Windows 10 Windows Script Host: Error 80070002
Solved
Anonymous user
-
MisteryBean Posted messages 8947 Registration date Status Moderator Last intervention -
Hello everyone,
could someone help me with this error that occurred today?
Does anyone know the solution or has already encountered this problem?
10 replies
Hello,
This Windows Script Host error is related to a USB infection.
To check the computer, I invite you to perform this FRST scan and return the reports:
Follow the FRST tutorial. ( take the time to read carefully - everything is well explained ).
Download and run the FRST scan,
Wait for the scan to finish, a message will indicate that the analysis is complete.
Three FRST reports will be generated:
- FRST.txt
- Shortcut.txt
- Additionnal.txt
Send these 3 reports to the site https://pjjoint.malekal.com/ to share them.
In return, provide the 3 pjjoint links leading to the reports here in a new response so that we can consult them.
--
Please press any key to continue the disinfection...
Uninstall Avast Secure Browser, it's useless.
CCleaner isn't really useful, even though it's recommended everywhere.
If you want to keep it, disable CCleaner's monitoring: it is unnecessary, starts up with Windows and slows it down with its incessant cleanings, see: https://www.malekal.com/supprimer-ccleaner-demarrage-windows/
Here are the corrections to make with FRST. You can refer to this explanatory note with screenshots.
Restart FRST and then press CTRL + Y on your keyboard.
The notepad will open, copy/paste this.
CreateRestorePoint:
CloseProcesses:
2018-08-22 12:56 - 2018-08-22 12:56 - 000003708 _____ () C:\Program Files\Common Files\AppLoaderPM.xml
2018-08-22 12:55 - 2018-08-22 12:55 - 000000000 _____ () C:\Users\yapap\AppData\Roaming\y0n1xkRhpsSdsjI.db
2018-08-22 08:39 - 2018-08-22 08:39 - 000140800 _____ () C:\Users\yapap\AppData\Local\installer.dat
InternetURL: C:\Users\yapap\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BznMMQqmAG.url ->
Startup: C:\Users\yapap\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JUplwUQDOu.vbs [2018-08-22] ()
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
R2 WCAssistantService; C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe [25888 2018-08-22] ()
S4 knqeybfa; C:\Windows\SysWOW64\knqeybfa\kreehskf.exe [X]
2018-08-22 08:41 - 2018-08-22 09:47 - 000000000 ____D C:\Windows\System32\Tasks\System
2018-08-22 08:41 - 2018-08-22 09:44 - 000000000 __SHD C:\ProgramData\nojcigtleniswk
2018-08-22 14:14 - 2018-08-22 14:14 - 000000000 __SHD C:\Users\yapap\Desktop\Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}
2018-08-22 13:01 - 2018-08-23 07:53 - 000000000 _RSHD C:\ProgramData\{76e7fb6b-683d-588d-352c-30e0ef438185}
2018-08-22 12:57 - 2018-08-22 13:28 - 000000000 __SHD C:\ProgramData\Flash
2018-08-22 12:57 - 2018-08-22 13:28 - 000000000 ____D C:\Program Files\TKH4TLVOSQ
2018-08-22 12:57 - 2018-08-22 13:27 - 000000000 __SHD C:\ProgramData\{IT1VI14H-PYI9-ASVV-N6DOQR0PLI0Z}
2018-08-22 12:57 - 2018-08-22 13:27 - 000000000 __SHD C:\ProgramData\{I4X61SXO-MXWA-38OH-6I61ZJCAEFQD}
2018-08-22 12:57 - 2018-08-22 13:06 - 000000000 ____D C:\Users\yapap\AppData\Roaming\yn5f4arznl1
2018-08-22 12:57 - 2018-08-22 13:05 - 000000000 ____D C:\Users\yapap\AppData\Roaming\Msos
2018-08-22 12:55 - 2018-08-23 08:05 - 000000000 ____D C:\Windows\SysWOW64\knqeybfa
2018-08-22 12:55 - 2018-08-22 13:05 - 000000000 _RSHD C:\ProgramData\{ecdc30a3-0062-c488-ad0f-bf67678887e3}
2018-08-22 12:55 - 2018-08-22 12:55 - 000000000 ____D C:\Users\yapap\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\{20949f-a734e6-ecd3-60272a203373}
2018-08-22 12:55 - 2018-08-22 12:55 - 000000000 ____D C:\Users\yapap\AppData\Local\AdvinstAnalytics
2018-08-22 12:55 - 2018-08-22 12:55 - 000000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2018-08-22 12:55 - 2018-08-22 12:55 - 000000000 _____ C:\Users\yapap\AppData\Roaming\y0n1xkRhpsSdsjI.db
Hosts:
EmptyTemp:
RemoveProxy:
Reboot:
Save the content via the file menu then save.
Close the notepad, return to FRST and click the "Fix" button.
A restart may be necessary and automatic.
A text file will appear, copy/paste the content here in a new message.
Restart the computer.
2°)
Reset/Repair the web browsers concerned by the issues:
- Repair Mozilla Firefox (first paragraph)
- Repair Google Chrome (only the first paragraph).
3)
To protect yourself from removable infections like Wscript (Windows Script Host)
Download and install Marmiton
Click on Disable for Windows Script Host.
Marmiton will block malicious scripts (VBS, VBE, JavaScript, etc.), especially those used to spread ransomware like Locky.
To clean removable drives from USB viruses, follow the steps of the tutorial in order: insert your USB keys and external hard drives one by one to clean them. Then send the reports to https://pjjoint.malekal.com/ and provide the links to these reports so we can review them.
Connect all USB keys and other removable peripherals.
- Download Remediate VBS Worm
- Launch option B
- Type the letter of the USB key, for example E, and press Enter
WARNING: DO NOT SPECIFY YOUR HARD DRIVE LETTER!
- Go to "My Computer" then disk "C", a report "Rem-VBS.log" should be found there.
Open this report with notepad and copy/paste the content here in your next reply.
--
Please press a key to continue the disinfection...
Here is the "fixlog" which is called...
Results of the Farbar Recovery Scan Tool (x64) Version: 22.08.2018
Executed by SD (23-08-2018 09:05:04) Run:1
Executed from C:\Users\yapap\Desktop
Loaded profiles: SD (Available profiles: SD)
Boot mode: Normal
==============================================
fixlist contents:
CreateRestorePoint:
CloseProcesses:
2018-08-22 12:56 - 2018-08-22 12:56 - 000003708 _____ () C:\Program Files\Common Files\AppLoaderPM.xml
2018-08-22 12:55 - 2018-08-22 12:55 - 000000000 _____ () C:\Users\yapap\AppData\Roaming\y0n1xkRhpsSdsjI.db
2018-08-22 08:39 - 2018-08-22 08:39 - 000140800 _____ () C:\Users\yapap\AppData\Local\installer.dat
InternetURL: C:\Users\yapap\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BznMMQqmAG.url ->
Startup: C:\Users\yapap\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JUplwUQDOu.vbs [2018-08-22] ()
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
R2 WCAssistantService; C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe [25888 2018-08-22] ()
S4 knqeybfa; C:\Windows\SysWOW64\knqeybfa\kreehskf.exe [X]
2018-08-22 08:41 - 2018-08-22 09:47 - 000000000 ____D C:\Windows\System32\Tasks\System
2018-08-22 08:41 - 2018-08-22 09:44 - 000000000 __SHD C:\ProgramData\nojcigtleniswk
2018-08-22 14:14 - 2018-08-22 14:14 - 000000000 __SHD C:\Users\yapap\Desktop\Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}
2018-08-22 13:01 - 2018-08-23 07:53 - 000000000 _RSHD C:\ProgramData\{76e7fb6b-683d-588d-352c-30e0ef438185}
2018-08-22 12:57 - 2018-08-22 13:28 - 000000000 __SHD C:\ProgramData\Flash
2018-08-22 12:57 - 2018-08-22 13:28 - 000000000 ____D C:\Program Files\TKH4TLVOSQ
2018-08-22 12:57 - 2018-08-22 13:27 - 000000000 __SHD C:\ProgramData\{IT1VI14H-PYI9-ASVV-N6DOQR0PLI0Z}
2018-08-22 12:57 - 2018-08-22 13:27 - 000000000 __SHD C:\ProgramData\{I4X61SXO-MXWA-38OH-6I61ZJCAEFQD}
2018-08-22 12:57 - 2018-08-22 13:06 - 000000000 ____D C:\Users\yapap\AppData\Roaming\yn5f4arznl1
2018-08-22 12:57 - 2018-08-22 13:05 - 000000000 ____D C:\Users\yapap\AppData\Roaming\Msos
2018-08-22 12:55 - 2018-08-23 08:05 - 000000000 ____D C:\Windows\SysWOW64\knqeybfa
2018-08-22 12:55 - 2018-08-22 13:05 - 000000000 _RSHD C:\ProgramData\{ecdc30a3-0062-c488-ad0f-bf67678887e3}
2018-08-22 12:55 - 2018-08-22 12:55 - 000000000 ____D C:\Users\yapap\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\{20949f-a734e6-ecd3-60272a203373}
2018-08-22 12:55 - 2018-08-22 12:55 - 000000000 ____D C:\Users\yapap\AppData\Local\AdvinstAnalytics
2018-08-22 12:55 - 2018-08-22 12:55 - 000000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2018-08-22 12:55 - 2018-08-22 12:55 - 000000000 _____ C:\Users\yapap\AppData\Roaming\y0n1xkRhpsSdsjI.db
Hosts:
EmptyTemp:
RemoveProxy:
Reboot:
The restore point was successfully created.
Processes successfully closed.
C:\Program Files\Common Files\AppLoaderPM.xml => moved successfully
C:\Users\yapap\AppData\Roaming\y0n1xkRhpsSdsjI.db => moved successfully
C:\Users\yapap\AppData\Local\installer.dat => moved successfully
C:\Users\yapap\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BznMMQqmAG.url => moved successfully
C:\Users\yapap\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JUplwUQDOu.vbs => moved successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Google" => deleted successfully
"HKLM\System\CurrentControlSet\Services\WCAssistantService" => deleted successfully
WCAssistantService => service deleted successfully
"HKLM\System\CurrentControlSet\Services\knqeybfa" => deleted successfully
knqeybfa => service deleted successfully
C:\Windows\System32\Tasks\System => moved successfully
C:\ProgramData\nojcigtleniswk => moved successfully
C:\Users\yapap\Desktop\Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D} => moved successfully
C:\ProgramData\{76e7fb6b-683d-588d-352c-30e0ef438185} => moved successfully
C:\ProgramData\Flash => moved successfully
C:\Program Files\TKH4TLVOSQ => moved successfully
C:\ProgramData\{IT1VI14H-PYI9-ASVV-N6DOQR0PLI0Z} => moved successfully
C:\ProgramData\{I4X61SXO-MXWA-38OH-6I61ZJCAEFQD} => moved successfully
C:\Users\yapap\AppData\Roaming\yn5f4arznl1 => moved successfully
C:\Users\yapap\AppData\Roaming\Msos => moved successfully
C:\Windows\SysWOW64\knqeybfa => moved successfully
C:\ProgramData\{ecdc30a3-0062-c488-ad0f-bf67678887e3} => moved successfully
C:\Users\yapap\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\{20949f-a734e6-ecd3-60272a203373} => moved successfully
C:\Users\yapap\AppData\Local\AdvinstAnalytics => moved successfully
C:\Program Files (x86)\Microsoft Silverlight => moved successfully
"C:\Users\yapap\AppData\Roaming\y0n1xkRhpsSdsjI.db" => not found
Hosts successfully restored.
========= RemoveProxy: =========
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => deleted successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => deleted successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => deleted successfully
"HKU\S-1-5-21-1028610114-2292961572-1659980261-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => deleted successfully
"HKU\S-1-5-21-1028610114-2292961572-1659980261-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => deleted successfully
========= End of RemoveProxy: =========
=========== EmptyTemp: ==========
BITS transfer queue => 7888896 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 30992782 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 1417498 B
Edge => 10240 B
Chrome => 238977442 B
Firefox => 0 B
Opera => 147884 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 4572 B
LocalService => 0 B
NetworkService => 0 B
NetworkService => 0 B
yapap => 773857512 B
RecycleBin => 0 B
EmptyTemp: => 1004.5 MB temporary data deleted.
================================
The system had to restart.
End of Fixlog 09:05:29
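An added example, not part of the original thread and not FRST's own code: a small Python check that reads a Fixlog in the format posted above and separates entries that were removed, entries reported "not found" only because the same path was listed twice in the fixlist (as happened with the .db file here), and entries that still need a look. The function names are hypothetical, and the sample reuses lines from the log above plus three constructed lines marked as such.

```python
import re

# Result lines in the Fixlog have the shape:  <target> => <outcome>
# The target is sometimes wrapped in double quotes.
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"?\s+=>\s+(?P<outcome>.+?)\s*$')

# Lines echoed from the fixlist ("Task: ...", "Startup: ...") and section totals
# ("EmptyTemp: => ...") start with a directive word followed by a colon.
# A drive path such as C:\ does not match because the colon is followed by "\".
DIRECTIVE_RE = re.compile(r'^[A-Za-z][A-Za-z0-9]*:(\s|$)')

# EmptyTemp statistics such as "Chrome => 238977442 B" are not removal results.
SIZE_RE = re.compile(r'^[\d.]+\s*(B|KB|MB|GB)\b')

# Sample input. Lines marked (constructed) are not from the posted log.
SAMPLE_FIXLOG = r'''
fixlist contents:
CloseProcesses:
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\EXAMPLE => C:\ProgramData\example\example.vbs [2018-01-01] () <==== ATTENTION
Reboot:
Processes successfully closed.
C:\Users\yapap\AppData\Roaming\y0n1xkRhpsSdsjI.db => moved successfully
C:\Users\yapap\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JUplwUQDOu.vbs => moved successfully
"HKLM\System\CurrentControlSet\Services\knqeybfa" => deleted successfully
knqeybfa => service deleted successfully
"C:\Users\yapap\AppData\Roaming\y0n1xkRhpsSdsjI.db" => not found
C:\ProgramData\constructed-example => not found
Chrome => 238977442 B
EmptyTemp: => 1004.5 MB temporary data deleted.
'''
# Constructed lines above: the "Task:" echo, the "constructed-example" path.


def parse_results(fixlog_text):
    """Return (target, outcome) pairs for the removal results in a Fixlog."""
    results = []
    for raw in fixlog_text.splitlines():
        match = RESULT_RE.match(raw.strip())
        if not match:
            continue
        target, outcome = match.group("target"), match.group("outcome")
        # Skip fixlist echoes, section totals and byte-count statistics.
        if DIRECTIVE_RE.match(target) or SIZE_RE.match(outcome):
            continue
        results.append((target, outcome))
    return results


def triage(results):
    """Group results into removed, already handled, and needing review."""
    done = set()  # lower-cased targets already removed (Windows paths ignore case)
    report = {"ok": [], "already_handled": [], "review": []}
    for target, outcome in results:
        key = target.lower()
        if outcome.lower().endswith("successfully"):
            done.add(key)
            report["ok"].append(target)
        elif key in done:
            # Same target listed twice in the fixlist: the first pass removed it.
            report["already_handled"].append(target)
        else:
            # Anything else (for example "not found" with no earlier success)
            # should be checked against a fresh scan.
            report["review"].append((target, outcome))
    return report


if __name__ == "__main__":
    summary = triage(parse_results(SAMPLE_FIXLOG))
    print("removed:", len(summary["ok"]))
    print("already handled:", summary["already_handled"])
    print("review:", summary["review"])
```
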
No it's fine :)
Delete the folder C:\FRST
Finish with a cleanup using Malwarebytes - Malwarebytes Anti-Malware free version tutorial
Avoid regular scans and cleanups with ZHPCleaner or AdwCleaner; they are not useful.
A few tips:
To avoid getting caught again.
To read - Parasite programs / PUPs: Adwares/PUPs folder: unwanted and parasite programs
(Especially enable LPI detections to identify parasite and advertising programs)
--
Please press any key to continue the disinfection...
Hello,
I seem to have the same issue as "IHaveSomeQuestions" previously.
Could you please help me resolve it?
Thank you.
https://pjjoint.malekal.com/files.php?id=FRST_20180921_u11x14i11v7h13
https://pjjoint.malekal.com/files.php?id=20180921_o9z15s9c6t10
https://pjjoint.malekal.com/files.php?id=20180921_e11p8x5u11l11
Hello,
Here is the correction to be made with FRST. You can refer to this explanatory note with screenshots.
Restart FRST and then press CTRL + Y on your keyboard.
The Notepad will open, copy/paste this.
CreateRestorePoint:
CloseProcesses:
Task: {08D6F900-C526-4426-BA51-5C6A5A505021} - System32\Tasks\MPDUW2L8FO22IK => C:\ProgramData\{WIDQW7EN-K469-PFVE-JU06Z9MAD632}\0KTVQMVK1S8U.vbs [2018-09-12] () <==== ATTENTION
Task: {0A7AA876-862F-4F81-AA4B-B73950FA632C} - System32\Tasks\Microsoft\Windows\InstallService\WakeUpAndScanForUpdates
Task: {0E9E9B11-74BC-4FD3-8840-DDAE30734B64} - System32\Tasks\JOQE4C9ZJK4ID7 => C:\ProgramData\{K5MKYES4-2CTI-PPZX-QAYL3ACB9BRM}\Q2ZPBDRHQVU5.vbs [2018-09-08] () <==== ATTENTION
Task: {0F103132-CFD9-46A8-B9F4-1F98A0D8972C} - System32\Tasks\HLV06R65RNFAV3 => C:\ProgramData\{5G1SBKNS-2PG1-TWJR-YUC8215MN1ZT}\TF5DHKI2RT1I.vbs [2018-09-07] () <==== ATTENTION
Task: {1178D219-B9A3-414F-92D4-A9E26B604816} - System32\Tasks\KC3C816HP3MONW => C:\ProgramData\{KC3C816H-XSYY-FP2S-2MTGR1DK1OCZ}\UBOBGADOJ55L.vbs [2018-09-05] () <==== ATTENTION
Task: {1BE936D4-EE40-4F04-84E0-18FFD27C0A6A} - System32\Tasks\Microsoft\Windows\Chkdsk\SyspartRepair => C:\Windows\system32\bcdboot.exe [2018-04-12] (Microsoft Corporation)
Task: {1E3D30FD-578C-4986-85D7-FF68442437EE} - System32\Tasks\4A3RUSHN9YNEWN => C:\ProgramData\{Y4QZTVH4-CS44-RJ1Z-AOWAB3U8TLWR}\43BALOGDA84Q.vbs [2018-09-07] () <==== ATTENTION
Task: {2231CAFE-FABE-41F5-A0B3-842D9319DBF9} - System32\Tasks\microsoft\windows\applicationdata\appuriverifierinstall => C:\Windows\system32\AppHostRegistrationVerifier.exe [2018-09-13] (Microsoft Corporation)
Task: {26D5DA42-6003-4503-8077-A09BDCCE3B08} - System32\Tasks\B223ZIZ0XNLCLH => C:\ProgramData\{YF288PHO-WISG-8H1D-CP8Z9ZN3KMVU}\MMARK99RL1EK.vbs [2018-09-12] () <==== ATTENTION
Task: {2DF366D8-6F94-4BFB-B494-6760CFBAC2DF} - System32\Tasks\Z963VOSGOIU1NB => C:\ProgramData\{JC5QOL7B-8AGP-JVYH-YKWAUMKGDVL5}\47ZAEB6B1LPN.vbs [2018-09-07] () <==== ATTENTION
Task: {31A6D3E3-574A-4B93-9811-93B17C20CF73} - System32\Tasks\cauterizedcauterized => C:\Program Files (x86)\Mathew\moratorium.exe [2018-08-31] ()
Task: {32D95D9D-8878-42E3-ABF9-CBB77F099496} - System32\Tasks\71AM3Q7B9ZCO5M => C:\ProgramData\{D90XW6TN-5ELN-5HP1-44RL3409E9P6}\TOU11C03M8IM.vbs [2018-09-04] () <==== ATTENTION
Task: {4608F6A0-2412-4354-B95E-2C08A50678D8} - \Microsoft\Windows\UNP\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\RunCampaignManager2 -> No file <==== ATTENTION
Task: {468D5305-9776-40A5-85E9-5A1ABDD657C2} - System32\Tasks\FXVOSNU9GCN682 => C:\ProgramData\{GAAPBBQ6-XG19-CHHD-TFHQBEKFBOPK}\CWB4JBUDVFD3.vbs [2018-09-06] () <==== ATTENTION
Task: {541F72F4-A592-4CD8-A957-167A19AEB6C5} - System32\Tasks\RunAsStdUser Task => C:\Program Files (x86)\Moo0\ColorPicker 1.14\ColorPicker.exe [2013-08-14] (Moo0)
Task: {557C7D6B-9167-4FFE-A794-DB04C453FE8D} - System32\Tasks\Microsoft\Windows\Subscription\EnableLicenseAcquisition => C:\Windows\system32\ClipRenew.exe [2018-04-12] (Microsoft Corporation)
Task: {56D9255E-2622-4793-A0D1-90041842BC31} - \Microsoft\Windows\UNP\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Unlock -> No file <==== ATTENTION
Task: {5755CC7D-3572-40FC-AC6D-7FE3B4536A32} - System32\Tasks\XQVGT702C9E824 => C:\ProgramData\{VGQDMSDC-ACW0-5ZJ0-XZXYFD1HZCEU}\267C2E5SRYZF.vbs [2018-09-11] () <==== ATTENTION
Task: {58F647F1-329D-4CCC-8B59-D1E2AD4E1689} - System32\Tasks\C43J8TTSVBF9FZ => C:\ProgramData\{BGTP1VO5-8PLK-EY12-BGTP1VO510D4}\I2ZXYL0RQCGV.vbs [2018-09-12] () <==== ATTENTION
Task: {62BE21A7-D561-4424-9F3F-31BC58015D3C} - System32\Tasks\ADVNY3U1E2QYIT => C:\ProgramData\{BYFEYNOS-J5X8-8OAO-G1GLSRK7S42F}\C8AWLVWLR81I.vbs [2018-09-09] () <==== ATTENTION
Task: {63817941-8590-447D-B4C7-86C0C02EF9EC} - \Microsoft\Windows\UNP\RunCampaignManager -> No file <==== ATTENTION
Task: {690BE4FD-4362-4C54-BC04-BC540461A37C} - System32\Tasks\0TY76ZGU6RT4U1 => C:\ProgramData\{29WFVDXF-EJOP-1SS5-C7WW1J85CD5M}\VHQUATWDBCLP.vbs [2018-09-06] () <==== ATTENTION
Task: {6A8CC987-8DB6-4998-8726-20F1B1726FD1} - System32\Tasks\8P7GXTKJAO988R => C:\ProgramData\{LMO1HZE2-HZZZ-XNTF-BIIZEJSIXVC1}\UWGL98AON2PU.vbs [2018-09-03] () <==== ATTENTION
Task: {6B427178-EF44-4655-AEEB-CF5745184111} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun => C:\Windows\UpdateAssistant\UpdateAssistant.exe [2018-03-05] (Microsoft Corporation)
Task: {6D6695FD-F260-4096-8951-020DBE3AEA66} - System32\Tasks\YM4LFO2ZZHFD92 => C:\ProgramData\{04YRTEN1-PG0B-6E4S-LWEG11PVLCMS}\0XTDD7LSV3SB.vbs [2018-09-05] () <==== ATTENTION
Task: {6DE4F7DC-0B8D-404A-A6C9-83241658F8CA} - System32\Tasks\microsoft\windows\applicationdata\appuriverifierdaily => C:\Windows\system32\AppHostRegistrationVerifier.exe [2018-09-13] (Microsoft Corporation)
Task: {7138D0D3-1873-4A77-86CF-4840F491C90F} - System32\Tasks\Microsoft\XblGameSave\XblGameSaveTask => C:\Windows\System32\XblGameSaveTask.exe [2018-04-12] (Microsoft Corporation)
Task: {71ECCD74-8419-454A-85E4-9668DBF90C7A} - System32\Tasks\RN074OXKVU9A3T => C:\ProgramData\{U11XQ8X4-3TGP-CP8Z-1LUX4VZWVDO4}\S41OXLIP39DL.vbs [2018-09-06] () <==== ATTENTION
Task: {73CC2263-421A-4195-A660-B42B1860A4D2} - System32\Tasks\Y54GPFK51J8629 => C:\ProgramData\{MCCWRYW8-A1QL-K234-P6VD0BXO711E}\Y54GPFK51J86.vbs [2018-09-12] () <==== ATTENTION
Task: {749E286C-C205-4C7C-B742-BE5023BF06DE} - System32\Tasks\Microsoft\Windows\PushToInstall\LoginCheck => Sc.exe start pushtoinstall login
Task: {752785A5-8A61-4D08-BE07-AC61E656A663} - System32\Tasks\YLD611FF5AP39U => C:\ProgramData\{G0I1RA31-N88X-YN9I-U4FGBULQY4HB}\JDNASJNOI06R.vbs [2018-09-13] () <==== ATTENTION
Task: {773E02EA-7569-41E3-937B-87D043C8B7E4} - System32\Tasks\Microsoft\XblGameSave\XblGameSaveTaskLogon => C:\Windows\System32\XblGameSaveTask.exe [2018-04-12] (Microsoft Corporation)
Task: {780D8785-1806-4095-AFBA-90E86F9E1EE1} - System32\Tasks\0DW7JRCFAJ68SK => C:\ProgramData\{1W8GKD1V-ON27-91XP-OTEOLJAR9UZP}\0DW7JRCFAJ68.vbs [2018-09-05] () <==== ATTENTION
Task: {78BABCCD-20B8-49B7-B4F8-87490C41C875} - System32\Tasks\Microsoft\Windows\InstallService\ScanForUpdatesAsUser
Task: {7EAE5A6B-00F4-4B9F-A255-E1C163B587A1} - System32\Tasks\Microsoft\Windows\DeviceDirectoryClient\LocateCommandUserSession
Task: {841C38FA-240C-4A84-BFBD-0ED305F94A66} - System32\Tasks\PYYGGBW8J1VJ12 => C:\ProgramData\{97R7A4IL-NYDC-1X24-6PCBPW5NP1OS}\8GSLZJVTM822.vbs [2018-09-13] () <==== ATTENTION
Task: {9008A161-7A26-4344-9717-A47B06E4CDCD} - System32\Tasks\1SGMDTCBWELMYR => C:\ProgramData\{YYO6688T-3SKQ-FRQH-IN5QY8828A7G}\N1V9O4379KWB.vbs [2018-09-12] () <==== ATTENTION
Task: {96A7680D-5088-4441-B118-A712A436A71C} - \Microsoft\Windows\UNP\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\OnIdle -> No file <==== ATTENTION
Task: {98C0A6A3-FC4A-42E6-994C-3F0873D6651A} - System32\Tasks\9PM0KHJP34NCUG => C:\ProgramData\{EDR4ZKN9-2SVN-OWC2-5VROCR894N0F}\32HH00Q53WNK.vbs [2018-09-08] () <==== ATTENTION
Task: {9DD5276C-27AE-4719-8490-F093BFBD5DD5} - System32\Tasks\UL2AHGLICWNDWG => C:\ProgramData\{0L1X5C9R-NCX6-LGW3-U19IJG3SI9U0}\P1YYZGGCIJ7M.vbs [2018-08-31] () <==== ATTENTION
Task: {A310AEE2-887B-4F83-8EAE-4805C984B694} - System32\Tasks\N65HW1YWPR63E1 => C:\ProgramData\{FZSFPJ3P-AUAT-GOKQ-3OXRQ07E8ADA}\XRG4QZDTMAKJ.vbs [2018-09-05] () <==== ATTENTION
Task: {A622958B-2386-456E-838E-700F79060511} - System32\Tasks\YLKFENTK6QNBZ2 => C:\ProgramData\{AJMSKG45-9UYY-XWAB-UMMFUTNOGUNO}\YLKFENTK6QNB.vbs [2018-09-09] () <==== ATTENTION
Task: {A84A5CB7-D429-4E00-82B4-9FD74693D38D} - System32\Tasks\N1FU8D1UIPNFTX => C:\ProgramData\{QP20Z8GX-7X3V-GW9M-I0GFEK4Q34NG}\Z44G0MFAVVH0.vbs [2018-09-11] () <==== ATTENTION
Task: {A9BE0988-52B0-448C-863C-B9C052AEEAA4} - System32\Tasks\DSPR63BKI4CQFX => C:\ProgramData\{3BD8T59Z-4FV8-5L9E-WIZEWYH3CMUV}\95FK86659HQV.vbs [2018-09-10] () <==== ATTENTION
Task: {B5812D15-7F84-42BB-A059-43E408F33A44} - System32\Tasks\5J27TNFQ6S40Z3 => C:\ProgramData\{6E5XR8NZ-F5BB-LXAL-Z0YU3XG3TJEA}\VLIS1YWXIOO8.vbs [2018-09-05] () <==== ATTENTION
Task: {B735ECF0-C659-4902-BE73-A0D8E5575147} - \WPD\SqmUpload_S-1-5-21-1029258102-1461592582-2451884663-1001 -> No file <==== ATTENTION
Task: {BA7CBB36-3399-4592-AA6D-72EE51FF51A7} - System32\Tasks\PT2Z7ZFRAJB9AG => C:\ProgramData\{9CI80HIQ-ZTEE-G911-YD0QQSKQ0GFH}\JMRSNVASDFLO.vbs [2018-09-12] () <==== ATTENTION
Task: {BC2E4A73-0D58-4C04-8BDA-5FB5985B5880} - \Microsoft\Windows\UNP\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Logon -> No file <==== ATTENTION
Task: {C3CA72A5-073E-49DF-A988-B019D145A736} - \Microsoft\Windows\UNP\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Time -> No file <==== ATTENTION
Task: {C6F1438A-1ECD-48FC-8CC0-09D9C41A1BF7} - System32\Tasks\CO4PPNXP7LEGQC => C:\ProgramData\{5U59VFMW-A1GW-P33D-6J5WDKILO4LA}\93O9KCITZE85.vbs [2018-09-09] () <==== ATTENTION
Task: {CCACD4B3-685B-41AE-A842-D7A5EE86D62F} - System32\Tasks\QSQD29XJXIJU6Y => C:\ProgramData\{B8OERDAU-S71S-B3SW-RM4RS09HPT34}\M26HZEEG8NGX.vbs [2018-09-11] () <==== ATTENTION
Task: {D52D714B-4180-4DC9-BB98-D5F75918008A} - System32\Tasks\IIWQEMOBDPWMGA => C:\ProgramData\{DJMX74FR-PXYO-NDZR-QZC22WZ20N7Q}\NDZRZL65D8MY.vbs [2018-09-11] () <==== ATTENTION
Task: {E0862994-9083-482D-A921-27B4860FFA21} - System32\Tasks\Microsoft\Windows\Printing\EduPrintProv => C:\Windows\system32\eduprintprov.exe [2018-04-12] (Microsoft Corporation)
Task: {E162D41D-37EB-473C-A209-E93F10A48A4E} - System32\Tasks\ON79QNSWQEP5OZ => C:\ProgramData\{LGCGMC43-XEN4-04QD-42T11W1TGYM7}\OJ8G6I27L4L1.vbs [2018-09-05] () <==== ATTENTION
Task: {E3396689-AAC5-4774-8D65-1A83B9FD2372} - System32\Tasks\SGCJ1G6QJII5O0 => C:\ProgramData\{4DIENLXC-TI13-YPDK-XO56NPSIVYFH}\FGSJYL91ZSZS.vbs [2018-09-11] () <==== ATTENTION
Task: {E41D554E-5437-4E18-8769-978A6C30EC12} - System32\Tasks\ZBOOGAZSKKH8YW => C:\ProgramData\{L1GXW89J-IDOU-LY02-8FVORKYGRD5A}\WK78MPIJ1G9W.vbs [2018-09-08] () <==== ATTENTION
Task: {E4DD81AF-A266-40C8-AC69-B633578B2DA9} - System32\Tasks\67N5DWP3BX5QGN => C:\ProgramData\{3WSA75CS-NJS9-P3V5-2UTQ9KZ638S7}\9Z2HN373HA4Y.vbs [2018-09-08] () <==== ATTENTION
Task: {E86A28BD-FDBA-4F64-A9ED-E602FDC3B76B} - System32\Tasks\N1CX5YK7JHL8SC => C:\ProgramData\{VDP0AH59-39C1-II7J-PIJW59TPWVQ0}\39C1P6W02NYN.vbs [2018-09-12] () <==== ATTENTION
Task: {EE0F458A-BCDE-424A-87EB-FD51E447C86C} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-08-14] (Adobe Systems Incorporated)
Task: {EE3861D6-401D-45F9-A0A6-0FF4AA507C8F} - System32\Tasks\LZSOABM5AUML4H => C:\ProgramData\{6PGWSD89-KA1O-TKH8-RAPTUNG51HSO}\BP35QUYWL7X6.vbs [2018-09-11] () <==== ATTENTION
Task: {EFA86FF7-22AE-4997-AFD9-E89E1BF9B7D6} - System32\Tasks\Microsoft\Windows\Device Information\Device => C:\Windows\system32\devicecensus.exe [2018-09-13] (Microsoft Corporation)
Task: {FBB7ED1C-8420-4687-A810-5EE1D78B45C4} - System32\Tasks\K4C1BFNTLYGO59 => C:\ProgramData\{UZX91FL0-FYHB-KPJV-PHDTGY7RM2SJ}\SXSCSIQRPL04.vbs [2018-09-05] () <==== ATTENTION
Task: {FC02B593-DEF0-4AEC-82FB-3EF8336ECEB7} - \Microsoft\Windows\UNP\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\OutOfIdle -> No file <==== ATTENTION
Task: {FD6A51D4-D67B-434C-B36D-3A9F09E9C949} - System32\Tasks\FileAdvisorUpdate => C:\Program Files (x86)\File Type Advisor\fileadvisor.exe [2015-07-15] (File Type Advisor)
Task: {FE5175B9-2CDE-431E-A1CD-331A7F0A6378} - System32\Tasks\IDXESPPHGXXZDV => C:\ProgramData\{J4Q6TNMJ-6R3W-UUAH-KQ7CK1NEQ77R}\D6LVYQ5UB84Z.vbs [2018-09-04] () <==== ATTENTION
Startup: C:\Users\ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JUplwUQDOu.vbs [2018-08-31] ()
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
2018-09-13 19:57 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{C43L3JEM-T5W8-01VC-JG81WIZZXTD6}
2018-09-13 19:57 - 2018-09-13 19:57 - 00003584 _____ C:\WINDOWS\System32\Tasks\PYYGGBW8J1VJ12
2018-09-13 19:57 - 2018-09-13 19:57 - 00000000 __SHD C:\ProgramData\{97R7A4IL-NYDC-1X24-6PCBPW5NP1OS}
2018-09-13 19:21 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{PH9FSOPM-KY6G-TNMD-6S3B49FEWI2Y}
2018-09-13 19:21 - 2018-09-13 19:21 - 00003584 _____ C:\WINDOWS\System32\Tasks\YLD611FF5AP39U
2018-09-13 19:21 - 2018-09-13 19:21 - 00000000 __SHD C:\ProgramData\{G0I1RA31-N88X-YN9I-U4FGBULQY4HB}
2018-09-05 12:26 - 2018-09-05 12:26 - 00000000 __SHD C:\ProgramData\{1W8GKD1V-ON27-91XP-OTEOLJAR9UZP}
2018-09-05 12:07 - 2018-09-20 12:32 - 00000000 __SHD C:\ProgramData\{8D3EMEQK-PBB4-2MDK-576720P1NI5X}
2018-09-05 12:07 - 2018-09-05 12:07 - 00000000 __SHD C:\ProgramData\{LGCGMC43-XEN4-04QD-42T11W1TGYM7}
2018-09-04 15:47 - 2018-09-04 15:47 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Tempzxpsignd4aaa451abbaeaa5
2018-09-04 14:18 - 2018-09-04 14:18 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Tempzxpsign123e0ce7e2889412
2018-09-04 14:14 - 2018-09-04 14:14 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Tempzxpsignc18b315f96265baf
2018-09-04 14:08 - 2018-09-20 12:32 - 00000000 __SHD C:\ProgramData\{STGHZCP6-21VR-GQXR-F3AGQBSUZTP9}
2018-09-04 14:08 - 2018-09-04 14:08 - 00000000 __SHD C:\ProgramData\{J4Q6TNMJ-6R3W-UUAH-KQ7CK1NEQ77R}
2018-09-04 14:04 - 2018-09-04 14:04 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Tempzxpsign2c1048742c61f3df
2018-09-04 12:17 - 2018-09-04 12:17 - 00000000 __SHD C:\ProgramData\{LTK52M3C-4WKF-VDKW-SL8OFS1O2IQL}
2018-09-04 12:17 - 2018-09-04 12:17 - 00000000 __SHD C:\ProgramData\{D90XW6TN-5ELN-5HP1-44RL3409E9P6}
2018-09-03 16:52 - 2018-09-03 16:52 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Tempzxpsign4e75584fd6f3888a
2018-09-03 13:17 - 2018-09-03 13:17 - 00000000 __SHD C:\ProgramData\{LMO1HZE2-HZZZ-XNTF-BIIZEJSIXVC1}
2018-09-03 13:17 - 2018-09-03 13:17 - 00000000 __SHD C:\ProgramData\{4Z64RAU3-QHLR-6UWD-PAH05LGF57WW}
2018-09-02 19:55 - 2018-09-02 19:55 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Tempzxpsign6481f71ca8592257
2018-09-02 19:53 - 2018-09-02 19:53 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Tempzxpsign318427fc303e7faf
2018-09-01 20:12 - 2018-09-20 12:32 - 00000000 __SHD C:\ProgramData\Flash
2018-09-01 14:41 - 2018-09-01 14:41 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Tempzxpsign0dea6e6834682151
2018-09-01 14:32 - 2018-09-01 14:32 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Tempzxpsign1462cfd68952be6a
2018-09-01 13:10 - 2018-09-01 13:10 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Tempzxpsignc8477e60961d1707
2018-09-01 12:31 - 2018-09-01 12:32 - 00000000 ____D C:\Users\Public\Librairies
2018-08-31 22:54 - 2018-08-31 22:54 - 01014272 _____ C:\WINDOWS\dyodnxvjpnujtdwx.dyodn
2018-08-31 20:31 - 2018-08-31 20:31 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\LavasoftStatistics
2018-08-31 20:01 - 2018-08-31 20:01 - 00000000 ____D C:\Program Files\Common Files\Lavasoft
2018-08-31 19:59 - 2018-08-31 19:59 - 00000000 ____D C:\Users\ADMIN\AppData\Local\Lavasoft
2018-08-31 19:59 - 2018-08-31 19:59 - 00000000 ____D C:\ProgramData\Lavasoft
2018-08-31 19:57 - 2018-08-31 22:39 - 00000000 ____D C:\Program Files\fik Geronimo Updater
2018-08-31 19:57 - 2018-08-31 19:57 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\Python
2018-08-31 19:56 - 2018-08-31 19:56 - 00000012 _____ C:\WINDOWS\b32142451
2018-08-31 19:55 - 2018-08-31 22:42 - 00000000 ___HD C:\Program Files (x86)\Pudong
2018-08-31 19:55 - 2018-08-31 22:42 - 00000000 ____D C:\Program Files (x86)\Sowed
2018-08-31 19:55 - 2018-08-31 22:42 - 00000000 ____D C:\Program Files (x86)\overcame
2018-08-31 19:55 - 2018-08-31 22:42 - 00000000 ____D C:\Program Files (x86)\fugue
2018-08-31 19:55 - 2018-08-31 19:55 - 00000000 ___HD C:\Program Files (x86)\slimmest
2018-08-31 19:55 - 2018-08-31 19:55 - 00000000 ____D C:\Program Files (x86)\Mathew
2018-08-31 19:51 - 2018-09-20 12:32 - 00000000 __SHD C:\ProgramData\vgjholxrhocqdsy
2018-08-31 19:47 - 2018-09-20 12:34 - 00000000 ____D C:\Users\ADMIN\AppData\Roaming\Msos
2018-08-31 19:47 - 2018-08-31 19:47 - 01014272 _____ C:\WINDOWS\aajzehginadntkcl.aajz
2018-08-31 19:47 - 2018-08-31 19:47 - 00000000 __SHD C:\ProgramData\{E82D7JQH-8269-8D5R-DBFFQ17XVTWT}
2018-08-31 19:47 - 2018-08-31 19:47 - 00000000 __SHD C:\ProgramData\{0L1X5C9R-NCX6-LGW3-U19IJG3SI9U0}
2018-09-12 19:38 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{RF6WW0ZR-1O6F-M8LV-VMNS66ZEQ03N}
2018-09-12 19:38 - 2018-09-12 19:38 - 00000000 __SHD C:\ProgramData\{9CI80HIQ-ZTEE-G911-YD0QQSKQ0GFH}
2018-09-12 18:17 - 2018-09-12 18:17 - 00000000 __SHD C:\ProgramData\{YYO6688T-3SKQ-FRQH-IN5QY8828A7G}
2018-09-12 18:17 - 2018-09-12 18:17 - 00000000 __SHD C:\ProgramData\{SHIJA2YN-5GD7-DN7K-XWM8QHWBBORN}
2018-09-12 17:58 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{3GOAO969-7ASW-SJLS-6ZCKCDRZIWY0}
2018-09-12 17:58 - 2018-09-12 17:58 - 00000000 __SHD C:\ProgramData\{MCCWRYW8-A1QL-K234-P6VD0BXO711E}
2018-09-12 14:57 - 2018-09-20 12:32 - 00000000 __SHD C:\ProgramData\{6ZRA30SO-LYRI-8G9I-A50RTX8T40XM}
2018-09-12 14:57 - 2018-09-12 14:57 - 00000000 __SHD C:\ProgramData\{BGTP1VO5-8PLK-EY12-BGTP1VO510D4}
2018-09-12 13:40 - 2018-09-20 12:32 - 00000000 __SHD C:\ProgramData\{J4CQP2SM-7X2V-O8AL-HK70L32QG6OM}
2018-09-12 13:40 - 2018-09-12 13:40 - 00000000 __SHD C:\ProgramData\{WIDQW7EN-K469-PFVE-JU06Z9MAD632}
2018-09-12 11:34 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{PIJW59TP-AUJ5-DGD9-15WFFDDQXVMO}
2018-09-12 11:34 - 2018-09-12 11:34 - 00000000 __SHD C:\ProgramData\{VDP0AH59-39C1-II7J-PIJW59TPWVQ0}
2018-09-12 04:04 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{DMMBJX16-DTBY-BYH4-3257C2I78VM0}
2018-09-12 04:04 - 2018-09-12 04:04 - 00000000 __SHD C:\ProgramData\{YF288PHO-WISG-8H1D-CP8Z9ZN3KMVU}
2018-09-11 17:40 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{4Q1R098R-BMS2-Z5WE-1JKCXTEP25I2}
2018-09-11 17:40 - 2018-09-11 17:40 - 00000000 __SHD C:\ProgramData\{4DIENLXC-TI13-YPDK-XO56NPSIVYFH}
2018-09-11 15:56 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{9W4M9AFA-O6P3-3MQG-YMPIH8ZVCTFX}
2018-09-11 15:56 - 2018-09-11 15:56 - 00000000 __SHD C:\ProgramData\{QP20Z8GX-7X3V-GW9M-I0GFEK4Q34NG}
2018-09-11 15:28 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{SQW5RJH2-ZHUW-FNVK-TDEKD3Z7PZVL}
2018-09-11 15:28 - 2018-09-11 15:28 - 00000000 __SHD C:\ProgramData\{VGQDMSDC-ACW0-5ZJ0-XZXYFD1HZCEU}
2018-09-11 14:20 - 2018-09-20 12:32 - 00000000 __SHD C:\ProgramData\{7TQWVTIJ-G21S-3KWJ-L01XG5O3FS3G}
2018-09-11 14:20 - 2018-09-11 14:20 - 00000000 __SHD C:\ProgramData\{B8OERDAU-S71S-B3SW-RM4RS09HPT34}
2018-09-11 14:09 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{02JE3U5N-X1FY-NH6K-BIQDLIS9M5Y3}
2018-09-11 14:09 - 2018-09-11 14:09 - 00000000 __SHD C:\ProgramData\{6PGWSD89-KA1O-TKH8-RAPTUNG51HSO}
2018-09-11 11:54 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{7ICBTFM6-SZYG-0WLL-RQKCYAL0J1J1}
2018-09-11 11:54 - 2018-09-11 11:54 - 00000000 __SHD C:\ProgramData\{DJMX74FR-PXYO-NDZR-QZC22WZ20N7Q}
2018-09-10 19:39 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{UZ7PMOCM-YYEB-0LQ5-LCD1XJKGFKZQ}
2018-09-10 19:39 - 2018-09-10 19:39 - 00000000 __SHD C:\ProgramData\{3BD8T59Z-4FV8-5L9E-WIZEWYH3CMUV}
2018-09-09 18:50 - 2018-09-09 18:50 - 00000000 __SHD C:\ProgramData\{BYFEYNOS-J5X8-8OAO-G1GLSRK7S42F}
2018-09-09 18:49 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{8K7NXG2T-5T2H-PI9M-B2CUNDDKFF3Y}
2018-09-09 16:59 - 2018-09-09 16:59 - 00000000 __SHD C:\ProgramData\{AJMSKG45-9UYY-XWAB-UMMFUTNOGUNO}
2018-09-09 16:59 - 2018-09-09 16:59 - 00000000 __SHD C:\ProgramData\{5U59VFMW-A1GW-P33D-6J5WDKILO4LA}
2018-09-09 16:58 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{ZYOAYZB7-SUH6-16PW-Y7GIS3CPJEZS}
2018-09-09 00:04 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{X6KR2U9S-QPMH-IEU5-MTSECCQIHAXB}
2018-09-08 16:09 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{TTNTLNPM-WL57-FERI-V4T3Y3OPNSIQ}
2018-09-08 16:09 - 2018-09-08 16:09 - 00000000 __SHD C:\ProgramData\{EDR4ZKN9-2SVN-OWC2-5VROCR894N0F}
2018-09-08 15:33 - 2018-09-21 09:34 - 00000000 __SHD C:\ProgramData\{D5834A10-JWR5-NN3U-016ODW33PMV2}
2018-09-08 15:33 - 2018-09-08 15:33 - 00000000 __SHD C:\ProgramData\{3WSA75CS-NJS9-P3V5-2UTQ9KZ638S7}
2018-09-08 07:09 - 2018-09-20 12:32 - 00000000 __SHD C:\ProgramData\{X1KK99ER-HI86-DXVQ-7UKTN5QL78VS}
2018-09-08 07:09 - 2018-09-08 07:09 - 00000000 __SHD C:\ProgramData\{L1GXW89J-IDOU-LY02-8FVORKYGRD5A}
2018-09-08 02:24 - 2018-09-20 12:32 - 00000000 __SHD C:\ProgramData\{CHWF10RB-CNQ1-X95Q-I3MU81UYIYB8}
2018-09-08 02:24 - 2018-09-08 02:24 - 00000000 __SHD C:\ProgramData\{K5MKYES4-2CTI-PPZX-QAYL3ACB9BRM}
2018-09-07 19:32 - 2018-09-21 09:34 - 00000000 __SHD C:\ProgramData\{Q40Y4ZUK-A2BJ-BJ6A-6VM30KP9ZRSH}
2018-09-07 19:32 - 2018-09-07 19:32 - 00000000 __SHD C:\ProgramData\{Y4QZTVH4-CS44-RJ1Z-AOWAB3U8TLWR}
2018-09-07 16:36 - 2018-09-20 12:32 - 00000000 __SHD C:\ProgramData\{FY0S4OCB-5WCR-13UU-VASU2I3Z8MJJ}
2018-09-07 16:36 - 2018-09-07 16:36 - 00000000 __SHD C:\ProgramData\{5G1SBKNS-2PG1-TWJR-YUC8215MN1ZT}
2018-09-07 12:29 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{CTY3VDWN-CH2S-K7YB-THXW52V0EZH8}
2018-09-07 12:29 - 2018-09-07 12:29 - 00000000 __SHD C:\ProgramData\{JC5QOL7B-8AGP-JVYH-YKWAUMKGDVL5}
2018-09-06 21:25 - 2018-09-20 12:32 - 00000000 __SHD C:\ProgramData\{QKJJ6VV6-1MN2-VS61-WFIEH6ZPAGNO}
2018-09-06 21:25 - 2018-09-06 21:25 - 00000000 __SHD C:\ProgramData\{29WFVDXF-EJOP-1SS5-C7WW1J85CD5M}
2018-09-06 20:24 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{5JGD4SWM-DD0S-JX43-ANIBPLL7IGIW}
2018-09-06 20:24 - 2018-09-06 20:24 - 00000000 __SHD C:\ProgramData\{U11XQ8X4-3TGP-CP8Z-1LUX4VZWVDO4}
2018-09-06 12:17 - 2018-09-06 12:17 - 00000000 __SHD C:\ProgramData\{GAAPBBQ6-XG19-CHHD-TFHQBEKFBOPK}
2018-09-06 12:17 - 2018-09-06 12:17 - 00000000 __SHD C:\ProgramData\{ANIL4SQM-UIU7-3ON0-ANIL4SQMFGK2}
2018-09-05 16:05 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{MBX9W90Z-FFG9-DQRQ-552IP5BGUNTP}
2018-09-05 16:05 - 2018-09-05 16:05 - 00000000 __SHD C:\ProgramData\{04YRTEN1-PG0B-6E4S-LWEG11PVLCMS}
2018-09-05 15:52 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{FA6S5KDX-FIUC-840S-U19H1MOO5TH0}
2018-09-05 15:52 - 2018-09-05 15:52 - 00000000 __SHD C:\ProgramData\{FZSFPJ3P-AUAT-GOKQ-3OXRQ07E8ADA}
2018-09-05 14:47 - 2018-09-05 14:47 - 00000000 __SHD C:\ProgramData\{NKIRJ4TD-JLCH-3Q3L-0JH2S5TS59A1}
2018-09-05 14:47 - 2018-09-05 14:47 - 00000000 __SHD C:\ProgramData\{KC3C816H-XSYY-FP2S-2MTGR1DK1OCZ}
2018-09-05 14:02 - 2018-09-05 14:02 - 00000000 __SHD C:\ProgramData\{UZX91FL0-FYHB-KPJV-PHDTGY7RM2SJ}
2018-09-05 14:02 - 2018-09-05 14:02 - 00000000 __SHD C:\ProgramData\{T73F8VZJ-XNS6-AIUZ-69UV0DHS3CED}
2018-09-05 13:28 - 2018-09-21 09:47 - 00000000 __SHD C:\ProgramData\{9FWVW0CX-ZDL7-I3P6-4K9Q9K8BNC7J}
2018-09-05 13:28 - 2018-09-05 13:28 - 00000000 __SHD C:\ProgramData\{6E5XR8NZ-F5BB-LXAL-Z0YU3XG3TJEA}
Hosts:
EmptyTemp:
RemoveProxy:
Reboot:
Save the content from the file menu then save.
Close Notepad, return to FRST and click the "Fix" button
A restart may be necessary and automatic.
A text file will appear, copy/paste the content here in a new message.
Restart the computer.
You're welcome :)
Delete the folder C:\FRST
Finish with a scan using Malwarebytes - Malwarebytes Anti-Malware Free Version Tutorial
Avoid regular scans and cleanups with ZHPCleaner, AdwCleaner, not useful.
A few tips:
To avoid getting caught again.
Read - Potentially Unwanted Programs / PUPs: Adwares/PUPs: Unwanted Programs and Parasites
(Especially enable LPI detections to find unwanted and advertising programs)
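The fixlist earlier in this thread targets scheduled tasks and Startup entries that launch `.vbs` files. As an added example (not part of the original posts and not FRST's own code), this sketch parses report lines in that layout and lists the persistence entries that start a script-host file; the sample lines, names and paths are constructed, and the 14-character task-name rule is an assumption drawn from the task names visible above.

```python
import re
from dataclasses import dataclass, field

# Extensions that Windows Script Host (wscript.exe / cscript.exe) runs.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")

# Constructed sample lines in the report layout seen in this thread.
SAMPLE_REPORT = r"""
Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\AB12CD34EF56GH => C:\ProgramData\{AAAAAAAA-BBBB-CCCC-DDDDDDDDDDDDDDDD}\EXAMPLE00001.vbs [2018-09-11] () <==== ATTENTION
Task: {66666666-7777-8888-9999-000000000000} - System32\Tasks\Example Update Task => C:\Program Files (x86)\Example\updater.exe [2018-08-14] (Example Vendor Inc.)
Task: {AAAAAAAA-0000-1111-2222-333333333333} - \Example\Campaigns\Logon -> No file <==== ATTENTION
Task: {BBBBBBBB-0000-1111-2222-333333333333} - System32\Tasks\ZX98YW76VU54TS => C:\ProgramData\{EEEEEEEE-FFFF-GGGG-HHHHHHHHHHHHHHHH}\EXAMPLE00002.vbs [130 2018-08-29] () [Unsigned file]
Startup: C:\Users\example\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.vbs [2019-07-21] () [Unsigned file]
"""

# "Task: {GUID} - <task name> => <rest>" or "Startup: <rest>".
ENTRY_RE = re.compile(
    r"^(?P<kind>Task|Startup): "
    r"(?:\{[0-9A-Fa-f-]{36}\} - (?P<name>.+?) (?:=>|->) )?"
    r"(?P<rest>.+)$"
)
# "<target> [size? date] (publisher) [Unsigned file] <==== ATTENTION", all optional.
TAIL_RE = re.compile(
    r"^(?P<target>.*?)"
    r"(?: \[(?:\d+ )?\d{4}-\d{2}-\d{2}\] \((?P<signer>[^)]*)\))?"
    r"(?: \[Unsigned file\])?"
    r"(?: <=+ (?:ATTENTION|WARNING))?$"
)
# Assumption: 14 upper-case letters/digits directly under System32\Tasks.
RANDOM_TASK_RE = re.compile(r"^System32\\Tasks\\[A-Z0-9]{14}$")
BRACE_DIR_RE = re.compile(r"^[A-Z]:\\ProgramData\\\{[^}\\]+\}\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str
    name: str
    target: str
    signer: object  # None when the line carries no "(publisher)" field
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for a Task:/Startup: line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    tail = TAIL_RE.match(m.group("rest"))
    target = tail.group("target").strip().strip('"')
    return Entry(m.group("kind"), m.group("name") or "", target, tail.group("signer"))


def triage(report):
    """List persistence entries whose target is a script-host file, with reasons."""
    flagged = []
    for line in report.splitlines():
        e = parse_line(line)
        if e is None or not e.target.lower().endswith(SCRIPT_EXTS):
            continue
        e.reasons.append("%s entry launches a script-host file" % e.kind)
        if RANDOM_TASK_RE.match(e.name):
            e.reasons.append("random-looking task name")
        if BRACE_DIR_RE.match(e.target):
            e.reasons.append("brace-named folder under ProgramData")
        if e.signer == "":
            e.reasons.append("no publisher recorded")
        flagged.append(e)
    return flagged


def orphaned_tasks(report):
    """Names of tasks whose target is reported as 'No file'."""
    entries = (parse_line(line) for line in report.splitlines())
    return [e.name for e in entries if e and e.kind == "Task" and e.target == "No file"]


if __name__ == "__main__":
    for entry in triage(SAMPLE_REPORT):
        print(entry.target)
        for reason in entry.reasons:
            print("   -", reason)
    print("Orphaned tasks:", orphaned_tasks(SAMPLE_REPORT))
```

The signed `updater.exe` task is left out of the result, while the "No file" task is reported separately as leftover to clean up rather than as an active launcher.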
Hello, I apparently have the same issue, I did the scan but only 2 reports came out.
https://pjjoint.malekal.com/files.php?id=20190724_f15n711y7n5
https://pjjoint.malekal.com/files.php?id=FRST_20190724_v8p11l11n6h13
Thank you in advance for your help.
Hello,
Here is the correction to be made with FRST. You can refer to this explanatory note with screenshots.
Restart FRST and on your keyboard press CTRL + Y.
The notepad will open, copy/paste this.
Start:
CloseProcesses:
CreateRestorePoint:
Startup: C:\Users\graoll\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cabinet.vbs [2019-07-21] () [Unsigned file]
Startup: C:\Users\graoll\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mofcomp.vbs [2019-07-21] () [Unsigned file]
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== WARNING
RemoveProxy:
Reboot:
End:
Save the content from the file menu then save.
Close the notepad, go back to FRST and click on the "Fix" button.
A restart may be required and automatic.
A text file will appear, copy/paste the content here in a new message.
Restart the computer.
To clean removable drives from USB viruses, follow the steps in the tutorial in order: insert one by one your USB keys and external hard drives that you have to clean them. Then send the reports to https://pjjoint.malekal.com/ and provide the links to these reports so we can review them.
Connect all USB keys and other removable devices.
- Download Remediate VBS Worm
- Launch option B
- Type the letter of the USB key, for example, E and press enter
WARNING: DO NOT INDICATE THE DRIVE OF YOUR HARD DISK!
- Go to "My Computer" then disk "C", a report "Rem-VBS.log" should be there.
Open this report with notepad and copy/paste the content here in a next response.
To protect yourself from removable infections such as Wscript (Windows Script Host)
Download and install Marmiton
Click on Disable for Windows Script Host.
Marmiton will block malicious scripts (VBS, VBE, JavaScript etc.) particularly those used to propagate ransomware like Locky.
Results of Farbar Recovery Scan Tool (x64) Version: 15-07-2019 01
Executed by graoll (24-07-2019 13:40:54) Run:1
Executed from C:\Users\graoll\Downloads
Loaded Profiles: graoll (Available Profiles: graoll)
Boot Mode: Normal
==============================================
fixlist content:
Start:
CloseProcesses:
CreateRestorePoint:
Startup: C:\Users\graoll\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cabinet.vbs [2019-07-21] () [Unsigned file]
Startup: C:\Users\graoll\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mofcomp.vbs [2019-07-21] () [Unsigned file]
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
RemoveProxy:
Reboot:
End:
Processes closed successfully.
The Restore Point has been created successfully.
C:\Users\graoll\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cabinet.vbs => moved successfully
C:\Users\graoll\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mofcomp.vbs => moved successfully
HKLM\SOFTWARE\Policies\Mozilla => deleted successfully
========= RemoveProxy: =========
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => deleted successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => deleted successfully
"HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => deleted successfully
"HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => deleted successfully
"HKU\S-1-5-21-2992593478-3070999805-2378279802-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => deleted successfully
"HKU\S-1-5-21-2992593478-3070999805-2378279802-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => deleted successfully
========= End of RemoveProxy: =========
The system had to restart.
End of Fixlog 13:41:01
Hello,
I seem to have the same issue with Windows Script Host
Could you please help me resolve it?
Thank you.
I have the 3 requested links:
https://pjjoint.malekal.com/files.php?id=FRST_20190725_c5s1512p12o9
https://pjjoint.malekal.com/files.php?id=20190725_t12x7v5z15x7
https://pjjoint.malekal.com/files.php?id=20190725_t12e12f9w15k12
Thank you for your help!
Hello,
You have programs that were pre-installed when you purchased the computer or installed later that may not be useful.
They clutter Windows and can slow it down.
You can therefore uninstall them.
Go to the Control Panel
then to Programs and Features.
Uninstall:
Avast Antivirus (Windows Defender is lighter)
CCleaner (unnecessary)
DAEMON Tools Lite (you can mount an ISO by right-clicking to mount on Windows 10)
PS: CCleaner is not really useful, even though it's recommended everywhere.
If you want to keep it, disable CCleaner's monitoring, which is unnecessary, as it starts with Windows and slows it down with its incessant cleaning, see: https://www.malekal.com/supprimer-ccleaner-demarrage-windows/
Here is the fix to perform with FRST. You can refer to this explanatory note with screenshots.
Restart FRST and then press the CTRL + Y keys on your keyboard.
The notepad will open, copy/paste this.
Start:
CloseProcesses:
CreateRestorePoint:
InternetURL: C:\Users\ticke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systeminfo.url -> URL: file:///C:/Users/ticke/TapiUnattend/systeminfo.vbs
GroupPolicy: Restriction ? <==== ATTENTION
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKU\S-1-5-21-3069439362-4254765607-1559520344-1001\...\Run: [Parsec.App.0] => C:\Users\ticke\AppData\Roaming\Parsec\electron\parsec.exe [80666112 2018-07-27] (Parsec Cloud, Inc.) [Unsigned file]
RemoveProxy:
Reboot:
End:
Save the content from the file menu, then save.
Close the notepad, return to FRST, and click the "Fix" button.
A restart may be necessary and automatic.
A text file will appear, copy/paste the content here in a new message.
Restart the computer.
To protect yourself from removable infections like Wscript (Windows Script Host)
Download and install Marmiton
Click on Disable at the Windows Script Host level.
Marmiton will block malicious scripts (VBS, VBE, JavaScript, etc.), especially those used to spread ransomware like Locky.
Hello,
I have the same problem with the mofcomp.vbs file, error message when opening Windows 10.
Here are the 2 links:
FRST: https://pjjoint.malekal.com/files.php?id=FRST_20190729_r6d9c10j9g13
ADDITION: https://pjjoint.malekal.com/files.php?id=20190729_l11e14p5s10y11
Thank you for your help.
P.S.: This is a brand new professional PC that I just acquired for my new job.
Almost nothing has been installed on it yet.
Good evening,
Try this:
Here is the correction to be made with FRST. You can refer to this explanatory note with screenshots.
Restart FRST and then press CTRL + Y on your keyboard.
The notepad will open, copy/paste this.
Start:
CloseProcesses:
CreateRestorePoint:
Startup: C:\Users\sacha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mofcomp.vbs [2019-07-26] () [Unsigned file]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== WARNING
RemoveProxy:
Reboot:
End:
Save the content via the file menu then save.
Close the notepad, go back to FRST and click the "Fix" button
A restart may be necessary and automatic.
A text file will appear, copy/paste the content here in a new message.
Restart the computer.
To protect yourself from removable infections like Wscript (Windows Script Host)
Download and install Marmiton
Click on Disable at the level of Windows Script Host.
Marmiton will block malicious scripts (VBS, VBE, JavaScript etc.) which are used to spread ransomware like Locky.
Hello, I have the same problem, is it possible for you to help me? (Addition, FRST, Shortcut)
https://pjjoint.malekal.com/files.php?id=20200520_n12e9m7s12v10
https://pjjoint.malekal.com/files.php?id=FRST_20200520_z12x6y9m6d8
https://pjjoint.malekal.com/files.php?id=20200520_q11n8c6p9f9
Thank you ^^'
Good evening,
Here is the FRST fix to be carried out.
You can refer to this explanatory note with screenshots.
1- Open FRST
2- Copy the entire script that is in the box below:
Start:
CloseProcesses:
CreateRestorePoint:
HKU\S-1-5-21-261878775-2762131268-1289876846-1001\...\Run: [xurdfv] => C:\Users\Danfy Youi\AppData\Local\xurdfv.dll [16896 2018-08-28] () [Unsigned file] <==== WARNING
Startup: C:\Users\Danfy Youi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JUplwUQDOu.vbs [2018-09-01] () [Unsigned file]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== WARNING
Task: {5A51B3F5-BC83-4A77-B60C-41BF0A6BF473} - System32\Tasks\OMEQHFQZN3Y21Y => C:\ProgramData\{LAL4066H-E8RR-UC0E-ZB9Z3PAD87OV}\E8RRLOMZJW24.vbs [130 2018-08-29] () [Unsigned file]
Task: {2273E88F-5D7B-4E3B-A2B0-B5FCBAE42327} - System32\Tasks\T36RQZELB0TWSN => C:\ProgramData\{C5J8E3IB-DK8M-CENY-IAJTOPUS684P}\819GZDG0CO60.vbs [130 2018-08-29] () [Unsigned file]
Task: {5A51B3F5-BC83-4A77-B60C-41BF0A6BF473} - System32\Tasks\OMEQHFQZN3Y21Y => C:\ProgramData\{LAL4066H-E8RR-UC0E-ZB9Z3PAD87OV}\E8RRLOMZJW24.vbs [130 2018-08-29] () [Unsigned file]
Task: {87E92CDE-219E-4DED-9441-25992CE096CD} - System32\Tasks\YY6174DVSSG2W4 => C:\ProgramData\{ZMI8QH4A-O8XW-9BJD-047CS1GFJXXX}\PAULNIDGEKP2.vbs [130 2018-08-29] () [Unsigned file]
Task: {B0BAE5CA-407A-476C-A7FD-B7C5BBF34224} - System32\Tasks\Chameleon Folder-Danfy Youi => "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
Task: {D8589A55-4AB4-4A8E-BDFA-05108930652D} - System32\Tasks\31VZQRAPNRGICE => C:\ProgramData\{0NMWQUVB-SC7L-AOVD-5JBRCIDOC9SY}\JR9O7M9YM6K9.vbs [130 2018-08-29] () [Unsigned file]
Task: {E2724507-8C37-493B-B085-98B8F9A5F46A} - System32\Tasks\RVUM2ULG5K64Z6 => C:\ProgramData\{3NUD163X-JIXF-SSVZ-849S5KV035E1}\7J729T8JNBZ0.vbs [130 2018-08-29] () [Unsigned file]
Task: {EBA671B4-FCA1-4274-A180-DAED36BF3D4A} - System32\Tasks\H5W7F7H9L80CZF => C:\ProgramData\{L4UN6IXN-6C2Q-V01O-U2M1O2HSPSFF}\BU7GKI5IIR5Z.vbs [130 2018-08-29] () [Unsigned file]
Task: {EFCFA2C4-5FB1-40C5-A05B-D12DF33B6151} - System32\Tasks\PDVDServ12 Task => C:\Program Files (x86)\CyberLink\PowerDVD12\PDVD12Serv.exe
Task: {F56C39A7-532F-4C56-8D8A-2F85C2C22F57} - System32\Tasks\JTH19TBMEMQ1BM => C:\ProgramData\{1906BLUE-O5LR-AYWO-LY38550TDYW9}\05903FA5KJ6J.vbs [130 2018-08-28] () [Unsigned file]
R2 PornTime Updater; C:\Program Files (x86)\Common Files\PT\updater.exe [165888 2015-06-15] (PornTime) [Unsigned file]
2018-08-28 14:27 - 2018-08-29 15:30 - 001925632 _____ () C:\Users\Danfy Youi\AppData\Roaming\dwn.exe
2018-08-28 14:27 - 2018-08-29 02:34 - 000240128 ___SH () C:\Users\Danfy Youi\AppData\Roaming\JUplwUQDOu.exe
2018-08-28 14:27 - 2018-08-28 14:27 - 000016896 _____ () C:\Users\Danfy Youi\AppData\Local\xurdfv.dll
EmptyTemp:
RemoveProxy:
Reboot:
End::
3- Once the script is copied, click on Fix.
Let the fix complete; once it's done, you will be prompted to restart your PC. Please do so as soon as prompted, see below.
Then once your computer has restarted:
4- You will have a Fixlog file on your desktop; send it via https://pjjoint.malekal.com/ and then share the link generated by pjjoint in your next message.
5- CHECK AND TELL ME IF YOUR PROBLEM IS STILL PRESENT.
2°)
Reset/Repair the web browsers concerned by the problems:
- Repair Mozilla Firefox (first paragraph)
- Repair Google Chrome (only the first paragraph).
3°)
Finish with a cleaning using Malwarebytes - Malwarebytes Anti-Malware free version tutorial
4°)
See how it goes and if there have been any improvements.
If not, if you still have pop-up ads, specify which web browser.
Run another FRST scan and provide the new reports via pjjoint.
Here is what I got with fixlog, otherwise, it's working thanks, I’m adding the other links below ^^ :
[code] Farbar Recovery Scan Tool (x64) Correction Results Version: 13-05-2020 01
Executed by Danfy Youi (20-05-2020 22:43:08) Run:1
Executed from C:\Users\Danfy Youi\Downloads
Profiles loaded: Danfy Youi
Boot Mode: Normal
==============================================
fixlist content:
*****************
Start:
CloseProcesses:
CreateRestorePoint:
HKU\S-1-5-21-261878775-2762131268-1289876846-1001\...\Run: [xurdfv] => C:\Users\Danfy Youi\AppData\Local\xurdfv.dll [16896 2018-08-28] () [Unsigned file] <==== WARNING
Startup: C:\Users\Danfy Youi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JUplwUQDOu.vbs [2018-09-01] () [Unsigned file]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== WARNING
Task: {5A51B3F5-BC83-4A77-B60C-41BF0A6BF473} - System32\Tasks\OMEQHFQZN3Y21Y => C:\ProgramData\{LAL4066H-E8RR-UC0E-ZB9Z3PAD87OV}\E8RRLOMZJW24.vbs [130 2018-08-29] () [Unsigned file]
Task: {2273E88F-5D7B-4E3B-A2B0-B5FCBAE42327} - System32\Tasks\T36RQZELB0TWSN => C:\ProgramData\{C5J8E3IB-DK8M-CENY-IAJTOPUS684P}\819GZDG0CO60.vbs [130 2018-08-29] () [Unsigned file]
Task: {5A51B3F5-BC83-4A77-B60C-41BF0A6BF473} - System32\Tasks\OMEQHFQZN3Y21Y => C:\ProgramData\{LAL4066H-E8RR-UC0E-ZB9Z3PAD87OV}\E8RRLOMZJW24.vbs [130 2018-08-29] () [Unsigned file]
Task: {87E92CDE-219E-4DED-9441-25992CE096CD} - System32\Tasks\YY6174DVSSG2W4 => C:\ProgramData\{ZMI8QH4A-O8XW-9BJD-047CS1GFJXXX}\PAULNIDGEKP2.vbs [130 2018-08-29] () [Unsigned file]
Task: {B0BAE5CA-407A-476C-A7FD-B7C5BBF34224} - System32\Tasks\Chameleon Folder-Danfy Youi => "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
Task: {D8589A55-4AB4-4A8E-BDFA-05108930652D} - System32\Tasks\31VZQRAPNRGICE => C:\ProgramData\{0NMWQUVB-SC7L-AOVD-5JBRCIDOC9SY}\JR9O7M9YM6K9.vbs [130 2018-08-29] () [Unsigned file]
Task: {E2724507-8C37-493B-B085-98B8F9A5F46A} - System32\Tasks\RVUM2ULG5K64Z6 => C:\ProgramData\{3NUD163X-JIXF-SSVZ-849S5KV035E1}\7J729T8JNBZ0.vbs [130 2018-08-29] () [Unsigned file]
Task: {EBA671B4-FCA1-4274-A180-DAED36BF3D4A} - System32\Tasks\H5W7F7H9L80CZF => C:\ProgramData\{L4UN6IXN-6C2Q-V01O-U2M1O2HSPSFF}\BU7GKI5IIR5Z.vbs [130 2018-08-29] () [Unsigned file]
Task: {EFCFA2C4-5FB1-40C5-A05B-D12DF33B6151} - System32\Tasks\PDVDServ12 Task => C:\Program Files (x86)\CyberLink\PowerDVD12\PDVD12Serv.exe
Task: {F56C39A7-532F-4C56-8D8A-2F85C2C22F57} - System32\Tasks\JTH19TBMEMQ1BM => C:\ProgramData\{1906BLUE-O5LR-AYWO-LY38550TDYW9}\05903FA5KJ6J.vbs [130 2018-08-28] () [Unsigned file]
R2 PornTime Updater; C:\Program Files (x86)\Common Files\PT\updater.exe [165888 2015-06-15] (PornTime) [Unsigned file]
2018-08-28 14:27 - 2018-08-29 15:30 - 001925632 _____ () C:\Users\Danfy Youi\AppData\Roaming\dwn.exe
2018-08-28 14:27 - 2018-08-29 02:34 - 000240128 ___SH () C:\Users\Danfy Youi\AppData\Roaming\JUplwUQDOu.exe
2018-08-28 14:27 - 2018-08-28 14:27 - 000016896 _____ () C:\Users\Danfy Youi\AppData\Local\xurdfv.dll
RemoveProxy:
Hosts:
Reboot:
End:
*****************
Processes closed successfully.
The restore point has been created successfully.
"HKU\S-1-5-21-261878775-2762131268-1289876846-1001\Software\Microsoft\Windows\CurrentVersion\Run\\xurdfv" => successfully deleted
C:\Users\Danfy Youi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JUplwUQDOu.vbs => successfully moved
HKLM\SOFTWARE\Policies\Google => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5A51B3F5-BC83-4A77-B60C-41BF0A6BF473}" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5A51B3F5-BC83-4A77-B60C-41BF0A6BF473}" => successfully deleted
C:\WINDOWS\System32\Tasks\OMEQHFQZN3Y21Y => successfully moved
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OMEQHFQZN3Y21Y" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2273E88F-5D7B-4E3B-A2B0-B5FCBAE42327}" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2273E88F-5D7B-4E3B-A2B0-B5FCBAE42327}" => successfully deleted
C:\WINDOWS\System32\Tasks\T36RQZELB0TWSN => successfully moved
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T36RQZELB0TWSN" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5A51B3F5-BC83-4A77-B60C-41BF0A6BF473}" => not found
"C:\WINDOWS\System32\Tasks\OMEQHFQZN3Y21Y" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OMEQHFQZN3Y21Y" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{87E92CDE-219E-4DED-9441-25992CE096CD}" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{87E92CDE-219E-4DED-9441-25992CE096CD}" => successfully deleted
C:\WINDOWS\System32\Tasks\YY6174DVSSG2W4 => successfully moved
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\YY6174DVSSG2W4" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B0BAE5CA-407A-476C-A7FD-B7C5BBF34224}" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B0BAE5CA-407A-476C-A7FD-B7C5BBF34224}" => successfully deleted
C:\WINDOWS\System32\Tasks\Chameleon Folder-Danfy Youi => successfully moved
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Chameleon Folder-Danfy Youi" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D8589A55-4AB4-4A8E-BDFA-05108930652D}" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D8589A55-4AB4-4A8E-BDFA-05108930652D}" => successfully deleted
C:\WINDOWS\System32\Tasks\31VZQRAPNRGICE => successfully moved
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\31VZQRAPNRGICE" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E2724507-8C37-493B-B085-98B8F9A5F46A}" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E2724507-8C37-493B-B085-98B8F9A5F46A}" => successfully deleted
C:\WINDOWS\System32\Tasks\RVUM2ULG5K64Z6 => successfully moved
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RVUM2ULG5K64Z6" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EBA671B4-FCA1-4274-A180-DAED36BF3D4A}" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EBA671B4-FCA1-4274-A180-DAED36BF3D4A}" => successfully deleted
C:\WINDOWS\System32\Tasks\H5W7F7H9L80CZF => successfully moved
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\H5W7F7H9L80CZF" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{EFCFA2C4-5FB1-40C5-A05B-D12DF33B6151}" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EFCFA2C4-5FB1-40C5-A05B-D12DF33B6151}" => successfully deleted
C:\WINDOWS\System32\Tasks\PDVDServ12 Task => successfully moved
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PDVDServ12 Task" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F56C39A7-532F-4C56-8D8A-2F85C2C22F57}" => successfully deleted
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F56C39A7-532F-4C56-8D8A-2F85C2C22F57}" => successfully deleted
C:\WINDOWS\System32\Tasks\JTH19TBMEMQ1BM => successfully moved
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\JTH19TBMEMQ1BM" => successfully deleted
HKLM\System\CurrentControlSet\Services\PornTime Updater => successfully deleted
PornTime Updater => service successfully deleted
C:\Users\Danfy Youi\AppData\Roaming\dwn.exe => successfully moved
C:\Users\Danfy Youi\AppData\Roaming\JUplwUQDOu.exe => successfully moved
C:\Users\Danfy Youi\AppData\Local\xurdfv.dll => successfully moved
========= RemoveProxy: =========
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => successfully deleted
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => successfully deleted
"HKU\S-1-5-21-261878775-2762131268-1289876846-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer" => successfully deleted
"HKU\S-1-5-21-261878775-2762131268-1289876846-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => successfully deleted
"HKU\S-1-5-21-261878775-2762131268-1289876846-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => successfully deleted
========= End of RemoveProxy: =========
C:\Windows\System32\Drivers\etc\hosts => successfully moved
Hosts restored successfully.
The system had to restart.
End of Fixlog 22:43:22
[/code]
Also, the report link for the MBAM scan: https://pjjoint.malekal.com/files.php?id=20200520_s7t6g10g7u15. I'm adding the rest bit by bit
FRST: https://pjjoint.malekal.com/files.php?id=FRST_20200520_q6i6d7z10q5
Addition: https://pjjoint.malekal.com/files.php?id=20200520_75x11d15y13
Shortcut: https://pjjoint.malekal.com/files.php?id=20200520_e7q75g7s6
Is that good?
Yes, change your passwords.
Do some MBAM scans in the coming days.
To avoid viruses, it's important to know how hackers infect computers: How computer viruses are distributed
Finally, to protect and secure your PC:
- How to protect your PC from viruses and hackers?
- Securing your PC against viruses
Hello everyone,
I have the same problem, and it has been occurring every startup for months; I'm only now taking the bull by the horns, if I dare say...
Thank you very much in advance...
Here are the 3 analysis files:
https://pjjoint.malekal.com/files.php?id=20210228_o11k5k13r10t5
https://pjjoint.malekal.com/files.php?id=FRST_20210228_k13o9x12s7r5
https://pjjoint.malekal.com/files.php?id=20210228_z8h7m11v15x6
Looking forward to hearing from you... And thanks again...