[elzin]

At the FLock there are a few folders that are totally locked. I cannot access, elevate privileges or delete at all. I downloaded something that was diguised as something else and it put files and documents on the computer under different names, different processes etc. And it was replicating itself. Running Malware bytes, Super antimalware, spybot, adware cleaner I think I got most of it gone. But there is still folders under C:\ProgramData listed as AMDTools, TeamViewerStorage and WindowsTools. Everything that was caught was in those folders and there was another AMDControlPanelTools which I was able to end the tasks for that folder and thus have access and delete the folder. The malware/virus made it seem like they were legit processes but most of the files came up as being used on ASUS which I do not have, or Intel processes which nothing on my computer is intel and thus they came up as bad and quarantined/deleted. Anyways among some of the other errors listed on these documents, Is there a fixlist to use? And Anyways to force delete those folders?

 

Please advise.

Attached Files

•  FRST.txt   177.42KB   323 downloads
•  Addition.txt   48.99KB   297 downloads

Edited by elzin, 20 June 2019 - 05:22 PM.

[Advertisements]

Hi elzin, welcome to the Geeks to Go malware removal forum.

I am iMacg3 and will be helping you with your computer problems.

Please keep the following information in mind before we begin:

• Back up any important data before we continue.
  • Back up any important data on your computer to external media. I will not knowingly suggest any steps that will damage your computer; however, malware infections are often unpredictable and it may be necessary to reformat and reinstall your operating system depending on the infection.
• Do not run any fixes or tools on your system unless I request that you do so.
  • Running additional tools on your system can interfere with the clean-up process, or cause issues such as false positives.
• Please read all instructions carefully, and complete them in the order listed.
  • Items that are especially important will be highlighted in bold or red.
• If your computer seems to start working normally, please don't abandon the topic.
  • Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.
• If you have pirated or illegal software on your computer, uninstall it now before proceeding.
  • Using pirated/cracked software is an easy way to infect your computer - almost as easy as intentionally downloading malware. Therefore, please remove any, if present, before we begin the clean-up.
• If you don't respond to your topic in 4 days, it will be closed.
  • If your topic is closed and you still need assistance, send me or any Moderator a Private Message with a link to your topic.
• If you have questions at any time during the cleanup, feel free to ask.

---------------------------------------------------
Farbar Recovery Scan Tool - Fix

• Highlight the contents of the below code box and press Ctrl + C on your keyboard:
  

