Kevin Zoll

Emsisoft Employee
  • Content Count

    18835
  • Joined

  • Last visited

  • Days Won

    178

Everything posted by Kevin Zoll

  1. Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in. Start:: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION HKU\S-1-5-21-1095538760-4157375823-701317930-1001\...\Policies\Explorer: [NoChangeStartMenu] 0 HKU\S-1-5-21-1095538760-4157375823-701317930-1001\...\Policies\Explorer: [NoStartMenuMFUprogramsList] 0 HKU\S-1-5-21-1095538760-4157375823-701317930-1001\...\Policies\Explorer: [NoRecentDocsMenu] 0 HKU\S-1-5-21-1095538760-4157375823-701317930-1001\...\Policies\Explorer: [NoFind] 0 HKU\S-1-5-21-1095538760-4157375823-701317930-1001\...\Policies\Explorer: [StartMenuRun] 1 HKU\S-1-5-21-1095538760-4157375823-701317930-1001\...\Policies\Explorer: [hideClock] 0 Task: {3FFA711B-7613-477A-B657-617FFF7F9BF2} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\AVAST Software\Overseer\overseer.exe [1873288 2019-09-22] (AVAST Software s.r.o. -> AVAST Software) Task: {AE6FBD30-B45F-44E6-96B0-D8B035EFB65E} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = SearchScopes: HKU\S-1-5-21-1095538760-4157375823-701317930-1001 -> {2A23ab71-4ac6-41f2-a955-ea576e553146} URL = SearchScopes: HKU\S-1-5-21-1095538760-4157375823-701317930-1001 -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = SearchScopes: HKU\S-1-5-21-1095538760-4157375823-701317930-1001 -> {C0C3A6C6-03BC-4195-8FCB-AEA091301353} URL = S2 SegurazoIC; C:\Program Files (x86)\Segurazo\SegurazoIC.exe [4473448 2019-08-29] () [File not signed] <==== ATTENTION R2 SegurazoSvc; C:\Program Files (x86)\Segurazo\SegurazoService.exe [250984 2019-08-29] (Digital Communications Inc. -> Digital Communications Inc) <==== ATTENTION R2 WCAssistantService; C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe [28760 2019-09-06] (LAVASOFT SOFTWARE CANADA INC -> ) 2019-09-06 15:55 - 2019-09-24 22:13 - 000000000 ____D C:\Program Files (x86)\Segurazo 2019-09-06 15:55 - 2019-09-06 15:56 - 000000000 ____D C:\Users\User\AppData\Local\{C608F054-E2A0-9CEC-8F38-B904AB50459C} 2019-09-06 15:55 - 2019-09-06 15:56 - 000000000 ____D C:\ProgramData\dzfxc 2019-09-06 15:55 - 2019-09-06 15:55 - 000001358 _____ C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HowToRemove.lnk 2019-09-06 15:55 - 2019-09-06 15:55 - 000001117 _____ C:\Users\User\Desktop\Multi-Drive.lnk 2019-09-06 15:55 - 2019-09-06 15:55 - 000000000 ____D C:\Users\User\AppData\Roaming\segurazoclient 2019-09-06 15:55 - 2019-09-06 15:55 - 000000000 ____D C:\ProgramData\Segurazo 2019-09-06 15:55 - 2019-09-06 15:55 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Segurazo ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File AlternateDataStreams: C:\Users\Public\AppData:CSM [474] AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [468] End::
  2. Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in. Start:: HKU\S-1-5-21-3615462294-2877540407-2494349180-1000\...\Policies\Explorer: [] HKLM\Software\...\AppCompatFlags\Custom\chrome.exe: [{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb] -> HKLM\Software\...\AppCompatFlags\Custom\explorer.zza: [{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb] -> HKLM\Software\...\AppCompatFlags\Custom\iexplore.exe: [{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb] -> HKLM\Software\...\Authentication\Credential Providers: [{503739d0-4c5e-4cfd-b3ba-d881334f0df2}] -> GroupPolicy: Restriction ? <==== ATTENTION FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION CHR HKU\S-1-5-21-3615462294-2877540407-2494349180-1000\SOFTWARE\Policies\Google: Restriction <==== ATTENTION Task: {0590680B-7BC2-4685-8A1B-86722DE787EB} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION Task: {0C7AC884-8E72-43B6-8AF2-12C959BA6174} - System32\Tasks\Microsoft\Windows\SideShow\AutoWake => {E51DFD48-AA36-4B45-BB52-E831F02E8316} Task: {0ED1F4C2-82F7-4661-91DF-D29E9F9DE133} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION Task: {1696F9DC-F213-4601-BF66-0E3409A15471} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION Task: {178AC129-E863-4801-A8E2-886E6FE8EECF} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION Task: {30015613-8ECD-4B1B-8A99-0C33046A9C06} - System32\Tasks\Microsoft\Windows\SideShow\GadgetManager => {FF87090D-4A9A-4F47-879B-29A80C355D61} Task: {41E4C846-C0AC-48D9-88DC-5BD6D61744AC} - System32\Tasks\{88FD7D18-8FFE-498E-B892-FB3C5F00CFE7} => C:\Windows\system32\pcalua.exe -a C:\Users\User\Downloads\chromeinstall-8u45.exe -d C:\Users\User\Downloads Task: {427D630B-4E86-475D-98A7-496359AAAD36} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION Task: {486D715E-6AA2-44CF-BC48-B6990CBB53C6} - System32\Tasks\Microsoft\Windows\Shell\WindowsParentalControlsMigration => {343D770D-7788-47C2-B62A-B7C4CED925CB} Task: {5B42DD9C-5A26-4F27-BB95-34603F0997E5} - System32\Tasks\Microsoft\Windows\Shell\WindowsParentalControls => {DFA14C43-F385-4170-99CC-1B7765FA0E4A} Task: {62F2C4EA-7BAE-4890-8FEC-AB5FEECA9101} - System32\Tasks\Microsoft\Windows\SideShow\SessionAgent => {45F26E9E-6199-477F-85DA-AF1EDFE067B1} Task: {655F87E0-97F8-4DD5-B62A-0ED386F00058} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION Task: {6831C10D-B5AB-4D70-B866-68DB9259E8B1} - System32\Tasks\{700E24ED-628E-45AF-9AD4-F3D145A630D4} => C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\Steam\SteamApps\common\Call of Duty 4\pbsetup.exe" -d "C:\Program Files (x86)\Steam\SteamApps\common\Call of Duty 4" Task: {82C7ABAA-C83E-4898-881E-7F2C23C194A0} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION Task: {9AB79D83-08C6-4FB1-A448-D57D75EBD60F} - System32\Tasks\Microsoft\Windows\MobilePC\HotStart => {06DA0625-9701-43DA-BFD7-FBEEA2180A1E} Task: {AAC2CF52-65BF-4FD9-B39E-08011CEA28BC} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION Task: {B0CBAB43-44FC-469B-A4CE-87426761FDCE} - System32\Tasks\Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor => {EA9155A3-8A39-40B4-8963-D3C761B18371} Task: {B343C0EA-44D7-4C59-985F-772F8FF7DFD0} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION Task: {C039993C-0E13-4018-9267-3841570C04A2} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION Task: {C1E4A1DA-54B3-442C-852C-447E21F9894F} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION Task: {C23D395E-104A-4DA0-B30B-FAC662D4143C} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\AVAST