbfmenfppliikcj [2018-02-08]
CHR Extension: (Kancolle Launcher) - C:\Users\tommy\AppData\Local\Google\Chrome\User Data\Default\Extensions\iiiimjljokaamhjooacjmdamnnblcjhc [2018-02-12]
CHR Extension: (Webcam Toy) - C:\Users\tommy\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfbgimoladefibpklnfmkpknadbklade [2018-02-08]
CHR Extension: (pixiv Sketch Live) - C:\Users\tommy\AppData\Local\Google\Chrome\User Data\Default\Extensions\napfjmiijeemhknedjimfipkikceadoc [2018-04-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\tommy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-04-04]
CHR Extension: (Adblocker for Youtube™) - C:\Users\tommy\AppData\Local\Google\Chrome\User Data\Default\Extensions\odcmcehfddfnnnbaifjhkikddagchieg [2018-05-12]
CHR Extension: (Gmail) - C:\Users\tommy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-02-08]
CHR Extension: (Chrome Media Router) - C:\Users\tommy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-05-10]
CHR HKLM-x32\...\Chrome\Extension: [ccjleegmemocfpghkhpjmiccjcacackp] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2018-01-05] (Apple Inc.)
S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [6076936 2018-04-19] ()
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [8566440 2018-04-23] (Microsoft Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [355232 2015-08-09] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
R2 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [523152 2018-03-14] (NVIDIA Corporation)
S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [523152 2018-03-14] (NVIDIA Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-13] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-13] (Microsoft Corporation)
R2 WTabletServicePro; C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [1816520 2018-04-04] (Wacom Technology, Corp.)
R2 XTU3SERVICE; C:\Program Files (x86)\Intel\Intel(R) Extreme Tuning Utility\XtuService.exe [18816 2018-01-12] (Intel(R) Corporation)
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
R2 NVDisplay.ContainerLocalSystem; "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem"
R2 NvTelemetryContainer; "C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe" -s NvTelemetryContainer -f "C:\ProgramData\NVIDIA\NvTelemetryContainer.log" -l 3 -d "C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\plugins" -r

