Closed Infected with Trojan:Win32/Socelars

[AOH]

Since yesterday, my PC has been infected with the virus mentioned in the title of the topic, according to Windows Defender. I deleted a couple of programs that were installed along with the virus but after a couple of restarts, command prompts and unknown programs seem to start along with Windows. In addition, there is a bunch of exclusions for certain programs in folders with made up names that Windows Defender is unable to scan. I never excluded those folders myself. What is more, these said folders are located in the Program Files (x86), ProgramData, AppData\Local\Temp, WINDOWS\Temp folders of my PC. I refrain from logging in in various sites and apps I used to, at least without creating a new password, since I'm terrified that my personal data will be compromised through the malicious program. I do not know whether they've already been compromised or the worst is yet to come. I will stand by, waiting for further instructions as to how to proceed on the matter. Thank you in advance.

scan_181011-012112.txt

Addition.txt

FRST.txt

[Kevin Zoll]

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

(Aztec Media Inc) C:\Program Files (x86)\Assets Manager\smdmf\SmdmFService.exe
HKLM-x32\...\Run: [WebP To PNG Converter Software.exe] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-1508180704-3222819172-3449906844-1000\...\MountPoints2: {87008795-8f8b-11e8-b9cc-5cf37067396f} - "G:\autorun.exe"
HKU\S-1-5-21-1508180704-3222819172-3449906844-1000\...\MountPoints2: {87008f23-8f8b-11e8-b9cc-5cf37067396f} - "F:\autorun.exe"
AppInit_DLLs: C:\ProgramData\Quoteex\Triobam.dll => C:\ProgramData\Quoteex\Triobam.dll [342528 2018-10-10] ()
AppInit_DLLs-x32: C:\ProgramData\Quoteex\Vaia-Nix.dll => C:\ProgramData\Quoteex\Vaia-Nix.dll [460800 2018-10-10] ()
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKU\S-1-5-21-1508180704-3222819172-3449906844-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
HKU\S-1-5-21-1508180704-3222819172-3449906844-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.domaincentar.com
HKU\S-1-5-21-1508180704-3222819172-3449906844-1005\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
HKU\S-1-5-21-1508180704-3222819172-3449906844-1005\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXVV8dB2ZMCy3_E0fw4KWrB614p_Gs592vqm06BXT5-d2cFK79kTFGsEL3DIDW_A12IRLo9QHc9ZaAS2Tm6acNwLV_Ibscz
SearchScopes: HKLM -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2503} URL = hxxp://www.default-search.net/search?sid=503&aid=112&itype=a&ver=15511&tm=504&src=ds&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
SearchScopes: HKLM-x32 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2503} URL = hxxp://www.default-search.net/search?sid=503&aid=112&itype=a&ver=15511&tm=504&src=ds&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1508180704-3222819172-3449906844-1000 -> DefaultScope {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1508180704-3222819172-3449906844-1000 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2503} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-1508180704-3222819172-3449906844-1000 -> {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1508180704-3222819172-3449906844-1005 -> DefaultScope {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1508180704-3222819172-3449906844-1005 -> {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
FF Homepage: Mozilla\Firefox\Profiles\i57slaKI.default -> file:///C:/ProgramData/Quoteexs/ff.HP
FF NewTab: Mozilla\Firefox\Profiles\i57slaKI.default -> file:///C:/ProgramData/Quoteexs/ff.NT
R1 F06DEFF2-5B9C-490D-910F-35D3A91196222; C:\Program Files (x86)\Assets Manager\smdmf\x64\smdmfmgrc3.cfg [45968 2015-01-28] (Aztec Media Inc)
S1 sqsxejxn; \??\C:\WINDOWS\system32\drivers\sqsxejxn.sys [X]
2018-10-10 00:42 - 2018-10-10 00:42 - 000003292 _____ C:\WINDOWS\System32\Tasks\MAAEe
2018-10-10 00:41 - 2018-10-10 00:41 - 000000000 ____D C:\ProgramData\Quoteexs
2018-10-10 00:40 - 2018-10-10 01:25 - 000000000 ____D C:\ProgramData\Quoteex
2018-10-10 00:40 - 2018-10-10 00:41 - 001413120 _____ C:\Users\Herc\AppData\Local\sham.db
2018-10-10 00:40 - 2018-10-10 00:40 - 007787008 _____ C:\Users\Herc\AppData\Local\agent.dat
2018-10-10 00:40 - 2018-10-10 00:40 - 002018690 _____ C:\Users\Herc\AppData\Local\Funcore.tst
2018-10-10 00:40 - 2018-10-10 00:40 - 000140800 _____ C:\Users\Herc\AppData\Local\installer.dat
2018-10-10 00:40 - 2018-10-10 00:40 - 000126464 _____ C:\Users\Herc\AppData\Local\noah.dat
