Malware Removal Assistance Needed

Discussion in 'Malware Removal Assistance For Windows' started by Micheal salami, Jul 2, 2017.


  1. Micheal salami

    Micheal salami Level 1

    Jul 2, 2017
    6
    3
    Lagos State, Nigeria
    Windows 10
    Microsoft
    #1 Micheal salami, Jul 2, 2017
    Last edited by a moderator: Jul 2, 2017
    Operating System:
    Windows 10
    Are you using a 32-bit or 64-bit operating system?:
    64-bit (x64)
    Infection date and initial symptoms:
    Last week, around 23rd or 27th June. I noticed that my UC Browser pops up on its own with various ad websites and porn web pages without my opening it.
    Current issues and symptoms:
    I noticed that my UC Browser pops up on its own with various ad websites and porn web pages without my opening it. I decided to uninstall UC Browser, but after doing that my Internet Explorer started doing the same (popping up on its own without my opening it, with the same sites as seen in UC Browser).
    Steps taken in order to remove the infection:
    I have used Windows Defender to scan and delete any Trojan found, but it still does not stop. As I write (2 July) I still have the same issue while using my computer.
    Logs added to help request:
    • FRST.txt
    • Addition.txt
    Code:
    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-06-2017
    Ran by Thollu (administrator) on DESKTOP-HV4MIBU (29-06-2017 22:11:41)
    Running from C:\Users\Thollu\Downloads
    Loaded Profiles: Thollu (Available Profiles: Thollu)
    Platform: Windows 10 Pro Version 1511 (X64) Language: English (United States)
    Internet Explorer Version 11 (Default browser: IE)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
    
    ==================== Processes (Whitelisted) =================
    
    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
    
    () C:\Program Files\Broadcom\CV\bin\UshUpgradeService.exe
    (Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
    (Tanuki Software, Ltd.) C:\ManageEngine\PMP\bin\wrapper.exe
    (Oracle Corporation) C:\ManageEngine\PMP\jre\bin\java.exe
    (Microsoft Corporation) C:\Windows\System32\cmd.exe
    (PostgreSQL Global Development Group) C:\ManageEngine\PMP\pgsql\bin\postgres.exe
    (PostgreSQL Global Development Group) C:\ManageEngine\PMP\pgsql\bin\postgres.exe
    (PostgreSQL Global Development Group) C:\ManageEngine\PMP\pgsql\bin\postgres.exe
    (PostgreSQL Global Development Group) C:\ManageEngine\PMP\pgsql\bin\postgres.exe
    (PostgreSQL Global Development Group) C:\ManageEngine\PMP\pgsql\bin\postgres.exe
    (PostgreSQL Global Development Group) C:\ManageEngine\PMP\pgsql\bin\postgres.exe
    (PostgreSQL Global Development Group) C:\ManageEngine\PMP\pgsql\bin\postgres.exe
    (PostgreSQL Global Development Group) C:\ManageEngine\PMP\pgsql\bin\postgres.exe
    (Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
    (Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
    (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
    (PostgreSQL Global Development Group) C:\ManageEngine\PMP\pgsql\bin\postgres.exe
    (tuxler.com) C:\Program Files (x86)\Tuxler Proxy\TuxlerProxy.exe
    (Tencent) C:\Program Files (x86)\Tencent\QQIntl\Bin\QQ.exe
    (Tencent) C:\Program Files (x86)\Tencent\QQIntl\Bin\TXPlatform.exe
    () C:\ManageEngine\PMP\PMP.exe
    () C:\Program Files (x86)\Tuxler Proxy\privoxy\privoxy.exe
    (Tencent) C:\Program Files (x86)\Tencent\QQIntl\Bin\QQ.exe
    (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
    (Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    
    ==================== Registry (Whitelisted) ====================
    
    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
    
    HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-03-09] (IDT, Inc.)
    HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [303928 2017-05-09] (Apple Inc.)
    HKLM-x32\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe
    HKU\S-1-5-21-694308185-4116531498-1042364220-1001\...\Run: [Tuxler] => C:\Program Files (x86)\Tuxler Proxy\TuxlerProxy.exe [2093056 2017-04-11] (tuxler.com)
    HKU\S-1-5-21-694308185-4116531498-1042364220-1001\...\Run: [QQ2009] => C:\Program Files (x86)\Tencent\QQIntl\Bin\QQ.exe [97976 2017-05-21] (Tencent)
    HKU\S-1-5-21-694308185-4116531498-1042364220-1001\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe
    HKU\S-1-5-21-694308185-4116531498-1042364220-1001\...\Run: [NSYBCV4OS03F6KS] => C:\Program Files\70M1O7OBD9\KPTGW7UCC.exe [1040384 2017-06-29] (1BZQ)
    HKU\S-1-5-21-694308185-4116531498-1042364220-1001\...\Run: [wenc0pexoba] => C:\Users\Thollu\AppData\Roaming\pjassdfnj0p\izpqsndqqpl.exe [8192 2017-06-29] ()
    Startup: C:\Users\Thollu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PMP Service Manager.lnk [2017-06-12]
    ShortcutTarget: PMP Service Manager.lnk -> C:\ManageEngine\PMP\PMP.exe ()
    
    ==================== Internet (Whitelisted) ====================
    
    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
    
    ProxyEnable: [S-1-5-21-694308185-4116531498-1042364220-1001] => Proxy is enabled.
    ProxyServer: [S-1-5-21-694308185-4116531498-1042364220-1001] => http=127.0.0.1:54321;https=127.0.0.1:54321;socks=127.0.0.1:12345
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 192.168.43.1
    Tcpip\..\Interfaces\{384595c0-cf1d-48ca-b657-fe423262bd73}: [DhcpNameServer] 192.168.43.1
    ManualProxies: 1http=127.0.0.1:54321;https=127.0.0.1:54321;socks=127.0.0.1:12345
    
    Internet Explorer:
    ==================
    HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = hxxp://go.microsoft.com/fwlink/?linkid=42826
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = hxxp://go.microsoft.com/fwlink/?linkid=42826
    
    FireFox:
    ========
    FF DefaultProfile: bb82mb5q.default
    FF ProfilePath: C:\Users\Thollu\AppData\Roaming\Mozilla\Firefox\Profiles\bb82mb5q.default [2017-06-29]
    FF NetworkProxy: Mozilla\Firefox\Profiles\bb82mb5q.default -> socks", "209.122.193.17"
    FF NetworkProxy: Mozilla\Firefox\Profiles\bb82mb5q.default -> socks_port", 14203
    FF NetworkProxy: Mozilla\Firefox\Profiles\bb82mb5q.default -> type", 0
    FF Extension: (Fast search) - C:\Users\Thollu\AppData\Roaming\Mozilla\Firefox\Profiles\bb82mb5q.default\Extensions\amcontextmenu@loucypher [2017-06-29]
    FF Plugin-x32: @qq.com/npchrome -> C:\Program Files (x86)\Common Files\Tencent\Npchrome\npchrome.dll [2017-05-21] (Tencent)
    FF Plugin-x32: @qq.com/npqscall -> C:\Program Files (x86)\Common Files\Tencent\NPQSCALL\npqscall.dll [2017-05-21] (Tencent)
    FF Plugin-x32: @qq.com/TXSSO -> C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.2.1\Bin\npSSOAxCtrlForPTLogin.dll [2013-04-08] (Tencent)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-29] (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-29] (Google Inc.)
    FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
    FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-04-05] (Adobe Systems Inc.)
    
    Chrome:
    =======
    CHR Profile: C:\Users\Thollu\AppData\Local\Google\Chrome\User Data\Default [2017-06-29]
    CHR Extension: (Google Docs) - C:\Users\Thollu\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-04-02]
    CHR Extension: (Chrome Web Store Payments) - C:\Users\Thollu\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-02]
    CHR Extension: (Chrome Media Router) - C:\Users\Thollu\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-06]
    
    ==================== Services (Whitelisted) ====================
    
    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
    
    S2 AESTFilters; C:\WINDOWS\System32\DriverStore\FileRepository\stwrt64.inf_amd64_e085d3cd5b474ba6\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
    R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-04-03] (Apple Inc.)
    S2 hostcontrolsvc; C:\Program Files\Broadcom\CV\bin\HostControlService.exe [1045736 2016-07-20] (Broadcom Corporation)
    S2 hoststoragesvc; C:\Program Files\Broadcom\CV\bin\HostStorageService.exe [42216 2016-07-20] (Broadcom Corporation)
    R2 PMP; C:\ManageEngine\PMP\bin\wrapper.exe [636184 2017-06-02] (Tanuki Software, Ltd.)
    S2 STacSV; C:\WINDOWS\System32\DriverStore\FileRepository\stwrt64.inf_amd64_e085d3cd5b474ba6\STacSV64.exe [244736 2010-03-09] (IDT, Inc.)
    R2 ushupgradesvc; C:\Program Files\Broadcom\CV\bin\UshUpgradeService.exe [257760 2016-07-20] ()
    R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2016-10-25] (Microsoft Corporation)
    R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2017-03-28] (Microsoft Corporation)
    S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe [X]
    
    ===================== Drivers (Whitelisted) ======================
    
    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
    
    S3 blackberryncm; C:\WINDOWS\System32\drivers\blackberryncm6_AMD64.sys [36360 2016-04-06] (BlackBerry)
    R1 MpKsl53a34beb; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{30148130-E750-454E-9832-734D78EF9E59}\MpKsl53a34beb.sys [44928 2017-06-29] (Microsoft Corporation)
    R2 npf; C:\WINDOWS\System32\drivers\npf.sys [35344 2011-02-11] (CACE Technologies, Inc.)
    S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
    R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
    S3 wdm_usb; C:\WINDOWS\system32\DRIVERS\usb2ser.sys [151184 2016-07-15] (MBB)
    R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
    
    ==================== NetSvcs (Whitelisted) ===================
    
    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
    
    
    ==================== One Month Created files and folders ========
    
    (If an entry is included in the fixlist, the file/folder will be moved.)
    
    2017-06-29 22:11 - 2017-06-29 22:12 - 00010180 _____ C:\Users\Thollu\Downloads\FRST.txt
    2017-06-29 22:11 - 2017-06-29 22:11 - 00000000 ____D C:\FRST
    2017-06-29 22:10 - 2017-06-29 22:10 - 02440704 _____ (Farbar) C:\Users\Thollu\Downloads\FRST64.exe
    2017-06-29 16:07 - 2017-06-29 21:15 - 00000000 ____D C:\ProgramData\Avg
    2017-06-29 16:07 - 2017-06-29 21:14 - 00000000 ____D C:\Users\Thollu\AppData\Local\AvgSetupLog
    2017-06-29 16:07 - 2017-06-29 16:07 - 00000000 ____D C:\Users\Thollu\AppData\Local\Avg
    2017-06-29 16:06 - 2017-06-29 16:07 - 03449448 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Thollu\Downloads\Antivirus_Free_1856.exe
    2017-06-29 10:44 - 2017-06-29 10:44 - 00000004 _____ C:\ProgramData\_lg.3sap
    2017-06-29 10:40 - 2017-06-29 10:40 - 00000000 ____D C:\Users\Thollu\AppData\Roaming\pjassdfnj0p
    2017-06-29 10:39 - 2017-06-29 10:40 - 00000000 ____D C:\Program Files\70M1O7OBD9
    2017-06-29 10:37 - 2017-06-29 10:43 - 00004318 _____ C:\ProgramData\_lg.1sap
    2017-06-29 10:37 - 2017-06-29 10:43 - 00000128 _____ C:\ProgramData\_lg.2sap
    2017-06-25 21:53 - 2017-06-25 21:59 - 00000000 ____D C:\Users\Thollu\Desktop\New folder (2)
    2017-06-25 21:51 - 2017-06-25 21:52 - 00000000 ____D C:\Users\Thollu\Desktop\New folder
    2017-06-23 06:37 - 2017-06-23 06:41 - 00000000 ____D C:\Users\Thollu\Desktop\site pics
    2017-06-23 06:31 - 2017-06-23 06:34 - 136668472 _____ (Apple Inc.) C:\Users\Thollu\Downloads\iCloudSetup.exe
    2017-06-12 14:23 - 2017-06-29 20:07 - 00004168 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{7CC7FA45-8F64-47D3-846F-6DCCA7346F25}
    2017-06-12 14:22 - 2017-06-12 14:22 - 00000000 ____D C:\ProgramData\Oracle
    2017-06-12 14:18 - 2017-06-12 14:18 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
    2017-06-12 14:18 - 2017-06-12 14:18 - 00000000 ____D C:\Users\Thollu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ManageEngine Password Manager Pro
    2017-06-12 14:18 - 2017-06-12 14:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ManageEngine Password Manager Pro
    2017-06-12 14:18 - 2017-06-12 14:18 - 00000000 ____D C:\ManageEngine
    2017-06-12 13:57 - 2017-06-12 14:14 - 156035160 _____ (ZOHO Corp.) C:\Users\Thollu\Downloads\ManageEngine_PMP_64bit.exe
    2017-06-10 02:27 - 2017-06-29 10:50 - 00000000 ___HD C:\Users\Thollu\Desktop\pic
    2017-06-10 00:43 - 2017-06-10 00:43 - 00000654 _____ C:\Users\Public\Desktop\UDC Output Files.lnk
    2017-06-10 00:43 - 2017-06-10 00:43 - 00000000 ___RD C:\Users\Thollu\Documents\UDC Output Files
    2017-06-10 00:43 - 2017-06-10 00:43 - 00000000 ____D C:\Users\Thollu\AppData\Roaming\UDC Profiles
    2017-06-10 00:43 - 2017-06-10 00:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Universal Document Converter
    2017-06-10 00:43 - 2017-06-10 00:43 - 00000000 ____D C:\Program Files (x86)\Universal Document Converter
    2017-06-10 00:43 - 2016-11-05 13:58 - 00042456 _____ (fCoder Group, Inc.) C:\WINDOWS\system32\udcpm.dll
    2017-06-10 00:43 - 2015-02-04 19:00 - 01576448 _____ (Microsoft Corporation) C:\WINDOWS\system32\xpssvcs.dll
    2017-06-10 00:42 - 2017-06-10 00:43 - 24290480 _____ (fCoder SIA ) C:\Users\Thollu\Downloads\udc.exe
    2017-06-10 00:27 - 2017-06-10 00:27 - 01130328 _____ (Google Inc.) C:\Users\Thollu\Downloads\ChromeSetup(1).exe
    2017-06-10 00:14 - 2017-06-10 00:14 - 00064078 _____ C:\Users\Thollu\Downloads\p1.html
    2017-06-09 23:28 - 2017-06-09 23:28 - 01316354 _____ C:\Users\Thollu\Downloads\jv020ssw.zip
    2017-06-08 04:54 - 2017-06-08 04:54 - 00000000 ____D C:\Users\Thollu\Downloads\KPortScan 3.0
    2017-06-08 04:45 - 2017-06-08 11:35 - 05124905 _____ C:\Users\Thollu\Downloads\KPortScan 3.0.zip
    2017-06-08 04:14 - 2017-06-08 04:14 - 00000000 ____D C:\Users\Thollu\Downloads\DUBrute.2.2 with private user and pass list
    2017-06-08 03:58 - 2017-06-08 03:58 - 00002532 _____ C:\Users\Thollu\Downloads\new1.txt
    2017-06-08 02:17 - 2017-06-12 14:56 - 00000000 ____D C:\Users\Thollu\.zenmap
    2017-06-08 02:17 - 2017-06-08 03:33 - 00001032 _____ C:\Users\Thollu\Desktop\Nmap - Zenmap GUI.lnk
    2017-06-08 02:17 - 2017-06-08 02:17 - 00000000 ____D C:\Users\Thollu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Nmap
    2017-06-08 02:15 - 2017-06-08 02:15 - 00000000 ____D C:\Users\Thollu\Downloads\Dubrute + VNC + Nmap ( pass = loveyou )
    2017-06-08 02:13 - 2017-06-08 02:14 - 24475972 _____ C:\Users\Thollu\Downloads\Dubrute + VNC + Nmap ( pass = loveyou ).rar
    2017-06-08 00:54 - 2017-06-08 00:54 - 00000000 _____ C:\Users\Thollu\Downloads\vnc1.txt
    2017-06-08 00:44 - 2017-06-08 00:44 - 00000000 ____D C:\Program Files\WinPcap
    2017-06-08 00:42 - 2017-06-08 02:17 - 00000000 ____D C:\Program Files (x86)\Nmap
    2017-06-08 00:15 - 2017-06-13 21:18 - 00002240 ____H C:\Users\Thollu\Documents\Default.rdp
    2017-06-07 21:37 - 2017-06-07 22:02 - 00000000 ____D C:\Users\Thollu\AppData\Roaming\Apple Computer
    2017-06-07 21:37 - 2017-06-07 21:37 - 00000000 ____D C:\Users\Thollu\AppData\Local\Apple Computer
    2017-06-07 21:36 - 2017-06-07 21:36 - 00001822 _____ C:\Users\Public\Desktop\iTunes.lnk
    2017-06-07 21:36 - 2017-06-07 21:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
    2017-06-07 21:33 - 2017-06-07 21:36 - 00000000 ____D C:\Program Files\iTunes
    2017-06-07 21:33 - 2017-06-07 21:33 - 00000000 ____D C:\ProgramData\Apple Computer
    2017-06-07 21:33 - 2017-06-07 21:33 - 00000000 ____D C:\Program Files\iPod
    2017-06-07 21:30 - 2017-06-07 21:30 - 00002535 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
    2017-06-07 21:30 - 2017-06-07 21:30 - 00000000 ____D C:\WINDOWS\System32\Tasks\Apple
    2017-06-07 21:30 - 2017-06-07 21:30 - 00000000 ____D C:\Users\Thollu\AppData\Local\Apple
    2017-06-07 21:30 - 2017-06-07 21:30 - 00000000 ____D C:\Program Files\Bonjour
    2017-06-07 21:30 - 2017-06-07 21:30 - 00000000 ____D C:\Program Files (x86)\Bonjour
    2017-06-07 21:30 - 2017-06-07 21:30 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
    2017-06-07 21:29 - 2017-06-07 21:30 - 00000000 ____D C:\Program Files\Common Files\Apple
    2017-06-07 21:28 - 2017-06-07 21:30 - 00000000 ____D C:\ProgramData\Apple
    2017-06-07 20:59 - 2017-06-07 21:25 - 259195720 _____ (Apple Inc.) C:\Users\Thollu\Downloads\iTunes64Setup.exe
    2017-06-07 00:12 - 2017-06-07 00:38 - 229151198 _____ C:\Users\Thollu\Downloads\Journey-to-the-West_-The-Demons-Strike-Back--2017----HDRip----mycoolmoviez.net.mp4
    2017-06-05 02:28 - 2017-06-05 02:43 - 188165558 _____ C:\Users\Thollu\Downloads\Drone--2017----HDRip----mycoolmoviez.net.mp4
    2017-06-02 20:48 - 2017-06-02 20:49 - 00003129 _____ C:\Users\Thollu\Downloads\Quickteller -GoTV
    2017-06-01 20:05 - 2017-06-13 19:19 - 00000000 ____D C:\Program Files (x86)\BlueStacks
    2017-06-01 20:05 - 2017-06-08 01:13 - 00000000 ____D C:\ProgramData\BlueStacks
    2017-06-01 19:18 - 2017-06-01 20:05 - 339047640 _____ (BlueStack Systems Inc.) C:\Users\Thollu\Downloads\BlueStacks2_native.exe
    2017-05-30 18:18 - 2017-06-03 09:20 - 00004562 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
    2017-05-30 18:18 - 2017-05-30 18:18 - 00000000 ____D C:\Users\Thollu\AppData\LocalLow\Adobe
    2017-05-30 18:18 - 2017-05-30 18:18 - 00000000 ____D C:\Users\Thollu\AppData\Local\CEF
    2017-05-30 18:17 - 2017-05-30 18:20 - 00000000 ____D C:\ProgramData\Adobe
    2017-05-30 18:17 - 2017-05-30 18:17 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
    2017-05-30 18:17 - 2017-05-30 18:17 - 00002124 _____ C:\Users\Public\Desktop\Acrobat Reader DC.lnk
    2017-05-30 18:17 - 2017-05-30 18:17 - 00000000 ____D C:\Program Files (x86)\Adobe
    2017-05-30 18:14 - 2017-05-30 18:14 - 00000000 ____D C:\Users\Public\Thunder Network
    2017-05-30 18:14 - 2017-05-30 18:14 - 00000000 ____D C:\ProgramData\Thunder Network
    2017-05-30 17:46 - 2017-06-13 19:19 - 00000000 ____D C:\Program Files\TrueKey
    2017-05-30 17:41 - 2017-05-30 18:18 - 00000000 ____D C:\Users\Thollu\AppData\Local\Adobe
    2017-05-30 17:32 - 2017-05-30 17:33 - 01677255 _____ C:\Users\Thollu\Downloads\CE_TUMAsia_UndergraduateProgrammes_AY1416.pdf
    
    ==================== One Month Modified files and folders ========
    
    (If an entry is included in the fixlist, the file/folder will be moved.)
    
    2017-06-29 15:53 - 2017-04-03 04:50 - 00000000 ____D C:\WINDOWS\AppReadiness
    2017-06-29 15:37 - 2017-04-02 11:02 - 00000000 ____D C:\Users\Thollu\AppData\LocalLow\Mozilla
    2017-06-29 15:36 - 2017-05-21 23:22 - 00000000 ____D C:\Users\Thollu\Documents\Tencent Files
    2017-06-29 12:28 - 2017-04-03 04:50 - 00000000 ___HD C:\Program Files\WindowsApps
    2017-06-29 10:41 - 2017-04-03 05:18 - 00000000 ____D C:\Users\Thollu
    2017-06-29 10:41 - 2017-04-03 05:11 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
    2017-06-29 10:41 - 2017-04-03 05:07 - 00009900 _____ C:\WINDOWS\system32\CVFirmwareUpgradeLog.txt
    2017-06-29 10:41 - 2017-04-03 04:39 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
    2017-06-29 10:33 - 2017-04-02 10:53 - 00002272 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
    2017-06-29 10:33 - 2017-04-02 10:53 - 00002260 _____ C:\Users\Public\Desktop\Google Chrome.lnk
    2017-06-28 09:13 - 2017-05-27 18:53 - 00001023 _____ C:\Users\Thollu\Desktop\VirtualDJ 8.lnk
    2017-06-27 23:37 - 2017-04-02 11:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2017-06-27 23:37 - 2017-04-02 11:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2017-06-25 22:57 - 2017-05-27 18:53 - 00000000 ____D C:\Users\Thollu\Documents\VirtualDJ
    2017-06-24 23:22 - 2017-04-03 04:49 - 00000000 ____D C:\WINDOWS\INF
    2017-06-23 06:43 - 2017-04-03 05:22 - 00879220 _____ C:\WINDOWS\system32\PerfStringBackup.INI
    2017-06-22 22:09 - 2017-04-03 04:43 - 00000000 ____D C:\WINDOWS\CbsTemp
    2017-06-22 16:13 - 2017-04-02 01:14 - 00000000 ____D C:\WINDOWS\system32\MRT
    2017-06-22 16:11 - 2017-04-02 01:14 - 133627792 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
    2017-06-20 17:47 - 2017-04-24 01:25 - 00003292 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
    2017-06-20 17:47 - 2017-04-03 05:21 - 00002366 _____ C:\Users\Thollu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
    2017-06-20 17:47 - 2017-04-03 05:21 - 00000000 ___RD C:\Users\Thollu\OneDrive
    2017-06-14 22:48 - 2017-04-03 04:50 - 00000000 ____D C:\WINDOWS\system32\NDF
    2017-06-12 14:50 - 2017-04-03 07:46 - 00000000 ____D C:\Users\Thollu\.android
    2017-06-08 01:12 - 2017-04-03 04:50 - 00000000 __RHD C:\Users\Public\Libraries
    2017-06-08 01:10 - 2017-05-19 08:27 - 00000000 ____D C:\Users\Thollu\AppData\Local\Bluestacks
    2017-06-06 21:30 - 2017-04-02 11:02 - 00000000 ____D C:\Users\Thollu\AppData\Roaming\vlc
    2017-06-04 21:14 - 2017-05-27 18:53 - 00000000 ____D C:\Program Files (x86)\VirtualDJ
    2017-06-03 04:07 - 2017-04-03 04:52 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
    2017-06-03 04:07 - 2017-04-03 04:52 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
    2017-06-01 20:10 - 2017-04-03 07:42 - 00000000 ____D C:\ProgramData\BlueStacksSetup
    2017-05-31 09:03 - 2017-04-03 04:57 - 00000000 ___DC C:\WINDOWS\Panther
    2017-05-30 21:45 - 2017-04-02 01:18 - 00565416 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
    2017-05-30 18:18 - 2017-04-03 05:18 - 00000000 ____D C:\Users\Thollu\AppData\Roaming\Adobe
    
    ==================== Files in the root of some directories =======
    
    2017-06-29 10:37 - 2017-06-29 10:43 - 0004318 _____ () C:\ProgramData\_lg.1sap
    2017-06-29 10:37 - 2017-06-29 10:43 - 0000128 _____ () C:\ProgramData\_lg.2sap
    2017-06-29 10:44 - 2017-06-29 10:44 - 0000004 _____ () C:\ProgramData\_lg.3sap
    
    Some files in TEMP:
    ====================
    2017-06-08 01:10 - 2017-05-24 07:56 - 0785464 _____ (BlueStack Systems, Inc.) C:\Users\Thollu\AppData\Local\Temp\HD-Common.dll
    2017-06-08 01:10 - 2017-05-24 07:57 - 0464952 _____ (BlueStack Systems, Inc.) C:\Users\Thollu\AppData\Local\Temp\HD-InstallerUtils.dll
    2017-06-08 01:10 - 2017-05-24 07:54 - 0187416 _____ (BlueStack Systems) C:\Users\Thollu\AppData\Local\Temp\HD-LibraryHandler.dll
    2017-05-19 08:27 - 2017-05-24 07:53 - 0246808 _____ (BlueStack Systems) C:\Users\Thollu\AppData\Local\Temp\HD-Logger-Native.dll
    2017-05-19 08:27 - 2016-01-07 08:52 - 0128536 _____ (BlueStack Systems) C:\Users\Thollu\AppData\Local\Temp\HD-ShortcutHandler.dll
    2017-06-08 01:10 - 2017-05-24 07:56 - 0385080 _____ (BlueStack Systems, Inc.) C:\Users\Thollu\AppData\Local\Temp\HD-Uninstaller.exe
    2017-04-02 11:35 - 2017-04-02 11:35 - 0469256 _____ (Microsoft Corporation) C:\Users\Thollu\AppData\Local\Temp\InstallManager_GEN_GEN.exe
    2017-06-29 10:36 - 2017-06-29 10:36 - 0382144 _____ () C:\Users\Thollu\AppData\Local\Temp\msclean.exe
    2017-05-24 02:42 - 2017-05-24 02:42 - 0031096 _____ (Tencent) C:\Users\Thollu\AppData\Local\Temp\qqsafeud.exe
    2017-05-19 08:27 - 2016-01-07 04:26 - 0495128 _____ (BlueStack Systems, Inc.) C:\Users\Thollu\AppData\Local\Temp\uninstall.exe
    2017-06-04 21:13 - 2017-06-04 21:13 - 0084216 _____ () C:\Users\Thollu\AppData\Local\Temp\VirtualDJ New Version.exe
    
    ==================== Bamital & volsnap ======================
    
    (There is no automatic fix for files that do not pass verification.)
    
    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\wininit.exe => File is digitally signed
    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
    
    LastRegBack: 2017-06-24 18:43
    
    ==================== End of FRST.txt ============================
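The FRST log above shows the two things a removal helper reads first: Run entries whose names look machine-generated (NSYBCV4OS03F6KS launching from a folder called 70M1O7OBD9, and wenc0pexoba launching from AppData\Roaming with an empty company-name field), and proxy settings that send browser traffic through 127.0.0.1:54321 and, in the Firefox profile, name a SOCKS host at 209.122.193.17:14203 while network.proxy.type is 0. The script below is an added example for this page, not FRST's code and not something the poster ran; it re-reads the lines quoted above, and the heuristics (digit interleaving, vowel ratio, empty vendor field, the "active" rule for Firefox's proxy type) are my own assumptions, so treat its output as a prompt for manual review rather than a verdict.

```python
"""Triage an FRST.txt for autorun entries with generated-looking names and for proxy
settings that redirect traffic. Added example, not part of FRST; heuristics are mine."""
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the FRST.txt posted above.
SAMPLE_FRST = r"""
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [303928 2017-05-09] (Apple Inc.)
HKLM-x32\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe
HKU\S-1-5-21-694308185-4116531498-1042364220-1001\...\Run: [Tuxler] => C:\Program Files (x86)\Tuxler Proxy\TuxlerProxy.exe [2093056 2017-04-11] (tuxler.com)
HKU\S-1-5-21-694308185-4116531498-1042364220-1001\...\Run: [NSYBCV4OS03F6KS] => C:\Program Files\70M1O7OBD9\KPTGW7UCC.exe [1040384 2017-06-29] (1BZQ)
HKU\S-1-5-21-694308185-4116531498-1042364220-1001\...\Run: [wenc0pexoba] => C:\Users\Thollu\AppData\Roaming\pjassdfnj0p\izpqsndqqpl.exe [8192 2017-06-29] ()
ProxyEnable: [S-1-5-21-694308185-4116531498-1042364220-1001] => Proxy is enabled.
ProxyServer: [S-1-5-21-694308185-4116531498-1042364220-1001] => http=127.0.0.1:54321;https=127.0.0.1:54321;socks=127.0.0.1:12345
FF NetworkProxy: Mozilla\Firefox\Profiles\bb82mb5q.default -> socks", "209.122.193.17"
FF NetworkProxy: Mozilla\Firefox\Profiles\bb82mb5q.default -> socks_port", 14203
FF NetworkProxy: Mozilla\Firefox\Profiles\bb82mb5q.default -> type", 0
"""

RUN_RE = re.compile(
    r"^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<path>.+?\.exe)"
    r"(?: \[(?P<size>\d+) (?P<date>\S+)\])?(?: \((?P<vendor>[^)]*)\))?\s*$")
ENABLE_RE = re.compile(r"^ProxyEnable: \[(?P<sid>[^\]]+)\] => Proxy is enabled\.")
PROXY_RE = re.compile(r"^ProxyServer: \[(?P<sid>[^\]]+)\] => (?P<spec>.+)$")
FF_RE = re.compile(r'^FF NetworkProxy: (?P<profile>\S+) -> (?P<key>\w+)", ?"?(?P<val>[^"]+)"?$')
VOWELS = set("aeiou")

def looks_generated(token):
    """Chosen names ('iTunesHelper', 'QQ2009') have vowels and keep digits at the ends;
    dropper output ('pjassdfnj0p', 'NSYBCV4OS03F6KS') interleaves digits or lacks vowels."""
    t = re.sub(r"[^A-Za-z0-9]", "", token)
    if len(t) < 8:                       # too short to judge
        return False
    interleaved = any(c.isdigit() for c in t.strip("0123456789"))
    letters = [c for c in t.lower() if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return interleaved or vowel_ratio < 0.2

def triage_autoruns(text):
    """Run entries worth a second look, each with the reasons it was picked."""
    findings = []
    for m in filter(None, map(RUN_RE.match, (ln.strip() for ln in text.splitlines()))):
        parts = m["path"].split("\\")
        parent, stem = parts[-2], parts[-1].rsplit(".", 1)[0]
        reasons = [f"generated-looking {label} '{tok}'"
                   for label, tok in (("value name", m["name"]), ("folder", parent), ("file name", stem))
                   if looks_generated(tok)]
        if m["vendor"] == "":            # FRST prints () when the PE carries no company name
            reasons.append("no company name in version info")
        if "\\appdata\\" in m["path"].lower():
            reasons.append("runs from the user profile")
        if reasons:
            findings.append({"name": m["name"], "path": m["path"], "reasons": reasons})
    return findings

def classify(scope, host, port, active):
    """Label a proxy endpoint by where it points and whether the setting is live."""
    try:
        addr = ip_address(host)
        loopback, external = addr.is_loopback, addr.is_global
    except ValueError:                   # hostname rather than an IP literal
        loopback, external = host.lower() == "localhost", True
    if loopback:
        note = f"local interception proxy: identify the process listening on port {port}"
    elif external:
        note = "traffic routed to an external host: confirm the user deliberately set it"
    else:
        note = "private-network proxy: confirm it is the expected corporate/ISP proxy"
    return {"scope": scope, "host": host, "port": port, "active": active, "note": note}

def triage_proxies(text):
    """Every proxy endpoint in the log. Live means ProxyEnable is set (WinINet) or
    network.proxy.type is 1, manual proxy (Firefox); type 0 leaves the host configured but unused."""
    enabled, wininet, firefox = set(), {}, {}
    for line in (ln.strip() for ln in text.splitlines()):
        if m := ENABLE_RE.match(line):
            enabled.add(m["sid"])
        elif m := PROXY_RE.match(line):
            wininet[m["sid"]] = m["spec"]
        elif m := FF_RE.match(line):
            firefox.setdefault(m["profile"], {})[m["key"]] = m["val"]
    findings = []
    for sid, spec in wininet.items():
        for item in spec.split(";"):     # assumes the "scheme=host:port;..." form seen above
            scheme, _, hostport = item.partition("=")
            host, _, port = hostport.rpartition(":")
            findings.append(classify(f"WinINet {scheme}", host, int(port), sid in enabled))
    for prefs in firefox.values():
        for key in ("http", "ssl", "socks"):
            if key in prefs and f"{key}_port" in prefs:
                findings.append(classify(f"Firefox {key}", prefs[key],
                                         int(prefs[f"{key}_port"]), prefs.get("type") == "1"))
    return findings
```

Run `triage_autoruns(open("FRST.txt").read())` and `triage_proxies(...)` against a real log to get the same two lists; the vowel-ratio rule will occasionally flag a legitimate consonant-heavy vendor name, which is why each finding carries its reasons rather than a score.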
     
  2. TwinHeadedEagle

    TwinHeadedEagle Removal Expert
    Staff Member

    Mar 8, 2013
    21,195
    2,608
    Malware Removal, Gaming
    Windows 7
    ESET
    Hello,


    Please attach both reports, not copy, but upload as a file.
     
  3. Micheal salami

    I had to copy and paste because it seems the files are not uploading. I have tried many times, but I do not know why it is not working.
     
  4. TwinHeadedEagle

  5. Micheal salami

  6. TwinHeadedEagle

    Fix with AdwCleaner

    Please download AdwCleaner by Xplode and save the file to your Desktop.
    • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
    • Accept the Terms of use.
    • Wait until the database is updated.
    • Click Scan.
    • When finished, please click Clean.
    • Your PC should reboot now.
    • After the reboot, the logfile will be opened. Copy its content into your next reply.

    Note: Reports will be saved in your system partition, usually at C:\Adwcleaner
     
  7. Micheal salami

    # AdwCleaner v6.047 - Logfile created 02/07/2017 at 18:40:27
    # Updated on 19/05/2017 by Malwarebytes
    # Database : 2017-06-29.3 [Server]
    # Operating System : Windows 10 Pro (X64)
    # Username : Thollu - DESKTOP-HV4MIBU
    # Running from : C:\Users\Thollu\Downloads\AdwCleaner.exe
    # Mode: Clean
    # Support : Customer Support & Help Center



    ***** [ Services ] *****



    ***** [ Folders ] *****

    [-] Folder deleted: C:\Users\Thollu\AppData\Roaming\Tencent
    [-] Folder deleted: C:\ProgramData\IObit\ASCDownloader
    [#] Folder deleted on reboot: C:\ProgramData\Application Data\IObit\ASCDownloader
    [-] Folder deleted: C:\Users\Public\Documents\Tencent
    [-] Folder deleted: C:\Program Files (x86)\Tencent
    [-] Folder deleted: C:\Program Files (x86)\Common Files\Tencent
    [-] Folder deleted: C:\Users\Thollu\AppData\Local\Temp\Tencent
    [-] Folder deleted: C:\Users\Thollu\AppData\Roaming\Mozilla\Firefox\Profiles\bb82mb5q.default\extensions\amcontextmenu@loucypher


    ***** [ Files ] *****



    ***** [ DLL ] *****



    ***** [ WMI ] *****



    ***** [ Shortcuts ] *****



    ***** [ Scheduled Tasks ] *****



    ***** [ Registry ] *****

    [-] Key deleted: HKU\S-1-5-21-694308185-4116531498-1042364220-1001\Software\Classes\Tencent
    [#] Key deleted on reboot: HKCU\Software\Classes\Tencent
    [-] Key deleted: HKLM\SOFTWARE\Classes\metnsd
    [-] Key deleted: HKLM\SOFTWARE\Classes\Tencent
    [#] Key deleted on reboot: [x64] HKCU\Software\Classes\Tencent
    [#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\metnsd
    [#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Tencent
    [-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}
    [-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}
    [-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchy
    [-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{24F5E422-6A70-4FAA-8CAD-E23D5DC1DAE6}
    [-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DD0688A5-FC8B-4E93-A485-CBF606A56D49}
    [-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
    [-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\fromdoctopdf.dl.tb.ask.com
    [-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\gamingwonderland.dl.tb.ask.com
    [-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\howtosimplified.dl.tb.ask.com
    [-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\staticimgfarm.com
    [-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ttdetect.staticimgfarm.com
    [-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\videodownloadconverter.dl.tb.ask.com
    [#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
    [#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\fromdoctopdf.dl.tb.ask.com
    [#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\gamingwonderland.dl.tb.ask.com
    [#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\howtosimplified.dl.tb.ask.com
    [#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\staticimgfarm.com
    [#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ttdetect.staticimgfarm.com
    [#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\videodownloadconverter.dl.tb.ask.com
    [-] Value deleted: HKU\S-1-5-21-694308185-4116531498-1042364220-1001\Software\Microsoft\Windows\CurrentVersion\Run [QQ2009]
    [#] Value deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\Run [QQ2009]
    [#] Value deleted on reboot: [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Run [QQ2009]
    [-] Key deleted: HKLM\SOFTWARE\Classes\AppID\DownloadProxy.EXE
    [-] Key deleted: HKLM\SOFTWARE\MozillaPlugins\@qq.com/TXSSO
    [-] Key deleted: HKLM\SOFTWARE\MozillaPlugins\@qq.com/npqscall
    [-] Key deleted: HKLM\SOFTWARE\MozillaPlugins\@qq.com/npchrome


    ***** [ Web browsers ] *****



    *************************

    :: "Tracing" keys deleted
    :: Winsock settings cleared

    *************************

    C:\AdwCleaner\AdwCleaner[C0].txt - [4398 Bytes] - [02/07/2017 18:40:27]
    C:\AdwCleaner\AdwCleaner[S0].txt - [4434 Bytes] - [02/07/2017 18:38:29]

    ########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [4544 Bytes] ##########
     
  8. TwinHeadedEagle

    TwinHeadedEagle Removal Expert
    Staff Member

    Mar 8, 2013
    21,195
    2,608
    Malware Removal, Gaming
    Windows 7
    ESET
    Scan with Farbar Recovery Scan Tool

    Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
    • Right-click on the FRST icon and select Run as Administrator to start the tool.
      (XP users click run after receipt of Windows Security Warning - Open File).
    • Make sure that Addition.txt option is checked.

    • Press Scan button and wait.
    • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
    Please attach report into your next reply.
     
  9. Micheal salami

    Micheal salami Level 1

    Jul 2, 2017
    6
    3
    Lagos State, Nigeria
    Windows 10
    Microsoft
    FRST.txt

    Addition.txt

    That is the new scan you requested. Just so you know, I still get the pop-ups from Internet Explorer to different websites.
     
  10. TwinHeadedEagle

    TwinHeadedEagle Removal Expert
    Staff Member

    Fix with Farbar Recovery Scan Tool

    This fix was created for this user for use on that particular machine.
    Running it on another one may cause damage and render the system unstable.

    Download attached fixlist.txt file and save it to the Desktop:

    Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

    • Right-click on the FRST icon and select Run as Administrator to start the tool.
      (XP users click run after receipt of Windows Security Warning - Open File).
    • Press the Fix button just once and wait.
    • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    • When finished, FRST will generate a log on the Desktop called Fixlog.txt.

    Please attach it to your reply.
     

    Attached Files:

  11. Micheal salami

    Micheal salami Level 1

  12. TwinHeadedEagle

    TwinHeadedEagle Removal Expert
    Staff Member

    How is the situation now?
     