Software\Overseer\overseer.exe [1873288 2019-09-19] (AVAST Software s.r.o. -> AVAST Software) Task: {C8EEDA29-3575-4D61-8744-8F86DAC9374C} - System32\Tasks\qmxggvjmvfczw => msiexec.exe /quiet /i "C:\Users\User\AppData\Roaming\jwonaylbydqr\wircouaracpcyie.msi" WEBID=STAGE2_PM_P1 TKNME=qmxggvjmvfczw Task: {E628051F-3B5B-4606-9430-5DC75892BADE} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION Task: {E8EECCC8-007D-480B-93A3-A8A51DE4C27A} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION Task: {EB24E5B4-3DB4-4D3F-8E34-5B26FBD78AAF} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION Task: {F9D52545-D922-4826-83EB-9D37D817E3F6} - System32\Tasks\metwsvdadkuuras => msiexec.exe /quiet /i "C:\Users\User\AppData\Roaming\jwonaylbydqr\wircouaracpcyie.msi" WEBID=STAGE2_PM_P1 TKNME=metwsvdadkuuras Task: {F9E66F42-44D7-4940-88C4-AB9F0931A272} - System32\Tasks\Format Factory => C:\Users\User\AppData\Local\Temp\is-NRGA7.tmp\prsetup.exe <==== ATTENTION 2019-09-19 08:53 - 2019-09-19 08:53 - 000004036 _____ C:\WINDOWS\System32\Tasks\qmxggvjmvfczw 2019-09-19 08:53 - 2019-09-19 08:53 - 000003336 _____ C:\WINDOWS\System32\Tasks\metwsvdadkuuras 2019-08-29 17:30 - 2019-08-29 17:31 - 000002424 _____ C:\WINDOWS\System32\Tasks\{AEB0B1A2-83B5-40DE-A0DB-CEAED321E4AC} 2019-08-29 17:30 - 2019-08-29 17:31 - 000002424 _____ C:\WINDOWS\System32\Tasks\{700E24ED-628E-45AF-9AD4-F3D145A630D4} 2019-08-29 17:30 - 2019-08-29 17:31 - 000002274 _____ C:\WINDOWS\System32\Tasks\{F671ACEE-123F-402D-9569-6FA78514D210} 2019-08-29 17:30 - 2019-08-29 17:30 - 000002290 _____ C:\WINDOWS\System32\Tasks\{88FD7D18-8FFE-498E-B892-FB3C5F00CFE7} 2019-08-29 17:30 - 2019-08-29 17:30 - 000000000 ____D C:\WINDOWS\System32\Tasks\Avast Software 2019-08-29 17:30 - 2019-08-29 17:30 - 000000000 ____D C:\WINDOWS\System32\Tasks\{05393A74-2FD4-D7CB-9F69-4E99F3F244C5} 2019-08-30 03:58 - 2016-10-21 01:03 - 000000000 ____D C:\WINDOWS\system32\3b2af1a12ea79bc2e1bf91..bin 2019-08-30 03:58 - 2016-10-15 17:41 - 000000000 ____D C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿq 2019-08-30 03:58 - 2016-10-15 17:41 - 000000000 ____D C:\WINDOWS\system32\47735563807a935c5e6eed..bin 2019-08-30 03:58 - 2016-10-03 01:11 - 000000000 ____D C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿ8 2019-09-19 08:56 - 2019-09-21 01:22 - 000000004 _____ () C:\ProgramData\lock.dat 2019-09-19 08:56 - 2019-09-19 08:56 - 000000008 _____ () C:\ProgramData\ts.dat C:\Users\User\AppData\Roaming\jwonaylbydqr\wircouaracpcyie.msi C:\Users\User\AppData\Roaming\jwonaylbydqr ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} => -> No File End::
  3. Hello Ahmad, I need the scan reports from FRST. If you need the instructions, see below. Download to your Desktop: Farbar Recovery Scan Tool NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive. Run Farbar Recovery Scan Tool (FRST): Double-click to run it. When the tool opens click Yes to the disclaimer. NOTE: DO NOT change any of the default settings. If you do we will just close your logs and ask for new ones ran with FRST's default settings. Press the Scan button. Farbar Recovery Scan Tool will produce the following logs: FRST.txt Addition.txt Attach those logs to your reply.