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BstkDrv; C:\Program Files (x86)\BlueStacks\BstkDrv.sys [269408 2018-01-10] (Bluestack System Inc. )
R2 iocbios2; C:\Program Files (x86)\Intel\Intel(R) Extreme Tuning Utility\Drivers\IocDriver\64bit\iocbios2.sys [38424 2017-09-15] (Intel Corporation)
R0 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2018-05-12] (Malwarebytes)
R3 NETwNb64; C:\Windows\system32\DRIVERS\NETwbw02.sys [3589600 2013-09-25] (Intel Corporation)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew02.sys [4649440 2013-06-19] (Intel Corporation)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [31632 2018-03-14] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [59240 2017-12-15] (NVIDIA Corporation)
R3 nvvhci; C:\Windows\System32\drivers\nvvhci.sys [59272 2018-03-14] (NVIDIA Corporation)
R3 RTCore64; C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [14024 2017-08-28] ()
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [34544 2014-03-07] (Synaptics Incorporated)
R3 SteamStreamingMicrophone; C:\Windows\system32\drivers\SteamStreamingMicrophone.sys [31392 2017-07-29] ()
R3 SteamStreamingSpeakers; C:\Windows\system32\drivers\SteamStreamingSpeakers.sys [31392 2017-07-21] ()
R3 WacHidRouterPro; C:\Windows\System32\drivers\wachidrouter.sys [115680 2018-01-13] (Wacom Technology, Corp.)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [46600 2017-02-11] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [274776 2017-01-13] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [117592 2017-01-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-05-13 11:02 - 2018-05-13 11:03 - 000035893 _____ C:\Users\tommy\Desktop\Addition.txt
2018-05-13 11:00 - 2018-05-13 11:03 - 000015323 _____ C:\Users\tommy\Desktop\FRST.txt
2018-05-13 11:00 - 2018-05-13 11:03 - 000000000 ____D C:\FRST
2018-05-13 10:57 - 2018-05-13 10:57 - 000001979 _____ C:\Users\tommy\Desktop\AdwCleaner[S01].txt
2018-05-13 10:52 - 2018-05-13 10:59 - 000003586 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 4086469641
2018-05-13 10:49 - 2018-05-13 10:49 - 000001401 _____ C:\Users\tommy\Desktop\malwarebytes report.txt
2018-05-13 10:48 - 2018-05-13 10:48 - 002404864 _____ (Farbar) C:\Users\tommy\Desktop\FRST64.exe
2018-05-13 10:48 - 2018-05-13 10:48 - 000000000 ____D C:\AdwCleaner
2018-05-13 10:47 - 2018-05-13 10:47 - 007271632 _____ (Malwarebytes) C:\Users\tommy\Downloads\adwcleaner_7.1.1.exe
2018-05-13 00:28 - 2018-05-13 00:28 - 000000819 _____ C:\Users\Public\Desktop\CLIP STUDIO.lnk
2018-05-13 00:28 - 2018-05-13 00:28 - 000000000 ____D C:\Program Files\CELSYS
2018-05-13 00:15 - 2018-05-13 00:16 - 304416720 _____ (CELSYS) C:\Users\tommy\Downloads\CSP_174w_setup.exe
2018-05-12 23:42 - 2018-05-12 23:49 - 000421190 _____ C:\TDSSKiller.3.1.0.17_12.05.2018_23.42.53_log.txt
2018-05-12 23:41 - 2018-05-12 23:41 - 000000000 ____D C:\TDSSKiller_Quarantine
2018-05-12 23:40 - 2018-05-12 23:41 - 000219174 _____ C:\TDSSKiller.3.1.0.17_12.05.2018_23.40.20_log.txt
2018-05-12 23:40 - 2018-05-12 23:40 - 000000000 ____D C:\Users\tommy\AppData\Local\NpWACWMSLj
2018-05-12 23:39 - 2018-05-12 23:40 - 004858305 _____ C:\Users\tommy\Downloads\tdsskiller.zip
2018-05-12 23:31 - 2018-05-12 23:41 - 155659032 _____ C:\Users\tommy\Downloads\m4t3ri4ls.zip (1).crdownload
2018-05-12 23:30 - 2018-05-13 10:50 - 000000000 __SHD C:\Users\tommy\AppData\Roaming\Yl9dVUAx
2018-05-12 23:30 - 2018-05-12 23:41 - 174210710 _____ C:\Users\tommy\Downloads\masterkreatif.com-8kjldjskalf6tv.rar (1).crdownload
2018-05-12 23:26 - 2018-05-12 23:26 - 000353912 _____ C:\Windows\Minidump\051218-25296-01.dmp
2018-05-12 23:24 - 2018-05-12 23:24 - 008125496 _____ C:\Users\tommy\Downloads\m4t3ri4ls.zip.crdownload
2018-05-12 23:22 - 2018-05-12 23:22 - 040091286 _____ C:\Users\tommy\Downloads\masterkreatif.com-8kjldjskalf6tv.rar.crdownload
2018-05-12 23:11 - 2018-05-12 23:11 - 000000000 ____D C:\Users\tommy\AppData\Local\ElevatedDiagnostics
2018-05-12 23:00 - 2018-05-12 23:04 - 000000258 __RSH C:\ProgramData\ntuser.pol
2018-05-12 22:54 - 2018-05-12 22:54 - 000000000 ____D C:\Users\tommy\AppData\LocalLow\iAiaDuTGfHtGg
2018-05-12 22:46 - 2018-05-12 22:59 - 000000000 ____D C:\Program Files (x86)\VfXyqasRzlGpJFtgwyR
2018-05-12 22:46 - 2018-05-12 22:59 - 000000000 ____D C:\Program Files (x86)\SvnSzzIscGyUC
2018-05-12 22:46 - 2018-05-12 22:59 - 000000000 ____D C:\Program Files (x86)\JAcqddADqIE
2018-05-12 22:46 - 2018-05-12 22:59 - 000000000 ____D C:\Program Files (x86)\EPVqpVJyVSWU2
2018-05-12 22:46 - 2018-05-12 22:46 - 000278509 _____ C:\Users\tommy\AppData\Local\IndigoHottrax.bin
2018-05-12 22:46 - 2018-05-12 22:46 - 000002850 _____ C:\Windows\System32\Tasks\RuvZlWnxKNkmGuM2
2018-05-12 22:46 - 2018-05-12 22:46 - 000000000 ____D C:\Program Files (x86)\NExnNAYCpUUn
2018-05-12 22:46 - 2018-05-12 22:46 - 000000000 ____D C:\Program Files (x86)\KCGHGVOnU
2018-05-12 22:43 - 2018-05-12 22:47 - 000003776 _____ C:\Windows\System32\Tasks\update64
2018-05-12 22:43 - 2018-05-12 22:43 - 000070896 _____ C:\Users\tommy\AppData\Local\Config.xml
2018-05-12 22:43 - 2018-05-12 22:40 - 002136576 _____ (TODO: <Company name>) C:\Users\tommy\AppData\Local\Geosoft.exe
2018-05-12 22:42 - 2018-05-12 22:42 - 000278509 _____ C:\Users\tommy\AppData\Local\U--Trax.bin
2018-05-12 22:41 - 2018-05-12 22:41 - 000000000 ____D C:\Users\tommy\AppData\Roaming\SystemaRev
2018-05-12 22:41 - 2018-05-12 22:41 - 000000000 ____D C:\Program Files\My Program
2018-05-12 22:40 - 2018-05-12 22:40 - 000140800 _____ C:\Users\tommy\AppData\Local\installer.dat
2018-05-12 22:40 - 2018-05-12 22:40 - 000001103 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ScreenRecorder.lnk
2018-05-12 22:40 - 2018-05-12 22:40 - 000000035 _____ C:\ProgramData\config.dat
2018-05-12 22:40 - 2018-05-12 22:40 - 000000000 ____D C:\Users\tommy\AppData\Local\betterworld
2018-05-12 22:40 - 2018-05-12 22:40 - 000000000 ____D C:\Users\tommy\AppData\Local\b91ffeca472a458798fd9fbf1641ae8d
2018-05-12 22:40 - 2018-05-12 22:40 - 000000000 ____D C:\Program Files (x86)\ScreenRecorder
2018-05-12 22:38 - 2018-05-12 23:42 - 000000000 ____D C:\Windows\SysWOW64\rwoxwmkf
2018-05-12 22:38 - 2018-05-12 22:38 - 000000003 _____ C:\Users\tommy\AppData\Local\wbem.ini
2018-05-12 22:38 - 2018-05-12 22:38 - 000000000 _RSHD C:\Users\tommy\AppData\Roaming\DE25E01C-A553-C0F0-1FF2-A9F4C346ED68
2018-05-12 11:35 - 2018-05-12 11:35 - 050551198 _____ C:\Users\tommy\Downloads\Derby01anima.hikarinoakari.zip
2018-05-12 11:17 - 2018-05-12 11:19 - 080066558 _____ C:\Users\tommy\Downloads\CrosswalkRewind_ .hikarinoakariost.zip