  Start::
  CreateRestorePoint:
  EmptyTemp:
  CloseProcesses:
  HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
  GroupPolicy: Restriction ? <==== ATTENTION
  Task: {68AAC1DC-3915-4988-AC7E-C5A93F9AEE96} - System32\Tasks\deinstitutionalization => C:\Program Files (x86)\Sec\aboveboard.exe
  Task: {8A81805B-2886-48D1-A9F3-41B175E31F35} - System32\Tasks\deinstitutionalizationdeinstitutionalization => C:\Program Files (x86)\Sec\aboveboard.exe
  Task: {F318966A-D0D2-49C9-BAC7-3F3599673753} - System32\Tasks\{2A37FE43-6043-496F-9B18-743A2950AB5C} => C:\ProgramData\{2A3806D4-A9D4-4B93-9C2C-74C3B150ABA0}\{AA3806D4-A9D4-4B93-9C2D-74C3B550ABA0}\lbwwwjnpd.exe <==== ATTENTION
  SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
  SearchScopes: HKU\S-1-5-21-3181282482-3321046939-1998509028-1001 -> DefaultScope {092E70FB-7DD7-45C0-8FD2-2F09C220DDEE} URL = 
  SearchScopes: HKU\S-1-5-21-3181282482-3321046939-1998509028-1001 -> {092E70FB-7DD7-45C0-8FD2-2F09C220DDEE} URL = 
  FF user.js: detected! => C:\Users\MD\AppData\Roaming\Mozilla\Firefox\Profiles\ahur6mrs.default\user.js [2019-06-20]
  FF SearchPlugin: C:\Users\MD\AppData\Roaming\Mozilla\Firefox\Profiles\dupc4xje.default-release\searchplugins\bing-lavasoft-ff59.xml [2019-06-15]
  S4 atgsuw; System32\drivers\nvoxetus.sys [X]
  2019-06-16 14:39 - 2019-06-16 14:49 - 000000000 ____D C:\Users\MD\AppData\Roaming\MajorAV
  2019-06-15 19:51 - 2019-06-15 20:03 - 000000000 ____D C:\Users\MD\AppData\Roaming\netcache
  2019-06-15 19:51 - 2019-06-15 19:51 - 000000000 ____D C:\WINDOWS\system32\appmgmt
  2019-06-15 19:46 - 2019-06-18 16:11 - 000000000 ____D C:\WINDOWS\system32\iaivnek
  2019-06-15 19:46 - 2019-06-15 19:46 - 000000000 ____D C:\WINDOWS\SysWOW64\iaivnek
  2019-06-15 19:45 - 2019-06-18 19:06 - 000000000 _RSHD C:\ProgramData\AMDTools
  2019-06-15 19:45 - 2019-06-16 14:32 - 000000000 _RSHD C:\ProgramData\TeamViewerStorage
  2019-06-15 19:45 - 2019-06-15 20:03 - 000000000 _RSHD C:\ProgramData\WindowsTools
  2019-06-15 19:45 - 2019-06-15 19:45 - 000003390 _____ C:\WINDOWS\System32\Tasks\{2A37FE43-6043-496F-9B18-743A2950AB5C}
  2019-06-15 19:45 - 2019-06-15 19:45 - 000000000 ____D C:\Users\MD\AppData\Roaming\et
  2019-06-15 19:45 - 2019-06-15 19:45 - 000000000 ____D C:\ProgramData\{2A3806D4-A9D4-4B93-9C2C-74C3B150ABA0}
  2019-06-15 19:44 - 2019-06-18 16:40 - 000000000 ____D C:\Program Files (x86)\Sec
  2019-06-15 19:44 - 2019-06-15 20:03 - 000000000 ___HD C:\Program Files (x86)\weekdays
  2019-06-15 19:44 - 2019-06-15 20:03 - 000000000 ___HD C:\Program Files (x86)\Spineless
  2019-06-15 19:44 - 2019-06-15 20:03 - 000000000 ____D C:\Program Files (x86)\Innovates
  2019-06-15 19:44 - 2019-06-15 19:44 - 000126464 _____ C:\Users\MD\AppData\Local\lobby.dat
  2019-06-15 19:44 - 2019-06-15 19:44 - 000054272 _____ C:\Users\MD\AppData\Local\ApplicationHosting.dat
  2019-06-15 19:44 - 2019-06-15 19:44 - 000004106 _____ C:\WINDOWS\System32\Tasks\deinstitutionalization
  2019-06-15 19:44 - 2019-06-15 19:44 - 000003994 _____ C:\WINDOWS\System32\Tasks\deinstitutionalizationdeinstitutionalization
  2019-06-15 19:44 - 2019-06-15 19:44 - 000000012 _____ C:\WINDOWS\b42233278
  2019-06-15 19:44 - 2019-06-15 19:44 - 000000000 ____D C:\Users\MD\AppData\Local\PeerDistRepub
  2019-06-15 19:44 - 2019-06-15 19:44 - 000000000 ____D C:\ProgramData\8BP05XKK8CZ1X29C6IZDPZLC2
  2019-06-15 19:43 - 2019-06-15 19:53 - 000722944 _____ C:\Users\MD\AppData\Local\sha.db
  2019-06-15 19:43 - 2019-06-15 19:44 - 000000000 ____D C:\ProgramData\Optimizer
  2019-06-15 19:43 - 2019-06-15 19:43 - 000140800 _____ C:\Users\MD\AppData\Local\installer.dat
  2019-06-15 19:43 - 2019-06-15 19:43 - 000000000 ____D C:\Users\MD\AppData\Local\DBG
  2019-06-15 19:43 - 2019-06-15 19:43 - 000000000 ____D C:\ProgramData\Pader
  2018-09-15 03:28 - 2018-09-15 03:28 - 000314058 ___SH () C:\Users\MD\AppData\Roaming\hbswfra
  2018-09-15 03:28 - 2018-09-15 03:28 - 000000267 ___SH () C:\Users\MD\AppData\Roaming\wgwcehr
  FirewallRules: [{B214CD8E-90F1-44B7-8980-C27988E20A7D}] => (Allow) C:\Program Files\WindowsApps\SAMSUNGELECTRONICSCoLtd.SamsungFlux_3.5.14.0_x64__wyx1vj98g3asy\DesktopApp\SamsungFlowDesktop.exe No File
  FirewallRules: [{46B96569-9626-4B5F-B378-AD2407E1E61E}] => (Allow) C:\Program Files\WindowsApps\SAMSUNGELECTRONICSCoLtd.SamsungFlux_3.5.14.0_x64__wyx1vj98g3asy\DesktopApp\SamsungFlowDesktop.exe No File
  FirewallRules: [{5B0C698A-0719-4BFC-8F7C-CC4F5125E9A4}] => (Allow) C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHost.exe No File
  FirewallRules: [{07914E43-E64B-47D0-848C-2478857D52CE}] => (Allow) C:\Program Files (x86)\Common Files\Mcafee\MMSSHost\MMSSHost.exe No File
  FirewallRules: [{B2FDF454-26F7-490B-8483-0D211BB4956D}] => (Allow) C:\Program Files (x86)\Innovates\Pitchers.exe No File
  FirewallRules: [{757BE30B-E6E5-41C6-B3EC-6875F5E7AC8F}] => (Allow) C:\Program Files (x86)\Spineless\Pitchers.exe No File
  FirewallRules: [{F32D02B1-DCCC-4C61-AA89-59DDA144397A}] => (Allow) C:\Program Files (x86)\deliciousness\Instructs.exe No File
  FirewallRules: [{3152C03F-798F-41BD-92AE-468AD3FB859C}] => (Allow) C:\Program Files (x86)\Spineless\Instructs.exe No File
  Folder: C:\fvbbk
  Folder: C:\ProgramData\bomgar-scc-0x5d0a6c6b
  Virustotal: C:\WINDOWS\system32\mcupdate_GenuineIntel.dll
  CMD: Bitsadmin /Reset /Allusers
  End::

