
How to remove cloudnet epicnet virus that keeps returning


Go to solution Solved by kevinf80,


I used Malwarebytes to scan my laptop and found 8 cloudnet epicnet malware and put it into quarantine, but the virus appeared again after I restarted my laptop. Every-single-time *cries*. I scan it again using Malwarebytes and you already know what'll happen after I restart my laptop 😭, yes, the virus keeps coming back! I read some instructions to unhide the hidden folders and files and boot into safe mode to uninstall cloudnet.exe. I did it, booted into safe mode, but I couldn't find the cloudnet app nor its friends in Programs and Features or in appdata\roaming or appdata\local. So I thought they were gone. When I booted into normal mode and scanned using Malwarebytes, just in case, they reappeared. I'm afraid because it's a trojan and it'll cause BSOD and break the HDD.

So, please help me remove them 😭

malwarebytes report 20201106.txt


Hello commegalife and welcome to Malwarebytes,

Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes version 4 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts.

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Detection History tab from the main interface.
  • Then click on "History"; that will open a historical list.
  • Double click on the Scan log which shows the date and time of the scan just performed.
  • Click Export. From Export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save it to a place of choice, recommend "Desktop", then attach to reply

  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....

Hi, kevinf80!

Thank you for your instructions.

Here are the scan reports:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/6/20
Scan Time: 11:30 PM
Log File: 6ebb18cc-204d-11eb-9e0b-2cfda17fd2c7.json

-Software Information-
Version: 4.2.2.95
Components Version: 1.0.1096
Update Package Version: 1.0.32542
License: Trial

-System Information-
OS: Windows 10 (Build 19041.508)
CPU: x64
File System: NTFS
User: 5HINEE\ASUS

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 292414
Threats Detected: 8
Threats Quarantined: 8
Time Elapsed: 14 min, 35 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 8
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe\Protection Dir, Quarantined, 1167, 781247, , , , , , 
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe, Quarantined, 1167, 781247, , , , , , 
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Roaming\EpicNet Inc\CloudNet, Quarantined, 1167, 781247, , , , , , 
Trojan.Glupteba.BITSRST, C:\USERS\ASUS\APPDATA\ROAMING\EPICNET INC, Quarantined, 1167, 781247, 1.0.32542, , ame, , , 
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Local\EpicNet Inc\CloudNet\cloudnet.exe\Protection Dir, Quarantined, 1167, 781248, , , , , , 
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Local\EpicNet Inc\CloudNet\cloudnet.exe, Quarantined, 1167, 781248, , , , , , 
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Local\EpicNet Inc\CloudNet, Quarantined, 1167, 781248, , , , , , 
Trojan.Glupteba.BITSRST, C:\USERS\ASUS\APPDATA\LOCAL\EPICNET INC, Quarantined, 1167, 781248, 1.0.32542, , ame, , , 

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

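The Malwarebytes export above has a regular row format under -Scan Details-, which makes the opening post's complaint (quarantined objects back after every reboot) checkable mechanically. The following is an added example, not code from the thread or from Malwarebytes: it parses that format and compares two exports, listing the objects that recur and their common parent folder. Both sample exports are constructed from the Folder rows shown above, and Malware.Constructed.Sample is a made-up entry.

```python
"""Parse Malwarebytes scan exports and flag quarantined objects that come back.

Added example for this thread, not Malwarebytes' own code. Rows under
"-Scan Details-" in the export pasted above look like
    <detection name>, <object path>, <action>, <number>, <number>, ...
An object quarantined in one scan and reported again in the next is the
"keeps coming back" symptom: whatever re-creates it is still in place.
"""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

CATEGORY_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")  # "Folder: 8", "File: 0", ...
# The path is matched lazily up to ", <action>, <number>, <number>" so a comma
# inside a file name does not shift the columns.
ROW_RE = re.compile(r"^(?P<name>[^,]+), (?P<path>.+?), (?P<action>[^,]+), \d+, \d+")

@dataclass(frozen=True)
class Detection:
    category: str  # "Folder", "File", "Registry Key", ...
    name: str      # e.g. "Trojan.Glupteba.BITSRST"
    path: str      # object path exactly as the log wrote it
    action: str    # e.g. "Quarantined"

    @property
    def key(self) -> str:  # the log writes the same folder in mixed case
        return self.path.rstrip("\\").casefold()

def parse_scan_details(log_text: str) -> list[Detection]:
    """Return every detection row found after the '-Scan Details-' header."""
    found, in_details, category = [], False, ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "-Scan Details-":
            in_details = True
        elif not in_details or not line or line.startswith("("):
            continue  # blank lines, "(No malicious items detected)", "(end)"
        elif (cat := CATEGORY_RE.match(line)):
            category = cat.group(1)
        else:
            row = ROW_RE.match(line)
            if row and category:
                found.append(Detection(category, row["name"], row["path"], row["action"]))
    return found

def recurring(before: list[Detection], after: list[Detection]) -> list[Detection]:
    """Detections in `after` whose path was already acted on in `before`."""
    seen = {d.key for d in before}
    return [d for d in after if d.key in seen]

def common_root(detections: list[Detection]) -> str:
    """Longest shared directory prefix (lower-cased) of the given paths."""
    parts = [d.key.split("\\") for d in detections]
    prefix = parts[0] if parts else []
    for p in parts[1:]:
        n = 0
        while n < min(len(prefix), len(p)) and prefix[n] == p[n]:
            n += 1
        prefix = prefix[:n]
    return "\\".join(prefix)

def report(before_text: str, after_text: str) -> dict:
    """Per-name counts for both scans plus the objects that came back."""
    before, after = parse_scan_details(before_text), parse_scan_details(after_text)
    back = recurring(before, after)
    return {"before": dict(Counter(d.name for d in before)),
            "after": dict(Counter(d.name for d in after)),
            "recurring_paths": sorted(d.path for d in back),
            "recurring_root": common_root(back)}

# Constructed sample exports, cut down to the "-Scan Details-" section. SCAN_1
# reuses Folder rows pasted above; SCAN_2 is a made-up rescan after a reboot.
SCAN_1 = r"""-Scan Details-
Folder: 4
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe\Protection Dir, Quarantined, 1167, 781247, , , , , ,
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe, Quarantined, 1167, 781247, , , , , ,
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Roaming\EpicNet Inc\CloudNet, Quarantined, 1167, 781247, , , , , ,
Trojan.Glupteba.BITSRST, C:\USERS\ASUS\APPDATA\ROAMING\EPICNET INC, Quarantined, 1167, 781247, 1.0.32542, , ame, , ,

(end)
"""
SCAN_2 = r"""-Scan Details-
Folder: 3
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe\Protection Dir, Quarantined, 1167, 781247, , , , , ,
Trojan.Glupteba.BITSRST, C:\USERS\ASUS\APPDATA\ROAMING\EPICNET INC\CloudNet\cloudnet.exe, Quarantined, 1167, 781247, , , , , ,
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Roaming\EpicNet Inc, Quarantined, 1167, 781247, 1.0.32542, , ame, , ,

File: 1
Malware.Constructed.Sample, C:\Users\ASUS\Downloads\constructed, sample.exe, Quarantined, 1, 2, , , , , ,

(end)
"""

if __name__ == "__main__":
    for key, value in report(SCAN_1, SCAN_2).items():
        print(f"{key}: {value}")
```

A non-empty recurring_root after a reboot means the quarantine did its job but something re-creates the folder, so the next step is the autorun, task and service review the helper's FRST request is for, not another scan.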

# -------------------------------
# Malwarebytes AdwCleaner 8.0.8.0
# -------------------------------
# Build:    10-08-2020
# Database: 2020-09-29.1 (Local)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    11-06-2020
# Duration: 00:00:07
# OS:       Windows 10 Pro
# Cleaned:  6
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted       C:\Windows\rss

***** [ Files ] *****

Deleted       C:\END

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted       HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|Web Companion
Deleted       HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
Deleted       HKCU\Software\Sunisoft
Deleted       HKLM\Software\Wow6432Node\Lavasoft\Web Companion

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [1791 octets] - [06/11/2020 23:52:54]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########
 


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06-11-2020
Ran by ASUS (administrator) on 5HINEE (ASUSTeK COMPUTER INC. X441UVK) (07-11-2020 00:06:39)
Running from C:\Users\ASUS\Downloads
Loaded Profiles: ASUS
Platform: Windows 10 Pro Version 2004 19041.508 (X64) Language: English (United States)
Default browser: Chrome
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(FOXIT SOFTWARE INC. -> Foxit Software Inc.) C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReaderUpdateService.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe <18>
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.32\GoogleCrashHandler.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.32\GoogleCrashHandler64.exe
(ICEpower a/s -> ICEpower A/S) C:\Windows\System32\ICEsoundService64.exe
(Intel Corporation -> Intel Corporation) C:\Windows\System32\Intel\DPTF\esif_uf.exe
(Intel Corporation -> Intel Corporation) C:\Windows\Temp\DPTF\esif_assist_64.exe
(Intel(R) pGFX -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_9f310939ec1eebf9\igfxCUIService.exe
(Intel(R) pGFX -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_9f310939ec1eebf9\igfxEM.exe
(Intel(R) pGFX -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_9f310939ec1eebf9\IntelCpHDCPSvc.exe
(Intel(R) pGFX -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_9f310939ec1eebf9\IntelCpHeciSvc.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Malwarebytes Inc -> Malwarebytes) C:\Users\ASUS\Downloads\adwcleaner_8.0.8.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\System32\CompatTelRunner.exe <2>
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2010.7621.0_x64__8wekyb3d8bbwe\Cortana.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe
(NoVirusThanks Company Srl -> NoVirusThanks Company Srl) C:\Program Files\NoVirusThanks\Win Update Stop\WinUpdStopSvc.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe <2>
(Qualcomm Atheros -> Windows (R) Win 7 DDK provider) C:\Windows\System32\drivers\AdminService.exe
(Realtek Semiconductor Corp. -> Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor Corp. -> Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Smadsoft) [File not signed] C:\Program Files (x86)\SMADAV\SMΔRTP.exe
(Western Digital Technologies, Inc. -> Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
(Western Digital Technologies, Inc. -> Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
(Western Digital Technologies, Inc. -> Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
(Western Digital Technologies, Inc. -> Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [SMΔRT-Protection] => C:\Program Files (x86)\Smadav\SMΔRTP.exe [1932368 2020-10-18] (Smadsoft) [File not signed]
HKLM-x32\...\Run: [WD Drive Unlocker] => C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe [1694080 2013-07-10] (Western Digital Technologies, Inc. -> Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5537136 2013-08-14] (Western Digital Technologies, Inc. -> Western Digital Technologies, Inc.)
HKU\S-1-5-21-1429262469-2834305963-1999796374-1001\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-1429262469-2834305963-1999796374-1001\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
HKU\S-1-5-21-1429262469-2834305963-1999796374-1001\...\Policies\Explorer\DisallowRun: [2] powershell.exe
HKU\S-1-5-21-1429262469-2834305963-1999796374-1001\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.183\Installer\chrmstp.exe [2020-11-03] (Google LLC -> Google LLC)
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0D25DE17-467F-43C3-8174-E6D8574FA8FD} - System32\Tasks\smadav => C:\Program Files (x86)\Smadav\SMΔRTP.exe [1932368 2020-10-18] (Smadsoft) [File not signed]
Task: {1E797CD6-2F70-44BD-B519-AFE615B50895} - System32\Tasks\Microsoft\Office\Office Feature Updates Logon => C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\sdxhelper.exe [91920 2020-11-04] (Microsoft Corporation -> Microsoft Corporation)
Task: {236042CC-9E55-4CB8-84C6-415833B826B9} - System32\Tasks\Agent Activation Runtime\S-1-5-21-1429262469-2834305963-1999796374-1001 => C:\WINDOWS\System32\AgentActivationRuntimeStarter.exe [13312 2020-08-31] (Microsoft Windows -> )
Task: {3664511D-3D32-47C3-9ABF-6017E24F516A} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [1395480 2020-11-04] (Microsoft Corporation -> Microsoft Corporation)
Task: {489C9EEF-D3B5-4924-8D89-FAAC73842F2C} - System32\Tasks\RtHDVBg_ListenToDevice => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1506384 2019-10-09] (Realtek Semiconductor Corp. -> Realtek Semiconductor)
Task: {5D04BAAD-32D3-42A8-B8DB-D46EEAB97791} - System32\Tasks\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\default-browser-agent.exe [124624 2020-06-03] (Mozilla Corporation -> Mozilla Foundation)
Task: {7A5108B6-D36B-40BD-8371-3DA0B49EF5EE} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2420640 2020-11-04] (Microsoft Corporation -> Microsoft Corporation)
Task: {AA6A1B7D-3C5C-4BBF-912B-74C9515C2BE4} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156104 2020-06-14] (Google LLC -> Google LLC)
Task: {B3965C1D-F1EC-43B2-B2E5-33599FD76FC0} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1506384 2019-10-09] (Realtek Semiconductor Corp. -> Realtek Semiconductor)
Task: {C52CADFA-0253-40D0-BF0A-AEE48C869226} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2420640 2020-11-04] (Microsoft Corporation -> Microsoft Corporation)
Task: {C7C21D2B-3ADE-42CA-84A5-9F2FC5B87253} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [156104 2020-06-14] (Google LLC -> Google LLC)
Task: {E21BDD8A-34DC-401E-90A6-08116FA9ED6B} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [1395480 2020-11-04] (Microsoft Corporation -> Microsoft Corporation)
Task: {F4B995A9-1F09-47D9-B858-60DD6004730E} - System32\Tasks\Microsoft\Office\Office Feature Updates => C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\sdxhelper.exe [91920 2020-11-04] (Microsoft Corporation -> Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.44.1
Tcpip\..\Interfaces\{2e42116d-968b-4972-9813-f403bb95fd19}: [DhcpNameServer] 192.168.44.1
Tcpip\..\Interfaces\{e1b75c01-b675-427c-b127-1fe34d2260ff}: [DhcpNameServer] 192.168.43.1

Edge: 
======
DownloadDir: C:\Users\ASUS\Downloads
Edge HomeButtonPage: HKU\S-1-5-21-1429262469-2834305963-1999796374-1001 -> about:tabs
Edge Session Restore: HKU\S-1-5-21-1429262469-2834305963-1999796374-1001 -> is enabled.
Edge DefaultProfile: Default
Edge Profile: C:\Users\ASUS\AppData\Local\Microsoft\Edge\User Data\Default [2020-11-06]
Edge DownloadDir: C:\Users\ASUS\Downloads
Edge Notifications: Default -> hxxps://drive.google.com; hxxps://mail.google.com; hxxps://meet.google.com; hxxps://web.telegram.org
Edge HomePage: Default -> edge://newtab/
Edge DefaultSearchURL: Default -> hxxps://viu-static.akamaized.net/favicon/android-chrome-192x192.png
Edge Session Restore: Default -> is enabled.
Edge Extension: (Viu) - C:\Users\ASUS\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\daegohakgnkcblfeacnlbgagpngmaphb [2020-10-11]
Edge Extension: (Bausastra Jawa Jangkep) - C:\Users\ASUS\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\gnplfmhjpfagdmlogmpcjifnlkbcmiel [2020-10-19]
Edge Extension: (AdBlock — best ad blocker) - C:\Users\ASUS\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ndcileolkflehcjpmjnfbnaibdcgglog [2020-11-04]

FireFox:
========
FF DefaultProfile: gxa4r248.default
FF ProfilePath: C:\Users\ASUS\AppData\Roaming\Mozilla\Firefox\Profiles\gxa4r248.default [2020-06-22]
FF NewTab: Mozilla\Firefox\Profiles\gxa4r248.default -> hxxps://securesearch.org/homepage?hp=2&pId=GR160102&iDate=2020-06-22 04:05:45&bName=
FF ProfilePath: C:\Users\ASUS\AppData\Roaming\Mozilla\Firefox\Profiles\2jiyeosw.default-release [2020-11-05]
FF Homepage: Mozilla\Firefox\Profiles\2jiyeosw.default-release -> hxxps://securesearch.org/homepage?hp=2&pId=GR160102&iDate=2020-06-22 04:05:45&bName=
FF NewTab: Mozilla\Firefox\Profiles\2jiyeosw.default-release -> hxxps://securesearch.org/homepage?hp=2&pId=GR160102&iDate=2020-06-22 04:05:45&bName=
FF Extension: (Avast SafePrice | Comparison, deals, coupons) - C:\Users\ASUS\AppData\Roaming\Mozilla\Firefox\Profiles\2jiyeosw.default-release\Extensions\sp@avast.com.xpi [2020-06-14]
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2020-11-04] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2020-11-04] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=3.0.11 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2020-06-04] (VideoLAN -> VideoLAN)

Chrome: 
=======
CHR Profile: C:\Users\ASUS\AppData\Local\Google\Chrome\User Data\Default [2020-11-07]
CHR Notifications: Default -> hxxps://drive.google.com; hxxps://meet.google.com
CHR Session Restore: Default -> is enabled.
CHR Extension: (Slides) - C:\Users\ASUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2020-06-20]
CHR Extension: (Docs) - C:\Users\ASUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2020-06-20]
CHR Extension: (Google Drive) - C:\Users\ASUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2020-10-23]
CHR Extension: (Google Docs Offline) - C:\Users\ASUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2020-10-23]
CHR Extension: (Avast Online Security) - C:\Users\ASUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2020-06-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\ASUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2020-06-20]
CHR Extension: (LINE) - C:\Users\ASUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjlpahpchlmihnnnihgmmeilfjmjjc [2020-10-12]
CHR Extension: (Chrome Media Router) - C:\Users\ASUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2020-10-11]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [9619824 2018-12-26] (Microsoft Corporation -> Microsoft Corporation)
R2 FoxitReaderUpdateService; C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReaderUpdateService.exe [1995184 2020-07-08] (FOXIT SOFTWARE INC. -> Foxit Software Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [7265328 2020-11-04] (Malwarebytes Inc -> Malwarebytes)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [5097896 2020-09-22] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1042808 2013-08-14] (Western Digital Technologies, Inc. -> Western Digital Technologies, Inc.)
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [270704 2013-07-10] (Western Digital Technologies, Inc. -> Western Digital Technologies, Inc.)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2009.7-0\NisSrv.exe [2372048 2020-11-05] (Microsoft Windows Publisher -> Microsoft Corporation)
S3 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2009.7-0\MsMpEng.exe [128376 2020-11-05] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinUpdStopSvc; C:\Program Files\NoVirusThanks\Win Update Stop\WinUpdStopSvc.exe [2178280 2018-08-25] (NoVirusThanks Company Srl -> NoVirusThanks Company Srl)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AsusPTPDrv; C:\WINDOWS\System32\drivers\AsusPTPFilter.sys [108504 2019-04-24] (ASUSTek Computer Inc. -> ASUSTek COMPUTER INC.)
R1 ElRawDisk; C:\Windows\system32\drivers\rsdrvx64.sys [26024 2009-02-12] (EldoS Corporation -> EldoS Corporation)
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [153312 2020-11-04] (Malwarebytes Corporation -> Malwarebytes)
R2 MBAMChameleon; C:\WINDOWS\System32\Drivers\MbamChameleon.sys [217600 2020-11-06] (Malwarebytes Inc -> Malwarebytes)
S0 MbamElam; C:\WINDOWS\System32\DRIVERS\MbamElam.sys [19912 2020-11-04] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\System32\DRIVERS\farflt.sys [197792 2020-11-06] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\DRIVERS\mbam.sys [74936 2020-11-06] (Malwarebytes Inc -> Malwarebytes)
R0 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [248968 2020-11-04] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMWebProtection; C:\WINDOWS\system32\DRIVERS\mwac.sys [134304 2020-11-06] (Malwarebytes Inc -> Malwarebytes)
S3 WdBoot; C:\WINDOWS\system32\drivers\wd\WdBoot.sys [48536 2020-11-05] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R3 WDC_SAM; C:\WINDOWS\System32\drivers\wdcsam64.sys [35584 2018-02-26] (WDKTestCert wdclab,130885612892544312 -> Western Digital Technologies, Inc.)
S3 WdFilter; C:\WINDOWS\system32\drivers\wd\WdFilter.sys [428264 2020-11-05] (Microsoft Windows -> Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [69864 2020-11-05] (Microsoft Windows -> Microsoft Corporation)
S3 HIDSwitch; \SystemRoot\System32\drivers\AsHIDSwitch64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) ===================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-11-07 00:06 - 2020-11-07 00:10 - 000017741 _____ C:\Users\ASUS\Downloads\FRST.txt
2020-11-07 00:04 - 2020-11-07 00:08 - 000000000 ____D C:\FRST
2020-11-06 23:58 - 2020-11-06 23:58 - 000000000 ____D C:\WINDOWS\rss
2020-11-06 23:58 - 2020-11-06 23:58 - 000000000 ____D C:\Users\ASUS\AppData\Roaming\EpicNet Inc
2020-11-06 23:58 - 2020-11-06 23:58 - 000000000 ____D C:\Users\ASUS\AppData\Local\EpicNet Inc
2020-11-06 23:57 - 2020-11-06 23:57 - 000074936 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2020-11-06 23:56 - 2020-11-06 23:56 - 000217600 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MbamChameleon.sys
2020-11-06 23:56 - 2020-11-06 23:56 - 000197792 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2020-11-06 23:56 - 2020-11-06 23:56 - 000134304 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2020-11-06 23:53 - 2020-11-06 23:53 - 000002199 _____ C:\Users\ASUS\Desktop\scanreport 1153.txt
2020-11-06 23:52 - 2020-11-06 23:53 - 000000000 ____D C:\AdwCleaner
2020-11-06 23:34 - 2020-11-06 23:35 - 002298368 _____ (Farbar) C:\Users\ASUS\Downloads\FRST64.exe
2020-11-06 23:11 - 2020-11-06 23:27 - 008447152 _____ (Malwarebytes) C:\Users\ASUS\Downloads\adwcleaner_8.0.8.exe
2020-11-06 21:53 - 2020-11-06 21:53 - 000002247 _____ C:\Users\ASUS\Desktop\malwarebytes report 20201106.txt
2020-11-06 19:50 - 2020-11-06 19:51 - 000000000 ____D C:\KVRT_Data
2020-11-06 19:26 - 2020-11-06 19:26 - 000000000 ____D C:\WINDOWS\SpeechsTracing
2020-11-06 17:58 - 2020-11-06 18:06 - 185196912 _____ (AO Kaspersky Lab) C:\Users\ASUS\Downloads\KVRT.exe
2020-11-06 17:17 - 2020-11-06 19:15 - 000277968 _____ C:\WINDOWS\ntbtlog.txt
2020-11-06 17:17 - 2020-11-06 17:17 - 000000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2020-11-06 13:44 - 2020-11-06 16:11 - 000067541 _____ C:\Users\ASUS\Downloads\Database WA External 2-1.xlsx
2020-11-06 13:17 - 2020-11-06 13:18 - 007319166 _____ C:\Users\ASUS\Downloads\(NEW) KPK_WhatsApp (1).xlsx
2020-11-06 08:49 - 2020-11-06 09:02 - 000000514 _____ C:\WINDOWS\system32\Drivers\etc\hosts.ics
2020-11-05 23:28 - 2020-11-05 23:28 - 000000000 ____D C:\WINDOWS\system32\Drivers\NVIDIA Corporation
2020-11-05 23:28 - 2020-11-05 23:28 - 000000000 ____D C:\WINDOWS\LastGood.Tmp
2020-11-05 23:26 - 2020-08-07 13:52 - 001780944 _____ C:\WINDOWS\system32\vulkaninfo-1-999-0-0-0.exe
2020-11-05 23:26 - 2020-08-07 13:52 - 001780944 _____ C:\WINDOWS\system32\vulkaninfo.exe
2020-11-05 23:26 - 2020-08-07 13:52 - 001371344 _____ C:\WINDOWS\SysWOW64\vulkaninfo-1-999-0-0-0.exe
2020-11-05 23:26 - 2020-08-07 13:52 - 001371344 _____ C:\WINDOWS\SysWOW64\vulkaninfo.exe
2020-11-05 23:26 - 2020-08-07 13:52 - 001086672 _____ C:\WINDOWS\system32\vulkan-1-999-0-0-0.dll
2020-11-05 23:26 - 2020-08-07 13:52 - 001086672 _____ C:\WINDOWS\system32\vulkan-1.dll
2020-11-05 23:26 - 2020-08-07 13:52 - 000946384 _____ C:\WINDOWS\SysWOW64\vulkan-1-999-0-0-0.dll
2020-11-05 23:26 - 2020-08-07 13:52 - 000946384 _____ C:\WINDOWS\SysWOW64\vulkan-1.dll
2020-11-05 23:26 - 2020-08-07 13:52 - 000456592 _____ (Khronos Group) C:\WINDOWS\system32\OpenCL.dll
2020-11-05 23:26 - 2020-08-07 13:52 - 000349928 _____ (Khronos Group) C:\WINDOWS\SysWOW64\OpenCL.dll
2020-11-05 23:26 - 2020-08-07 13:50 - 006652816 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuvid.dll
2020-11-05 23:26 - 2020-08-07 13:50 - 005883280 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvcuvid.dll
2020-11-05 23:26 - 2020-08-07 13:50 - 003901672 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvcuda.dll
2020-11-05 23:26 - 2020-08-07 13:50 - 002367720 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuda.dll
2020-11-05 23:26 - 2020-08-07 13:50 - 002076568 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvFBC64.dll
2020-11-05 23:26 - 2020-08-07 13:50 - 001722096 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvdispco6445167.dll
2020-11-05 23:26 - 2020-08-07 13:50 - 001569688 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvFBC.dll
2020-11-05 23:26 - 2020-08-07 13:50 - 001486744 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvIFR64.dll
2020-11-05 23:26 - 2020-08-07 13:50 - 001482992 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvdispgenco6445167.dll
2020-11-05 23:26 - 2020-08-07 13:50 - 001146264 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvIFR.dll
2020-11-05 23:26 - 2020-08-07 13:50 - 000812440 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvEncodeAPI64.dll
2020-11-05 23:26 - 2020-08-07 13:50 - 000674032 _____ C:\WINDOWS\system32\nvofapi64.dll
2020-11-05 23:26 - 2020-08-07 13:50 - 000670616 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvIFROpenGL.dll
2020-11-05 23:26 - 2020-08-07 13:50 - 000655600 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvEncodeAPI.dll
2020-11-05 23:26 - 2020-08-07 13:50 - 000555928 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvIFROpenGL.dll
2020-11-05 23:26 - 2020-08-07 13:50 - 000541936 _____ C:\WINDOWS\SysWOW64\nvofapi.dll
2020-11-05 23:26 - 2020-08-07 13:48 - 004716168 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvapi.dll
2020-11-05 21:11 - 2020-11-06 12:58 - 000044935 _____ C:\Users\ASUS\Downloads\Database WA External 2.xlsx
2020-11-05 18:13 - 2020-11-05 18:13 - 000005702 _____ C:\Users\ASUS\Downloads\WuReset2.0.bat
2020-11-05 16:58 - 2020-11-05 16:59 - 006717838 _____ C:\Users\ASUS\Downloads\(NEW) KPK_WhatsApp.xlsx
2020-11-05 15:52 - 2020-11-05 15:52 - 000753302 _____ C:\Users\ASUS\Downloads\Kuesioner Internal SPI 2019 - 20 Agustus 2019-provinsi.pdf
2020-11-05 15:52 - 2020-11-05 15:52 - 000483309 _____ C:\Users\ASUS\Downloads\Kuesioner Eksternal SPI 2019 - 27 Agustus 2019.pdf
2020-11-04 16:06 - 2020-11-04 16:08 - 001523229 _____ C:\Users\ASUS\Downloads\Ceklis Revisi 041120.xlsx
2020-11-04 14:23 - 2020-11-04 14:23 - 000002033 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes.lnk
2020-11-04 14:23 - 2020-11-04 14:23 - 000002021 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2020-11-04 14:23 - 2020-11-04 14:23 - 000002021 _____ C:\ProgramData\Desktop\Malwarebytes.lnk
2020-11-04 14:21 - 2020-11-04 14:21 - 000248968 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2020-11-04 14:18 - 2020-11-04 14:13 - 000019912 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MbamElam.sys
2020-11-04 14:17 - 2020-11-04 14:13 - 000153312 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbae64.sys
2020-11-04 14:14 - 2020-11-04 14:14 - 000000000 ____D C:\ProgramData\Malwarebytes
2020-11-04 13:55 - 2020-11-04 13:55 - 000000000 ____D C:\Program Files\Malwarebytes
2020-11-04 13:51 - 2020-11-04 13:53 - 002062144 _____ (Malwarebytes) C:\Users\ASUS\Downloads\MBSetup.exe
2020-11-04 12:09 - 2020-11-04 12:09 - 000000165 ____H C:\Users\ASUS\Downloads\~$Database buat WA (Autosaved).xlsx
2020-11-04 11:04 - 2020-11-04 11:04 - 000000165 ____H C:\Users\ASUS\Downloads\~$Salinan dari KPK_WhatsApp (1).xlsx
2020-11-04 08:00 - 2020-11-04 08:00 - 000000165 ____H C:\Users\ASUS\Downloads\~$Database buat WA.xlsx
2020-11-04 07:38 - 2020-11-04 07:38 - 000000000 ____D C:\Program Files\Microsoft Office 15
2020-11-04 07:36 - 2020-11-04 07:36 - 000440120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msvcp140.dll
2020-11-04 07:36 - 2020-11-04 07:36 - 000083784 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vcruntime140.dll
2020-11-04 07:23 - 2020-11-05 16:01 - 000058036 _____ C:\Users\ASUS\Downloads\Database buat WA.xlsx
2020-11-03 14:54 - 2020-11-03 14:54 - 000000165 ____H C:\Users\ASUS\Downloads\~$KPK_WhatsApp (2).xlsx
2020-11-03 13:25 - 2020-11-03 13:27 - 001972524 _____ C:\WINDOWS\Minidump\110320-44953-01.dmp
2020-11-03 12:53 - 2020-11-03 12:53 - 000000165 ____H C:\Users\ASUS\Downloads\~$KPK_WhatsApp (1) (Autosaved).xlsx
2020-11-03 12:45 - 2020-11-03 13:25 - 000000000 ____D C:\WINDOWS\Minidump
2020-11-03 12:45 - 2020-11-03 12:55 - 001961596 _____ C:\WINDOWS\Minidump\110320-45421-01.dmp
2020-11-03 10:45 - 2020-11-03 10:47 - 052473621 _____ C:\Users\ASUS\Downloads\GMT20201102-153924_Chintya-Ra_1920x1030.mp4
2020-11-03 10:39 - 2020-11-03 10:39 - 000000165 ____H C:\Users\ASUS\Downloads\~$KPK_WhatsApp (1).xlsx
2020-11-03 10:34 - 2020-11-03 10:34 - 000000000 ___SD C:\Users\ASUS\Documents\My Data Sources
2020-11-02 18:39 - 2020-11-02 22:00 - 000001374 _____ C:\Users\ASUS\Documents\template kpk.txt
2020-11-02 16:50 - 2020-11-02 16:50 - 000289216 _____ C:\Users\ASUS\Downloads\Surat Pengantar SPI 2020.pdf
2020-11-02 13:55 - 2020-11-02 13:56 - 000002364 _____ C:\Users\ASUS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2020-10-24 18:42 - 2020-10-24 23:10 - 000855310 _____ C:\Users\ASUS\Downloads\Nurul Aisyah_Dokumen Persyaratan.pdf
2020-10-23 12:57 - 2020-10-23 12:57 - 000236909 _____ C:\Users\ASUS\Downloads\20201019-pengumuman-tenaga-pendukung-teknis-kemenko-bidang-perekonomian-gelombang-x-tahun-2020.pdf
2020-10-22 11:59 - 2020-10-22 12:24 - 061257487 _____ C:\Users\ASUS\Downloads\Emergency Couple by Despersa.pdf
2020-10-19 16:55 - 2020-10-19 16:55 - 000002928 _____ C:\Users\ASUS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bausastra Jawa Jangkep.lnk
2020-10-18 19:30 - 2020-10-18 19:31 - 001323422 _____ C:\Users\ASUS\Downloads\Partner In Love by Meccaila.pdf
2020-10-18 19:27 - 2020-10-18 19:28 - 008474295 _____ C:\Users\ASUS\Downloads\The Worker Machine by Meccaila.pdf
2020-10-16 23:01 - 2020-10-16 23:01 - 006630180 _____ C:\Users\ASUS\Downloads\Another Time by Cellestine.pdf
2020-10-12 15:58 - 2020-10-12 16:02 - 038657338 _____ C:\Users\ASUS\Documents\Musuh Bebuyutan by Sally Thorne.pdf
2020-10-11 16:13 - 2020-10-11 16:13 - 000002874 _____ C:\Users\ASUS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Viu.lnk
2020-10-10 20:26 - 2020-10-12 18:11 - 001377333 _____ C:\Users\ASUS\Documents\the-hating-game.pdf

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-11-07 00:02 - 2020-06-14 02:17 - 000000000 ____D C:\Users\ASUS\AppData\Roaming\Smadav
2020-11-06 23:58 - 2019-12-07 16:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2020-11-06 23:57 - 2020-06-14 01:27 - 000000000 __SHD C:\Users\ASUS\IntelGraphicsProfiles
2020-11-06 23:56 - 2020-08-30 14:30 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2020-11-06 23:56 - 2020-08-30 13:30 - 000008192 ___SH C:\DumpStack.log.tmp
2020-11-06 23:56 - 2020-06-21 11:47 - 000008192 _____ C:\WINDOWS\SysWOW64\WDPABKP.dat
2020-11-06 23:56 - 2020-06-14 01:26 - 000000000 ____D C:\ProgramData\NVIDIA
2020-11-06 23:56 - 2019-12-07 16:14 - 000000000 ____D C:\WINDOWS\ServiceState
2020-11-06 23:55 - 2019-12-07 16:03 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2020-11-06 23:28 - 2020-08-30 13:31 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2020-11-06 19:40 - 2020-06-21 12:25 - 000000000 ____D C:\Users\ASUS\AppData\Local\CrashDumps
2020-11-06 17:13 - 2020-08-30 13:38 - 000000000 ____D C:\Users\ASUS
2020-11-06 16:54 - 2019-12-07 16:13 - 000000000 ____D C:\WINDOWS\INF
2020-11-06 11:41 - 2020-06-14 01:26 - 000000000 ____D C:\ProgramData\NVIDIA Corporation
2020-11-06 08:54 - 2020-08-31 02:35 - 000489734 _____ C:\WINDOWS\system32\perfh011.dat
2020-11-06 08:54 - 2020-08-31 02:35 - 000133410 _____ C:\WINDOWS\system32\perfc011.dat
2020-11-06 08:54 - 2020-08-31 02:11 - 000499778 _____ C:\WINDOWS\system32\perfh012.dat
2020-11-06 08:54 - 2020-08-31 02:11 - 000133434 _____ C:\WINDOWS\system32\perfc012.dat
2020-11-06 08:54 - 2020-08-30 13:50 - 002072138 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2020-11-05 23:30 - 2019-12-07 16:14 - 000000000 ____D C:\WINDOWS\Help
2020-11-05 23:29 - 2020-06-14 01:27 - 000000000 ____D C:\Program Files (x86)\VulkanRT
2020-11-05 23:29 - 2020-06-14 01:26 - 000000000 ____D C:\Program Files\NVIDIA Corporation
2020-11-05 23:29 - 2020-06-14 01:26 - 000000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2020-11-05 19:50 - 2019-12-07 16:03 - 000000000 ____D C:\WINDOWS\CbsTemp
2020-11-05 18:16 - 2019-12-07 16:03 - 000032768 _____ C:\WINDOWS\system32\config\ELAM
2020-11-05 17:13 - 2019-12-07 16:14 - 000000000 ____D C:\WINDOWS\AppReadiness
2020-11-05 09:56 - 2020-06-13 23:48 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2020-11-05 09:49 - 2020-06-22 12:03 - 000795000 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2020-11-05 05:27 - 2020-06-20 22:43 - 000000000 ____D C:\Users\ASUS\AppData\Local\ElevatedDiagnostics
2020-11-05 04:54 - 2020-06-14 02:16 - 000000000 ____D C:\ProgramData\Avast Software
2020-11-05 03:54 - 2019-12-07 16:14 - 000000000 ___HD C:\Program Files\WindowsApps
2020-11-05 03:44 - 2020-06-14 02:15 - 000000000 ____D C:\ProgramData\KMSAutoS
2020-11-04 17:56 - 2020-06-20 22:26 - 000002421 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2020-11-04 14:18 - 2019-12-07 16:14 - 000000000 ___HD C:\WINDOWS\ELAMBKUP
2020-11-04 08:11 - 2020-06-14 01:30 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2020-11-04 07:37 - 2019-12-07 16:14 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2020-11-04 07:29 - 2020-07-03 11:48 - 000000000 ____D C:\Users\ASUS\AppData\Local\Spotify
2020-11-04 07:19 - 2020-07-02 12:21 - 000000000 ____D C:\Users\ASUS\AppData\Roaming\Spotify
2020-11-04 07:03 - 2020-08-30 14:30 - 000003408 _____ C:\WINDOWS\system32\Tasks\MicrosoftEdgeUpdateTaskMachineUA
2020-11-04 07:03 - 2020-08-30 14:30 - 000003346 _____ C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineUA
2020-11-04 07:03 - 2020-08-30 14:30 - 000003184 _____ C:\WINDOWS\system32\Tasks\MicrosoftEdgeUpdateTaskMachineCore
2020-11-04 07:03 - 2020-08-30 14:30 - 000003122 _____ C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineCore
2020-11-04 07:03 - 2020-08-30 14:30 - 000002862 _____ C:\WINDOWS\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1429262469-2834305963-1999796374-1001
2020-11-04 07:03 - 2020-08-30 14:30 - 000002416 _____ C:\WINDOWS\system32\Tasks\smadav
2020-11-04 07:03 - 2020-08-30 14:30 - 000002346 _____ C:\WINDOWS\system32\Tasks\RtHDVBg_ListenToDevice
2020-11-04 07:03 - 2020-08-30 14:30 - 000002302 _____ C:\WINDOWS\system32\Tasks\RTKCPL
2020-11-03 15:39 - 2020-06-14 01:41 - 000002301 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2020-11-03 15:39 - 2020-06-14 01:41 - 000002260 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2020-11-03 15:39 - 2020-06-14 01:41 - 000002260 _____ C:\ProgramData\Desktop\Google Chrome.lnk
2020-11-02 18:36 - 2020-09-11 19:31 - 000000000 ____D C:\Users\ASUS\Downloads\Telegram Desktop
2020-11-02 18:32 - 2020-09-10 16:58 - 000000000 ____D C:\Users\ASUS\AppData\Roaming\Telegram Desktop
2020-11-02 15:19 - 2019-12-07 16:14 - 000000000 ____D C:\WINDOWS\system32\NDF
2020-11-02 13:57 - 2020-06-14 00:03 - 000000000 ___RD C:\Users\ASUS\OneDrive
2020-11-01 22:00 - 2020-08-13 13:07 - 000000000 ____D C:\Users\ASUS\AppData\Roaming\vlc
2020-10-31 12:16 - 2020-06-13 23:59 - 000000000 ____D C:\Users\ASUS\AppData\Local\Packages
2020-10-26 20:06 - 2020-06-14 00:16 - 000000000 ____D C:\ProgramData\Packages
2020-10-25 22:30 - 2020-06-20 23:40 - 000000000 ____D C:\Users\ASUS\AppData\Local\PlaceholderTileLogoFolder
2020-10-22 19:31 - 2020-06-14 02:17 - 000000000 __SHD C:\[Smad-Cage]
2020-10-20 17:53 - 2020-06-14 02:17 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SMADAV Antivirus
2020-10-20 17:53 - 2020-06-14 02:17 - 000000000 ____D C:\Program Files (x86)\SMADAV
2020-10-12 15:53 - 2020-08-12 21:33 - 000000000 ____D C:\Users\ASUS\AppData\Roaming\Foxit Software

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================

Addition.txt


Hiya commegalife,

Thanks for those logs, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The system will be rebooted after the fix has run.

Next,

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.



Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.

Open Zemana again then do the following to get the latest report

Open Reports > select the report in question to highlight > select "Ctrl - A" keys together to highlight full report message > then "Ctrl - C" keys to copy to clipboard > then open notepad and select paste to copy the report there, then attach to reply....

Let me see those logs....

Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select Run as Administrator; the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\msert.log

The log will include log details for each time MSRT has run; we only need the most recent log by date and time....

Let me see those logs in your reply...

Thank you,

Kevin..

fixlist.txt


Fix result of Farbar Recovery Scan Tool (x64) Version: 06-11-2020
Ran by ASUS (07-11-2020 05:13:46) Run:1
Running from C:\Users\ASUS\Downloads
Loaded Profiles: ASUS
Boot Mode: Normal
==============================================

fixlist content:
*****************
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-1429262469-2834305963-1999796374-1001\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-1429262469-2834305963-1999796374-1001\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
HKU\S-1-5-21-1429262469-2834305963-1999796374-1001\...\Policies\Explorer\DisallowRun: [2] powershell.exe
HKU\S-1-5-21-1429262469-2834305963-1999796374-1001\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION 
S3 HIDSwitch; \SystemRoot\System32\drivers\AsHIDSwitch64.sys [X] 
2020-11-06 23:58 - 2020-11-06 23:58 - 000000000 ____D C:\Users\ASUS\AppData\Roaming\EpicNet Inc
2020-11-06 23:58 - 2020-11-06 23:58 - 000000000 ____D C:\Users\ASUS\AppData\Local\EpicNet Inc
2020-11-06 08:54 - 2020-08-31 02:35 - 000489734 _____ C:\WINDOWS\system32\perfh011.dat
2020-11-06 08:54 - 2020-08-31 02:35 - 000133410 _____ C:\WINDOWS\system32\perfc011.dat
2020-11-06 08:54 - 2020-08-31 02:11 - 000499778 _____ C:\WINDOWS\system32\perfh012.dat
2020-11-06 08:54 - 2020-08-31 02:11 - 000133434 _____ C:\WINDOWS\system32\perfc012.dat
2020-11-06 08:54 - 2020-08-30 13:50 - 002072138 _____ C:\WINDOWS\system32\PerfStringBackup.INI
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
CMD: winmgmt /verifyrepository
cmd: sfc /scannow
Hosts:
EmptyTemp:

*****************

SystemRestore: On => completed
Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-1429262469-2834305963-1999796374-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\DisallowRun" => removed successfully
"HKU\S-1-5-21-1429262469-2834305963-1999796374-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\1" => removed successfully
"HKU\S-1-5-21-1429262469-2834305963-1999796374-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\2" => removed successfully
"HKU\S-1-5-21-1429262469-2834305963-1999796374-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\3" => removed successfully
HKLM\SOFTWARE\Policies\Mozilla => removed successfully
HKLM\SOFTWARE\Policies\Google => removed successfully
HKLM\System\CurrentControlSet\Services\HIDSwitch => removed successfully
HIDSwitch => service removed successfully
"C:\Users\ASUS\AppData\Roaming\EpicNet Inc" => not found
"C:\Users\ASUS\AppData\Local\EpicNet Inc" => not found
C:\WINDOWS\system32\perfh011.dat => moved successfully
C:\WINDOWS\system32\perfc011.dat => moved successfully
C:\WINDOWS\system32\perfh012.dat => moved successfully
C:\WINDOWS\system32\perfc012.dat => moved successfully
C:\WINDOWS\system32\PerfStringBackup.INI => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => removed successfully
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully

========= winmgmt /verifyrepository =========

WMI repository is consistent

========= End of CMD: =========


========= sfc /scannow =========


Beginning system scan.  This process will take some time.


There is a system repair pending which requires reboot to complete.  Restart
Windows and run sfc again.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 10248192 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 748478639 B
Java, Flash, Steam htmlcache => 1083 B
Windows/system/drivers => 110702221 B
Edge => 2834255 B
Chrome => 301581563 B
Firefox => 37540094 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 264156 B
NetworkService => 11193042 B
ASUS => 197738230 B

RecycleBin => 0 B
EmptyTemp: => 1.3 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 05:20:53 ====
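The fixlist above removed a DisallowRun policy (blocking Mshta.exe, powershell.exe and bitsadmin.exe), Firefox and Chrome policy keys, and two "EpicNet Inc" folders, and Safety Scanner later found Defender's DisableAntiSpyware value set. The read-only audit below is an added example, not part of the thread or any poster's tooling; it checks a machine for exactly those indicators and reports without changing anything. The scheduled-task check at the end is a general persistence check I added, not something the thread identified.

```powershell
# Added example: read-only audit for the indicators seen in this thread.
# Run from an elevated PowerShell prompt; nothing is modified.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Explorer DisallowRun policy: the fixlist removed entries that blocked
#    Mshta.exe, powershell.exe and bitsadmin.exe for the logged-on user.
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$disallow = Get-ItemProperty -Path $explorerPolicy -Name DisallowRun -ErrorAction SilentlyContinue
if ($disallow -and $disallow.DisallowRun -eq 1) {
    $findings.Add("DisallowRun policy is enabled under $explorerPolicy")
    $blocked = Get-ItemProperty -Path "$explorerPolicy\DisallowRun" -ErrorAction SilentlyContinue
    if ($blocked) {
        # Blocked executables are stored as numbered string values (1, 2, 3, ...).
        $blocked.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $findings.Add(("  blocked executable [{0}]: {1}" -f $_.Name, $_.Value)) }
    }
}

# 2. Browser policy keys: FRST flagged both as "Restriction". A home machine that
#    is not domain-managed normally has neither key at all.
foreach ($key in 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox', 'HKLM:\SOFTWARE\Policies\Google') {
    if (Test-Path $key) {
        $count = (Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue | Measure-Object).Count
        $findings.Add("Browser policy key present: $key ($count subkeys)")
    }
}

# 3. Defender tampering: the value Safety Scanner reported as
#    VirTool:Win32/DefenderTamperingRestore.
$defender = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($defender -and $defender.DisableAntiSpyware -eq 1) {
    $findings.Add('Windows Defender is disabled via DisableAntiSpyware = 1')
}

# 4. Dropper folders listed in the fixlist (resolved for the current profile).
foreach ($dir in "$env:APPDATA\EpicNet Inc", "$env:LOCALAPPDATA\EpicNet Inc") {
    if (Test-Path $dir) { $findings.Add("Folder present: $dir") }
}

# 5. General check (not from the thread): scheduled tasks whose action launches
#    from a user-writable location are a common way software survives a reboot.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($action in $_.Actions) {
        if ($action.Execute -match 'AppData|ProgramData|EpicNet|cloudnet') {
            $findings.Add(("Task '{0}' runs {1} {2}" -f $_.TaskName, $action.Execute, $action.Arguments))
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this thread were found.' } else { $findings }
```

A clean result after the fix is the expected outcome; anything listed under the DisallowRun or browser-policy checks reappearing after a reboot points at a remaining autostart that the scans have not yet removed.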


Scan Information

Product Name    :  Zemana AntiMalware
Scan Status    :  Completed
Scan Date    :  11/7/2020 5:59:39 AM
Scan Type    :  Smart Scan
Scan Duration    :  00:01:53
Scanned Objects    :  1885
Detected Objects    :  3
Excluded Objects    :  0
Auto Upload    :  True
OS    :  Windows 10 x64
Processor    :  4X Intel(R) Core(TM) i3-7100U CPU @ 2.40GHz
BIOS Mode    :  UEFI
Domain Info    :  WORKGROUP,False,NetSetupWorkgroupName
CUID    :  12FFBE897A77DBCD7E0904

 

Detections

MD5    :  
Status    :  Scanned
Object    : https://securesearch.org/homepage?hp
Publisher    :  
Size    :  0
Detection    :  Hijack:Browser/FirefoxHomepage
Action    :  Delete
-----------------------------------------------------------------------
MD5    :  
Status    :  Scanned
Object    : https://securesearch.org/homepage?hp
Publisher    :  
Size    :  0
Detection    :  Hijack:Browser/FirefoxNewtab
Action    :  Delete
-----------------------------------------------------------------------
MD5    :  
Status    :  Scanned
Object    :  default search engine - http://securesearch.org
Publisher    :  
Size    :  0
Detection    :  Hijack:Browser/FirefoxSearch
Action    :  Delete
-----------------------------------------------------------------------


---------------------------------------------------------------------------------------

Microsoft Safety Scanner v1.0, (build 1.327.458.0)
Started On Sat Nov 07 06:12:35 2020
->Scan ERROR: resource process://pid:100,ProcessStart:132491773885493814 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:388,ProcessStart:132491773978656659 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:624,ProcessStart:132491774261430951 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:724,ProcessStart:132491774269809174 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:744,ProcessStart:132491774269910525 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:792,ProcessStart:132491774270441670 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2428,ProcessStart:132491774287625670 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:4048,ProcessStart:132491774312948898 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:5092,ProcessStart:132491774325346910 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:1248,ProcessStart:132491775280274159 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:9712,ProcessStart:132491775527442990 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:6776,ProcessStart:132491775716964856 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:10692,ProcessStart:132491776416944288 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:8232,ProcessStart:132491778663502601 (code 0x0000012B (299))
->Scan ERROR: resource process://pid:7836,ProcessStart:132491779452674405 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:9712,ProcessStart:132491775527442990 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:4048,ProcessStart:132491774312948898 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:1248,ProcessStart:132491775280274159 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:6776,ProcessStart:132491775716964856 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:10692,ProcessStart:132491776416944288 (code 0x00000005 (5))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\swapfile.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\swapfile.sys (code 0x00000021 (33))
->Scan ERROR: resource process://pid:4048,ProcessStart:132491774312948898 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:4048,ProcessStart:132491774312948898 (code 0x00000005 (5))

Quick Scan Results for 1EE93A40-7CF2-4B6F-9B22-FA1ACD617999:
----------------
Threat detected: VirTool:Win32/DefenderTamperingRestore
    regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware
        SigSeq: 0x0000055555C57273

Quick Scan Removal Results
----------------
Start 'remove' for regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware
Operation succeeded !


Results Summary:
----------------
Found VirTool:Win32/DefenderTamperingRestore and Removed!
Microsoft Safety Scanner Finished On Sat Nov 07 06:41:27 2020


Return code: 6 (0x6)
 


Hiya commegalife,

Please download Malwarebytes Anti-Rootkit from here

  • Right click on the tool (select "Run as Administrator") to start the extraction to a convenient location. (Desktop is preferable)
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder... mbar-log.txt and system-log.txt

Thank you,

Kevin...


Reset your router; instructions are available at the following link:

http://setuprouter.com/networking/how-to-reset-your-router/

Follow those instructions very carefully.

Next,

Download and unzip DNSJumper to your Desktop, the tool is portable no installation necessary.

Tool can be downloaded here: http://www.sordum.org/downloads/?dns-jumper
 
  • Right click on Dnsjumper.exe and select "Run as Administrator" to start the tool, For XP just double click to run.
  • From the left hand pane select "Flush DNS"
  • From the main interface select the dropdown under "Choose a DNS Server"
  • From the list select either "Google Public DNS" or "Open DNS"
  • From the left hand pane select "Apply DNS"


When done re-boot your system....

Next,

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach it to your reply
  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…

Next,

Reboot your PC, then do another scan with Malwarebytes; has it returned again..?

Thanks,

Kevin..