2018-05-12 11:14 - 2018-05-12 11:15 - 009561219 _____ C:\Users\tommy\Downloads\Na Kokoro.hikarinoakari.zip
2018-05-12 11:10 - 2018-05-12 11:10 - 045496297 _____ C:\Users\tommy\Downloads\Hinamatsuri ED.hikarinoakariost.zip
2018-05-12 11:09 - 2018-05-12 11:09 - 025543664 _____ C:\Users\tommy\Downloads\To see the future.hikarinoakariost.zip
2018-05-12 11:06 - 2018-05-12 11:06 - 027571789 _____ C:\Users\tommy\Downloads\Symbol_.hikarinoakariost.zip
2018-05-12 11:06 - 2018-05-12 11:06 - 010421483 _____ C:\Users\tommy\Downloads\Ryuusei.hikarinoakar.zip
2018-05-12 11:05 - 2018-05-12 11:06 - 061535955 _____ C:\Users\tommy\Downloads\UPDATE.hikarinoaskari.zip
2018-05-12 11:02 - 2018-05-12 11:02 - 035103095 _____ C:\Users\tommy\Downloads\nanatsuFED2.hikarinoakari.zip
2018-05-10 12:42 - 2018-05-10 12:42 - 000010512 _____ C:\Users\tommy\Downloads\Lenovo-y50-7-FHD.icm
2018-05-10 12:30 - 2018-05-10 12:30 - 000000000 ____D C:\Users\tommy\Documents\My ICC Profiles
2018-05-10 12:27 - 2018-05-10 12:27 - 001212187 _____ (Colorjinn ) C:\Users\tommy\Downloads\calibrize_2_setup.exe
2018-05-10 11:48 - 2018-05-10 11:49 - 000000000 ____D C:\Users\tommy\AppData\Local\NVIDIA
2018-05-10 11:48 - 2018-05-10 11:48 - 000004146 _____ C:\Windows\System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2018-05-10 11:48 - 2018-05-10 11:48 - 000003922 _____ C:\Windows\System32\Tasks\NvBatteryBoostCheckOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2018-05-10 11:48 - 2018-05-10 11:48 - 000003814 _____ C:\Windows\System32\Tasks\NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2018-05-10 11:48 - 2018-05-10 11:48 - 000003798 _____ C:\Windows\System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2018-05-10 11:48 - 2018-05-10 11:48 - 000001428 _____ C:\Users\Public\Desktop\GeForce Experience.lnk
2018-05-10 11:48 - 2018-05-10 11:48 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
2018-05-10 11:48 - 2018-03-14 23:01 - 002480520 _____ (NVIDIA Corporation) C:\Windows\system32\nvspcap64.dll
2018-05-10 11:48 - 2018-03-14 23:01 - 002137488 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspcap.dll
2018-05-10 11:48 - 2018-03-14 23:01 - 001310608 _____ (NVIDIA Corporation) C:\Windows\system32\NvRtmpStreamer64.dll
2018-05-10 11:47 - 2018-05-10 11:47 - 000003738 _____ C:\Windows\System32\Tasks\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2018-05-10 11:47 - 2018-05-10 11:47 - 000003738 _____ C:\Windows\System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2018-05-10 11:47 - 2018-05-10 11:47 - 000003730 _____ C:\Windows\System32\Tasks\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2018-05-10 11:47 - 2018-05-10 11:47 - 000003494 _____ C:\Windows\System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2018-05-10 11:47 - 2018-03-14 23:01 - 000059272 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvvhci.sys
2018-05-10 11:47 - 2018-03-14 22:44 - 000001951 _____ C:\Windows\NvTelemetryContainerRecovery.bat
2018-05-10 11:47 - 2018-03-05 16:18 - 000189784 _____ (NVIDIA Corporation) C:\Windows\system32\nvaudcap64v.dll
2018-05-10 11:47 - 2018-03-05 16:18 - 000152408 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvaudcap32v.dll
2018-05-10 11:47 - 2017-12-15 12:03 - 000059240 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvvad64v.sys
2018-05-10 11:44 - 2018-05-10 11:46 - 091075776 _____ (NVIDIA Corporation) C:\Users\tommy\Downloads\GeForce_Experience_v3.13.1.30.exe
2018-05-05 16:56 - 2018-05-04 05:45 - 1499360134 _____ C:\Users\tommy\Downloads\[Pradja DJ] Inori Minase 1st LIVE 'Ready Steady Go!' [BD 720p].mp4
2018-05-05 16:46 - 2018-05-05 16:49 - 002951024 _____ (BitTorrent Inc.) C:\Users\tommy\Downloads\uTorrent.exe
2018-05-05 16:45 - 2018-05-05 16:45 - 000026705 _____ C:\Users\tommy\Downloads\0A7169525D57FCFA50CD0FB397C1A40DD8946C3B.torrent
2018-05-05 16:44 - 2018-05-05 16:52 - 1496671110 _____ C:\Users\tommy\Downloads\[Pradja DJ] Inori Minase 1st LIVE 'Ready Steady Go!' [BD 720p].zip
2018-05-04 18:04 - 2018-05-04 18:04 - 004522019 _____ C:\Users\tommy\Downloads\jpg2pdf.pdf
2018-05-03 14:03 - 2018-05-03 14:03 - 000169194 _____ C:\Users\tommy\Downloads\MZB125-PST1.pdf
2018-04-26 11:04 - 2018-04-26 11:04 - 125265436 _____ C:\Users\tommy\Downloads\Durarara 24 [720p miniHD BD] [522D02A3][Coalgirls].mkv
2018-04-26 11:03 - 2018-04-26 11:03 - 125538647 _____ C:\Users\tommy\Downloads\Durarara 21 [720p miniHD BD] [B517AA06][Coalgirls].mkv
2018-04-26 11:02 - 2018-04-26 11:02 - 125425324 _____ C:\Users\tommy\Downloads\Durarara 20 [720p miniHD BD] [74DC2C5A][Coalgirls].mkv
2018-04-26 11:01 - 2018-04-26 11:01 - 126872230 _____ C:\Users\tommy\Downloads\Durarara 09 [720p miniHD BD] [D1B816BD][Coalgirls].mkv
2018-04-26 11:01 - 2018-04-26 11:01 - 126793994 _____ C:\Users\tommy\Downloads\Durarara 16 [720p miniHD BD] [E17D9C38][Coalgirls].mkv
2018-04-26 11:00 - 2018-04-26 11:00 - 105366110 _____ C:\Users\tommy\Downloads\Durarara!!x2 Shou - 12 [720p][Vivid][Zii].mkv
2018-04-26 10:59 - 2018-04-26 10:59 - 139247217 _____ C:\Users\tommy\Downloads\Durarara!!x2 Shou - 10 [720p][Vivid][Henz].mkv
2018-04-26 10:58 - 2018-04-26 10:58 - 126799163 _____ C:\Users\tommy\Downloads\Durarara 01 [720p miniHD BD] [537A4BA3][Coalgirls].mkv
2018-04-26 10:58 - 2018-04-26 10:58 - 089648146 _____ C:\Users\tommy\Downloads\Durarara!!x2 Shou - 06 [720p][Vivid][Zii].mkv
2018-04-26 10:57 - 2018-04-26 10:57 - 122870136 _____ C:\Users\tommy\Downloads\Durarara!!x2 Shou - 04 [720p][Vivid][Zii].mkv
2018-04-26 10:57 - 2018-04-26 10:57 - 112283405 _____ C:\Users\tommy\Downloads\Durarara!!x2 Shou - 05 [720p][Vivid][Zii].mkv
2018-04-26 10:55 - 2018-04-26 10:55 - 108611119 _____ C:\Users\tommy\Downloads\Durarara!!x2 Shou - 03 [720p][Vivid][Zii].mkv
2018-04-26 10:55 - 2017-04-24 09:22 - 000000000 ____D C:\Users\tommy\Desktop\Durarara_X2_Ten_BD_720p
2018-04-26 10:51 - 2018-04-29 21:34 - 000000000 ____D C:\Users\tommy\Desktop\Durarara
2018-04-26 10:50 - 2018-04-26 11:00 - 000000000 ____D C:\Users\tommy\Desktop\Durarara 2
2018-04-26 10:49 - 2017-04-24 08:30 - 000000000 ____D C:\Users\tommy\Desktop\Durarara_x2_Ketsu_BD_720p
2018-04-26 00:26 - 2018-04-26 00:28 - 3280702249 _____ C:\Users\tommy\Downloads\Durarara.zip
2018-04-25 23:20 - 2018-04-25 23:21 - 1364892136 _____ C:\Users\tommy\Downloads\Durarara 2.zip
2018-04-25 22:51 - 2018-04-25 23:11 - 1816211827 _____ C:\Users\tommy\Downloads\Durarara_x2_Ketsu_BD_720p.rar
2018-04-25 22:50 - 2018-04-25 23:10 - 1821373649 _____ C:\Users\tommy\Downloads\Durarara_X2_Ten_BD_720p.rar