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

• Double-click FRST.exe/FRST64.exe to run it.
• Press the Fix button just once and wait.
• Restart the computer if prompted.
• When the fix is complete FRST will generate a log in the same location it was run from (Fixlog.txt)
• Please copy and paste its contents into your reply.

---------------------------------------------------
AdwCleaner

Download AdwCleaner and save it to your desktop.

• Right-click on AdwCleaner.exe and select Run as Administrator
• Accept the EULA (I accept), then click on Scan.
• Let the scan complete. If no objects are detected, close the AdwCleaner window.
• If any objects are detected, uncheck any items you want to keep.
• Click on the Clean and Repair button.
• Once the cleaning process is complete, AdwCleaner will ask to restart your computer. Allow it to do so.
• After the restart, an AdwCleaner window will open. Click on View Log File, and the log will open in notepad. Copy and paste the contents of the log into your next reply.
• Note: the AdwCleaner log is also saved to C:\AdwCleaner\Logs\AdwCleaner[CXX].txt (where XX is two numbers).

[iMacg3]

Hi elzin, welcome to the Geeks to Go malware removal forum.

I am iMacg3 and will be helping you with your computer problems.

Please keep the following information in mind before we begin:

• Back up any important data before we continue.
  • Back up any important data on your computer to external media. I will not knowingly suggest any steps that will damage your computer; however, malware infections are often unpredictable and it may be necessary to reformat and reinstall your operating system depending on the infection.
• Do not run any fixes or tools on your system unless I request that you do so.
  • Running additional tools on your system can interfere with the clean-up process, or cause issues such as false positives.
• Please read all instructions carefully, and complete them in the order listed.
  • Items that are especially important will be highlighted in bold or red.
• If your computer seems to start working normally, please don't abandon the topic.
  • Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.
• If you have pirated or illegal software on your computer, uninstall it now before proceeding.
  • Using pirated/cracked software is an easy way to infect your computer - almost as easy as intentionally downloading malware. Therefore, please remove any, if present, before we begin the clean-up.
• If you don't respond to your topic in 4 days, it will be closed.
  • If your topic is closed and you still need assistance, send me or any Moderator a Private Message with a link to your topic.
• If you have questions at any time during the cleanup, feel free to ask.

---------------------------------------------------
Farbar Recovery Scan Tool - Fix

• Highlight the contents of the below code box and press Ctrl + C on your keyboard:
  

