Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

possible rootkit [Solved]

Started by JTug , Oct 02 2021 09:46 AM

  • This topic is locked This topic is locked

#1
JTug
Posted 02 October 2021 - 09:46 AM

JTug

    Member

  • Member
  • PipPip
  • 21 posts

Hello,

Need help please.

Attached the FSR logs.

 

Thank you!

 


  • 0

Advertisements

#2
DR M
Posted 02 October 2021 - 09:58 AM

DR M

    The Grecian Geek

  • Malware Removal
  • 4,107 posts

Hi, JTug.

 

Welcome to GTG Forums.

 

You didn't attached the logs. Why do you think you are infected by a rootkit?


  • 0

#3
JTug
Posted 02 October 2021 - 10:04 AM

JTug

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts

sorry cant upload


Edited by JTug, 02 October 2021 - 04:38 PM.

  • 0

#4
DR M
Posted 02 October 2021 - 10:14 AM

DR M

    The Grecian Geek

  • Malware Removal
  • 4,107 posts

Thank you for the logs. I will review them and be back to you as soon as I can.

 

Here are the ground rules during the cleaning procedure:

 

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

4. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

5. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.
 


  • 1

#5
DR M
Posted 02 October 2021 - 10:32 AM

DR M

    The Grecian Geek

  • Malware Removal
  • 4,107 posts

Hello.

 

It seems that FRST ran in the COMODO virtual environment. As a result, we see a false image generated inside the Comodo sandbox.
 
Reboot the system and then run FRST again, outside the COMODO Sandbox. 

  • 0

#6
JTug
Posted 02 October 2021 - 11:15 AM

JTug

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts

 

Hello.

 

It seems that FRST ran in the COMODO virtual environment. As a result, we see a false image generated inside the Comodo sandbox.
 
Reboot the system and then run FRST again, outside the COMODO Sandbox. 

 

Hi,

Thanks for your help and time.

 

I reboot and try to run FSR outside sandbox, but FSR crash all the time (Not Responding)!!!

Any idea or alternative tool?

 

Thank you


  • 0

#7
DR M
Posted 02 October 2021 - 11:25 AM

DR M

    The Grecian Geek

  • Malware Removal
  • 4,107 posts

Disable COMODO and try to run FRST again. 

 

This is from COMODO: Comodo Internet Security Enable / Disable AV, Firewall Auto-Sandbox and Viruscope

 

Let me know about the result. 


  • 1

#8
JTug
Posted 02 October 2021 - 11:41 AM

JTug

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts

Logs attached.

 

Kindest Regards

Attached Files


  • 0

#9
DR M
Posted 02 October 2021 - 12:51 PM

DR M

    The Grecian Geek

  • Malware Removal
  • 4,107 posts

Hi, JTug.
 
Right now, there is no sign of active indection. However, I see that your files have been encrypted by TISC Ransomware. TISC is a file-encrypting ransomware infection that restricts access to data (documents, images, videos) by encrypting files with the “.tisc” extension. It then attempts to extort money from victims by asking for “ransom”, in the form of Bitcoin cryptocurrency, in exchange for access to data. 

The first thing you can do is to upload samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR). This service is strictly for identifying what ransomware may have encrypted your files. It will attempt to point you in the right direction, and let you know if there is a known way of decrypting your files.
 
After that, although I see from your logs that you have done a lot of checks with several tools, we can use some other tools to ensure that everything is clean.

 

Here are my comments/instructions: 

 
1. P2P program

You have uTorrent Web installed in your computer. This is a P2P program. P2P programs form a direct conduit on to a computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. If you don't uninstall it, your computer will probably get infected again, as soon as you use it again. But it is your computer and of course your decision.
 
If you decide to keep it, DON'T use it during the cleaning procedure.
 
If you decide to uninstall it:

  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following program on the list:
uTorrent Web
  • Select the above program and click Uninstall.
  • Restart the computer.

 

2. Proxies
 
Have you intentionally enabled these proxies? 
 
ProxyEnable: [S-1-5-21-223814551-1140071388-4042786358-1001] => Proxy is enabled.
 