2018-04-25 17:31 - 2018-04-25 17:28 - 200619254 ____N C:\Users\tommy\Desktop\yowa16hd.mp4
2018-04-25 17:18 - 2018-04-25 17:28 - 220789044 _____ C:\Users\tommy\Downloads\[AnimeOut] Yowamushi Pedal - Glory Line - 15 [720p][HorribleSubs][RapidBot].mkv
2018-04-25 15:06 - 2018-04-25 15:06 - 000059093 _____ C:\Users\tommy\Downloads\SIU B VOLLEY BALL FEES.pdf
2018-04-25 14:59 - 2018-04-25 14:59 - 000391615 _____ C:\Users\tommy\Downloads\INV-000352.pdf
2018-04-23 15:16 - 2018-05-13 11:03 - 000003016 _____ C:\Windows\System32\Tasks\MSIAfterburner
2018-04-23 15:14 - 2018-04-23 15:14 - 000001098 _____ C:\Users\tommy\Desktop\MSI Afterburner.lnk
2018-04-23 15:14 - 2018-04-23 15:14 - 000000000 ____D C:\Users\tommy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MSI Afterburner
2018-04-23 15:13 - 2018-04-23 15:15 - 000000000 ____D C:\Program Files (x86)\MSI Afterburner
2018-04-23 15:07 - 2018-04-23 15:07 - 039281471 _____ C:\Users\tommy\Downloads\MSIAfterburnerSetup.zip
2018-04-23 15:05 - 2018-04-23 15:05 - 000000000 ____D C:\Users\tommy\AppData\Local\Intel Telemetry
2018-04-23 15:05 - 2018-04-23 15:05 - 000000000 ____D C:\ProgramData\Intel Telemetry
2018-04-23 15:03 - 2018-04-23 15:03 - 000000000 ____D C:\ProgramData\Intel
2018-04-23 12:20 - 2018-04-23 12:20 - 000002685 _____ C:\Users\Public\Desktop\Intel(R) Extreme Tuning Utility.lnk
2018-04-23 12:20 - 2018-04-23 12:20 - 000000000 ____D C:\Windows\System32\Tasks\Intel
2018-04-23 12:20 - 2018-04-23 12:20 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel
2018-04-23 12:20 - 2010-05-26 11:41 - 002526056 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_43.dll
2018-04-23 12:20 - 2010-05-26 11:41 - 002401112 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_43.dll
2018-04-23 12:20 - 2010-05-26 11:41 - 002106216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_43.dll
2018-04-23 12:20 - 2010-05-26 11:41 - 001998168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_43.dll
2018-04-23 12:19 - 2018-05-12 22:39 - 000000000 ____D C:\Program Files\Microsoft Synchronization Services
2018-04-23 12:19 - 2018-04-23 12:19 - 000000000 ____D C:\Program Files\Microsoft SQL Server Compact Edition
2018-04-23 12:19 - 2018-04-23 12:19 - 000000000 ____D C:\Program Files (x86)\Microsoft Synchronization Services
2018-04-23 12:19 - 2018-04-23 12:19 - 000000000 ____D C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2018-04-23 12:17 - 2018-04-23 12:17 - 035641792 _____ (Intel Corporation) C:\Users\tommy\Downloads\xtu-setup.exe
2018-04-19 23:24 - 2018-05-10 12:25 - 000000000 ____D C:\Users\tommy\AppData\Local\NVIDIA Corporation
2018-04-19 23:24 - 2018-04-19 23:24 - 000000000 ____D C:\Users\tommy\AppData\Local\UnrealEngine
2018-04-19 23:24 - 2018-04-19 23:24 - 000000000 ____D C:\Users\tommy\AppData\Local\TslGame
2018-04-19 20:56 - 2018-04-19 20:56 - 000000222 _____ C:\Users\tommy\Desktop\PLAYERUNKNOWN'S BATTLEGROUNDS.url
2018-04-19 16:23 - 2018-04-19 16:24 - 042213484 _____ C:\Users\tommy\Downloads\[2010.06.02] RiP'D - C - eimusics.com.zip
2018-04-19 13:50 - 2018-04-19 13:50 - 000321136 _____ C:\Users\tommy\Downloads\Playerunknowns Battlegrounds.exe
2018-04-19 13:13 - 2018-04-19 13:13 - 012880384 _____ C:\Users\tommy\Downloads\playerunknowns-battlegrounds-installshield-wizard.exe
2018-04-19 10:58 - 2018-04-19 10:59 - 014469002 _____ C:\Users\tommy\Downloads\PlayerUnknowns.Battlegrounds.Crack.CPYGAMES.COM.rar
2018-04-18 21:27 - 2018-04-18 21:27 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wacom Tablet
2018-04-18 21:21 - 2018-05-12 22:47 - 000253880 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-04-18 21:18 - 2018-05-12 23:26 - 622824619 _____ C:\Windows\MEMORY.DMP
2018-04-18 21:18 - 2018-05-12 23:26 - 000000000 ____D C:\Windows\Minidump
2018-04-18 21:18 - 2018-04-18 21:19 - 001544440 _____ C:\Windows\Minidump\041818-34406-01.dmp
2018-04-18 21:15 - 2018-04-18 21:15 - 000000000 ____D C:\Users\tommy\AppData\Local\SCE
2018-04-18 20:24 - 2018-04-18 20:24 - 003367424 _____ C:\Users\tommy\Downloads\Playerunknowns Battlegrounds - InstallShield Wizard.exe
2018-04-18 20:12 - 2018-04-18 20:12 - 000000222 _____ C:\Users\tommy\Desktop\H1Z1.url
2018-04-17 10:53 - 2018-04-17 11:13 - 201740918 _____ C:\Users\tommy\Downloads\yowa15hd.mp4
2018-04-14 12:20 - 2018-04-14 12:20 - 147246646 _____ C:\Users\tommy\Downloads\Konomi Suzuki -Colorful Gift-.rar
2018-04-14 12:20 - 2015-11-08 13:36 - 000000000 ____D C:\Users\tommy\Downloads\Konomi Suzuki  -Colorful Gift-
2018-04-14 12:15 - 2018-04-14 12:16 - 000000000 ____D C:\Users\tommy\Downloads\Konomi Suzuki - lead
2018-04-14 12:13 - 2018-04-14 12:13 - 138246731 _____ C:\Users\tommy\Downloads\lead.hikarinoakariost.info.7z
2018-04-14 12:09 - 2018-04-14 12:10 - 162628878 _____ C:\Users\tommy\Downloads\LIFE of DASH.[www.hikarinoakariost.info].zip
2018-04-13 23:30 - 2018-04-13 23:32 - 000000000 ____D C:\Users\tommy\Desktop\No Game No Life
2018-04-13 23:28 - 2018-04-13 23:30 - 1684411021 _____ C:\Users\tommy\Downloads\No Game No Life.zip
2018-04-13 16:07 - 2018-04-13 16:07 - 038621810 _____ C:\Users\tommy\Downloads\DARLINGxxEdings1[hikarinoakariost.info].zip
2018-04-13 14:48 - 2018-04-13 14:55 - 180269511 _____ C:\Users\tommy\Downloads\[AnimeOut] Yowamushi Pedal - Glory Line - 14 [720p][HorribleSubs][RapidBot].mkv
2018-04-13 14:44 - 2018-04-13 14:55 - 230037331 _____ C:\Users\tommy\Downloads\[AnimeOut] Yowamushi Pedal - Glory Line - 12 [720p][HorribleSubs][RapidBot].mkv
2018-04-13 14:44 - 2018-04-13 14:54 - 187371077 _____ C:\Users\tommy\Downloads\[AnimeOut] Yowamushi Pedal - Glory Line - 13 [720p][HorribleSubs][RapidBot].mkv
2018-04-13 13:19 - 2018-04-13 13:31 - 236354287 _____ C:\Users\tommy\Downloads\[AnimeOut] Yowamushi Pedal - Glory Line - 10 [720p][HorribleSubs][RapidBot].mkv
2018-04-13 13:18 - 2018-04-13 13:53 - 229513202 _____ C:\Users\tommy\Downloads\[AnimeOut] Yowamushi Pedal - Glory Line - 09 [720p][HorribleSubs][RapidBot].mkv
2018-04-13 12:54 - 2018-04-13 13:04 - 226530198 _____ C:\Users\tommy\Downloads\[AnimeOut] Yowamushi Pedal - Glory Line - 08 [720p][HorribleSubs][RapidBot].mkv
2018-04-13 12:54 - 2018-04-13 13:00 - 148825527 _____ C:\Users\tommy\Downloads\[AnimeOut] Yowamushi Pedal - Glory Line - 07 [720p][HorribleSubs][RapidBot].mkv
2018-04-13 12:05 - 2018-04-13 12:42 - 237694200 _____ C:\Users\tommy\Downloads\[AnimeOut] Yowamushi Pedal - Glory Line - 05 [720p][HorribleSubs][RapidBot].mkv
2018-04-13 12:05 - 2018-04-13 12:41 - 162138048 _____ C:\Users\tommy\Downloads\[AnimeOut] Yowamushi Pedal - Glory Line - 06 [720p][HorribleSubs][RapidBot].mkv