2018-10-10 00:40 - 2018-10-10 00:40 - 000070896 _____ C:\Users\Herc\AppData\Local\Config.xml
2018-10-10 00:40 - 2018-10-10 00:40 - 000018432 _____ C:\Users\Herc\AppData\Local\Main.dat
2018-10-10 00:40 - 2018-10-10 00:40 - 000016416 _____ C:\Users\Herc\AppData\Local\InstallationConfiguration.xml
2018-10-10 00:40 - 2018-10-10 00:40 - 000005568 _____ C:\Users\Herc\AppData\Local\md.xml
2018-10-11 00:24 - 2015-02-04 14:36 - 000000000 ____D C:\ProgramData\smdmf
2018-10-10 01:19 - 2013-03-11 01:04 - 000724992 _____ (Electronic Arts Inc.) C:\Users\Herc\AppData\Local\Temp\AutoRun.exe
2018-10-10 01:19 - 2013-03-11 01:04 - 000942080 _____ (Electronic Arts Inc.) C:\Users\Herc\AppData\Local\Temp\AutoRunGUI.dll
2018-10-07 22:39 - 2018-04-12 02:35 - 000607840 _____ (Microsoft Corporation) C:\Users\Herc\AppData\Local\Temp\kernel32.dll
2018-09-05 01:33 - 2018-08-21 13:24 - 000641336 _____ (NVIDIA Corporation) C:\Users\Herc\AppData\Local\Temp\nvSCPAPI.dll
2018-09-05 01:33 - 2018-08-21 13:24 - 000730936 _____ (NVIDIA Corporation) C:\Users\Herc\AppData\Local\Temp\nvSCPAPI64.dll
2018-10-06 03:25 - 2018-08-21 13:24 - 000395576 _____ (NVIDIA Corporation) C:\Users\Herc\AppData\Local\Temp\nvStInst.exe
2018-10-10 00:41 - 2018-10-10 00:41 - 000375522 _____ (                                                            ) C:\Users\Herc\AppData\Local\Temp\p121eyvclzl.exe
2018-10-09 13:37 - 2018-10-09 13:37 - 011990292 _____ () C:\Users\Herc\AppData\Local\Temp\setup.dll
2002-08-31 20:07 - 2002-08-31 20:07 - 000270336 _____ () C:\Users\Herc\AppData\Local\Temp\tdll.dll
2018-10-11 00:27 - 2018-10-11 00:27 - 000010725 _____ () C:\Users\Herc\AppData\Local\Temp\wcupdater.exe
ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ContextMenuHandlers1: [###MegaContextMenuExt] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ContextMenuHandlers1-x32-x32: [ZFAdd] -> {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} => C:\Users\Herc\Downloads\Νέος φάκελος (2)\Νέος φάκελος\Νέος φάκελος\arcext.dll -> No File
ContextMenuHandlers4: [###MegaContextMenuExt] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
ContextMenuHandlers4-x32: [ZFAdd] -> {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} => C:\Users\Herc\Downloads\Νέος φάκελος (2)\Νέος φάκελος\Νέος φάκελος\arcext.dll -> No File
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} =>  -> No File
ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
Task: {0C2F2F0F-5259-4830-B641-BB967E1A29F2} - System32\Tasks\RegistryDr_Popup => C:\Program Files (x86)\Registry Dr\Splash.exe <==== ATTENTION
Task: {1222B2A6-2D52-495B-80FB-46327649449D} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {150755D0-136C-452D-B091-5C180275D9D3} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {1AB724ED-71E9-4AFB-A258-6632304C431B} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {1FB0339D-2F49-485E-9615-FD4CDF2DD045} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {253E6B98-EFE1-4DF0-A7A8-E8FB9AF8F03B} - System32\Tasks\{32BAC0C2-C312-4DD0-B323-421956B8EE4A} => C:\Windows\system32\pcalua.exe -a C:\WINDOWS\st6unst.exe -c -n "H:\TestDrive\ST6UNST.LOG"
Task: {276E8E1C-5ECD-4949-8522-3BB6A126F8D4} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {4BEED759-A77C-441A-AAB3-2D8F68BEDE7C} - System32\Tasks\{7E437A21-476C-4974-96A1-4515102C4C8F} => C:\WINDOWS\system32\pcalua.exe -a F:\AutoRunLauncher.exe -d F:\
Task: {4C1587FC-89FD-4F32-8B62-A87614F355D4} - System32\Tasks\Start Corsair Link => H:\CorsairLINK.exe
Task: {623A466B-926A-4F37-8CC2-5D916E8C5CE8} - System32\Tasks\{D7054C00-64F9-44E7-9527-BA504BEF4891} => C:\Windows\system32\pcalua.exe -a E:\LeagueOfLegends\!\PS\mbig\露出プレ\Install.exe -d E:\LeagueOfLegends\!\PS\mbig\露出プレ
Task: {6A5D9B69-3FD2-4FCB-928C-CE8170C11C54} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {7936610A-D3FF-40EB-9FC7-7D895EDCFAC7} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {81AA7FE7-80EF-4C65-9395-B8743EC9CEA7} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {86F82812-A1DA-47F1-8F48-CAD6CD6D8E7B} - System32\Tasks\Online Application V2G5 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {87656B93-89F9-4D01-B1D2-27B12298802E} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
Task: {8B690231-322A-449B-8A1C-85A51FA58834} - \Microsoft\Windows\Setup\EOONotify -> No File <==== ATTENTION
