Infected with Stubborn Malware - Not Sure What


This topic is locked
29 replies to this topic

#1 cutaeng


Posted 28 December 2017 - 10:49 PM

Hello, I am a dingus and I downloaded a very suspicious file that I normally would have never touched. I am a graphic and web design student and needed a copy of Adobe Media Encoder quick and resorted to illegal (and incredibly stupid) measures, downloading a zip file that clearly was not Adobe Media Encoder, but instead some sort of annoying malware that I still cannot get rid of. I have run RKill, Malwarebytes, Malwarebytes Anti-Rootkit, HitmanPro, and nothing has helped. Additionally, it seems that this malware has prevented SpyBot from updating and therefore being able to scan, and my Windows Defender Security Center won't allow me to turn on the "Virus & threat protection"; each time I try to click "Restart now" I am faced with an error message saying "Unexpected error. Sorry, we ran into a problem. Please try again."

 

Other things I have noticed that are a bit suspicious are:

  • When booting up, I see a quick message that says "Scanning and repairing drive (\\?\Volume{edce5054-ed40-4a03-aa8e-4713e54c5cd2}): 100% complete". It is there every time I boot up but only stays for about 2-5 seconds.
  • SOMETIMES when I am restarting, right before it shuts down, I see a popup that says "A problem has occured [sic] in BitDefender Threat Scanner. A file containing error information has been created at C:\\WINDOWS\TEMP\BitDefender Threat Scanner.dmp. You are strongly encouraged to send the file to the developers of the application for further investigation of the error." I have no idea what BitDefender is.
  • A weird application called "codgtlxsvc" is always running in my background processes. Interestingly enough, the creation date on said application just so happens to be around the same time I downloaded the infected zip file (same date and around the same time of day), so I have a feeling that it's not supposed to be there. It also says it's created by Toshiba, but says Microsoft if you go into the properties. However, I don't feel comfortable ending the task or deleting the application. I have attached some screenshots below.

[attached screenshots]

 

Almost every time I have run Malwarebytes, it finds these files, quarantines them, I delete them, restart the computer, and then the exact same files show up when I run a Malwarebytes scan again.

 

[attached screenshot]

 

One more thing to note is that I did have quite a bit of illegally downloaded software on my computer, but I read through your rules and see that you don't allow that, which is understandable. I have since deleted all of the programs. I have deleted my torrent client (qBittorrent) as well, but did not delete it before running FRST. Please let me know if you would like me to re-run it now that it is uninstalled.

 

Now for the part you want, here are my logs.

 

FRST

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 26-12-2017
Ran by Megan (administrator) on DESKTOP-52TD2ON (28-12-2017 19:25:00)
Running from C:\Users\Megan\Downloads
Loaded Profiles: Megan (Available Profiles: Megan)
Platform: Windows 10 Home Version 1709 16299.64 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(TOSHIBA CORPORATION) C:\Windows\System32\codgtlxsvc.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\ki125183.inf_amd64_cb49708b33bad074\igfxCUIService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wscript.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\ki125183.inf_amd64_cb49708b33bad074\IntelCpHDCPSvc.exe
(Intel Corporation) C:\Windows\System32\Intel\DPTF\esif_uf.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel Corporation) C:\Windows\System32\ibtsiva.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Waves Audio Ltd.) C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\ki125183.inf_amd64_cb49708b33bad074\IntelCpHeciSvc.exe
(Intel Corporation) C:\Windows\Temp\DPTF\esif_assist_64.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\ki125183.inf_amd64_cb49708b33bad074\igfxEM.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Waves Audio Ltd.) C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Users\Megan\AppData\Local\dsmwtil\dsmwtil.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Users\Megan\AppData\Local\igfxmtc\igfxmtc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DDVRulesProcessor.exe
(Dell Inc.) C:\Program Files (x86)\Dell Customer Connect\DCCService.exe
(Dell) C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe
(Dell Inc.) C:\Program Files\Dell\Dell Help & Support\MDLCSvc.exe
(Dell) C:\Program Files\Dell\SARemediation\agent\DellSupportAssistRemedationService.exe
(Dell Products, LP.) C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
(Dell) C:\Program Files\Dell\Dell Product Registration\PRSvc.exe
(Dell Inc.) C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DDVCollectorSvcApi.exe
(Dell) C:\Program Files\Dell\Dell Foundation Services\DFS.Common.Agent.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\nvapiw.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Security Assist\isa.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Users\Megan\AppData\Local\dsmwtil\exevcwr.exe
() C:\Users\Megan\AppData\Local\dsmwtil\exevcwr.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [9229280 2017-05-18] (Realtek Semiconductor)
HKLM\...\Run: [QuickSet] => c:\Program Files\Dell\QuickSet\QuickSet.exe [3893296 2016-05-17] (Dell Inc.)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [320568 2016-09-20] (Intel Corporation)
HKLM\...\Run: [ShadowPlay] => "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [RtHDVBg_PushButton] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1488360 2017-05-18] (Realtek Semiconductor)
HKLM\...\Run: [WavesSvc] => C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe [976768 2017-05-08] (Waves Audio Ltd.)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [297272 2017-12-11] (Apple Inc.)
HKU\S-1-5-21-1476650472-3548292237-2988209075-1001\...\Run: [Spotify Web Helper] => C:\Users\Megan\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1562224 2017-06-30] (Spotify Ltd)
HKU\S-1-5-21-1476650472-3548292237-2988209075-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [10249048 2017-12-13] (Piriform Ltd)
HKU\S-1-5-21-1476650472-3548292237-2988209075-1001\...\RunOnce: [Application Restart #1] => C:\Program Files\pia_manager\pia_tray_bin\nw-win\pia_nw.exe [1260544 2017-07-02] (The NWJS Community)
HKU\S-1-5-21-1476650472-3548292237-2988209075-1001\...\RunOnce: [Application Restart #0] => C:\Program Files\pia_manager\pia_tray_bin\nw-win\pia_nw.exe [1260544 2017-07-02] (The NWJS Community)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 209.222.18.222 209.222.18.218
Tcpip\..\Interfaces\{73a5ab19-5ed3-44f1-89c5-843114149284}: [DhcpNameServer] 172.51.1.171
Tcpip\..\Interfaces\{9aab0ca1-a4e1-402b-83ad-1974b9633fc0}: [DhcpNameServer] 192.168.0.1 205.171.3.25
Tcpip\..\Interfaces\{fa397102-6272-415f-9768-f79164ffe7eb}: [DhcpNameServer] 209.222.18.222 209.222.18.218
 
Internet Explorer:
==================
HKU\S-1-5-21-1476650472-3548292237-2988209075-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://dell17win10.msn.com/?pc=DCTE
HKU\S-1-5-21-1476650472-3548292237-2988209075-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell17win10.msn.com/?pc=DCTE
SearchScopes: HKU\S-1-5-21-1476650472-3548292237-2988209075-1001 -> DefaultScope {254CAFE3-3B8F-4110-843A-DB8C3CC5846B} URL = 
SearchScopes: HKU\S-1-5-21-1476650472-3548292237-2988209075-1001 -> {254CAFE3-3B8F-4110-843A-DB8C3CC5846B} URL = 
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2017-12-15] (Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-12-15] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-12-15] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-12-15] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-12-15] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @videolan.org/vlc,version=2.2.6 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-12-15] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://tumblr.com/
CHR StartupUrls: Default -> "hxxp://twitter.com/"
CHR Profile: C:\Users\Megan\AppData\Local\Google\Chrome\User Data\Default [2017-12-28]
CHR Extension: (Slides) - C:\Users\Megan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-13]
CHR Extension: (Docs) - C:\Users\Megan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-13]
CHR Extension: (Google Drive) - C:\Users\Megan\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-06-30]
CHR Extension: (YouTube) - C:\Users\Megan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-06-30]
CHR Extension: (uBlock Origin) - C:\Users\Megan\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2017-12-19]
CHR Extension: (Sheets) - C:\Users\Megan\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-13]
CHR Extension: (Google Docs Offline) - C:\Users\Megan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-06-30]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Megan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-21]
CHR Extension: (Gmail) - C:\Users\Megan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-06-30]
CHR Extension: (Chrome Media Router) - C:\Users\Megan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-14]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2207960 2016-09-26] (Adobe Systems, Incorporated)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-11-27] (Apple Inc.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [7760552 2017-12-07] (Microsoft Corporation)
R2 DDVCollectorSvcApi; C:\Program Files\Dell\DellDataVault\DDVCollectorSvcApi.exe [208760 2017-07-27] (Dell Inc.)
R2 DDVDataCollector; C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe [3294584 2017-07-27] (Dell Inc.)
R2 DDVRulesProcessor; C:\Program Files\Dell\DellDataVault\DDVRulesProcessor.exe [217464 2017-07-27] (Dell Inc.)
R2 Dell Customer Connect; C:\Program Files (x86)\Dell Customer Connect\DCCService.exe [132472 2016-09-09] (Dell Inc.)
R2 Dell Foundation Services; C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe [97616 2017-01-11] (Dell)
R2 Dell Help & Support; C:\Program Files\Dell\Dell Help & Support\MDLCSvc.exe [40976 2017-09-18] (Dell Inc.)
R2 Dell SupportAssist Remediation; C:\Program Files\Dell\SARemediation\agent\DellSupportAssistRemedationService.exe [122400 2017-10-13] (Dell)
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [230248 2017-05-01] (Dell Inc.)
R2 esifsvc; C:\WINDOWS\system32\Intel\DPTF\esif_uf.exe [2208888 2016-09-02] (Intel Corporation)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135488 2017-12-28] (SurfRight B.V.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [17976 2016-09-20] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [974632 2016-02-19] (Intel® Corporation)
R3 Intel® Security Assist; C:\Program Files (x86)\Intel\Intel® Security Assist\isa.exe [335872 2016-03-02] (Intel Corporation) [File not signed]
S2 isaHelperSvc; C:\Program Files (x86)\Intel\Intel® Security Assist\isaHelperService.exe [8704 2016-03-02] (Intel Corporation) [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [215328 2016-05-16] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268704 2017-02-13] ()
S3 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [495040 2017-05-04] (NVIDIA Corporation)
S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [495040 2017-05-04] (NVIDIA Corporation)
R2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [462968 2017-10-30] (NVIDIA Corporation)
R2 NvTelemetryContainer; C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe [449984 2017-05-04] (NVIDIA Corporation)
R2 Product Registration; C:\Program Files\Dell\Dell Product Registration\PRSvc.exe [47144 2017-04-06] (Dell)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [324576 2017-05-18] (Realtek Semiconductor)
R2 SupportAssistAgent; C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [53208 2017-09-22] (Dell Inc.)
R2 WavesSysSvc; C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe [592776 2017-05-08] (Waves Audio Ltd.)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\NisSrv.exe [356176 2017-12-08] (Microsoft Corporation)
S2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\MsMpEng.exe [105792 2017-12-08] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3743648 2017-02-13] (Intel® Corporation)
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 DDDriver; C:\WINDOWS\system32\drivers\DDDriver64Dcsa.sys [32960 2017-07-27] (Dell Inc.)
R3 DellProf; C:\WINDOWS\system32\drivers\DellProf.sys [32568 2017-07-27] (Dell Computer Corporation)
R2 DpmLiteDrv; c:\Program Files\Dell\QuickSet\DpmLiteDrv64.sys [15080 2014-10-15] (Wistron Corp.)
R3 dptf_acpi; C:\WINDOWS\System32\drivers\dptf_acpi.sys [71232 2016-08-12] (Intel Corporation)
R3 dptf_cpu; C:\WINDOWS\System32\drivers\dptf_cpu.sys [66624 2016-08-12] (Intel Corporation)
R3 esif_lf; C:\WINDOWS\system32\DRIVERS\esif_lf.sys [350272 2016-08-12] (Intel Corporation)
R3 HidEventFilter; C:\WINDOWS\System32\drivers\HidEventFilter.sys [54800 2016-08-15] (Intel Corporation)
R3 HID_PCI; C:\WINDOWS\System32\drivers\HID_PCI.sys [30816 2016-05-24] (Intel)
R4 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [55232 2017-12-28] ()
R3 ibtusb; C:\WINDOWS\system32\DRIVERS\ibtusb.sys [244744 2017-04-13] (Intel Corporation)
R3 ISH; C:\WINDOWS\System32\drivers\ISH.sys [140896 2016-06-05] (Intel)
R3 ISH_BusDriver; C:\WINDOWS\System32\drivers\ISH_BusDriver.sys [78432 2016-06-08] (Intel)
R3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [253880 2017-12-28] (Malwarebytes)
R3 Netwtw04; C:\WINDOWS\System32\drivers\Netwtw04.sys [7689728 2017-09-29] (Intel Corporation)
R3 nvlddmkm; C:\WINDOWS\System32\DriverStore\FileRepository\nvdm.inf_amd64_51a64609261c1be4\nvlddmkm.sys [16936560 2017-11-28] (NVIDIA Corporation)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [30144 2017-05-04] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\WINDOWS\system32\drivers\nvvad64v.sys [48064 2017-05-04] (NVIDIA Corporation)
R3 nvvhci; C:\WINDOWS\System32\drivers\nvvhci.sys [57792 2017-05-04] (NVIDIA Corporation)
S3 RTSUER; C:\WINDOWS\system32\Drivers\RtsUer.sys [418784 2016-08-04] (Realsil Semiconductor Corporation)
R3 rtsuvc; C:\WINDOWS\system32\DRIVERS\rtsuvc.sys [3149832 2016-10-07] (Realtek Semiconductor Corp.)
R3 VirtualButtons; C:\WINDOWS\System32\drivers\VirtualButtons.sys [41992 2017-03-31] (Intel Corporation)
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [46072 2017-12-08] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [288848 2017-12-08] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [129616 2017-12-08] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-12-28 19:25 - 2017-12-28 19:27 - 000018992 _____ C:\Users\Megan\Downloads\FRST.txt
2017-12-28 19:24 - 2017-12-28 19:25 - 000000000 ____D C:\FRST
2017-12-28 19:22 - 2017-12-28 19:23 - 000000000 ____D C:\Users\Megan\Documents\Cross Stitch
2017-12-28 19:22 - 2017-12-28 17:37 - 000000000 ____D C:\Users\Megan\Desktop\TOHOSHINKI - Reboot [www.k2nblog.com]
2017-12-28 19:22 - 2017-12-27 19:26 - 000000000 ____D C:\Users\Megan\Desktop\LOONA - Chuu [www.k2nblog.com]
2017-12-28 19:22 - 2017-12-27 07:10 - 000000000 ____D C:\Users\Megan\Desktop\Eric Nam - Hold me [www.k2nblog.com]
2017-12-28 19:22 - 2017-12-26 16:05 - 000000000 ____D C:\Users\Megan\Desktop\EXO - Universe - Winter Special Album, 2017 [www.k2nblog.com]
2017-12-28 19:21 - 2017-12-27 15:34 - 000000000 ____D C:\Users\Megan\Desktop\Apink - Pink Stories (iTunes) [www.k2nblog.com]
2017-12-28 19:20 - 2017-12-28 19:21 - 019162982 _____ C:\Users\Megan\Downloads\Eric Nam - Hold me [www.k2nblog.com].7z
2017-12-28 19:18 - 2017-12-28 19:21 - 026633195 _____ C:\Users\Megan\Downloads\THSK-R-K2N.7z
2017-12-28 19:18 - 2017-12-28 19:20 - 016887158 _____ C:\Users\Megan\Downloads\LOONA - Chuu [www.k2nblog.com].7z
2017-12-28 19:18 - 2017-12-28 19:18 - 002391552 _____ (Farbar) C:\Users\Megan\Downloads\FRST64.exe
2017-12-28 19:13 - 2017-12-28 19:22 - 076203718 _____ C:\Users\Megan\Downloads\EXO_-_Universe_-_Winter_Special_Album,_2017_[www.k2nblog.com].rar
2017-12-28 19:12 - 2017-12-28 19:18 - 084980072 _____ C:\Users\Megan\Downloads\Apink-PS-iT-K2N.rar
2017-12-28 18:52 - 2017-12-28 18:52 - 000142136 ____N C:\WINDOWS\system32\Drivers\usnmptwz.sys
2017-12-28 18:21 - 2017-12-28 18:21 - 000255928 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\AF131693.sys
2017-12-28 17:44 - 2017-12-28 17:44 - 000097702 _____ C:\Users\Megan\Documents\cc_20171228_174403.reg
2017-12-28 17:05 - 2017-12-28 18:53 - 000253880 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2017-12-28 03:54 - 2017-12-28 03:54 - 000255928 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\73375706.sys
2017-12-28 01:09 - 2017-12-28 01:09 - 000255928 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\5632D45E.sys
2017-12-28 01:08 - 2017-12-28 18:54 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-12-28 01:08 - 2017-12-28 18:18 - 000192952 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2017-12-28 01:07 - 2017-12-28 18:48 - 000000000 ____D C:\Users\Megan\Desktop\mbar
2017-12-28 01:05 - 2017-12-28 01:06 - 014178840 _____ (Malwarebytes Corp.) C:\Users\Megan\Desktop\mbar-1.10.3.1001.exe
2017-12-28 00:42 - 2017-12-28 00:42 - 000000000 ____D C:\ProgramData\043f3c38-96e7-4540-b960-229abeba951c
2017-12-28 00:41 - 2017-12-28 00:41 - 000012872 _____ (SurfRight B.V.) C:\WINDOWS\system32\bootdelete.exe
2017-12-28 00:08 - 2017-12-28 19:01 - 000055232 _____ C:\WINDOWS\system32\Drivers\hitmanpro37.sys
2017-12-28 00:08 - 2017-12-28 00:08 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2017-12-28 00:07 - 2017-12-28 00:41 - 000000000 ____D C:\ProgramData\HitmanPro
2017-12-28 00:07 - 2017-12-28 00:08 - 000000000 ____D C:\Program Files\HitmanPro
2017-12-28 00:05 - 2017-12-28 00:06 - 011584088 _____ (SurfRight B.V.) C:\Users\Megan\Desktop\hitmanpro_x64.exe
2017-12-22 05:41 - 2017-12-22 05:41 - 000001914 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-12-22 05:41 - 2017-12-22 05:41 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-12-22 05:40 - 2017-12-22 05:40 - 000000000 ____D C:\ProgramData\MB3CoreBackup
2017-12-22 03:54 - 2017-12-28 17:57 - 000002194 _____ C:\Users\Megan\Desktop\Rkill.txt
2017-12-22 03:53 - 2017-12-22 03:54 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\Megan\Desktop\rkill.com
2017-12-22 02:52 - 2017-12-28 17:31 - 000000085 _____ C:\WINDOWS\wininit.ini
2017-12-19 16:57 - 2017-12-19 16:57 - 000080842 _____ C:\Users\Megan\Documents\cc_20171219_165739.reg
2017-12-19 16:51 - 2017-12-19 16:51 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2017-12-19 16:51 - 2017-12-19 16:51 - 000000000 ____D C:\Program Files\iPod
2017-12-17 22:50 - 2017-12-20 23:23 - 000000000 ____D C:\Users\Megan\Downloads\QI Series 1-10 Season A-J  mp4 -- XL UNCUT HDTV 720p if available
2017-12-15 22:21 - 2017-12-07 14:13 - 001008640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\InstallService.dll
2017-12-15 22:21 - 2017-12-07 14:10 - 001313792 _____ (Microsoft Corporation) C:\WINDOWS\system32\InstallService.dll
2017-12-13 20:52 - 2017-12-13 20:52 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign6b3857f48b69d614
2017-12-13 20:52 - 2017-12-13 20:52 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign455c14043a85435f
2017-12-13 20:52 - 2017-12-13 20:52 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign3c0f26a83191e06a
2017-12-13 20:14 - 2017-12-13 20:14 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign3af3e4045e160872
2017-12-13 20:06 - 2017-12-13 20:06 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsignb70b9b629f56d536
2017-12-13 20:06 - 2017-12-13 20:06 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign37a57670828b8b00
2017-12-13 20:05 - 2017-12-13 20:05 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign77b56e609af2f5fe
2017-12-13 20:05 - 2017-12-13 20:05 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign4133586ea75b8f8c
2017-12-13 20:05 - 2017-12-13 20:05 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign237d050fb81c8b41
2017-12-13 17:17 - 2017-12-16 18:18 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2017-12-12 17:52 - 2017-12-12 17:52 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsigndbfa00ac4435736a
2017-12-12 17:52 - 2017-12-12 17:52 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsignccbca959c82d6c01
2017-12-12 17:52 - 2017-12-12 17:52 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign1be87ae30d9f1157
2017-12-09 20:10 - 2017-12-19 16:30 - 000003938 _____ C:\WINDOWS\System32\Tasks\CCleaner Update
2017-12-09 20:10 - 2017-12-09 20:10 - 000002870 _____ C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
2017-12-09 20:10 - 2017-12-09 20:10 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Defraggler
2017-12-09 20:10 - 2017-12-09 20:10 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2017-12-09 20:10 - 2017-12-09 20:10 - 000000000 ____D C:\Program Files\Defraggler
2017-12-09 20:10 - 2017-12-09 20:10 - 000000000 ____D C:\Program Files\CCleaner
2017-12-04 22:08 - 2017-12-04 22:08 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign50b50d7891ac5c2b
2017-12-04 22:00 - 2017-12-04 22:00 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsignfbd27917f21b97e0
2017-12-04 21:59 - 2017-12-04 21:59 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsigna445ed32b3640c4b
2017-12-04 21:58 - 2017-12-04 21:58 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign4f62aaeff013bdeb
2017-12-04 21:58 - 2017-12-04 21:58 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign4388f3fcce852c92
2017-12-04 20:13 - 2017-12-04 20:13 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign88f53c709f3cfdda
2017-12-04 20:13 - 2017-12-04 20:13 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign039c65b7b588896d
2017-12-04 20:12 - 2017-12-04 20:12 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign03ee611c9e099db8
2017-12-04 20:11 - 2017-12-04 20:11 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign90c65c57ce90deaf
2017-12-04 20:10 - 2017-12-04 20:10 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign841144c9bcaa09ea
2017-12-04 20:10 - 2017-12-04 20:10 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign22ad2871a751aafa
2017-12-04 20:08 - 2017-12-04 20:08 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsignaa27c844be7a6979
2017-12-04 20:08 - 2017-12-04 20:08 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsigna11d427b2090e0f9
2017-12-04 20:08 - 2017-12-04 20:08 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign7006ef6935568656
2017-12-04 20:08 - 2017-12-04 20:08 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign21708e07b2f75c36
2017-12-04 18:39 - 2017-12-04 18:39 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign5e8cfb7d6503b3ca
2017-12-04 18:38 - 2017-12-04 18:38 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsignaf55a9a45bbf3cf6
2017-12-04 18:36 - 2017-12-04 18:36 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign8f429b298b8bea03
2017-12-04 18:36 - 2017-12-04 18:36 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign3675aa8fdeb62faa
2017-12-04 18:36 - 2017-12-04 18:36 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign189464d14fa1a118
2017-12-04 18:35 - 2017-12-04 18:35 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign9a152a7397ac0f19
2017-12-04 18:35 - 2017-12-04 18:35 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign5d5e55dedde6a1b2
2017-12-04 18:13 - 2017-12-04 18:13 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign88d88dab70d2f2cf
2017-12-04 18:09 - 2017-12-04 18:09 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsignf687fac49c1c7d7a
2017-12-04 18:09 - 2017-12-04 18:09 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsignf092e10376742a28
2017-12-04 18:09 - 2017-12-04 18:09 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign8c4e847d0c704f19
2017-12-03 23:44 - 2017-12-03 23:44 - 000641696 _____ (Microsoft Corporation) C:\WINDOWS\system32\msvcp140.dll
2017-12-03 23:44 - 2017-12-03 23:44 - 000389296 _____ (Microsoft Corporation) C:\WINDOWS\system32\vccorlib140.dll
2017-12-03 23:44 - 2017-12-03 23:44 - 000331432 _____ (Microsoft Corporation) C:\WINDOWS\system32\concrt140.dll
2017-12-03 23:44 - 2017-12-03 23:44 - 000087728 _____ (Microsoft Corporation) C:\WINDOWS\system32\vcruntime140.dll
2017-12-03 23:38 - 2017-12-03 23:38 - 000440128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msvcp140.dll
2017-12-03 23:38 - 2017-12-03 23:38 - 000263856 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vccorlib140.dll
2017-12-03 23:38 - 2017-12-03 23:38 - 000242496 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\concrt140.dll
2017-12-03 23:38 - 2017-12-03 23:38 - 000083792 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vcruntime140.dll
2017-12-03 23:01 - 2017-12-28 01:09 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-12-03 23:01 - 2017-12-03 23:01 - 000000000 ____D C:\Program Files\Malwarebytes
2017-12-03 23:01 - 2017-11-29 09:11 - 000077432 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-12-03 22:58 - 2017-12-03 22:58 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\pkilqjke.sys
2017-12-03 22:55 - 2017-12-03 22:55 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\nouzpdir.sys
2017-12-03 22:50 - 2017-12-10 18:28 - 000000000 ____D C:\Users\Megan\AppData\Local\sncobea
2017-12-03 22:46 - 2017-12-28 19:24 - 000000000 ____D C:\Users\Megan\AppData\Local\dsmwtil
2017-12-03 22:46 - 2017-12-08 00:08 - 000000000 ____D C:\Users\Megan\AppData\Local\igfxmtc
2017-12-03 22:46 - 2017-12-03 22:46 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\lccsiwmj.sys
2017-12-03 22:45 - 2017-12-28 18:52 - 002884096 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\codgtlxsvc.exe
2017-12-03 22:45 - 2017-12-03 23:49 - 000000000 ____D C:\Users\Megan\AppData\Local\AdService
2017-12-03 22:45 - 2017-12-03 22:47 - 000000000 ____D C:\Users\Megan\AppData\Local\kinmzawx
2017-12-03 22:45 - 2017-12-03 22:45 - 000000000 ____D C:\WINDOWS\SysWOW64\rekldwn
2017-12-03 22:45 - 2017-12-03 22:45 - 000000000 ____D C:\WINDOWS\system32\rekldwn
2017-12-03 22:44 - 2017-12-03 22:44 - 000000000 ____D C:\Users\Megan\AppData\Roaming\et
2017-11-28 22:04 - 2017-11-28 22:04 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsignb4e2dfdef55d25ca
2017-11-28 22:04 - 2017-11-28 22:04 - 000000000 ____D C:\Users\Megan\AppData\Local\Tempzxpsign6cab2d0593261337
2017-11-28 04:04 - 2017-11-28 04:04 - 036247992 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvoglv64.dll
2017-11-28 04:04 - 2017-11-28 04:04 - 029279672 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvoglv32.dll
2017-11-28 04:03 - 2017-11-28 04:03 - 000989808 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvIFR64.dll
2017-11-28 04:03 - 2017-11-28 04:03 - 000941168 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvIFR.dll
2017-11-28 04:03 - 2017-11-28 04:03 - 000624240 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvIFROpenGL.dll
2017-11-28 04:03 - 2017-11-28 04:03 - 000514488 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvIFROpenGL.dll
2017-11-28 04:02 - 2017-11-28 04:02 - 001997936 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvdispco6438816.dll
2017-11-28 04:02 - 2017-11-28 04:02 - 001682360 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvdispgenco6438816.dll
2017-11-28 04:02 - 2017-11-28 04:02 - 001108408 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvFBC64.dll
2017-11-28 04:02 - 2017-11-28 04:02 - 001039800 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvFBC.dll
2017-11-28 03:57 - 2017-11-28 03:57 - 040246200 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcompiler.dll
2017-11-28 03:57 - 2017-11-28 03:57 - 035165808 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvcompiler.dll
2017-11-28 03:57 - 2017-11-28 03:57 - 004210104 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuvid.dll
2017-11-28 03:57 - 2017-11-28 03:57 - 003622840 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvcuvid.dll
2017-11-28 03:52 - 2017-11-28 03:52 - 023474480 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvopencl.dll
2017-11-28 03:52 - 2017-11-28 03:52 - 019212712 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvopencl.dll
2017-11-28 03:52 - 2017-11-28 03:52 - 013379352 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvptxJitCompiler.dll
2017-11-28 03:52 - 2017-11-28 03:52 - 010986960 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvptxJitCompiler.dll
2017-11-28 03:52 - 2017-11-28 03:52 - 001154288 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvfatbinaryLoader.dll
2017-11-28 03:52 - 2017-11-28 03:52 - 000902128 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvfatbinaryLoader.dll
2017-11-28 03:52 - 2017-11-28 03:52 - 000810480 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvEncodeAPI64.dll
2017-11-28 03:52 - 2017-11-28 03:52 - 000648728 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvEncodeAPI.dll
2017-11-28 03:51 - 2017-11-28 03:51 - 013994128 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuda.dll
2017-11-28 03:51 - 2017-11-28 03:51 - 011891384 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvcuda.dll
2017-11-28 03:51 - 2017-11-28 03:51 - 003859848 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvapi.dll
2017-11-28 03:51 - 2017-11-28 03:51 - 001342000 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvEncMFTH264.dll
2017-11-28 03:51 - 2017-11-28 03:51 - 001056712 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvEncMFTH264.dll
2017-11-28 03:37 - 2017-11-28 03:37 - 000000669 _____ C:\WINDOWS\SysWOW64\nv-vk32.json
2017-11-28 03:37 - 2017-11-28 03:37 - 000000669 _____ C:\WINDOWS\system32\nv-vk64.json
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-12-28 19:27 - 2017-09-29 05:37 - 000000000 ____D C:\WINDOWS\CbsTemp
2017-12-28 19:00 - 2017-11-10 17:53 - 001316298 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-12-28 19:00 - 2017-07-02 03:44 - 000000000 ____D C:\Users\Megan\AppData\Roaming\qBittorrent
2017-12-28 18:54 - 2017-06-28 20:26 - 000000000 __SHD C:\Users\Megan\IntelGraphicsProfiles
2017-12-28 18:53 - 2017-11-10 17:57 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-12-28 18:53 - 2017-07-03 07:48 - 000000000 ____D C:\ProgramData\NVIDIA
2017-12-28 18:52 - 2017-09-29 00:45 - 025690112 _____ C:\WINDOWS\system32\config\HARDWARE
2017-12-28 18:52 - 2017-09-29 00:45 - 000786432 _____ C:\WINDOWS\system32\config\BBI
2017-12-28 18:21 - 2017-09-29 05:46 - 000000000 ____D C:\WINDOWS\DeliveryOptimization
2017-12-28 17:47 - 2017-11-10 17:20 - 000256920 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-12-28 17:46 - 2017-06-30 19:45 - 000000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2017-12-28 17:41 - 2017-09-29 05:44 - 000000000 ____D C:\WINDOWS\INF
2017-12-28 17:31 - 2017-06-30 19:46 - 000000000 ____D C:\ProgramData\Spybot - Search & Destroy
2017-12-28 17:24 - 2017-08-28 11:45 - 000000000 ____D C:\Program Files (x86)\Adobe
2017-12-28 17:23 - 2017-11-10 17:32 - 000000000 ____D C:\Users\Megan
2017-12-28 17:23 - 2017-06-28 20:26 - 000000000 ____D C:\Users\Megan\AppData\Roaming\Adobe
2017-12-28 17:18 - 2017-09-06 16:06 - 000000000 ____D C:\ProgramData\Adobe
2017-12-28 17:17 - 2017-09-06 16:13 - 000000000 ____D C:\Program Files\Adobe
2017-12-28 12:25 - 2017-11-10 17:21 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2017-12-26 23:56 - 2017-07-03 01:52 - 000000000 ____D C:\Users\Megan\AppData\Roaming\vlc
2017-12-25 11:13 - 2017-09-29 05:46 - 000000000 ___HD C:\Program Files\WindowsApps
2017-12-25 11:13 - 2017-09-29 05:46 - 000000000 ____D C:\WINDOWS\AppReadiness
2017-12-19 17:07 - 2017-07-02 22:29 - 000000000 ____D C:\Users\Megan\AppData\Local\Last.fm
2017-12-19 16:58 - 2017-09-29 05:46 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2017-12-19 16:51 - 2017-06-30 21:04 - 000000000 ____D C:\Program Files\iTunes
2017-12-15 14:31 - 2017-09-29 05:46 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-12-15 14:28 - 2017-02-07 14:16 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2017-12-13 20:52 - 2017-09-06 16:16 - 000000033 _____ C:\Users\Megan\AppData\Roaming\AdobeWLCMCache.dat
2017-12-13 19:58 - 2017-06-30 18:41 - 000002274 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-12-13 19:56 - 2017-09-06 16:06 - 000000000 ____D C:\Users\Megan\AppData\Local\Adobe
2017-12-13 19:39 - 2017-10-12 16:08 - 000000000 ___HD C:\adobeTemp
2017-12-13 16:40 - 2017-06-28 20:26 - 000000000 ____D C:\Users\Megan\AppData\Local\NVIDIA
2017-12-13 15:01 - 2017-11-10 17:33 - 000000000 ____D C:\Users\Megan\AppData\Local\Packages
2017-12-12 18:00 - 2017-07-03 07:46 - 000000000 ____D C:\Program Files (x86)\VulkanRT
2017-12-12 17:58 - 2017-07-03 07:48 - 000000000 ____D C:\ProgramData\NVIDIA Corporation
2017-12-12 17:57 - 2017-07-03 07:47 - 000000000 ____D C:\Program Files\NVIDIA Corporation
2017-12-12 17:57 - 2017-02-07 14:08 - 000000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2017-12-12 17:54 - 2017-06-29 21:01 - 000000000 ____D C:\WINDOWS\system32\MRT
2017-12-12 17:50 - 2017-10-10 20:33 - 133326408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2017-12-12 17:50 - 2017-06-29 21:00 - 133326408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-12-09 20:49 - 2017-06-28 20:34 - 000000000 ____D C:\Users\Megan\AppData\Roaming\Skype
2017-12-09 20:14 - 2017-11-02 14:34 - 000000000 ___DC C:\WINDOWS\Panther
2017-12-09 20:14 - 2017-06-28 20:47 - 000000000 ____D C:\Users\Megan\AppData\Local\CrashDumps
2017-12-08 00:54 - 2017-07-03 07:46 - 000000000 ____D C:\Program Files\Intel
2017-12-07 23:27 - 2017-11-10 17:57 - 000003378 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1476650472-3548292237-2988209075-1001
2017-12-07 23:27 - 2017-06-28 20:31 - 000002369 _____ C:\Users\Megan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-12-07 23:27 - 2017-06-28 20:31 - 000000000 ___RD C:\Users\Megan\OneDrive
2017-12-04 18:36 - 2017-09-06 16:16 - 000000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2017-12-03 14:38 - 2017-09-29 05:49 - 000835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-12-03 14:38 - 2017-09-29 05:49 - 000177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2017-11-30 19:40 - 2017-09-24 17:09 - 000000000 ____D C:\ProgramData\Skype
2017-11-28 03:51 - 2017-10-03 03:34 - 004532992 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvapi64.dll
2017-11-28 03:37 - 2017-10-03 03:21 - 000048442 _____ C:\WINDOWS\system32\nvinfo.pb
 
==================== Files in the root of some directories =======
 
2017-09-06 16:16 - 2017-12-13 20:52 - 000000033 _____ () C:\Users\Megan\AppData\Roaming\AdobeWLCMCache.dat
2017-10-02 21:04 - 2017-10-02 21:04 - 000000852 _____ () C:\Users\Megan\AppData\Local\recently-used.xbel
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\WINDOWS\system32\drivers\usnmptwz.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION
 
LastRegBack: 2017-12-27 00:30
 
==================== End of FRST.txt ============================
 
Addition (FRST)
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 26-12-2017
Ran by Megan (28-12-2017 19:27:47)
Running from C:\Users\Megan\Downloads
Windows 10 Home Version 1709 16299.64 (X64) (2017-11-11 02:01:02)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1476650472-3548292237-2988209075-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1476650472-3548292237-2988209075-503 - Limited - Disabled)
Guest (S-1-5-21-1476650472-3548292237-2988209075-501 - Limited - Disabled)
Megan (S-1-5-21-1476650472-3548292237-2988209075-1001 - Administrator - Enabled) => C:\Users\Megan
WDAGUtilityAccount (S-1-5-21-1476650472-3548292237-2988209075-504 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe After (HKLM\...\{6A915992-D887-4897-82F5-950EDD12DEB1}) (Version: 1.0.0000 - Adobe Systems Incorporated) Hidden
Adobe Digital Editions 4.5 (HKLM-x32\...\Adobe Digital Editions 4.5) (Version: 4.5.6 - Adobe Systems Incorporated)
Ansel (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Ansel) (Version: 382.05 - NVIDIA Corporation) Hidden
Apple Application Support (32-bit) (HKLM-x32\...\{BC7C46A4-D7A7-48EC-A98C-32A7762B5EFA}) (Version: 6.2.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{F0C4B709-8BF4-4A72-B527-12E7BF5482F8}) (Version: 6.2.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{BD6778C5-6FA5-492A-ADD6-E706339C2A7B}) (Version: 11.0.2.4 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{C1BBFD2A-BCDD-45B3-8C0B-66BD434970A8}) (Version: 2.4.8.1 - Apple Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.38 - Piriform)
Cyberduck 4.3.1 (11008) (HKLM-x32\...\Cyberduck) (Version: 4.3.1 (11008) - )
Defraggler (HKLM\...\Defraggler) (Version: 2.21 - Piriform)
Dell Customer Connect (HKLM-x32\...\{35BEC446-269E-42E4-8EED-191A38CCFF3D}) (Version: 1.4.10.0 - Dell Inc.)
Dell Digital Delivery (HKLM-x32\...\{99B7C4B5-DC14-441D-A5B6-7340F682BC81}) (Version: 3.1.1117.0 - Dell Products, LP)
Dell Foundation Services (HKLM\...\{BDB50421-E961-42F3-B803-6DAC6F173834}) (Version: 3.4.16100.0 - Dell Inc.)
Dell Help & Support (HKLM\...\{457EFE69-8F49-43E0-80F9-1DEF4F7690C2}) (Version: 2.5.23.0 - Dell Inc.) Hidden
Dell Help & Support (HKLM-x32\...\InstallShield_{457EFE69-8F49-43E0-80F9-1DEF4F7690C2}) (Version: 2.5.23.0 - Dell Inc.)
Dell Product Registration (HKLM-x32\...\InstallShield_{48114909-3C3B-43E6-BF98-AE9C396500A3}) (Version: 3.0.127.0 - Dell Inc.)
Dell SupportAssist (HKLM\...\PC-Doctor for Windows) (Version: 1.3.6855.61 - Dell)
Dell SupportAssist Remediation (HKLM\...\{4164FBBB-3428-4EFE-863F-30CAC3ADE51A}) (Version: 3.1.2.3837 - Dell Inc.) Hidden
Dell SupportAssist Remediation (HKLM-x32\...\{80642b68-d76d-4777-a9dc-4ca30647e8a8}) (Version: 3.1.2.3837 - Dell Inc.)
Dell SupportAssistAgent (HKLM\...\{18EF001B-B005-46CB-917B-112BA69ED85E}) (Version: 2.0.3.10 - Dell)
Dell Update - SupportAssist Update Plugin (HKLM\...\{2228BC43-73DA-4F9A-BEE6-8E9C15328513}) (Version: 3.1.1.3832 - Dell Inc.)
Dell Update (HKLM-x32\...\{F91263FA-BE4D-439D-9C0A-2E7204E0E9E3}) (Version: 1.9.20.0 - Dell Inc.)
DSC/AA Factory Installer (HKLM\...\{F7A70D00-F283-45C8-B163-49EC365D7E27}) (Version: 1.3.6855.61 - PC-Doctor, Inc.) Hidden
encoder (HKLM\...\{816B3B8A-576A-4B1E-8C18-150BB3A9DD6C}) (Version: 1.0.0000 - Adobe Systems Incorporated) Hidden
GIMP 2.8.22 (HKLM\...\GIMP-2_is1) (Version: 2.8.22 - The GIMP Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 63.0.3239.84 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.20.286 - SurfRight B.V.)
Intel® Chipset Device Software (HKLM-x32\...\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}) (Version: 10.1.1.35 - Intel® Corporation) Hidden
Intel® Dynamic Platform and Thermal Framework (HKLM-x32\...\{654EE65D-FAA4-4EA6-8C07-DC94E6A304D4}) (Version: 8.2.11000.2996 - Intel Corporation)
Intel® HID Event Filter (HKLM-x32\...\3FB06EEC-013D-4366-9918-71B97DFB84EB) (Version: 1.1.0.317 - Intel Corporation)
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.5.0.1015 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 22.20.16.4836 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 15.2.0.1020 - Intel Corporation)
Intel® Virtual Buttons (HKLM-x32\...\1992736F-C90A-481C-B21B-EE34CAD07387) (Version: 1.1.0.21 - Intel Corporation)
Intel® Wireless Bluetooth® (HKLM-x32\...\{52DA40D6-6EF4-4B28-B501-FC538ECE638C}) (Version: 19.01.1627.3533 - Intel Corporation)
Intel® Integrated Sensor Solution (HKLM-x32\...\{b3c2a365-876b-4588-97ce-5ab104b07d57}) (Version: 3.0.30.1076 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{66614300-cd9b-4a62-8b18-c97e9562dc3e}) (Version: 19.50.0 - Intel Corporation)
Intel® Security Assist (HKLM-x32\...\{8B08DDA1-FDE7-4897-8EB6-E0B048A6D88B}) (Version: 1.0.1.618 - Intel Corporation)
ISS_Drivers_x64 (HKLM\...\{7F65AED2-5B3C-40DD-996B-6F8820856F34}) (Version: 3.0.30.1076 - Intel Corporation) Hidden
iTunes (HKLM\...\{D7D4465C-B3B6-4BC1-B336-2803FB57BFAF}) (Version: 12.7.2.60 - Apple Inc.)
Last.fm Scrobbler 2.1.37 (HKLM-x32\...\LastFM_is1) (Version:  - Last.fm)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Maxx Audio Installer (x64) (HKLM\...\{307032B2-6AF2-46D7-B933-62438DEB2B9A}) (Version: 2.7.9179.0 - Waves Audio Ltd.) Hidden
Microsoft Office Home and Student 2016 - en-us (HKLM\...\HomeStudentRetail - en-us) (Version: 16.0.8730.2127 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1476650472-3548292237-2988209075-1001\...\OneDriveSetup.exe) (Version: 17.3.7131.1115 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 (HKLM-x32\...\{d992c12e-cab2-426f-bde3-fb8c53950b0d}) (Version: 14.0.24215.1 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23918 (HKLM-x32\...\{2e085fd2-a3e4-4b39-8e10-6b8d35f55244}) (Version: 14.0.23918.0 - Microsoft Corporation)
Notepad++ (32-bit x86) (HKLM-x32\...\Notepad++) (Version: 7.5.1 - Notepad++ Team)
NVIDIA GeForce Experience 3.6.0.74 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 3.6.0.74 - NVIDIA Corporation)
NVIDIA Graphics Driver 388.16 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 388.16 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.17.0329 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.17.0329 - NVIDIA Corporation)
NvNodejs (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NvNodejs) (Version: 3.6.0.74 - NVIDIA Corporation) Hidden
NvTelemetry (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NvTelemetry) (Version: 2.4.10.0 - NVIDIA Corporation) Hidden
NvvHci (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NvvHci) (Version: 2.02.0.5 - NVIDIA Corporation) Hidden
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.8730.2127 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.8730.2127 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.8730.2127 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.8730.2127 - Microsoft Corporation) Hidden
Premiere Pro (HKLM\...\{3DF5A448-80E1-43C1-8428-984429451989}) (Version: 1.0.0000 - Adobe Systems Incorporated) Hidden
Private Internet Access Support Files (HKLM-x32\...\{7D72DAFF-DCB2-437B-BC22-4B2ABF21462B}) (Version: 1.0.0.0 - Private Internet Access)
Product Registration (HKLM\...\{48114909-3C3B-43E6-BF98-AE9C396500A3}) (Version: 3.0.127.0 - Dell Inc.) Hidden
qBittorrent 3.3.13 (HKLM-x32\...\qBittorrent) (Version: 3.3.13 - The qBittorrent project)
QuickSet64 (HKLM\...\{87CF757E-C1F1-4D22-865C-00C6950B5258}) (Version: 11.1.37 - Dell Inc.)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.14393.31228 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.8158 - Realtek Semiconductor Corp.)
Realtek PC Camera Driver (HKLM-x32\...\{E399A5B3-ED53-4DEA-AF04-8011E1EB1EAC}) (Version: 10.0.10586.11224 - Realtek Semiconductor Corp.)
SHIELD Streaming (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_GFExperience.NvStreamSrv) (Version: 7.1.0370 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_ShieldWirelessController) (Version: 3.6.0.74 - NVIDIA Corporation) Hidden
Skype™ 7.40 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.40.104 - Skype Technologies S.A.)
Spotify (HKU\S-1-5-21-1476650472-3548292237-2988209075-1001\...\Spotify) (Version: 1.0.57.474.gca9c9538 - Spotify AB)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.6 - VideoLAN)
Vulkan Run Time Libraries 1.0.33.0 (HKLM\...\VulkanRT1.0.33.0) (Version: 1.0.33.0 - LunarG, Inc.) Hidden
Vulkan Run Time Libraries 1.0.33.0 (HKLM\...\VulkanRT1.0.33.0-2) (Version: 1.0.33.0 - LunarG, Inc.)
Vulkan Run Time Libraries 1.0.54.1 (HKLM\...\VulkanRT1.0.54.1) (Version: 1.0.54.1 - Intel Corporation Inc.)
Vulkan Run Time Libraries 1.0.61.0 (HKLM\...\VulkanRT1.0.61.0) (Version: 1.0.61.0 - LunarG, Inc.) Hidden
Windows 10 Upgrade Assistant (HKLM-x32\...\{D5C69738-B486-402E-85AC-2456D98A64E4}) (Version: 1.4.9200.22175 - Microsoft Corporation)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-1476650472-3548292237-2988209075-1001_Classes\CLSID\{a9872fee-5a55-4ecb-9b0f-b06fedcf14d1}\localserver32 -> C:\Program Files\Waves\MaxxAudio\MaxxAudioPro.exe (Waves Audio Ltd)
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files (x86)\Notepad++\NppShell_06.dll [2017-08-28] ()
ContextMenuHandlers1: [DefragglerShellExtension] -> {4380C993-0C43-4E02-9A7A-0D40B6EA7590} => C:\Program Files\Defraggler\DefragglerShell64.dll [2016-03-08] (Piriform Ltd)
ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll [2017-09-29] (Microsoft Corporation)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-14] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-08-14] (Alexander Roshal)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll [2017-09-29] (Microsoft Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll [2017-09-29] (Microsoft Corporation)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\WINDOWS\System32\DriverStore\FileRepository\ki125183.inf_amd64_cb49708b33bad074\igfxDTCM.dll [2017-11-07] (Intel Corporation)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\WINDOWS\system32\nvshext.dll [2017-10-30] (NVIDIA Corporation)
ContextMenuHandlers6: [DefragglerShellExtension] -> {4380C993-0C43-4E02-9A7A-0D40B6EA7590} => C:\Program Files\Defraggler\DefragglerShell64.dll [2016-03-08] (Piriform Ltd)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-14] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-08-14] (Alexander Roshal)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0301D33E-C131-44CE-9862-4C0213343B15} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {030E2A11-766E-4EC1-BAEB-E2ECBEA6C67A} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-12-15] (Microsoft Corporation)
Task: {037FE5FE-EA79-4C12-BD95-CEA37E0B5761} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-06-30] (Google Inc.)
Task: {06D44229-7497-40D3-AD36-12C145636205} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2017-07-24] (Apple Inc.)
Task: {0A5900E1-1645-438C-83B9-E28E9493496D} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {0DBC3270-9C09-491D-B9A5-EE45A6803C94} - System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [2017-05-04] (NVIDIA Corporation)
Task: {1A65546C-7DBE-4442-8C16-991B06DBFCD7} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2017-12-13] (Piriform Ltd)
Task: {2AEA5C25-680F-4C2F-8E93-1B50D429EB76} - System32\Tasks\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmMon.exe [2017-05-04] (NVIDIA Corporation)
Task: {3590BA05-00BC-4250-9BD4-DD9739D729B6} - System32\Tasks\AdobeAAMUpdater-1.0-DESKTOP-52TD2ON-Megan => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe
Task: {36FE9D84-0765-45AE-BED8-D4E88BE64D35} - System32\Tasks\Dell SupportAssistAgent AutoUpdate => C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssist.exe [2017-09-22] (Dell Inc.)
Task: {39BFD62C-CC9C-41FF-96C2-75DFF8DB028E} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-12-15] (Microsoft Corporation)
Task: {49EE8238-48A0-4E7B-BDE7-6EE052DBCB6E} - System32\Tasks\PCDoctorBackgroundMonitorTask => C:\Program Files\Dell\SupportAssist\uaclauncher.exe [2016-09-13] (PC-Doctor, Inc.)
Task: {508A67AD-53DA-4A3C-BCEA-B6DE324C6C07} - System32\Tasks\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe [2017-05-04] (NVIDIA Corporation)
Task: {513073CE-042D-4CD0-95DE-AC899439868D} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-06-30] (Google Inc.)
Task: {51538D8B-98C0-4A9A-8FFC-3373CDABB84B} - System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [2017-05-04] (NVIDIA Corporation)
Task: {576B7C8B-9AE1-4D73-894D-07CAA1BE567D} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {5952BF33-3F89-425F-9A0E-89A6F603E48D} - System32\Tasks\Dell Cleanup => c:\windows\system32\oem\startmenufix.vbs [2016-09-14] ()
Task: {5DFC026D-6D10-471E-98EC-792EB11DE5D1} - System32\Tasks\Dell SupportAssistAgent AnonymousRegistration => C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssist.exe [2017-09-22] (Dell Inc.)
Task: {691D5462-9E9C-4438-B34F-10A0B2906AC2} - System32\Tasks\NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe [2017-05-04] (NVIDIA Corporation)
Task: {8A01683F-DF1C-4777-BBA4-A30EC99668DD} - System32\Tasks\PCDDataUploadTask => uaclauncher.exe
Task: {9797ECE2-34EF-414A-ADAC-4AC9CE2A8F8F} - System32\Tasks\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe [2017-05-04] (NVIDIA Corporation)
Task: {9B9A2E3B-E360-4848-A3A5-0E7048E2DFCE} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {A0F7192F-6988-4A90-8C1D-F6E0C796BEFD} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-12-07] (Microsoft Corporation)
Task: {B10987B3-9316-4F18-A413-566380C51198} - System32\Tasks\PCDEventLauncherTask => C:\Program Files\Dell\SupportAssist\sessionchecker.exe [2016-09-13] (PC-Doctor, Inc.)
Task: {B2C37AAC-1AAB-4625-B5A1-0A6A75A98CCB} - System32\Tasks\Private Internet Access Startup => C:\Program Files\pia_manager\pia_manager.exe [2017-07-02] ()
Task: {B3172AD5-990F-464A-87A7-D902ECA0126A} - System32\Tasks\Intel PTT EK Recertification => C:\Program Files\Intel\iCLS Client\IntelPTTEKRecertification.exe [2016-02-19] (Intel® Corporation)
Task: {BD8F2C17-38EF-4DA6-9B5E-D7CB5E71BD53} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {CB1AF18C-D746-4C6B-AC68-4AE75055A1E4} - System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [2017-05-04] (NVIDIA Corporation)
Task: {CB51F0CF-5483-48AD-BAE5-782A31FFB198} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe
Task: {CCAD2958-C897-4934-8800-CFF6E3EE4BDF} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2017-12-13] (Piriform Ltd)
Task: {D1EDDB39-89C0-4F2C-8870-8F0E8C92805D} - System32\Tasks\RtHDVBg_PushButton => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2017-05-18] (Realtek Semiconductor)
Task: {E71F39C0-7C9E-41A1-A501-CB320644BA5E} - System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NvNode\nvnodejslauncher.exe [2017-05-04] (NVIDIA Corporation)
Task: {FFD5B132-AAAA-4B84-B102-7D2E2F9F3CB9} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-12-07] (Microsoft Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\RunDLC.job => cmd c sc start Dell Help SupportWORKGROUP DESKTOP 52TD2ON
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-09-29 05:41 - 2017-09-29 05:41 - 000184432 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2017-12-08 01:48 - 2017-12-08 01:48 - 000088888 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2017-12-08 01:48 - 2017-12-08 01:48 - 001356088 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2017-12-03 23:01 - 2017-11-29 09:11 - 002301384 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2017-09-29 05:42 - 2017-09-29 06:43 - 011044864 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-09-29 05:42 - 2017-09-29 06:43 - 001804288 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-12-13 19:58 - 2017-12-05 20:24 - 004063064 _____ () C:\Program Files (x86)\Google\Chrome\Application\63.0.3239.84\libglesv2.dll
2017-12-13 19:58 - 2017-12-05 20:24 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\63.0.3239.84\libegl.dll
2016-09-09 08:32 - 2016-09-09 08:32 - 000134008 _____ () C:\Program Files (x86)\Dell Customer Connect\ServiceTagPlusPlus.dll
2016-05-02 14:46 - 2016-05-02 14:46 - 000134008 _____ () c:\Program Files (x86)\Dell Digital Delivery\ServiceTagPlusPlus.dll
2017-05-01 14:27 - 2017-05-01 14:27 - 000133992 _____ () C:\Program Files (x86)\Dell Update\ServiceTagPlusPlus.dll
2016-05-16 21:50 - 2016-05-16 21:50 - 001243936 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\WINDOWS\system32\Drivers\lccsiwmj.sys:changelist [1134]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\nouzpdir.sys:changelist [472]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\pkilqjke.sys:changelist [322]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2016-07-16 03:47 - 2016-07-16 03:45 - 000000824 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1476650472-3548292237-2988209075-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Megan\Desktop\DRXwwv9UIAA6hfW.png
DNS Servers: 192.168.0.1 - 205.171.3.25
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "Adobe Creative Cloud"
HKLM\...\StartupApproved\Run32: => "SDTray"
HKU\S-1-5-21-1476650472-3548292237-2988209075-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-1476650472-3548292237-2988209075-1001\...\StartupApproved\Run: => "Spotify Web Helper"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [TCP Query User{6DBBC1FA-520B-4AF2-9BB6-6BD45ABCB4F1}C:\program files (x86)\google\chrome\application\chrome.exe] => (Allow) C:\program files (x86)\google\chrome\application\chrome.exe
FirewallRules: [UDP Query User{1D7BB0AA-4907-4364-91BC-134F21EC1080}C:\program files (x86)\google\chrome\application\chrome.exe] => (Allow) C:\program files (x86)\google\chrome\application\chrome.exe
FirewallRules: [TCP Query User{847936AB-89C1-47B8-A74B-8B9AD1A6373E}C:\program files (x86)\qbittorrent\qbittorrent.exe] => (Allow) C:\program files (x86)\qbittorrent\qbittorrent.exe
FirewallRules: [UDP Query User{DC5C1645-3791-4248-8ADD-02D827402FA8}C:\program files (x86)\qbittorrent\qbittorrent.exe] => (Allow) C:\program files (x86)\qbittorrent\qbittorrent.exe
FirewallRules: [{986F4535-CCDE-40EC-8FD2-06CF0B7A6D6A}] => (Block) C:\program files (x86)\qbittorrent\qbittorrent.exe
FirewallRules: [{F6C8B9EC-EE98-4021-B5EE-298C90ABA4A5}] => (Block) C:\program files (x86)\qbittorrent\qbittorrent.exe
 
==================== Restore Points =========================
 
28-12-2017 19:03:54 Windows Update
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/28/2017 06:50:05 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine QueryFullProcessImageNameW.  hr = 0x80070006, The handle is invalid.
.
 
 
Operation:
   Executing Asynchronous Operation
 
Context:
   Current State: DoSnapshotSet
 
Error: (12/28/2017 05:41:00 PM) (Source: ESENT) (EventID: 489) (User: )
Description: taskhostw (4080,G,0) An attempt to open the file "C:\Users\Megan\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).
 
Error: (12/28/2017 05:00:56 PM) (Source: ESENT) (EventID: 455) (User: )
Description: DllHost (5424,R,0) WebCacheLocal: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Users\Megan\AppData\Local\Microsoft\Windows\WebCache\V01.log.
 
Error: (12/28/2017 05:00:56 PM) (Source: ESENT) (EventID: 490) (User: )
Description: DllHost (5424,R,0) WebCacheLocal: An attempt to open the file "C:\Users\Megan\AppData\Local\Microsoft\Windows\WebCache\V01.log" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).
 
Error: (12/28/2017 05:00:46 PM) (Source: ESENT) (EventID: 455) (User: )
Description: DllHost (5424,R,0) WebCacheLocal: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Users\Megan\AppData\Local\Microsoft\Windows\WebCache\V01.log.
 
Error: (12/28/2017 05:00:46 PM) (Source: ESENT) (EventID: 490) (User: )
Description: DllHost (5424,R,0) WebCacheLocal: An attempt to open the file "C:\Users\Megan\AppData\Local\Microsoft\Windows\WebCache\V01.log" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).
 
Error: (12/28/2017 05:00:27 PM) (Source: ESENT) (EventID: 489) (User: )
Description: CCleaner64 (9852,G,0) An attempt to open the file "C:\Users\Megan\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).
 
Error: (12/28/2017 04:59:54 PM) (Source: ESENT) (EventID: 455) (User: )
Description: taskhostw (7172,R,0) WebCacheLocal: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Users\Megan\AppData\Local\Microsoft\Windows\WebCache\V01.log.
 
Error: (12/28/2017 04:59:54 PM) (Source: ESENT) (EventID: 490) (User: )
Description: taskhostw (7172,R,0) WebCacheLocal: An attempt to open the file "C:\Users\Megan\AppData\Local\Microsoft\Windows\WebCache\V01.log" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).
 
Error: (12/28/2017 04:59:44 PM) (Source: ESENT) (EventID: 455) (User: )
Description: taskhostw (7172,R,0) WebCacheLocal: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Users\Megan\AppData\Local\Microsoft\Windows\WebCache\V01.log.
 
 
System errors:
=============
Error: (12/28/2017 07:25:19 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x8024200d: 2017-12 Cumulative Update for Windows 10 Version 1709 for x64-based Systems (KB4054517).
 
Error: (12/28/2017 07:18:37 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x8024200d: 2017-12 Cumulative Update for Windows 10 Version 1709 for x64-based Systems (KB4054517).
 
Error: (12/28/2017 07:09:03 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (12/28/2017 07:08:00 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x8024200d: 2017-12 Cumulative Update for Windows 10 Version 1709 for x64-based Systems (KB4054517).
 
Error: (12/28/2017 07:02:59 PM) (Source: volsnap) (EventID: 14) (User: )
Description: The shadow copies of volume C: were aborted because of an IO failure on volume C:.
 
Error: (12/28/2017 07:02:59 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (12/28/2017 07:02:59 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (12/28/2017 07:02:59 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (12/28/2017 07:02:59 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (12/28/2017 07:02:59 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
 
CodeIntegrity:
===================================
  Date: 2017-12-28 19:26:55.513
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
  Date: 2017-12-28 19:26:55.511
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
  Date: 2017-12-28 19:25:14.197
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
  Date: 2017-12-28 19:25:14.193
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
  Date: 2017-12-28 19:25:12.149
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
  Date: 2017-12-28 19:25:12.147
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
  Date: 2017-12-28 19:24:47.579
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
  Date: 2017-12-28 19:24:47.577
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
  Date: 2017-12-28 19:24:31.354
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
  Date: 2017-12-28 19:24:31.352
  Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-7500U CPU @ 2.70GHz
Percentage of memory in use: 30%
Total physical RAM: 16253.06 MB
Available physical RAM: 11265.34 MB
Total Virtual: 18685.06 MB
Available Virtual: 13529.03 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:918.82 GB) (Free:697.65 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: F36CBE26)
 
Partition: GPT.
 
==================== End of Addition.txt ============================

#2 Aura (Malware Response Team)

Posted 29 December 2017 - 08:00 AM

Hi cutaeng :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
This being said, I have a full-time job, so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread.

This being said, it's time to clean up some malware, so let's get started, shall we? :)

Open FRST and copy/paste the following inside the text area. Once done, click on the Fix button. Afterwards, a file called fixlog.txt should appear on your desktop. Attach it in your next reply.
Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir C:\Windows\system32\drivers
End::

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
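Reading the output that the fix above asks for is the real work: `fltmc instances` shows every loaded file-system minifilter with its altitude, and the `dir` of the drivers folder shows what was written there and when. The script below is an added example, written for this thread rather than something Aura posted or part of FRST, that parses saved copies of both outputs and flags (a) minifilters missing from a small allowlist of Windows inbox filters and (b) driver files written shortly before the scan or carrying a random-looking eight-character name that several files of identical size share. Both input samples are constructed to mirror the format seen in the fixlog (the filter and driver names are invented), and the allowlist, the three-day window and the scan timestamp are assumptions to adjust for the box under review.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example for this thread; it is not part of FRST and not something Aura posted.
# Both samples are CONSTRUCTED to match the shape of the `fltmc instances` and
# `dir C:\Windows\system32\drivers` output the fix prints; filter and driver names are invented.
FLTMC_SAMPLE = """\
Filter                Volume Name                              Altitude        Instance Name       Frame   SprtFtrs  VlStatus
--------------------  -------------------------------------  ------------  ----------------------  -----   --------  --------
FileInfo                                                         40500     FileInfo                  0     00000007
FileInfo              C:                                         40500     FileInfo                  0     00000007
WdFilter              C:                                        328010     WdFilter Instance         0     00000007
luafv                 C:                                        135000     luafv                     0     00000007
qzxkwplm              C:                                         45666     qzxkwplm Instance         0     00000000
qzxkwplm              \\Device\\Mup                              45666     qzxkwplm Instance         0     00000000
wcifs                 C:                                        189900     wcifs Instance            0     00000007
"""

DIR_SAMPLE = """\
 Directory of C:\\Windows\\system32\\drivers

12/28/2017  06:53 PM    <DIR>          .
09/29/2017  05:41 AM           237,056 1394ohci.sys
12/28/2017  01:09 AM           255,928 7A1C03E5.sys
12/28/2017  03:54 AM           255,928 0D9F4B21.sys
09/29/2017  05:41 AM           614,296 afd.sys
09/29/2017  05:41 AM            45,568 hidparse.sys
12/28/2017  06:21 PM           255,928 E3B70C44.sys
09/29/2017  05:41 AM           398,744 fltMgr.sys
"""

SCAN_TIME = datetime(2017, 12, 28, 19, 0)  # constructed: when the sample listing was taken

# Windows inbox minifilters normally present on Windows 10 (partial allowlist; extend for your environment).
KNOWN_FILTERS = {"fileinfo", "wdfilter", "wof", "luafv", "npsvctrig", "wcifs", "filecrypt",
                 "bindflt", "cldflt", "storqosflt"}

FLT_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<volume>\S*)\s+(?P<altitude>\d+)\s+"
                      r"(?P<instance>.+?)\s+\d+\s+(?P<sprtftrs>[0-9A-Fa-f]{8})")
DIR_LINE = re.compile(r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
                      r"(?P<size>[\d,]+)\s+(?P<name>\S+)\s*$")
# Eight lowercase letters or eight uppercase hex digits: the style a practitioner eyeballs as
# machine-generated. On its own it is noisy (hidparse.sys matches too), so it only counts
# together with a size cluster; a fresh timestamp is reported regardless of the name.
RANDOM_NAME = re.compile(r"^(?:[a-z]{8}|[0-9A-F]{8})$")


def parse_fltmc(text):
    """Collapse `fltmc instances` rows into one record per filter driver."""
    filters = {}
    for line in text.splitlines():
        m = FLT_LINE.match(line)
        if not m:
            continue  # header, separator and blank lines never carry a numeric altitude
        rec = filters.setdefault(m["name"], {"altitude": int(m["altitude"]),
                                             "sprtftrs": m["sprtftrs"], "volumes": []})
        rec["volumes"].append(m["volume"] or "(unnamed)")
    return filters


def parse_driver_dir(text):
    """Turn `dir` rows into name/size/mtime records; <DIR> rows have no numeric size and are skipped."""
    files = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if not m:
            continue
        mtime = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M %p")
        files.append({"name": m["name"], "size": int(m["size"].replace(",", "")), "mtime": mtime})
    return files


def suspicious_filters(filters):
    """Every loaded minifilter not on the allowlist, with the reasons it stands out."""
    findings = []
    for name, rec in sorted(filters.items()):
        if name.lower() in KNOWN_FILTERS:
            continue
        reasons = ["not in allowlist"]
        if RANDOM_NAME.match(name):
            reasons.append("random-looking name")
        if rec["sprtftrs"] == "00000000":
            reasons.append("advertises no supported features")
        findings.append((name, rec["altitude"], reasons))
    return findings


def suspicious_drivers(files, scan_time, window=timedelta(days=3)):
    """Driver files written shortly before the scan, or random-named files sharing a size with others."""
    by_size = defaultdict(list)
    for f in files:
        if RANDOM_NAME.match(f["name"].rsplit(".", 1)[0]):
            by_size[f["size"]].append(f["name"])
    findings = []
    for f in files:
        reasons = []
        if scan_time - f["mtime"] <= window:
            reasons.append("written within %d days of the scan" % window.days)
        siblings = by_size.get(f["size"], [])
        if f["name"] in siblings and len(siblings) > 1:
            reasons.append("random-looking name and same size as %d other such file(s)" % (len(siblings) - 1))
        if reasons:
            findings.append((f["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, altitude, reasons in suspicious_filters(parse_fltmc(FLTMC_SAMPLE)):
        print(f"filter {name} @ {altitude}: {', '.join(reasons)}")
    for name, reasons in suspicious_drivers(parse_driver_dir(DIR_SAMPLE), SCAN_TIME):
        print(f"driver {name}: {', '.join(reasons)}")
```

A hit from either list is a lead, not a verdict: an unfamiliar filter can be a legitimate third-party product, so confirm by locating the backing .sys file, checking its Authenticode signature and looking at the service entry that loads it before anything is removed.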


#3 cutaeng (Topic Starter)

Posted 29 December 2017 - 10:08 PM

Hello, thank you for your quick response! Am I still allowed to use my computer for my everyday web browsing stuff?

Here is my log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 26-12-2017
Ran by Megan (29-12-2017 19:02:46) Run:1
Running from C:\Users\Megan\Downloads
Loaded Profiles: Megan (Available Profiles: Megan)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir C:\Windows\system32\drivers
 
*****************
 
 
========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
========= bcdedit.exe /set {default} recoveryenabled yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
========= fltmc instances =========
 
Filter                Volume Name                              Altitude        Instance Name       Frame   SprtFtrs  VlStatus
--------------------  -------------------------------------  ------------  ----------------------  -----   --------  --------
FileInfo                                                         40500     FileInfo                  0     00000007  
FileInfo              C:                                         40500     FileInfo                  0     00000007  
FileInfo                                                         40500     FileInfo                  0     00000007  
FileInfo                                                         40500     FileInfo                  0     00000007  
FileInfo              \Device\HarddiskVolumeShadowCopy13         40500     FileInfo                  0     00000007  Detached
FileInfo              \Device\HarddiskVolumeShadowCopy17         40500     FileInfo                  0     00000007  
FileInfo              \Device\Mup                                40500     FileInfo                  0     00000007  
WdFilter                                                        328010     WdFilter Instance         0     00000007  
WdFilter              C:                                        328010     WdFilter Instance         0     00000007  
WdFilter                                                        328010     WdFilter Instance         0     00000007  
WdFilter                                                        328010     WdFilter Instance         0     00000007  
WdFilter              \Device\HarddiskVolumeShadowCopy13        328010     WdFilter Instance         0     00000007  Detached
WdFilter              \Device\HarddiskVolumeShadowCopy17        328010     WdFilter Instance         0     00000007  
WdFilter              \Device\Mup                               328010     WdFilter Instance         0     00000007  
Wof                   C:                                         40700     Wof Instance              0     00000007  
Wof                                                              40700     Wof Instance              0     00000007  
Wof                                                              40700     Wof Instance              0     00000007  
Wof                   \Device\HarddiskVolumeShadowCopy13         40700     Wof Instance              0     00000007  Detached
Wof                   \Device\HarddiskVolumeShadowCopy17         40700     Wof Instance              0     00000007  
luafv                 C:                                        135000     luafv                     0     00000007  
mzarvkip              C:                                         45666     mzarvkip Instance         0     00000000  
mzarvkip              \Device\Mup                                45666     mzarvkip Instance         0     00000000  
npsvctrig             \Device\NamedPipe                          46000     npsvctrig                 0     00000000  
udiskMgr                                                         45888     udiskMgr Instance         0     00000000  
udiskMgr              C:                                         45888     udiskMgr Instance         0     00000000  
udiskMgr                                                         45888     udiskMgr Instance         0     00000000  
udiskMgr                                                         45888     udiskMgr Instance         0     00000000  
wcifs                 C:                                        189900     wcifs Instance            0     00000007  
 
========= End of CMD: =========
 
 
========= dir C:\Windows\system32\drivers =========
 
 Volume in drive C is OS
 Volume Serial Number is B6DE-E709
 
 Directory of C:\Windows\system32\drivers
 
12/28/2017  06:53 PM    <DIR>          .
12/28/2017  06:53 PM    <DIR>          ..
02/07/2017  01:20 PM             3,143 1028_Dell_INS_7779.mrk
09/29/2017  05:41 AM           237,056 1394ohci.sys
09/29/2017  05:41 AM           107,416 3ware.sys
12/28/2017  01:09 AM           255,928 5632D45E.sys
12/28/2017  03:54 AM           255,928 73375706.sys
09/29/2017  05:41 AM           733,592 acpi.sys
09/29/2017  05:41 AM            20,480 AcpiDev.sys
09/29/2017  05:41 AM           127,896 acpiex.sys
09/29/2017  05:41 AM            12,800 acpipagr.sys
09/29/2017  05:41 AM            14,336 acpipmi.sys
09/29/2017  05:41 AM            13,312 acpitime.sys
09/29/2017  05:41 AM         1,135,512 adp80xx.sys
12/28/2017  06:21 PM           255,928 AF131693.sys
09/29/2017  05:41 AM           614,296 afd.sys
09/29/2017  05:41 AM           108,032 agilevpn.sys
09/29/2017  05:41 AM           240,640 ahcache.sys
09/29/2017  05:41 AM           180,224 amdk8.sys
09/29/2017  05:41 AM           178,176 amdppm.sys
09/29/2017  05:41 AM            83,352 amdsata.sys
09/29/2017  05:41 AM           258,592 amdsbs.sys
09/29/2017  05:41 AM            27,032 amdxata.sys
09/29/2017  05:41 AM           191,008 appid.sys
09/29/2017  05:41 AM            18,432 applockerfltr.sys
09/29/2017  05:41 AM           131,992 arcsas.sys
09/29/2017  05:41 AM            28,160 asyncmac.sys
09/29/2017  05:41 AM            28,568 atapi.sys
09/29/2017  05:41 AM           194,456 ataport.sys
09/29/2017  05:42 AM            60,312 bam.sys
09/29/2017  05:41 AM            58,880 BasicDisplay.sys
11/10/2017  04:47 PM            34,816 BasicRender.sys
09/29/2017  05:41 AM            39,832 battc.sys
09/29/2017  05:41 AM             9,728 bcmfn2.sys
09/29/2017  05:42 AM            10,240 beep.sys
09/29/2017  05:41 AM           101,888 bowser.sys
09/29/2017  05:41 AM           116,736 bridge.sys
09/29/2017  05:41 AM            23,040 BtaMPM.sys
09/29/2017  05:41 AM            45,056 BthAvrcpTg.sys
09/29/2017  05:41 AM           107,008 bthhfenum.sys
09/29/2017  05:41 AM            31,232 BthhfHid.sys
09/29/2017  05:40 AM            67,584 bthmodem.sys
10/24/2017  07:12 PM         1,015,296 bthport.sys
09/29/2017  05:41 AM            85,504 BTHUSB.SYS
09/29/2017  05:41 AM            37,784 bttflt.sys
09/29/2017  05:41 AM            39,424 buttonconverter.sys
09/29/2017  05:41 AM           533,912 bxvbda.sys
09/29/2017  05:40 AM            60,312 CAD.sys
09/29/2017  05:41 AM           122,368 capimg.sys
09/29/2017  05:41 AM            93,184 cdfs.sys
09/29/2017  05:41 AM           159,744 cdrom.sys
09/29/2017  05:41 AM            78,744 CEA.sys
09/29/2017  05:41 AM           141,208 cht4dx64.sys
09/29/2017  05:41 AM           357,272 cht4sx64.sys
09/29/2017  05:41 AM         1,723,288 cht4vx64.sys
09/29/2017  05:40 AM            49,152 circlass.sys
09/29/2017  05:41 AM           403,352 Classpnp.sys
09/29/2017  05:41 AM           384,000 cldflt.sys
11/10/2017  04:47 PM           373,656 clfs.sys
09/29/2017  05:41 AM         1,007,512 ClipSp.sys
09/29/2017  05:41 AM            29,696 CmBatt.sys
09/29/2017  05:41 AM            28,568 cmimcext.sys
11/10/2017  04:47 PM           677,280 cng.sys
09/29/2017  05:41 AM            39,320 cnghwassist.sys
09/29/2017  05:41 AM            55,704 condrv.sys
09/29/2017  05:41 AM            85,912 crashdmp.sys
09/29/2017  05:42 AM            81,304 dam.sys
07/27/2017  09:52 AM            32,960 DDDriver64Dcsa.sys
07/27/2017  09:52 AM            32,568 DellProf.sys
09/29/2017  05:41 AM            45,056 devauthe.sys
09/29/2017  05:41 AM           151,040 dfsc.sys
09/29/2017  05:41 AM            94,104 disk.sys
09/29/2017  05:41 AM            38,808 Diskdump.sys
09/29/2017  05:41 AM            15,360 Dmpusbstor.sys
09/29/2017  05:41 AM            46,592 dmvsc.sys
08/12/2016  05:39 PM            71,232 dptf_acpi.sys
08/12/2016  05:39 PM            66,624 dptf_cpu.sys
09/29/2017  05:40 AM            96,768 drmk.sys
09/29/2017  05:40 AM            16,224 drmkaud.sys
09/29/2017  05:41 AM            35,736 Dumpata.sys
09/29/2017  05:43 AM            91,152 dumpfve.sys
10/24/2017  08:36 PM           187,288 dumpsd.sys
09/29/2017  05:41 AM            32,256 dumpsdport.sys
09/29/2017  05:41 AM            25,600 Dumpstorport.sys
10/24/2017  08:34 PM         2,573,208 dxgkrnl.sys
09/29/2017  05:41 AM           408,096 dxgmms1.sys
09/29/2017  05:41 AM           749,976 dxgmms2.sys
09/29/2017  05:41 AM            87,960 EhStorClass.sys
09/29/2017  05:40 AM           118,680 EhStorTcgDrv.sys
09/29/2017  06:43 AM    <DIR>          en-US
09/29/2017  05:41 AM            13,824 errdev.sys
08/12/2016  05:40 PM           350,272 esif_lf.sys
11/10/2017  05:07 PM    <DIR>          etc
09/29/2017  05:41 AM         3,419,032 evbda.sys
09/29/2017  05:41 AM           354,304 exfat.sys
09/29/2017  05:41 AM           371,608 fastfat.sys
09/29/2017  05:41 AM            32,768 fdc.sys
09/29/2017  05:41 AM            55,808 filecrypt.sys
09/29/2017  05:41 AM            85,400 fileinfo.sys
09/29/2017  05:41 AM            36,864 filetrace.sys
09/29/2017  05:41 AM            26,624 flpydisk.sys
09/29/2017  05:41 AM           398,744 fltMgr.sys
09/29/2017  05:41 AM            62,872 fsdepends.sys
09/29/2017  05:41 AM            34,200 fs_rec.sys
09/29/2017  05:43 AM           727,448 fvevol.sys
09/29/2017  05:41 AM           441,240 FWPKCLNT.SYS
09/29/2017  05:41 AM            20,992 genericusbfn.sys
09/29/2017  05:41 AM         3,440,660 gm.dls
09/29/2017  05:41 AM               646 gmreadme.txt
09/29/2017  05:41 AM             8,192 gpuenergydrv.sys
09/29/2017  05:40 AM            86,016 hdaudbus.sys
09/29/2017  05:41 AM            38,296 hidbatt.sys
09/29/2017  05:41 AM           114,688 hidbth.sys
09/29/2017  05:41 AM           187,392 hidclass.sys
08/15/2016  11:09 PM            54,800 HidEventFilter.sys
09/29/2017  05:41 AM            52,224 hidi2c.sys
09/29/2017  05:41 AM            50,584 hidinterrupt.sys
09/29/2017  05:40 AM            46,592 hidir.sys
09/29/2017  05:41 AM            45,568 hidparse.sys
09/29/2017  05:41 AM            40,960 hidusb.sys
05/24/2016  01:11 PM            30,816 HID_PCI.sys
12/28/2017  07:01 PM            55,232 hitmanpro37.sys
09/29/2017  05:41 AM            63,520 HpSAMD.sys
09/29/2017  05:41 AM         1,103,768 http.sys
09/29/2017  05:41 AM            73,112 hvservice.sys
09/29/2017  05:41 AM           129,432 hvsocket.sys
09/29/2017  05:41 AM            29,592 hwpolicy.sys
09/29/2017  05:41 AM            16,896 hyperkbd.sys
09/29/2017  05:41 AM            28,160 HyperVideo.sys
09/29/2017  05:41 AM           105,984 i8042prt.sys
09/29/2017  05:40 AM            36,864 iagpio.sys
09/29/2017  05:40 AM            91,648 iai2c.sys
09/29/2017  05:40 AM            79,360 iaLPSS2i_GPIO2.sys
09/29/2017  05:40 AM            88,576 iaLPSS2i_GPIO2_BXT_P.sys
09/29/2017  05:40 AM           171,520 iaLPSS2i_I2C.sys
09/29/2017  05:40 AM           174,592 iaLPSS2i_I2C_BXT_P.sys
08/29/2016  08:53 PM           151,352 iaLPSS2_SPI.sys
08/29/2016  08:53 PM           282,424 iaLPSS2_UART2.sys
09/29/2017  05:41 AM            38,128 iaLPSSi_GPIO.sys
09/29/2017  05:40 AM           113,152 iaLPSSi_I2C.sys
09/20/2016  11:04 AM           795,640 iaStorA.sys
09/29/2017  05:41 AM           674,200 iaStorAV.sys
09/29/2017  05:41 AM           412,056 iaStorV.sys
09/29/2017  05:41 AM           526,232 ibbus.sys
04/13/2017  07:26 PM           244,744 ibtusb.sys
09/29/2017  05:41 AM            39,424 IndirectKmd.sys
09/14/2017  02:49 PM           831,008 IntcDAud.sys
09/29/2017  05:41 AM            19,352 intelide.sys
05/16/2016  09:48 PM            18,720 IntelMEFWVer.dll
09/29/2017  05:41 AM           130,640 intelpep.sys
09/29/2017  05:41 AM           198,656 intelppm.sys
09/29/2017  05:41 AM            38,912 invdimm.sys
09/29/2017  05:41 AM            56,728 iorate.sys
09/29/2017  05:41 AM            85,504 ipfltdrv.sys
09/29/2017  05:41 AM            92,056 IPMIDrv.sys
09/29/2017  05:41 AM           214,016 ipnat.sys
09/29/2017  05:41 AM            26,112 ipt.sys
09/29/2017  05:42 AM           119,808 irda.sys
09/29/2017  05:42 AM            19,968 irenum.sys
09/29/2017  05:41 AM            22,936 isapnp.sys
06/05/2016  04:54 PM           140,896 ISH.sys
06/08/2016  05:34 PM            78,432 ISH_BusDriver.sys
09/29/2017  05:41 AM            63,384 kbdclass.sys
09/29/2017  05:41 AM            40,448 kbdhid.sys
09/29/2017  05:41 AM            23,040 kdnic.sys
09/29/2017  05:41 AM           394,752 ks.sys
11/10/2017  04:47 PM           139,672 ksecdd.sys
09/29/2017  05:41 AM           170,904 ksecpkg.sys
09/29/2017  05:41 AM            27,136 ksthunk.sys
12/03/2017  10:46 PM            72,816 lccsiwmj.sys
09/29/2017  05:41 AM            65,024 lltdio.sys
09/29/2017  05:41 AM           108,064 lsi_sas.sys
09/29/2017  05:41 AM           123,800 lsi_sas2i.sys
09/29/2017  05:41 AM           103,320 lsi_sas3i.sys
09/29/2017  05:41 AM            82,840 lsi_sss.sys
10/24/2017  07:04 PM           124,928 luafv.sys
09/29/2017  05:41 AM           505,240 mausbhost.sys
09/29/2017  05:41 AM            55,840 mausbip.sys
11/29/2017  09:11 AM            77,432 mbae64.sys
12/28/2017  06:18 PM           192,952 mbamchameleon.sys
12/28/2017  06:53 PM           253,880 mbamswissarmy.sys
09/29/2017  05:42 AM            23,552 mcd.sys
09/29/2017  05:41 AM            59,800 megasas.sys
09/29/2017  05:41 AM            63,520 MegaSas2i.sys
09/29/2017  05:41 AM           575,896 megasr.sys
09/29/2017  05:41 AM           842,648 mlx4_bus.sys
09/29/2017  05:41 AM            43,520 mmcss.sys
09/29/2017  05:42 AM            42,496 modem.sys
09/29/2017  05:41 AM            38,912 monitor.sys
09/29/2017  05:41 AM            57,240 mouclass.sys
09/29/2017  05:41 AM            32,768 mouhid.sys
09/29/2017  05:41 AM           103,320 mountmgr.sys
09/29/2017  05:41 AM            75,776 mpsdrv.sys
09/29/2017  05:42 AM           143,872 mrxdav.sys
09/29/2017  05:41 AM           496,536 mrxsmb.sys
11/10/2017  04:47 PM           232,344 mrxsmb20.sys
09/29/2017  05:41 AM            31,232 msfs.sys
07/16/2016  03:42 AM                 3 MsftWdf_Kernel_01019_Inbox_Critical.Wdf
07/03/2017  07:46 AM                 0 Msft_Kernel_esif_lf_01011.Wdf
07/03/2017  07:45 AM                 0 Msft_User_esif_umdf2_02_00_00.Wdf
06/30/2017  09:08 PM                 0 Msft_User_WpdFs_01_11_00.Wdf
07/02/2017  10:42 PM                 0 Msft_User_WpdMtpDr_01_11_00.Wdf
09/29/2017  05:41 AM           169,880 msgpioclx.sys
09/29/2017  05:41 AM            49,048 msgpiowin32.sys
09/29/2017  05:41 AM             8,704 mshidkmdf.sys
09/29/2017  05:41 AM            11,776 mshidumdf.sys
09/29/2017  05:41 AM            27,136 mshwnclx.sys
09/29/2017  05:41 AM            18,840 msisadrv.sys
09/29/2017  05:41 AM           279,448 msiscsi.sys
09/29/2017  05:41 AM            33,280 mskssrv.sys
09/29/2017  05:41 AM            84,480 mslldp.sys
09/29/2017  05:41 AM            10,752 mspclock.sys
09/29/2017  05:41 AM            10,752 mspqm.sys
09/29/2017  05:41 AM           376,864 msrpc.sys
09/29/2017  05:41 AM            40,856 mssmbios.sys
09/29/2017  05:41 AM            12,800 mstee.sys
09/29/2017  05:41 AM            16,896 MTConfig.sys
09/29/2017  05:41 AM           123,800 mup.sys
09/29/2017  05:41 AM            63,896 mvumis.sys
09/29/2017  05:41 AM           108,952 ndfltr.sys
09/29/2017  05:41 AM         1,278,872 ndis.sys
09/29/2017  05:42 AM            50,688 ndiscap.sys
09/29/2017  05:41 AM           128,000 NdisImPlatform.sys
09/29/2017  05:41 AM            27,136 ndistapi.sys
09/29/2017  05:41 AM            65,024 ndisuio.sys
09/29/2017  05:41 AM            21,504 NdisVirtualBus.sys
09/29/2017  05:41 AM           192,000 ndiswan.sys
09/29/2017  05:41 AM            62,464 ndproxy.sys
09/29/2017  05:41 AM           124,416 Ndu.sys
09/29/2017  05:41 AM           132,608 NetAdapterCx.sys
09/29/2017  05:41 AM            57,752 netbios.sys
09/29/2017  05:41 AM           316,928 netbt.sys
09/29/2017  05:41 AM           535,960 netio.sys
09/29/2017  05:41 AM           192,512 netvsc.sys
09/29/2017  05:40 AM        13,332,880 Netwfw04.dat
09/29/2017  05:40 AM         7,689,728 Netwtw04.sys
12/03/2017  10:55 PM            72,816 nouzpdir.sys
09/29/2017  05:41 AM            73,216 npfs.sys
09/29/2017  05:41 AM            26,112 npsvctrig.sys
09/29/2017  05:41 AM            44,544 nsiproxy.sys
10/24/2017  08:36 PM         2,400,664 ntfs.sys
09/29/2017  05:41 AM            19,864 ntosext.sys
09/29/2017  05:41 AM             7,168 null.sys
09/29/2017  05:41 AM            88,576 nvdimmn.sys
09/29/2017  05:41 AM           150,424 nvraid.sys
09/29/2017  05:41 AM           166,296 nvstor.sys
05/04/2017  03:19 AM            48,064 nvvad64v.sys
05/04/2017  03:19 AM            57,792 nvvhci.sys
11/10/2017  04:47 PM           529,408 nwifi.sys
09/29/2017  05:41 AM           152,984 pacer.sys
09/29/2017  05:41 AM            98,816 parport.sys
09/29/2017  05:41 AM           165,784 partmgr.sys
09/29/2017  05:41 AM           362,904 pci.sys
09/29/2017  05:41 AM            16,280 pciide.sys
09/29/2017  05:41 AM            53,144 pciidex.sys
09/29/2017  05:40 AM           119,704 pcmcia.sys
09/29/2017  05:41 AM            53,144 pcw.sys
09/29/2017  05:41 AM           123,288 pdc.sys
09/29/2017  05:42 AM           723,968 PEAuth.sys
09/29/2017  05:41 AM            58,776 percsas2i.sys
09/29/2017  05:41 AM            61,848 percsas3i.sys
12/03/2017  10:58 PM            72,816 pkilqjke.sys
09/29/2017  05:41 AM           100,352 pmem.sys
09/29/2017  05:41 AM            16,896 pnpmem.sys
09/29/2017  05:40 AM           379,392 portcls.sys
09/29/2017  05:41 AM           177,152 processr.sys
09/29/2017  05:41 AM            49,152 qwavedrv.sys
09/29/2017  05:41 AM            39,832 ramdisk.sys
09/29/2017  05:41 AM            17,920 rasacd.sys
09/29/2017  05:41 AM           106,496 rasl2tp.sys
09/29/2017  05:41 AM            82,944 raspppoe.sys
09/29/2017  05:41 AM            97,280 raspptp.sys
09/29/2017  05:41 AM            78,336 rassstp.sys
10/24/2017  08:24 PM           428,952 rdbss.sys
09/29/2017  06:43 AM            27,136 rdpbus.sys
09/29/2017  06:43 AM           182,784 rdpdr.sys
09/29/2017  06:43 AM            30,616 rdpvideominiport.sys
09/29/2017  05:42 AM           282,520 rdyboost.sys
09/29/2017  05:41 AM         1,849,752 refs.sys
09/29/2017  05:41 AM           936,856 refsv1.sys
09/29/2017  05:41 AM            43,008 RfxVmt.sys
09/29/2017  05:41 AM           103,936 rhproxy.sys
09/29/2017  05:41 AM           149,504 rmcast.sys
09/29/2017  05:42 AM            35,328 RNDISMP.sys
09/29/2017  05:42 AM            13,312 rootmdm.sys
09/29/2017  05:41 AM            80,896 rspndr.sys
05/18/2017  05:24 PM        12,870,376 RTAIODAT.DAT
09/29/2017  05:41 AM            59,904 rteth.sys
11/10/2017  05:29 PM           110,423 rtkhdasetting.zip
05/18/2017  05:25 PM         5,766,624 RTKVHD64.sys
01/29/2016  03:04 PM             8,236 RTPL.dat
02/02/2016  04:12 PM             8,236 RTPL1.dat
02/23/2016  03:07 PM             8,236 RTPL2.dat
05/12/2017  03:33 PM            17,232 RTSPKPT.dat
05/12/2017  03:33 PM            17,232 RTSPKPT1.dat
05/12/2017  03:33 PM            17,232 RTSPKPT10.dat
05/12/2017  03:33 PM            17,232 RTSPKPT11.dat
05/12/2017  03:33 PM            17,232 RTSPKPT2.dat
05/12/2017  03:33 PM            17,232 RTSPKPT3.dat
05/12/2017  03:33 PM            17,232 RTSPKPT4.dat
05/12/2017  03:33 PM            17,232 RTSPKPT5.dat
05/12/2017  03:33 PM            17,232 RTSPKPT6.dat
05/12/2017  03:33 PM            17,232 RTSPKPT7.dat
05/12/2017  03:33 PM            17,232 RTSPKPT8.dat
05/12/2017  03:33 PM            17,232 RTSPKPT9.dat
08/04/2016  08:09 PM           418,784 RtsUer.sys
10/07/2016  03:43 PM         3,149,832 rtsuvc.sys
05/18/2017  05:25 PM         5,804,772 rtvienna.dat
09/29/2017  05:41 AM           109,976 sbp2port.sys
09/29/2017  05:42 AM            43,008 scfilter.sys
09/29/2017  05:41 AM           118,168 scmbus.sys
09/29/2017  05:42 AM           175,512 scsiport.sys
10/24/2017  08:39 PM           285,080 sdbus.sys
09/29/2017  05:41 AM            33,176 SDFRd.sys
09/29/2017  05:41 AM            97,688 sdport.sys
09/29/2017  05:41 AM            96,664 sdstor.sys
09/29/2017  05:41 AM            74,784 SerCx.sys
09/29/2017  05:41 AM           154,520 SerCx2.sys
09/29/2017  05:41 AM            25,088 serenum.sys
09/29/2017  05:41 AM            84,992 serial.sys
09/29/2017  05:41 AM            28,160 sermouse.sys
09/29/2017  05:41 AM            17,920 sfloppy.sys
09/29/2017  05:41 AM            44,952 sisraid2.sys
09/29/2017  05:41 AM            81,816 sisraid4.sys
09/29/2017  05:41 AM            34,200 SleepStudyHelper.sys
09/29/2017  05:42 AM            21,504 smclib.sys
09/29/2017  05:41 AM           171,416 spacedump.sys
09/29/2017  05:41 AM           571,288 spaceport.sys
09/29/2017  06:43 AM            56,216 SpatialGraphFilter.sys
09/29/2017  05:41 AM            81,816 SpbCx.sys
11/10/2017  04:47 PM           422,912 srv.sys
11/10/2017  04:47 PM           726,016 srv2.sys
09/29/2017  05:41 AM           258,560 srvnet.sys
09/29/2017  05:41 AM            31,128 stexstor.sys
09/29/2017  05:41 AM           149,400 storahci.sys
09/29/2017  05:41 AM           103,320 stornvme.sys
10/24/2017  08:32 PM           559,512 storport.sys
09/29/2017  05:41 AM            79,872 storqosflt.sys
10/24/2017  08:31 PM            45,464 storufs.sys
09/29/2017  05:41 AM            39,320 storvsc.sys
09/29/2017  05:42 AM            75,264 stream.sys
09/29/2017  05:41 AM            18,328 swenum.sys
09/29/2017  05:41 AM            64,512 Synth3dVsc.sys
07/02/2017  03:38 AM            27,136 tap0901.sys
09/29/2017  05:42 AM            31,232 tape.sys
09/29/2017  05:41 AM            28,056 tbs.sys
09/29/2017  05:41 AM         2,773,400 tcpip.sys
09/29/2017  05:41 AM            51,712 tcpipreg.sys
09/29/2017  05:41 AM            40,344 tdi.sys
09/29/2017  05:41 AM           121,240 tdx.sys
04/14/2016  02:37 AM           202,848 TeeDriverW8x64.sys
09/29/2017  06:43 AM            37,272 terminpt.sys
09/29/2017  05:41 AM           128,408 tm.sys
09/29/2017  05:41 AM           229,272 tpm.sys
09/29/2017  05:41 AM            62,976 TsUsbFlt.sys
09/29/2017  05:41 AM            35,328 TsUsbGD.sys
09/29/2017  05:41 AM           106,496 tunnel.sys
09/29/2017  05:41 AM            79,256 uaspstor.sys
10/24/2017  07:16 PM           114,688 UcmCx.sys
09/29/2017  05:41 AM           146,944 UcmTcpciCx.sys
11/10/2017  04:47 PM            57,344 UcmUcsi.sys
09/29/2017  05:41 AM           227,224 Ucx01000.sys
09/29/2017  05:41 AM            45,056 Udecx.sys
09/29/2017  05:42 AM           323,072 udfs.sys
09/29/2017  05:41 AM            28,568 uefi.sys
09/29/2017  05:41 AM           266,648 ufx01000.sys
09/29/2017  05:41 AM            97,312 UfxChipidea.sys
09/29/2017  05:41 AM           140,696 ufxsynopsys.sys
09/29/2017  05:41 AM            56,320 umbus.sys
11/29/2017  11:05 AM    <DIR>          UMDF
09/29/2017  05:41 AM            14,336 umpass.sys
09/29/2017  05:41 AM            28,568 urschipidea.sys
11/10/2017  04:47 PM            60,824 urscx01000.sys
09/29/2017  05:41 AM            27,544 urssynopsys.sys
09/29/2017  05:41 AM            23,040 usb8023.sys
12/21/2016  12:20 PM            54,784 usbaapl64.sys
09/29/2017  05:42 AM            37,376 USBCAMD2.sys
09/29/2017  05:41 AM           168,856 usbccgp.sys
09/29/2017  05:40 AM           102,912 usbcir.sys
09/29/2017  05:41 AM            32,152 usbd.sys
09/29/2017  05:41 AM            95,640 usbehci.sys
09/29/2017  05:41 AM           513,944 usbhub.sys
10/24/2017  08:30 PM           555,416 USBHUB3.SYS
09/29/2017  05:41 AM            30,720 usbohci.sys
09/29/2017  05:41 AM           454,040 usbport.sys
09/29/2017  05:41 AM            27,136 usbprint.sys
09/29/2017  05:41 AM            71,680 usbser.sys
09/29/2017  05:41 AM           130,968 USBSTOR.SYS
09/29/2017  05:41 AM            35,328 usbuhci.sys
09/29/2017  05:41 AM           437,656 USBXHCI.SYS
12/28/2017  06:52 PM           142,136 usnmptwz.sys
09/29/2017  05:41 AM            54,680 vdrvroot.sys
09/29/2017  05:41 AM           225,688 VerifierExt.sys
09/29/2017  05:41 AM           713,624 vhdmp.sys
09/29/2017  05:41 AM            34,816 vhf.sys
09/29/2017  05:41 AM            44,544 videoprt.sys
03/31/2017  07:02 PM            41,992 VirtualButtons.sys
09/29/2017  05:41 AM            81,304 vmbkmcl.sys
09/29/2017  05:41 AM            80,384 vmbkmclr.sys
09/29/2017  05:41 AM           109,976 vmbus.sys
09/29/2017  05:41 AM            25,088 VMBusHID.sys
09/29/2017  05:41 AM            13,312 vmgencounter.sys
09/29/2017  05:41 AM            10,240 vmgid.sys
09/29/2017  05:41 AM             9,216 vms3cap.sys
09/29/2017  05:41 AM            47,512 vmstorfl.sys
09/29/2017  05:41 AM            43,008 vnvdimm.sys
09/29/2017  05:41 AM            83,864 volmgr.sys
09/29/2017  05:41 AM           373,144 volmgrx.sys
09/29/2017  05:42 AM           401,304 volsnap.sys
09/29/2017  05:41 AM            15,392 volume.sys
09/29/2017  05:41 AM            75,160 vpci.sys
09/29/2017  05:41 AM           166,808 vsmraid.sys
09/29/2017  05:41 AM           305,560 VSTXRAID.SYS
09/29/2017  05:42 AM            27,136 vwifibus.sys
09/29/2017  05:42 AM            76,800 vwififlt.sys
09/29/2017  05:42 AM            40,448 vwifimp.sys
09/29/2017  05:41 AM            30,720 wacompen.sys
09/29/2017  05:41 AM            80,896 wanarp.sys
09/29/2017  05:41 AM            56,320 watchdog.sys
10/24/2017  08:32 PM           147,864 wcifs.sys
09/29/2017  05:41 AM            76,288 wcnfs.sys
12/16/2017  06:18 PM    <DIR>          wd
09/29/2017  05:41 AM            44,608 WdBoot.sys
09/29/2017  05:41 AM           918,240 Wdf01000.sys
09/29/2017  05:41 AM           309,144 WdFilter.sys
09/29/2017  05:41 AM            61,664 WdfLdr.sys
09/29/2017  05:42 AM           770,048 WdiWiFi.sys
09/29/2017  05:41 AM           119,192 WdNisDrv.sys
09/29/2017  05:41 AM            33,792 wdnsfltr.sys
09/29/2017  05:41 AM            45,464 werkernel.sys
09/29/2017  05:41 AM           163,736 wfplwfs.sys
09/29/2017  05:41 AM            35,736 wimmount.sys
09/29/2017  05:41 AM            71,248 WindowsTrustedRT.sys
09/29/2017  05:41 AM            18,000 WindowsTrustedRTProxy.sys
09/29/2017  05:41 AM            31,640 winhv.sys
09/29/2017  05:41 AM            62,464 winhvr.sys
09/29/2017  05:41 AM            32,152 winmad.sys
09/29/2017  05:41 AM           225,280 winnat.sys
09/29/2017  05:41 AM            92,672 winusb.sys
09/29/2017  05:41 AM            64,920 winverbs.sys
09/29/2017  05:41 AM            18,432 wmiacpi.sys
09/29/2017  05:41 AM            20,376 wmilib.sys
09/29/2017  05:41 AM           209,304 wof.sys
09/29/2017  05:41 AM            30,104 WpdUpFltr.sys
09/29/2017  05:41 AM            33,176 WppRecorder.sys
09/29/2017  05:42 AM            23,040 ws2ifsl.sys
09/29/2017  05:41 AM            23,040 WSDPrint.sys
09/29/2017  05:41 AM            25,088 WSDScan.sys
09/29/2017  05:41 AM           115,200 WUDFPf.sys
09/29/2017  05:41 AM           259,584 WUDFRd.sys
09/29/2017  05:41 AM           281,600 xboxgip.sys
09/29/2017  05:41 AM            46,592 xinputhid.sys
             446 File(s)    128,872,787 bytes
               6 Dir(s)  744,422,174,720 bytes free
 
========= End of CMD: =========
 
 
==== End of Fixlog 19:03:01 ====
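A way to triage a driver listing like the one in this fixlog, written here as an added example that is not part of the thread or of FRST: it parses `dir`-style lines, treats the most common file date as the OS build batch, and reports driver names of eight lowercase letters that share both size and date with another such name (high confidence) or that merely fall outside the baseline date (manual review). The eight-letter rule and the sample lines are constructed from the listing above and are assumptions, not the helper's own criteria.

```python
"""Triage a ``dir`` listing of System32\\drivers for machine-looking driver names.

Added example, not part of the thread or of FRST.  The name heuristic and the
sample listing are constructed from the fixlog above and are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# One line of ``dir`` output: date, time, size (or <DIR>), name.
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>\S.*)$"
)
# Heuristic (assumption): eight lowercase ASCII letters with a .sys suffix.
# Legitimate drivers match too (hdaudbus.sys, rdyboost.sys), so the name
# test is only combined with the size/date evidence below.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.sys$")

# Constructed sample: a handful of lines in the shape of the fixlog listing.
SAMPLE_LISTING = """
09/29/2017  05:41 AM           398,744 fltMgr.sys
09/29/2017  05:40 AM            86,016 hdaudbus.sys
09/29/2017  05:41 AM           187,392 hidclass.sys
09/29/2017  06:43 AM    <DIR>          en-US
12/03/2017  10:46 PM            72,816 lccsiwmj.sys
12/03/2017  10:55 PM            72,816 nouzpdir.sys
12/03/2017  10:58 PM            72,816 pkilqjke.sys
12/28/2017  06:18 PM           192,952 mbamchameleon.sys
12/28/2017  06:53 PM           253,880 mbamswissarmy.sys
12/28/2017  06:52 PM           142,136 usnmptwz.sys
09/29/2017  05:42 AM           282,520 rdyboost.sys
09/29/2017  05:41 AM           149,400 storahci.sys
10/24/2017  08:36 PM         2,400,664 ntfs.sys
09/29/2017  05:41 AM         2,773,400 tcpip.sys
             446 File(s)    128,872,787 bytes
               6 Dir(s)  744,422,174,720 bytes free
"""


def parse_dir_listing(text):
    """Return (name, size_in_bytes, date) for every file line; skip <DIR> and summary lines."""
    entries = []
    for raw in text.splitlines():
        m = DIR_LINE.match(raw.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        size = int(m.group("size").replace(",", ""))
        date = datetime.strptime(m.group("date"), "%m/%d/%Y").date()
        entries.append((m.group("name"), size, date))
    return entries


def triage_drivers(text):
    """Flag .sys files by name heuristic plus size/date clustering.

    Returns the baseline (most common) driver date, the random-looking names
    that share both size and date with another random-looking name
    ("clustered", high confidence), and the random-looking names that merely
    fall outside the baseline date ("recent_random", manual review only).
    """
    drivers = [e for e in parse_dir_listing(text) if e[0].lower().endswith(".sys")]
    if not drivers:
        return {"baseline_date": None, "clustered": [], "recent_random": []}
    # Most drivers carry the OS build/update timestamp; treat it as the baseline.
    baseline = Counter(date for _, _, date in drivers).most_common(1)[0][0]
    groups = defaultdict(list)
    for name, size, date in drivers:
        if RANDOM_NAME.match(name):
            groups[(size, date)].append(name)
    clustered, recent_random = [], []
    for (_, date), names in groups.items():
        if len(names) >= 2:
            clustered.extend(names)
        elif date != baseline:
            recent_random.extend(names)
    return {
        "baseline_date": baseline.isoformat(),
        "clustered": sorted(clustered),
        "recent_random": sorted(recent_random),
    }


if __name__ == "__main__":
    report = triage_drivers(SAMPLE_LISTING)
    print("baseline driver date:", report["baseline_date"])
    print("same size + same date, random-looking names:", report["clustered"])
    print("random-looking names outside the baseline date:", report["recent_random"])
```

On the sample, the review-only tier flags usnmptwz.sys, created on 12/28 within minutes of the Malwarebytes drivers; security tools can also load randomly named drivers, which is why that tier is for review rather than action.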


#4 cutaeng
  • Topic Starter
  • Members
  • 15 posts
  • Local time:06:51 PM

Posted 30 December 2017 - 01:09 AM

Hello again, I had to force restart my computer a few minutes ago because it had been frozen for about 25 minutes. When it rebooted, I got a black screen that gave me boot options. I picked Windows 10, it led me to a screen that said something like "Looks like Windows didn't load correctly, you can either try again or see advanced options" so I tried again, which gave me the black screen again. But this time when I picked Windows 10, my computer booted up normally and I am using it to post this comment.

 

Please let me know if you need any of the tests redone because of this. Sorry!



#5 Aura
  • Bleepin' Special Ops
  • Malware Response Team
  • 19,664 posts
  • Gender:Male
  • Local time:09:51 PM

Posted 30 December 2017 - 12:55 PM

For the next steps, you'll need to download FRST64.exe and the fixlist.txt from a clean computer and move them onto a USB Flash Drive. That USB can only be inserted in the infected computer once it is either shut down or in the Windows RE. Otherwise, the infection will mess with the files on the USB and you'll have to re-download them.

Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan
Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

Item(s) required:
  • USB Flash Drive (size depends on whether you have to create a USB Recovery or Installation media)
  • CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)
  • Another computer (optional: only needed if you cannot work from the infected computer directly)
Preparing the USB Flash Drive
  • Download the right version of FRST for your system:
  • Move the executable (FRST.exe or FRST64.exe) onto your USB Flash Drive
  • Download the attached fixlist.txt, and move it onto your USB Flash Drive as well
Boot in the Recovery Environment
  • Plug your USB Flash Drive in the infected computer
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press on Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.
Once in the command prompt
  • In the command prompt, type notepad and press on Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Fix button and wait for the scan to complete
  • A log called fixlog.txt will be saved on your USB Flash Drive. Attach it in your next reply


Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#6 cutaeng
  • Topic Starter
  • Members
  • 15 posts
  • Local time:06:51 PM

Posted 01 January 2018 - 10:50 PM

Attached File  Fixlog.txt   2.82KB   16 downloads

Sorry for the late reply - happy new year! I have attached my fix log to this reply.



#7 Aura
  • Bleepin' Special Ops
  • Malware Response Team
  • 19,664 posts
  • Gender:Male
  • Local time:09:51 PM

Posted 02 January 2018 - 01:38 PM

No problem cutaeng, Happy New Year to you as well :) It seems like you didn't run the fix in the RE though, but in Safe Mode. Can you try again?
Boot Mode: Safe Mode (minimal)



#8 cutaeng
  • Topic Starter
  • Members
  • 15 posts
  • Local time:06:51 PM

Posted 02 January 2018 - 10:11 PM

Oh gosh, I'm sorry. I misread the tutorial completely... However, I ended up getting to the command prompt in WRE, but it said that the version of FRST wasn't compatible with this version of Windows. I tried the 32 and 64 version. Any ideas? :(

#9 Aura
  • Bleepin' Special Ops
  • Malware Response Team
  • 19,664 posts
  • Gender:Male
  • Local time:09:51 PM

Posted 03 January 2018 - 08:08 AM

This is most likely because you either downloaded FRST from the infected computer, or plugged in the USB with FRST on it in the infected computer while you were still under Windows. In that case, you'll have to redownload FRST (you need the 64-bit version), move it onto your USB, and try again.



#10 cutaeng
  • Topic Starter
  • Members
  • 15 posts
  • Local time:06:51 PM

Posted 03 January 2018 - 06:45 PM

Oh jeez, my bad. I'm pretty sure I did the correct thing this time... Log attached.

 

Thank you for your patience!!! 

 

Attached File  Fixlog.txt   1.97KB   8 downloads



#11 Aura
  • Bleepin' Special Ops
  • Malware Response Team
  • 19,664 posts
  • Gender:Male
  • Local time:09:51 PM

Posted 03 January 2018 - 07:00 PM

You did! :) Now, you should be able to install and run a scan with Malwarebytes.

Malwarebytes - Clean Mode
  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run; the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply



#12 cutaeng
  • Topic Starter
  • Members
  • 15 posts
  • Local time:06:51 PM

Posted 03 January 2018 - 07:51 PM

I already had Malwarebytes installed, so I went to update and run a scan, but once the scan started it didn't go anywhere, just hung at 0%. I closed it and restarted my computer to see if it would help, but now I am stuck at the Dell BIOS loading screen... I see the Dell logo and the loading icon. No "please wait" or _% completed or anything. It's been loading for an incredibly long time. Hopefully I didn't do anything to cause this? :/

EDIT: NEVER MIND! I got in finally and Malwarebytes is running its scan right now. It seems to be stuck at 0% still, but I will be patient this time.

Edited by cutaeng, 03 January 2018 - 08:03 PM.


#13 cutaeng
  • Topic Starter
  • Members
  • 15 posts
  • Local time:06:51 PM

Posted 03 January 2018 - 08:31 PM

Here is what I got from MBM:

 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 1/3/18
Scan Time: 5:23 PM
Log File: ea49d61e-f0ed-11e7-b7bd-00fffa397102.json
Administrator: Yes
 
-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3618
License: Free
 
-System Information-
OS: Windows 10 (Build 16299.125)
CPU: x64
File System: NTFS
User: DESKTOP-52TD2ON\Megan
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 293804
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 5 min, 5 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)


#14 Aura
  • Bleepin' Special Ops
  • Malware Response Team
  • 19,664 posts
  • Gender:Male
  • Local time:09:51 PM

Posted 04 January 2018 - 08:02 AM

Good :) Now let's do a sweep with RogueKiller and AdwCleaner.

RogueKiller
  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply
AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply
Your next reply(ies) should therefore contain:
  • Copy/pasted RogueKiller clean log
  • Copy/pasted AdwCleaner clean log



#15 cutaeng
  • Topic Starter
  • Members
  • 15 posts
  • Local time:06:51 PM

Posted 04 January 2018 - 03:54 PM

RogueKiller V12.11.31.0 (x64) [Jan  2 2018] (Free) by Adlice Software

 
Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : Megan [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 01/04/2018 12:00:31 (Duration : 00:44:02)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 5 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1476650472-3548292237-2988209075-1001\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1476650472-3548292237-2988209075-1001\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1476650472-3548292237-2988209075-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1476650472-3548292237-2988209075-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{73a5ab19-5ed3-44f1-89c5-843114149284} | DhcpNameServer : 172.51.1.171 ([United States])  -> Replaced ()
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 2 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://tumblr.com/] -> Deleted
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://twitter.com/] -> Deleted
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM035-1RK172 +++++
--- User ---
[MBR] 4ed3271884adac219be2ef7b1fbb1d92
[BSP] de44ba731caf156f6a0ea2bd11d60104 : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1026048 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 1288192 | Size: 940874 MB
3 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1928200192 | Size: 840 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1929920512 | Size: 10416 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1951254528 | Size: 1108 MB
User = LL1 ... OK
User = LL2 ... OK
 
---
 
# AdwCleaner 7.0.6.0 - Logfile created on Thu Jan 04 20:49:53 2018
# Updated on 2017/21/12 by Malwarebytes 
# Running on Windows 10 Home (X64)
# Mode: clean
 
***** [ Services ] *****
 
No malicious services deleted.
 
***** [ Folders ] *****
 
No malicious folders deleted.
 
***** [ Files ] *****
 
No malicious files deleted.
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
No malicious tasks deleted.
 
***** [ Registry ] *****
 
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost|AdsServiceGroup
Deleted: [Key] - HKU\S-1-5-21-1476650472-3548292237-2988209075-1001\Software\SetupCompany
Deleted: [Key] - HKCU\Software\SetupCompany
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost|AdsServiceGroup
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries deleted.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries deleted.
 
*************************
 
::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0
 
 
 
*************************
 
C:/AdwCleaner/AdwCleaner[S0].txt - [1297 B] - [2018/1/4 20:48:41]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########