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-05-13 11:04 - 2018-02-08 16:28 - 000003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3541273722-2045522596-512499532-1001
2018-05-13 11:02 - 2018-02-08 16:25 - 000000000 ___RD C:\Users\tommy\OneDrive
2018-05-13 11:01 - 2018-02-14 14:29 - 000000000 ____D C:\Program Files (x86)\Steam
2018-05-13 10:59 - 2018-02-08 17:03 - 000000000 ____D C:\Users\tommy\AppData\Roaming\WTablet
2018-05-13 10:59 - 2013-08-22 23:25 - 000293636 _____ C:\Windows\win.ini
2018-05-13 10:58 - 2018-02-08 17:59 - 000000000 __SHD C:\Users\tommy\IntelGraphicsProfiles
2018-05-13 10:58 - 2018-02-08 17:35 - 000000000 ____D C:\ProgramData\NVIDIA
2018-05-13 10:58 - 2013-08-23 00:45 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-05-13 10:53 - 2018-02-08 16:38 - 002424832 ___SH C:\Users\tommy\Downloads\Thumbs.db
2018-05-13 10:48 - 2018-02-08 16:28 - 000003914 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{288FD1B3-241F-4DAC-A21B-F37BCE5B6BDE}
2018-05-13 00:34 - 2013-08-23 01:36 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-05-13 00:18 - 2018-03-08 02:00 - 000000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2018-05-12 23:26 - 2018-02-08 16:21 - 000000000 ____D C:\Users\tommy
2018-05-12 23:24 - 2013-08-22 23:36 - 000000000 ____D C:\Windows\Inf
2018-05-12 23:11 - 2013-08-23 01:36 - 000000000 ____D C:\Windows\system32\NDF
2018-05-12 23:10 - 2018-02-08 18:46 - 000000000 ____D C:\Users\tommy\AppData\Local\CrashDumps
2018-05-12 22:54 - 2018-02-08 16:28 - 000000000 __SHD C:\Users\tommy\AppData\Local\EmieUserList
2018-05-12 22:54 - 2018-02-08 16:28 - 000000000 __SHD C:\Users\tommy\AppData\Local\EmieSiteList
2018-05-12 22:49 - 2018-02-25 16:55 - 000002036 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-05-12 22:41 - 2013-08-23 01:36 - 000000000 ___HD C:\Windows\system32\GroupPolicy
2018-05-12 22:39 - 2018-02-08 16:23 - 000000000 ____D C:\Users\tommy\AppData\Local\VirtualStore
2018-05-12 22:39 - 2013-08-23 01:36 - 000000000 __SHD C:\Program Files\Windows Sidebar
2018-05-12 22:38 - 2018-02-08 16:29 - 000000000 ____D C:\Program Files (x86)\Google
2018-05-12 11:06 - 2018-02-08 16:30 - 000002244 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-05-12 11:06 - 2018-02-08 16:30 - 000002203 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-05-10 15:51 - 2013-08-22 23:25 - 000262144 ___SH C:\Windows\system32\config\BBI
2018-05-10 11:51 - 2018-03-08 02:21 - 000483806 _____ C:\Windows\system32\perfh011.dat
2018-05-10 11:51 - 2018-03-08 02:21 - 000131974 _____ C:\Windows\system32\perfc011.dat
2018-05-10 11:51 - 2014-11-21 18:44 - 001416534 _____ C:\Windows\system32\PerfStringBackup.INI
2018-05-10 11:48 - 2018-02-08 17:35 - 000000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2018-05-10 11:48 - 2018-02-08 17:34 - 000000000 ____D C:\ProgramData\NVIDIA Corporation
2018-05-10 11:48 - 2018-02-08 17:34 - 000000000 ____D C:\Program Files\NVIDIA Corporation
2018-05-08 22:27 - 2018-02-25 16:51 - 000004468 _____ C:\Windows\System32\Tasks\Adobe Flash Player PPAPI Notifier
2018-05-08 22:27 - 2018-02-25 16:51 - 000004324 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2018-05-08 22:26 - 2013-08-23 01:36 - 000000000 ____D C:\Windows\system32\Macromed
2018-05-07 20:23 - 2018-02-08 17:41 - 000000000 ____D C:\Users\tommy\AppData\Roaming\vlc
2018-05-07 15:41 - 2018-02-08 16:23 - 000000000 ____D C:\Users\tommy\AppData\Local\Packages
2018-05-06 21:05 - 2018-02-08 18:05 - 000290816 ___SH C:\Users\tommy\Desktop\Thumbs.db
2018-05-05 10:54 - 2013-08-23 01:36 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2018-05-05 10:52 - 2018-03-11 23:05 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools
2018-05-05 10:52 - 2018-03-11 23:00 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2018-05-01 11:07 - 2018-03-12 12:19 - 000003166 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-3541273722-2045522596-512499532-1001
2018-05-01 11:06 - 2018-03-20 10:18 - 000002333 _____ C:\Users\tommy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive for Business.lnk
2018-04-25 17:29 - 2018-04-11 15:44 - 000000000 ____D C:\Users\tommy\Desktop\弱虫ペダル Glory Line
2018-04-23 12:20 - 2018-02-08 17:40 - 000000000 ____D C:\Program Files (x86)\Intel
2018-04-23 12:19 - 2018-02-08 17:02 - 000000000 ____D C:\ProgramData\Package Cache
2018-04-19 20:56 - 2018-02-14 15:41 - 000000000 ____D C:\Users\tommy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2018-04-18 21:26 - 2018-02-08 17:02 - 000000000 ____D C:\Program Files\Tablet
2018-04-14 12:16 - 2017-12-21 18:12 - 000000000 ____D C:\Users\tommy\Downloads\LIFE of DASH