  Start::
  CreateRestorePoint:
  EmptyTemp:
  CloseProcesses:
  HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
  GroupPolicy: Restriction ? <==== ATTENTION
  Task: {68AAC1DC-3915-4988-AC7E-C5A93F9AEE96} - System32\Tasks\deinstitutionalization => C:\Program Files (x86)\Sec\aboveboard.exe
  Task: {8A81805B-2886-48D1-A9F3-41B175E31F35} - System32\Tasks\deinstitutionalizationdeinstitutionalization => C:\Program Files (x86)\Sec\aboveboard.exe
  Task: {F318966A-D0D2-49C9-BAC7-3F3599673753} - System32\Tasks\{2A37FE43-6043-496F-9B18-743A2950AB5C} => C:\ProgramData\{2A3806D4-A9D4-4B93-9C2C-74C3B150ABA0}\{AA3806D4-A9D4-4B93-9C2D-74C3B550ABA0}\lbwwwjnpd.exe <==== ATTENTION
  SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
  SearchScopes: HKU\S-1-5-21-3181282482-3321046939-1998509028-1001 -> DefaultScope {092E70FB-7DD7-45C0-8FD2-2F09C220DDEE} URL = 
  SearchScopes: HKU\S-1-5-21-3181282482-3321046939-1998509028-1001 -> {092E70FB-7DD7-45C0-8FD2-2F09C220DDEE} URL = 
  FF user.js: detected! => C:\Users\MD\AppData\Roaming\Mozilla\Firefox\Profiles\ahur6mrs.default\user.js [2019-06-20]
  FF SearchPlugin: C:\Users\MD\AppData\Roaming\Mozilla\Firefox\Profiles\dupc4xje.default-release\searchplugins\bing-lavasoft-ff59.xml [2019-06-15]
  S4 atgsuw; System32\drivers\nvoxetus.sys [X]
  2019-06-16 14:39 - 2019-06-16 14:49 - 000000000 ____D C:\Users\MD\AppData\Roaming\MajorAV
  2019-06-15 19:51 - 2019-06-15 20:03 - 000000000 ____D C:\Users\MD\AppData\Roaming\netcache
  2019-06-15 19:51 - 2019-06-15 19:51 - 000000000 ____D C:\WINDOWS\system32\appmgmt
  2019-06-15 19:46 - 2019-06-18 16:11 - 000000000 ____D C:\WINDOWS\system32\iaivnek
  2019-06-15 19:46 - 2019-06-15 19:46 - 000000000 ____D C:\WINDOWS\SysWOW64\iaivnek
  2019-06-15 19:45 - 2019-06-18 19:06 - 000000000 _RSHD C:\ProgramData\AMDTools
  2019-06-15 19:45 - 2019-06-16 14:32 - 000000000 _RSHD C:\ProgramData\TeamViewerStorage
  2019-06-15 19:45 - 2019-06-15 20:03 - 000000000 _RSHD C:\ProgramData\WindowsTools
  2019-06-15 19:45 - 2019-06-15 19:45 - 000003390 _____ C:\WINDOWS\System32\Tasks\{2A37FE43-6043-496F-9B18-743A2950AB5C}
  2019-06-15 19:45 - 2019-06-15 19:45 - 000000000 ____D C:\Users\MD\AppData\Roaming\et
  2019-06-15 19:45 - 2019-06-15 19:45 - 000000000 ____D C:\ProgramData\{2A3806D4-A9D4-4B93-9C2C-74C3B150ABA0}
  2019-06-15 19:44 - 2019-06-18 16:40 - 000000000 ____D C:\Program Files (x86)\Sec
  2019-06-15 19:44 - 2019-06-15 20:03 - 000000000 ___HD C:\Program Files (x86)\weekdays
  2019-06-15 19:44 - 2019-06-15 20:03 - 000000000 ___HD C:\Program Files (x86)\Spineless
  2019-06-15 19:44 - 2019-06-15 20:03 - 000000000 ____D C:\Program Files (x86)\Innovates
  2019-06-15 19:44 - 2019-06-15 19:44 - 000126464 _____ C:\Users\MD\AppData\Local\lobby.dat
  2019-06-15 19:44 - 2019-06-15 19:44 - 000054272 _____ C:\Users\MD\AppData\Local\ApplicationHosting.dat
  2019-06-15 19:44 - 2019-06-15 19:44 - 000004106 _____ C:\WINDOWS\System32\Tasks\deinstitutionalization
  2019-06-15 19:44 - 2019-06-15 19:44 - 000003994 _____ C:\WINDOWS\System32\Tasks\deinstitutionalizationdeinstitutionalization
  2019-06-15 19:44 - 2019-06-15 19:44 - 000000012 _____ C:\WINDOWS\b42233278
  2019-06-15 19:44 - 2019-06-15 19:44 - 000000000 ____D C:\Users\MD\AppData\Local\PeerDistRepub
  2019-06-15 19:44 - 2019-06-15 19:44 - 000000000 ____D C:\ProgramData\8BP05XKK8CZ1X29C6IZDPZLC2
  2019-06-15 19:43 - 2019-06-15 19:53 - 000722944 _____ C:\Users\MD\AppData\Local\sha.db
  2019-06-15 19:43 - 2019-06-15 19:44 - 000000000 ____D C:\ProgramData\Optimizer
  2019-06-15 19:43 - 2019-06-15 19:43 - 000140800 _____ C:\Users\MD\AppData\Local\installer.dat
  2019-06-15 19:43 - 2019-06-15 19:43 - 000000000 ____D C:\Users\MD\AppData\Local\DBG
  2019-06-15 19:43 - 2019-06-15 19:43 - 000000000 ____D C:\ProgramData\Pader
  2018-09-15 03:28 - 2018-09-15 03:28 - 000314058 ___SH () C:\Users\MD\AppData\Roaming\hbswfra
  2018-09-15 03:28 - 2018-09-15 03:28 - 000000267 ___SH () C:\Users\MD\AppData\Roaming\wgwcehr
  FirewallRules: [{B214CD8E-90F1-44B7-8980-C27988E20A7D}] => (Allow) C:\Program Files\WindowsApps\SAMSUNGELECTRONICSCoLtd.SamsungFlux_3.5.14.0_x64__wyx1vj98g3asy\DesktopApp\SamsungFlowDesktop.exe No File
  FirewallRules: [{46B96569-9626-4B5F-B378-AD2407E1E61E}] => (Allow) C:\Program Files\WindowsApps\SAMSUNGELECTRONICSCoLtd.SamsungFlux_3.5.14.0_x64__wyx1vj98g3asy\DesktopApp\SamsungFlowDesktop.exe No File
  FirewallRules: [{5B0C698A-0719-4BFC-8F7C-CC4F5125E9A4}] => (Allow) C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHost.exe No File
  FirewallRules: [{07914E43-E64B-47D0-848C-2478857D52CE}] => (Allow) C:\Program Files (x86)\Common Files\Mcafee\MMSSHost\MMSSHost.exe No File
  FirewallRules: [{B2FDF454-26F7-490B-8483-0D211BB4956D}] => (Allow) C:\Program Files (x86)\Innovates\Pitchers.exe No File
  FirewallRules: [{757BE30B-E6E5-41C6-B3EC-6875F5E7AC8F}] => (Allow) C:\Program Files (x86)\Spineless\Pitchers.exe No File
  FirewallRules: [{F32D02B1-DCCC-4C61-AA89-59DDA144397A}] => (Allow) C:\Program Files (x86)\deliciousness\Instructs.exe No File
  FirewallRules: [{3152C03F-798F-41BD-92AE-468AD3FB859C}] => (Allow) C:\Program Files (x86)\Spineless\Instructs.exe No File
  Folder: C:\fvbbk
  Folder: C:\ProgramData\bomgar-scc-0x5d0a6c6b
  Virustotal: C:\WINDOWS\system32\mcupdate_GenuineIntel.dll
  CMD: Bitsadmin /Reset /Allusers
  End::

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

• Double-click FRST.exe/FRST64.exe to run it.
• Press the Fix button just once and wait.
• Restart the computer if prompted.
• When the fix is complete FRST will generate a log in the same location it was run from (Fixlog.txt)
• Please copy and paste its contents into your reply.

---------------------------------------------------
AdwCleaner

Download AdwCleaner and save it to your desktop.

• Right-click on AdwCleaner.exe and select Run as Administrator
• Accept the EULA (I accept), then click on Scan.
• Let the scan complete. If no objects are detected, close the AdwCleaner window.
• If any objects are detected, uncheck any items you want to keep.
• Click on the Clean and Repair button.
• Once the cleaning process is complete, AdwCleaner will ask to restart your computer. Allow it to do so.
• After the restart, an AdwCleaner window will open. Click on View Log File, and the log will open in notepad. Copy and paste the contents of the log into your next reply.
• Note: the AdwCleaner log is also saved to C:\AdwCleaner\Logs\AdwCleaner[CXX].txt (where XX is two numbers).

[elzin]

Upon each restart, right before loading it would say scanning and repairing volume very briefly and continue. It did it on each of the restarts. I turned it off and back on after doing all this to see if it did it again and it continued. Very minor and only a quick second but I wanted to let you know that as well.

 

Thank you for the help it does appear the problems are no more but let me know what you think.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 19-06-2019
Ran by MD (21-06-2019 13:41:11) Run:1
Running from C:\Users\MD\Downloads
Loaded Profiles: MD (Available Profiles: MD)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Task: {68AAC1DC-3915-4988-AC7E-C5A93F9AEE96} - System32\Tasks\deinstitutionalization => C:\Program Files (x86)\Sec\aboveboard.exe
Task: {8A81805B-2886-48D1-A9F3-41B175E31F35} - System32\Tasks\deinstitutionalizationdeinstitutionalization => C:\Program Files (x86)\Sec\aboveboard.exe
Task: {F318966A-D0D2-49C9-BAC7-3F3599673753} - System32\Tasks\{2A37FE43-6043-496F-9B18-743A2950AB5C} => C:\ProgramData\{2A3806D4-A9D4-4B93-9C2C-74C3B150ABA0}\{AA3806D4-A9D4-4B93-9C2D-74C3B550ABA0}\lbwwwjnpd.exe <==== ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3181282482-3321046939-1998509028-1001 -> DefaultScope {092E70FB-7DD7-45C0-8FD2-2F09C220DDEE} URL =
SearchScopes: HKU\S-1-5-21-3181282482-3321046939-1998509028-1001 -> {092E70FB-7DD7-45C0-8FD2-2F09C220DDEE} URL =
FF user.js: detected! => C:\Users\MD\AppData\Roaming\Mozilla\Firefox\Profiles\ahur6mrs.default\user.js [2019-06-20]
FF SearchPlugin: C:\Users\MD\AppData\Roaming\Mozilla\Firefox\Profiles\dupc4xje.default-release\searchplugins\bing-lavasoft-ff59.xml [2019-06-15]
S4 atgsuw; System32\drivers\nvoxetus.sys [X]
2019-06-16 14:39 - 2019-06-16 14:49 - 000000000 ____D C:\Users\MD\AppData\Roaming\MajorAV
2019-06-15 19:51 - 2019-06-15 20:03 - 000000000 ____D C:\Users\MD\AppData\Roaming\netcache
2019-06-15 19:51 - 2019-06-15 19:51 - 000000000 ____D C:\WINDOWS\system32\appmgmt
2019-06-15 19:46 - 2019-06-18 16:11 - 000000000 ____D C:\WINDOWS\system32\iaivnek
2019-06-15 19:46 - 2019-06-15 19:46 - 000000000 ____D C:\WINDOWS\SysWOW64\iaivnek
2019-06-15 19:45 - 2019-06-18 19:06 - 000000000 _RSHD C:\ProgramData\AMDTools
