Oh My: Streamlining Lenovo

Discussion in 'Malware Help (A Specialist Will Reply)' started by manilka835, Jan 5, 2026.

  1. manilka835

    manilka835 Specialist

The above machine freezes from time to time during start-ups and while working.

    I have run READ & RUN ME FIRST- Malware Removal Guide to make sure there are no Malware. The relevant logs are attached.

    Dr. K.D.J.H. Manilka Jayawardena,
    Medical Officer of Health,
    Katana.
    Proud to be a Sri Lankan!
     

    Attached Files:

  2. manilka835

    manilka835 Specialist

    AdwCleaner[S00] is attached.
     

    Attached Files:

  3. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings my friend.

    Let's start with this.

We need to clean all of this up. We will remove everything except for Windows Defender, then another antivirus program can be installed once the system is healthy.

    -----

    We need to keep a close eye on this. Not much available RAM to operate things.

    -----

    ===================================================

    Create a System Restore Point. If this is not successful stop and let me know.

    ===================================================

    Uninstalling Programs Using Revo Uninstaller Free Portable

    --------------------
    • Download Revo Uninstaller Free Portable and save it to your Desktop
    • Right click on the folder and select Extract All..., then click Extract
    • Double click on the RevoUninstaller-Portable folder
    • Right click on RevoUPort and select Run as administrator
    • Click OK on the License Agreement
    • From the list of programs double click on the listed program(s), or anything similar, to remove it (if it exists)
    Code:
    Autorun Eater v2.6
    CCleaner 7
    COMODO Firewall
    Internet Security Essentials
    SecureAPlus v6.9.2
    Smart Defrag 11
    SpywareBlaster 6.0
    TeamViewer 10
    
    • If the program's uninstaller appears work through the steps to remove the program(s)
    • Be sure the Advanced option is selected then click Scan
    • For each window that may appear identifying leftover items click Select All, Delete, then confirm the deletion
    • Once done click Finish
    • Reboot your computer
    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    CreateRestorePoint:
    CloseProcesses:
    cmd: bcdedit /enum all
    Zip: C:\WINDOWS\Minidump
    File: C:\ProgramData\DeleteFile.exe
    GroupPolicy: Restriction - Chrome <==== ATTENTION
    GroupPolicy-Firefox-x32: Restriction <==== ATTENTION
    Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
    2025-12-25 15:26 - 2025-12-25 15:26 - 001666169 _____ C:\Users\USER\Downloads\6c3ce966-4e45-43be-a00d-b3a9e59c15c3.tmp
    C:\Program Files (x86)\T-Mobile
    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [136]
    2012-12-24 14:01 - 2012-12-24 14:01 - 000247136 _____ () C:\ProgramData\DeleteFile.exe
    S3 ew_usbenumfilter; \SystemRoot\System32\drivers\ew_usbenumfilter.sys [X]
    S3 huawei_enumerator; \SystemRoot\System32\drivers\ew_jubusenum.sys [X]
    S3 hwusb_cdcacm; \SystemRoot\system32\DRIVERS\ew_cdcacm.sys [X]
    S3 hwusb_wwanecm; \SystemRoot\System32\drivers\ew_wwanecm.sys [X]
    HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
    HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
    HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\...\Run: [HW_OPENEYE_OUC_T-Mobile Internet Manager] => C:\Program Files (x86)\T-Mobile\InternetManager_H\UpdateDog\ouc.exe [110592 2009-12-31] (Huawei Technologies Co., Ltd.) [File not signed]
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\saappsvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\saappsvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sascansvc => ""="Service"
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\...\MountPoints2: {2ff307b3-173e-11ee-9c2f-08d40c5f4a0f} - "G:\HiSuiteDownLoader.exe"
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\...\MountPoints2: {59b69c28-3730-11ee-9c3c-08d40c5f4a0f} - "G:\LaunchU3.exe" -a
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{1108FD1C-492F-4251-B9DB-77F0274267B2}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.187.37\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{1C67DF85-7959-43C0-92F8-2CAD0314C31C}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.201.11\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{2ABD6384-2E18-40E8-8439-F06D21E0B03D}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{2B49DB21-41C5-44C0-8358-CA4C76205AE1}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.209.9\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{2FDB3305-19B8-4FE2-972B-ED5E97CBBD6E}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.195.39\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{41B09861-5409-4D44-8CA4-D49FBFAA2E6F}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.195.49\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{4FFB4BD8-A109-4F25-A4DB-313678B19417}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.195.31\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{5247F326-2FF0-4920-998E-12AA35F0883C}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.213.7\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{5FC44EBC-3A1F-4FBB-85E5-34405788C8D7}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.187.41\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{608D599A-DCA6-4A7C-BED7-AFCD8465345A}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.175.29\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{64C6EFB9-8F79-4106-B975-067448DC768F}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.177.11\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{6A49690B-7DB6-424B-81CE-F51078F2A58D}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.203.13\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{6DD6748E-7DAE-47EF-B4D5-03AA1B06D697}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.187.39\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{72726D01-426C-4B35-8266-B4496CAA889E}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.183.29\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{78C1ADF4-6DAE-4164-AEFA-4E3EAD9E750A}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.195.19\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{79F05C14-E714-4C12-9924-93C812894CB0}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.195.57\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{7EFB4924-4B93-4C43-9832-9C3D05E85214}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.195.59\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{83F21C4B-8643-4A08-A29A-822AFD835037}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.193.5\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{9C391760-8CB8-4F1E-AB7D-0C9915EFB004}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.211.7\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{A087E49F-1F8E-4603-A200-55537B737421}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.195.25\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{A78355B5-2A4D-486B-B97A-43448FC8C34D}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.207.5\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{AE1542A7-3989-481B-93A9-1500C5F56B14}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.185.27\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{B258532D-3529-4BEB-BF38-F08F98B3968C}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.195.15\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{BB04C6F8-598E-4733-ABB4-07489C863436}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.205.9\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{BC4C72EF-3055-4A6D-86E1-AE4D24DB63CA}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.195.35\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{C88B3957-621C-415B-8EE5-B688FC7EF924}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.195.61\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{CAE1760A-CB07-481B-8F9A-BC65510AF5D5}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.185.21\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{D2188EEC-2B0F-488C-8ECA-5285E8ECD87D}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.195.69\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{D8599F80-3D26-46D2-8CF1-0AD21B0ECF31}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.195.65\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{DAA7499A-B3AC-4419-A89B-124318504051}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.185.29\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{E76F97B1-1AE9-497C-9FA4-F57BBABAD54A}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.185.17\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{ECCE2756-C45D-4E13-BC2D-EC9F138997E6}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.199.11\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{F1658933-2997-4DDB-869C-061D53A9718E}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.195.21\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1065632034-2401704988-3883178100-1001_Classes\CLSID\{F46A78BD-06FC-442C-88DF-0500F08F2379}\InprocServer32 -> C:\Users\USER\AppData\Local\Microsoft\EdgeUpdate\1.3.195.45\psuser_64.dll => No File
    ContextMenuHandlers2: [ContextMenu] -> {ee10d625-cc60-30a4-b3df-4b349785be6b} => C:\Program Files (x86)\Avira\Security\Antivirus.ContextMenu\Antivirus.ContextMenu.DLL -> No File
    ContextMenuHandlers3: [ContextMenu] -> {ee10d625-cc60-30a4-b3df-4b349785be6b} => C:\Program Files (x86)\Avira\Security\Antivirus.ContextMenu\Antivirus.ContextMenu.DLL -> No File
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
    Task: {f59cc42c-dec6-4893-b29b-47acf2c7e511} - no filepath. <==== ATTENTION
    cmd: netsh winsock reset catalog
    cmd: netsh int ip reset resetlog.txt
    Reg: reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules C:\Firewall.reg
    C:\Firewall.reg
    cmd: netsh advfirewall reset
    cmd: netsh advfirewall set allprofiles state ON
    cmd: bitsadmin /reset /allusers
    cmd: netsh winsock reset
    cmd: netsh int ip reset
    cmd: ipconfig /flushdns
    cmd: ipconfig /release
    cmd: ipconfig /renew
    Removeproxy:
    hosts:
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    StartPowershell:
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -DisableIOAVProtection $false
    start-service WinDefend
    start-service WdNisSvc
    Get-MpComputerStatus
    EndPowershell:
    Emptytemp:
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    • Note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program agree to the request.
    • Note: The Emptytemp: command will remove cookies and may result in some websites (like banking) indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
    • The tool will create a zipped folder in the same location from where FRST was run with today's date. Attach the file to your reply.
    ===================================================

    Farbar Service Scanner

    --------------------
    • Download Farbar Service Scanner and save the file taking note of where the file is saved (Desktop, Downloads folder, etc.)
    • Make sure the following options are checked:
    Internet Services
    Windows Firewall
    System Restore
    Security Center/Action Center
    Windows Update
    Windows Defender
    Other Services
    • Press Scan
    • Please copy and paste the contents of the FSS.txt report in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Restore Point created?
    • Programs uninstalled?
    • Fixlog
    • Attached zip file
    • FSS.txt
     
  4. manilka835

    manilka835 Specialist

    Greetings once again!

    Restore Point created
    Programmes uninstalled
     

    Attached Files:

  5. manilka835

    manilka835 Specialist

    Fixlog: attached due to large size

    FSS.txt

    Farbar Service Scanner Version: 18-01-2025
    Ran by USER (administrator) on 08-01-2026 at 00:14:12
    Running from "C:\Users\USER\Desktop"
    Microsoft Windows 10 Pro (X64)
    Boot Mode: Normal
    ****************************************************************



    RpcSs and PlugPlay:
    ================
    C:\WINDOWS\System32\umpnpmgr.dll => File is digitally signed
    C:\WINDOWS\System32\rpcss.dll => File is digitally signed
    C:\WINDOWS\System32\svchost.exe => File is digitally signed

    Internet Services:
    ============
    C:\WINDOWS\System32\dnsrslvr.dll => File is digitally signed
    C:\WINDOWS\System32\dhcpcore.dll => File is digitally signed
    C:\WINDOWS\System32\nsisvc.dll => File is digitally signed
    C:\WINDOWS\System32\drivers\nsiproxy.sys => File is digitally signed
    C:\WINDOWS\System32\DRIVERS\tdx.sys => File is digitally signed
    C:\WINDOWS\System32\drivers\afd.sys => File is digitally signed
    C:\WINDOWS\System32\drivers\tcpip.sys => File is digitally signed


    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    C:\WINDOWS\System32\drivers\mpsdrv.sys => File is digitally signed
    C:\WINDOWS\System32\mpssvc.dll => File is digitally signed
    C:\WINDOWS\System32\bfe.dll => File is digitally signed


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    C:\WINDOWS\System32\vssvc.exe => File is digitally signed
    C:\WINDOWS\System32\SDRSVC.dll => File is digitally signed


    System Restore Policy:
    ========================


    Windows Security:
    ============
    C:\WINDOWS\System32\SecurityHealthService.exe => File is digitally signed
    C:\WINDOWS\System32\wscsvc.dll => File is digitally signed
    C:\WINDOWS\System32\wbem\WMIsvc.dll => File is digitally signed


    Windows Update:
    ===============
    C:\WINDOWS\System32\wuaueng.dll => File is digitally signed
    C:\WINDOWS\System32\qmgr.dll => File is digitally signed
    C:\WINDOWS\System32\es.dll => File is digitally signed
    C:\WINDOWS\System32\cryptsvc.dll => File is digitally signed
    C:\WINDOWS\System32\usosvc.dll => File is digitally signed
    C:\WINDOWS\System32\WaaSMedicSvc.dll => File is digitally signed
    C:\WINDOWS\System32\dosvc.dll => File is digitally signed


    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============


    Other Services:
    ==============
    C:\WINDOWS\System32\ipnathlp.dll => File is digitally signed
    C:\WINDOWS\System32\ipsecsvc.dll => File is digitally signed
    C:\WINDOWS\System32\termsrv.dll => File is digitally signed


    **** End of log ****
     

    Attached Files:

  6. Oh My!

    Oh My! Malware Expert Staff Member

    That looks pretty good but we have more to do.

    Please do this.

    ===================================================

    Farbar Recovery Scan Tool SearchAll

    --------------------
    • Launch FRST
    • Copy and paste the following in the Search: box
    Code:
    SearchAll: CCleaner;"Gen Digital";Avira;Comodo;SecureAPlus;SecureAge;SpywareBlaster;IObit;TeamViewer;Bytemobile
    
    • Click the Search Files button
    • When completed click OK and a Search.txt document will open on your desktop
    • Please zip and attach the file to your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Attached zip file
     
  7. manilka835

    manilka835 Specialist

Zip file of Search.txt is attached.
     

    Attached Files:

  8. Oh My!

    Oh My! Malware Expert Staff Member

    This is our next step.

    ===================================================

    Farbar Recovery Scan Tool - Run Fix Using Attached File

    --------------------
    • Download the attached file and save it in the same location as FRST.exe (example, Desktop, USB device) <<< Important
    • Right click on FRST and select Run as administrator
    • Click Fix and once completed your computer will reboot
    • The tool will create a log on the desktop called Fixlog.txt
    • Attach the report to your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Attached Fixlog
     

    Attached Files:

  9. manilka835

    manilka835 Specialist

    Attached Fixlog
     

    Attached Files:

  10. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you.

    Please run a new FRST Scan and attach both reports.
     
  11. manilka835

    manilka835 Specialist

You're welcome.
     

    Attached Files:

  12. Oh My!

    Oh My! Malware Expert Staff Member

    Now this.

    Still very low on RAM. You can expect degraded system performance up to and including freezing/crashing.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    CreateRestorePoint:
    CloseProcesses:
    ContextMenuHandlers1: [SmartDefragExtension] -> {189F1E63-33A7-404B-B2F6-8C76A452CC54} => -> No File
    ContextMenuHandlers6: [SmartDefragExtension] -> {189F1E63-33A7-404B-B2F6-8C76A452CC54} => -> No File
    Task: {1A95659E-9013-4550-B639-FCCFB39B4F71} - no filepath. <==== ATTENTION
    Task: {2E447714-EE89-41D2-98EB-6B4929330DE8} - no filepath. <==== ATTENTION
    Task: {48391C0F-BB9D-4F43-88F5-05936DF62040} - no filepath. <==== ATTENTION
    Task: {62762372-C2BD-4E5B-A593-43FCB0A2BD9B} - no filepath. <==== ATTENTION
    Task: {6B545895-8D09-482D-9714-AB5D11DA8D06} - no filepath. <==== ATTENTION
    Task: {70C7F6B0-9ABB-460F-B647-B978C238AEB3} - no filepath. <==== ATTENTION
    Task: {B243768F-6606-4995-BD97-C6E9D9880F94} - System32\Tasks\HPCustParticipation HP LaserJet Pro M404-M405 => "C:\Program Files\HP\HP LaserJet Pro M404-M405\Bin\HPCustPartic.exe" /UA 21.6 (No File)
    C:\Users\USER\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\caiblelclndcckfafdaggpephhgfpoip
    C:\Users\USER\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\emgfgdclgfeldebanedpihppahgngnle
    Edge HKLM-x32\...\Edge\Extension: [caiblelclndcckfafdaggpephhgfpoip]
    Edge HKLM-x32\...\Edge\Extension: [emgfgdclgfeldebanedpihppahgngnle]
    CHR HKLM\...\Chrome\Extension: [ihcjicgdanjaechkgeegckofjjedodee]
    CHR HKLM-x32\...\Chrome\Extension: [caljgklbbfbcjjanaijlacgncafpegll]
    CHR HKLM-x32\...\Chrome\Extension: [ccbpbkebodcjkknkfkpmfeciinhidaeh]
    CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk]
    CHR HKLM-x32\...\Chrome\Extension: [ihcjicgdanjaechkgeegckofjjedodee]
    S0 BMLoad; C:\WINDOWS\System32\drivers\BMLoad.sys [16512 2009-12-15] (Bytemobile Inc. -> Bytemobile, Inc.) [File not signed]
    S1 tcpipBM; C:\WINDOWS\system32\drivers\tcpipBM.sys [39552 2009-12-15] (Bytemobile Inc. -> Bytemobile, Inc.) [File not signed]
    U3 SARPSvc; no ImagePath
    C:\WINDOWS\System32\drivers\BMLoad.sys
    C:\WINDOWS\system32\drivers\tcpipBM.sys
    Unlock: C:\ProgramData\cis21A2.exe
    C:\ProgramData\cis21A2.exe
    AV: Avira Security (Enabled - Up to date) {D76CC0CC-5B8D-C222-E82F-D14369E4A430}
    AV: SecureAPlus Antivirus (Enabled - Up to date) {BAE8F8A8-0B73-5FD4-D5A8-816771E66CF7}
    AV: Avira Security (Enabled - Out of date) {73535B65-1023-5EE7-9DB9-8A0AB906421A}
    FW: COMODO Firewall (Disabled) {3D87FB90-B561-70B4-3B0B-BCEFE7656ABC}
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    ===================================================

    SecurityCheck by glax24 & Severnyj

    --------------------
    • Download SecurityCheck by glax24 & Severnyj and save it to your Desktop
    • Right click on the SecurityCheck.zip folder, select Extract All... and extract the folder onto your Desktop
    • Right click on SecurityCheck and select Run as administrator
    • If you receive a Windows protected your PC warning screen click More info then Run anyway, the file is safe to run
    • Patiently wait for the scan to complete
    • Click on OK to acknowledge the file was copied to the clipboard
    • On the open SecurityCheck-Notepad window click File, Save As... and save the file onto the Desktop using the default name of SecurityCheck.txt
    • A copy of the file can also be found in the C:\SecurityCheck\SecurityCheck.txt folder
    • Attach the file to your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
    • SecurityCheck.txt
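An elevated PowerShell audit, added here as an example (it is not code from the thread, from the helper, or from FRST), that re-checks the items the fix scripts in posts 3 and 12 targeted: the Defender DisableAntiSpyware/DisableAntiVirus values, the browser and Windows Update policy keys, SafeBoot entries for services that no longer exist, Security Center AV/FW registrations whose binary is gone, unsigned kernel driver images, and the RAM headroom. It assumes only built-in Windows 10 cmdlets; the function name Invoke-PostCleanupAudit is my own.

```powershell
# Added example (not from the thread or FRST): run from an elevated PowerShell on the cleaned
# machine to confirm the two FRST fixes held after reboot. Built-in cmdlets only.
function Invoke-PostCleanupAudit {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Defender tamper values FRST flagged under the Windows Defender key (checked in the
    #    policy mirror of the key too). Either value set to 1 keeps Defender switched off.
    $defenderKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    )
    foreach ($key in $defenderKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
            $value = $props.$name
            if ($null -ne $value -and $value -ne 0) {
                $findings.Add("Defender tamper value: $key\$name = $value")
            }
        }
    }
    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled)          { $findings.Add('Defender antivirus is not enabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }

    # 2. Policy restriction keys named in the first fix. An empty key is harmless, so only
    #    report keys that still carry subkeys or values.
    $policyKeys = @(
        'HKLM:\SOFTWARE\Policies\Google',
        'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )
    foreach ($key in $policyKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $subkeys = @(Get-ChildItem -LiteralPath $key -Recurse -ErrorAction SilentlyContinue).Count
        $values  = @((Get-Item -LiteralPath $key).GetValueNames()).Count
        if ($subkeys -gt 0 -or $values -gt 0) {
            $findings.Add("Policy restriction present: $key ($subkeys subkeys, $values values)")
        }
    }

    # 3. SafeBoot entries that register a service for Safe Mode although the service itself is
    #    gone (leftovers of the uninstalled security suites, as in the first fix).
    foreach ($mode in 'Minimal', 'Network') {
        $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        foreach ($entry in @(Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue)) {
            $kind = (Get-ItemProperty -LiteralPath $entry.PSPath).'(default)'
            $svc  = "HKLM:\SYSTEM\CurrentControlSet\Services\$($entry.PSChildName)"
            if ($kind -eq 'Service' -and -not (Test-Path -LiteralPath $svc)) {
                $findings.Add("SafeBoot\$mode references missing service: $($entry.PSChildName)")
            }
        }
    }

    # 4. Security Center registrations whose product binary is gone (the second fix removed stale
    #    Avira, SecureAPlus and COMODO records). Windows Defender registers the pseudo-path
    #    'windowsdefender://', so only rooted file paths are tested on disk.
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue
        foreach ($p in @($products)) {
            $exe = [Environment]::ExpandEnvironmentVariables(($p.pathToSignedProductExe -replace '"', ''))
            if ([System.IO.Path]::IsPathRooted($exe) -and -not (Test-Path -LiteralPath $exe)) {
                $findings.Add("$class '$($p.displayName)' points to missing file: $exe")
            }
        }
    }

    # 5. Driver services whose image is missing or unsigned (the Bytemobile BMLoad/tcpipBM drivers
    #    in the second fix were '[File not signed]'). Inbox drivers are catalog-signed and report
    #    Valid on Windows 10, so they do not trigger here.
    foreach ($drv in @(Get-CimInstance -ClassName Win32_SystemDriver)) {
        if (-not $drv.PathName) { continue }
        $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) {
            $findings.Add("Driver service '$($drv.Name)' has no image on disk: $path")
            continue
        }
        if ((Get-AuthenticodeSignature -LiteralPath $path).Status -eq 'NotSigned') {
            $findings.Add("Unsigned driver image for service '$($drv.Name)': $path")
        }
    }

    # 6. The RAM headroom the helper kept warning about (FreePhysicalMemory is reported in KB).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $freeMb  = [math]::Round($os.FreePhysicalMemory / 1KB)
    $totalMb = [math]::Round($os.TotalVisibleMemorySize / 1KB)
    if ($freeMb -lt 1024) { $findings.Add("Low free RAM: $freeMb MB free of $totalMb MB") }

    return $findings
}

$result = Invoke-PostCleanupAudit
if ($result.Count -eq 0) { 'No leftovers found' } else { $result }
```

An empty result means none of the items the two fixes removed have come back; any finding names the exact key, service or file to look at next.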
     
  13. manilka835

    manilka835 Specialist

    Fixlog

    Fix result of Farbar Recovery Scan Tool (x64) Version: 20-11-2025
    Ran by USER (09-01-2026 08:06:29) Run:3
    Running from C:\Users\USER\Desktop
    Loaded Profiles: USER
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    CreateRestorePoint:
    CloseProcesses:
    ContextMenuHandlers1: [SmartDefragExtension] -> {189F1E63-33A7-404B-B2F6-8C76A452CC54} => -> No File
    ContextMenuHandlers6: [SmartDefragExtension] -> {189F1E63-33A7-404B-B2F6-8C76A452CC54} => -> No File
    Task: {1A95659E-9013-4550-B639-FCCFB39B4F71} - no filepath. <==== ATTENTION
    Task: {2E447714-EE89-41D2-98EB-6B4929330DE8} - no filepath. <==== ATTENTION
    Task: {48391C0F-BB9D-4F43-88F5-05936DF62040} - no filepath. <==== ATTENTION
    Task: {62762372-C2BD-4E5B-A593-43FCB0A2BD9B} - no filepath. <==== ATTENTION
    Task: {6B545895-8D09-482D-9714-AB5D11DA8D06} - no filepath. <==== ATTENTION
    Task: {70C7F6B0-9ABB-460F-B647-B978C238AEB3} - no filepath. <==== ATTENTION
    Task: {B243768F-6606-4995-BD97-C6E9D9880F94} - System32\Tasks\HPCustParticipation HP LaserJet Pro M404-M405 => "C:\Program Files\HP\HP LaserJet Pro M404-M405\Bin\HPCustPartic.exe" /UA 21.6 (No File)
    C:\Users\USER\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\caiblelclndcckfafdaggpephhgfpoip
    C:\Users\USER\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\emgfgdclgfeldebanedpihppahgngnle
    Edge HKLM-x32\...\Edge\Extension: [caiblelclndcckfafdaggpephhgfpoip]
    Edge HKLM-x32\...\Edge\Extension: [emgfgdclgfeldebanedpihppahgngnle]
    CHR HKLM\...\Chrome\Extension: [ihcjicgdanjaechkgeegckofjjedodee]
    CHR HKLM-x32\...\Chrome\Extension: [caljgklbbfbcjjanaijlacgncafpegll]
    CHR HKLM-x32\...\Chrome\Extension: [ccbpbkebodcjkknkfkpmfeciinhidaeh]
    CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk]
    CHR HKLM-x32\...\Chrome\Extension: [ihcjicgdanjaechkgeegckofjjedodee]
    S0 BMLoad; C:\WINDOWS\System32\drivers\BMLoad.sys [16512 2009-12-15] (Bytemobile Inc. -> Bytemobile, Inc.) [File not signed]
    S1 tcpipBM; C:\WINDOWS\system32\drivers\tcpipBM.sys [39552 2009-12-15] (Bytemobile Inc. -> Bytemobile, Inc.) [File not signed]
    U3 SARPSvc; no ImagePath
    C:\WINDOWS\System32\drivers\BMLoad.sys
    C:\WINDOWS\system32\drivers\tcpipBM.sys
    Unlock: C:\ProgramData\cis21A2.exe
    C:\ProgramData\cis21A2.exe
    AV: Avira Security (Enabled - Up to date) {D76CC0CC-5B8D-C222-E82F-D14369E4A430}
    AV: SecureAPlus Antivirus (Enabled - Up to date) {BAE8F8A8-0B73-5FD4-D5A8-816771E66CF7}
    AV: Avira Security (Enabled - Out of date) {73535B65-1023-5EE7-9DB9-8A0AB906421A}
    FW: COMODO Firewall (Disabled) {3D87FB90-B561-70B4-3B0B-BCEFE7656ABC}
    End::
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\SmartDefragExtension => removed successfully
    HKLM\Software\Classes\CLSID\{189F1E63-33A7-404B-B2F6-8C76A452CC54} => removed successfully
    HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\SmartDefragExtension => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{1A95659E-9013-4550-B639-FCCFB39B4F71}" => removed successfully
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1A95659E-9013-4550-B639-FCCFB39B4F71} => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{2E447714-EE89-41D2-98EB-6B4929330DE8}" => removed successfully
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2E447714-EE89-41D2-98EB-6B4929330DE8} => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{48391C0F-BB9D-4F43-88F5-05936DF62040}" => removed successfully
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{48391C0F-BB9D-4F43-88F5-05936DF62040} => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{62762372-C2BD-4E5B-A593-43FCB0A2BD9B}" => removed successfully
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{62762372-C2BD-4E5B-A593-43FCB0A2BD9B} => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{6B545895-8D09-482D-9714-AB5D11DA8D06}" => removed successfully
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B545895-8D09-482D-9714-AB5D11DA8D06} => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{70C7F6B0-9ABB-460F-B647-B978C238AEB3}" => removed successfully
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{70C7F6B0-9ABB-460F-B647-B978C238AEB3} => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B243768F-6606-4995-BD97-C6E9D9880F94}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B243768F-6606-4995-BD97-C6E9D9880F94}" => removed successfully
    C:\WINDOWS\System32\Tasks\HPCustParticipation HP LaserJet Pro M404-M405 => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HPCustParticipation HP LaserJet Pro M404-M405" => removed successfully

    "C:\Users\USER\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\caiblelclndcckfafdaggpephhgfpoip" Folder move:

    C:\Users\USER\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\caiblelclndcckfafdaggpephhgfpoip => moved successfully

    "C:\Users\USER\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\emgfgdclgfeldebanedpihppahgngnle" Folder move:

    C:\Users\USER\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\emgfgdclgfeldebanedpihppahgngnle => moved successfully
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Edge\Extensions\caiblelclndcckfafdaggpephhgfpoip => removed successfully
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Edge\Extensions\emgfgdclgfeldebanedpihppahgngnle => removed successfully
    HKLM\SOFTWARE\Google\Chrome\Extensions\ihcjicgdanjaechkgeegckofjjedodee => removed successfully
    HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\caljgklbbfbcjjanaijlacgncafpegll => removed successfully
    HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ccbpbkebodcjkknkfkpmfeciinhidaeh => removed successfully
    HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => removed successfully
    HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ihcjicgdanjaechkgeegckofjjedodee => removed successfully
    HKLM\System\CurrentControlSet\Services\BMLoad => removed successfully
    BMLoad => service removed successfully
    HKLM\System\CurrentControlSet\Services\tcpipBM => removed successfully
    tcpipBM => service removed successfully
    HKLM\System\CurrentControlSet\Services\SARPSvc => removed successfully
    SARPSvc => service removed successfully
    C:\WINDOWS\System32\drivers\BMLoad.sys => moved successfully
    C:\WINDOWS\system32\drivers\tcpipBM.sys => moved successfully
    "C:\ProgramData\cis21A2.exe" => was unlocked
    C:\ProgramData\cis21A2.exe => moved successfully
    "AV: Avira Security (Enabled - Up to date) {D76CC0CC-5B8D-C222-E82F-D14369E4A430}" => removed successfully
    "AV: SecureAPlus Antivirus (Enabled - Up to date) {BAE8F8A8-0B73-5FD4-D5A8-816771E66CF7}" => removed successfully
    "AV: Avira Security (Enabled - Out of date) {73535B65-1023-5EE7-9DB9-8A0AB906421A}" => removed successfully
    "FW: COMODO Firewall (Disabled) {3D87FB90-B561-70B4-3B0B-BCEFE7656ABC}" => removed successfully


    The system needed a reboot.

    ==== End of Fixlog 08:10:43 ====
     

    Attached Files:
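The Fixlog above reports services, drivers, a loose executable, machine-wide browser-extension keys and Security Center registrations as removed. The script below is an added example for this thread, not part of FRST or the Fixlog, that re-checks from an elevated 64-bit PowerShell that none of those items came back, and then goes one step further than the log: it walks every entry under the Services key and reports those whose ImagePath points at a binary that no longer exists, since a cleanup usually leaves a few of those behind and the same pattern is where deleted-but-still-registered malware hides. The item lists are copied from the Fixlog; the function names and the ImagePath normaliser are this example's own and are assumptions about nothing on the page.

```powershell
# Added example for this thread (not part of FRST or the Fixlog above): verify
# the removals the Fixlog reports and hunt for other orphaned service entries.
# Run from an elevated 64-bit PowerShell so System32 is not redirected.
# The lists below are copied from the Fixlog; edit them for your own log.

$ServiceNames = 'BMLoad', 'tcpipBM', 'SARPSvc'
$FilePaths = @(
    "$env:SystemRoot\System32\drivers\BMLoad.sys",
    "$env:SystemRoot\System32\drivers\tcpipBM.sys",
    "$env:ProgramData\cis21A2.exe"
)
$ExtensionKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Edge\Extensions\caiblelclndcckfafdaggpephhgfpoip',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Edge\Extensions\emgfgdclgfeldebanedpihppahgngnle',
    'HKLM:\SOFTWARE\Google\Chrome\Extensions\ihcjicgdanjaechkgeegckofjjedodee',
    'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\caljgklbbfbcjjanaijlacgncafpegll',
    'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ccbpbkebodcjkknkfkpmfeciinhidaeh',
    'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk',
    'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ihcjicgdanjaechkgeegckofjjedodee'
)

function Test-FixlogRemnant {
    # One object per item the Fixlog said it removed that is present again.
    foreach ($n in $ServiceNames) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        if (Test-Path $key) { [pscustomobject]@{ Kind = 'service'; Item = $key } }
    }
    foreach ($f in $FilePaths) {
        if (Test-Path -LiteralPath $f) { [pscustomobject]@{ Kind = 'file'; Item = $f } }
    }
    foreach ($k in $ExtensionKeys) {
        if (Test-Path $k) { [pscustomobject]@{ Kind = 'extension key'; Item = $k } }
    }
}

function Resolve-ServiceImagePath {
    # Turn a raw ImagePath value into a full path to the binary, or $null.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        # "C:\Program Files\x\y.exe" -args
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        # Unquoted path followed by arguments, e.g. svchost.exe -k netsvcs
        $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    $p = $p -replace '^\\\?\?\\', ''                  # \??\C:\... prefix used by drivers
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') {               # system32\drivers\x.sys style
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-OrphanedService {
    # Service and driver entries whose binary is missing. Review the output by
    # hand: a few legitimate products leave such entries behind as well.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $file = Resolve-ServiceImagePath $props.ImagePath
        if ($file -and -not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $props.ImagePath; Resolved = $file }
        }
    }
}

'== Items from the Fixlog that are present again =='
Test-FixlogRemnant | Format-Table -AutoSize
'== Services and drivers whose binary is missing =='
Get-OrphanedService | Format-Table -AutoSize
```

If the first table is empty the Fixlog's removals held across the reboot; anything in the second table is worth looking up before deleting, because the names there are exactly what a follow-up FRST fix would target.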

  14. Oh My!

    Oh My! Malware Expert Staff Member

    You can review the below and take any actions you would like to.

    Other than that I think we are all set. Any other issues or concerns?


    SecurityCheck by glax24 & Severnyj v.1.4.0.58 [15.08.24]
    WebSite: www.safezone.cc
    DateLog: 09.01.2026 08:31:37
    Path starting: C:\Users\USER\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
    Log directory: C:\SecurityCheck\
    IsAdmin: True
    User: USER
    VersionXML: 15.46is-31.12.2025
    ___________________________________________________________________________

    Windows 10 Professional (x64) Release: 22H2 (10.0.19045.6466) Lang: English(0809)
    Installation date OS: 07.07.2023 17:51:06
    LicenseStatus: Windows(R), Professional edition The machine is permanently activated.
    Boot Mode: Normal
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    SystemDrive: C: FS: [NTFS] Capacity: [199.5 Gb] Used: [58.8 Gb] Free: [140.7 Gb]
    ------------------------------- [ Windows ] -------------------------------
    Extended support has ended Warning! Download Update
    User Account Control enabled (Level 3)
    Security Center (wscsvc) - The service is running
    Remote Registry (RemoteRegistry) - The service has stopped
    SSDP Discovery (SSDPSRV) - The service is running
    Remote Desktop Services (TermService) - The service has stopped
    Windows Remote Management (WS-Management) (WinRM) - The service has stopped
    Background Intelligent Transfer Service (BITS) - The service has stopped
    Delivery Optimization (DoSvc) - The service is running
    Windows Security Service (SecurityHealthService) - The service is running
    Update Orchestrator Service (UsoSvc) - The service is running
    Windows Update Medic Service (WaaSMedicSvc) - The service has stopped
    Windows Update (wuauserv) - The service is running
    ------------------------------ [ MS Office ] ------------------------------
    Microsoft Office 2007 v.12.0.4518.1014
    ---------------------------- [ Antivirus_WMI ] ----------------------------
    Windows Defender (enabled and up to date)
    --------------------------- [ FirewallWindows ] ---------------------------
    Windows Defender Firewall (mpssvc) - The service is running
    --------------------------- [ AntiSpyware_WMI ] ---------------------------
    Windows Defender (disabled and up to date)
    ---------------------- [ AntiVirusFirewallInstall ] -----------------------
    Malwarebytes version 5.4.5.226 v.5.4.5.226
    -------------------------- [ SecurityUtilities ] --------------------------
    RogueKiller version 15.19.2.0 v.15.19.2.0 Warning! This software is no longer supported. Please uninstall it, download and install Adlice Protect.
    --------------------------- [ OtherUtilities ] ----------------------------
    Microsoft Office Enterprise 2007 v.12.0.4518.1014 Warning! This software is no longer supported. Please use latest Microsoft Office, Office Online or LibreOffice
    Microsoft Edge WebView2 Runtime v.143.0.3650.96
    ------------------------------- [ Backup ] --------------------------------
    Microsoft OneDrive v.25.222.1112.0002 Warning! Download Update
    ------------------------------ [ ArchAndFM ] ------------------------------
    WinRAR 5.10 (64-bit) v.5.10.0 Warning! Download Update
    -------------------------- [ IMAndCollaborate ] ---------------------------
    Zoom Workplace v.6.6.6 (19875) Warning! Download Update
    -------------------------------- [ Media ] --------------------------------
    VLC media player 2.1.3 v.2.1.3 Warning! Download Update
    --------------------------- [ AdobeProduction ] ---------------------------
    Adobe Reader 9.3 v.9.3.0 Warning! This software is no longer supported. Please uninstall it and use Adobe Acrobat Reader DC.
    ------------------------------- [ Browser ] -------------------------------
    Mozilla Firefox (x64 en-US) v.146.0.1
    Microsoft Edge v.143.0.3650.96
    ------------------ [ AntivirusFirewallProcessServices ] -------------------
    D:\Programme Files\Malwarebytes\Anti-Malware\MbamBgNativeMsg.exe v.4.1.0.194
    Malwarebytes Service (MBAMService) - The service is running
    D:\Programme Files\Malwarebytes\Anti-Malware\MBAMService.exe v.3.2.0.1450
    C:\Program Files\RogueKiller\RogueKiller64.exe v.15.19.2.0
    Microsoft Defender Core Service (MDCoreSvc) - The service is running
    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25110.6-0\MpDefenderCoreService.exe v.4.18.25110.6
    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25110.6-0\MsMpEng.exe v.4.18.25110.6
    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25110.6-0\NisSrv.exe v.4.18.25110.6
    Microsoft Defender Antivirus Service (WinDefend) - The service is running
    Microsoft Defender Antivirus Network Inspection Service (WdNisSvc) - The service is running
    ----------------------------- [ End of Log ] ------------------------------
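SecurityCheck builds its Antivirus_WMI, AntiSpyware_WMI and firewall lines from the Security Center WMI provider, and reads service state for the remote-management services it lists. The script below is an added example for this thread, not part of SecurityCheck or the log above, that pulls the same data directly: it queries root/SecurityCenter2, decodes the productState value into on/off and up-to-date/stale, flags registrations whose product binary no longer exists (the stale kind the Fixlog earlier in the thread removed), asks Defender itself how it is doing, and lists the remote-access services. Function names are this example's own, and the productState decoding is the widely used interpretation of an undocumented field, stated as such in the code.

```powershell
# Added example for this thread (not part of SecurityCheck or the log above):
# reproduce the log's Security Center and service lines straight from WMI.
# Run from an elevated PowerShell on Windows 10/11; root/SecurityCenter2 is
# not present on server editions.

function ConvertFrom-ProductState {
    # productState is not documented by Microsoft; this is the decoding in
    # common use: bit 0x1000 set = product on, bit 0x10 set = signatures stale.
    param([int]$State)
    [pscustomobject]@{
        Hex      = '0x{0:X6}' -f $State
        Enabled  = (($State -band 0xF000) -ne 0)
        UpToDate = (($State -band 0x00F0) -eq 0)
    }
}

function Get-SecurityCenterProduct {
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
        Get-CimInstance -Namespace root/SecurityCenter2 -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                $s = ConvertFrom-ProductState $_.productState
                $exe = $_.pathToSignedProductExe
                # Defender registers a windowsdefender:// URI here, not a file, so
                # only test real drive paths; a registration whose binary is gone
                # is a stale entry left by an uninstalled product.
                $exists = $null
                if ($exe -and $exe -match '^[A-Za-z]:\\') {
                    $exists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($exe))
                }
                [pscustomobject]@{
                    Class     = $class
                    Name      = $_.displayName
                    Hex       = $s.Hex
                    Enabled   = $s.Enabled
                    UpToDate  = $s.UpToDate
                    ExeExists = $exists
                    Exe       = $exe
                }
            }
    }
}

function Get-ServicePosture {
    # The remote-management services SecurityCheck lists. On a stand-alone
    # workstation these are normally Stopped with StartMode Manual or Disabled.
    param([string[]]$Names = @('RemoteRegistry', 'TermService', 'WinRM', 'SSDPSRV'))
    foreach ($n in $Names) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'"
        if ($svc) {
            [pscustomobject]@{ Name = $n; State = $svc.State; StartMode = $svc.StartMode }
        }
    }
}

'== Security Center registrations =='
Get-SecurityCenterProduct | Format-Table -AutoSize
'== Defender as it reports itself =='
Get-MpComputerStatus -ErrorAction SilentlyContinue |
    Select-Object AMServiceEnabled, AntivirusEnabled, AntispywareEnabled,
                  RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
'== Remote-access services =='
Get-ServicePosture | Format-Table -AutoSize
```

The Security Center table and the Get-MpComputerStatus line should agree; when the log shows Defender as enabled under one class and disabled under another, the Defender cmdlet is the authoritative view, and a Security Center row whose ExeExists is False is the kind of leftover registration the Fixlog earlier in the thread had to remove by hand.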
     
  15. manilka835

    manilka835 Specialist

    No freezes since the Streamlining Process was initiated. The Computer Boots much faster now.

    I also updated the necessary Applications.

    No other problems.

    From next Monday onwards, I will be working in a new hospital. If there are similar problems I'll get back to you.
     
  16. Oh My!

    Oh My! Malware Expert Staff Member

    Very good.

    Until later......
     