Task: {9A18556F-D048-4EF5-A204-91E7A3A23B48} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {9CBE21DB-6B5F-46DA-9D0F-2459C85A9486} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {ACEF10B5-DA30-4B74-BD93-91D1E1AAFBFA} - System32\Tasks\Online Application V2G6 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {AD04F6D4-8791-426C-8000-773C8721B035} - System32\Tasks\Online Application V2G3 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {AE94A6EB-DC4D-4678-8A10-270AD980F0EB} - System32\Tasks\Online Application V2G1 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {B8EAC04F-E630-46F3-94C5-23E6867FE6C4} - System32\Tasks\MAAEe => C:\Users\Herc\AppData\Roaming\SSjMN\MAAEe.vbs
Task: {BAD864BB-6925-4A77-8619-FBA1BDA56857} - System32\Tasks\{E22BEDF7-76D4-48C4-9735-41B54F562D5D} => C:\Windows\system32\pcalua.exe -a E:\LeagueOfLegends\!\PS\2000rpg\RPG2000RTP.exe -d E:\LeagueOfLegends\!\PS\2000rpg
Task: {BB1BDBD1-D288-4B9B-AD34-3C227483518F} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {BDBAC117-C5FF-4523-9B87-350D9787922F} - System32\Tasks\RegistryDr_Start => C:\Program Files (x86)\Registry Dr\RegistryDr.exe <==== ATTENTION
Task: {C1FEF1EE-D645-4C20-956D-37C670E65B7B} - System32\Tasks\Online Application V2G4 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {C6CE1C33-3EFB-4A79-9493-765AF07F57BB} - System32\Tasks\{607A26D3-DA85-4BBD-8C18-EF83FF9AFC05} => C:\WINDOWS\system32\pcalua.exe -a F:\AutoRunLauncher.exe -d F:\
Task: {D2E79D05-EA5E-4772-A723-FF7DCC8FA8B4} - System32\Tasks\{2E411731-3882-4750-BD41-72E046285F79} => C:\WINDOWS\system32\pcalua.exe -a "C:\Users\Herc\Downloads\Castle Attack 2.exe" -d C:\Users\Herc\Downloads
Task: {D3925812-34CF-410A-A314-4AB48E098346} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {D9A7D8D5-0819-46DD-A4C2-E1491843287F} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
Task: {DC46A632-19EB-44B3-9450-45FBA88EF150} - System32\Tasks\Updater_Online_Application => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe <==== ATTENTION
Task: {E45A7DD1-7496-4E9F-BC22-01969C416E95} - System32\Tasks\{AF04CA07-98F1-4624-AF44-23A94E6F80D7} => C:\Windows\system32\pcalua.exe -a "C:\Users\Herc\Desktop\Νέος φάκελος\Mafia\Setup.exe" -d "C:\Users\Herc\Desktop\Νέος φάκελος\Mafia"
Task: {EA55A283-9264-4DF2-AB12-BEFFF5D5743B} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {F5D0775E-7796-484E-889D-DDCB1F5E8AA0} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {FE46BC80-7C11-4546-8CE9-7617D6E46D76} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G1.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G2.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G3.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G4.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G5.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G6.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Updater_Online_Application.job => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT [40]
AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT2 [432]
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F [134]
C:\Program Files (x86)\Assets Manager\smdmf\SmdmFService.exe
C:\ProgramData\Quoteex\Triobam.dll
C:\WINDOWS\TEMP\Smartbar
C:\Users\Herc\AppData\Roaming\OpenCandy
C:\ProgramData\simplitec
C:\ProgramData\smdmf
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\11598763487076930564" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\IEDLL.DLL" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\{6A7CD9EC-D8BD-4340-BCD0-77C09A282921}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\LINKEY.LINKEY" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\LINKEY" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\LINKEY" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1508180704-3222819172-3449906844-1000\SOFTWARE\LINKEY" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\SMDMF" /f
Reg: reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\SMDMF" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1508180704-3222819172-3449906844-1000\SOFTWARE\SMDMF" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SMDMFSERVICE" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1508180704-3222819172-3449906844-1000_CLASSES\WOW6432NODE\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1508180704-3222819172-3449906844-1005_CLASSES\WOW6432NODE\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1508180704-3222819172-3449906844-1000\SOFTWARE\WEBAPP" /f
C:\ProgramData\Quoteex
C:\Users\Herc\AppData\Local\Temp\is-5LLP8.tmp
C:\Users\Herc\AppData\Local\Temp\is-NCK9V.tmp
C:\Users\Herc\Downloads\CyberLink PowerDVD Ultra 16.0.1713.60 Multilingual + Keygen [SadeemPC]
C:\Users\Herc\Downloads\CyberLink PowerDVD Ultra 17.0.1523.60 Final + Crack-Keygen