  4. Let's take a fresh look. Run a fresh scan with FRST, attach the new FRST scan reports to your reply.
  5. The previous fix did not work. Let's try a different tool. Download AdwCleaner and save it on your Desktop. Close all open programs and Internet browsers (you may want to print out or write down these instructions first). Double click on adwcleaner.exe to run the tool. Click on the Scan button. After the scan has finished, click on the Clean button. Confirm each time with OK. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your Desktop. Attach that log file to your reply. NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.
  6. Run a fresh scan with FRST. Attach the new FRST reports to your reply. I will check back tomorrow and look at the scan reports.
  7. Copy the below code to Notepad; Save As fixlist.txt to your Desktop. HKLM\Software\...\AppCompatFlags\Custom\chrome.exe: [{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb] -> HKLM\Software\...\AppCompatFlags\Custom\chrome.exe: [{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb] -> HKLM\Software\...\AppCompatFlags\Custom\explorer.xxx: [{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb] -> HKLM\Software\...\AppCompatFlags\Custom\explorer.zza: [{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb] -> HKLM\Software\...\AppCompatFlags\Custom\firefox.exe: [{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb] -> HKLM\Software\...\AppCompatFlags\Custom\iexplore.exe: [{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb] -> HKLM\Software\...\AppCompatFlags\Custom\iexplore.exe: [{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb] -> HKLM\Software\...\AppCompatFlags\Custom\software_removal_tool.exe: [{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb] -> HKLM\Software\...\AppCompatFlags\Custom\software_reporter_tool.exe: [{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb] -> GroupPolicy: Restriction ? <==== ATTENTION FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION CHR HKU\S-1-5-21-3615462294-2877540407-2494349180-1000\SOFTWARE\Policies\Google: Restriction <==== ATTENTION Task: {0590680B-7BC2-4685-8A1B-86722DE787EB} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION Task: {0C7AC884-8E72-43B6-8AF2-12C959BA6174} - System32\Tasks\Microsoft\Windows\SideShow\AutoWake => {E51DFD48-AA36-4B45-BB52-E831F02E8316} Task: {0ED1F4C2-82F7-4661-91DF-D29E9F9DE133} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION Task: {1696F9DC-F213-4601-BF66-0E3409A15471} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION Task: {178AC129-E863-4801-A8E2-886E6FE8EECF} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION Task: {2705A2A9-8BFE-4377-9320-0ABCA024C5C7} - System32\Tasks\Online Application V2G6 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe [199864 2017-11-02] (MICROLEAVES LTD -> ) <==== ATTENTION Task: {30015613-8ECD-4B1B-8A99-0C33046A9C06} - System32\Tasks\Microsoft\Windows\SideShow\GadgetManager => {FF87090D-4A9A-4F47-879B-29A80C355D61} Task: {41E4C846-C0AC-48D9-88DC-5BD6D61744AC} - System32\Tasks\{88FD7D18-8FFE-498E-B892-FB3C5F00CFE7} => C:\Windows\system32\pcalua.exe -a C:\Users\User\Downloads\chromeinstall-8u45.exe -d C:\Users\User\Downloads Task: {427D630B-4E86-475D-98A7-496359AAAD36} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION Task: {486D715E-6AA2-44CF-BC48-B6990CBB53C6} - System32\Tasks\Microsoft\Windows\Shell\WindowsParentalControlsMigration => {343D770D-7788-47C2-B62A-B7C4CED925CB} Task: {5B42DD9C-5A26-4F27-BB95-34603F0997E5} - System32\Tasks\Microsoft\Windows\Shell\WindowsParentalControls => {DFA14C43-F385-4170-99CC-1B7765FA0E4A} Task: {62F2C4EA-7BAE-4890-8FEC-AB5FEECA9101} - System32\Tasks\Microsoft\Windows\SideShow\SessionAgent => {45F26E9E-6199-477F-85DA-AF1EDFE067B1} Task: {655F87E0-97F8-4DD5-B62A-0ED386F00058} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION Task: {6831C10D-B5AB-4D70-B866-68DB9259E8B1} - System32\Tasks\{700E24ED-628E-45AF-9AD4-F3D145A630D4} => C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\Steam\SteamApps\common\Call of Duty 4\pbsetup.exe" -d "C:\Program Files (x86)\Steam\SteamApps\common\Call of Duty 4" Task: {81985162-81DE-429C-911E-EC973933C56E} - System32\Tasks\Microsoft\Windows\SideShow\SystemDataProviders => {7CCA6768-8373-4D28-8876-83E8B4E3A969} Task: {82C7ABAA-C83E-4898-881E-7F2C23C194A0} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION Task: {8F4F5D57-A813-493A-B4CD-EE936FE9046A} - System32\Tasks\Online Application V2G4 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe [199864 2017-11-02] (MICROLEAVES LTD -> ) <==== ATTENTION Task: {9AA81D01-C256-4964-81F4-150B44E103E1} - System32\Tasks\Online Application V2G3 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe [199864 2017-11-02] (MICROLEAVES LTD -> ) <==== ATTENTION Task: {9AB79D83-08C6-4FB1-A448-D57D75EBD60F} - System32\Tasks\Microsoft\Windows\MobilePC\HotStart => {06DA0625-9701-43DA-BFD7-FBEEA2180A1E} Task: {AAC2CF52-65BF-4FD9-B39E-08011CEA28BC} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION Task: {B0CBAB43-44FC-469B-A4CE-87426761FDCE} - System32\Tasks\Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor => {EA9155A3-8A39-40B4-8963-D3C761B18371} Task: {B343C0EA-44D7-4C59-985F-772F8FF7DFD0} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION Task: {C039993C-0E13-4018-9267-3841570C04A2} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION Task: {C1E4A1DA-54B3-442C-852C-447E21F9894F} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION Task: {C47A76A5-7DCC-4726-8997-6033444F2326} - System32\Tasks\Online Application V2G2 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe [199864 2017-11-02] (MICROLEAVES LTD -> ) <==== ATTENTION Task: {C8EEDA29-3575-4D61-8744-8F86DAC9374C} - System32\Tasks\qmxggvjmvfczw => msiexec.exe /quiet /i "C:\Users\User\AppData\Roaming\jwonaylbydqr\wircouaracpcyie.msi" WEBID=STAGE2_PM_P1 TKNME=qmxggvjmvfczw Task: {E2E0DF33-6EE8-49B8-81D6-89666D676BD6} - System32\Tasks\LaunchPreSignup => C:\Program Files (x86)\OLBPre\OLBPre.exe <==== ATTENTION Task: {E628051F-3B5B-4606-9430-5DC75892BADE} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION Task: {E6546341-5E14-4C0C-869C-C7C1EC4E6591} - System32\Tasks\Updater_Online_Application => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe [908144 2017-11-02] (MICROLEAVES LTD -> Microleaves) <==== ATTENTION Task: {E8EECCC8-007D-480B-93A3-A8A51DE4C27A} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION Task: {EB24E5B4-3DB4-4D3F-8E34-5B26FBD78AAF} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION Task: {F9D52545-D922-4826-83EB-9D37D817E3F6} - System32\Tasks\metwsvdadkuuras => msiexec.exe /quiet /i "C:\Users\User\AppData\Roaming\jwonaylbydqr\wircouaracpcyie.msi" WEBID=STAGE2_PM_P1 TKNME=metwsvdadkuuras Task: {F9E66F42-44D7-4940-88C4-AB9F0931A272} - System32\Tasks\Format Factory => C:\Users\User\AppData\Local\Temp\is-NRGA7.tmp\prsetup.exe <==== ATTENTION Task: {FA81AE38-395F-4D4F-A660-46A4719877A3} - System32\Tasks\Online Application V2G5 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe [199864 2017-11-02] (MICROLEAVES LTD -> ) <==== ATTENTION Task: {FF32AF3E-7DCF-40AF-ABE8-3CCEED1E224B} - System32\Tasks\Online Application V2G1 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe [199864 2017-11-02] (MICROLEAVES LTD -> ) <==== ATTENTION Task: C:\WINDOWS\Tasks\Online Application V2G1.