
Trojan DNS Changer, PUP.WinResSync. stuck after multiple scans Win 8.1


This topic is locked
32 replies to this topic

#1 CaptainFistula (Members, 13 posts)

Posted 21 February 2018 - 08:03 PM

Hi Team,

I've scanned with several programs including Malwarebytes with Rootkits, as well as AdwCleaner, as well as trying Windows updates. My latest results include:

Trojan.DNSChanger.ACMB2

Trojan.ProxyAgent

Pup.Optional.OnlineIO

PUP.Optional.WinResSync.Generic

Generic DNS Unlocker

Attached FRST LOG: HELP?!

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21.02.2018
Ran by Allison Lewski (administrator) on ALLISON (21-02-2018 17:58:40)
Running from G:\Downloads Firefox
Loaded Profiles: Allison Lewski (Available Profiles: Allison Lewski)
Platform: Windows 8.1 Pro (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(TOSHIBA CORPORATION) C:\Windows\System32\iaoterwsvc.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(Hi-Rez Studios) C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
(AMD) C:\Windows\System32\atieclxx.exe
(HP) C:\Windows\System32\HPSIsvc.exe
() C:\Program Files (x86)\EVGA Precision X\EVGAPrecision.exe
(Spotify Ltd) C:\Users\Allison Lewski\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Spotify Ltd) C:\Users\Allison Lewski\AppData\Roaming\Spotify\SpotifyWebHelper.exe
() C:\Users\Allison Lewski\AppData\Local\atbmxhd\atbmxhd.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
() C:\Users\Allison Lewski\AppData\Local\aumvxot\vdhzswo.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17709_none_fa7932f59afc2e40\TiWorker.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
() C:\Users\Allison Lewski\AppData\Local\atbmxhd\upctzrn.exe
() C:\Users\Allison Lewski\AppData\Local\atbmxhd\upctzrn.exe
() C:\Users\Allison Lewski\AppData\Local\atbmxhd\upctzrn.exe
() C:\Users\Allison Lewski\AppData\Local\atbmxhd\upctzrn.exe
() C:\Users\Allison Lewski\AppData\Local\atbmxhd\upctzrn.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [WindowsDefender] => "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\Run: [Discord] => C:\Users\Allison Lewski\AppData\Local\Discord\app-0.0.300\Discord.exe [57821176 2018-01-08] (Discord Inc.)
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\Run: [Spotify] => C:\Users\Allison Lewski\AppData\Roaming\Spotify\Spotify.exe [21325200 2018-02-15] (Spotify Ltd)
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\Run: [Spotify Web Helper] => C:\Users\Allison Lewski\AppData\Roaming\Spotify\SpotifyWebHelper.exe [780688 2018-02-15] (Spotify Ltd)
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\MountPoints2: {363fbe9e-03f4-11e8-8381-bcaec5b71406} - "F:\SISetup.exe"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\MountPoints2: {dddef49f-0b76-11e8-838c-bcaec5b71406} - "F:\setup.exe"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [589312 2014-10-28] (Microsoft Corporation)
Startup: C:\Users\Allison Lewski\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Twitch.lnk [2018-02-07]
ShortcutTarget: Twitch.lnk -> C:\Users\Allison Lewski\AppData\Roaming\Twitch\Bin\Twitch.exe (Twitch Interactive, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 24.116.0.53 24.116.2.50
Tcpip\..\Interfaces\{bbed3e08-0b41-11e3-8249-806e6f6e6963}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{F1F654A3-A9BF-44A6-A7A2-284E70B811F8}: [DhcpNameServer] 24.116.0.53 24.116.2.50

Internet Explorer:
==================

FireFox:
========
FF DefaultProfile: 4lefnmm5.default
FF ProfilePath: C:\Users\Allison Lewski\AppData\Roaming\Mozilla\Firefox\Profiles\4lefnmm5.default [2018-02-21]
FF Extension: (uBlock Origin) - C:\Users\Allison Lewski\AppData\Roaming\Mozilla\Firefox\Profiles\4lefnmm5.default\Extensions\uBlock0@raymondhill.net.xpi [2018-02-20]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_27_0_0_183.dll [2017-10-25] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_27_0_0_183.dll [2017-10-25] ()
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2018-02-11] (Adobe Systems Inc.)
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\secure_cert.js [2018-02-19]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

HKLM\SYSTEM\CurrentControlSet\Services\magxso <==== ATTENTION (Rootkit!)

S2 EasyAntiCheat; C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe [526888 2018-01-06] (EasyAntiCheat Ltd)
U2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9728 2018-02-19] (Hi-Rez Studios) [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-12] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-12] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 amdkmafd; C:\Windows\System32\drivers\amdkmafd.sys [21160 2012-09-22] (Advanced Micro Devices, Inc.)
S3 athur; C:\Windows\system32\DRIVERS\athuwbx.sys [2702336 2017-03-11] (Qualcomm Atheros Communications, Inc.)
S3 cpuz140; C:\Users\Allison Lewski\AppData\Local\Temp\cpuz140\cpuz140_x64.sys [45888 2017-11-19] (CPUID) <==== ATTENTION
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [131984 2017-05-18] (Samsung Electronics Co., Ltd.)
R0 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2018-02-21] (Malwarebytes)
R3 MTsensor; C:\Windows\system32\DRIVERS\ASACPI.sys [17280 2013-05-17] ()
S3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2010-03-05] (Marvell Semiconductor, Inc.)
R3 RTCore64; C:\Program Files (x86)\EVGA Precision X\RTCore64.sys [15176 2013-07-17] ()
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (Samsung Electronics Co., Ltd.)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [46600 2017-02-10] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [274776 2017-01-12] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [117592 2017-01-12] (Microsoft Corporation)
S4 beeeii; system32\drivers\vyyybb.sys [X]
S4 dlidxfht; \??\C:\Windows\system32\drivers\dlidxfht.sys [X]
R3 ehloru; system32\drivers\loruyb.sys [X]
S4 ElbyCDIO; System32\Drivers\ElbyCDIO.sys [X]
S3 GPU-Z; \??\C:\Users\ALLISO~1\AppData\Local\Temp\GPU-Z.sys [X] <==== ATTENTION
S4 MpKslefafb96f; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8BE8D72B-BC39-47A7-AD65-2323D37EE158}\MpKslefafb96f.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-02-21 17:58 - 2018-02-21 17:58 - 000000000 ____D C:\FRST
2018-02-21 17:21 - 2018-02-21 17:21 - 000143184 ____N C:\Windows\system32\Drivers\pwiadhkn.sys
2018-02-21 17:20 - 2018-02-21 17:23 - 000253880 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-02-21 11:43 - 2018-02-21 17:10 - 000025600 ___SH C:\Users\Allison Lewski\Documents\Thumbs.db
2018-02-21 11:35 - 2018-02-21 11:35 - 000000000 ____D C:\Windows\system32\appraiser
2018-02-21 11:23 - 2017-12-12 06:10 - 000875688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcr120_clr0400.dll
2018-02-21 11:23 - 2017-12-12 06:10 - 000536744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcp120_clr0400.dll
2018-02-21 11:23 - 2017-12-12 06:07 - 000869544 _____ (Microsoft Corporation) C:\Windows\system32\msvcr120_clr0400.dll
2018-02-21 11:23 - 2017-12-12 06:07 - 000678568 _____ (Microsoft Corporation) C:\Windows\system32\msvcp120_clr0400.dll
2018-02-21 11:23 - 2016-10-20 06:14 - 000029888 _____ (Microsoft Corporation) C:\Windows\system32\aspnet_counters.dll
2018-02-21 11:23 - 2016-10-20 06:10 - 000028352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aspnet_counters.dll
2018-02-21 11:19 - 2018-01-21 04:09 - 000145080 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2018-02-21 11:19 - 2018-01-20 23:13 - 001994752 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2018-02-21 11:19 - 2018-01-20 23:13 - 001569280 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2018-02-21 11:19 - 2018-01-20 23:13 - 000749568 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2018-02-21 11:19 - 2018-01-20 23:13 - 000654336 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2018-02-21 11:19 - 2018-01-20 23:13 - 000604672 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2018-02-21 11:19 - 2018-01-20 23:13 - 000450048 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2018-02-21 11:19 - 2018-01-20 23:13 - 000378880 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2018-02-21 11:19 - 2018-01-20 23:13 - 000262144 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2018-02-21 11:19 - 2018-01-20 23:13 - 000236544 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2018-02-21 11:19 - 2018-01-01 22:28 - 000013312 _____ (Microsoft Corporation) C:\Windows\system32\pcalua.exe
2018-02-21 11:19 - 2018-01-01 21:16 - 000464384 _____ (Microsoft Corporation) C:\Windows\system32\pcasvc.dll
2018-02-21 10:51 - 2018-02-21 10:51 - 000001453 _____ C:\Users\Allison Lewski\Desktop\firefox - Shortcut.lnk
2018-02-21 10:14 - 2018-02-21 10:14 - 000012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2018-02-21 10:14 - 2018-02-21 10:14 - 000001962 _____ C:\Windows\system32\.crusader
2018-02-21 10:14 - 2018-02-21 10:14 - 000001314 _____ C:\Windows\system32\bootdelete.lst
2018-02-21 10:10 - 2018-02-21 10:14 - 000000000 ____D C:\ProgramData\HitmanPro
2018-02-21 10:10 - 2018-02-21 10:10 - 000055232 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2018-02-20 18:32 - 2018-02-20 18:32 - 000000003 _____ C:\Users\Allison\HRUPPROG.TXT
2018-02-20 18:32 - 2018-02-20 18:32 - 000000003 _____ C:\Users\Allison\HRUPPROG.EXIT
2018-02-20 18:32 - 2018-02-20 18:32 - 000000000 ____D C:\Users\Allison
2018-02-20 16:16 - 2018-02-20 16:16 - 000000000 ____D C:\Users\Allison Lewski\AppData\Roaming\.mono
2018-02-20 16:16 - 2018-02-20 16:16 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\Colossal Order
2018-02-20 16:16 - 2018-02-20 16:16 - 000000000 ____D C:\ProgramData\.mono
2018-02-20 11:40 - 2018-02-20 11:40 - 000003504 _____ C:\Users\Allison Lewski\Desktop\MWB log 1.txt
2018-02-20 11:06 - 2018-02-20 11:06 - 000001157 _____ C:\Users\Allison Lewski\Desktop\adwcleaner_7.0.8.0 - Shortcut.lnk
2018-02-20 11:02 - 2018-02-20 11:39 - 000000000 ____D C:\AdwCleaner
2018-02-20 10:40 - 2018-02-21 17:22 - 002888704 _____ (TOSHIBA CORPORATION) C:\Windows\system32\iaoterwsvc.exe
2018-02-19 19:26 - 2018-02-21 17:22 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-02-19 18:39 - 2018-02-19 18:39 - 000000000 ____D C:\Windows\pss
2018-02-19 18:20 - 2018-02-21 14:44 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\sinkdzx
2018-02-19 18:18 - 2018-02-21 17:23 - 000002090 _____ C:\Users\Allison Lewski\Desktop\Rkill.txt
2018-02-19 18:17 - 2018-02-21 17:55 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\atbmxhd
2018-02-19 18:17 - 2018-02-19 18:20 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\aumvxot
2018-02-19 18:16 - 2018-02-19 19:44 - 002888704 ____R C:\Windows\system32\iaoterwsvcf.exe
2018-02-19 18:16 - 2018-02-19 18:16 - 000000012 _____ C:\Windows\b61275733
2018-02-19 18:16 - 2018-02-19 18:16 - 000000000 ____D C:\Windows\SysWOW64\rtepdnv
2018-02-19 18:16 - 2018-02-19 18:16 - 000000000 ____D C:\Windows\system32\rtepdnv
2018-02-19 18:16 - 2018-02-19 18:16 - 000000000 ____D C:\Users\Allison Lewski\AppData\Roaming\et
2018-02-19 18:12 - 2018-02-19 18:12 - 001286144 _____ C:\Windows\d73a5bce2d40b3acebc67264591a1f4e.dll
2018-02-19 08:51 - 2018-02-19 08:51 - 000041210 _____ C:\Windows\uninstaller.dat
2018-02-18 17:55 - 2018-02-18 17:55 - 000000218 _____ C:\Users\Allison Lewski\AppData\Local\recently-used.xbel
2018-02-11 16:14 - 2018-02-11 16:14 - 000000000 ____D C:\ProgramData\Twitch
2018-02-09 13:02 - 2018-02-09 13:02 - 000000000 ____D C:\Users\Allison Lewski\AppData\LocalLow\AMD
2018-02-08 16:48 - 2018-02-08 16:48 - 000001368 _____ C:\Users\Allison Lewski\Desktop\Sid Meiers Civilization VI Rise and Fall.lnk
2018-02-08 16:48 - 2018-02-08 16:48 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sid Meiers Civilization VI Rise and Fall
2018-02-08 16:44 - 2018-02-08 16:44 - 000000000 ____D C:\Games
2018-02-08 07:37 - 2018-02-08 07:37 - 000000000 ___HD C:\ProgramData\CanonBJ
2018-02-07 08:24 - 2018-02-19 18:37 - 000000000 ____D C:\Users\Allison Lewski\AppData\Roaming\Twitch
2018-02-07 07:53 - 2018-02-07 07:53 - 000000849 _____ C:\Users\Public\Desktop\World of Warcraft.lnk
2018-02-07 07:53 - 2018-02-07 07:53 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft
2018-02-06 12:48 - 2018-02-06 13:45 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\AMD
2018-02-06 12:48 - 2018-02-06 12:48 - 000004234 _____ C:\Windows\System32\Tasks\AMD Updater
2018-02-06 12:48 - 2018-02-06 12:48 - 000000000 ____D C:\Program Files\Common Files\ATI Technologies
2018-02-06 12:47 - 2018-02-06 12:47 - 000000000 ____D C:\Program Files (x86)\VulkanRT
2018-02-06 12:47 - 2017-07-04 15:38 - 009446336 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiumd64.dll
2018-02-06 12:47 - 2017-07-04 15:38 - 007663888 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdag.dll
2018-02-06 12:47 - 2017-07-04 15:38 - 000522632 _____ C:\Windows\system32\GameManager64.dll
2018-02-06 12:47 - 2017-07-04 15:38 - 000207760 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiuxp64.dll
2018-02-06 12:47 - 2017-07-04 15:38 - 000185088 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiu9p64.dll
2018-02-06 12:47 - 2017-07-04 15:38 - 000161344 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiuxpag.dll
2018-02-06 12:47 - 2017-07-04 15:38 - 000143864 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiu9pag.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 015728008 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\aticaldd64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 014318984 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticaldd.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 013254256 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdva.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 012574408 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atidxx64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 010444400 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atidxx32.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 001654880 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\aticfx64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 001507720 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atiadlxx.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 001347952 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\aticfx32.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 001032072 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxy.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 001032072 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxx.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000768904 _____ (AMD) C:\Windows\system32\atieclxx.exe
2018-02-06 12:47 - 2017-07-04 15:37 - 000544136 _____ (AMD) C:\Windows\system32\atitmm64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000543112 _____ C:\Windows\system32\dgtrayicon.exe
2018-02-06 12:47 - 2017-07-04 15:37 - 000543112 _____ (AMD) C:\Windows\system32\atiesrxx.exe
2018-02-06 12:47 - 2017-07-04 15:37 - 000537992 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Rapidfire64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000520584 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\atikmpag.sys
2018-02-06 12:47 - 2017-07-04 15:37 - 000475016 _____ C:\Windows\system32\atieah64.exe
2018-02-06 12:47 - 2017-07-04 15:37 - 000469384 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\Rapidfire.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000458632 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atidemgy.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000402312 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atiapfxx.exe
2018-02-06 12:47 - 2017-07-04 15:37 - 000356744 _____ C:\Windows\SysWOW64\GameManager32.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000349064 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\ATIODE.exe
2018-02-06 12:47 - 2017-07-04 15:37 - 000325512 _____ C:\Windows\SysWOW64\atieah32.exe
2018-02-06 12:47 - 2017-07-04 15:37 - 000236424 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atig6txx.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000194952 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atigktxx.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000182664 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\mantle64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000161160 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\mantleaxl64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000155528 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atig6pxx.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000142216 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\mantle32.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000126344 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\mantleaxl32.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000124808 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiglpxx.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000124808 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiglpxx.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000114056 _____ (AMD) C:\Windows\system32\atimuixx.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000078728 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\aticalrt64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000072072 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\aticalcl64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000068488 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalrt.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000067464 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\ATIODCLI.exe
2018-02-06 12:47 - 2017-07-04 15:37 - 000065416 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalcl.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000060296 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\ati2erec.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000036232 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\RapidFireServer64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000033672 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\RapidFireServer.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000020360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\detoured.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000020360 _____ (Microsoft Corporation) C:\Windows\system32\detoured.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 059237768 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\amdocl64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 046457736 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\amdocl.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 036562312 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\atikmdag.sys
2018-02-06 12:47 - 2017-07-04 15:36 - 028797832 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\amdocl12cl64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 022739336 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\amdocl12cl.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 014414072 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiumd6a.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 010313608 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdvlk64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 009899912 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdmantle64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 007955848 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdmantle32.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 002527624 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\amfrt64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 002189704 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\amfrt32.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000915848 _____ (AMD) C:\Windows\system32\coinst_17.10.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000855432 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\amdlvr64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000687496 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\amdlvr32.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000559984 _____ C:\Windows\system32\amdmiracast.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000505736 _____ C:\Windows\system32\amdgfxinfo64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000351624 _____ C:\Windows\SysWOW64\amdgfxinfo32.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000305544 _____ (Advanced Micro Devices) C:\Windows\system32\Drivers\amdacpksd.sys
2018-02-06 12:47 - 2017-07-04 15:36 - 000269704 _____ C:\Windows\system32\clinfo.exe
2018-02-06 12:47 - 2017-07-04 15:36 - 000185600 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\amdhcp64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000159112 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atisamu64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000154152 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\amdhcp32.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000128968 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdave64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000124808 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atisamu32.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000121240 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atimpc64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000121240 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdpcom64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000112520 _____ (Khronos Group) C:\Windows\system32\OpenCL.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000106248 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdave32.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000103304 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000092840 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atimpc32.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000092840 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdpcom32.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 032738184 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atio6axx.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 026831240 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atioglxx.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 008471432 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdvlk32.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 000456584 _____ C:\Windows\system32\amdhdl64.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 000311176 _____ C:\Windows\SysWOW64\amdhdl32.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 000166280 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amduve64.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 000135560 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amduve32.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 000082824 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdmcl64.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 000066952 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdmmcl6.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 000066440 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdmcl32.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 000054664 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdmmcl.dll
2018-02-06 12:47 - 2017-07-04 14:59 - 000798552 _____ C:\Windows\SysWOW64\atiapfxx.blb
2018-02-06 12:47 - 2017-07-04 14:59 - 000798552 _____ C:\Windows\system32\atiapfxx.blb
2018-02-06 12:47 - 2017-07-04 14:58 - 003437632 _____ C:\Windows\system32\atiumd6a.cap
2018-02-06 12:47 - 2017-07-04 14:57 - 000204952 _____ C:\Windows\SysWOW64\ativvsvl.dat
2018-02-06 12:47 - 2017-07-04 14:57 - 000204952 _____ C:\Windows\system32\ativvsvl.dat
2018-02-06 12:47 - 2017-07-04 14:57 - 000157144 _____ C:\Windows\SysWOW64\ativvsva.dat
2018-02-06 12:47 - 2017-07-04 14:57 - 000157144 _____ C:\Windows\system32\ativvsva.dat
2018-02-06 12:47 - 2017-07-04 14:53 - 003471376 _____ C:\Windows\SysWOW64\atiumdva.cap
2018-02-06 12:47 - 2017-07-04 08:29 - 000368576 _____ C:\Windows\system32\ativvaxy_el_nd.dat
2018-02-06 12:47 - 2017-06-22 01:46 - 000951878 _____ C:\Windows\system32\amdicdxx.dat
2018-02-06 12:47 - 2017-05-16 08:15 - 000166560 _____ C:\Windows\system32\amde34b.dat
2018-02-06 12:47 - 2017-05-16 08:15 - 000166560 _____ C:\Windows\system32\amde34a.dat
2018-02-06 12:47 - 2017-05-16 08:03 - 000159072 _____ C:\Windows\system32\amde31a.dat
2018-02-06 12:47 - 2017-05-16 08:01 - 000160768 _____ C:\Windows\system32\ativce03.dat
2018-02-06 12:47 - 2017-03-03 09:39 - 000120368 _____ C:\Windows\system32\kapp_ci.sbin
2018-02-06 12:47 - 2017-02-16 16:51 - 000234292 _____ C:\Windows\system32\ativvaxy_cik.dat
2018-02-06 12:47 - 2017-02-16 16:51 - 000234032 _____ C:\Windows\system32\ativvaxy_cik_nd.dat
2018-02-06 12:47 - 2017-02-16 16:42 - 000325316 _____ C:\Windows\system32\ativvaxy_vi.dat
2018-02-06 12:47 - 2017-02-16 16:42 - 000325056 _____ C:\Windows\system32\ativvaxy_vi_nd.dat
2018-02-06 12:47 - 2017-02-16 16:34 - 000266772 _____ C:\Windows\system32\ativvaxy_FJ.dat
2018-02-06 12:47 - 2017-02-16 16:34 - 000266512 _____ C:\Windows\system32\ativvaxy_FJ_nd.dat
2018-02-06 12:47 - 2017-02-16 16:29 - 000276960 _____ C:\Windows\system32\ativvaxy_stn_nd.dat
2018-02-06 12:47 - 2017-02-16 15:28 - 000271456 _____ C:\Windows\system32\ativvaxy_cz_nd.dat
2018-02-06 12:47 - 2017-02-16 15:20 - 000369792 _____ C:\Windows\system32\ativvaxy_gl_nd.dat
2018-02-06 12:47 - 2017-01-27 15:05 - 000103936 _____ C:\Windows\SysWOW64\vulkaninfo.exe
2018-02-06 12:47 - 2017-01-27 15:04 - 000326656 _____ C:\Windows\SysWOW64\vulkan-1.dll
2018-02-06 12:47 - 2017-01-27 15:02 - 000118272 _____ C:\Windows\system32\vulkaninfo.exe
2018-02-06 12:47 - 2017-01-27 15:01 - 000322560 _____ C:\Windows\system32\vulkan-1.dll
2018-02-06 12:47 - 2017-01-26 10:33 - 000164960 _____ C:\Windows\system32\amde40a.dat
2018-02-06 12:47 - 2017-01-12 15:25 - 000100832 _____ C:\Windows\system32\ativce02.dat
2018-02-06 12:47 - 2016-10-17 12:28 - 000020580 _____ C:\Windows\system32\AMDKernelEvents.man
2018-02-06 12:47 - 2016-09-02 15:30 - 000114704 _____ C:\Windows\system32\kapp_si.sbin
2018-02-06 12:47 - 2016-09-02 08:24 - 000154384 _____ C:\Windows\system32\samu_krnl_ci.sbin
2018-02-06 12:47 - 2015-12-16 14:06 - 000000144 _____ C:\Windows\system32\amd-vulkan64.json
2018-02-06 12:47 - 2015-12-15 10:54 - 000000144 _____ C:\Windows\SysWOW64\amd-vulkan32.json
2018-02-06 12:47 - 2014-11-06 03:53 - 000737410 _____ C:\Windows\system32\atiicdxx.dat
2018-02-06 12:47 - 2013-12-12 06:53 - 000138832 _____ C:\Windows\system32\samu_krnl_isv_ci.sbin
2018-02-06 12:47 - 2012-09-22 16:17 - 000021160 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\amdkmafd.sys
2018-02-06 12:44 - 2018-02-06 12:48 - 000000000 ____D C:\Program Files\AMD
2018-02-06 12:25 - 2018-02-06 12:25 - 000497200 _____ C:\Windows\Minidump\020618-10593-01.dmp
2018-02-06 11:41 - 2018-02-06 12:40 - 000000000 ____D C:\Windows\system32\Drivers\NVIDIA Corporation
2018-01-31 16:35 - 2018-01-31 16:35 - 000000000 __SHD C:\Windows\ftpcache
2018-01-31 16:35 - 2018-01-31 16:35 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2018-01-31 16:35 - 2010-04-07 06:04 - 000127800 _____ (HP) C:\Windows\system32\HPSIsvc.exe
2018-01-31 16:35 - 2010-03-04 16:56 - 001695232 _____ C:\Windows\system32\HP1100SM.EXE
2018-01-31 16:35 - 2010-03-04 16:56 - 000289280 _____ C:\Windows\system32\HP1100LM.DLL
2018-01-31 16:34 - 2018-01-31 16:34 - 000000000 ____D C:\Program Files\HP
2018-01-31 16:34 - 2010-03-05 16:41 - 001490656 _____ (Microsoft Corporation) C:\Windows\system32\WdfCoInstaller01007.dll
2018-01-31 16:34 - 2010-03-05 16:41 - 000082432 _____ C:\Windows\system32\mvusbews.dll
2018-01-31 16:34 - 2010-03-05 16:41 - 000020480 _____ (Marvell Semiconductor, Inc.) C:\Windows\system32\Drivers\mvusbews.sys
2018-01-31 16:34 - 2010-03-05 16:40 - 000049664 _____ C:\Windows\system32\HP1100SMs.dll
2018-01-31 16:34 - 2010-03-04 16:03 - 000350720 _____ C:\Windows\system32\mvhlewsi.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-02-21 17:58 - 2013-08-22 08:20 - 000000000 ____D C:\Windows\CbsTemp
2018-02-21 17:50 - 2016-12-26 11:38 - 000000000 ____D C:\Users\Allison Lewski\AppData\LocalLow\Mozilla
2018-02-21 17:37 - 2016-12-26 12:42 - 000003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3972468611-1799533628-2338857112-1001
2018-02-21 17:31 - 2017-11-10 08:44 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\Google
2018-02-21 17:31 - 2017-11-10 08:44 - 000000000 ____D C:\Program Files (x86)\Google
2018-02-21 17:31 - 2017-11-10 08:40 - 000000000 __SHD C:\Users\Allison Lewski\AppData\Local\EmieUserList
2018-02-21 17:31 - 2017-11-10 08:40 - 000000000 __SHD C:\Users\Allison Lewski\AppData\Local\EmieSiteList
2018-02-21 17:29 - 2016-12-26 12:41 - 000863592 _____ C:\Windows\system32\PerfStringBackup.INI
2018-02-21 17:29 - 2013-08-22 06:36 - 000000000 ____D C:\Windows\Inf
2018-02-21 17:22 - 2017-11-25 22:54 - 000000000 ____D C:\Program Files (x86)\Hi-Rez Studios
2018-02-21 17:22 - 2017-02-20 09:02 - 000000000 ____D C:\Users\Allison Lewski\AppData\Roaming\Spotify
2018-02-21 17:22 - 2017-02-20 09:02 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\Spotify
2018-02-21 17:21 - 2016-12-26 13:13 - 000065536 _____ C:\Windows\system32\spu_storage.bin
2018-02-21 17:21 - 2016-12-26 12:57 - 000003038 _____ C:\Windows\System32\Tasks\EVGAPrecision
2018-02-21 17:21 - 2014-04-19 11:37 - 000000000 ____D C:\Program Files (x86)\Steam
2018-02-21 17:21 - 2013-08-22 06:25 - 009961472 _____ C:\Windows\system32\config\HARDWARE
2018-02-21 17:19 - 2017-02-19 20:03 - 000505344 ___SH C:\Users\Allison Lewski\Desktop\Thumbs.db
2018-02-21 13:56 - 2016-12-26 11:36 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\Battle.net
2018-02-21 11:35 - 2018-01-09 16:22 - 000000000 ___SD C:\Windows\system32\CompatTel
2018-02-21 11:35 - 2013-08-22 08:36 - 000000000 ____D C:\Windows\AppCompat
2018-02-21 10:17 - 2017-01-16 16:46 - 000000000 ____D C:\Users\Allison Lewski\AppData\Roaming\discord
2018-02-21 10:14 - 2016-12-26 12:37 - 000000000 ____D C:\Users\Allison Lewski
2018-02-20 11:16 - 2018-01-02 15:09 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\CrashDumps
2018-02-20 10:44 - 2013-08-22 08:36 - 000000000 ____D C:\Windows\system32\NDF
2018-02-19 19:06 - 2018-01-01 16:10 - 000000000 ____D C:\Program Files (x86)\Sid Meiers Civilization VI
2018-02-19 18:17 - 2016-12-26 12:37 - 000001057 _____ C:\Users\Allison Lewski\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-02-18 19:54 - 2016-12-26 12:04 - 000000000 ____D C:\Users\Allison Lewski\AppData\Roaming\vlc
2018-02-18 16:18 - 2016-12-26 12:54 - 000000000 ____D C:\Users\Allison Lewski\AppData\Roaming\deluge
2018-02-14 10:37 - 2013-08-22 08:36 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2018-02-13 19:53 - 2017-08-28 15:45 - 000004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2018-02-13 19:53 - 2017-08-28 15:45 - 000002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2018-02-11 16:13 - 2017-11-10 08:41 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-02-11 15:05 - 2016-12-26 12:56 - 000000000 ____D C:\Program Files (x86)\EVGA Precision X
2018-02-10 09:25 - 2017-11-10 08:41 - 000000951 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2018-02-10 09:25 - 2017-11-10 08:41 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-02-07 20:49 - 2017-11-25 22:55 - 000000000 ____D C:\Users\Allison Lewski\Documents\My Games
2018-02-07 08:24 - 2017-04-24 18:14 - 000000971 _____ C:\Users\Allison Lewski\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Twitch.lnk
2018-02-06 12:41 - 2017-10-11 17:56 - 000376020 _____ C:\Windows\ntbtlog.txt
2018-02-06 12:25 - 2017-03-27 11:05 - 285578769 _____ C:\Windows\MEMORY.DMP
2018-02-06 11:50 - 2018-01-06 18:36 - 000000222 _____ C:\Users\Allison Lewski\Desktop\SMITE.url
2018-02-06 11:41 - 2013-08-22 08:36 - 000000000 ____D C:\Windows\Help
2018-02-06 11:36 - 2013-08-22 06:25 - 000262144 ___SH C:\Windows\system32\config\BBI
2018-02-05 13:38 - 2018-01-09 16:25 - 000835576 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2018-02-05 13:38 - 2018-01-09 16:25 - 000177648 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2018-01-02 16:11 - 2018-01-02 16:11 - 000000000 _____ () C:\Users\Allison Lewski\AppData\Roaming\FC29FA0894FE.ini
2018-02-18 17:55 - 2018-02-18 17:55 - 000000218 _____ () C:\Users\Allison Lewski\AppData\Local\recently-used.xbel

Some files in TEMP:
====================
2018-01-08 20:34 - 2018-01-08 20:34 - 001160072 _____ () C:\Users\Allison Lewski\AppData\Local\Temp\AMDCleanupUtility.exe
2018-02-19 18:11 - 2018-02-19 18:11 - 000024576 _____ (1010 Vine Street) C:\Users\Allison Lewski\AppData\Local\Temp\capi.exe
2018-01-08 20:34 - 2018-01-08 20:34 - 000250248 _____ () C:\Users\Allison Lewski\AppData\Local\Temp\Cleanup.dll
2018-02-19 18:18 - 2018-02-19 18:18 - 000020480 _____ () C:\Users\Allison Lewski\AppData\Local\Temp\cubesta.exe
2018-01-08 20:34 - 2018-01-08 20:34 - 000065536 _____ (Windows ® Server 2003 DDK provider) C:\Users\Allison Lewski\AppData\Local\Temp\ddu.exe
2018-01-08 20:34 - 2018-01-08 20:34 - 000414152 _____ (Microsoft Corporation) C:\Users\Allison Lewski\AppData\Local\Temp\difxapi.dll
2018-02-19 18:11 - 2018-02-19 18:11 - 004426557 _____ (Indigo Rose Corporation) C:\Users\Allison Lewski\AppData\Local\Temp\ing.exe
2018-01-08 20:34 - 2018-01-08 20:34 - 000516096 _____ (Microsoft Corporation) C:\Users\Allison Lewski\AppData\Local\Temp\msvcm80.dll
2018-01-08 20:34 - 2018-01-08 20:34 - 001061376 _____ (Microsoft Corporation) C:\Users\Allison Lewski\AppData\Local\Temp\msvcp80.dll
2018-01-08 20:34 - 2018-01-08 20:34 - 000796672 _____ (Microsoft Corporation) C:\Users\Allison Lewski\AppData\Local\Temp\msvcr80.dll
2017-12-22 11:58 - 2017-10-27 09:06 - 000370296 _____ (NVIDIA Corporation) C:\Users\Allison Lewski\AppData\Local\Temp\nvStInst.exe
2018-01-31 16:34 - 2010-04-07 06:07 - 000607800 ____R (HP) C:\Users\Allison Lewski\AppData\Local\Temp\siinst.exe
2018-01-31 16:34 - 2010-04-06 14:41 - 000270336 ____R (HP) C:\Users\Allison Lewski\AppData\Local\Temp\strings.dll
2018-02-19 18:11 - 2018-02-19 18:11 - 001464832 _____ () C:\Users\Allison Lewski\AppData\Local\Temp\XvidCodecInstaller.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\drivers\pwiadhkn.sys -> Access Denied <======= ATTENTION

LastRegBack: 2018-02-15 16:36

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 21.02.2018
Ran by Allison Lewski (21-02-2018 17:59:10)
Running from G:\Downloads Firefox
Windows 8.1 Pro (Update) (X64) (2016-12-26 19:36:50)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3972468611-1799533628-2338857112-500 - Administrator - Disabled)
Allison Lewski (S-1-5-21-3972468611-1799533628-2338857112-1001 - Administrator - Enabled) => C:\Users\Allison Lewski
Guest (S-1-5-21-3972468611-1799533628-2338857112-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3972468611-1799533628-2338857112-1003 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.011.20036 - Adobe Systems Incorporated)
Adobe Flash Player 27 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 27.0.0.183 - Adobe Systems Incorporated)
AMD Software (HKLM\...\AMD Catalyst Install Manager) (Version: 9.0.000.8 - Advanced Micro Devices, Inc.)
Blizzard App (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
CPUID CPU-Z 1.82.1 (HKLM\...\CPUID CPU-Z_is1) (Version: 1.82.1 - )
CPUID HWMonitor 1.30 (HKLM\...\CPUID HWMonitor_is1) (Version:  - )
Deluge 1.3.13 (HKLM-x32\...\Deluge) (Version:  - )
Discord (HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\Discord) (Version: 0.0.300 - Discord Inc.)
EVGA Precision X 4.2.1 (HKLM-x32\...\PrecisionX) (Version: 4.2.1 - EVGA Corporation)
HD Tune Pro 5.70 (HKLM-x32\...\HD Tune Pro_is1) (Version:  - EFD Software)
Heroes of the Storm (HKLM-x32\...\Heroes of the Storm) (Version:  - Blizzard Entertainment)
HiPatch (HKLM-x32\...\{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF000}) (Version: 6.0.1.2 - Hi-Rez Studios)
Hi-Rez Studios Authenticate and Update Service (HKLM-x32\...\{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF1FC}) (Version: 3.0.0.0 - Hi-Rez Studios)
HP LaserJet Professional P1100-P1560-P1600 Series (HKLM\...\HP LaserJet Professional P1100-P1560-P1600 Series) (Version:  - )
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24123 (HKLM-x32\...\{2cbcedbb-f38c-48a3-a3e1-6c6fd821a7f4}) (Version: 14.0.24123.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24123 (HKLM-x32\...\{206898cc-4b41-4d98-ac28-9f9ae57f91fe}) (Version: 14.0.24123.0 - Microsoft Corporation)
Mozilla Firefox 58.0.2 (x64 en-US) (HKLM\...\Mozilla Firefox 58.0.2 (x64 en-US)) (Version: 58.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 56.0.2 - Mozilla)
Sid Meiers Civilization VI Khmer and Indonesia Civilization and Scenario Pack (HKLM-x32\...\Sid Meiers Civilization VI Khmer and Indonesia C~FC623E80_is1) (Version:  - )
Sid Meiers Civilization VI Rise and Fall (HKLM-x32\...\Sid Meiers Civilization VI Rise and Fall_is1) (Version:  - )
Spotify (HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\Spotify) (Version: 1.0.74.380.g1fcff12a - Spotify AB)
StarCraft (HKLM-x32\...\StarCraft) (Version:  - Blizzard Entertainment)
TechPowerUp GPU-Z (HKLM-x32\...\TechPowerUp GPU-Z) (Version:  - TechPowerUp)
Twitch (HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\{DEE70742-F4E9-44CA-B2B9-EE95DCF37295}) (Version: 7.0.0.0 - Twitch Interactive, Inc.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
Vulkan Run Time Libraries 1.0.39.1 (HKLM\...\VulkanRT1.0.39.1) (Version: 1.0.39.1 - LunarG, Inc.)
World of Warcraft (HKLM-x32\...\World of Warcraft) (Version:  - Blizzard Entertainment)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {048F8DFD-933D-4CEA-ACE5-3ACAF1EA4A8B} - \dunne perri preselect -> No File <==== ATTENTION
Task: {1A3139E2-7241-4AE3-8AF3-328C7CF4C66D} - \forgiven longmont -> No File <==== ATTENTION
Task: {203AF1AC-39BD-4C3B-B8F5-D2F77B4B0032} - \badunne perri preselectdunne perri preselect -> No File <==== ATTENTION
Task: {21D3E9EF-4F67-4224-B5A4-D2971B2D1895} - \acquaintanceship-jordanian -> No File <==== ATTENTION
Task: {25FD7262-9C2C-46F6-89ED-24847DC6D767} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-01-17] (Adobe Systems Incorporated)
Task: {328EF2F4-1B42-46CF-8B9E-5822A9F83C9A} - \baforgiven longmontforgiven longmont -> No File <==== ATTENTION
Task: {40A599AE-D480-4A18-9978-C669C49DAB97} - \bashir -> No File <==== ATTENTION
Task: {461CD752-DC8E-48A7-8CE9-D52B82DD54F4} - \NT9KxuvhdgOF -> No File <==== ATTENTION
Task: {52749540-3291-4B31-AB8C-EF3B187645D4} - System32\Tasks\{489FB7C6-C8DA-4EC0-B555-E7B1C5E91D22} => C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\Hi-Rez Studios\HiRezGamesDiagAndSupport.exe" -c uninstall=all
Task: {71B6806F-7C07-4DB2-9647-CE94EA5EBDFF} - \batroublesome_addictiontroublesome_addiction -> No File <==== ATTENTION
Task: {74432ECE-0AEE-427A-A86B-C797A2880896} - System32\Tasks\EVGAPrecision => C:\Program Files (x86)\EVGA Precision X\EVGAPrecision.exe [2013-07-17] ()
Task: {7A96C7F0-E0F4-4562-A0A2-4CED65155242} - \troublesome_addiction -> No File <==== ATTENTION
Task: {A20560ED-DE9E-45DA-B1C8-774D08542CB4} - \crush_leicester -> No File <==== ATTENTION
Task: {E03272CB-014C-4595-8092-C5C31A3D8910} - System32\Tasks\AMD Updater => C:\Program Files\AMD\CIM\\Bin64\RadeonInstaller.exe [2017-07-04] (Advanced Micro Devices, Inc.)
Task: {E41EB3C3-48F7-4C11-8CF6-246C0C9E6528} - \babashirbashir -> No File <==== ATTENTION
Task: {E63A9096-015B-4803-800D-52A0E7CC22A5} - \baacquaintanceship-jordanianacquaintanceship-jordanian -> No File <==== ATTENTION
Task: {F8BDC497-989D-460C-A43E-C35ED1567248} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-10-25] (Adobe Systems Incorporated)
Task: {FFA10A5F-AAD7-4BB5-90A4-D40D854515A6} - \bacrush_leicestercrush_leicester -> No File <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2018-01-31 16:35 - 2010-03-04 16:56 - 000289280 _____ () C:\Windows\System32\HP1100LM.DLL
2018-01-31 16:35 - 2010-03-04 16:56 - 000074240 _____ () C:\Windows\system32\spool\PRTPROCS\x64\HP1100PP.DLL
2013-07-17 17:28 - 2013-07-17 17:28 - 000627016 _____ () C:\Program Files (x86)\EVGA Precision X\EVGAPrecision.exe
2017-03-25 12:29 - 2017-11-29 09:11 - 002301384 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2013-05-15 09:49 - 2013-05-15 09:49 - 000071680 _____ () C:\Program Files (x86)\EVGA Precision X\RTMUI.dll
2013-05-15 09:48 - 2013-05-15 09:48 - 000056832 _____ () C:\Program Files (x86)\EVGA Precision X\RTFC.dll
2013-05-15 09:49 - 2013-05-15 09:49 - 000216064 _____ () C:\Program Files (x86)\EVGA Precision X\RTCore.dll
2013-05-15 09:49 - 2013-05-15 09:49 - 000127488 _____ () C:\Program Files (x86)\EVGA Precision X\RTUI.dll
2013-05-15 09:49 - 2013-05-15 09:49 - 000587776 _____ () C:\Program Files (x86)\EVGA Precision X\RTHAL.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\Allison Lewski\AppData\Local\Temp:$DATA [34]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 06:25 - 2013-08-22 06:25 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Allison Lewski\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
DNS Servers: 24.116.0.53 - 24.116.2.50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: AMD External Events Utility => 2
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: NvTelemetryContainer => 2
MSCONFIG\Services: Service KMSELDI => 2
HKLM\...\StartupApproved\Run: => "StartCN"
HKLM\...\StartupApproved\Run: => "interdepartmentalsurvived"
HKLM\...\StartupApproved\Run: => "interdepartmentalinterdepartmental"
HKLM\...\StartupApproved\Run: => "interdepartmental"
HKLM\...\StartupApproved\Run32: => "doubtsox"
HKLM\...\StartupApproved\Run32: => "doubtdoubt"
HKLM\...\StartupApproved\Run32: => "doubt"
HKLM\...\StartupApproved\Run32: => "VirtualCloneDrive"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\StartupFolder: => "gudrungudrun.lnk"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\StartupFolder: => "gudrun.lnk"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\StartupFolder: => "Twitch.lnk"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\Run: => "alef"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\Run: => "survivedinterdepartmental"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\Run: => "soxdoubt"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\Run: => "hunker"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\Run: => "survivedsurvived"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\Run: => "survived"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\Run: => "soxsox"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\Run: => "sox"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{A18E6171-8EA0-4A96-B5AD-994E390ECFD3}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{499ACF6B-5123-4899-8EF8-774E62AF1978}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{0F903FFD-E156-4EDE-9224-5352196E12EB}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{1CD5E963-913D-4EEC-9169-3958CD4DBDFD}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{8EECB8D1-6A27-4039-BF08-DBF7A33FF078}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{ACDAB867-E4CB-4EE4-84D1-89618E93BB23}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{DA77A9A7-F010-46A7-8084-1E4EC94524FD}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{53141641-C889-43B5-B806-6631ED53C365}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [TCP Query User{64C1137D-4F67-4419-B852-0B61C9B85EAE}C:\program files (x86)\deluge\deluge.exe] => (Allow) C:\program files (x86)\deluge\deluge.exe
FirewallRules: [UDP Query User{9456AE20-226D-4B7F-85E1-03CFFF3203B6}C:\program files (x86)\deluge\deluge.exe] => (Allow) C:\program files (x86)\deluge\deluge.exe
FirewallRules: [{A8567CA5-B460-4C1E-964A-B3342792E2EF}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{6E80719C-67EF-4E84-AB55-B276479FAF18}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [TCP Query User{81FD3761-FC06-404D-B41C-F60170EB9659}C:\copied programs\heroes of the storm\versions\base50441\heroesofthestorm_x64.exe] => (Allow) C:\copied programs\heroes of the storm\versions\base50441\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{BC09D8F4-6877-4F05-A858-C3054CD265FF}C:\copied programs\heroes of the storm\versions\base50441\heroesofthestorm_x64.exe] => (Allow) C:\copied programs\heroes of the storm\versions\base50441\heroesofthestorm_x64.exe
FirewallRules: [TCP Query User{51ED8B4D-3C3A-4105-9A18-847417A0385E}C:\users\allison lewski\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\allison lewski\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{ED83096C-A30B-4755-AB23-B9DD57BCC794}C:\users\allison lewski\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\allison lewski\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{4D2873A7-DD1D-4DAE-885B-91B9D711E99B}C:\users\allison lewski\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\allison lewski\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{152E9A59-A11F-40C5-9441-E975F1517F53}C:\users\allison lewski\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\allison lewski\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{B30E2854-D665-4B2F-98DB-B5742414A009}C:\copied programs\heroes of the storm\versions\base50950\heroesofthestorm_x64.exe] => (Allow) C:\copied programs\heroes of the storm\versions\base50950\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{714D606E-0EBD-4BB8-BDB7-06083E7E8C6B}C:\copied programs\heroes of the storm\versions\base50950\heroesofthestorm_x64.exe] => (Allow) C:\copied programs\heroes of the storm\versions\base50950\heroesofthestorm_x64.exe
FirewallRules: [TCP Query User{BC20D4D4-0442-4591-AA6C-BEBF5DD5D75E}C:\copied programs\heroes of the storm\versions\base52986\heroesofthestorm_x64.exe] => (Block) C:\copied programs\heroes of the storm\versions\base52986\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{ED08AB34-200D-4966-AF61-60049A082EDD}C:\copied programs\heroes of the storm\versions\base52986\heroesofthestorm_x64.exe] => (Block) C:\copied programs\heroes of the storm\versions\base52986\heroesofthestorm_x64.exe
FirewallRules: [{9598B3DC-9EEC-4801-95C4-4DE9497D410C}] => (Allow) H:\Steam\Steam.exe
FirewallRules: [{F3D77F31-5C61-44A4-B31F-0C426259A0BD}] => (Allow) H:\Steam\Steam.exe
FirewallRules: [{6C328930-F36A-4A0B-B9BE-20FACAE9C7F2}] => (Allow) H:\Steam\bin\steamwebhelper.exe
FirewallRules: [{856E551E-C27D-46DD-B2EB-E4198F2DFFFD}] => (Allow) H:\Steam\bin\steamwebhelper.exe
FirewallRules: [{6E4B4F09-97EE-4AE9-BE22-F8A7A624FABE}] => (Allow) H:\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{AFAF0734-9EEA-4EE9-B8ED-D7E9AD27C815}] => (Allow) H:\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [TCP Query User{1316AB2E-B340-4E8A-8C11-02E3806B40FD}C:\copied programs\destiny 2\destiny2.exe] => (Allow) C:\copied programs\destiny 2\destiny2.exe
FirewallRules: [UDP Query User{2F4A7D3B-E376-429F-BA27-AFE3E9EBA1B7}C:\copied programs\destiny 2\destiny2.exe] => (Allow) C:\copied programs\destiny 2\destiny2.exe
FirewallRules: [{FF8225F6-6DF6-439A-80CB-C63CF1DE7136}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{5E582372-93DB-4279-B31B-666887A39F4C}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{FC83F7AA-6A0D-491B-B08A-9C544D8ECC10}C:\program files (x86)\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe] => (Allow) C:\program files (x86)\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe
FirewallRules: [UDP Query User{D132CFEC-AE48-4D92-B46E-E3FD05379B17}C:\program files (x86)\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe] => (Allow) C:\program files (x86)\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe
FirewallRules: [{9B5E8A88-809F-4B88-A3C6-B65D7A1A6ED5}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Warframe.exe
FirewallRules: [{5B60F226-5172-4777-986A-135AC71458F6}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Warframe.x64.exe
FirewallRules: [{B3C8183D-2474-48E6-8891-BC27C458A364}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Warframe.exe
FirewallRules: [{3C3E2E92-63AF-4E96-A878-8EC95A7531EA}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Warframe.x64.exe
FirewallRules: [{8F1E6F34-BFBA-4B17-8EF2-99D95EF3749D}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Tools\Launcher.exe
FirewallRules: [{42F2FB6D-513D-49E4-B007-99D716294E7B}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Tools\RemoteCrashSender.exe
FirewallRules: [{3F000DD2-265F-4DFF-BA07-FEDBB714D48A}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Warframe.exe
FirewallRules: [{1B74FE83-8299-4723-97A2-6BBDB69D054A}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Warframe.x64.exe
FirewallRules: [{E2C77DE4-2409-4AAC-8408-3548FBFE7B1F}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Warframe.exe
FirewallRules: [{43257455-354E-45B6-9AFC-08ECFFCA4E19}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Warframe.x64.exe
FirewallRules: [{15691CD7-07ED-45B1-B90A-911C9FFC4EC2}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Tools\Launcher.exe
FirewallRules: [{D0DB158F-CE38-4089-90EF-5D92E2A5745C}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Tools\RemoteCrashSender.exe
FirewallRules: [{1428E833-5EEF-4BB5-A921-982A5647F1C3}] => (Allow) C:\SteamLibrary\steamapps\common\The Witcher Enhanced Edition\System\witcher.exe
FirewallRules: [{F407160D-0CA6-4C6A-A133-18A8CEF1F511}] => (Allow) C:\SteamLibrary\steamapps\common\The Witcher Enhanced Edition\System\witcher.exe
FirewallRules: [{DCF050A4-6DF9-4B1A-BA3B-D39E7DF1F988}] => (Allow) C:\SteamLibrary\steamapps\common\The Witcher Enhanced Edition\System\djinni!.exe
FirewallRules: [{72BE3B41-3C9C-4CDB-BFE0-E77FD477FDD6}] => (Allow) C:\SteamLibrary\steamapps\common\The Witcher Enhanced Edition\System\djinni!.exe
FirewallRules: [{33330440-1304-4582-9BCF-54E077B41C90}] => (Allow) C:\SteamLibrary\steamapps\common\The Witcher Enhanced Edition\Digital Comic\DigitalComic.exe
FirewallRules: [{FF1D8421-3FCA-4ADD-84E3-FE02E22E32C8}] => (Allow) C:\SteamLibrary\steamapps\common\The Witcher Enhanced Edition\Digital Comic\DigitalComic.exe
FirewallRules: [{E76E3C44-7541-4009-B90F-DE0490CEC7EA}] => (Allow) C:\SteamLibrary\steamapps\common\The Witcher 3\bin\x64\witcher3.exe
FirewallRules: [{53834EC2-40BA-4A7B-9E01-E332C60F468A}] => (Allow) C:\SteamLibrary\steamapps\common\The Witcher 3\bin\x64\witcher3.exe
FirewallRules: [TCP Query User{77C292DB-3BB2-45A7-B53E-CF2B431155DA}C:\steamlibrary\steamapps\common\the witcher 2\bin\witcher2.exe] => (Allow) C:\steamlibrary\steamapps\common\the witcher 2\bin\witcher2.exe
FirewallRules: [UDP Query User{F6F70D9A-1F73-4FFE-BAC8-8E0111557F61}C:\steamlibrary\steamapps\common\the witcher 2\bin\witcher2.exe] => (Allow) C:\steamlibrary\steamapps\common\the witcher 2\bin\witcher2.exe
FirewallRules: [TCP Query User{94EFA593-E87C-467E-BBD6-F2342C29914C}C:\program files (x86)\sid meiers civilization vi\base\binaries\win64steam\civilizationvi.exe] => (Allow) C:\program files (x86)\sid meiers civilization vi\base\binaries\win64steam\civilizationvi.exe
FirewallRules: [UDP Query User{A7C67C09-6B94-40EC-A049-30FD5385F1A4}C:\program files (x86)\sid meiers civilization vi\base\binaries\win64steam\civilizationvi.exe] => (Allow) C:\program files (x86)\sid meiers civilization vi\base\binaries\win64steam\civilizationvi.exe
FirewallRules: [{1FA598DB-8DFF-4941-847B-0EE83E63EDA0}] => (Allow) C:\SteamLibrary\steamapps\common\SMITE\Binaries\Win32\HirezBridge.exe
FirewallRules: [{B6492403-65BE-451A-857F-F3B95260B5A6}] => (Allow) C:\SteamLibrary\steamapps\common\SMITE\Binaries\Win32\HirezBridge.exe
FirewallRules: [TCP Query User{B6270FF8-3D44-4AEC-9954-CBBA6A2F185E}C:\steamlibrary\steamapps\common\smite\binaries\win32\smite.exe] => (Block) C:\steamlibrary\steamapps\common\smite\binaries\win32\smite.exe
FirewallRules: [UDP Query User{347C480C-D3FF-427F-87A9-DB47A90B2E25}C:\steamlibrary\steamapps\common\smite\binaries\win32\smite.exe] => (Block) C:\steamlibrary\steamapps\common\smite\binaries\win32\smite.exe
FirewallRules: [{60786355-25DB-4C36-A3A2-8826BD83717B}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{8DD21702-74D1-445A-8EC9-495D6A9A99FC}] => (Allow) H:\Steam\SteamApps\common\SMITE\Binaries\Win32\HirezBridge.exe
FirewallRules: [{2021090B-DA42-4287-BF40-81538F1C7E84}] => (Allow) H:\Steam\SteamApps\common\SMITE\Binaries\Win32\HirezBridge.exe
FirewallRules: [TCP Query User{67A3FCE5-3328-4670-9C4C-98021D12D420}H:\steam\steamapps\common\smite\binaries\win32\smite.exe] => (Allow) H:\steam\steamapps\common\smite\binaries\win32\smite.exe
FirewallRules: [UDP Query User{2602543E-E0F8-4443-A7E8-0165C9151B36}H:\steam\steamapps\common\smite\binaries\win32\smite.exe] => (Allow) H:\steam\steamapps\common\smite\binaries\win32\smite.exe
FirewallRules: [{EA94DE66-409E-44DC-87F0-355B4D605A88}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{C03EEE7B-CB63-4535-8594-9F18CE9CD48E}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{01A5D906-BEE8-4EF2-BB5C-C8124084FC42}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{8C047B5B-17FF-401A-8847-92DD36EB2EF5}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [TCP Query User{60C01A9B-2FC8-4E69-A152-1CF04C591306}C:\games\sid meiers civilization vi rise and fall\base\binaries\win64steam\civilizationvi.exe] => (Allow) C:\games\sid meiers civilization vi rise and fall\base\binaries\win64steam\civilizationvi.exe
FirewallRules: [UDP Query User{C4C02E7D-8A52-48AE-AA76-214A23150187}C:\games\sid meiers civilization vi rise and fall\base\binaries\win64steam\civilizationvi.exe] => (Allow) C:\games\sid meiers civilization vi rise and fall\base\binaries\win64steam\civilizationvi.exe
FirewallRules: [{5F799D02-829F-4438-9903-073580852614}] => (Allow) C:\Program Files (x86)\Forfeited\rhythm.exe
FirewallRules: [{3683DA8F-AA5A-4847-AD68-8FD98D335E23}] => (Allow) C:\Program Files (x86)\Championing\rhythm.exe
FirewallRules: [{C3FB7245-BCBC-44B1-9729-7E66B5638285}] => (Allow) C:\Program Files (x86)\detainees\discipline.exe
FirewallRules: [{2DFF7A1B-9169-4C3B-A9A5-BDDD9DD475BC}] => (Allow) C:\Program Files (x86)\Championing\discipline.exe

==================== Restore Points =========================


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (02/21/2018 05:22:39 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=NetworkAvailable

Error: (02/21/2018 05:22:35 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=UserLogon;SessionId=1

Error: (02/21/2018 02:19:35 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program SteamLauncherUI.exe version 6.0.1.2 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1030

Start Time: 01d3ab599238d1e7

Termination Time: 4

Application Path: C:\Program Files (x86)\Hi-Rez Studios\SteamLauncherUI.exe

Report Id: e7d855ec-174c-11e8-8396-bcaec5b71406

Faulting package full name:

Faulting package-relative application ID:

Error: (02/21/2018 01:05:02 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=UserLogon;SessionId=1

Error: (02/21/2018 12:58:01 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=NetworkAvailable

Error: (02/21/2018 12:31:41 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (02/21/2018 11:39:26 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=UserLogon;SessionId=1

Error: (02/21/2018 11:38:44 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=TimerEvent


System errors:
=============
Error: (02/21/2018 05:32:38 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070005: 2018-02 Security Monthly Quality Rollup for Windows 8.1 for x64-based Systems (KB4074594).

Error: (02/21/2018 05:31:45 PM) (Source: volsnap) (EventID: 14) (User: )
Description: The shadow copies of volume C: were aborted because of an IO failure on volume C:.

Error: (02/21/2018 05:31:45 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/21/2018 05:31:45 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/21/2018 05:31:45 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/21/2018 05:31:45 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/21/2018 05:31:45 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/21/2018 05:27:53 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.


Windows Defender:
===================================
Date: 2018-02-19 18:16:26.457
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanSpy:Win32/SocStealer!rfn&threatid=2147724296&enterprise=0
Name: TrojanSpy:Win32/SocStealer!rfn
ID: 2147724296
Severity: Severe
Category: Trojan Monitoring Software
Path: chromeinstall:_HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GOOGLE CHROME;file:_C:\Program Files (x86)\Google\Chrome\Application\winhttp.dll;file:_C:\Users\Allison Lewski\AppData\Local\AdService\AdService.dll;file:_C:\Users\Allison Lewski\AppData\Local\Microsoft\Windows\INetCache\IE\7PWPM3XA\dll_service[1].bin;file:_C:\Users\Allison Lewski\AppData\Local\Microsoft\Windows\INetCache\IE\HUK7CB0G\dll_x64[1].bin
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Users\ALLISO~1\AppData\Local\Temp\336463171\ic-0.ee5e458616065.exe
Signature Version: AV: 1.259.1399.0, AS: 1.259.1399.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14405.2, NIS: 2.1.14202.0

Date: 2018-02-19 18:16:26.456
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=BrowserModifier:Win32/Soctuseer!excl&threatid=237119&enterprise=0
Name: BrowserModifier:Win32/Soctuseer!excl
ID: 237119
Severity: High
Category: Browser Modifier
Path: regkeyvalue:_HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\\c:\program files\01caea05d08c25c64941f61bbf04b4eb\;regkeyvalue:_HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\\C:\Windows\e4964b6c4f2444b5c47e4eef478bf980.exe
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Signature Version: AV: 1.259.1399.0, AS: 1.259.1399.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14405.2, NIS: 2.1.14202.0

Date: 2018-02-19 18:16:26.455
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Tiggre!plock&threatid=2147723626&enterprise=0
Name: Trojan:Win32/Tiggre!plock
ID: 2147723626
Severity: Severe
Category: Trojan
Path: file:_C:\Users\Allison Lewski\AppData\Local\Temp\336463171\ic-0.ee5e458616065.exe;process:_pid:6108,ProcessStart:131635629114186480
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: C:\Users\ALLISO~1\AppData\Local\Temp\336463171\ic-0.ee5e458616065.exe
Signature Version: AV: 1.259.1399.0, AS: 1.259.1399.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14405.2, NIS: 2.1.14202.0

Date: 2018-02-19 18:15:13.916
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Tiggre!plock&threatid=2147723626&enterprise=0
Name: Trojan:Win32/Tiggre!plock
ID: 2147723626
Severity: Severe
Category: Trojan
Path: process:_pid:6108,ProcessStart:131635629114186480
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
Process Name: C:\Users\ALLISO~1\AppData\Local\Temp\336463171\ic-0.ee5e458616065.exe
Signature Version: AV: 1.259.1399.0, AS: 1.259.1399.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14405.2, NIS: 2.1.14202.0

Date: 2018-02-19 18:15:13.568
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanSpy:Win32/SocStealer!rfn&threatid=2147724296&enterprise=0
Name: TrojanSpy:Win32/SocStealer!rfn
ID: 2147724296
Severity: Severe
Category: Trojan Monitoring Software
Path: file:_C:\Program Files (x86)\Google\Chrome\Application\winhttp.dll;file:_C:\Users\Allison Lewski\AppData\Local\AdService\AdService.dll;file:_C:\Users\Allison Lewski\AppData\Local\Microsoft\Windows\INetCache\IE\7PWPM3XA\dll_service[1].bin;file:_C:\Users\Allison Lewski\AppData\Local\Microsoft\Windows\INetCache\IE\HUK7CB0G\dll_x64[1].bin
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Users\ALLISO~1\AppData\Local\Temp\336463171\ic-0.ee5e458616065.exe
Signature Version: AV: 1.259.1399.0, AS: 1.259.1399.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14405.2, NIS: 2.1.14202.0

Date: 2018-02-19 18:16:32.390
Description:
Windows Defender has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.259.1399.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.14405.2
Error code: 0x80240017
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Date: 2018-02-06 12:25:14.015
Description:
Windows Defender Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x8007043c
Error description: This service cannot be started in Safe Mode
Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.

Date: 2018-02-06 11:23:52.059
Description:
Windows Defender Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x8007043c
Error description: This service cannot be started in Safe Mode
Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.

==================== Memory info ===========================

Processor: Intel® Core™ i5 CPU 650 @ 3.20GHz
Percentage of memory in use: 34%
Total physical RAM: 8183.05 MB
Available physical RAM: 5382.37 MB
Total Virtual: 9683.05 MB
Available Virtual: 6170.9 MB

==================== Drives ================================

Drive c: (SSD) (Fixed) (Total:238.13 GB) (Free:63.74 GB) NTFS
Drive d: (System Log Files) (Fixed) (Total:0.1 GB) (Free:0.05 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive g: (Extra2) (Fixed) (Total:355.47 GB) (Free:312.22 GB) NTFS
Drive h: (Extra Drive) (Fixed) (Total:575.94 GB) (Free:40.26 GB) NTFS

\\?\Volume{9bc49891-cba1-11e6-824b-806e6f6e6963}\ (System Reserved) (Fixed) (Total:0.34 GB) (Free:0.09 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 238.5 GB) (Disk ID: 9CF9C308)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=238.1 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 931.5 GB) (Disk ID: 4DB9C001)
Partition 1: (Not Active) - (Size=993 KB) - (Type=42)
Partition 2: (Active) - (Size=100 MB) - (Type=42)
Partition 3: (Not Active) - (Size=931.4 GB) - (Type=42)

==================== End of Addition.txt ============================

 

 



#2 garioch7 (Malware Response Instructor)

Posted 22 February 2018 - 07:20 AM

CaptainFistula:

Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil. May I address you by your first name?
 
I will be assisting you with your computer issues. I will endeavor to respond within a reasonable time. Forum policy requires that I post within 48 hours after your last post, but I do endeavor to post within 24 hours of your last post.
 
I would ask that you please continue to copy and paste the contents of all requested log files directly into your replies. Please do not use "code" or "quote" boxes. Thank you for your anticipated cooperation.
 
I will need some time to review your FRST logs. That could take a day or two.
 
PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues. It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.
 
Thank you and have a great day.
 
Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators


#3 garioch7

Posted 22 February 2018 - 09:50 AM

CaptainFistula:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools. Malware removal can cause unpredictable and unintended issues. Also, you should be aware that some of the tools and scripts that will be used will remove malware detected, without notice.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post(s), unless otherwise instructed. Please do not use code or quote boxes.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

OK, let's get started ...


Step 1: Unfortunately, in going over your logs, I see evidence of a software utility, or utilities, used to evade software licensing requirements for one or more programs. You might not be aware of this/these program(s), so I am NOT accusing you of knowingly installing this/these program(s) on your computer.

Bleeping Computer does not condone software piracy. Downloading and using such software, apart from being illegal by infringing on copyrights, is a MAJOR attack vector for malware. If you use such software, it is not a question of "IF" your computer will be infected, but only "WHEN", and by HOW MANY different variants of malware!

I am going to ask you to remove any and all software that you do not own, and to uninstall the software that is evading licensing requirements. If you are not aware of this software utility, or these utilities, then you will have to accept that, as a part of my "fix" for your computer, the disinfection scripts and utilities will remove/disable any, and all, such software, tasks, etc., designed to evade legal software licensing requirements detected in the scan logs. Some of the anti-malware tools that I use will automatically quarantine software "cracks", without notice, so if you are not willing to take the chance of one or more "cracked" programs being disabled, please let me know right away.

If it is agreeable to you to uninstall the "cracked" software, then after you have uninstalled any illicit software, please run the following scan for me.

If it is not agreeable to you, then please let me know and I will conclude your topic.


Step 2: Scan with CKScanner

Download CKScanner by askey127 and save it to your desktop.

  • Right-click on the CKScanner icon and select Run as Administrator to start the tool.
  • Click Search For Files.
  • When finished, click Save List To File.
  • Remember to run this tool once only, if not asked to run it again.

Please copy and paste the content of CKFiles.txt into your next reply.


Step 3: Please run a fresh FRST scan. Please copy and paste the contents of both the "FRST.txt" and "Addition.txt" scan logs into your next reply, or replies. Sometimes, when the FRST logs are large, you have to post each log individually.


Thank you and have a great day.

Regards,
-Phil


#4 CaptainFistula (Topic Starter)

Posted 22 February 2018 - 10:15 AM

Good Morning Phil,

Thank you for taking the time to send a quick response. I have removed a known program as well as the Deluge client. I'm not sure what you will make of my malware case after reviewing the CKScanner log; however, I can advise that there was no known malware on this machine for 2 years until a couple of days back, and the likely culprit program was removed two days back, in addition to the two that I mentioned in the previous sentence. Take a look at the logs and let me know your thoughts. Thanks again!

 

 

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files\kmspico\devcomponents.dotnetbar2.dll
c:\program files\kmspico\unins000.dat
c:\program files\kmspico\unins000.exe
c:\program files\kmspico\uninshs.exe
c:\program files\kmspico\wdfcoinstaller01009.dll
c:\program files\kmspico\windivert.dll
c:\program files\kmspico\windivert.inf
c:\program files\kmspico\windivert.sys
c:\program files\kmspico\cert\installall.cmd
c:\program files\kmspico\cert\kmscert2010\access\accessvlreg32.reg
c:\program files\kmspico\cert\kmscert2010\access\accessvlreg64.reg
c:\program files\kmspico\cert\kmscert2010\access\accessvlregwow.reg
c:\program files\kmspico\cert\kmscert2010\access\access_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\access\access_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\access\access_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\access\access_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\access\access_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\access\access_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\access\access_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\access\access_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\access\access_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\excel\excelvlreg32.reg
c:\program files\kmspico\cert\kmscert2010\excel\excelvlreg64.reg
c:\program files\kmspico\cert\kmscert2010\excel\excelvlregwow.reg
c:\program files\kmspico\cert\kmscert2010\excel\excel_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\excel\excel_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\excel\excel_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\excel\excel_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\excel\excel_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\excel\excel_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\excel\excel_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\excel\excel_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\excel\excel_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\groove\groovevlreg32.reg
c:\program files\kmspico\cert\kmscert2010\groove\groovevlreg64.reg
c:\program files\kmspico\cert\kmscert2010\groove\groovevlregwow.reg
c:\program files\kmspico\cert\kmscert2010\groove\groove_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\groove\groove_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\groove\groove_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\groove\groove_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\groove\groove_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\groove\groove_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\groove\groove_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\groove\groove_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\groove\groove_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\infopath\infopathvlreg32.reg
c:\program files\kmspico\cert\kmscert2010\infopath\infopathvlreg64.reg
c:\program files\kmspico\cert\kmscert2010\infopath\infopathvlregwow.reg
c:\program files\kmspico\cert\kmscert2010\infopath\infopath_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\infopath\infopath_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\infopath\infopath_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\infopath\infopath_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\infopath\infopath_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\infopath\infopath_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\infopath\infopath_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\infopath\infopath_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\infopath\infopath_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\onenote\onenotevlreg32.reg
c:\program files\kmspico\cert\kmscert2010\onenote\onenotevlreg64.reg
c:\program files\kmspico\cert\kmscert2010\onenote\onenotevlregwow.reg
c:\program files\kmspico\cert\kmscert2010\onenote\onenote_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\onenote\onenote_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\onenote\onenote_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\onenote\onenote_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\onenote\onenote_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\onenote\onenote_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\onenote\onenote_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\onenote\onenote_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\onenote\onenote_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\outlook\outlookvlreg32.reg
c:\program files\kmspico\cert\kmscert2010\outlook\outlookvlreg64.reg
c:\program files\kmspico\cert\kmscert2010\outlook\outlookvlregwow.reg
c:\program files\kmspico\cert\kmscert2010\outlook\outlook_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\outlook\outlook_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\outlook\outlook_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\outlook\outlook_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\outlook\outlook_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\outlook\outlook_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\outlook\outlook_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\outlook\outlook_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\outlook\outlook_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\powerpoint\powerpointvlreg32.reg
c:\program files\kmspico\cert\kmscert2010\powerpoint\powerpointvlreg64.reg
c:\program files\kmspico\cert\kmscert2010\powerpoint\powerpointvlregwow.reg
c:\program files\kmspico\cert\kmscert2010\powerpoint\powerpoint_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\powerpoint\powerpoint_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\powerpoint\powerpoint_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\powerpoint\powerpoint_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\powerpoint\powerpoint_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\powerpoint\powerpoint_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\powerpoint\powerpoint_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\powerpoint\powerpoint_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\powerpoint\powerpoint_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectpro\projectprovlreg32.reg
c:\program files\kmspico\cert\kmscert2010\projectpro\projectprovlreg64.reg
c:\program files\kmspico\cert\kmscert2010\projectpro\projectprovlregwow.reg
c:\program files\kmspico\cert\kmscert2010\projectpro\projectpro_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectpro\projectpro_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectpro\projectpro_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectpro\projectpro_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectpro\projectpro_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectpro\projectpro_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectpro\projectpro_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectpro\projectpro_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectpro\projectpro_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectstd\projectstdvlreg32.reg
c:\program files\kmspico\cert\kmscert2010\projectstd\projectstdvlreg64.reg
c:\program files\kmspico\cert\kmscert2010\projectstd\projectstdvlregwow.reg
c:\program files\kmspico\cert\kmscert2010\projectstd\projectstd_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectstd\projectstd_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectstd\projectstd_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectstd\projectstd_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectstd\projectstd_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectstd\projectstd_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectstd\projectstd_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectstd\projectstd_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectstd\projectstd_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectstd\projectstd_mak2.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectstd\projectstd_mak2.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectstd\projectstd_mak2.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\projectstd\projectstd_mak2.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\proplus\proplusacad_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\proplus\proplusacad_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\proplus\proplusacad_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\proplus\proplusacad_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\proplus\proplusvlreg32.reg
c:\program files\kmspico\cert\kmscert2010\proplus\proplusvlreg64.reg
c:\program files\kmspico\cert\kmscert2010\proplus\proplusvlregwow.reg
c:\program files\kmspico\cert\kmscert2010\proplus\proplus_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\proplus\proplus_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\proplus\proplus_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\proplus\proplus_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\proplus\proplus_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\proplus\proplus_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\proplus\proplus_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\proplus\proplus_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\proplus\proplus_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\publisher\publishervlreg32.reg
c:\program files\kmspico\cert\kmscert2010\publisher\publishervlreg64.reg
c:\program files\kmspico\cert\kmscert2010\publisher\publishervlregwow.reg
c:\program files\kmspico\cert\kmscert2010\publisher\publisher_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\publisher\publisher_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\publisher\publisher_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\publisher\publisher_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\publisher\publisher_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\publisher\publisher_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\publisher\publisher_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\publisher\publisher_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\publisher\publisher_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\smallbusbasics\smallbusbasicsvlreg32.reg
c:\program files\kmspico\cert\kmscert2010\smallbusbasics\smallbusbasicsvlreg64.reg
c:\program files\kmspico\cert\kmscert2010\smallbusbasics\smallbusbasicsvlregwow.reg
c:\program files\kmspico\cert\kmscert2010\smallbusbasics\smallbusbasics_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\smallbusbasics\smallbusbasics_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\smallbusbasics\smallbusbasics_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\smallbusbasics\smallbusbasics_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\smallbusbasics\smallbusbasics_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\smallbusbasics\smallbusbasics_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\smallbusbasics\smallbusbasics_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\smallbusbasics\smallbusbasics_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\smallbusbasics\smallbusbasics_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\standard\standardacad_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\standard\standardacad_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\standard\standardacad_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\standard\standardacad_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\standard\standardvlreg32.reg
c:\program files\kmspico\cert\kmscert2010\standard\standardvlreg64.reg
c:\program files\kmspico\cert\kmscert2010\standard\standardvlregwow.reg
c:\program files\kmspico\cert\kmscert2010\standard\standard_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\standard\standard_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\standard\standard_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\standard\standard_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\standard\standard_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\standard\standard_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\standard\standard_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\standard\standard_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\standard\standard_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visioprem_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visioprem_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visioprem_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visioprem_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visioprem_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visioprem_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visioprem_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visioprem_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visioprem_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiopro_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiopro_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiopro_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiopro_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiopro_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiopro_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiopro_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiopro_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiopro_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiostd_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiostd_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiostd_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiostd_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiostd_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiostd_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiostd_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiostd_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiostd_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\visio\visiovlreg32.reg
c:\program files\kmspico\cert\kmscert2010\visio\visiovlreg64.reg
c:\program files\kmspico\cert\kmscert2010\visio\visiovlregwow.reg
c:\program files\kmspico\cert\kmscert2010\word\wordvlreg32.reg
c:\program files\kmspico\cert\kmscert2010\word\wordvlreg64.reg
c:\program files\kmspico\cert\kmscert2010\word\wordvlregwow.reg
c:\program files\kmspico\cert\kmscert2010\word\word_kms_client.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\word\word_kms_client.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\word\word_kms_client.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2010\word\word_kms_client.rac_priv.xrm-ms
c:\program files\kmspico\cert\kmscert2010\word\word_kms_client.rac_pub.xrm-ms
c:\program files\kmspico\cert\kmscert2010\word\word_mak.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2010\word\word_mak.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2010\word\word_mak.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2010\word\word_mak.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\access\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\access\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\access\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\access\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\access\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\access\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\access\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\access\licensesetdata._4374022d_56b8_48c1_9bb7_d8f2fc726343.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\access\licensesetdata._4374022d_56b8_48c1_9bb7_d8f2fc726343.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\access\licensesetdata._4374022d_56b8_48c1_9bb7_d8f2fc726343.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\access\licensesetdata._4374022d_56b8_48c1_9bb7_d8f2fc726343.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\access\licensesetdata._6ee7622c_18d8_4005_9fb7_92db644a279b.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\access\licensesetdata._6ee7622c_18d8_4005_9fb7_92db644a279b.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\access\licensesetdata._6ee7622c_18d8_4005_9fb7_92db644a279b.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\excel\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\excel\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\excel\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\excel\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\excel\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\excel\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\excel\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\excel\licensesetdata._ac1ae7fd_b949_4e04_a330_849bc40638cf.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\excel\licensesetdata._ac1ae7fd_b949_4e04_a330_849bc40638cf.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\excel\licensesetdata._ac1ae7fd_b949_4e04_a330_849bc40638cf.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\excel\licensesetdata._ac1ae7fd_b949_4e04_a330_849bc40638cf.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\excel\licensesetdata._f7461d52_7c2b_43b2_8744_ea958e0bd09a.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\excel\licensesetdata._f7461d52_7c2b_43b2_8744_ea958e0bd09a.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\excel\licensesetdata._f7461d52_7c2b_43b2_8744_ea958e0bd09a.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\infopath\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\infopath\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\infopath\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\infopath\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\infopath\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\infopath\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\infopath\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\infopath\licensesetdata._9e016989_4007_42a6_8051_64eb97110cf2.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\infopath\licensesetdata._9e016989_4007_42a6_8051_64eb97110cf2.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\infopath\licensesetdata._9e016989_4007_42a6_8051_64eb97110cf2.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\infopath\licensesetdata._9e016989_4007_42a6_8051_64eb97110cf2.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\infopath\licensesetdata._a30b8040_d68a_423f_b0b5_9ce292ea5a8f.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\infopath\licensesetdata._a30b8040_d68a_423f_b0b5_9ce292ea5a8f.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\infopath\licensesetdata._a30b8040_d68a_423f_b0b5_9ce292ea5a8f.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\lync\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\lync\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\lync\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\lync\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\lync\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\lync\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\lync\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\lync\licensesetdata._1b9f11e3_c85c_4e1b_bb29_879ad2c909e3.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\lync\licensesetdata._1b9f11e3_c85c_4e1b_bb29_879ad2c909e3.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\lync\licensesetdata._1b9f11e3_c85c_4e1b_bb29_879ad2c909e3.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\lync\licensesetdata._e1264e10_afaf_4439_a98b_256df8bb156f.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\lync\licensesetdata._e1264e10_afaf_4439_a98b_256df8bb156f.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\lync\licensesetdata._e1264e10_afaf_4439_a98b_256df8bb156f.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\lync\licensesetdata._e1264e10_afaf_4439_a98b_256df8bb156f.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\onenote\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\onenote\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\onenote\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\onenote\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\onenote\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\onenote\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\onenote\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\onenote\licensesetdata._b067e965_7521_455b_b9f7_c740204578a2.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\onenote\licensesetdata._b067e965_7521_455b_b9f7_c740204578a2.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\onenote\licensesetdata._b067e965_7521_455b_b9f7_c740204578a2.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\onenote\licensesetdata._b067e965_7521_455b_b9f7_c740204578a2.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\onenote\licensesetdata._efe1f3e6_aea2_4144_a208_32aa872b6545.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\onenote\licensesetdata._efe1f3e6_aea2_4144_a208_32aa872b6545.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\onenote\licensesetdata._efe1f3e6_aea2_4144_a208_32aa872b6545.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\outlook\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\outlook\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\outlook\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\outlook\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\outlook\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\outlook\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\outlook\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\outlook\licensesetdata._771c3afa_50c5_443f_b151_ff2546d863a0.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\outlook\licensesetdata._771c3afa_50c5_443f_b151_ff2546d863a0.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\outlook\licensesetdata._771c3afa_50c5_443f_b151_ff2546d863a0.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\outlook\licensesetdata._8d577c50_ae5e_47fd_a240_24986f73d503.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\outlook\licensesetdata._8d577c50_ae5e_47fd_a240_24986f73d503.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\outlook\licensesetdata._8d577c50_ae5e_47fd_a240_24986f73d503.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\outlook\licensesetdata._8d577c50_ae5e_47fd_a240_24986f73d503.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\powerpoint\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\powerpoint\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\powerpoint\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\powerpoint\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\powerpoint\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\powerpoint\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\powerpoint\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\powerpoint\licensesetdata._8c762649_97d1_4953_ad27_b7e2c25b972e.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\powerpoint\licensesetdata._8c762649_97d1_4953_ad27_b7e2c25b972e.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\powerpoint\licensesetdata._8c762649_97d1_4953_ad27_b7e2c25b972e.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\powerpoint\licensesetdata._e40dcb44_1d5c_4085_8e8f_943f33c4f004.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\powerpoint\licensesetdata._e40dcb44_1d5c_4085_8e8f_943f33c4f004.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\powerpoint\licensesetdata._e40dcb44_1d5c_4085_8e8f_943f33c4f004.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\powerpoint\licensesetdata._e40dcb44_1d5c_4085_8e8f_943f33c4f004.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectpro\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectpro\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectpro\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectpro\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectpro\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectpro\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectpro\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectpro\licensesetdata._4a5d124a_e620_44ba_b6ff_658961b33b9a.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectpro\licensesetdata._4a5d124a_e620_44ba_b6ff_658961b33b9a.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectpro\licensesetdata._4a5d124a_e620_44ba_b6ff_658961b33b9a.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectpro\licensesetdata._ed34dc89_1c27_4ecd_8b2f_63d0f4cedc32.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectpro\licensesetdata._ed34dc89_1c27_4ecd_8b2f_63d0f4cedc32.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectpro\licensesetdata._ed34dc89_1c27_4ecd_8b2f_63d0f4cedc32.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectpro\licensesetdata._ed34dc89_1c27_4ecd_8b2f_63d0f4cedc32.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectstd\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectstd\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectstd\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectstd\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectstd\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectstd\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectstd\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectstd\licensesetdata._2b9e4a37_6230_4b42_bee2_e25ce86c8c7a.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectstd\licensesetdata._2b9e4a37_6230_4b42_bee2_e25ce86c8c7a.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectstd\licensesetdata._2b9e4a37_6230_4b42_bee2_e25ce86c8c7a.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectstd\licensesetdata._2b9e4a37_6230_4b42_bee2_e25ce86c8c7a.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectstd\licensesetdata._427a28d1_d17c_4abf_b717_32c780ba6f07.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectstd\licensesetdata._427a28d1_d17c_4abf_b717_32c780ba6f07.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\projectstd\licensesetdata._427a28d1_d17c_4abf_b717_32c780ba6f07.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._2b88c4f2_ea8f_43cd_805e_4d41346e18a7.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._2b88c4f2_ea8f_43cd_805e_4d41346e18a7.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._2b88c4f2_ea8f_43cd_805e_4d41346e18a7.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._2b88c4f2_ea8f_43cd_805e_4d41346e18a7.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._b322da9c_a2e2_4058_9e4e_f59a6970bd69.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._b322da9c_a2e2_4058_9e4e_f59a6970bd69.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._b322da9c_a2e2_4058_9e4e_f59a6970bd69.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\proplus.reg
c:\program files\kmspico\cert\kmscert2013\publisher\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\publisher\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\publisher\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\publisher\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\publisher\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\publisher\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\publisher\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\publisher\licensesetdata._00c79ff1_6850_443d_bf61_71cde0de305f.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\publisher\licensesetdata._00c79ff1_6850_443d_bf61_71cde0de305f.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\publisher\licensesetdata._00c79ff1_6850_443d_bf61_71cde0de305f.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\publisher\licensesetdata._38ea49f6_ad1d_43f1_9888_99a35d7c9409.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\publisher\licensesetdata._38ea49f6_ad1d_43f1_9888_99a35d7c9409.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\publisher\licensesetdata._38ea49f6_ad1d_43f1_9888_99a35d7c9409.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\publisher\licensesetdata._38ea49f6_ad1d_43f1_9888_99a35d7c9409.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\standard\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\standard\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\standard\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\standard\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\standard\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\standard\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\standard\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\standard\licensesetdata._a24cca51_3d54_4c41_8a76_4031f5338cb2.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\standard\licensesetdata._a24cca51_3d54_4c41_8a76_4031f5338cb2.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\standard\licensesetdata._a24cca51_3d54_4c41_8a76_4031f5338cb2.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\standard\licensesetdata._a24cca51_3d54_4c41_8a76_4031f5338cb2.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\standard\licensesetdata._b13afb38_cd79_4ae5_9f7f_eed058d750ca.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\standard\licensesetdata._b13afb38_cd79_4ae5_9f7f_eed058d750ca.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\standard\licensesetdata._b13afb38_cd79_4ae5_9f7f_eed058d750ca.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiopro\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiopro\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiopro\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiopro\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiopro\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiopro\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiopro\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiopro\licensesetdata._3e4294dd_a765_49bc_8dbd_cf8b62a4bd3d.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiopro\licensesetdata._3e4294dd_a765_49bc_8dbd_cf8b62a4bd3d.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiopro\licensesetdata._3e4294dd_a765_49bc_8dbd_cf8b62a4bd3d.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiopro\licensesetdata._3e4294dd_a765_49bc_8dbd_cf8b62a4bd3d.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiopro\licensesetdata._e13ac10e_75d0_4aff_a0cd_764982cf541c.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiopro\licensesetdata._e13ac10e_75d0_4aff_a0cd_764982cf541c.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiopro\licensesetdata._e13ac10e_75d0_4aff_a0cd_764982cf541c.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiopro\visio.reg
c:\program files\kmspico\cert\kmscert2013\visiostd\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiostd\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiostd\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiostd\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiostd\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiostd\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiostd\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiostd\licensesetdata._44a1f6ff_0876_4edb_9169_dbb43101ee89.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiostd\licensesetdata._44a1f6ff_0876_4edb_9169_dbb43101ee89.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiostd\licensesetdata._44a1f6ff_0876_4edb_9169_dbb43101ee89.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiostd\licensesetdata._44a1f6ff_0876_4edb_9169_dbb43101ee89.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiostd\licensesetdata._ac4efaf0_f81f_4f61_bdf7_ea32b02ab117.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiostd\licensesetdata._ac4efaf0_f81f_4f61_bdf7_ea32b02ab117.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visiostd\licensesetdata._ac4efaf0_f81f_4f61_bdf7_ea32b02ab117.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\word\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\word\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\word\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\word\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\word\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\word\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\word\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\word\licensesetdata._9cedef15_be37_4ff0_a08a_13a045540641.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\word\licensesetdata._9cedef15_be37_4ff0_a08a_13a045540641.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\word\licensesetdata._9cedef15_be37_4ff0_a08a_13a045540641.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\word\licensesetdata._9cedef15_be37_4ff0_a08a_13a045540641.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\word\licensesetdata._d9f5b1c6_5386_495a_88f9_9ad6b41ac9b3.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\word\licensesetdata._d9f5b1c6_5386_495a_88f9_9ad6b41ac9b3.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\word\licensesetdata._d9f5b1c6_5386_495a_88f9_9ad6b41ac9b3.ppdlic.xrm-ms
c:\program files\kmspico\driver\openvpn.cer
c:\program files\kmspico\driver\tap-windows-9.9.2_3.exe
c:\program files\kmspico\driver\uninstalldriver.cmd
c:\program files\kmspico\icons\error.png
c:\program files\kmspico\icons\information.png
c:\program files\kmspico\icons\question.png
c:\program files\kmspico\icons\warning.png
c:\program files\kmspico\logs\autopico.log
c:\program files\kmspico\logs\kmseldi.log
c:\program files\kmspico\logs\service_kms.log
c:\program files\kmspico\scripts\enablesmartscreen.cmd
c:\program files\kmspico\scripts\enablesmartscreen.reg
c:\program files\kmspico\scripts\install_service.cmd
c:\program files\kmspico\scripts\install_task.cmd
c:\program files\kmspico\scripts\log.cmd
c:\program files\kmspico\scripts\silent.cmd
c:\program files\kmspico\scripts\uninstall_service.cmd
c:\program files\kmspico\sounds\affirmative.mp3
c:\program files\kmspico\sounds\begin.mp3
c:\program files\kmspico\sounds\complete.mp3
c:\program files\kmspico\sounds\diagnostic.mp3
c:\program files\kmspico\sounds\enterauthorizationcode.mp3
c:\program files\kmspico\sounds\incomingtransmission.mp3
c:\program files\kmspico\sounds\inputfailed.mp3
c:\program files\kmspico\sounds\inputok.mp3
c:\program files\kmspico\sounds\processing.mp3
c:\program files\kmspico\sounds\transfer.mp3
c:\program files\kmspico\sounds\verified.mp3
c:\program files\kmspico\sounds\warning.mp3
c:\steamlibrary\steamapps\common\smite\battlegame\cookedpc\characters\npcs\npc_ward_firecracker.upk
c:\steamlibrary\steamapps\common\smite\battlegame\cookedpc\sounds\aud_npc_ward_firecracker.upk
scanner sequence 3.ZZ.11.CKNAWZ
 ----- EOF -----

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21.02.2018
Ran by Allison Lewski (administrator) on ALLISON (22-02-2018 08:11:29)
Running from G:\Downloads Firefox
Loaded Profiles: Allison Lewski (Available Profiles: Allison Lewski)
Platform: Windows 8.1 Pro (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(TOSHIBA CORPORATION) C:\Windows\System32\iaoterwsvc.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(Hi-Rez Studios) C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
() C:\Users\Allison Lewski\AppData\Local\aumvxot\vdhzswo.exe
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Program Files (x86)\EVGA Precision X\EVGAPrecision.exe
(Discord Inc.) C:\Users\Allison Lewski\AppData\Local\Discord\app-0.0.300\Discord.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Discord Inc.) C:\Users\Allison Lewski\AppData\Local\Discord\app-0.0.300\Discord.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Spotify Ltd) C:\Users\Allison Lewski\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(Spotify Ltd) C:\Users\Allison Lewski\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(Discord Inc.) C:\Users\Allison Lewski\AppData\Local\Discord\app-0.0.300\Discord.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\prevhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [WindowsDefender] => "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\Run: [Discord] => C:\Users\Allison Lewski\AppData\Local\Discord\app-0.0.300\Discord.exe [57821176 2018-01-08] (Discord Inc.)
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\Run: [Spotify] => C:\Users\Allison Lewski\AppData\Roaming\Spotify\Spotify.exe [21325200 2018-02-15] (Spotify Ltd)
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\Run: [Spotify Web Helper] => C:\Users\Allison Lewski\AppData\Roaming\Spotify\SpotifyWebHelper.exe [780688 2018-02-15] (Spotify Ltd)
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\MountPoints2: {363fbe9e-03f4-11e8-8381-bcaec5b71406} - "F:\SISetup.exe"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\MountPoints2: {dddef49f-0b76-11e8-838c-bcaec5b71406} - "F:\setup.exe"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [589312 2014-10-28] (Microsoft Corporation)
Startup: C:\Users\Allison Lewski\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Twitch.lnk [2018-02-07]
ShortcutTarget: Twitch.lnk -> C:\Users\Allison Lewski\AppData\Roaming\Twitch\Bin\Twitch.exe (Twitch Interactive, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 24.116.0.53 24.116.2.50
Tcpip\..\Interfaces\{bbed3e08-0b41-11e3-8249-806e6f6e6963}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{F1F654A3-A9BF-44A6-A7A2-284E70B811F8}: [DhcpNameServer] 24.116.0.53 24.116.2.50

Internet Explorer:
==================

FireFox:
========
FF DefaultProfile: 4lefnmm5.default
FF ProfilePath: C:\Users\Allison Lewski\AppData\Roaming\Mozilla\Firefox\Profiles\4lefnmm5.default [2018-02-22]
FF Extension: (uBlock Origin) - C:\Users\Allison Lewski\AppData\Roaming\Mozilla\Firefox\Profiles\4lefnmm5.default\Extensions\uBlock0@raymondhill.net.xpi [2018-02-20]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_27_0_0_183.dll [2017-10-25] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_27_0_0_183.dll [2017-10-25] ()
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2018-02-11] (Adobe Systems Inc.)
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\secure_cert.js [2018-02-19]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

HKLM\SYSTEM\CurrentControlSet\Services\magxso <==== ATTENTION (Rootkit!)

S2 EasyAntiCheat; C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe [526888 2018-01-06] (EasyAntiCheat Ltd)
U2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9728 2018-02-19] (Hi-Rez Studios) [File not signed]
S3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-12] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-12] (Microsoft Corporation)
S4 apexpsvc; "C:\Users\Allison Lewski\AppData\Local\ibvpu\apexpsvc.exe" /svc [X]
S4 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S4 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 amdkmafd; C:\Windows\System32\drivers\amdkmafd.sys [21160 2012-09-22] (Advanced Micro Devices, Inc.)
S3 athur; C:\Windows\system32\DRIVERS\athuwbx.sys [2702336 2017-03-11] (Qualcomm Atheros Communications, Inc.)
S3 cpuz140; C:\Users\Allison Lewski\AppData\Local\Temp\cpuz140\cpuz140_x64.sys [45888 2017-11-19] (CPUID) <==== ATTENTION
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [131984 2017-05-18] (Samsung Electronics Co., Ltd.)
S3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2018-02-21] (Malwarebytes)
R3 MTsensor; C:\Windows\system32\DRIVERS\ASACPI.sys [17280 2013-05-17] ()
S3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2010-03-05] (Marvell Semiconductor, Inc.)
R3 RTCore64; C:\Program Files (x86)\EVGA Precision X\RTCore64.sys [15176 2013-07-17] ()
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (Samsung Electronics Co., Ltd.)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [46600 2017-02-10] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [274776 2017-01-12] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [117592 2017-01-12] (Microsoft Corporation)
S4 beeeii; system32\drivers\vyyybb.sys [X]
S4 dlidxfht; \??\C:\Windows\system32\drivers\dlidxfht.sys [X]
S4 ElbyCDIO; System32\Drivers\ElbyCDIO.sys [X]
S3 GPU-Z; \??\C:\Users\ALLISO~1\AppData\Local\Temp\GPU-Z.sys [X] <==== ATTENTION
S4 MpKslefafb96f; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8BE8D72B-BC39-47A7-AD65-2323D37EE158}\MpKslefafb96f.sys [X]
R3 vzcfjm; system32\drivers\cfimps.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-02-21 17:58 - 2018-02-22 08:11 - 000000000 ____D C:\FRST
2018-02-21 17:21 - 2018-02-21 17:21 - 000143184 ____N C:\Windows\system32\Drivers\pwiadhkn.sys
2018-02-21 17:20 - 2018-02-21 17:23 - 000253880 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-02-21 11:43 - 2018-02-21 17:10 - 000025600 ___SH C:\Users\Allison Lewski\Documents\Thumbs.db
2018-02-21 11:35 - 2018-02-21 11:35 - 000000000 ____D C:\Windows\system32\appraiser
2018-02-21 11:23 - 2017-12-12 06:10 - 000875688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcr120_clr0400.dll
2018-02-21 11:23 - 2017-12-12 06:10 - 000536744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcp120_clr0400.dll
2018-02-21 11:23 - 2017-12-12 06:07 - 000869544 _____ (Microsoft Corporation) C:\Windows\system32\msvcr120_clr0400.dll
2018-02-21 11:23 - 2017-12-12 06:07 - 000678568 _____ (Microsoft Corporation) C:\Windows\system32\msvcp120_clr0400.dll
2018-02-21 11:23 - 2016-10-20 06:14 - 000029888 _____ (Microsoft Corporation) C:\Windows\system32\aspnet_counters.dll
2018-02-21 11:23 - 2016-10-20 06:10 - 000028352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aspnet_counters.dll
2018-02-21 11:19 - 2018-01-21 04:09 - 000145080 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2018-02-21 11:19 - 2018-01-20 23:13 - 001994752 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2018-02-21 11:19 - 2018-01-20 23:13 - 001569280 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2018-02-21 11:19 - 2018-01-20 23:13 - 000749568 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2018-02-21 11:19 - 2018-01-20 23:13 - 000654336 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2018-02-21 11:19 - 2018-01-20 23:13 - 000604672 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2018-02-21 11:19 - 2018-01-20 23:13 - 000450048 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2018-02-21 11:19 - 2018-01-20 23:13 - 000378880 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2018-02-21 11:19 - 2018-01-20 23:13 - 000262144 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2018-02-21 11:19 - 2018-01-20 23:13 - 000236544 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2018-02-21 11:19 - 2018-01-01 22:28 - 000013312 _____ (Microsoft Corporation) C:\Windows\system32\pcalua.exe
2018-02-21 11:19 - 2018-01-01 21:16 - 000464384 _____ (Microsoft Corporation) C:\Windows\system32\pcasvc.dll
2018-02-21 10:51 - 2018-02-21 10:51 - 000001453 _____ C:\Users\Allison Lewski\Desktop\firefox - Shortcut.lnk
2018-02-21 10:14 - 2018-02-21 10:14 - 000012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2018-02-21 10:14 - 2018-02-21 10:14 - 000001962 _____ C:\Windows\system32\.crusader
2018-02-21 10:14 - 2018-02-21 10:14 - 000001314 _____ C:\Windows\system32\bootdelete.lst
2018-02-21 10:10 - 2018-02-21 10:14 - 000000000 ____D C:\ProgramData\HitmanPro
2018-02-21 10:10 - 2018-02-21 10:10 - 000055232 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2018-02-20 18:32 - 2018-02-20 18:32 - 000000003 _____ C:\Users\Allison\HRUPPROG.TXT
2018-02-20 18:32 - 2018-02-20 18:32 - 000000003 _____ C:\Users\Allison\HRUPPROG.EXIT
2018-02-20 18:32 - 2018-02-20 18:32 - 000000000 ____D C:\Users\Allison
2018-02-20 16:16 - 2018-02-20 16:16 - 000000000 ____D C:\Users\Allison Lewski\AppData\Roaming\.mono
2018-02-20 16:16 - 2018-02-20 16:16 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\Colossal Order
2018-02-20 16:16 - 2018-02-20 16:16 - 000000000 ____D C:\ProgramData\.mono
2018-02-20 11:40 - 2018-02-20 11:40 - 000003504 _____ C:\Users\Allison Lewski\Desktop\MWB log 1.txt
2018-02-20 11:06 - 2018-02-20 11:06 - 000001157 _____ C:\Users\Allison Lewski\Desktop\adwcleaner_7.0.8.0 - Shortcut.lnk
2018-02-20 11:02 - 2018-02-20 11:39 - 000000000 ____D C:\AdwCleaner
2018-02-20 10:40 - 2018-02-21 20:24 - 002888704 _____ (TOSHIBA CORPORATION) C:\Windows\system32\iaoterwsvc.exe
2018-02-19 19:26 - 2018-02-21 20:24 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-02-19 18:39 - 2018-02-19 18:39 - 000000000 ____D C:\Windows\pss
2018-02-19 18:20 - 2018-02-21 21:50 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\sinkdzx
2018-02-19 18:18 - 2018-02-21 17:23 - 000002090 _____ C:\Users\Allison Lewski\Desktop\Rkill.txt
2018-02-19 18:17 - 2018-02-21 22:02 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\atbmxhd
2018-02-19 18:17 - 2018-02-19 18:20 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\aumvxot
2018-02-19 18:16 - 2018-02-19 19:44 - 002888704 ____R C:\Windows\system32\iaoterwsvcf.exe
2018-02-19 18:16 - 2018-02-19 18:16 - 000000012 _____ C:\Windows\b61275733
2018-02-19 18:16 - 2018-02-19 18:16 - 000000000 ____D C:\Windows\SysWOW64\rtepdnv
2018-02-19 18:16 - 2018-02-19 18:16 - 000000000 ____D C:\Windows\system32\rtepdnv
2018-02-19 18:16 - 2018-02-19 18:16 - 000000000 ____D C:\Users\Allison Lewski\AppData\Roaming\et
2018-02-19 18:12 - 2018-02-19 18:12 - 001286144 _____ C:\Windows\d73a5bce2d40b3acebc67264591a1f4e.dll
2018-02-19 08:51 - 2018-02-19 08:51 - 000041210 _____ C:\Windows\uninstaller.dat
2018-02-18 17:55 - 2018-02-18 17:55 - 000000218 _____ C:\Users\Allison Lewski\AppData\Local\recently-used.xbel
2018-02-11 16:14 - 2018-02-11 16:14 - 000000000 ____D C:\ProgramData\Twitch
2018-02-09 13:02 - 2018-02-09 13:02 - 000000000 ____D C:\Users\Allison Lewski\AppData\LocalLow\AMD
2018-02-08 16:48 - 2018-02-08 16:48 - 000001368 _____ C:\Users\Allison Lewski\Desktop\Sid Meiers Civilization VI Rise and Fall.lnk
2018-02-08 16:48 - 2018-02-08 16:48 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sid Meiers Civilization VI Rise and Fall
2018-02-08 16:44 - 2018-02-08 16:44 - 000000000 ____D C:\Games
2018-02-08 07:37 - 2018-02-08 07:37 - 000000000 ___HD C:\ProgramData\CanonBJ
2018-02-07 08:24 - 2018-02-19 18:37 - 000000000 ____D C:\Users\Allison Lewski\AppData\Roaming\Twitch
2018-02-07 07:53 - 2018-02-07 07:53 - 000000849 _____ C:\Users\Public\Desktop\World of Warcraft.lnk
2018-02-07 07:53 - 2018-02-07 07:53 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft
2018-02-06 12:48 - 2018-02-06 13:45 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\AMD
2018-02-06 12:48 - 2018-02-06 12:48 - 000004234 _____ C:\Windows\System32\Tasks\AMD Updater
2018-02-06 12:48 - 2018-02-06 12:48 - 000000000 ____D C:\Program Files\Common Files\ATI Technologies
2018-02-06 12:47 - 2018-02-06 12:47 - 000000000 ____D C:\Program Files (x86)\VulkanRT
2018-02-06 12:47 - 2017-07-04 15:38 - 009446336 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiumd64.dll
2018-02-06 12:47 - 2017-07-04 15:38 - 007663888 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdag.dll
2018-02-06 12:47 - 2017-07-04 15:38 - 000522632 _____ C:\Windows\system32\GameManager64.dll
2018-02-06 12:47 - 2017-07-04 15:38 - 000207760 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiuxp64.dll
2018-02-06 12:47 - 2017-07-04 15:38 - 000185088 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiu9p64.dll
2018-02-06 12:47 - 2017-07-04 15:38 - 000161344 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiuxpag.dll
2018-02-06 12:47 - 2017-07-04 15:38 - 000143864 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiu9pag.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 015728008 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\aticaldd64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 014318984 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticaldd.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 013254256 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdva.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 012574408 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atidxx64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 010444400 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atidxx32.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 001654880 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\aticfx64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 001507720 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atiadlxx.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 001347952 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\aticfx32.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 001032072 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxy.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 001032072 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxx.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000768904 _____ (AMD) C:\Windows\system32\atieclxx.exe
2018-02-06 12:47 - 2017-07-04 15:37 - 000544136 _____ (AMD) C:\Windows\system32\atitmm64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000543112 _____ C:\Windows\system32\dgtrayicon.exe
2018-02-06 12:47 - 2017-07-04 15:37 - 000543112 _____ (AMD) C:\Windows\system32\atiesrxx.exe
2018-02-06 12:47 - 2017-07-04 15:37 - 000537992 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Rapidfire64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000520584 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\atikmpag.sys
2018-02-06 12:47 - 2017-07-04 15:37 - 000475016 _____ C:\Windows\system32\atieah64.exe
2018-02-06 12:47 - 2017-07-04 15:37 - 000469384 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\Rapidfire.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000458632 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atidemgy.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000402312 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atiapfxx.exe
2018-02-06 12:47 - 2017-07-04 15:37 - 000356744 _____ C:\Windows\SysWOW64\GameManager32.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000349064 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\ATIODE.exe
2018-02-06 12:47 - 2017-07-04 15:37 - 000325512 _____ C:\Windows\SysWOW64\atieah32.exe
2018-02-06 12:47 - 2017-07-04 15:37 - 000236424 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atig6txx.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000194952 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atigktxx.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000182664 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\mantle64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000161160 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\mantleaxl64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000155528 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atig6pxx.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000142216 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\mantle32.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000126344 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\mantleaxl32.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000124808 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiglpxx.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000124808 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiglpxx.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000114056 _____ (AMD) C:\Windows\system32\atimuixx.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000078728 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\aticalrt64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000072072 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\aticalcl64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000068488 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalrt.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000067464 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\ATIODCLI.exe
2018-02-06 12:47 - 2017-07-04 15:37 - 000065416 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalcl.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000060296 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\ati2erec.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000036232 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\RapidFireServer64.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000033672 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\RapidFireServer.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000020360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\detoured.dll
2018-02-06 12:47 - 2017-07-04 15:37 - 000020360 _____ (Microsoft Corporation) C:\Windows\system32\detoured.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 059237768 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\amdocl64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 046457736 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\amdocl.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 036562312 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\atikmdag.sys
2018-02-06 12:47 - 2017-07-04 15:36 - 028797832 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\amdocl12cl64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 022739336 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\amdocl12cl.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 014414072 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiumd6a.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 010313608 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdvlk64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 009899912 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdmantle64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 007955848 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdmantle32.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 002527624 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\amfrt64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 002189704 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\amfrt32.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000915848 _____ (AMD) C:\Windows\system32\coinst_17.10.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000855432 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\amdlvr64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000687496 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\amdlvr32.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000559984 _____ C:\Windows\system32\amdmiracast.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000505736 _____ C:\Windows\system32\amdgfxinfo64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000351624 _____ C:\Windows\SysWOW64\amdgfxinfo32.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000305544 _____ (Advanced Micro Devices) C:\Windows\system32\Drivers\amdacpksd.sys
2018-02-06 12:47 - 2017-07-04 15:36 - 000269704 _____ C:\Windows\system32\clinfo.exe
2018-02-06 12:47 - 2017-07-04 15:36 - 000185600 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\amdhcp64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000159112 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atisamu64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000154152 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\amdhcp32.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000128968 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdave64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000124808 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atisamu32.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000121240 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atimpc64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000121240 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdpcom64.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000112520 _____ (Khronos Group) C:\Windows\system32\OpenCL.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000106248 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdave32.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000103304 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000092840 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atimpc32.dll
2018-02-06 12:47 - 2017-07-04 15:36 - 000092840 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdpcom32.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 032738184 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atio6axx.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 026831240 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atioglxx.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 008471432 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdvlk32.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 000456584 _____ C:\Windows\system32\amdhdl64.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 000311176 _____ C:\Windows\SysWOW64\amdhdl32.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 000166280 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amduve64.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 000135560 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amduve32.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 000082824 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdmcl64.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 000066952 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdmmcl6.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 000066440 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdmcl32.dll
2018-02-06 12:47 - 2017-07-04 15:35 - 000054664 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdmmcl.dll
2018-02-06 12:47 - 2017-07-04 14:59 - 000798552 _____ C:\Windows\SysWOW64\atiapfxx.blb
2018-02-06 12:47 - 2017-07-04 14:59 - 000798552 _____ C:\Windows\system32\atiapfxx.blb
2018-02-06 12:47 - 2017-07-04 14:58 - 003437632 _____ C:\Windows\system32\atiumd6a.cap
2018-02-06 12:47 - 2017-07-04 14:57 - 000204952 _____ C:\Windows\SysWOW64\ativvsvl.dat
2018-02-06 12:47 - 2017-07-04 14:57 - 000204952 _____ C:\Windows\system32\ativvsvl.dat
2018-02-06 12:47 - 2017-07-04 14:57 - 000157144 _____ C:\Windows\SysWOW64\ativvsva.dat
2018-02-06 12:47 - 2017-07-04 14:57 - 000157144 _____ C:\Windows\system32\ativvsva.dat
2018-02-06 12:47 - 2017-07-04 14:53 - 003471376 _____ C:\Windows\SysWOW64\atiumdva.cap
2018-02-06 12:47 - 2017-07-04 08:29 - 000368576 _____ C:\Windows\system32\ativvaxy_el_nd.dat
2018-02-06 12:47 - 2017-06-22 01:46 - 000951878 _____ C:\Windows\system32\amdicdxx.dat
2018-02-06 12:47 - 2017-05-16 08:15 - 000166560 _____ C:\Windows\system32\amde34b.dat
2018-02-06 12:47 - 2017-05-16 08:15 - 000166560 _____ C:\Windows\system32\amde34a.dat
2018-02-06 12:47 - 2017-05-16 08:03 - 000159072 _____ C:\Windows\system32\amde31a.dat
2018-02-06 12:47 - 2017-05-16 08:01 - 000160768 _____ C:\Windows\system32\ativce03.dat
2018-02-06 12:47 - 2017-03-03 09:39 - 000120368 _____ C:\Windows\system32\kapp_ci.sbin
2018-02-06 12:47 - 2017-02-16 16:51 - 000234292 _____ C:\Windows\system32\ativvaxy_cik.dat
2018-02-06 12:47 - 2017-02-16 16:51 - 000234032 _____ C:\Windows\system32\ativvaxy_cik_nd.dat
2018-02-06 12:47 - 2017-02-16 16:42 - 000325316 _____ C:\Windows\system32\ativvaxy_vi.dat
2018-02-06 12:47 - 2017-02-16 16:42 - 000325056 _____ C:\Windows\system32\ativvaxy_vi_nd.dat
2018-02-06 12:47 - 2017-02-16 16:34 - 000266772 _____ C:\Windows\system32\ativvaxy_FJ.dat
2018-02-06 12:47 - 2017-02-16 16:34 - 000266512 _____ C:\Windows\system32\ativvaxy_FJ_nd.dat
2018-02-06 12:47 - 2017-02-16 16:29 - 000276960 _____ C:\Windows\system32\ativvaxy_stn_nd.dat
2018-02-06 12:47 - 2017-02-16 15:28 - 000271456 _____ C:\Windows\system32\ativvaxy_cz_nd.dat
2018-02-06 12:47 - 2017-02-16 15:20 - 000369792 _____ C:\Windows\system32\ativvaxy_gl_nd.dat
2018-02-06 12:47 - 2017-01-27 15:05 - 000103936 _____ C:\Windows\SysWOW64\vulkaninfo.exe
2018-02-06 12:47 - 2017-01-27 15:04 - 000326656 _____ C:\Windows\SysWOW64\vulkan-1.dll
2018-02-06 12:47 - 2017-01-27 15:02 - 000118272 _____ C:\Windows\system32\vulkaninfo.exe
2018-02-06 12:47 - 2017-01-27 15:01 - 000322560 _____ C:\Windows\system32\vulkan-1.dll
2018-02-06 12:47 - 2017-01-26 10:33 - 000164960 _____ C:\Windows\system32\amde40a.dat
2018-02-06 12:47 - 2017-01-12 15:25 - 000100832 _____ C:\Windows\system32\ativce02.dat
2018-02-06 12:47 - 2016-10-17 12:28 - 000020580 _____ C:\Windows\system32\AMDKernelEvents.man
2018-02-06 12:47 - 2016-09-02 15:30 - 000114704 _____ C:\Windows\system32\kapp_si.sbin
2018-02-06 12:47 - 2016-09-02 08:24 - 000154384 _____ C:\Windows\system32\samu_krnl_ci.sbin
2018-02-06 12:47 - 2015-12-16 14:06 - 000000144 _____ C:\Windows\system32\amd-vulkan64.json
2018-02-06 12:47 - 2015-12-15 10:54 - 000000144 _____ C:\Windows\SysWOW64\amd-vulkan32.json
2018-02-06 12:47 - 2014-11-06 03:53 - 000737410 _____ C:\Windows\system32\atiicdxx.dat
2018-02-06 12:47 - 2013-12-12 06:53 - 000138832 _____ C:\Windows\system32\samu_krnl_isv_ci.sbin
2018-02-06 12:47 - 2012-09-22 16:17 - 000021160 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\amdkmafd.sys
2018-02-06 12:44 - 2018-02-06 12:48 - 000000000 ____D C:\Program Files\AMD
2018-02-06 12:25 - 2018-02-06 12:25 - 000497200 _____ C:\Windows\Minidump\020618-10593-01.dmp
2018-02-06 11:41 - 2018-02-06 12:40 - 000000000 ____D C:\Windows\system32\Drivers\NVIDIA Corporation
2018-01-31 16:35 - 2018-01-31 16:35 - 000000000 __SHD C:\Windows\ftpcache
2018-01-31 16:35 - 2018-01-31 16:35 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2018-01-31 16:35 - 2010-04-07 06:04 - 000127800 _____ (HP) C:\Windows\system32\HPSIsvc.exe
2018-01-31 16:35 - 2010-03-04 16:56 - 001695232 _____ C:\Windows\system32\HP1100SM.EXE
2018-01-31 16:35 - 2010-03-04 16:56 - 000289280 _____ C:\Windows\system32\HP1100LM.DLL
2018-01-31 16:34 - 2018-01-31 16:34 - 000000000 ____D C:\Program Files\HP
2018-01-31 16:34 - 2010-03-05 16:41 - 001490656 _____ (Microsoft Corporation) C:\Windows\system32\WdfCoInstaller01007.dll
2018-01-31 16:34 - 2010-03-05 16:41 - 000082432 _____ C:\Windows\system32\mvusbews.dll
2018-01-31 16:34 - 2010-03-05 16:41 - 000020480 _____ (Marvell Semiconductor, Inc.) C:\Windows\system32\Drivers\mvusbews.sys
2018-01-31 16:34 - 2010-03-05 16:40 - 000049664 _____ C:\Windows\system32\HP1100SMs.dll
2018-01-31 16:34 - 2010-03-04 16:03 - 000350720 _____ C:\Windows\system32\mvhlewsi.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-02-22 08:11 - 2016-12-26 12:42 - 000003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3972468611-1799533628-2338857112-1001
2018-02-22 08:10 - 2018-01-01 16:10 - 000000000 ____D C:\Program Files (x86)\Sid Meiers Civilization VI
2018-02-22 08:06 - 2013-08-22 08:20 - 000000000 ____D C:\Windows\CbsTemp
2018-02-22 08:05 - 2016-12-26 12:53 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Deluge
2018-02-22 08:05 - 2016-12-26 12:53 - 000000000 ____D C:\Program Files (x86)\Deluge
2018-02-22 08:05 - 2013-08-22 08:36 - 000000000 ____D C:\Windows\AppCompat
2018-02-22 07:58 - 2017-02-20 09:02 - 000000000 ____D C:\Users\Allison Lewski\AppData\Roaming\Spotify
2018-02-22 07:58 - 2017-02-20 09:02 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\Spotify
2018-02-22 07:58 - 2016-12-26 11:38 - 000000000 ____D C:\Users\Allison Lewski\AppData\LocalLow\Mozilla
2018-02-21 22:02 - 2016-12-26 12:57 - 000003038 _____ C:\Windows\System32\Tasks\EVGAPrecision
2018-02-21 22:02 - 2016-12-26 12:37 - 000000000 ____D C:\Users\Allison Lewski
2018-02-21 22:02 - 2014-04-19 11:37 - 000000000 ____D C:\Program Files (x86)\Steam
2018-02-21 22:01 - 2016-12-26 11:36 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\Battle.net
2018-02-21 20:30 - 2016-12-26 12:41 - 000863592 _____ C:\Windows\system32\PerfStringBackup.INI
2018-02-21 20:30 - 2013-08-22 06:36 - 000000000 ____D C:\Windows\Inf
2018-02-21 20:24 - 2017-11-25 22:54 - 000000000 ____D C:\Program Files (x86)\Hi-Rez Studios
2018-02-21 17:31 - 2017-11-10 08:44 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\Google
2018-02-21 17:31 - 2017-11-10 08:44 - 000000000 ____D C:\Program Files (x86)\Google
2018-02-21 17:31 - 2017-11-10 08:40 - 000000000 __SHD C:\Users\Allison Lewski\AppData\Local\EmieUserList
2018-02-21 17:31 - 2017-11-10 08:40 - 000000000 __SHD C:\Users\Allison Lewski\AppData\Local\EmieSiteList
2018-02-21 17:22 - 2013-08-22 06:25 - 009961472 _____ C:\Windows\system32\config\HARDWARE
2018-02-21 17:21 - 2016-12-26 13:13 - 000065536 _____ C:\Windows\system32\spu_storage.bin
2018-02-21 17:19 - 2017-02-19 20:03 - 000505344 ___SH C:\Users\Allison Lewski\Desktop\Thumbs.db
2018-02-21 11:35 - 2018-01-09 16:22 - 000000000 ___SD C:\Windows\system32\CompatTel
2018-02-21 10:17 - 2017-01-16 16:46 - 000000000 ____D C:\Users\Allison Lewski\AppData\Roaming\discord
2018-02-20 11:16 - 2018-01-02 15:09 - 000000000 ____D C:\Users\Allison Lewski\AppData\Local\CrashDumps
2018-02-20 10:44 - 2013-08-22 08:36 - 000000000 ____D C:\Windows\system32\NDF
2018-02-19 18:17 - 2016-12-26 12:37 - 000001057 _____ C:\Users\Allison Lewski\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-02-18 19:54 - 2016-12-26 12:04 - 000000000 ____D C:\Users\Allison Lewski\AppData\Roaming\vlc
2018-02-18 16:18 - 2016-12-26 12:54 - 000000000 ____D C:\Users\Allison Lewski\AppData\Roaming\deluge
2018-02-14 10:37 - 2013-08-22 08:36 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2018-02-13 19:53 - 2017-08-28 15:45 - 000004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2018-02-13 19:53 - 2017-08-28 15:45 - 000002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2018-02-11 16:13 - 2017-11-10 08:41 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-02-11 15:05 - 2016-12-26 12:56 - 000000000 ____D C:\Program Files (x86)\EVGA Precision X
2018-02-10 09:25 - 2017-11-10 08:41 - 000000951 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2018-02-10 09:25 - 2017-11-10 08:41 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-02-07 20:49 - 2017-11-25 22:55 - 000000000 ____D C:\Users\Allison Lewski\Documents\My Games
2018-02-07 08:24 - 2017-04-24 18:14 - 000000971 _____ C:\Users\Allison Lewski\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Twitch.lnk
2018-02-06 12:41 - 2017-10-11 17:56 - 000376020 _____ C:\Windows\ntbtlog.txt
2018-02-06 12:25 - 2017-03-27 11:05 - 285578769 _____ C:\Windows\MEMORY.DMP
2018-02-06 11:50 - 2018-01-06 18:36 - 000000222 _____ C:\Users\Allison Lewski\Desktop\SMITE.url
2018-02-06 11:41 - 2013-08-22 08:36 - 000000000 ____D C:\Windows\Help
2018-02-06 11:36 - 2013-08-22 06:25 - 000262144 ___SH C:\Windows\system32\config\BBI
2018-02-05 13:38 - 2018-01-09 16:25 - 000835576 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2018-02-05 13:38 - 2018-01-09 16:25 - 000177648 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2018-01-02 16:11 - 2018-01-02 16:11 - 000000000 _____ () C:\Users\Allison Lewski\AppData\Roaming\FC29FA0894FE.ini
2018-02-18 17:55 - 2018-02-18 17:55 - 000000218 _____ () C:\Users\Allison Lewski\AppData\Local\recently-used.xbel

Some files in TEMP:
====================
2018-01-08 20:34 - 2018-01-08 20:34 - 001160072 _____ () C:\Users\Allison Lewski\AppData\Local\Temp\AMDCleanupUtility.exe
2018-02-19 18:11 - 2018-02-19 18:11 - 000024576 _____ (1010 Vine Street) C:\Users\Allison Lewski\AppData\Local\Temp\capi.exe
2018-01-08 20:34 - 2018-01-08 20:34 - 000250248 _____ () C:\Users\Allison Lewski\AppData\Local\Temp\Cleanup.dll
2018-02-19 18:18 - 2018-02-19 18:18 - 000020480 _____ () C:\Users\Allison Lewski\AppData\Local\Temp\cubesta.exe
2018-01-08 20:34 - 2018-01-08 20:34 - 000065536 _____ (Windows ® Server 2003 DDK provider) C:\Users\Allison Lewski\AppData\Local\Temp\ddu.exe
2018-01-08 20:34 - 2018-01-08 20:34 - 000414152 _____ (Microsoft Corporation) C:\Users\Allison Lewski\AppData\Local\Temp\difxapi.dll
2018-02-19 18:11 - 2018-02-19 18:11 - 004426557 _____ (Indigo Rose Corporation) C:\Users\Allison Lewski\AppData\Local\Temp\ing.exe
2018-01-08 20:34 - 2018-01-08 20:34 - 000516096 _____ (Microsoft Corporation) C:\Users\Allison Lewski\AppData\Local\Temp\msvcm80.dll
2018-01-08 20:34 - 2018-01-08 20:34 - 001061376 _____ (Microsoft Corporation) C:\Users\Allison Lewski\AppData\Local\Temp\msvcp80.dll
2018-01-08 20:34 - 2018-01-08 20:34 - 000796672 _____ (Microsoft Corporation) C:\Users\Allison Lewski\AppData\Local\Temp\msvcr80.dll
2017-12-22 11:58 - 2017-10-27 09:06 - 000370296 _____ (NVIDIA Corporation) C:\Users\Allison Lewski\AppData\Local\Temp\nvStInst.exe
2018-01-31 16:34 - 2010-04-07 06:07 - 000607800 ____R (HP) C:\Users\Allison Lewski\AppData\Local\Temp\siinst.exe
2018-01-31 16:34 - 2010-04-06 14:41 - 000270336 ____R (HP) C:\Users\Allison Lewski\AppData\Local\Temp\strings.dll
2018-02-19 18:11 - 2018-02-19 18:11 - 001464832 _____ () C:\Users\Allison Lewski\AppData\Local\Temp\XvidCodecInstaller.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\drivers\pwiadhkn.sys -> Access Denied <======= ATTENTION

LastRegBack: 2018-02-15 16:36

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 21.02.2018
Ran by Allison Lewski (22-02-2018 08:11:51)
Running from G:\Downloads Firefox
Windows 8.1 Pro (Update) (X64) (2016-12-26 19:36:50)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3972468611-1799533628-2338857112-500 - Administrator - Disabled)
Allison Lewski (S-1-5-21-3972468611-1799533628-2338857112-1001 - Administrator - Enabled) => C:\Users\Allison Lewski
Guest (S-1-5-21-3972468611-1799533628-2338857112-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3972468611-1799533628-2338857112-1003 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.011.20036 - Adobe Systems Incorporated)
Adobe Flash Player 27 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 27.0.0.183 - Adobe Systems Incorporated)
AMD Software (HKLM\...\AMD Catalyst Install Manager) (Version: 9.0.000.8 - Advanced Micro Devices, Inc.)
Blizzard App (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
CPUID CPU-Z 1.82.1 (HKLM\...\CPUID CPU-Z_is1) (Version: 1.82.1 - )
CPUID HWMonitor 1.30 (HKLM\...\CPUID HWMonitor_is1) (Version:  - )
Discord (HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\Discord) (Version: 0.0.300 - Discord Inc.)
EVGA Precision X 4.2.1 (HKLM-x32\...\PrecisionX) (Version: 4.2.1 - EVGA Corporation)
HD Tune Pro 5.70 (HKLM-x32\...\HD Tune Pro_is1) (Version:  - EFD Software)
Heroes of the Storm (HKLM-x32\...\Heroes of the Storm) (Version:  - Blizzard Entertainment)
HiPatch (HKLM-x32\...\{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF000}) (Version: 6.0.1.2 - Hi-Rez Studios)
Hi-Rez Studios Authenticate and Update Service (HKLM-x32\...\{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF1FC}) (Version: 3.0.0.0 - Hi-Rez Studios)
HP LaserJet Professional P1100-P1560-P1600 Series (HKLM\...\HP LaserJet Professional P1100-P1560-P1600 Series) (Version:  - )
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24123 (HKLM-x32\...\{2cbcedbb-f38c-48a3-a3e1-6c6fd821a7f4}) (Version: 14.0.24123.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24123 (HKLM-x32\...\{206898cc-4b41-4d98-ac28-9f9ae57f91fe}) (Version: 14.0.24123.0 - Microsoft Corporation)
Mozilla Firefox 58.0.2 (x64 en-US) (HKLM\...\Mozilla Firefox 58.0.2 (x64 en-US)) (Version: 58.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 56.0.2 - Mozilla)
Sid Meiers Civilization VI Rise and Fall (HKLM-x32\...\Sid Meiers Civilization VI Rise and Fall_is1) (Version:  - )
Spotify (HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\Spotify) (Version: 1.0.74.380.g1fcff12a - Spotify AB)
StarCraft (HKLM-x32\...\StarCraft) (Version:  - Blizzard Entertainment)
TechPowerUp GPU-Z (HKLM-x32\...\TechPowerUp GPU-Z) (Version:  - TechPowerUp)
Twitch (HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\{DEE70742-F4E9-44CA-B2B9-EE95DCF37295}) (Version: 7.0.0.0 - Twitch Interactive, Inc.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
Vulkan Run Time Libraries 1.0.39.1 (HKLM\...\VulkanRT1.0.39.1) (Version: 1.0.39.1 - LunarG, Inc.)
World of Warcraft (HKLM-x32\...\World of Warcraft) (Version:  - Blizzard Entertainment)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {048F8DFD-933D-4CEA-ACE5-3ACAF1EA4A8B} - \dunne perri preselect -> No File <==== ATTENTION
Task: {1A3139E2-7241-4AE3-8AF3-328C7CF4C66D} - \forgiven longmont -> No File <==== ATTENTION
Task: {203AF1AC-39BD-4C3B-B8F5-D2F77B4B0032} - \badunne perri preselectdunne perri preselect -> No File <==== ATTENTION
Task: {21D3E9EF-4F67-4224-B5A4-D2971B2D1895} - \acquaintanceship-jordanian -> No File <==== ATTENTION
Task: {25FD7262-9C2C-46F6-89ED-24847DC6D767} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-01-17] (Adobe Systems Incorporated)
Task: {328EF2F4-1B42-46CF-8B9E-5822A9F83C9A} - \baforgiven longmontforgiven longmont -> No File <==== ATTENTION
Task: {3B49D590-9B56-4955-AA66-8DEEBE238E73} - System32\Tasks\EVGAPrecision => C:\Program Files (x86)\EVGA Precision X\EVGAPrecision.exe [2013-07-17] ()
Task: {40A599AE-D480-4A18-9978-C669C49DAB97} - \bashir -> No File <==== ATTENTION
Task: {461CD752-DC8E-48A7-8CE9-D52B82DD54F4} - \NT9KxuvhdgOF -> No File <==== ATTENTION
Task: {52749540-3291-4B31-AB8C-EF3B187645D4} - System32\Tasks\{489FB7C6-C8DA-4EC0-B555-E7B1C5E91D22} => C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\Hi-Rez Studios\HiRezGamesDiagAndSupport.exe" -c uninstall=all
Task: {71B6806F-7C07-4DB2-9647-CE94EA5EBDFF} - \batroublesome_addictiontroublesome_addiction -> No File <==== ATTENTION
Task: {7A96C7F0-E0F4-4562-A0A2-4CED65155242} - \troublesome_addiction -> No File <==== ATTENTION
Task: {A20560ED-DE9E-45DA-B1C8-774D08542CB4} - \crush_leicester -> No File <==== ATTENTION
Task: {E03272CB-014C-4595-8092-C5C31A3D8910} - System32\Tasks\AMD Updater => C:\Program Files\AMD\CIM\\Bin64\RadeonInstaller.exe [2017-07-04] (Advanced Micro Devices, Inc.)
Task: {E41EB3C3-48F7-4C11-8CF6-246C0C9E6528} - \babashirbashir -> No File <==== ATTENTION
Task: {E63A9096-015B-4803-800D-52A0E7CC22A5} - \baacquaintanceship-jordanianacquaintanceship-jordanian -> No File <==== ATTENTION
Task: {F8BDC497-989D-460C-A43E-C35ED1567248} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-10-25] (Adobe Systems Incorporated)
Task: {FFA10A5F-AAD7-4BB5-90A4-D40D854515A6} - \bacrush_leicestercrush_leicester -> No File <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2018-01-31 16:35 - 2010-03-04 16:56 - 000289280 _____ () C:\Windows\System32\HP1100LM.DLL
2018-01-31 16:35 - 2010-03-04 16:56 - 000074240 _____ () C:\Windows\system32\spool\PRTPROCS\x64\HP1100PP.DLL
2013-07-17 17:28 - 2013-07-17 17:28 - 000627016 _____ () C:\Program Files (x86)\EVGA Precision X\EVGAPrecision.exe
2013-05-15 09:49 - 2013-05-15 09:49 - 000071680 _____ () C:\Program Files (x86)\EVGA Precision X\RTMUI.dll
2013-05-15 09:48 - 2013-05-15 09:48 - 000056832 _____ () C:\Program Files (x86)\EVGA Precision X\RTFC.dll
2013-05-15 09:49 - 2013-05-15 09:49 - 000216064 _____ () C:\Program Files (x86)\EVGA Precision X\RTCore.dll
2013-05-15 09:49 - 2013-05-15 09:49 - 000127488 _____ () C:\Program Files (x86)\EVGA Precision X\RTUI.dll
2013-05-15 09:49 - 2013-05-15 09:49 - 000587776 _____ () C:\Program Files (x86)\EVGA Precision X\RTHAL.dll
2018-01-08 19:54 - 2018-01-08 17:52 - 001891832 _____ () C:\Users\Allison Lewski\AppData\Local\Discord\app-0.0.300\ffmpeg.dll
2018-01-08 19:54 - 2018-02-10 09:02 - 001780216 _____ () \\?\C:\Users\Allison Lewski\AppData\Roaming\discord\0.0.300\modules\discord_overlay2\discord_overlay2.node
2018-01-08 19:54 - 2018-01-08 17:52 - 001937912 _____ () C:\Users\Allison Lewski\AppData\Local\Discord\app-0.0.300\libglesv2.dll
2018-01-08 19:54 - 2018-01-08 17:52 - 000095736 _____ () C:\Users\Allison Lewski\AppData\Local\Discord\app-0.0.300\libegl.dll
2018-01-08 19:54 - 2018-01-26 07:45 - 009817080 _____ () \\?\C:\Users\Allison Lewski\AppData\Roaming\discord\0.0.300\modules\discord_voice\discord_voice.node
2018-01-08 19:54 - 2018-02-01 09:10 - 001508344 _____ () \\?\C:\Users\Allison Lewski\AppData\Roaming\discord\0.0.300\modules\discord_utils\discord_utils.node
2018-01-08 19:54 - 2018-01-08 19:54 - 000513016 _____ () \\?\C:\Users\Allison Lewski\AppData\Roaming\discord\0.0.300\modules\discord_erlpack\discord_erlpack.node
2018-01-08 19:54 - 2018-01-08 19:54 - 002662904 _____ () \\?\C:\Users\Allison Lewski\AppData\Roaming\discord\0.0.300\modules\discord_rpc\discord_rpc.node
2018-01-08 19:54 - 2018-02-01 09:10 - 001518072 _____ () \\?\C:\Users\Allison Lewski\AppData\Roaming\discord\0.0.300\modules\discord_game_utils\discord_game_utils.node
2018-01-08 19:54 - 2018-01-08 19:54 - 002749944 _____ () \\?\C:\Users\Allison Lewski\AppData\Roaming\discord\0.0.300\modules\discord_contact_import\discord_contact_import.node

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\Allison Lewski\AppData\Local\Temp:$DATA [34]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 06:25 - 2013-08-22 06:25 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Allison Lewski\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
DNS Servers: 24.116.0.53 - 24.116.2.50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: AMD External Events Utility => 2
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: NvTelemetryContainer => 2
MSCONFIG\Services: Service KMSELDI => 2
HKLM\...\StartupApproved\Run: => "StartCN"
HKLM\...\StartupApproved\Run: => "interdepartmentalsurvived"
HKLM\...\StartupApproved\Run: => "interdepartmentalinterdepartmental"
HKLM\...\StartupApproved\Run: => "interdepartmental"
HKLM\...\StartupApproved\Run32: => "doubtsox"
HKLM\...\StartupApproved\Run32: => "doubtdoubt"
HKLM\...\StartupApproved\Run32: => "doubt"
HKLM\...\StartupApproved\Run32: => "VirtualCloneDrive"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\StartupFolder: => "gudrungudrun.lnk"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\StartupFolder: => "gudrun.lnk"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\StartupFolder: => "Twitch.lnk"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\Run: => "alef"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\Run: => "survivedinterdepartmental"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\Run: => "soxdoubt"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\Run: => "hunker"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\Run: => "survivedsurvived"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\Run: => "survived"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\Run: => "soxsox"
HKU\S-1-5-21-3972468611-1799533628-2338857112-1001\...\StartupApproved\Run: => "sox"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{A18E6171-8EA0-4A96-B5AD-994E390ECFD3}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{499ACF6B-5123-4899-8EF8-774E62AF1978}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{0F903FFD-E156-4EDE-9224-5352196E12EB}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{1CD5E963-913D-4EEC-9169-3958CD4DBDFD}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{8EECB8D1-6A27-4039-BF08-DBF7A33FF078}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{ACDAB867-E4CB-4EE4-84D1-89618E93BB23}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{DA77A9A7-F010-46A7-8084-1E4EC94524FD}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{53141641-C889-43B5-B806-6631ED53C365}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [TCP Query User{64C1137D-4F67-4419-B852-0B61C9B85EAE}C:\program files (x86)\deluge\deluge.exe] => (Allow) C:\program files (x86)\deluge\deluge.exe
FirewallRules: [UDP Query User{9456AE20-226D-4B7F-85E1-03CFFF3203B6}C:\program files (x86)\deluge\deluge.exe] => (Allow) C:\program files (x86)\deluge\deluge.exe
FirewallRules: [{A8567CA5-B460-4C1E-964A-B3342792E2EF}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{6E80719C-67EF-4E84-AB55-B276479FAF18}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [TCP Query User{81FD3761-FC06-404D-B41C-F60170EB9659}C:\copied programs\heroes of the storm\versions\base50441\heroesofthestorm_x64.exe] => (Allow) C:\copied programs\heroes of the storm\versions\base50441\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{BC09D8F4-6877-4F05-A858-C3054CD265FF}C:\copied programs\heroes of the storm\versions\base50441\heroesofthestorm_x64.exe] => (Allow) C:\copied programs\heroes of the storm\versions\base50441\heroesofthestorm_x64.exe
FirewallRules: [TCP Query User{51ED8B4D-3C3A-4105-9A18-847417A0385E}C:\users\allison lewski\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\allison lewski\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{ED83096C-A30B-4755-AB23-B9DD57BCC794}C:\users\allison lewski\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\allison lewski\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{4D2873A7-DD1D-4DAE-885B-91B9D711E99B}C:\users\allison lewski\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\allison lewski\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{152E9A59-A11F-40C5-9441-E975F1517F53}C:\users\allison lewski\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\allison lewski\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{B30E2854-D665-4B2F-98DB-B5742414A009}C:\copied programs\heroes of the storm\versions\base50950\heroesofthestorm_x64.exe] => (Allow) C:\copied programs\heroes of the storm\versions\base50950\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{714D606E-0EBD-4BB8-BDB7-06083E7E8C6B}C:\copied programs\heroes of the storm\versions\base50950\heroesofthestorm_x64.exe] => (Allow) C:\copied programs\heroes of the storm\versions\base50950\heroesofthestorm_x64.exe
FirewallRules: [TCP Query User{BC20D4D4-0442-4591-AA6C-BEBF5DD5D75E}C:\copied programs\heroes of the storm\versions\base52986\heroesofthestorm_x64.exe] => (Block) C:\copied programs\heroes of the storm\versions\base52986\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{ED08AB34-200D-4966-AF61-60049A082EDD}C:\copied programs\heroes of the storm\versions\base52986\heroesofthestorm_x64.exe] => (Block) C:\copied programs\heroes of the storm\versions\base52986\heroesofthestorm_x64.exe
FirewallRules: [{9598B3DC-9EEC-4801-95C4-4DE9497D410C}] => (Allow) H:\Steam\Steam.exe
FirewallRules: [{F3D77F31-5C61-44A4-B31F-0C426259A0BD}] => (Allow) H:\Steam\Steam.exe
FirewallRules: [{6C328930-F36A-4A0B-B9BE-20FACAE9C7F2}] => (Allow) H:\Steam\bin\steamwebhelper.exe
FirewallRules: [{856E551E-C27D-46DD-B2EB-E4198F2DFFFD}] => (Allow) H:\Steam\bin\steamwebhelper.exe
FirewallRules: [{6E4B4F09-97EE-4AE9-BE22-F8A7A624FABE}] => (Allow) H:\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{AFAF0734-9EEA-4EE9-B8ED-D7E9AD27C815}] => (Allow) H:\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [TCP Query User{1316AB2E-B340-4E8A-8C11-02E3806B40FD}C:\copied programs\destiny 2\destiny2.exe] => (Allow) C:\copied programs\destiny 2\destiny2.exe
FirewallRules: [UDP Query User{2F4A7D3B-E376-429F-BA27-AFE3E9EBA1B7}C:\copied programs\destiny 2\destiny2.exe] => (Allow) C:\copied programs\destiny 2\destiny2.exe
FirewallRules: [{FF8225F6-6DF6-439A-80CB-C63CF1DE7136}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{5E582372-93DB-4279-B31B-666887A39F4C}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{FC83F7AA-6A0D-491B-B08A-9C544D8ECC10}C:\program files (x86)\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe] => (Allow) C:\program files (x86)\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe
FirewallRules: [UDP Query User{D132CFEC-AE48-4D92-B46E-E3FD05379B17}C:\program files (x86)\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe] => (Allow) C:\program files (x86)\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe
FirewallRules: [{9B5E8A88-809F-4B88-A3C6-B65D7A1A6ED5}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Warframe.exe
FirewallRules: [{5B60F226-5172-4777-986A-135AC71458F6}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Warframe.x64.exe
FirewallRules: [{B3C8183D-2474-48E6-8891-BC27C458A364}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Warframe.exe
FirewallRules: [{3C3E2E92-63AF-4E96-A878-8EC95A7531EA}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Warframe.x64.exe
FirewallRules: [{8F1E6F34-BFBA-4B17-8EF2-99D95EF3749D}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Tools\Launcher.exe
FirewallRules: [{42F2FB6D-513D-49E4-B007-99D716294E7B}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Tools\RemoteCrashSender.exe
FirewallRules: [{3F000DD2-265F-4DFF-BA07-FEDBB714D48A}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Warframe.exe
FirewallRules: [{1B74FE83-8299-4723-97A2-6BBDB69D054A}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Warframe.x64.exe
FirewallRules: [{E2C77DE4-2409-4AAC-8408-3548FBFE7B1F}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Warframe.exe
FirewallRules: [{43257455-354E-45B6-9AFC-08ECFFCA4E19}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Warframe.x64.exe
FirewallRules: [{15691CD7-07ED-45B1-B90A-911C9FFC4EC2}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Tools\Launcher.exe
FirewallRules: [{D0DB158F-CE38-4089-90EF-5D92E2A5745C}] => (Allow) C:\SteamLibrary\steamapps\common\Warframe\Tools\RemoteCrashSender.exe
FirewallRules: [{1428E833-5EEF-4BB5-A921-982A5647F1C3}] => (Allow) C:\SteamLibrary\steamapps\common\The Witcher Enhanced Edition\System\witcher.exe
FirewallRules: [{F407160D-0CA6-4C6A-A133-18A8CEF1F511}] => (Allow) C:\SteamLibrary\steamapps\common\The Witcher Enhanced Edition\System\witcher.exe
FirewallRules: [{DCF050A4-6DF9-4B1A-BA3B-D39E7DF1F988}] => (Allow) C:\SteamLibrary\steamapps\common\The Witcher Enhanced Edition\System\djinni!.exe
FirewallRules: [{72BE3B41-3C9C-4CDB-BFE0-E77FD477FDD6}] => (Allow) C:\SteamLibrary\steamapps\common\The Witcher Enhanced Edition\System\djinni!.exe
FirewallRules: [{33330440-1304-4582-9BCF-54E077B41C90}] => (Allow) C:\SteamLibrary\steamapps\common\The Witcher Enhanced Edition\Digital Comic\DigitalComic.exe
FirewallRules: [{FF1D8421-3FCA-4ADD-84E3-FE02E22E32C8}] => (Allow) C:\SteamLibrary\steamapps\common\The Witcher Enhanced Edition\Digital Comic\DigitalComic.exe
FirewallRules: [{E76E3C44-7541-4009-B90F-DE0490CEC7EA}] => (Allow) C:\SteamLibrary\steamapps\common\The Witcher 3\bin\x64\witcher3.exe
FirewallRules: [{53834EC2-40BA-4A7B-9E01-E332C60F468A}] => (Allow) C:\SteamLibrary\steamapps\common\The Witcher 3\bin\x64\witcher3.exe
FirewallRules: [TCP Query User{77C292DB-3BB2-45A7-B53E-CF2B431155DA}C:\steamlibrary\steamapps\common\the witcher 2\bin\witcher2.exe] => (Allow) C:\steamlibrary\steamapps\common\the witcher 2\bin\witcher2.exe
FirewallRules: [UDP Query User{F6F70D9A-1F73-4FFE-BAC8-8E0111557F61}C:\steamlibrary\steamapps\common\the witcher 2\bin\witcher2.exe] => (Allow) C:\steamlibrary\steamapps\common\the witcher 2\bin\witcher2.exe
FirewallRules: [TCP Query User{94EFA593-E87C-467E-BBD6-F2342C29914C}C:\program files (x86)\sid meiers civilization vi\base\binaries\win64steam\civilizationvi.exe] => (Allow) C:\program files (x86)\sid meiers civilization vi\base\binaries\win64steam\civilizationvi.exe
FirewallRules: [UDP Query User{A7C67C09-6B94-40EC-A049-30FD5385F1A4}C:\program files (x86)\sid meiers civilization vi\base\binaries\win64steam\civilizationvi.exe] => (Allow) C:\program files (x86)\sid meiers civilization vi\base\binaries\win64steam\civilizationvi.exe
FirewallRules: [{1FA598DB-8DFF-4941-847B-0EE83E63EDA0}] => (Allow) C:\SteamLibrary\steamapps\common\SMITE\Binaries\Win32\HirezBridge.exe
FirewallRules: [{B6492403-65BE-451A-857F-F3B95260B5A6}] => (Allow) C:\SteamLibrary\steamapps\common\SMITE\Binaries\Win32\HirezBridge.exe
FirewallRules: [TCP Query User{B6270FF8-3D44-4AEC-9954-CBBA6A2F185E}C:\steamlibrary\steamapps\common\smite\binaries\win32\smite.exe] => (Block) C:\steamlibrary\steamapps\common\smite\binaries\win32\smite.exe
FirewallRules: [UDP Query User{347C480C-D3FF-427F-87A9-DB47A90B2E25}C:\steamlibrary\steamapps\common\smite\binaries\win32\smite.exe] => (Block) C:\steamlibrary\steamapps\common\smite\binaries\win32\smite.exe
FirewallRules: [{60786355-25DB-4C36-A3A2-8826BD83717B}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{8DD21702-74D1-445A-8EC9-495D6A9A99FC}] => (Allow) H:\Steam\SteamApps\common\SMITE\Binaries\Win32\HirezBridge.exe
FirewallRules: [{2021090B-DA42-4287-BF40-81538F1C7E84}] => (Allow) H:\Steam\SteamApps\common\SMITE\Binaries\Win32\HirezBridge.exe
FirewallRules: [TCP Query User{67A3FCE5-3328-4670-9C4C-98021D12D420}H:\steam\steamapps\common\smite\binaries\win32\smite.exe] => (Allow) H:\steam\steamapps\common\smite\binaries\win32\smite.exe
FirewallRules: [UDP Query User{2602543E-E0F8-4443-A7E8-0165C9151B36}H:\steam\steamapps\common\smite\binaries\win32\smite.exe] => (Allow) H:\steam\steamapps\common\smite\binaries\win32\smite.exe
FirewallRules: [{EA94DE66-409E-44DC-87F0-355B4D605A88}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{C03EEE7B-CB63-4535-8594-9F18CE9CD48E}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{01A5D906-BEE8-4EF2-BB5C-C8124084FC42}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{8C047B5B-17FF-401A-8847-92DD36EB2EF5}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [TCP Query User{60C01A9B-2FC8-4E69-A152-1CF04C591306}C:\games\sid meiers civilization vi rise and fall\base\binaries\win64steam\civilizationvi.exe] => (Allow) C:\games\sid meiers civilization vi rise and fall\base\binaries\win64steam\civilizationvi.exe
FirewallRules: [UDP Query User{C4C02E7D-8A52-48AE-AA76-214A23150187}C:\games\sid meiers civilization vi rise and fall\base\binaries\win64steam\civilizationvi.exe] => (Allow) C:\games\sid meiers civilization vi rise and fall\base\binaries\win64steam\civilizationvi.exe
FirewallRules: [{5F799D02-829F-4438-9903-073580852614}] => (Allow) C:\Program Files (x86)\Forfeited\rhythm.exe
FirewallRules: [{3683DA8F-AA5A-4847-AD68-8FD98D335E23}] => (Allow) C:\Program Files (x86)\Championing\rhythm.exe
FirewallRules: [{C3FB7245-BCBC-44B1-9729-7E66B5638285}] => (Allow) C:\Program Files (x86)\detainees\discipline.exe
FirewallRules: [{2DFF7A1B-9169-4C3B-A9A5-BDDD9DD475BC}] => (Allow) C:\Program Files (x86)\Championing\discipline.exe

==================== Restore Points =========================


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (02/22/2018 07:58:25 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=UserLogon;SessionId=2

Error: (02/22/2018 07:58:04 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=NetworkAvailable

Error: (02/21/2018 08:26:52 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=TimerEvent

Error: (02/21/2018 05:22:39 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=NetworkAvailable

Error: (02/21/2018 05:22:35 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=UserLogon;SessionId=1

Error: (02/21/2018 02:19:35 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program SteamLauncherUI.exe version 6.0.1.2 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1030

Start Time: 01d3ab599238d1e7

Termination Time: 4

Application Path: C:\Program Files (x86)\Hi-Rez Studios\SteamLauncherUI.exe

Report Id: e7d855ec-174c-11e8-8396-bcaec5b71406

Faulting package full name:

Faulting package-relative application ID:

Error: (02/21/2018 01:05:02 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=UserLogon;SessionId=1

Error: (02/21/2018 12:58:01 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=NetworkAvailable


System errors:
=============
Error: (02/21/2018 09:24:32 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/21/2018 09:24:32 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/21/2018 09:24:32 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/21/2018 09:24:32 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/21/2018 09:24:32 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/21/2018 09:24:32 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/21/2018 09:24:32 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/21/2018 09:24:32 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.


Windows Defender:
===================================
Date: 2018-02-19 18:16:26.457
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanSpy:Win32/SocStealer!rfn&threatid=2147724296&enterprise=0
Name: TrojanSpy:Win32/SocStealer!rfn
ID: 2147724296
Severity: Severe
Category: Trojan Monitoring Software
Path: chromeinstall:_HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GOOGLE CHROME;file:_C:\Program Files (x86)\Google\Chrome\Application\winhttp.dll;file:_C:\Users\Allison Lewski\AppData\Local\AdService\AdService.dll;file:_C:\Users\Allison Lewski\AppData\Local\Microsoft\Windows\INetCache\IE\7PWPM3XA\dll_service[1].bin;file:_C:\Users\Allison Lewski\AppData\Local\Microsoft\Windows\INetCache\IE\HUK7CB0G\dll_x64[1].bin
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Users\ALLISO~1\AppData\Local\Temp\336463171\ic-0.ee5e458616065.exe
Signature Version: AV: 1.259.1399.0, AS: 1.259.1399.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14405.2, NIS: 2.1.14202.0

Date: 2018-02-19 18:16:26.456
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=BrowserModifier:Win32/Soctuseer!excl&threatid=237119&enterprise=0
Name: BrowserModifier:Win32/Soctuseer!excl
ID: 237119
Severity: High
Category: Browser Modifier
Path: regkeyvalue:_HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\\c:\program files\01caea05d08c25c64941f61bbf04b4eb\;regkeyvalue:_HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\\C:\Windows\e4964b6c4f2444b5c47e4eef478bf980.exe
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Signature Version: AV: 1.259.1399.0, AS: 1.259.1399.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14405.2, NIS: 2.1.14202.0

Date: 2018-02-19 18:16:26.455
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Tiggre!plock&threatid=2147723626&enterprise=0
Name: Trojan:Win32/Tiggre!plock
ID: 2147723626
Severity: Severe
Category: Trojan
Path: file:_C:\Users\Allison Lewski\AppData\Local\Temp\336463171\ic-0.ee5e458616065.exe;process:_pid:6108,ProcessStart:131635629114186480
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: C:\Users\ALLISO~1\AppData\Local\Temp\336463171\ic-0.ee5e458616065.exe
Signature Version: AV: 1.259.1399.0, AS: 1.259.1399.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14405.2, NIS: 2.1.14202.0

Date: 2018-02-19 18:15:13.916
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Tiggre!plock&threatid=2147723626&enterprise=0
Name: Trojan:Win32/Tiggre!plock
ID: 2147723626
Severity: Severe
Category: Trojan
Path: process:_pid:6108,ProcessStart:131635629114186480
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
Process Name: C:\Users\ALLISO~1\AppData\Local\Temp\336463171\ic-0.ee5e458616065.exe
Signature Version: AV: 1.259.1399.0, AS: 1.259.1399.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14405.2, NIS: 2.1.14202.0

Date: 2018-02-19 18:15:13.568
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanSpy:Win32/SocStealer!rfn&threatid=2147724296&enterprise=0
Name: TrojanSpy:Win32/SocStealer!rfn
ID: 2147724296
Severity: Severe
Category: Trojan Monitoring Software
Path: file:_C:\Program Files (x86)\Google\Chrome\Application\winhttp.dll;file:_C:\Users\Allison Lewski\AppData\Local\AdService\AdService.dll;file:_C:\Users\Allison Lewski\AppData\Local\Microsoft\Windows\INetCache\IE\7PWPM3XA\dll_service[1].bin;file:_C:\Users\Allison Lewski\AppData\Local\Microsoft\Windows\INetCache\IE\HUK7CB0G\dll_x64[1].bin
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Users\ALLISO~1\AppData\Local\Temp\336463171\ic-0.ee5e458616065.exe
Signature Version: AV: 1.259.1399.0, AS: 1.259.1399.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14405.2, NIS: 2.1.14202.0

Date: 2018-02-19 18:16:32.390
Description:
Windows Defender has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.259.1399.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.14405.2
Error code: 0x80240017
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Date: 2018-02-06 12:25:14.015
Description:
Windows Defender Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x8007043c
Error description: This service cannot be started in Safe Mode
Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.

Date: 2018-02-06 11:23:52.059
Description:
Windows Defender Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x8007043c
Error description: This service cannot be started in Safe Mode
Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.

==================== Memory info ===========================

Processor: Intel® Core™ i5 CPU 650 @ 3.20GHz
Percentage of memory in use: 32%
Total physical RAM: 8183.05 MB
Available physical RAM: 5518.86 MB
Total Virtual: 9683.05 MB
Available Virtual: 7151.29 MB

==================== Drives ================================

Drive c: (SSD) (Fixed) (Total:238.13 GB) (Free:64.13 GB) NTFS
Drive d: (System Log Files) (Fixed) (Total:0.1 GB) (Free:0.05 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive g: (Extra2) (Fixed) (Total:355.47 GB) (Free:312.22 GB) NTFS
Drive h: (Extra Drive) (Fixed) (Total:575.94 GB) (Free:40.26 GB) NTFS

\\?\Volume{9bc49891-cba1-11e6-824b-806e6f6e6963}\ (System Reserved) (Fixed) (Total:0.34 GB) (Free:0.09 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 238.5 GB) (Disk ID: 9CF9C308)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=238.1 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 931.5 GB) (Disk ID: 4DB9C001)
Partition 1: (Not Active) - (Size=993 KB) - (Type=42)
Partition 2: (Active) - (Size=100 MB) - (Type=42)
Partition 3: (Not Active) - (Size=931.4 GB) - (Type=42)

==================== End of Addition.txt ============================



#5 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,623 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:10 AM

Posted 22 February 2018 - 10:28 AM

CaptainFistula:

Thank you for your post and for the CKScanner log and the fresh set of FRST logs.

There are files on your computer used to evade Microsoft licencing requirements.

If you are agreeable, I will remove those files as a part of disinfecting the computer.  If not, I will conclude your topic.

Please let me know what you want to do.  It is entirely YOUR choice.

Have a great day.

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#6 CaptainFistula

  • Topic Starter
  • Members
  • 13 posts
  • Local time:12:10 AM

Posted 22 February 2018 - 10:34 AM

Hello Phil,

Please call me Al.

Yes, I am prepared to remove any files tied to evasion.  My primary concern is to get this machine back in working order, and moreover to do it the right way.  Please let me know the next step as you are able.



#7 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,623 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:10 AM

Posted 22 February 2018 - 10:48 AM

Al:

Thank you for your prompt reply and for permission to address you by your first name. :thumbup2:  I am also helping other clients and I have just started analyzing another set of new logs, but as soon as that is done, I will analyze your newest FRST logs and post back with an initial FRST "fixlist" script.  It looks like your computer might be infected with "SmartService" or else there are still remnants of it remaining.

As a part of that FRST "fixlist" script, I will remove the "offending" files.

I hope to post back later this afternoon.  Thank you for your patience, understanding, and cooperation.  Have a great day.

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#8 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,623 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:10 AM

Posted 22 February 2018 - 11:57 AM

Al:

Thank you for your patience while I analyzed your newest set of FRST logs.

:step1: The "Addition.txt" log shows that your Windows Defender is disabled. Are you able to turn it on? If not, do you get any error messages; or, is the option to turn it on unavailable or greyed out?

If you cannot turn Windows Defender back on, please run the FRST "fixlist" script below, reboot your computer, and then try again to turn on Windows Defender. Does it turn back on?

:step2: Please run a FRST fix for me.

NOTICE: This FRST "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.

Start::
CreateRestorePoint:
CloseProcesses:
VirusTotal: C:\Windows\System32\iaoterwsvc.exe;C:\Users\Allison Lewski\AppData\Local\aumvxot\vdhzswo.exe;C:\Windows\system32\Drivers\pwiadhkn.sys;C:\Users\Allison Lewski\AppData\Local\sinkdzx
Folder: C:\Users\Allison Lewski\AppData\Local\aumvxot
Folder: C:\Users\Allison Lewski\AppData\Local\atbmxhd
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
Reg: reg query "HKLM\SYSTEM\CurrentControlSet\Services\magxso"
HKLM\SYSTEM\CurrentControlSet\Services\magxso <==== ATTENTION (Rootkit!)
S4 apexpsvc; "C:\Users\Allison Lewski\AppData\Local\ibvpu\apexpsvc.exe" /svc [X]
S4 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S4 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S4 beeeii; system32\drivers\vyyybb.sys [X]
S4 dlidxfht; \??\C:\Windows\system32\drivers\dlidxfht.sys [X]
S4 ElbyCDIO; System32\Drivers\ElbyCDIO.sys [X]
S3 GPU-Z; \??\C:\Users\ALLISO~1\AppData\Local\Temp\GPU-Z.sys [X] <==== ATTENTION
S4 MpKslefafb96f; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8BE8D72B-BC39-47A7-AD65-2323D37EE158}\MpKslefafb96f.sys [X]
R3 vzcfjm; system32\drivers\cfimps.sys [X]
Folder: C:\Users\Allison Lewski\AppData\Local\sinkdzx
VirusTotal: C:\Windows\system32\iaoterwsvcf.exe;C:\Windows\b61275733;C:\Windows\d73a5bce2d40b3acebc67264591a1f4e.dll;C:\Users\Allison Lewski\AppData\Local\Temp\capi.exe;
Folder: C:\Windows\SysWOW64\rtepdnv
Folder: C:\Windows\system32\rtepdnv
VirusTotal: C:\Users\Allison Lewski\AppData\Local\Temp\Cleanup.dll;C:\Users\Allison Lewski\AppData\Local\Temp\cubesta.exe;C:\Users\Allison Lewski\AppData\Local\Temp\ing.exe;C:\Users\Allison Lewski\AppData\Local\Temp\siinst.exe
VirusTota: C:\Users\Allison Lewski\AppData\Local\Temp\XvidCodecInstaller.exe;C:\Windows\system32\drivers\
Task: {048F8DFD-933D-4CEA-ACE5-3ACAF1EA4A8B} - \dunne perri preselect -> No File <==== ATTENTION
Task: {1A3139E2-7241-4AE3-8AF3-328C7CF4C66D} - \forgiven longmont -> No File <==== ATTENTION
Task: {203AF1AC-39BD-4C3B-B8F5-D2F77B4B0032} - \badunne perri preselectdunne perri preselect -> No File <==== ATTENTION
Task: {21D3E9EF-4F67-4224-B5A4-D2971B2D1895} - \acquaintanceship-jordanian -> No File <==== ATTENTION
Task: {328EF2F4-1B42-46CF-8B9E-5822A9F83C9A} - \baforgiven longmontforgiven longmont -> No File <==== ATTENTION
Task: {40A599AE-D480-4A18-9978-C669C49DAB97} - \bashir -> No File <==== ATTENTION
Task: {461CD752-DC8E-48A7-8CE9-D52B82DD54F4} - \NT9KxuvhdgOF -> No File <==== ATTENTION
Task: {71B6806F-7C07-4DB2-9647-CE94EA5EBDFF} - \batroublesome_addictiontroublesome_addiction -> No File <==== ATTENTION
Task: {7A96C7F0-E0F4-4562-A0A2-4CED65155242} - \troublesome_addiction -> No File <==== ATTENTION
Task: {A20560ED-DE9E-45DA-B1C8-774D08542CB4} - \crush_leicester -> No File <==== ATTENTION
Task: {E41EB3C3-48F7-4C11-8CF6-246C0C9E6528} - \babashirbashir -> No File <==== ATTENTION
Task: {E63A9096-015B-4803-800D-52A0E7CC22A5} - \baacquaintanceship-jordanianacquaintanceship-jordanian -> No File <==== ATTENTION
Task: {FFA10A5F-AAD7-4BB5-90A4-D40D854515A6} - \bacrush_leicestercrush_leicester -> No File <==== ATTENTION
FirewallRules: [{A18E6171-8EA0-4A96-B5AD-994E390ECFD3}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{499ACF6B-5123-4899-8EF8-774E62AF1978}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{0F903FFD-E156-4EDE-9224-5352196E12EB}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{1CD5E963-913D-4EEC-9169-3958CD4DBDFD}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{8EECB8D1-6A27-4039-BF08-DBF7A33FF078}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{ACDAB867-E4CB-4EE4-84D1-89618E93BB23}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{DA77A9A7-F010-46A7-8084-1E4EC94524FD}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [UDP Query User{9456AE20-226D-4B7F-85E1-03CFFF3203B6}C:\program files (x86)\deluge\deluge.exe] => (Allow) C:\program files (x86)\deluge\deluge.exe
FirewallRules: [{A8567CA5-B460-4C1E-964A-B3342792E2EF}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{6E80719C-67EF-4E84-AB55-B276479FAF18}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
C:\Program Files\KMSpico
End::
  • Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy", which will copy the "fix" script into the Windows clipboard.
  • Right click FRST64.exe, and select "Run as Administrator".
  • Press the Fix button once and wait.
  • Please reboot the computer, if requested.
  • A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
  • Please copy and paste the contents of the "fixlog.txt" file into your next reply.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators
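The fixlist above targets two things a reader can verify for themselves after the reboot: the policy key that keeps Windows Defender switched off, and firewall "Allow" rules left behind for programs that FRST removed. The PowerShell below is an added check written for this thread, not Phil's instructions and not part of FRST; it assumes an elevated prompt on Windows 8 or later (the NetSecurity cmdlets it uses ship with those versions).

```powershell
# Added post-fix verification script (constructed for this thread; not from FRST).
# Run from an elevated PowerShell prompt after the fix and reboot.

function Get-DefenderPolicyRestrictions {
    # Any value under this policy key overrides the Defender UI; on a home PC the
    # key is normally absent, which is why FRST flagged it with "Restriction".
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    if (-not (Test-Path -LiteralPath $base)) { return @() }
    $keys = @(Get-Item -LiteralPath $base) + @(Get-ChildItem -LiteralPath $base -Recurse)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{
                Key   = ($k.PSPath -replace '^.*::')
                Name  = $name
                Value = $k.GetValue($name)
            }
        }
    }
}

function Get-SuspiciousAllowRules {
    # Reports enabled Allow rules whose program either no longer exists on disk
    # (orphaned, like the KMSpico rules in the fixlist) or lives in a user-writable
    # location such as AppData or Temp rather than under Program Files / Windows.
    $trusted = @("$env:ProgramFiles\", "${env:ProgramFiles(x86)}\", "$env:windir\")
    Get-NetFirewallRule -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $prog = ($rule | Get-NetFirewallApplicationFilter).Program
        if (-not $prog -or $prog -eq 'Any') { return }   # rule is not tied to a program
        $path = [Environment]::ExpandEnvironmentVariables($prog)
        $inTrusted = $false
        foreach ($root in $trusted) {
            if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        $exists = Test-Path -LiteralPath $path
        $reason = @()
        if (-not $exists)    { $reason += 'program missing on disk' }
        if (-not $inTrusted) { $reason += 'program outside trusted roots' }
        if ($reason.Count -gt 0) {
            [pscustomobject]@{
                Name      = $rule.DisplayName
                Direction = $rule.Direction
                Program   = $path
                Reason    = ($reason -join '; ')
            }
        }
    }
}

Write-Host '== Windows Defender policy overrides (expected: none) =='
Get-DefenderPolicyRestrictions | Format-Table -AutoSize

Write-Host '== Enabled firewall Allow rules worth a look =='
Get-SuspiciousAllowRules | Format-Table -AutoSize
```

An empty first table is the expected result once the policy key has been removed; rules in the second table can be reviewed in Windows Firewall with Advanced Security and deleted if the program they reference is gone.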


#9 CaptainFistula

  • Topic Starter
  • Members
  • 13 posts
  • Local time:12:10 AM

Posted 22 February 2018 - 12:33 PM

Greetings Phil,

I am unable to open Windows Defender, or turn it on.  It says the program cannot open due to group policy.  I tried to start the Windows Defender service in services.msc and received the same message.

I am very pleased to see the first line of your fix list includes:

VirusTotal: C:\Windows\System32\iaoterwsvc.exe;C:\Users\Allison Lewski\AppData\Local\aumvxot\vdhzswo.exe;C:\Windows\system32\Drivers\pwiadhkn.sys;C:\Users\Allison Lewski\AppData\Local\sinkdzx

This is because I have seen these processes running, and have been unable to terminate or suspend them myself via programs such as Process Explorer and Autoruns.

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 21.02.2018
Ran by Allison Lewski (22-02-2018 10:28:18) Run:1
Running from G:\Downloads Firefox
Loaded Profiles: Allison Lewski (Available Profiles: Allison Lewski)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
VirusTotal: C:\Windows\System32\iaoterwsvc.exe;C:\Users\Allison Lewski\AppData\Local\aumvxot\vdhzswo.exe;C:\Windows\system32\Drivers\pwiadhkn.sys;C:\Users\Allison Lewski\AppData\Local\sinkdzx
Folder: C:\Users\Allison Lewski\AppData\Local\aumvxot
Folder: C:\Users\Allison Lewski\AppData\Local\atbmxhd
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
Reg: reg query "HKLM\SYSTEM\CurrentControlSet\Services\magxso"
HKLM\SYSTEM\CurrentControlSet\Services\magxso <==== ATTENTION (Rootkit!)
S4 apexpsvc; "C:\Users\Allison Lewski\AppData\Local\ibvpu\apexpsvc.exe" /svc [X]
S4 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S4 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S4 beeeii; system32\drivers\vyyybb.sys [X]
S4 dlidxfht; \??\C:\Windows\system32\drivers\dlidxfht.sys [X]
S4 ElbyCDIO; System32\Drivers\ElbyCDIO.sys [X]
S3 GPU-Z; \??\C:\Users\ALLISO~1\AppData\Local\Temp\GPU-Z.sys [X] <==== ATTENTION
S4 MpKslefafb96f; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8BE8D72B-BC39-47A7-AD65-2323D37EE158}\MpKslefafb96f.sys [X]
R3 vzcfjm; system32\drivers\cfimps.sys [X]
Folder: C:\Users\Allison Lewski\AppData\Local\sinkdzx
VirusTotal: C:\Windows\system32\iaoterwsvcf.exe;C:\Windows\b61275733;C:\Windows\d73a5bce2d40b3acebc67264591a1f4e.dll;C:\Users\Allison Lewski\AppData\Local\Temp\capi.exe;
Folder: C:\Windows\SysWOW64\rtepdnv
Folder: C:\Windows\system32\rtepdnv
VirusTotal: C:\Users\Allison Lewski\AppData\Local\Temp\Cleanup.dll;C:\Users\Allison Lewski\AppData\Local\Temp\cubesta.exe;C:\Users\Allison Lewski\AppData\Local\Temp\ing.exe;C:\Users\Allison Lewski\AppData\Local\Temp\siinst.exe
VirusTota: C:\Users\Allison Lewski\AppData\Local\Temp\XvidCodecInstaller.exe;C:\Windows\system32\drivers\
Task: {048F8DFD-933D-4CEA-ACE5-3ACAF1EA4A8B} - \dunne perri preselect -> No File <==== ATTENTION
Task: {1A3139E2-7241-4AE3-8AF3-328C7CF4C66D} - \forgiven longmont -> No File <==== ATTENTION
Task: {203AF1AC-39BD-4C3B-B8F5-D2F77B4B0032} - \badunne perri preselectdunne perri preselect -> No File <==== ATTENTION
Task: {21D3E9EF-4F67-4224-B5A4-D2971B2D1895} - \acquaintanceship-jordanian -> No File <==== ATTENTION
Task: {328EF2F4-1B42-46CF-8B9E-5822A9F83C9A} - \baforgiven longmontforgiven longmont -> No File <==== ATTENTION
Task: {40A599AE-D480-4A18-9978-C669C49DAB97} - \bashir -> No File <==== ATTENTION
Task: {461CD752-DC8E-48A7-8CE9-D52B82DD54F4} - \NT9KxuvhdgOF -> No File <==== ATTENTION
Task: {71B6806F-7C07-4DB2-9647-CE94EA5EBDFF} - \batroublesome_addictiontroublesome_addiction -> No File <==== ATTENTION
Task: {7A96C7F0-E0F4-4562-A0A2-4CED65155242} - \troublesome_addiction -> No File <==== ATTENTION
Task: {A20560ED-DE9E-45DA-B1C8-774D08542CB4} - \crush_leicester -> No File <==== ATTENTION
Task: {E41EB3C3-48F7-4C11-8CF6-246C0C9E6528} - \babashirbashir -> No File <==== ATTENTION
Task: {E63A9096-015B-4803-800D-52A0E7CC22A5} - \baacquaintanceship-jordanianacquaintanceship-jordanian -> No File <==== ATTENTION
Task: {FFA10A5F-AAD7-4BB5-90A4-D40D854515A6} - \bacrush_leicestercrush_leicester -> No File <==== ATTENTION
FirewallRules: [{A18E6171-8EA0-4A96-B5AD-994E390ECFD3}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{499ACF6B-5123-4899-8EF8-774E62AF1978}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{0F903FFD-E156-4EDE-9224-5352196E12EB}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{1CD5E963-913D-4EEC-9169-3958CD4DBDFD}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{8EECB8D1-6A27-4039-BF08-DBF7A33FF078}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{ACDAB867-E4CB-4EE4-84D1-89618E93BB23}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{DA77A9A7-F010-46A7-8084-1E4EC94524FD}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [UDP Query User{9456AE20-226D-4B7F-85E1-03CFFF3203B6}C:\program files (x86)\deluge\deluge.exe] => (Allow) C:\program files (x86)\deluge\deluge.exe
FirewallRules: [{A8567CA5-B460-4C1E-964A-B3342792E2EF}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{6E80719C-67EF-4E84-AB55-B276479FAF18}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
C:\Program Files\KMSpico

*****************

Restore point was successfully created.
Processes closed successfully.
VirusTotal: C:\Windows\System32\iaoterwsvc.exe => D41D8CD98F00B204E9800998ECF8427E (0-byte MD5)
"VirusTotal: C:\Users\Allison Lewski\AppData\Local\aumvxot\vdhzswo.exe" => not found
VirusTotal: C:\Windows\system32\Drivers\pwiadhkn.sys => D41D8CD98F00B204E9800998ECF8427E (0-byte MD5)
VirusTotal: C:\Users\Allison Lewski\AppData\Local\sinkdzx => D41D8CD98F00B204E9800998ECF8427E (0-byte MD5)

========================= Folder: C:\Users\Allison Lewski\AppData\Local\aumvxot ========================


====== End of Folder: ======


========================= Folder: C:\Users\Allison Lewski\AppData\Local\atbmxhd ========================


====== End of Folder: ======

"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" => removed successfully

========= reg query "HKLM\SYSTEM\CurrentControlSet\Services\magxso" =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========

HKLM\SYSTEM\CurrentControlSet\Services\magxso <==== ATTENTION (Rootkit!) => Error: No automatic fix found for this entry.
"HKLM\System\CurrentControlSet\Services\apexpsvc" => removed successfully
apexpsvc => service removed successfully
"HKLM\System\CurrentControlSet\Services\gupdate" => removed successfully
gupdate => service removed successfully
"HKLM\System\CurrentControlSet\Services\gupdatem" => removed successfully
gupdatem => service removed successfully
"HKLM\System\CurrentControlSet\Services\beeeii" => removed successfully
beeeii => service removed successfully
"HKLM\System\CurrentControlSet\Services\dlidxfht" => removed successfully
dlidxfht => service removed successfully
"HKLM\System\CurrentControlSet\Services\ElbyCDIO" => removed successfully
ElbyCDIO => service removed successfully
"HKLM\System\CurrentControlSet\Services\GPU-Z" => removed successfully
GPU-Z => service removed successfully
"HKLM\System\CurrentControlSet\Services\MpKslefafb96f" => removed successfully
MpKslefafb96f => service removed successfully
vzcfjm => Unable to stop service.
"HKLM\System\CurrentControlSet\Services\vzcfjm" => removed successfully
vzcfjm => service removed successfully

========================= Folder: C:\Users\Allison Lewski\AppData\Local\sinkdzx ========================


====== End of Folder: ======

VirusTotal: C:\Windows\system32\iaoterwsvcf.exe => https://www.virustotal.com/file/bbd8f15694bb0eff89992eeb1bd57bf4ed28db5b8b0517fb44e630f63d40b74f/analysis/1518898363/
VirusTotal: C:\Windows\b61275733 => https://www.virustotal.com/file/0b8eb2496cb9814fba5eb4dd704d2e9f42783cb47ad30a0dfde3baaf1186690b/analysis/1519320522/
VirusTotal: C:\Windows\d73a5bce2d40b3acebc67264591a1f4e.dll => https://www.virustotal.com/file/cb5bc7a9e7a9e5ddd8ed304531dd0392e749da67cb751927784cb033c8f5c776/analysis/1519320524/
VirusTotal: C:\Users\Allison Lewski\AppData\Local\Temp\capi.exe => https://www.virustotal.com/file/e0a4169954fc29c161a7d9a71e24b2108305ee7b808fb632e99e8aebbc936ac8/analysis/1519320525/
"VirusTotal: " => not found

========================= Folder: C:\Windows\SysWOW64\rtepdnv ========================


====== End of Folder: ======


========================= Folder: C:\Windows\system32\rtepdnv ========================


====== End of Folder: ======

VirusTotal: C:\Users\Allison Lewski\AppData\Local\Temp\Cleanup.dll => https://www.virustotal.com/file/2c816e928991a76b0da98356cc77cebc7acb0a71aabe6ba76557b7daf9a42aa2/analysis/1519320525/
VirusTotal: C:\Users\Allison Lewski\AppData\Local\Temp\cubesta.exe => https://www.virustotal.com/file/4848a0a274930c8d8948bf60fa61c00eee57020d4dfc84642391d3c3e536db60/analysis/1519320526/
VirusTotal: C:\Users\Allison Lewski\AppData\Local\Temp\ing.exe => https://www.virustotal.com/file/44e25dec6865a553b0be073df15ac479f49bab7779f118a2647ecfb2496dcc75/analysis/1519320533/
VirusTotal: C:\Users\Allison Lewski\AppData\Local\Temp\siinst.exe => https://www.virustotal.com/file/3b1c93e5a578ab0a3fa0d076a9a77937c9ebfaa1bc64dc20783cba0877ee5a00/analysis/1519320534/
VirusTota: C:\Users\Allison Lewski\AppData\Local\Temp\XvidCodecInstaller.exe;C:\Windows\system32\drivers\ => Error: No automatic fix found for this entry.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{048F8DFD-933D-4CEA-ACE5-3ACAF1EA4A8B} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{048F8DFD-933D-4CEA-ACE5-3ACAF1EA4A8B} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\dunne perri preselect => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{1A3139E2-7241-4AE3-8AF3-328C7CF4C66D} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1A3139E2-7241-4AE3-8AF3-328C7CF4C66D} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\forgiven longmont => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{203AF1AC-39BD-4C3B-B8F5-D2F77B4B0032} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{203AF1AC-39BD-4C3B-B8F5-D2F77B4B0032} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\badunne perri preselectdunne perri preselect => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{21D3E9EF-4F67-4224-B5A4-D2971B2D1895} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{21D3E9EF-4F67-4224-B5A4-D2971B2D1895} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\acquaintanceship-jordanian => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{328EF2F4-1B42-46CF-8B9E-5822A9F83C9A} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{328EF2F4-1B42-46CF-8B9E-5822A9F83C9A} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\baforgiven longmontforgiven longmont => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{40A599AE-D480-4A18-9978-C669C49DAB97} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{40A599AE-D480-4A18-9978-C669C49DAB97} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bashir => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{461CD752-DC8E-48A7-8CE9-D52B82DD54F4} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{461CD752-DC8E-48A7-8CE9-D52B82DD54F4} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\NT9KxuvhdgOF => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{71B6806F-7C07-4DB2-9647-CE94EA5EBDFF} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{71B6806F-7C07-4DB2-9647-CE94EA5EBDFF} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\batroublesome_addictiontroublesome_addiction => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{7A96C7F0-E0F4-4562-A0A2-4CED65155242} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7A96C7F0-E0F4-4562-A0A2-4CED65155242} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\troublesome_addiction => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A20560ED-DE9E-45DA-B1C8-774D08542CB4} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A20560ED-DE9E-45DA-B1C8-774D08542CB4} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\crush_leicester => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E41EB3C3-48F7-4C11-8CF6-246C0C9E6528} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E41EB3C3-48F7-4C11-8CF6-246C0C9E6528} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\babashirbashir => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E63A9096-015B-4803-800D-52A0E7CC22A5} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E63A9096-015B-4803-800D-52A0E7CC22A5} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\baacquaintanceship-jordanianacquaintanceship-jordanian => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FFA10A5F-AAD7-4BB5-90A4-D40D854515A6} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FFA10A5F-AAD7-4BB5-90A4-D40D854515A6} => could not remove key. ErrorCode1: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bacrush_leicestercrush_leicester => could not remove key. ErrorCode1: 0x00000002
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A18E6171-8EA0-4A96-B5AD-994E390ECFD3}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{499ACF6B-5123-4899-8EF8-774E62AF1978}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0F903FFD-E156-4EDE-9224-5352196E12EB}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1CD5E963-913D-4EEC-9169-3958CD4DBDFD}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8EECB8D1-6A27-4039-BF08-DBF7A33FF078}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{ACDAB867-E4CB-4EE4-84D1-89618E93BB23}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{DA77A9A7-F010-46A7-8084-1E4EC94524FD}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{9456AE20-226D-4B7F-85E1-03CFFF3203B6}C:\program files (x86)\deluge\deluge.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A8567CA5-B460-4C1E-964A-B3342792E2EF}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6E80719C-67EF-4E84-AB55-B276479FAF18}" => removed successfully
C:\Program Files\KMSpico => moved successfully

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 22-02-2018 10:30:50)


Result of scheduled keys to remove after reboot:

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{048F8DFD-933D-4CEA-ACE5-3ACAF1EA4A8B}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{048F8DFD-933D-4CEA-ACE5-3ACAF1EA4A8B}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\dunne perri preselect" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{1A3139E2-7241-4AE3-8AF3-328C7CF4C66D}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1A3139E2-7241-4AE3-8AF3-328C7CF4C66D}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\forgiven longmont" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{203AF1AC-39BD-4C3B-B8F5-D2F77B4B0032}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{203AF1AC-39BD-4C3B-B8F5-D2F77B4B0032}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\badunne perri preselectdunne perri preselect" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{21D3E9EF-4F67-4224-B5A4-D2971B2D1895}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{21D3E9EF-4F67-4224-B5A4-D2971B2D1895}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\acquaintanceship-jordanian" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{328EF2F4-1B42-46CF-8B9E-5822A9F83C9A}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{328EF2F4-1B42-46CF-8B9E-5822A9F83C9A}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\baforgiven longmontforgiven longmont" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{40A599AE-D480-4A18-9978-C669C49DAB97}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{40A599AE-D480-4A18-9978-C669C49DAB97}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bashir" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{461CD752-DC8E-48A7-8CE9-D52B82DD54F4}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{461CD752-DC8E-48A7-8CE9-D52B82DD54F4}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\NT9KxuvhdgOF" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{71B6806F-7C07-4DB2-9647-CE94EA5EBDFF}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{71B6806F-7C07-4DB2-9647-CE94EA5EBDFF}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\batroublesome_addictiontroublesome_addiction" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{7A96C7F0-E0F4-4562-A0A2-4CED65155242}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7A96C7F0-E0F4-4562-A0A2-4CED65155242}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\troublesome_addiction" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A20560ED-DE9E-45DA-B1C8-774D08542CB4}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A20560ED-DE9E-45DA-B1C8-774D08542CB4}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\crush_leicester" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E41EB3C3-48F7-4C11-8CF6-246C0C9E6528}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E41EB3C3-48F7-4C11-8CF6-246C0C9E6528}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\babashirbashir" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E63A9096-015B-4803-800D-52A0E7CC22A5}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E63A9096-015B-4803-800D-52A0E7CC22A5}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\baacquaintanceship-jordanianacquaintanceship-jordanian" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FFA10A5F-AAD7-4BB5-90A4-D40D854515A6}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FFA10A5F-AAD7-4BB5-90A4-D40D854515A6}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bacrush_leicestercrush_leicester" => removed successfully

==== End of Fixlog 10:30:50 ====


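Added example, not part of the thread and not FRST's own code: a read-only PowerShell audit of the Task Scheduler cache that reports the two conditions visible in the fixlog above, task names of the form "ba" + X + X that sit beside a plain X (for example batroublesome_addictiontroublesome_addiction next to troublesome_addiction), and Tree/Tasks entries that no longer point at each other, which is the half-removed state FRST had to finish on reboot. It assumes the standard TaskCache layout (Tree\<path> carries an Id GUID, Tasks\{GUID} carries Path), task XML under %SystemRoot%\System32\Tasks, and an elevated prompt.

```powershell
# Added example (not from the thread or from FRST). Read-only audit of the Task Scheduler
# registry cache for the orphan/doubled-name pattern shown in the fixlog. Run elevated.
# Assumes the standard TaskCache layout and task XML under %SystemRoot%\System32\Tasks.

$cache   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$xmlRoot = Join-Path $env:SystemRoot 'System32\Tasks'

function Get-TaskCacheTree {
    # One object per leaf key under TaskCache\Tree that carries an Id value.
    Get-ChildItem -Path "$cache\Tree" -Recurse | ForEach-Object {
        $id = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).Id
        if (-not $id) { return }
        # Drop everything up to and including "\Tree" to get the schtasks-style task path.
        $taskPath = $_.Name -replace '^.*?\\TaskCache\\Tree', ''
        [pscustomobject]@{
            Name       = $_.PSChildName
            TaskPath   = $taskPath
            Id         = $id
            HasTaskKey = Test-Path -LiteralPath "$cache\Tasks\$id"
            HasXml     = Test-Path -LiteralPath (Join-Path $xmlRoot $taskPath.TrimStart('\'))
        }
    }
}

function Find-SuspiciousTasks {
    param([Parameter(Mandatory)] $Entries)
    $names = @{}
    foreach ($e in $Entries) { $names[$e.Name] = $true }
    foreach ($e in $Entries) {
        $reasons = @()
        # Pattern from the fixlog: "ba" followed by the same string twice.
        if ($e.Name -match '^ba(.+)\1$') {
            $reasons += 'doubled name'
            if ($names.ContainsKey($Matches[1])) { $reasons += "paired with task '$($Matches[1])'" }
        }
        # Tree entry whose Tasks\{GUID} key or on-disk XML is gone: cache is inconsistent.
        if (-not $e.HasTaskKey) { $reasons += 'Tree entry without Tasks\{GUID} key' }
        if (-not $e.HasXml)     { $reasons += 'no task XML on disk' }
        # Tasks outside \Microsoft\ are where third-party (and unwanted) tasks are registered.
        if ($e.TaskPath -notmatch '^\\Microsoft\\') { $reasons += 'non-Microsoft task, review' }
        if ($reasons.Count) {
            $e | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

function Find-OrphanTaskKeys {
    param([Parameter(Mandatory)] $Entries)
    # Tasks\{GUID} keys that no Tree entry points at any more.
    $known = @{}
    foreach ($e in $Entries) { $known[$e.Id] = $true }
    Get-ChildItem -Path "$cache\Tasks" |
        Where-Object { -not $known.ContainsKey($_.PSChildName) } |
        ForEach-Object {
            [pscustomobject]@{
                Id   = $_.PSChildName
                Path = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).Path
            }
        }
}

$tree = @(Get-TaskCacheTree)
Find-SuspiciousTasks -Entries $tree | Format-Table Name, TaskPath, Reasons -AutoSize
Find-OrphanTaskKeys  -Entries $tree | Format-Table Id, Path -AutoSize
```

The script changes nothing; it only lists entries for a helper to judge, and a clean machine will still show its legitimate non-Microsoft tasks under the "review" reason.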

#10 CaptainFistula

CaptainFistula
  • Topic Starter

  • Members
  • 13 posts
  • Local time:12:10 AM

Posted 22 February 2018 - 12:35 PM

This Fix required a PC restart.

After restart I was able to open Windows Defender.  I closed the program after opening, to wait for your further instruction.

 

Thanks!


Edited by CaptainFistula, 22 February 2018 - 12:36 PM.


#11 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,623 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:10 AM

Posted 22 February 2018 - 01:37 PM

Al:
 
Thank you for your posts and for copying and pasting the contents of the FRST "fixlog.txt" file.  We have made a good start.  Thank you also for refraining from the natural impulse to run a Windows Defender scan. :thumbup2:  There are good reasons why we ask users to run only what we request.  A lot of times, the user "knows" better and complicates our life as malware removal specialists by running unsupervised and unrequested scans/tools.
 
This does appear to be a "SmartService" infection, but it normally requires considerable effort to remove it, including downloading FRST64.exe from a clean computer and then running the infected computer in the Windows Recovery Environment to execute the FRST fix from a USB flash drive.  I know that the developer of FRST (Farbar) has improved his scanner considerably to deal with this infection.  Normally the later versions of this infection disable FRST and virtually all other anti-malware tools.  You might have an earlier version of the infection; or, Farbar might have fed FRST some steroids! :)
 
In any event, I don't want to complicate the disinfection process more than we have to.  So let's see how far we can get, without resorting to the more complex approach, to "nuking" this infection.  If we need to go the complex route, you will have to have access to another computer that is not infected, but let's not get ahead of ourselves.
 
.
 
:step1: ESET Online Scanner using Internet Explorer:

Note, if ESET will not run, it is probably being blocked by the "SmartService" infection, in which case, please move to Step :step2:. Be aware that, depending on the severity of the infections detected, ESET could take an hour or more to run. Be patient ... as long as it IS running.

Note: You will need to disable your currently installed Anti-Virus; how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Then select: "Enable detection of potentially unwanted applications" - Yes.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were detected.

Don't forget to re-enable your antivirus when finished!

.

:step2: Let's run a Malwarebytes Anti-Rootkit (MBAR) Scan.

  • Download Malwarebytes Anti-Rootkit from this link.
  • Run the file and follow the onscreen instructions to extract it to a location of your choosing (your desktop by default).
  • Malwarebytes Anti-Rootkit will then open, follow the instruction in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional: Internet access, Windows Update, Windows Firewall.
  • If there are additional problems with your system, such as any of those listed above or other system issues, then run the "fixdamage" tool included with Malwarebytes Anti-Rootkit located within the "Plugins" folder and reboot.
  • Verify that your system is now functioning normally.
  • If you experience any problems running the tool or it hasn't fully resolved all of the issues you had, please let me know.

If neither anti-malware tool is able to run or remove the infection, then we will resort to the more complex method involving a USB flash drive, "clean" computer and running FRST from within the Recovery Environment on your infected computer.  Don't worry, we will terminate this nuisance malware with "extreme prejudice"! :) :smash:

Thank you, GOOD LUCK, and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#12 CaptainFistula

CaptainFistula
  • Topic Starter

  • Members
  • 13 posts
  • Local time:12:10 AM

Posted 22 February 2018 - 02:11 PM

Greetings Phil,

   Thank you for helping to keep a positive outlook on this situation!   I was able to begin ESET scanning as you describe, and that will take a while.  

Do I ALSO want to do MBAR after, or only ESET since it was able to run?



#13 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,623 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:10 AM

Posted 22 February 2018 - 02:32 PM

Al:
 
Thank you for your post and for the great news that ESET is running! :thumbup2:  We might get away easy, but as I said, don't worry, we will get your computer cleaned.  You, and I, have the benefit of all of the anti-malware expertise here at Bleeping Computer, and that is CONSIDERABLE expertise! :busy:
 
.
 
:step1: Yes, please run the MBAR scan after rebooting your computer, if ESET does not reboot it.  It might not, if nothing is detected, and also there will be no ESET log in the event that there are no detections.
 
Once you have rebooted from the MBAR scan, please run an MBAM scan for me as well.
 
.
 
:step2: Please run a Malwarebytes Anti-Malware scan for me.

  • Please download Malwarebytes to your Desktop.
  • Double-click mb3-setup-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Next, please go to "Settings", "Protection", and turn on "Scan for rootkits", if it is not "On."
  • Ensure that under "Potential Threat Protection", both switches are set to "Always Detect PUPs/PUMs (recommended)."
  • Then scroll to the bottom of that page and ensure that "Automatic Quarantine" is turned "On."
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If an update of the definitions is available, it will be downloaded and installed before the scan commences.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

The Scan log is available through History -> Application logs. Please copy and paste the contents of the log into your next reply.

.

We might as well save some time, since I will be off-line now until late tomorrow morning or tomorrow afternoon.  "Real life" does get in the way of my joy at destroying malware whenever and wherever I find it! :)  :flamethrower:

 

I will talk to you tomorrow.  Good luck with the MBAR and MBAM scans!  Have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#14 CaptainFistula

CaptainFistula
  • Topic Starter

  • Members
  • 13 posts
  • Local time:12:10 AM

Posted 22 February 2018 - 06:07 PM

Greetings Phil,

My two mystery malicious processes still seem to be running in task manager.  Also, only in the last 2-3 days, my favorite game has been randomly closing in the middle of online play.   Also prior to my original post here, but only in the past few days of use, Malwarebytes would often close itself after being open and scanning for 1 min.

 

Response to your steps:

I ran ESET, then reset, ran MBAR, after which, while surfing the net and trying to play a game which magically closed itself, the whole system hung up and wouldn't let me close the completed MBAR scan (which revealed nothing).   So I restarted and opened Malwarebytes to perform your requested scan in that; I clicked "update definitions", which it did, then the program closed itself, and its process is also no longer in task manager.   Might have to bring out the big guns, a la in recovery environment?   awwww.

 

Please keep in mind, the MBAM scan I ran as the 3rd step was based off the MBAM I downloaded myself a couple months ago, so it was not a fresh download today, but obviously ran with updated definitions.

 

 

ESET Log:

 

C:\Users\Allison Lewski\AppData\Local\Temp\ing.exe    Win32/Indiloadz.U trojan    cleaned by deleting
C:\Users\Allison Lewski\AppData\Local\Temp\is-662N0.tmp\pelcf.dll    a variant of Win32/Adware.Adposhel.AS application    cleaned by deleting
 

 

MBAR Log:

 

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org

Database version:
  main:    v2018.02.22.09
  rootkit: v2018.01.23.01

Windows 8.1 x64 NTFS
Internet Explorer 11.0.9600.18861
Allison Lewski :: ALLISON [administrator]

2/22/2018 2:28:24 PM
mbar-log-2018-02-22 (14-28-24).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 187515
Time elapsed: 7 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 

 

MBAM Log:

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/22/18
Scan Time: 4:03 PM
Log File: 9a7a845e-1824-11e8-ad98-bcaec5b71406.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.4058
License: Free

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Allison\Allison Lewski

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 238393
Threats Detected: 4
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 3 min, 32 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 4
PUP.Optional.OnlineIO, C:\WINDOWS\INSTALLER\SOURCEHASH{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}, Removal Failed, [512], [391431],1.0.4058
PUP.Optional.WinResSync, C:\USERS\ALLISON LEWSKI\APPDATA\ROAMING\MICROSOFT\PROTECT\WINRESCHECK.WRC, Removal Failed, [2715], [471379],1.0.4058
PUP.Optional.WinResSync.Generic, C:\USERS\ALLISON LEWSKI\APPDATA\ROAMING\MICROSOFT\PROTECT\b65560-6d18b1-c1bd9296-aa15f0-08c0.rs, Removal Failed, [7855], [462913],1.0.4058
PUP.Optional.WinResSync.Generic, C:\USERS\ALLISON LEWSKI\APPDATA\ROAMING\MICROSOFT\PROTECT\b65560-6d18b1-c1bd9296-aa15f0-08c0.tpl.rs, Removal Failed, [7855], [462913],1.0.4058

Physical Sector: 0
(No malicious items detected)


(end)


Edited by CaptainFistula, 23 February 2018 - 11:42 AM.


#15 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,623 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:10 AM

Posted 23 February 2018 - 12:37 PM

Al:

 

Thank you for your post and those logs.  It would help if you would always use the latest version of the anti-malware tools when scans are requested.  The newer versions bring new capabilities to bear on new and mutating threats.  However, for now I am going to assume that you do have a "SmartService" infection, although I am very concerned about the Hard Drive Controller errors that I am seeing in both "Addition.txt" logs that you submitted.  A dying hard drive can wreak all kinds of unique havoc with a computer that could mistakenly be attributed to malware.

 

I want you to run this short FRST "fixlist" script for me, preparatory to enabling FRST to kill any SmartService infection in the Windows Recovery Environment.  Please follow the instructions in this previous post to run the script, but use the contents of the code box below instead of the other script.

 

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::
 
Please copy and paste the contents of the "fixlog.txt" into your next reply, and we will then move on to the big assault against the SmartService infection.
 
Today is my weekly backup day for my two computers, so it could be a few hours before I am back online, after I get caught up on my other active log topics. :busy:
 
Thank you and have a great day.
 
Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators