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

[AOH]

When I try to save the file, a warning pops up regarding the fact that Unicode characters are bound to be lost if the file is encoded in ANSI. Should I encode it in Unicode?

[Kevin Zoll]

Yes, use Unicode.

[AOH]

Afterwards, I soon as I place the file in the same folder as FRST64, all I have to do is run the program and click Fix?
Should I also post the new FRST and Addition logs?

[Kevin Zoll]

Just send the fixlog.  I will most likely have you run another tool to find and remove things that are not shown in tehFRST and EEK scans.

[AOH]

Here is the fixlog, as requested:

Fixlog.txt

[Kevin Zoll]

Please download AdwCleaner and save it on your desktop.

1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
2. Double click on the AdwCleaner icon to run it.
3. You will need to accept the license agreement from Malwarebytes in order to continue.
4. Click on the Scan button in the lower-left.
5. When the scan is done, a log will open in Notepad. You can close this Notepad window before continuing.
6. If something was found on your computer, then click on the Clean button in the lower-left (where the "Scan" button was earlier).
7. AdwCleaner will warn you that it will close all running processes (programs). Click OK to continue when ready.
8. After the cleaning process is done, you will be prompted to restart your computer. Please click Reboot now when ready to restart your computer.
9. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
10. Please attach that log file to a reply for me to review.
11. If you lose that log file for any reason, you can find it at C:\AdwCleaner[C0] on your computer.
    

[AOH]

AdwCleaner prompted me to an updated version on this site: https://www.malwarebytes.com/adwcleaner/?channel=release
Should I download it?

[Kevin Zoll]

Yes, update the version.

 

[AOH]

Here is AdwCleaner's fixlog, as requested:

AdwCleaner[C00].txt

[Kevin Zoll]

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.

[AOH]

A command prompt window popped up for a brief moment right after restarting my PC as requested by AdwCleaner, which did not happen before the "infection". However, I am now able to remove the excluded folders with made up names in Windows Defender.
Other than that, everything else seems to be running smoothly.
Here are the requested logs:

scan_181011-033009.txt

FRST.txt

[Kevin Zoll]

Still a few things that need to be cleaned up.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Startup.lnk [2016-11-28]
ShortcutTarget: Windows Startup.lnk -> C:\Windows\Windows_startup.bat ()
S1 F06DEFF2-5B9C-490D-910F-35D3A91196222; \??\C:\Program Files (x86)\Assets Manager\smdmf\x64\smdmfmgrc3.cfg [X]
2018-10-11 03:06 - 2018-10-11 03:06 - 000000000 ____D C:\ProgramData\simplitec
2018-10-11 03:05 - 2015-02-04 14:36 - 000000000 ____D C:\ProgramData\smdmf
C:\ProgramData\simplitec
C:\ProgramData\smdmf
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\SMDMF" /f
C:\Users\Herc\Downloads\CyberLink PowerDVD Ultra 17.0.1523.60 Final + Crack-Keygen

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

[AOH]

Here is the new fixlog, as requested:

Fixlog.txt

[Kevin Zoll]

Because I keep seeing Unicode characters in the log after you run the fix.

Changing tools.

Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop.

• Double-click on setup.exe to install RogueKiller.

Close all programs and disconnect any USB or external drives before running the tool.

• Right-click RogueKiller.exe and select Run As Administrator to run the tool.
• Once the Prescan has finished, click Scan.
• Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.

This may take a while to run.  I'll check the scan report tomorrow after I come back online.

[AOH]

Should I disconnect my external hard drive?

[AOH]

Here's RogueKiller's report, as requested:

Report.txt

[Kevin Zoll]

Run RogueKiller again, press scan and this time select everything it finds and let RogueKiller remove it.

[AOH]

Everything found in the second scan has been removed by RogueKiller. Should I send you the scan log, now that the removal is finished?

[Kevin Zoll]

Yes, send me the RogueKiller Clean log, and run fresh scans with Emsisoft and FRST.

[AOH]

Here you go:

RogueKiller Report.txt

scan_181013-020800.txt

FRST.txt

[Kevin Zoll]

Run the Google Chrome CleanUp Tool.

You can also check for malware manually.

1. Open Chrome.
2. At the top right, click More  Settings.
3. At the bottom, click Advanced.
4. Under “Reset and clean up,” click Clean up computer.
5. Click Find.

If you're asked to remove unwanted software, click Remove.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackUpdateChecker.lnk [2014-10-19]
FF NewTab: Mozilla\Firefox\Profiles\i57slaKI.default -> file:///C:/ProgramData/Quoteexs/ff.NT
FF SearchPlugin: C:\Users\Herc\AppData\Roaming\Mozilla\Firefox\Profiles\i57slaKI.default\searchplugins\yahoo-lavasoft-ff59.xml [2018-05-09]
FF Plugin: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelogx64.dll [No File]
FF Plugin-x32: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelog.dll [No File]
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Office14\NPSPWRAP.DLL [No File]
FF Plugin HKU\S-1-5-21-1508180704-3222819172-3449906844-1000: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll [No File]
S3 Disc Soft Ultra Bus Service; H:\Mi Games\Daemon Tools Ultra 5.2.0.0644 + Pre-Cracked - [CrackzSoft]\DAEMON Tools Ultra\DiscSoftBusServiceUltra.exe [5680320 2017-10-26] (Disc Soft Ltd)
2018-10-12 04:00 - 2018-10-12 04:00 - 000000000 ____D C:\ProgramData\simplitec
C:\ProgramData\simplitec

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

 

[AOH]

I checked manually for malware through Chrome and nothing was found. Here's FRST's fixlog:

Fixlog.txt

[Kevin Zoll]

OK, let's take a fresh look.

Run a fresh scan with Emsisoft and FRST, attach the new Emsisoft and FRST scan logs to your reply.

[AOH]

Here you go:

scan_181013-024858.txt

FRST.txt

[Kevin Zoll]

Your logs look fine how are things running?

[AOH]

Everything seems fine. My only concern is whether I should change my log in passwords or not. Is it possible that they could have been intercepted? What would you suggest?

[Kevin Zoll]

What was installed was adware.  Normally, adware does not intercept login credentials but is not outside the realm of possibles.  If you are concerned that your login information was compromised, then go ahead and change your passwords.

[AOH]

Thank you very much for being so helpful and analytical throughout this whole process. I truly appreciate your help and advice. You're doing a great job in maintaining this forum as one of the best one should visit when seeking malware removal expertise. Keep it up. Thank you very much once again.

[Kevin Zoll]

You are welcome and thank you for the vote of confidence.

You can delete any tool I had you download.

[AOH]

Will do. Thank you once again for your help.

[Kevin Zoll]

You are welcome.

[AOH]

Actually, before deleting the programs I decided to run a final scan and it looks like a PUP named "Application.AppInstall(A)" and located in C:\ProgramData\simplitec is still there. I remember it showing up in two of the last scans before the logs were finally clean. Could it be coming back after I terminate and start my PC? Here are the logs of the most recent scans:

scan_181016-134513.txt

Addition.txt

FRST.txt

[Kevin Zoll]

This is the most likely culprit:

H:\Mi Games\Daemon Tools Ultra 5.2.0.0644 + Pre-Cracked - [CrackzSoft]\DAEMON Tools Ultra\DiscSoftBusServiceUltra.exe

Software piracy is not a victimless activity, in fact, most cracks and keygens are malware.

Our company policy is to provide no assistance to users whose systems show the presence of pirated or otherwise improperly licensed and activated software. 

[AOH]

Thank you for bringing this to my attention. I proceeded to completely remove the pirated software from my computer. Here are the new scans:
 

FRST.txt

scan_181017-032814.txt

[Kevin Zoll]

Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in.

Start::
HKU\S-1-5-21-1508180704-3222819172-3449906844-1000\...\MountPoints2: {d713b006-cbe1-11e8-b9e4-5cf37067396f} - "F:\Autorun.exe"
S3 Disc Soft Ultra Bus Service; "H:\Mi Games\Daemon Tools Ultra 5.2.0.0644 + Pre-Cracked - [CrackzSoft]\DAEMON Tools Ultra\DiscSoftBusServiceUltra.exe" [X]
2018-10-13 14:00 - 2018-10-13 14:00 - 000000000 ____D C:\ProgramData\simplitec
2018-10-10 01:17 - 2018-10-10 01:17 - 000000000 ____D C:\ProgramData\DAEMON Tools Ultra
2018-10-10 01:11 - 2018-10-10 01:11 - 000000000 ____D C:\Users\Public\Documents\Daemon Tools Images
2018-10-10 01:17 - 2018-07-25 02:04 - 000000000 ____D C:\ProgramData\DAEMON Tools Pro
C:\ProgramData\simplitec
End::

[AOH]

Here you are:

Fixlog.txt

[Kevin Zoll]

OK,

Restart the computer and log back on.

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.

[AOH]

The problem seems to persist. Here are the new logs:

scan_181018-030652.txt

FRST.txt

[Kevin Zoll]

I do not see anything else in your logs that would be related to Simplitec and any of their software.

Navigate to C:\ProgramData\simplitec and tell me if the folder is empty and if not a list of what is in the folder.

[AOH]

The folder is indeed empty.

[Kevin Zoll]

Since the folder is empty, it likely is not something to overly concerned about.  You can most likely safely ignore the folder.

[AOH]

Should I try to delete the PUP through EEK, restart my PC and run some fresh scans?

[Kevin Zoll]

You can try.  If it doesn't delete then there is something preventing the folder from being deleted, like not gaining permission over the folder.

[AOH]

Someone under the name "CREATOR OWNER" has rights to that very folder. I managed to remove those rights as well as the PUP through EEK, but after restarting my systerm, the PUP still exists along with the folder. "CREATOR OWNER" still has rights to the folder.

[Kevin Zoll]

Run a scan with RogueKiller and delete anything simplitec related it finds.

[AOH]

After running a scan with RogueKiller and deleting the findings, both the folder and the PUP are present, according to EEK's scan that I ran after restarting my system. Here are the logs:

RogueKiller Report.txt

scan_181018-050058.txt

FRST.txt

[Kevin Zoll]

OK,

Let's try running AdwCleaner again.

Since the folder is empty it posses no threat.

[AOH]

Should I run new scans with EEK and FRST? Here's AdwCleaner' log:

AdwCleaner[S01].txt