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION Task: C:\WINDOWS\Tasks\Online Application V2G2.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION Task: C:\WINDOWS\Tasks\Online Application V2G3.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION Task: C:\WINDOWS\Tasks\Online Application V2G4.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION Task: C:\WINDOWS\Tasks\Online Application V2G5.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION Task: C:\WINDOWS\Tasks\Online Application V2G6.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION Task: C:\WINDOWS\Tasks\Updater_Online_Application.job => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe <==== ATTENTION SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = S2 WIFIService; C:\ProgramData\WIFIService\WIFIService.exe [X] <==== ATTENTION R1 YSDrv; C:\Program Files (x86)\Bignox\BigNoxVM\RT\YSDrv.sys [270608 2017-12-21] (Beijing Duodian Online Science and Technology Co.,Ltd -> BigNox Corporation) 2019-09-19 08:53 - 2019-09-19 08:53 - 000004036 _____ C:\WINDOWS\System32\Tasks\qmxggvjmvfczw 2019-09-19 08:53 - 2019-09-19 08:53 - 000003336 _____ C:\WINDOWS\System32\Tasks\metwsvdadkuuras 2019-09-19 08:48 - 2019-09-19 08:55 - 000000362 _____ C:\WINDOWS\Tasks\Online Application V2G6.job 2019-09-19 08:48 - 2019-09-19 08:55 - 000000362 _____ C:\WINDOWS\Tasks\Online Application V2G5.job 2019-09-19 08:48 - 2019-09-19 08:55 - 000000362 _____ C:\WINDOWS\Tasks\Online Application V2G4.job 2019-09-19 08:48 - 2019-09-19 08:55 - 000000362 _____ C:\WINDOWS\Tasks\Online Application V2G3.job 2019-09-19 08:48 - 2019-09-19 08:55 - 000000362 _____ C:\WINDOWS\Tasks\Online Application V2G2.job 2019-09-19 08:48 - 2019-09-19 08:55 - 000000362 _____ C:\WINDOWS\Tasks\Online Application V2G1.job 2019-09-19 08:48 - 2019-09-19 08:48 - 000003252 _____ C:\WINDOWS\System32\Tasks\Online Application V2G6 2019-09-19 08:48 - 2019-09-19 08:48 - 000003252 _____ C:\WINDOWS\System32\Tasks\Online Application V2G5 2019-09-19 08:48 - 2019-09-19 08:48 - 000003252 _____ C:\WINDOWS\System32\Tasks\Online Application V2G4 2019-09-19 08:48 - 2019-09-19 08:48 - 000003252 _____ C:\WINDOWS\System32\Tasks\Online Application V2G3 2019-09-19 08:48 - 2019-09-19 08:48 - 000003252 _____ C:\WINDOWS\System32\Tasks\Online Application V2G2 2019-09-19 08:48 - 2019-09-19 08:48 - 000003252 _____ C:\WINDOWS\System32\Tasks\Online Application V2G1 2019-09-19 08:48 - 2019-09-19 08:48 - 000000000 ____D C:\Users\User\AppData\Roaming\Microleaves 2019-09-19 08:48 - 2019-09-19 08:48 - 000000000 ____D C:\Users\User\AppData\Local\AdvinstAnalytics 2019-09-19 08:48 - 2019-09-19 08:48 - 000000000 ____D C:\Program Files (x86)\Microleaves 2019-08-29 17:30 - 2019-08-29 17:31 - 000002424 _____ C:\WINDOWS\System32\Tasks\{AEB0B1A2-83B5-40DE-A0DB-CEAED321E4AC} 2019-08-29 17:30 - 2019-08-29 17:31 - 000002424 _____ C:\WINDOWS\System32\Tasks\{700E24ED-628E-45AF-9AD4-F3D145A630D4} 2019-08-29 17:30 - 2019-08-29 17:31 - 000002274 _____ C:\WINDOWS\System32\Tasks\{F671ACEE-123F-402D-9569-6FA78514D210} 2019-08-29 17:30 - 2019-08-29 17:30 - 000002290 _____ C:\WINDOWS\System32\Tasks\{88FD7D18-8FFE-498E-B892-FB3C5F00CFE7} 2019-08-29 17:30 - 2019-08-29 17:30 - 000000000 ____D C:\WINDOWS\System32\Tasks\Avast Software 2019-08-29 17:30 - 2019-08-29 17:30 - 000000000 ____D