Threatening email following a hack of my computer

Olivberna
Hello,

I received an email from a stranger last night:

“Hi!
I am a computerphile who has access to your operating system.
I as well have complete access to ur acc.
I've been tracking you for a few months already.
The point is that I infected u with malicious software through an adult site that you visited.
If you have no idea of what is happening, I will define it.
Trojan Virus gives me total access and control of a PC or any other device.
This means that I can see everything on your screen, switch on the webcam and micro, but you can’t even guess it.
I as well have gained access to all of ur contacts and all your communications.
Why haven’t ur antivirus identify rogue application?
Answer: My badware exploits the driver, I novelize its signatures every four hours so that ur antivirus solution keeps silent.
I have shot a vid which demonstrates the way u get pleasure of yourself in the left part of the screen, and in the right part you see the vid that you watched.
With one click of the mouse, I may direct the video to all your electronic-mails and contacts on social networking sites.
I can as well reveal access to all of your electronic mail correspondence and messengers that you utilize chat through.
If you want to avoid this, pay the sum of 13 to my DASH address (if you do not know how to do this, search in Google: "Buy DashCoin").
My Dash Coin address (Dash digital wallet) is: XxTciHx3fejCNVPiTQA2p5JnGXsYWEYe8T
After receiving the money reward, I will eliminate the video and you will never see me again.
I offer u 50 hours (more than two days) to make transfer.
I will be notified of the notification opening, and the countdown will begin.
Filing a complaint somewhere is meaningless as this email cannot be traced and my DashCoin address as well.
I do not make mistakes.
If I find out that you have shared this letter with somebody else, the video will be instantly published.
Best regards!"

I looked online and found that this type of email is common, however one detail bothers me. The guy who sent this email claims to have installed a Trojan Virus on my computer and I discovered that this malware was indeed present on my computer.
I don’t do this kind of thing especially in front of my computer camera. But this email still worries me. Should I be concerned? Does anyone know if I am at risk with the malware and what should I do to get rid of it?

Thank you for your responses!

3 replies

Malekal_morte- (Moderator, security contributor)
 
Hi,

If these are blackmail emails saying that your PC is being monitored, etc., it's totally bogus.
It's meant to scare you and extort money from you.

More information on these links:
Sextortion and email scams: a hacker has hacked you.
https://forums.commentcamarche.net/forum/affich-35582045-mail-hacker-et-menace-de-diffusion-video

Olivberna
 
The problem is that my computer really has been hacked; the guy took €150 from me on PayPal...
Also, the computer in question is a tower, and I don't have a camera.
There is only a camera on my laptop.
Malekal_morte-
 
It has nothing to do with it.

If you want to check your PC for potential malware:

To check your computer for possible infections and get a general status of the system:

Follow the FRST tutorial by clicking on this blue link. ( take the time to read carefully - everything is well explained ).

Download and run the FRST scan.
Wait for the scan to finish; a message indicates that the analysis is complete.

Three FRST reports will be generated:
  • FRST.txt
  • Shortcut.txt
  • Addition.txt


Send these 3 reports to the website https://pjjoint.malekal.com/ and in return provide the 3 pjjoint links that lead to the reports here in a new response so that we can review them.

(The blue links lead to step-by-step explanatory tutorials, click on them for more precise instructions to follow).

--
Please press any key to continue the disinfection...
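One way to triage the FRST report lines that this procedure produces, as an added example that is not part of the thread and not FRST's own code. It parses the Run, Task, ShortcutTarget and browser-policy line formats FRST prints and flags the patterns the fix later in this thread targets: an obfuscated argument blob, the same command registered under several random Run names and hives, a task launched from Temp, an unsigned task target, a Startup shortcut whose target is gone, and browser policy restrictions. The sample lines are quoted from the report in this thread except the SecurityHealth entry, which is constructed as a benign control; the heuristics, category names and severities are this example's assumptions, not FRST rules.

```python
"""Triage of Farbar Recovery Scan Tool (FRST) report lines.

Added example, not part of this thread and not FRST code. Parses the
FRST.txt formats for Run keys, scheduled tasks, Startup shortcuts and
browser policies and flags what the fix in this thread targets.
Heuristics and severities are this example's assumptions, not FRST rules.
"""
import re
from collections import Counter, defaultdict

RUN_RE = re.compile(r"^(?P<hive>HKLM(?:-x32)?|HKU\\[^\\]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<cmd>.*)$")
TASK_RE = re.compile(r"^Task: \{[0-9A-F-]+\} - System32\\Tasks\\(?P<name>.+?) => (?P<cmd>.*)$")
SHORTCUT_RE = re.compile(r"^ShortcutTarget: (?P<lnk>\S+) -> (?P<target>.+?)(?P<missing> \(File not found\))?$")
POLICY_RE = re.compile(r"^(?P<browser>FF|CHR) (?P<key>\S+\\Policies\\\S+): Restriction")
ANNOTATION_RE = re.compile(r"\s*\(the data item has .*?\)\.?$")  # FRST's 'extra characters' note

# Quoted from the FRST report in this thread; the SecurityHealth Run entry is
# a constructed benign line so the output also shows what is NOT flagged.
SAMPLE_LINES = r"""
HKLM\...\Run: [Biota] => "C:\Program Files (x86)\Uncertainty\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfK (the data item has 5 characters extra).
HKLM\...\Run: [Stifled] => "C:\Program Files (x86)\meandered\Dutko.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsAM1
HKLM-x32\...\Run: [Bosnia] => "C:\Program Files (x86)\Uncertainty\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfK (the data item has 5 characters extra).
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [Guillaume] => "C:\Program Files (x86)\Uncertainty\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfK (the data item has 5 characters extra).
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [Irascible] => "C:\Program Files (x86)\meandered\Dutko.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsAM1
HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe
ShortcutTarget: oder.lnk -> C:\Program Files (x86)\Uncertainty\Campaigned.exe (File not found)
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== WARNING
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== WARNING
Task: {DF866467-8A14-4903-964A-69263BE9A6CA} - System32\Tasks\trendtrend => C:\Program Files (x86)\maris\maris.exe
Task: {EDE0EEDD-275E-43BF-A321-2B3107FF5DDA} - System32\Tasks\Yandere Simulator => C:\Users\Nayan\AppData\Local\Temp\is-O13BB.tmp\prsetup.exe <==== WARNING
Task: {9D66090E-85A6-4517-ACB9-F008457BF238} - System32\Tasks\ModifyLinkUpdate => C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe [468992 2019-09-10] (Advanced Micro Devices, Inc.) [Unsigned file]
Task: {AD4C9718-D0D6-44F4-8A82-3B186673F385} - System32\Tasks\Microsoft\Windows\Task Manager\Guids => C:\Users\Nayan\AppData\Roaming\\freetools\\guids.exe
"""


def split_command(cmd):
    """(exe, args) from an FRST command field, minus FRST's trailing notes."""
    cmd = ANNOTATION_RE.sub("", cmd)
    cmd = re.split(r" \[\d+ \d{4}-\d{2}-\d{2}\]| <====", cmd)[0].strip()
    m = (re.match(r'^"(?P<exe>[^"]+)"\s*(?P<args>.*)$', cmd)
         or re.match(r"^(?P<exe>.+?\.exe)\s*(?P<args>.*)$", cmd, re.IGNORECASE))
    return (m.group("exe"), m.group("args").strip()) if m else (cmd, "")


def is_opaque(args):
    """Long single token with no switch prefix: the blob seen here, not a '/switch'."""
    return len(args) >= 40 and " " not in args and not args.startswith(("-", "/"))


def triage(lines):
    """Return findings as (severity, category, message) tuples."""
    findings = []
    by_command = defaultdict(list)  # (exe, args) -> Run entries that launch it
    for raw in lines:
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            exe, args = split_command(m.group("cmd"))
            by_command[(exe.lower(), args)].append(f"{m.group('hive')}:{m.group('name')}")
            if is_opaque(args):
                findings.append(("high", "opaque-args",
                                 f"Run [{m.group('name')}] passes a {len(args)}-char blob to {exe}"))
            continue
        m = TASK_RE.match(line)
        if m:
            exe, _ = split_command(m.group("cmd"))
            low = exe.lower()
            if "\\appdata\\local\\temp\\" in low:
                findings.append(("high", "temp-dir-target", f"Task '{m.group('name')}' runs from Temp: {exe}"))
            elif "\\appdata\\" in low:
                findings.append(("info", "user-profile-target", f"Task '{m.group('name')}' runs from the user profile: {exe}"))
            if "[Unsigned file]" in m.group("cmd"):
                findings.append(("medium", "unsigned-task", f"Task '{m.group('name')}' target is unsigned: {exe}"))
            continue
        m = SHORTCUT_RE.match(line)
        if m and m.group("missing"):
            findings.append(("medium", "dangling-shortcut",
                             f"Startup shortcut {m.group('lnk')} points to missing {m.group('target')}"))
            continue
        m = POLICY_RE.match(line)
        if m:
            findings.append(("medium", "browser-policy", f"{m.group('browser')} policy restriction at {m.group('key')}"))
    # One executable + argument blob registered under several random names and
    # hives is the persistence pattern this machine showed; group to expose it.
    for (exe, args), names in by_command.items():
        if len(names) > 1:
            findings.append(("high", "shared-command",
                             f"{exe} registered under {len(names)} Run names: {', '.join(names)}"))
    return findings


def summarize(findings):
    return Counter(category for _, category, _ in findings)


def triage_sample():
    return triage(SAMPLE_LINES.splitlines())


if __name__ == "__main__":
    for severity, category, message in triage_sample():
        print(f"[{severity:6}] {category:20} {message}")
```

Run as-is to print the findings; in practice feed it FRST.txt line by line. Each random name (Biota, Bosnia, Guillaume...) looks unremarkable on its own; grouping by command line is what shows them to be one implant registered in every hive it could reach.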
Malekal_morte-
 
Well, yes, you have malware :/
It dates from early February.

Here is the fix to implement with FRST. You can refer to this guide with screenshots.
Restart FRST and then press CTRL + Y on your keyboard.
Notepad will open; copy/paste this into it.

Start:
CloseProcesses:
CreateRestorePoint:
HKLM\...\Run: [Biota] => "C:\Program Files (x86)\Uncertainty\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfK (the data item has 5 characters extra).
HKLM\...\Run: [Stifled] => "C:\Program Files (x86)\meandered\Dutko.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsAM1
HKLM\...\Run: [Pentamidine] => "C:\Program Files (x86)\Tenanted\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsA (the data item has 2 characters extra).
HKLM-x32\...\Run: [Bosnia] => "C:\Program Files (x86)\Uncertainty\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfK (the data item has 5 characters extra).
HKLM-x32\...\Run: [Remunerative] => "C:\Program Files (x86)\meandered\Dutko.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsAM1
HKLM-x32\...\Run: [Rosel] => "C:\Program Files (x86)\Tenanted\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsA (the data item has 2 characters extra).
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [Guillaume] => "C:\Program Files (x86)\Uncertainty\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfK (the data item has 5 characters extra).
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [Irascible] => "C:\Program Files (x86)\meandered\Dutko.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsAM1
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [Roberson] => "C:\Program Files (x86)\Tenanted\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsA (the data item has 2 characters extra).
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [Decode] => "C:\Program Files (x86)\Uncertainty\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfK (the data item has 5 characters extra).
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [Corresponded] => "C:\Program Files (x86)\meandered\Dutko.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsAM1
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [Duddy] => "C:\Program Files (x86)\Tenanted\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsA (the data item has 2 characters extra).
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [nunez] => "C:\Program Files (x86)\tanner\nunez.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsAM1
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [car] => "C:\Program Files (x86)\Uncertainty\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfK (the data item has 5 characters extra).
Startup: C:\Users\Nayan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oder.lnk [2019-11-22]
ShortcutTarget: oder.lnk -> C:\Program Files (x86)\Uncertainty\Campaigned.exe (File not found)
Startup: C:\Users\Nayan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oderoder.lnk [2019-11-22]
ShortcutTarget: oderoder.lnk -> C:\Program Files (x86)\meandered\Dutko.exe (File not found)
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== WARNING
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== WARNING
CHR HKU\S-1-5-21-1343850409-2829504140-975250977-1002\SOFTWARE\Policies\Google: Restriction <==== WARNING
Task: {DF866467-8A14-4903-964A-69263BE9A6CA} - System32\Tasks\trendtrend => C:\Program Files (x86)\maris\maris.exe
Task: {EDE0EEDD-275E-43BF-A321-2B3107FF5DDA} - System32\Tasks\Yandere Simulator => C:\Users\Nayan\AppData\Local\Temp\is-O13BB.tmp\prsetup.exe <==== WARNING
Task: {90D5EFD4-7576-4FA1-8E6D-8994C1C183B4} - System32\Tasks\howsoever_comediennehowsoever_comedienne => C:\Users\Nayan\AppData\Local\Dutko.exe
Task: {941535B1-5F6C-4741-A4BC-1830ED0B0EC3} - System32\Tasks\lancasterlancaster => C:\Program Files (x86)\Uncertainty\Campaigned.exe
Task: {9D66090E-85A6-4517-ACB9-F008457BF238} - System32\Tasks\ModifyLinkUpdate => C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe [468992 2019-09-10] (Advanced Micro Devices, Inc.) [Unsigned file]
Task: {9D7C4998-FCDF-43FC-B2AD-6F54A823978F} - System32\Tasks\Chameleon Folder-Nayan => "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
Task: {A1F0FF9D-3810-41B6-B68A-23005E480046} - System32\Tasks\schoolchild-chimpsschoolchild-chimps => C:\Program Files (x86)\meandered\Dutko.exe
Task: {A6DA238B-FDDD-4CD0-993D-9C74121EFC7E} - System32\Tasks\neutral_yukataneutral_yukata => C:\Program Files (x86)\Tenanted\Campaigned.exe
Task: {A7015487-5946-448D-A33B-EF608401CDA3} - System32\Tasks\Opera scheduled assistant Autoupdate 1559378683 => C:\Users\Nayan\AppData\Local\Programs\Opera\launcher.exe
Task: {AD4C9718-D0D6-44F4-8A82-3B186673F385} - System32\Tasks\Microsoft\Windows\Task Manager\Guids => C:\Users\Nayan\AppData\Roaming\\freetools\\guids.exe
Task: {6488BB53-33E3-44CB-907A-F90A07E725F0} - System32\Tasks\Wscanner Secure => C:\Program Files (x86)\Wscanner\secure\secureupdater.exe
Task: {6B50E230-219B-412D-9897-E9DF59D4F1D4} - no file path
S3 TKFsAvM; C:\WINDOWS\system32\TKFsAv64.sys [198808 2018-03-07] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== WARNING
S3 TKFsFtM; C:\WINDOWS\system32\TKFsFt64.sys [28824 2018-03-07] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== WARNING
S3 TKPcFt; C:\WINDOWS\system32\TKPcFtCb64.sys [54504 2018-01-30] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== WARNING
S3 TKRgAc; C:\WINDOWS\system32\TKRgAc2k64.sys [115760 2018-01-29] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== WARNING
S3 TKRgFt; C:\WINDOWS\system32\TKRgFtXp64.sys [68848 2018-02-04] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== WARNING
S3 TKSP; C:\WINDOWS\system32\TKSPxp64.sys [80824 2018-01-29] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== WARNING
2020-02-20 19:25 - 2020-02-21 02:42 - 000000000 ___HD C:\ProgramData\0BED69FF
2020-02-20 19:22 - 2020-02-21 02:41 - 000000000 ____D C:\WINDOWS\system32\Tasks\System
2020-02-20 19:21 - 2020-02-20 19:21 - 000000000 ____D C:\ProgramData\Cerfd
2020-02-20 19:21 - 2020-02-20 19:21 - 000000000 ____D C:\ProgramData\1tF6apsIYNFVvMQ6
2020-02-20 19:20 - 2020-02-20 19:25 - 000001382 _____ C:\WINDOWS\unins000.dat
2020-02-20 19:20 - 2020-02-20 19:24 - 000967450 _____ C:\WINDOWS\unins000.exe
2020-02-20 19:18 - 2020-02-21 02:42 - 000000000 ____D C:\ProgramData\UBlockPlugin
2020-02-20 19:18 - 2020-02-20 19:18 - 000000000 ____D C:\ProgramData\Newfol
2020-02-20 19:17 - 2020-02-20 19:19 - 000000000 ____D C:\ProgramData\Clend
2020-02-19 14:25 - 2020-02-19 14:25 - 000000000 ____D C:\ProgramData\ssh
2020-02-01 14:11 - 2020-02-01 14:11 - 000000000 ____C C:\TKSPProtectLog.txt
2020-02-01 14:08 - 2020-02-21 02:41 - 000000000 ____D C:\ProgramData\{C4327E67-6849-773B-3175-B8FB3192E1AA}
2020-02-01 14:08 - 2020-02-21 02:41 - 000000000 ____D C:\ProgramData\{5D5F6896-7EB8-EE56-C063-D562C0848C33}
2020-02-01 14:08 - 2020-02-01 14:13 - 000000000 ____D C:\Program Files (x86)\TACHYON
2020-02-01 14:08 - 2020-02-01 14:08 - 000000000 ____D C:\ProgramData\TACHYON
2020-02-01 14:08 - 2020-02-01 14:08 - 000000000 ____D C:\ProgramData\INCAInternet
2020-02-01 14:09 - 2019-11-22 17:27 - 000000000 ____D C:\ProgramData\{13412BF2-3DDC-A048-A420-CB2CA4C7927D}
2020-02-01 14:08 - 2019-11-22 17:27 - 000000000 ____D C:\ProgramData\{D5CC15F4-03DA-66C5-A21E-46EAA2F91FBB}
EmptyTemp:
RemoveProxy:
Hosts:
Reboot:
End:


Save the file from the File menu (File > Save).

Close Notepad, go back to FRST and click on the "Fix" button.
A restart may be necessary; it will happen automatically.
A text file will appear; copy/paste its content here in a new message.

Restart the computer.

2°)
Reset/Repair the web browsers affected by the issues:

3°)
Finish with a cleanup using Malwarebytes - Malwarebytes Anti-Malware free version tutorial

4°)
See what happens and if there have been improvements.
If not, and you still have pop-up ads, specify which web browser.
Redo a FRST scan and provide the new reports via attachment.

Olivberna
 
Results of the Farbar Recovery Scan Tool correction (x64) Version: 23-02-2020
Executed by Nayan (24-02-2020 19:25:01) Run:1
Executed from D:\User\Nayan\Desktop
Loaded Profiles: Nayan (Available Profiles: Nayan & bmarg)
Boot Mode: Normal
==============================================

fixlist content:

End of Fixlog 19:25:01

Malekal_morte- > Olivberna
 
Place FRST on the desktop
open Notepad
paste the script given above
save the file on the desktop as fixlist.txt
Restart FRST and click Fix.
Olivberna > Malekal_morte-
 
It's sent just above.
Malekal_morte- > Olivberna
 
But the fix log is empty, so I think it was done incorrectly.
Olivberna > Malekal_morte-
 
Results of Farbar Recovery Scan Tool correction (x64) Version: 23-02-2020
Executed by Nayan (24-02-2020 19:41:14) Run:2
Executed from D:\User\Nayan\Desktop
Loaded profiles: Nayan (Available profiles: Nayan & bmarg)
Boot mode: Normal
==============================================

fixlist content:

Start:
CloseProcesses:
CreateRestorePoint:
HKLM\...\Run: [Biota] => "C:\Program Files (x86)\Uncertainty\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfK (the data item has 5 extra characters).
HKLM\...\Run: [Stifled] => "C:\Program Files (x86)\meandered\Dutko.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsAM1
HKLM\...\Run: [Pentamidine] => "C:\Program Files (x86)\Tenanted\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsA (the data item has 2 extra characters).
HKLM-x32\...\Run: [Bosnia] => "C:\Program Files (x86)\Uncertainty\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfK (the data item has 5 extra characters).
HKLM-x32\...\Run: [Remunerative] => "C:\Program Files (x86)\meandered\Dutko.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsAM1
HKLM-x32\...\Run: [Rosel] => "C:\Program Files (x86)\Tenanted\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsA (the data item has 2 extra characters).
KU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [Guillaume] => "C:\Program Files (x86)\Uncertainty\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfK (the data item has 5 extra characters).
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [Irascible] => "C:\Program Files (x86)\meandered\Dutko.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsAM1
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [Roberson] => "C:\Program Files (x86)\Tenanted\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsA (the data item has 2 extra characters).
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [Decode] => "C:\Program Files (x86)\Uncertainty\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfK (the data item has 5 extra characters).
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [Corresponded] => "C:\Program Files (x86)\meandered\Dutko.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsAM1
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [Duddy] => "C:\Program Files (x86)\Tenanted\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsA (the data item has 2 extra characters).
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [nunez] => "C:\Program Files (x86)\tanner\nunez.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfKUsAM1
HKU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [car] => "C:\Program Files (x86)\Uncertainty\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfK (the data item has 5 extra characters).
Startup: C:\Users\Nayan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oder.lnk [2019-11-22]
ShortcutTarget: oder.lnk -> C:\Program Files (x86)\Uncertainty\Campaigned.exe (File not found)
Startup: C:\Users\Nayan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oderoder.lnk [2019-11-22]
ShortcutTarget: oderoder.lnk -> C:\Program Files (x86)\meandered\Dutko.exe (File not found)
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== WARNING
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== WARNING
CHR HKU\S-1-5-21-1343850409-2829504140-975250977-1002\SOFTWARE\Policies\Google: Restriction <==== WARNING
Task: {DF866467-8A14-4903-964A-69263BE9A6CA} - System32\Tasks\trendtrend => C:\Program Files (x86)\maris\maris.exe
Task: {EDE0EEDD-275E-43BF-A321-2B3107FF5DDA} - System32\Tasks\Yandere Simulator => C:\Users\Nayan\AppData\Local\Temp\is-O13BB.tmp\prsetup.exe <==== WARNING
Task: {90D5EFD4-7576-4FA1-8E6D-8994C1C183B4} - System32\Tasks\howsoever_comediennehowsoever_comedienne => C:\Users\Nayan\AppData\Local\Dutko.exe
Task: {941535B1-5F6C-4741-A4BC-1830ED0B0EC3} - System32\Tasks\lancasterlancaster => C:\Program Files (x86)\Uncertainty\Campaigned.exe
Task: {9D66090E-85A6-4517-ACB9-F008457BF238} - System32\Tasks\ModifyLinkUpdate => C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe [468992 2019-09-10] (Advanced Micro Devices, Inc.) [Unsigned file]
Task: {9D7C4998-FCDF-43FC-B2AD-6F54A823978F} - System32\Tasks\Chameleon Folder-Nayan => "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
Task: {A1F0FF9D-3810-41B6-B68A-23005E480046} - System32\Tasks\schoolchild-chimpsschoolchild-chimps => C:\Program Files (x86)\meandered\Dutko.exe
Task: {A6DA238B-FDDD-4CD0-993D-9C74121EFC7E} - System32\Tasks\neutral_yukataneutral_yukata => C:\Program Files (x86)\Tenanted\Campaigned.exe
Task: {A7015487-5946-448D-A33B-EF608401CDA3} - System32\Tasks\Opera scheduled assistant Autoupdate 1559378683 => C:\Users\Nayan\AppData\Local\Programs\Opera\launcher.exe
Task: {AD4C9718-D0D6-44F4-8A82-3B186673F385} - System32\Tasks\Microsoft\Windows\Task Manager\Guids => C:\Users\Nayan\AppData\Roaming\\freetools\\guids.exe
Task: {6488BB53-33E3-44CB-907A-F90A07E725F0} - System32\Tasks\Wscanner Secure => C:\Program Files (x86)\Wscanner\secure\secureupdater.exe
Task: {6B50E230-219B-412D-9897-E9DF59D4F1D4} - no file path
S3 TKFsAvM; C:\WINDOWS\system32\TKFsAv64.sys [198808 2018-03-07] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== WARNING
S3 TKFsFtM; C:\WINDOWS\system32\TKFsFt64.sys [28824 2018-03-07] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== WARNING
S3 TKPcFt; C:\WINDOWS\system32\TKPcFtCb64.sys [54504 2018-01-30] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== WARNING
S3 TKRgAc; C:\WINDOWS\system32\TKRgAc2k64.sys [115760 2018-01-29] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== WARNING
S3 TKRgFt; C:\WINDOWS\system32\TKRgFtXp64.sys [68848 2018-02-04] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== WARNING
S3 TKSP; C:\WINDOWS\system32\TKSPxp64.sys [80824 2018-01-29] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== WARNING
2020-02-20 19:25 - 2020-02-21 02:42 - 000000000 ___HD C:\ProgramData\0BED69FF
2020-02-20 19:22 - 2020-02-21 02:41 - 000000000 ____D C:\WINDOWS\system32\Tasks\System
2020-02-20 19:21 - 2020-02-20 19:21 - 000000000 ____D C:\ProgramData\Cerfd
2020-02-20 19:21 - 2020-02-20 19:21 - 000000000 ____D C:\ProgramData\1tF6apsIYNFVvMQ6
2020-02-20 19:20 - 2020-02-20 19:25 - 000001382 _____ C:\WINDOWS\unins000.dat
2020-02-20 19:20 - 2020-02-20 19:24 - 000967450 _____ C:\WINDOWS\unins000.exe
2020-02-20 19:18 - 2020-02-21 02:42 - 000000000 ____D C:\ProgramData\UBlockPlugin
2020-02-20 19:18 - 2020-02-20 19:18 - 000000000 ____D C:\ProgramData\Newfol
2020-02-20 19:17 - 2020-02-20 19:19 - 000000000 ____D C:\ProgramData\Clend
2020-02-19 14:25 - 2020-02-19 14:25 - 000000000 ____D C:\ProgramData\ssh
2020-02-01 14:11 - 2020-02-01 14:11 - 000000000 ____C C:\TKSPProtectLog.txt
2020-02-01 14:08 - 2020-02-21 02:41 - 000000000 ____D C:\ProgramData\{C4327E67-6849-773B-3175-B8FB3192E1AA}
2020-02-01 14:08 - 2020-02-21 02:41 - 000000000 ____D C:\ProgramData\{5D5F6896-7EB8-EE56-C063-D562C0848C33}
2020-02-01 14:08 - 2020-02-01 14:13 - 000000000 ____D C:\Program Files (x86)\TACHYON
2020-02-01 14:08 - 2020-02-01 14:08 - 000000000 ____D C:\ProgramData\TACHYON
2020-02-01 14:08 - 2020-02-01 14:08 - 000000000 ____D C:\ProgramData\INCAInternet
2020-02-01 14:09 - 2019-11-22 17:27 - 000000000 ____D C:\ProgramData\{13412BF2-3DDC-A048-A420-CB2CA4C7927D}
2020-02-01 14:08 - 2019-11-22 17:27 - 000000000 ____D C:\ProgramData\{D5CC15F4-03DA-66C5-A21E-46EAA2F91FBB}
EmptyTemp:
RemoveProxy:
Hosts:
Reboot:
End:


    Processes closed successfully.
    The restore point was created successfully.
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Biota" => deleted successfully
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Stifled" => deleted successfully
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Pentamidine" => deleted successfully
    "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Bosnia" => deleted successfully
    "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Remunerative" => deleted successfully
    "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Rosel" => deleted successfully
    KU\S-1-5-21-1343850409-2829504140-975250977-1002\...\Run: [Guillaume] => "C:\Program Files (x86)\Uncertainty\Campaigned.exe" supamfwsupamfwsupamfwsupamf.supamfesupamfssupamfzsupamf.supamfpsupamfwsupamf/supamfk2au0au1ausupamf9au1s1s2k2supamfkauasp1vRKsupamfZL0JW2BQlOsupamfK (the data item has 5 extra characters). => Error: No automatic fix found for this item.
    "HKU\S-1-5-21-1343850409-2829504140-975250977-1002\Software\Microsoft\Windows\CurrentVersion\Run\\Irascible" => deleted successfully
    "HKU\S-1-5-21-1343850409-2829504140-975250977-1002\Software\Microsoft\Windows\CurrentVersion\Run\\Roberson" => deleted successfully
    "HKU\S-1-5-21-1343850409-2829504140-975250977-1002\Software\Microsoft\Windows\CurrentVersion\Run\\Decode" => deleted successfully
    "HKU\S-1-5-21-1343850409-2829504140-975250977-1002\Software\Microsoft\Windows\CurrentVersion\Run\\Corresponded" => deleted successfully
    "HKU\S-1-5-21-1343850409-2829504140-975250977-1002\Software\Microsoft\Windows\CurrentVersion\Run\\Duddy" => deleted successfully
    "HKU\S-1-5-21-1343850409-2829504140-975250977-1002\Software\Microsoft\Windows\CurrentVersion\Run\\nunez" => deleted successfully
    "HKU\S-1-5-21-1343850409-2829504140-975250977-1002\Software\Microsoft\Windows\CurrentVersion\Run\\car" => deleted successfully
    C:\Users\Nayan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oder.lnk => moved successfully
    "C:\Program Files (x86)\Uncertainty\Campaigned.exe" => not found
    C:\Users\Nayan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oderoder.lnk => moved successfully
    "C:\Program Files (x86)\meandered\Dutko.exe" => not found
    "HKLM\SOFTWARE\Policies\Mozilla" => deleted successfully
    "HKLM\SOFTWARE\Policies\Google" => deleted successfully
    "HKU\S-1-5-21-1343850409-2829504140-975250977-1002\SOFTWARE\Policies\Google" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DF866467-8A14-4903-964A-69263BE9A6CA}" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF866467-8A14-4903-964A-69263BE9A6CA}" => deleted successfully
    C:\WINDOWS\System32\Tasks\trendtrend => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\trendtrend" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{EDE0EEDD-275E-43BF-A321-2B3107FF5DDA}" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EDE0EEDD-275E-43BF-A321-2B3107FF5DDA}" => deleted successfully
    C:\WINDOWS\System32\Tasks\Yandere Simulator => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Yandere Simulator" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{90D5EFD4-7576-4FA1-8E6D-8994C1C183B4}" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{90D5EFD4-7576-4FA1-8E6D-8994C1C183B4}" => deleted successfully
    C:\WINDOWS\System32\Tasks\howsoever_comediennehowsoever_comedienne => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\howsoever_comediennehowsoever_comedienne" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{941535B1-5F6C-4741-A4BC-1830ED0B0EC3}" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{941535B1-5F6C-4741-A4BC-1830ED0B0EC3}" => deleted successfully
    C:\WINDOWS\System32\Tasks\lancasterlancaster => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\lancasterlancaster" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{9D66090E-85A6-4517-ACB9-F008457BF238}" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9D66090E-85A6-4517-ACB9-F008457BF238}" => deleted successfully
    C:\WINDOWS\System32\Tasks\ModifyLinkUpdate => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ModifyLinkUpdate" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9D7C4998-FCDF-43FC-B2AD-6F54A823978F}" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9D7C4998-FCDF-43FC-B2AD-6F54A823978F}" => deleted successfully
    C:\WINDOWS\System32\Tasks\Chameleon Folder-Nayan => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Chameleon Folder-Nayan" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A1F0FF9D-3810-41B6-B68A-23005E480046}" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A1F0FF9D-3810-41B6-B68A-23005E480046}" => deleted successfully
    C:\WINDOWS\System32\Tasks\schoolchild-chimpsschoolchild-chimps => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\schoolchild-chimpsschoolchild-chimps" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A6DA238B-FDDD-4CD0-993D-9C74121EFC7E}" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A6DA238B-FDDD-4CD0-993D-9C74121EFC7E}" => deleted successfully
    C:\WINDOWS\System32\Tasks\neutral_yukataneutral_yukata => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\neutral_yukataneutral_yukata" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A7015487-5946-448D-A33B-EF608401CDA3}" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A7015487-5946-448D-A33B-EF608401CDA3}" => deleted successfully
    C:\WINDOWS\System32\Tasks\Opera scheduled assistant Autoupdate 1559378683 => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Opera scheduled assistant Autoupdate 1559378683" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{AD4C9718-D0D6-44F4-8A82-3B186673F385}" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD4C9718-D0D6-44F4-8A82-3B186673F385}" => deleted successfully
    C:\WINDOWS\System32\Tasks\Microsoft\Windows\Task Manager\Guids => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Task Manager\Guids" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6488BB53-33E3-44CB-907A-F90A07E725F0}" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6488BB53-33E3-44CB-907A-F90A07E725F0}" => deleted successfully
    C:\WINDOWS\System32\Tasks\Wscanner Secure => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Wscanner Secure" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6B50E230-219B-412D-9897-E9DF59D4F1D4}" => deleted successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B50E230-219B-412D-9897-E9DF59D4F1D4}" => deleted successfully
    HKLM\System\CurrentControlSet\Services\TKFsAvM => deleted successfully
    TKFsAvM => service deleted successfully
    HKLM\System\CurrentControlSet\Services\TKFsFtM => deleted successfully
    TKFsFtM => service deleted successfully
    HKLM\System\CurrentControlSet\Services\TKPcFt => deleted successfully
    TKPcFt => service deleted successfully
    HKLM\System\CurrentControlSet\Services\TKRgAc => deleted successfully
    TKRgAc => service deleted successfully
    HKLM\System\CurrentControlSet\Services\TKRgFt => deleted successfully
    TKRgFt => service deleted successfully
    HKLM\System\CurrentControlSet\Services\TKSP => deleted successfully
    TKSP => service deleted successfully
    C:\ProgramData\0BED69FF => moved successfully
    C:\WINDOWS\system32\Tasks\System => moved successfully
    C:\ProgramData\Cerfd => moved successfully
    C:\ProgramData\1tF6apsIYNFVvMQ6 => moved successfully
    C:\WINDOWS\unins000.dat => moved successfully
    C:\WINDOWS\unins000.exe => moved successfully
    C:\ProgramData\UBlockPlugin => moved successfully
    C:\ProgramData\Newfol => moved successfully
    C:\ProgramData\Clend => moved successfully
    C:\ProgramData\ssh => moved successfully
    C:\TKSPProtectLog.txt => moved successfully
    C:\ProgramData\{C4327E67-6849-773B-3175-B8FB3192E1AA} => moved successfully
    C:\ProgramData\{5D5F6896-7EB8-EE56-C063-D562C0848C33} => moved successfully
    C:\Program Files (x86)\TACHYON => moved successfully
    C:\ProgramData\TACHYON => moved successfully
    C:\ProgramData\INCAInternet => moved successfully
    C:\ProgramData\{13412BF2-3DDC-A048-A420-CB2CA4C7927D} => moved successfully
    C:\ProgramData\{D5CC15F4-03DA-66C5-A21E-46EAA2F91FBB} => moved successfully

    ========= RemoveProxy: =========

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => deleted successfully
    "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable" => deleted successfully
    "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer" => deleted successfully
    "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => deleted successfully
    "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => deleted successfully
    "HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable" => deleted successfully
    "HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer" => deleted successfully
    "HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable" => deleted successfully
    "HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer" => deleted successfully
    "HKU\S-1-5-21-1343850409-2829504140-975250977-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer" => deleted successfully
    "HKU\S-1-5-21-1343850409-2829504140-975250977-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => deleted successfully
    "HKU\S-1-5-21-1343850409-2829504140-975250977-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => deleted successfully


    ========= End of RemoveProxy: =========

    C:\Windows\System32\Drivers\etc\hosts => moved successfully
    Hosts restored successfully.

    =========== EmptyTemp: ==========

    BITS transfer queue => 12345344 B
    DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 108765401 B
    Java, Flash, Steam htmlcache => 13884720 B
    Windows/system/drivers => 1223150 B
    Edge => 1869628 B
    Chrome => 732228334 B
    Firefox => 0 B
    Opera => 0 B

    Temp, IE cache, history, cookies, recent:
    Default => 8651 B
    Users => 8651 B
    ProgramData => 8651 B
    Public => 8651 B
    systemprofile => 8651 B
    systemprofile32 => 8651 B
    LocalService => 78417 B
    NetworkService => 109501 B
    Nayan => 53032642 B
    bmarg => 53043789 B

    RecycleBin => 0 B
    EmptyTemp: => 931.4 MB temporary data deleted.

    ================================


    The system had to reboot.

    End of Fixlog 19:42:40

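The Fixlog above is worth reading as a map of where the infection had hooked in: Task Scheduler entries (the `TaskCache\Tree\<name>` key, the `TaskCache\Tasks\{GUID}` key, a trigger key under `Logon` or `Plain`, and the task XML under `System32\Tasks`), kernel/user services under `CurrentControlSet\Services`, per-hive proxy settings under `Internet Settings` (note that `.DEFAULT`, `S-1-5-19`, `S-1-5-20` and the user SID were all touched), and the hosts file. The small parser below, an added example that is neither part of the post nor FRST's own code, turns a Fixlog into a triage summary grouped by those persistence mechanisms. The sample log is constructed from a few lines in the same shape as the posted one; the pairing of `{GUID}` entries with the task name assumes FRST's ordering as seen above (GUID keys first, then the `Tree\<name>` key), which is an assumption, not a documented format guarantee.

```python
import re

# Constructed sample in the shape of an FRST Fixlog (not the full log from the post).
SAMPLE_FIXLOG = r'''
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{AD4C9718-D0D6-44F4-8A82-3B186673F385}" => deleted successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD4C9718-D0D6-44F4-8A82-3B186673F385}" => deleted successfully
C:\WINDOWS\System32\Tasks\Wscanner Secure => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Wscanner Secure" => deleted successfully
HKLM\System\CurrentControlSet\Services\TKSP => deleted successfully
TKSP => service deleted successfully
C:\ProgramData\ssh => moved successfully

========= RemoveProxy: =========

"HKU\S-1-5-21-1343850409-2829504140-975250977-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer" => deleted successfully

========= End of RemoveProxy: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 931.4 MB temporary data deleted.
'''

# One action record per line: an optionally quoted target, " => ", and the result.
RECORD_RE = re.compile(r'^"?(?P<target>.+?)"?\s+=>\s+(?P<result>.+?)\s*$')
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Lower-cased path fragments that identify each persistence location.
TASKCACHE = "\\schedule\\taskcache\\"
SERVICES = "\\currentcontrolset\\services\\"
TASKS_DIR = "\\system32\\tasks\\"
INET_SETTINGS = "\\internet settings\\"


def parse_records(text):
    """Yield (target, result) for every 'X => Y' line; banners and plain lines are skipped."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            yield m.group("target"), m.group("result")


def summarize(text):
    """Group a Fixlog's actions by the persistence mechanism they removed."""
    summary = {
        "tasks": {},           # task path -> GUID keys removed alongside it
        "services": [],        # service names (from the key and/or the 'service deleted' line)
        "proxy_hives": [],     # HKU hive names whose proxy settings were cleared
        "hosts_restored": False,
        "moved_paths": [],     # files/directories quarantined by the fix
        "temp_deleted": None,  # EmptyTemp total, e.g. "931.4 MB"
        "other": [],
    }
    # GUID keys appear before the Tree\<name> key of the same task in FRST output
    # (assumption based on the ordering seen in the posted log).
    pending_guids = []
    for target, result in parse_records(text):
        low = target.lower()
        if target == "EmptyTemp:":
            summary["temp_deleted"] = result.split(" temporary")[0]
        elif result.startswith("service deleted"):
            if target not in summary["services"]:
                summary["services"].append(target)
        elif SERVICES in low:
            name = target.rsplit("\\", 1)[1]
            if name not in summary["services"]:
                summary["services"].append(name)
        elif TASKCACHE in low:
            sub = target[low.index(TASKCACHE) + len(TASKCACHE):]
            subkey, _, name = sub.partition("\\")
            if subkey.lower() == "tree":
                summary["tasks"][name] = pending_guids
                pending_guids = []
            else:  # Tasks\{GUID}, Logon\{GUID}, Plain\{GUID}, Boot\{GUID}
                g = GUID_RE.search(name)
                if g and g.group(0) not in pending_guids:
                    pending_guids.append(g.group(0))
        elif TASKS_DIR in low:
            pass  # the task XML; the Tree key line already names the task
        elif INET_SETTINGS in low:
            hive = target.split("\\")[1] if low.startswith("hku\\") else target.split("\\")[0]
            if hive not in summary["proxy_hives"]:
                summary["proxy_hives"].append(hive)
        elif low.endswith("\\drivers\\etc\\hosts"):
            summary["hosts_restored"] = True  # old hosts moved aside, default restored
        elif result.startswith("moved"):
            summary["moved_paths"].append(target)
        else:
            summary["other"].append((target, result))
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FIXLOG).items():
        print(f"{key}: {value}")
```

Run it against a saved Fixlog to get the list of task names, service names and hives to re-check after the reboot (Task Scheduler, `sc query`, and the per-user `ProxyServer` values) rather than scanning hundreds of `deleted successfully` lines by eye.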