FF NetworkProxy: Mozilla\Firefox\Profiles\l8xjodc1.default-release -> type", 0
FF Extension: (Proxy Failover) - C:\Users\JTug\AppData\Roaming\Mozilla\Firefox\Profiles\l8xjodc1.default-release\features\{82eb8f34-4d71-4c32-887a-de1fe73455db}\[email protected] [2021-09-30]
 
 
3. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.
Start::
CreateRestorePoint:
CloseProcesses:
ContextMenuHandlers1: [CLVDShellExt] -> {3E2A0A32-6E14-4BAD-AA87-BBB6A75EBFF2} =>  -> No File
ContextMenuHandlers1: [SHAREit.FileContextMenuExt] -> {430BD134-576D-4E75-87CD-0F5C6221A82B} =>  -> No File
ContextMenuHandlers2: [CLVDShellExt] -> {3E2A0A32-6E14-4BAD-AA87-BBB6A75EBFF2} =>  -> No File
ContextMenuHandlers4: [SHAREit.FileContextMenuExt] -> {430BD134-576D-4E75-87CD-0F5C6221A82B} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-223814551-1140071388-4042786358-1001 -> DefaultScope {58A62C29-8274-4A96-9D1A-261431BDBAEA} URL = 
SearchScopes: HKU\S-1-5-21-223814551-1140071388-4042786358-1001 -> {58A62C29-8274-4A96-9D1A-261431BDBAEA} URL = 
FirewallRules: [{B7C9703F-89BB-46A6-B572-1E81741F6338}] => (Allow) C:\Program Files (x86)\Lenovo\SHAREit\SHAREit.exe => No File
FirewallRules: [{B70742A6-3CA1-4246-8167-1B7D931296AD}] => (Allow) C:\Program Files (x86)\Lenovo\SHAREit\SHAREit.exe => No File
FirewallRules: [{AB73E184-BE4D-4643-8EA2-C91DD11F59FA}] => (Allow) C:\Program Files (x86)\Lenovo\Lenovo Photo Master\PhotoPlus.exe => No File
FirewallRules: [{6095FCF1-45A4-45E2-896E-F78952F7B5EF}] => (Allow) C:\Program Files (x86)\Lenovo\Lenovo Photo Master\subsys\AdvPhotoEditor\PhotoDirector5.exe => No File
FirewallRules: [{FD299C02-28F3-4529-8132-B2FE2F6B3490}] => (Allow) C:\Program Files\Lenovo PhotoMasterImport\PhotoMasterImport.exe => No File
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
S2 0161891631361214mcinstcleanup; C:\WINDOWS\TEMP\016189~1.EXE -cleanup -nolog [X]
S2 CCSDK; C:\Program Files (x86)\Lenovo\CCSDK\CCSDK.exe [X]
S2 Lenovo System Agent Service; "C:\Program Files\Lenovo\iMController\SystemAgentService.exe" [X]
S2 LUService; C:\Program Files (x86)\Lenovo\Lenovo Updates\LUService.exe [X]
S1 amsdk; \??\C:\WINDOWS\system32\drivers\amsdk.sys [X]
2021-10-02 15:22 - 2021-10-02 15:23 - 000153320 _____ C:\TDSSKiller.2.8.16.0_02.10.2021_15.22.43_log.txt
2021-10-02 15:22 - 2021-10-02 15:22 - 002237968 _____ (Kaspersky Lab ZAO) C:\Users\JTug\Downloads\tdsskiller.exe
2021-10-02 15:20 - 2021-10-02 15:21 - 005198336 _____ (AVAST Software) C:\Users\JTug\Downloads\aswMBR.exe
2021-10-02 10:54 - 2021-10-02 16:37 - 000000000 ____D C:\Users\JTug\AppData\Local\FSDART
2021-10-02 10:54 - 2021-10-02 12:42 - 000000000 ____D C:\ProgramData\F-Secure
2021-10-02 10:54 - 2021-10-02 10:54 - 000000000 ____D C:\Users\JTug\AppData\Local\F-Secure