C:\WINDOWS\System32\Tasks\{05393A74-2FD4-D7CB-9F69-4E99F3F244C5} 2019-08-30 03:58 - 2016-10-21 01:03 - 000000000 ____D C:\WINDOWS\system32\3b2af1a12ea79bc2e1bf91..bin 2019-08-30 03:58 - 2016-10-15 17:41 - 000000000 ____D C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿq 2019-08-30 03:58 - 2016-10-15 17:41 - 000000000 ____D C:\WINDOWS\system32\47735563807a935c5e6eed..bin 2019-08-30 03:58 - 2016-10-03 01:11 - 000000000 ____D C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿ8 C:\Users\User\AppData\Roaming\jwonaylbydqr\wircouaracpcyie.msi C:\Users\User\AppData\Roaming\jwonaylbydqr C:\Program Files (x86)\OLBPre\OLBPre.exe C:\Program Files (x86)\OLBPre C:\Users\User\AppData\Local\Temp\is-NRGA7.tmp\prsetup.exe C:\Users\User\AppData\Local\Temp\is-NRGA7.tmp HKU\S-1-5-21-3615462294-2877540407-2494349180-1000\...\ChromeHTML: -> <==== ATTENTION ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} => -> No FileClose Notepad. NOTE: It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version please download and run the updated version.
  8. Thread ClosedPM either Kevin, Elise, or Arthur to have this thread reopened.The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system, other than the one they were written for, could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread
  9. Thread ClosedReason: ResolvedPM either Kevin, Elise, or Arthur to have this thread reopened.The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system, other than the one they were written for, could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread
  10. Yes, do the reset first, then install your anti-virus and scan the system.
  11. No AV solution will work during a reset. You will have to install it and run a scan to find out if the system is clean or not.
  12. Everything looks good. Now to remove most of the tools that we have used in fixing your machine: Download Delfix from here and save it to your Desktop. Double-Click on Delfix to run it. Ensure Remove disinfection tools is checked. Also place a checkmark next to: Create registry backup Purge system restore Click the Run button. When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad. Empty the Recycle Bin You can delete and uninstall any programs I had you download, that you do not wish to keep on the system. To Remove EEK simple delete the EEK for in the of your System Drive, normally C:\EEK Run Windows Update and update your Windows Operating System. That should take care of everything. Safe Surfing!
  13. You can download the trial version from https://www.emsisoft.com/en/home/antimalware/
  14. Copy the below code to Notepad; Save As fixlist.txt to your Desktop. Close Notepad. NOTE: It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version please download and run the updated version.
  15. Copy the files you want to keep to an external hard drive or a USB stick. If one of the files contains a virus Emsisoft should detect it when the file is copied to the external drive or USB stick.
  16. I am going to have you run a tool that aggressively targets adware and PUPs. Download AdwCleaner and save it on your Desktop. Close all open programs and Internet browsers (you may want to print out or write down these instructions first). Double click on adwcleaner.exe to run the tool. Click on the Scan button. After the scan has finished, click on the Clean button. Confirm each time with OK. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your Desktop. Attach that log file to your reply. NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.