==================== Files in the root of some directories =======

2018-05-12 22:40 - 2018-05-12 22:40 - 000000035 _____ () C:\ProgramData\config.dat
1601-01-03 21:33 - 1601-01-03 21:33 - 000197120 ____N (Microsoft Corporation) C:\Program Files (x86)\EoYdanmAjqyyA.exe
1601-01-03 21:33 - 1601-01-03 21:33 - 000059904 ____N (Microsoft Corporation) C:\Program Files (x86)\MurAiaeyoWi.exe
1601-01-03 21:33 - 1601-01-03 21:33 - 000059904 ____N (Microsoft Corporation) C:\Program Files (x86)\Common Files\ooOtOwocineD.exe
2018-05-12 22:43 - 2018-05-12 22:43 - 000070896 _____ () C:\Users\tommy\AppData\Local\Config.xml
2018-05-12 22:43 - 2018-05-12 22:40 - 002136576 _____ (TODO: <Company name>) C:\Users\tommy\AppData\Local\Geosoft.exe
2018-05-12 22:46 - 2018-05-12 22:46 - 000278509 _____ () C:\Users\tommy\AppData\Local\IndigoHottrax.bin
2018-05-12 22:40 - 2018-05-12 22:40 - 000140800 _____ () C:\Users\tommy\AppData\Local\installer.dat
2018-05-12 22:42 - 2018-05-12 22:42 - 000278509 _____ () C:\Users\tommy\AppData\Local\U--Trax.bin
2018-05-12 22:38 - 2018-05-12 22:38 - 000000003 _____ () C:\Users\tommy\AppData\Local\wbem.ini

Some files in TEMP:
====================
2018-04-19 23:25 - 2018-05-11 21:26 - 000000000 _____ () C:\Users\tommy\AppData\Local\Temp\00e481b5e22dbe1f649fcddd505d3eb7.dll
2018-05-12 22:37 - 2018-05-12 22:41 - 028216895 _____ (Softplicity Inc.) C:\Users\tommy\AppData\Local\Temp\482477.exe
2018-05-12 22:39 - 2018-05-12 22:39 - 000202240 _____ (Apple Inc.) C:\Users\tommy\AppData\Local\Temp\517E.tmp.exe
2018-05-12 22:37 - 2018-05-12 22:37 - 000976896 _____ () C:\Users\tommy\AppData\Local\Temp\Audio.exe
2018-04-19 23:25 - 2018-05-11 21:27 - 000000017 _____ () C:\Users\tommy\AppData\Local\Temp\c0db3faa1b91f96c66f8a357094ade92.dll
2018-05-12 22:37 - 2018-05-12 22:38 - 000386997 _____ (ZRFXRD                                                      ) C:\Users\tommy\AppData\Local\Temp\Package.exe
2018-05-12 22:39 - 2018-05-12 22:39 - 006519109 _____ (ScreenRecorder                                              ) C:\Users\tommy\AppData\Local\Temp\screenrecorderscreenrecorder.exe
2018-02-08 17:01 - 2018-02-08 17:01 - 058944440 _____ () C:\Users\tommy\AppData\Local\Temp\Setup-Wacom.exe
2018-05-12 22:42 - 2018-05-12 22:54 - 002064847 _____ () C:\Users\tommy\AppData\Local\Temp\xmrig.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-05-08 11:32

==================== End of FRST.txt ============================

AdwCleaner[S01].txt

malwarebytes report.txt

Addition.txt

Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Windows Firewall is disabled.
Restore your Firewall.
https://www.computerhope.com/issues/ch000551.htm
===

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Run the AdwCleaner and Malwarebytes and delete all the items found.

Restart the computer and let me know what problem persists.

fixlist.txt

Link to post
Share on other sites

Fix result of Farbar Recovery Scan Tool (x64) Version: 12.05.2018
Ran by tommy (13-05-2018 23:34:27) Run:1
Running from C:\Users\tommy\Desktop
Loaded Profiles: tommy (Available Profiles: tommy)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

() C:\Program Files\Microsoft Synchronization Services\9BGH6GV1PR425XGBI8\s6vPJvZ6SY.exe
(Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
HKLM-x32\...\RunOnce: [Windows Update Service] => C:\Users\tommy\AppData\Roaming\Microsoft\Security\mcrstdio.exe [971808 2018-05-13] (Microsoft Corporation)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3541273722-2045522596-512499532-1001\...\Run: [mrjsrhfa] => "C:\Users\tommy\vcppsdvq.exe"
HKU\S-1-5-21-3541273722-2045522596-512499532-1001\...\Run: [s6vPJvZ6SY.exe] => C:\Program Files\Microsoft Synchronization Services\9BGH6GV1PR425XGBI8\s6vPJvZ6SY.exe [801792 2018-05-12] ()
Startup: C:\Users\tommy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rbghiugr.lnk [2018-05-13]
Startup: C:\Users\tommy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rtshteih.lnk [2018-05-12]
ShortcutTarget: rtshteih.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [No File]
CHR Extension: (Chrome Cleaner Pro) - C:\Users\tommy\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccjleegmemocfpghkhpjmiccjcacackp [2018-05-13]
CHR HKLM-x32\...\Chrome\Extension: [ccjleegmemocfpghkhpjmiccjcacackp] - hxxps://clients2.google.com/service/update2/crx
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]