2019-06-15 19:45 - 2019-06-16 14:32 - 000000000 _RSHD C:\ProgramData\TeamViewerStorage
2019-06-15 19:45 - 2019-06-15 20:03 - 000000000 _RSHD C:\ProgramData\WindowsTools
2019-06-15 19:45 - 2019-06-15 19:45 - 000003390 _____ C:\WINDOWS\System32\Tasks\{2A37FE43-6043-496F-9B18-743A2950AB5C}
2019-06-15 19:45 - 2019-06-15 19:45 - 000000000 ____D C:\Users\MD\AppData\Roaming\et
2019-06-15 19:45 - 2019-06-15 19:45 - 000000000 ____D C:\ProgramData\{2A3806D4-A9D4-4B93-9C2C-74C3B150ABA0}
2019-06-15 19:44 - 2019-06-18 16:40 - 000000000 ____D C:\Program Files (x86)\Sec
2019-06-15 19:44 - 2019-06-15 20:03 - 000000000 ___HD C:\Program Files (x86)\weekdays
2019-06-15 19:44 - 2019-06-15 20:03 - 000000000 ___HD C:\Program Files (x86)\Spineless
2019-06-15 19:44 - 2019-06-15 20:03 - 000000000 ____D C:\Program Files (x86)\Innovates
2019-06-15 19:44 - 2019-06-15 19:44 - 000126464 _____ C:\Users\MD\AppData\Local\lobby.dat
2019-06-15 19:44 - 2019-06-15 19:44 - 000054272 _____ C:\Users\MD\AppData\Local\ApplicationHosting.dat
2019-06-15 19:44 - 2019-06-15 19:44 - 000004106 _____ C:\WINDOWS\System32\Tasks\deinstitutionalization
2019-06-15 19:44 - 2019-06-15 19:44 - 000003994 _____ C:\WINDOWS\System32\Tasks\deinstitutionalizationdeinstitutionalization
2019-06-15 19:44 - 2019-06-15 19:44 - 000000012 _____ C:\WINDOWS\b42233278
2019-06-15 19:44 - 2019-06-15 19:44 - 000000000 ____D C:\Users\MD\AppData\Local\PeerDistRepub
2019-06-15 19:44 - 2019-06-15 19:44 - 000000000 ____D C:\ProgramData\8BP05XKK8CZ1X29C6IZDPZLC2
2019-06-15 19:43 - 2019-06-15 19:53 - 000722944 _____ C:\Users\MD\AppData\Local\sha.db
2019-06-15 19:43 - 2019-06-15 19:44 - 000000000 ____D C:\ProgramData\Optimizer
2019-06-15 19:43 - 2019-06-15 19:43 - 000140800 _____ C:\Users\MD\AppData\Local\installer.dat
2019-06-15 19:43 - 2019-06-15 19:43 - 000000000 ____D C:\Users\MD\AppData\Local\DBG
2019-06-15 19:43 - 2019-06-15 19:43 - 000000000 ____D C:\ProgramData\Pader
2018-09-15 03:28 - 2018-09-15 03:28 - 000314058 ___SH () C:\Users\MD\AppData\Roaming\hbswfra
2018-09-15 03:28 - 2018-09-15 03:28 - 000000267 ___SH () C:\Users\MD\AppData\Roaming\wgwcehr
FirewallRules: [{B214CD8E-90F1-44B7-8980-C27988E20A7D}] => (Allow) C:\Program Files\WindowsApps\SAMSUNGELECTRONICSCoLtd.SamsungFlux_3.5.14.0_x64__wyx1vj98g3asy\DesktopApp\SamsungFlowDesktop.exe No File
FirewallRules: [{46B96569-9626-4B5F-B378-AD2407E1E61E}] => (Allow) C:\Program Files\WindowsApps\SAMSUNGELECTRONICSCoLtd.SamsungFlux_3.5.14.0_x64__wyx1vj98g3asy\DesktopApp\SamsungFlowDesktop.exe No File
FirewallRules: [{5B0C698A-0719-4BFC-8F7C-CC4F5125E9A4}] => (Allow) C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHost.exe No File
FirewallRules: [{07914E43-E64B-47D0-848C-2478857D52CE}] => (Allow) C:\Program Files (x86)\Common Files\Mcafee\MMSSHost\MMSSHost.exe No File
FirewallRules: [{B2FDF454-26F7-490B-8483-0D211BB4956D}] => (Allow) C:\Program Files (x86)\Innovates\Pitchers.exe No File
FirewallRules: [{757BE30B-E6E5-41C6-B3EC-6875F5E7AC8F}] => (Allow) C:\Program Files (x86)\Spineless\Pitchers.exe No File
FirewallRules: [{F32D02B1-DCCC-4C61-AA89-59DDA144397A}] => (Allow) C:\Program Files (x86)\deliciousness\Instructs.exe No File
FirewallRules: [{3152C03F-798F-41BD-92AE-468AD3FB859C}] => (Allow) C:\Program Files (x86)\Spineless\Instructs.exe No File
Folder: C:\fvbbk
Folder: C:\ProgramData\bomgar-scc-0x5d0a6c6b
Virustotal: C:\WINDOWS\system32\mcupdate_GenuineIntel.dll
CMD: Bitsadmin /Reset /Allusers