2021-10-02 10:52 - 2021-10-02 10:52 - 012401864 _____ (F-Secure Corporation) C:\Users\JTug\Downloads\F-SecureOnlineScanner.exe
2021-10-02 10:50 - 2021-10-02 10:55 - 000000000 ____D C:\KVRT2020_Data
2021-10-02 10:49 - 2021-10-02 10:49 - 107072880 _____ (AO Kaspersky Lab) C:\Users\JTug\Downloads\KVRT.exe
2021-10-02 10:48 - 2021-10-02 10:48 - 003333936 _____ (Trend Micro Inc.) C:\Users\JTug\Downloads\HousecallLauncher64.exe
2021-10-02 10:48 - 2021-10-02 10:48 - 000000036 _____ C:\Users\JTug\AppData\Local\housecall.guid.cache
2021-10-02 10:34 - 2021-10-02 12:48 - 000910523 _____ C:\WINDOWS\ZAM.krnl.trace
2021-10-02 10:34 - 2021-10-02 10:34 - 000000000 ____D C:\Users\JTug\AppData\Local\Zemana
2021-10-02 10:33 - 2021-10-02 12:48 - 000000000 ____D C:\Users\JTug\AppData\Local\AMSDK
2021-10-02 10:00 - 2021-10-02 10:00 - 000000000 ____D C:\Program Files\Malwarebytes
2021-10-02 09:55 - 2021-10-02 17:32 - 000000000 ____D C:\Users\JTug\Desktop\comboF
2021-10-01 19:30 - 2021-10-01 19:30 - 000000000 ___HD C:\$AV_ASW
2021-10-01 19:26 - 2021-10-01 19:26 - 000000000 ____D C:\Users\JTug\AppData\Local\CEF
2021-10-01 19:10 - 2021-10-01 19:10 - 000000000 ____D C:\ProgramData\SProvide
2021-10-01 19:09 - 2021-10-02 16:37 - 000000000 ____D C:\ProgramData\Avast Software
2021-10-01 19:03 - 2021-10-01 19:03 - 000000108 _____ C:\Users\João
2021-10-01 19:00 - 2021-10-01 19:30 - 012134044 _____ C:\ProgramData\zohplghndapsm.tmp
2021-10-01 18:58 - 2021-10-01 18:58 - 000000000 ____D C:\ProgramData\Posse
2021-10-01 18:51 - 2021-10-01 18:51 - 000000000 ____D C:\Users\JTug\AppData\Roaming\calaba
2021-10-01 18:30 - 2021-10-01 18:44 - 000000000 ____D C:\ProgramData\Systemd
2021-10-01 18:30 - 2021-10-01 18:31 - 000000000 ____D C:\ProgramData\LKV6C095U2AXBTSQAKA51HXZH
2021-10-01 18:29 - 2021-10-01 18:29 - 000000000 ____D C:\Users\JTug\AppData\Local\Yandex
2021-10-01 18:28 - 2021-10-01 18:28 - 003265024 _____ C:\Users\JTug\AppData\Roaming\2323329.scr
2021-10-01 18:28 - 2021-10-01 18:28 - 002788864 _____ C:\Users\JTug\AppData\Roaming\2280703.scr
2021-10-01 18:28 - 2021-10-01 18:28 - 000216064 _____ (jfasdjk) C:\Users\JTug\AppData\Roaming\2366582.scr
2021-10-01 18:28 - 2021-10-01 18:28 - 000206848 _____ (jfasdjk) C:\Users\JTug\AppData\Roaming\4514659.scr
2021-10-01 18:28 - 2021-10-01 18:28 - 000068608 _____ (Hoting) C:\Users\JTug\AppData\Roaming\6999437.scr
2021-10-01 18:48 - 2017-05-31 10:48 - 000000000 ____D C:\AdwCleaner
2021-10-01 18:40 - 2018-11-06 16:01 - 000000000 ____D C:\Saft
2021-10-01 18:40 - 2018-06-13 08:09 - 000000000 ____D C:\Astor
2021-10-01 18:40 - 2017-06-19 14:35 - 000000000 ____D C:\SiLabs
2021-09-13 16:48 - 2015-06-18 19:56 - 000000000 ____D C:\Program Files\Common Files\McAfee
2021-09-12 00:19 - 2015-06-18 19:56 - 000000000 ____D C:\ProgramData\McAfee
EmptyTemp: 
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