CustomCLSID: HKU\S-1-5-21-3541273722-2045522596-512499532-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\tommy\AppData\Local\Microsoft\OneDrive\17.3.6743.1212\amd64\FileCoAuthLib64.dll => No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
Task: {2145B9F1-EEE9-4F68-A906-5565D01C4A68} - \Yl9dVUAx -> No File <==== ATTENTION
Task: {C6380539-AA1C-439F-9E65-91E4EEDFA123} - System32\Tasks\update64 => C:\Program Files\SystemaRev\RevServicesX\updaterev.exe
Task: {E64C230C-F613-4DAA-AB85-9FBB5BD8375B} - System32\Tasks\RuvZlWnxKNkmGuM2 => rundll32 "C:\Program Files (x86)\KCGHGVOnU\eAuPoq.dll",#1
Task: {F061FD55-785A-4884-B441-4EE6EFCEB6C1} - System32\Tasks\Opera scheduled Autoupdate 4086469641 => C:\Windows\system32\cmd.exe /c start "" "C:\Users\tommy\AppData\Roaming\Microsoft\Windows\rbghiugr\stbergtr.exe"

FirewallRules: [{53C8F445-C207-49E9-9638-9D49ABA294AE}] => (Allow) C:\Users\tommy\AppData\Roaming\Yl9dVUAx\uu.exe
FirewallRules: [{9D81C86D-032F-4B42-8A11-10BA9750A094}] => (Allow) C:\Users\tommy\AppData\Roaming\Yl9dVUAx\uu.exe
FirewallRules: [{AE7FC032-74CA-4BBC-917E-AD90387F18DC}] => (Allow) C:\Users\tommy\AppData\Roaming\Yl9dVUAx\uu.exe

C:\Windows\System32\Tasks\update64
C:\Windows\System32\Tasks\RuvZlWnxKNkmGuM2
C:\WindowsSystem32\Tasks\Opera scheduled Autoupdate 4086469641
C:\Program Files\Microsoft Synchronization Services\9BGH6GV1PR425XGBI8\
C:\Users\tommy\AppData\Roaming\Microsoft\Security\mcrstdio.exe
C:\Users\tommy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rbghiugr.lnk
C:\Users\tommy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rtshteih.lnk
C:\Program Files\SystemaRev\RevServicesX
C:\Program Files (x86)\KCGHGVOnU
C:\Users\tommy\AppData\Roaming\Microsoft\Windows\rbghiugr

End

*****************

C:\Program Files\Microsoft Synchronization Services\9BGH6GV1PR425XGBI8\s6vPJvZ6SY.exe => Could not close process
C:\Windows\SysWOW64\explorer.exe => Could not close process
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\Windows Update Service" => not found
"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" => removed successfully
"HKU\S-1-5-21-3541273722-2045522596-512499532-1001\Software\Microsoft\Windows\CurrentVersion\Run\\mrjsrhfa" => not found
"HKU\S-1-5-21-3541273722-2045522596-512499532-1001\Software\Microsoft\Windows\CurrentVersion\Run\\s6vPJvZ6SY.exe" => removed successfully
Could not move "C:\Users\tommy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rbghiugr.lnk" => Scheduled to move on reboot.
C:\Users\tommy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rtshteih.lnk => moved successfully
C:\Windows\System32\cmd.exe => moved successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3" => removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9" => removed successfully
CHR Extension: (Chrome Cleaner Pro) - C:\Users\tommy\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccjleegmemocfpghkhpjmiccjcacackp [2018-05-13] => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ccjleegmemocfpghkhpjmiccjcacackp" => removed successfully
"HKLM\System\CurrentControlSet\Services\gupdate" => removed successfully
gupdate => service removed successfully
"HKLM\System\CurrentControlSet\Services\gupdatem" => removed successfully
gupdatem => service removed successfully
"HKU\S-1-5-21-3541273722-2045522596-512499532-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}" => removed successfully
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui" => removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2145B9F1-EEE9-4F68-A906-5565D01C4A68}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2145B9F1-EEE9-4F68-A906-5565D01C4A68}" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Yl9dVUAx => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C6380539-AA1C-439F-9E65-91E4EEDFA123}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C6380539-AA1C-439F-9E65-91E4EEDFA123}" => removed successfully
C:\Windows\System32\Tasks\update64 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\update64" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{E64C230C-F613-4DAA-AB85-9FBB5BD8375B}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E64C230C-F613-4DAA-AB85-9FBB5BD8375B}" => removed successfully
C:\Windows\System32\Tasks\RuvZlWnxKNkmGuM2 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RuvZlWnxKNkmGuM2" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F061FD55-785A-4884-B441-4EE6EFCEB6C1} => not found
C:\Windows\System32\Tasks\Opera scheduled Autoupdate 4086469641 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Opera scheduled Autoupdate 4086469641" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{53C8F445-C207-49E9-9638-9D49ABA294AE}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9D81C86D-032F-4B42-8A11-10BA9750A094}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{AE7FC032-74CA-4BBC-917E-AD90387F18DC}" => removed successfully
"C:\Windows\System32\Tasks\update64" => not found
"C:\Windows\System32\Tasks\RuvZlWnxKNkmGuM2" => not found
"C:\WindowsSystem32\Tasks\Opera scheduled Autoupdate 4086469641" => not found
C:\Program Files\Microsoft Synchronization Services\9BGH6GV1PR425XGBI8 => moved successfully
"C:\Users\tommy\AppData\Roaming\Microsoft\Security\mcrstdio.exe" => not found
Could not move "C:\Users\tommy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rbghiugr.lnk" => Scheduled to move on reboot.
"C:\Users\tommy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rtshteih.lnk" => not found
"C:\Program Files\SystemaRev\RevServicesX" => not found
C:\Program Files (x86)\KCGHGVOnU => moved successfully

"C:\Users\tommy\AppData\Roaming\Microsoft\Windows\rbghiugr" folder move:

Could not move "C:\Users\tommy\AppData\Roaming\Microsoft\Windows\rbghiugr" => Scheduled to move on reboot.


Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 13-05-2018 23:35:44)

C:\Users\tommy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rbghiugr.lnk => Is moved successfully
C:\Users\tommy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rbghiugr.lnk => Is moved successfully
C:\Users\tommy\AppData\Roaming\Microsoft\Windows\rbghiugr => Is moved successfully

==== End of Fixlog 23:35:44 ====

Fixlog.txt

Edited by realll
Link to post
Share on other sites

Hi,

Now, im just using the ctfmon.exe manually, it seems like an older version of the language bar and pretty hard to use

Lets find out more about this file.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
ctfmon.exe 
Once done, click on the Search Registry button and wait for FRST to finish the search
On completion, a log will open in Notepad. Copy and paste its content in your next reply
====

Link to post
Share on other sites

Farbar Recovery Scan Tool (x64) Version: 16.05.2018 01
Ran by tommy (20-05-2018 11:13:49)
Running from C:\Users\tommy\Desktop
Boot Mode: Normal

================== Search Registry: "ctfmon.exe" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{85fc331e-bb64-4c53-ba25-3d8a956c02fd}]
"AppName"="ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\win32k\1706]
"\Device\HarddiskVolume2\Windows\System32\ctfmon.exe"="131072"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\win32k\1706]
"\Device\HarddiskVolume2\Windows\WinSxS\amd64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.3.9600.17415_none_8e3b87ba644efd23\ctfmon.exe"="131072"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Run]
"New Value #1"="“ctfmon”=”CTFMON.EXE”"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{85fc331e-bb64-4c53-ba25-3d8a956c02fd}]
"AppName"="ctfmon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\SysProcs]
"ctfmon.exe"="0"
[HKEY_USERS\S-1-5-21-3541273722-2045522596-512499532-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Windows\System32\ctfmon.exe.FriendlyAppName"="CTF Loader"
[HKEY_USERS\S-1-5-21-3541273722-2045522596-512499532-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Windows\System32\ctfmon.exe.ApplicationCompany"="Microsoft Corporation"

====== End of Search ======

Link to post
Share on other sites

Hi,

I need more information.

Run the Farbar program .exe as an Administrator.

This time use the File Search button.

In the Search text area, copy and paste the following:
ctfmon.exe
Once done, click on the Search File search button and wait for FRST to finish the search
On completion, a log will open in Notepad. Copy and paste its content in your next reply
===

Link to post
Share on other sites

Farbar Recovery Scan Tool (x64) Version: 16.05.2018 01
Ran by tommy (21-05-2018 19:48:33)
Running from C:\Users\tommy\Desktop
Boot Mode: Normal

================== Search Files: "ctfmon.exe" =============

C:\Windows\WinSxS\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.3.9600.17415_none_321cec36abf18bed\ctfmon.exe
[2014-11-21 19:15][2014-11-21 19:15] 000009728 _____ (Microsoft Corporation) BE80808B5FE1D9C9351653EEC814A75A [File is digitally signed]

C:\Windows\WinSxS\amd64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.3.9600.17415_none_8e3b87ba644efd23\ctfmon.exe
[2014-11-21 19:16][2014-11-21 19:16] 000010240 _____ (Microsoft Corporation) 9929D83891B1C86F4E12C0C90BD8632E [File is digitally signed]

C:\Windows\SysWOW64\ctfmon.exe
[2014-11-21 19:15][2014-11-21 19:15] 000009728 _____ (Microsoft Corporation) BE80808B5FE1D9C9351653EEC814A75A [File is digitally signed]

C:\Windows\System32\ctfmon.exe
[2014-11-21 19:16][2014-11-21 19:16] 000010240 _____ (Microsoft Corporation) 9929D83891B1C86F4E12C0C90BD8632E [File is digitally signed]


====== End of Search ======

Link to post
Share on other sites


Hi,

All the copies of CTFMON.EXE are signed and good.

This entry New Value in the Run key is suspicious.
Will remove it.

Copy the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files" Once you have saved Right click the .reg file and allow it to merge with the registry.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Run]
"New Value #1"=-

Restart the computer when completed.

You can delete the fixme.reg file when done.
===

Let me know if the issue is solved.

Link to post
Share on other sites

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Run]
"New Value #1"=-

 

so this is what i copy to notepad? I have done it but nothing has changed...Did the merge, did the restart but...

 

Link to post
Share on other sites

Hi,

That file is in your SysWOW64 folder.
C:\Windows\WinSxS\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.3.9600.17415_none_321cec36abf18bed\ctfmon.exe
[2014-11-21 19:15][2014-11-21 19:15] 000009728 _____ (Microsoft Corporation) BE80808B5FE1D9C9351653EEC814A75A [File is digitally signed]

C:\Windows\SysWOW64\ctfmon.exe
[2014-11-21 19:15][2014-11-21 19:15] 000009728 _____ (Microsoft Corporation) BE80808B5FE1D9C9351653EEC814A75A [File is digitally signed]

===

The file that the registry is using is this one in the System32 folder.
C:\Windows\System32\ctfmon.exe
[2014-11-21 19:16][2014-11-21 19:16] 000010240 _____ (Microsoft Corporation) 9929D83891B1C86F4E12C0C90BD8632E [File is digitally signed]

There is also a backup copy in this folder.
C:\Windows\WinSxS\amd64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.3.9600.17415_none_8e3b87ba644efd23\ctfmon.exe
[2014-11-21 19:16][2014-11-21 19:16] 000010240 _____ (Microsoft Corporation) 9929D83891B1C86F4E12C0C90BD8632E [File is digitally signed]

Open this version in the backup folder.
C:\Windows\WinSxS\amd64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.3.9600.17415_none_8e3b87ba644efd23\ctfmon.exe

I the issue is solved run this fix.
IF THE ISSUE PERSISTS STOP AND LET ME KNOW.

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

fixlist.txt

Link to post
Share on other sites

Fix result of Farbar Recovery Scan Tool (x64) Version: 16.05.2018 01
Ran by tommy (24-05-2018 11:44:21) Run:2
Running from C:\Users\tommy\Desktop
Loaded Profiles: tommy (Available Profiles: tommy)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
CloseProcesses:

Replace: C:\Windows\WinSxS\amd64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.3.9600.17415_none_8e3b87ba644efd23\ctfmon.exe C:\Windows\System32\ctfmon.exe

End

*****************

Restore point was successfully created.
Processes closed successfully.
C:\Windows\System32\ctfmon.exe => moved successfully
C:\Windows\WinSxS\amd64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.3.9600.17415_none_8e3b87ba644efd23\ctfmon.exe copied successfully to C:\Windows\System32\ctfmon.exe


The system needed a reboot.

==== End of Fixlog 11:44:58 ====

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.