*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => could not remove, key could be protected
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{68AAC1DC-3915-4988-AC7E-C5A93F9AEE96}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{68AAC1DC-3915-4988-AC7E-C5A93F9AEE96}" => removed successfully
C:\WINDOWS\System32\Tasks\deinstitutionalization => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\deinstitutionalization" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8A81805B-2886-48D1-A9F3-41B175E31F35}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8A81805B-2886-48D1-A9F3-41B175E31F35}" => removed successfully
C:\WINDOWS\System32\Tasks\deinstitutionalizationdeinstitutionalization => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\deinstitutionalizationdeinstitutionalization" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F318966A-D0D2-49C9-BAC7-3F3599673753}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F318966A-D0D2-49C9-BAC7-3F3599673753}" => removed successfully
C:\WINDOWS\System32\Tasks\{2A37FE43-6043-496F-9B18-743A2950AB5C} => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{2A37FE43-6043-496F-9B18-743A2950AB5C}" => not found
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKU\S-1-5-21-3181282482-3321046939-1998509028-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully
HKU\S-1-5-21-3181282482-3321046939-1998509028-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{092E70FB-7DD7-45C0-8FD2-2F09C220DDEE} => removed successfully
HKLM\Software\Classes\CLSID\{092E70FB-7DD7-45C0-8FD2-2F09C220DDEE} => not found
C:\Users\MD\AppData\Roaming\Mozilla\Firefox\Profiles\ahur6mrs.default\user.js => moved successfully
C:\Users\MD\AppData\Roaming\Mozilla\Firefox\Profiles\dupc4xje.default-release\searchplugins\bing-lavasoft-ff59.xml => moved successfully
HKLM\System\CurrentControlSet\Services\atgsuw => removed successfully
atgsuw => service removed successfully
C:\Users\MD\AppData\Roaming\MajorAV => moved successfully
C:\Users\MD\AppData\Roaming\netcache => moved successfully
C:\WINDOWS\system32\appmgmt => moved successfully
C:\WINDOWS\system32\iaivnek => moved successfully
C:\WINDOWS\SysWOW64\iaivnek => moved successfully
C:\ProgramData\AMDTools => moved successfully
C:\ProgramData\TeamViewerStorage => moved successfully
C:\ProgramData\WindowsTools => moved successfully
"C:\WINDOWS\System32\Tasks\{2A37FE43-6043-496F-9B18-743A2950AB5C}" => not found
C:\Users\MD\AppData\Roaming\et => moved successfully
C:\ProgramData\{2A3806D4-A9D4-4B93-9C2C-74C3B150ABA0} => moved successfully
C:\Program Files (x86)\Sec => moved successfully
C:\Program Files (x86)\weekdays => moved successfully
C:\Program Files (x86)\Spineless => moved successfully
C:\Program Files (x86)\Innovates => moved successfully
C:\Users\MD\AppData\Local\lobby.dat => moved successfully
C:\Users\MD\AppData\Local\ApplicationHosting.dat => moved successfully
"C:\WINDOWS\System32\Tasks\deinstitutionalization" => not found
"C:\WINDOWS\System32\Tasks\deinstitutionalizationdeinstitutionalization" => not found
C:\WINDOWS\b42233278 => moved successfully
C:\Users\MD\AppData\Local\PeerDistRepub => moved successfully
C:\ProgramData\8BP05XKK8CZ1X29C6IZDPZLC2 => moved successfully
C:\Users\MD\AppData\Local\sha.db => moved successfully
C:\ProgramData\Optimizer => moved successfully
C:\Users\MD\AppData\Local\installer.dat => moved successfully
C:\Users\MD\AppData\Local\DBG => moved successfully
C:\ProgramData\Pader => moved successfully
C:\Users\MD\AppData\Roaming\hbswfra => moved successfully
C:\Users\MD\AppData\Roaming\wgwcehr => moved successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B214CD8E-90F1-44B7-8980-C27988E20A7D}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{46B96569-9626-4B5F-B378-AD2407E1E61E}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5B0C698A-0719-4BFC-8F7C-CC4F5125E9A4}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{07914E43-E64B-47D0-848C-2478857D52CE}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B2FDF454-26F7-490B-8483-0D211BB4956D}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{757BE30B-E6E5-41C6-B3EC-6875F5E7AC8F}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F32D02B1-DCCC-4C61-AA89-59DDA144397A}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3152C03F-798F-41BD-92AE-468AD3FB859C}" => removed successfully