  17. Yes, backup all your files before doing a reset.
  18. At this point it looks like it may be a permissions issue. Doing a reset may be necessary.
  19. Close all programs and disconnect any USB or external drives before running the tool. Double-click RogueKiller.exe to run the tool again. Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished". Select the following items: [PUP.InnovativeSolutions (Potentiellement Malicieux)] (X86) HKEY_LOCAL_MACHINE\Software\Innovative Solutions -- N/A -> Trouvé(e) [PUP.InnovativeSolutions (Potentiellement Malicieux)] (X64) HKEY_USERS\S-1-5-21-1652379323-4117330753-2859149145-1000\Software\Innovative Solutions -- N/A -> Trouvé(e) [PUP.InnovativeSolutions (Potentiellement Malicieux)] (folder) Innovative Solutions -- C:\Users\Client\AppData\Roaming\Innovative Solutions -> Trouvé(e) [PUP.Popcorn (Potentiellement Malicieux)] (shortcut) Popcorn-Time.lnk -- C:\Users\Client\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Popcorn-Time.lnk => C:\Users\Client\AppData\Local\POPCOR~1\POPCOR~1.EXE -> Trouvé(e) [PUP.Popcorn (Potentiellement Malicieux)] (shortcut) Popcorn-Time.lnk -- C:\Users\Client\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Popcorn-Time\Popcorn-Time.lnk => C:\Users\Client\AppData\Local\POPCOR~1\POPCOR~1.EXE -> Trouvé(e) [PUP.Popcorn (Potentiellement Malicieux)] (shortcut) Uninstall Popcorn-Time.lnk -- C:\Users\Client\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Popcorn-Time\Uninstall Popcorn-Time.lnk => C:\Users\Client\AppData\Local\POPCOR~1\UNINST~1.EXE -> Trouvé(e) [PUP.InnovativeSolutions (Potentiellement Malicieux)] (folder) Innovative solutions -- C:\Users\Client\AppData\Local\Innovative solutions -> Trouvé(e) [PUP.Popcorn (Potentiellement Malicieux)] (folder) Popcorn-Time -- C:\Users\Client\AppData\Local\Popcorn-Time -> Trouvé(e) [PUP.InnovativeSolutions (Potentiellement Malicieux)] (shortcut) Uninstall DriverMax.lnk -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverMax\Uninstall DriverMax.lnk => C:\PROGRA~2\Innovative Solutions\DriverMax\unins000.exe -> Trouvé(e) [PUP.InnovativeSolutions (Potentiellement Malicieux)] (shortcut) DriverMax.lnk -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverMax\DriverMax.lnk => C:\PROGRA~2\Innovative Solutions\DriverMax\DRIVER~1.EXE -> Trouvé(e) [PUP.InnovativeSolutions (Potentiellement Malicieux)] (folder) Innovative Solutions -- C:\Program Files (x86)\Innovative Solutions -> Trouvé(e) Click the Delete button. Attach the RogueKiller report to your next reply. The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex.txt) The highest number of [X], is the most recent Delete log.
  20. Sorry for the late reply. I overlooked this for some reason. Other that the Alternate Data Stream you logs look fine. Still have issues with greyed out areas?
  21. Thread ClosedReason: Lack of ResponsePM either Kevin, Elise, or Arthur to have this thread reopened.The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system, other than the one they were written for, could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread
  22. Let's try a different tool. Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop. Double-click on setup.exe to install RogueKiller. Close all programs and disconnect any USB or external drives before running the tool. Right-click RogueKiller.exe and select Run As Administrator to run the tool. Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.
  23. Everything looks good. How are things running?
  24. Jeff, Do the following: Copy the below code to Notepad; Save As fixlist.txt to your Desktop. Close Notepad. NOTE: It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version please download and run the updated version.
  25. Hi haydan, There could be a conflict between McAFee and Emsisoft. Thou we do are best to be compatible with other security software the same cannot be said of the competition. Software conflicts between security software, especially those with a firewall component, and Emsisoft is the main reason that we suggest that users only install one anti-virus application. I would like to get two reports from a third-party tool we use to help with diagnosing issues with systems.