 

4. Eset Online Scanner

Download ESET Online Scanner and save it to your desktop.

  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.

 

In your next reply please post:

  • What did you do with the P2P program
  • Your reply about proxies
  • The fixlog.txt
  • The eset.txt

  • 0

#10
JTug
Posted 02 October 2021 - 04:36 PM

JTug

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts

Hi DR M,

 

"What did you do with the P2P program" --> I will remove later.

 

"Your reply about proxies" --> I dont do that with the proxies, should be the malware.

 

Attached the logs.

 

I upload file to id-ransomware, you can see: https://id-ransomwar...98eb43f2f07dd65

 

Thanks

Attached Files


  • 0

Advertisements

#11
DR M
Posted 03 October 2021 - 12:40 AM

DR M

    The Grecian Geek

  • Malware Removal
  • 4,107 posts

Good day to you, JTug.
 
Unfortunately, in most cases, it’s not possible to recover the files encrypted by the TISC ransomware because the private key which is needed to unlock the encrypted files is only available through the cybercriminals. But you can use Emsisoft decryptor and check if you can do something: Emsisoft releases new decryptor for STOP Djvu ransomware - Emsisoft | Security Blog
 

Let's see fresh FRST logs now. 


  • 0

#12
JTug
Posted 03 October 2021 - 04:19 AM

JTug

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts

Hello and good day to you,

No luck with emisoft. I do some research and reading (https://geeksadvice....nsomware-virus/), do you trust on this info?

 

Attached the logs.

Regards,

ps: im gonna unistall p2p now

Attached Files


  • 0

#13
DR M
Posted 03 October 2021 - 04:43 AM

DR M

    The Grecian Geek

  • Malware Removal
  • 4,107 posts

You forgot the Addition.txt . :)

 

Since you are going to uninstall the P2P program, run the FRST after the uninstall and attach both logs here. 

 

I would also like to remind you the second ground rule:

 

Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

 

Also please DO NOT edit your posts after they are being answered.

 

You make the procedure more difficult and complicated to me. 

 

Thanks. 


  • 0

#14
JTug
Posted 03 October 2021 - 04:58 AM

JTug

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts

done.

thanks

Attached Files


  • 0

#15
DR M
Posted 03 October 2021 - 06:38 AM

DR M

    The Grecian Geek

  • Malware Removal
  • 4,107 posts

Hi, JTug.
 
Have you removed elsewhere most of the encrypted files?
 
It seems that unfortunately Emsisoft could not decrypted them and there is nothing to do about this, rather than keep the files hoping for a method to decrypt them one day. 
 
Let's continue.
 
1. Move FRST on to the Desktop
 
Please move FRST tool on to your Desktop. Just drag it from the ComboF folder on to the Desktop.
 
2. Uninstall Lenovo App Services
 
This pre-installed program by SweetLabs is considered as a PUP, meaning a potentially unwanted application. Please uninstall it.

  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following program on the list:
Lenovo App Services
  • Select the above program and click Uninstall.
  • Restart the computer.

 