========================= Folder: C:\fvbbk ========================

C:\fvbbk => File

====== End of Folder: ======


========================= Folder: C:\ProgramData\bomgar-scc-0x5d0a6c6b ========================

2019-06-19 13:10 - 2019-02-12 14:55 - 000060656 ____A [87E89FC48D5D656F9658F8C1157A0A55] (bomgar) C:\ProgramData\bomgar-scc-0x5d0a6c6b\remove.exe

====== End of Folder: ======

VirusTotal: C:\WINDOWS\system32\mcupdate_GenuineIntel.dll => https://www.virustot...sis/1560397381/

========= Bitsadmin /Reset /Allusers =========


BITSADMIN version 3.0
BITS administration utility.
© Copyright Microsoft Corp.

0 out of 0 jobs canceled.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 6053888 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 7379062 B
Java, Flash, Steam htmlcache => 1124 B
Windows/system/drivers => 1090214 B
Edge => 4586 B
Chrome => 0 B
Firefox => 177409528 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
LocalService => 0 B
NetworkService => 1188 B
NetworkService => 0 B
MD => 26209370 B

RecycleBin => 100689179 B
EmptyTemp: => 304.1 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 21-06-2019 13:42:41)


Result of scheduled keys to remove after reboot:

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => could not remove, key could be protected

==== End of Fixlog 13:42:41 ====

 

 

Here is from adwcleaner

 

# -------------------------------
# Malwarebytes AdwCleaner 7.3.0.0
# -------------------------------
# Build:    04-04-2019
# Database: 2019-06-18.1 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    06-21-2019
# Duration: 00:00:00
# OS:       Windows 10 Pro
# Cleaned:  2
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted       HKLM\Software\Wow6432Node\\Classes\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Deleted       HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [4626 octets] - [18/06/2019 16:12:52]
AdwCleaner[C00].txt - [2733 octets] - [18/06/2019 16:14:38]
AdwCleaner[S01].txt - [3092 octets] - [18/06/2019 16:16:42]
AdwCleaner[S02].txt - [1432 octets] - [18/06/2019 17:38:01]
AdwCleaner[S03].txt - [1493 octets] - [18/06/2019 19:00:07]
AdwCleaner[C03].txt - [1679 octets] - [18/06/2019 19:05:08]
AdwCleaner[S04].txt - [1854 octets] - [21/06/2019 13:50:23]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C04].txt ##########

[iMacg3]

Hi,

Some remnants to clean up:

---------------------------------------------------
Farbar Recovery Scan Tool - Fix

• Highlight the contents of the below code box and press Ctrl + C on your keyboard:
  

  Start::
  CreateRestorePoint:
  Closeprocesses:
  VirusTotal: C:\ProgramData\bomgar-scc-0x5d0a6c6b\remove.exe;C:\fvbbk
  Unlock: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
  DeleteKey: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
  Reboot:
  End::
  

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

• Double-click FRST.exe/FRST64.exe to run it.
• Press the Fix button just once and wait.
• Restart the computer if prompted.
• When the fix is complete FRST will generate a log in the same location it was run from (Fixlog.txt)
• Please copy and paste its contents into your reply.

[iMacg3]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

[iMacg3]

User returned

[elzin]

What is now happening, upon each restart / power on, it will say "fixing and repairing volume" with some other random things characters across the bottom. It only appears very briefly and then goes away. I have done the chkdsk command, and checked for errors under C:\ Clicked properties \ tools  \ check for errors and nothing was coming up so I am not sure why it says it is fixing and repairing every time I restart. I thought it would do it maybe once while in the process of fixing everything else however it does it every time. Please advise. Thank you.

[iMacg3]

Hi,

---------------------------------------------------
FRST scan

• Double-click FRST.exe/FRST64.exe to run it.
• Press the Scan button.
• When finished, it will produce logs called FRST.txt and Addition.txt in the same directory the tool was run from.
• Please copy and paste the logs in your next reply.

---------------------------------------------------

In your next reply, please include:

• FRST.txt
• Addition.txt

[iMacg3]

Hi,

Do you still need help?

[iMacg3]

Due to lack of feedback, this topic has been closed.If you need this topic reopened, please contact a staff member.This applies only to the original topic starter.Everyone else please begin a New Topic.