3. FRST fix
Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.
Start::
CreateRestorePoint:
CloseProcesses:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\amsdk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\amsdk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKU\S-1-5-21-223814551-1140071388-4042786358-1001\...\StartupApproved\Run: => "utweb"
FirewallRules: [{DD133BAD-4018-4615-B392-6F4564916935}] => (Allow) C:\Users\JTug\AppData\Roaming\uTorrent Web\utweb.exe => No File
FirewallRules: [{3DD26CA3-1F63-40DE-AEC3-7E4528CB2C6F}] => (Allow) C:\Users\JTug\AppData\Roaming\uTorrent Web\utweb.exe => No File
HKU\S-1-5-21-223814551-1140071388-4042786358-1001\...\Run: [utweb] => "C:\Users\JTug\AppData\Roaming\uTorrent Web\utweb.exe" /MINIMIZED
FF NetworkProxy: Mozilla\Firefox\Profiles\l8xjodc1.default-release -> type", 0
Task: {F080E6AE-B1C4-495E-93EE-EBAC5ACE2DA0} - System32\Tasks\Lenovo App Services => C:\ProgramData\Lenovo App Services\Engine\LenovoAppServices.exe [7657160 2020-12-31] (SweetLabs Inc. -> Lenovo)
Task: {044B8B59-15B0-4D90-A17B-BD41584A4048} - System32\Tasks\Lenovo\Experience Improvement Logon => C:\Program Files\Lenovo\ExperienceImprovement\LenovoExperienceImprovement.exe
Task: {3C7D0669-1011-4889-9FFB-51ED57F37630} - System32\Tasks\Lenovo\Dependency Package Auto Update => C:\Program Files\Lenovo\iMController\AutoUpdate.exe
2021-10-03 09:11 - 2021-10-03 09:42 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GridinSoft Anti-Malware
2021-10-03 09:11 - 2021-10-03 09:11 - 000000000 ____D C:\ProgramData\GridinSoft
2021-10-03 09:10 - 2021-10-03 09:42 - 000000000 ____D C:\Program Files\GridinSoft Anti-Malware
2021-10-03 09:04 - 2021-10-03 09:04 - 000989584 _____ (GridinSoft LLC) C:\Users\JTug\Downloads\install-antimalware-gsa.exe
2021-10-02 15:27 - 2021-10-02 15:41 - 000000000 ____D C:\Users\JTug\Desktop\mbar
2021-10-02 15:27 - 2021-10-02 15:41 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2021-10-02 15:27 - 2021-10-02 15:27 - 000255928 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\1443A1E9.sys
2021-10-02 15:27 - 2021-10-02 15:27 - 000192952 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2021-10-02 15:27 - 2021-10-02 15:27 - 000000000 ____D C:\ProgramData\Malwarebytes
2021-10-02 10:54 - 2021-10-02 16:37 - 000000000 ____D C:\Users\JTug\AppData\Local\FSDART
2021-10-02 10:54 - 2021-10-02 10:54 - 000000000 ____D C:\Users\JTug\AppData\Local\F-Secure
2021-10-02 10:48 - 2021-10-02 10:48 - 000000036 _____ C:\Users\JTug\AppData\Local\housecall.guid.cache
2021-10-02 10:34 - 2021-10-02 10:34 - 000000000 ____D C:\Users\JTug\AppData\Local\Zemana
2021-10-02 10:33 - 2021-10-02 12:48 - 000000000 ____D C:\Users\JTug\AppData\Local\AMSDK
2021-10-02 09:55 - 2021-10-03 08:39 - 000000000 ____D C:\Users\JTug\Desktop\comboF
2021-10-01 19:26 - 2021-10-01 19:26 - 000000000 ____D C:\Users\JTug\AppData\Local\CEF
2021-10-01 18:55 - 2021-10-01 19:37 - 000000000 ____D C:\Users\JTug\AppData\Roaming\Intel Rapid
2021-10-01 18:51 - 2021-10-01 18:51 - 000000000 ____D C:\Users\JTug\AppData\Roaming\calaba
2021-10-01 18:30 - 2021-10-01 19:37 - 000000000 ____D C:\ProgramData\Microsoft Network
2021-10-01 18:30 - 2021-10-01 18:30 - 000000001 _____ C:\ProgramData\check.txt
2021-10-01 18:30 - 2021-10-01 18:30 - 000000000 ____D C:\ProgramData\Data
2021-10-01 18:29 - 2021-10-02 20:35 - 000000000 ____D C:\Users\JTug\AppData\Local\e9c329ea-2afc-41e9-92cf-f5eb6febe253
2021-10-01 18:29 - 2021-10-01 19:32 - 000000000 ____D C:\Users\JTug\AppData\Local\aab6d2d4-4ebf-4bee-bef7-007a986d6986
2021-10-01 18:29 - 2021-10-01 18:30 - 000000000 ____D C:\SystemID
2021-10-01 18:29 - 2021-10-01 18:29 - 000000559 _____ C:\Users\JTug\AppData\Local\bowsakkdestx.txt
2021-10-01 18:29 - 2021-10-01 18:29 - 000000000 ____D C:\Users\JTug\AppData\Local\Yandex
2021-10-01 18:28 - 2021-10-01 19:37 - 000000000 ___HD C:\Users\JTug\AppData\Roaming\WinHost
2021-10-01 18:28 - 2021-10-01 18:28 - 000068608 _____ (Hoting) C:\Users\JTug\AppData\Roaming\6999437.scr
2021-10-01 18:40 - 2021-10-01 18:40 - 000001110 _____ C:\Users\JTug\_readme.txt
2021-09-12 07:38 - 2021-10-01 18:06 - 000000000 ____D C:\Users\JTug\AppData\Local\BitTorrentHelper
2021-09-11 17:09 - 2021-09-11 17:09 - 000001874 _____ C:\Users\JTug\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\uTorrent Web.lnk
2021-09-11 17:09 - 2021-09-11 17:09 - 000000000 ____D C:\Users\JTug\AppData\Local\UTW008
2021-10-02 09:39 - 2015-06-18 19:52 - 000000000 ____D C:\ProgramData\Lenovo App Services
C:\Users\JTug\AppData\Roaming\uTorrent Web
C:\ProgramData\Lenovo App Services
C:\Program Files\Lenovo\ExperienceImprovement
C:\Program Files\Lenovo\iMController
RestoreQuarantine: C:\FRST\Quarantine\C\Saft
RestoreQuarantine: C:\FRST\Quarantine\C\SiLabs
RestoreQuarantine: C:\FRST\Quarantine\C\Astor
RemoveProxy:
EmptyTemp: 
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP