
Chevys and Macht processes multiplying, can't get rid of them


  • This topic is locked
3 replies to this topic

#1 cknowlan

Posted 21 March 2018 - 07:53 PM

Two processes keep multiplying themselves, eating up CPU and memory until the laptop cannot function.

I have run Malwarebytes and killed 1183 infected files, but it did not eliminate the two processes.

This is my second post. The first one resulted in me running a bunch of logs.

Here is the log the gentleman told me to post in my new topic.

FRST output


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.03.2018
Ran by owner (administrator) on DESKTOP-QUDIBUB (21-03-2018 17:12:30)
Running from C:\Users\owner\Desktop
Loaded Profiles: owner (Available Profiles: defaultuser0 & owner)
Platform: Windows 10 Pro Version 1607 14393.1066 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Windows\System32\vmms.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\vmcompute.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
() C:\Program Files (x86)\antagonized\macht.exe
() C:\Users\owner\AppData\Local\chevys.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
() C:\Users\owner\AppData\Local\macht.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.14.675.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamTray.exe
() C:\Users\owner\AppData\Local\chevys.exe
() C:\Program Files (x86)\antagonized\macht.exe
() C:\Users\owner\AppData\Local\macht.exe
(Microsoft Corporation) C:\Windows10Upgrade\Windows10UpgraderApp.exe
(Microsoft Corporation) C:\Program Files\rempl\remsh.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1051_none_7f2bf7ea21d201b2\TiWorker.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Corporation) C:\Windows\System32\SppExtComObj.Exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2017-03-27] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3954352 2016-04-28] (Synaptics Incorporated)
HKLM\...\Run: [mtn] => "C:\Program Files (x86)\Throwbacks\chevys.exe" 0wX
HKLM\...\Run: [mtnafterword] => C:\Program Files (x86)\antagonized\macht.exe [139776 2018-03-09] ()
HKLM\...\Run: [mtnmtn] => "C:\Program Files (x86)\Chert\chevys.exe" 0wX
HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe [136488 2010-08-20] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] => C:\Program Files (x86)\CyberLink\YouCam\YouCamTray.exe [162912 2010-08-20] (CyberLink Corp.)
HKLM-x32\...\Run: [chamomile] => "C:\Program Files (x86)\Throwbacks\chevys.exe" 0wX
HKLM-x32\...\Run: [chamomilekulp] => C:\Program Files (x86)\antagonized\macht.exe [139776 2018-03-09] ()
HKLM-x32\...\Run: [chamomilechamomile] => "C:\Program Files (x86)\Chert\chevys.exe" 0wX
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\Run: [TUGX8P0GN6MIS7E] => "C:\Program Files (x86)\PubHotspot\11AS1.exe"
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\Run: [kulp] => "C:\Program Files (x86)\Throwbacks\chevys.exe" 0wX
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\Run: [kulpchamomile] => C:\Program Files (x86)\antagonized\macht.exe [139776 2018-03-09] ()
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\Run: [kulpkulp] => "C:\Program Files (x86)\Chert\chevys.exe" 0wX
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\Run: [afterword] => "C:\Program Files (x86)\Throwbacks\chevys.exe" 0wX
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\Run: [afterwordmtn] => C:\Program Files (x86)\antagonized\macht.exe [139776 2018-03-09] ()
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\Run: [afterwordafterword] => "C:\Program Files (x86)\Chert\chevys.exe" 0wX
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\Run: [riverbanks] => C:\Program Files (x86)\basf\riverbanks.exe [66839 2018-03-09] ()
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\Run: [govern] => "C:\Program Files (x86)\Throwbacks\chevys.exe" 0wX
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\Run: [dixons] => C:\Program Files (x86)\archaic\dixons.exe [40336 2017-04-19] ()
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\Run: [eyewear] => "C:\Program Files (x86)\archaic\humbling.exe"
Startup: C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mestre.lnk [2018-03-12]
ShortcutTarget: mestre.lnk -> C:\Program Files (x86)\Throwbacks\chevys.exe (No File)
Startup: C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mestremestre.lnk [2018-03-12]
ShortcutTarget: mestremestre.lnk -> C:\Program Files (x86)\antagonized\macht.exe ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.43.1
Tcpip\Parameters: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{09eb982c-5071-4d13-a74c-cc237ddae77f}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{09eb982c-5071-4d13-a74c-cc237ddae77f}: [DhcpNameServer] 192.168.43.1
Tcpip\..\Interfaces\{0c3f2f85-350d-4e01-ad98-28336d0828c8}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{4816a4a7-9f0c-4a9b-a3c1-2757820a0c3d}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{6354e82a-9add-44ad-acff-75a6ac5e2c43}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{756ae78b-6cdb-11e6-98ff-806e6f6e6963}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{881300ad-30cf-468a-a38e-a9080f2e0c02}: [NameServer] 8.8.8.8
ManualProxies: 
 
Internet Explorer:
==================
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-03-10] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-03-10] (Google Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxps://www.google.com/
CHR StartupUrls: Default -> "hxxps://www.google.com/"
CHR Profile: C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default [2018-03-12]
CHR Extension: (Slides) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-03-10]
CHR Extension: (Docs) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-03-10]
CHR Extension: (Google Drive) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-04-03]
CHR Extension: (YouTube) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-04-03]
CHR Extension: (Sheets) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-03-10]
CHR Extension: (Google Docs Offline) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-04-03]
CHR Extension: (Chrome Web Store Payments) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-03-10]
CHR Extension: (Gmail) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-04-03]
CHR Extension: (Chrome Media Router) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-03-12]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 DsRoleSvc; C:\Windows\system32\dsrolesrv.dll [293376 2017-05-01] (Microsoft Corporation)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135488 2017-07-26] (SurfRight B.V.)
S3 hns; C:\Windows\System32\HostNetSvc.dll [584192 2017-05-01] (Microsoft Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6440736 2018-03-03] (Malwarebytes)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [2889896 2016-09-15] (Microsoft Corporation)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [253960 2016-04-28] (Synaptics Incorporated)
R3 vmcompute; C:\Windows\system32\vmcompute.exe [1915392 2017-05-01] (Microsoft Corporation)
R2 vmms; C:\Windows\system32\vmms.exe [14423040 2017-05-01] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2017-03-27] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2017-03-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
R0 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253664 2018-03-12] (Malwarebytes)
R2 msdcb; C:\Windows\System32\drivers\msdcb.sys [70144 2017-05-01] (Microsoft Corporation)
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 netr28x; C:\Windows\System32\drivers\netr28x.sys [2504192 2016-07-16] (MediaTek Inc.)
S3 pvhdparser; C:\Windows\System32\drivers\pvhdparser.sys [50176 2017-05-01] (Microsoft Corporation)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [310528 2015-06-29] (Realtek Semiconductor Corp.)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [589824 2016-07-16] (Realtek )
R3 rtbth; C:\Windows\System32\drivers\rtbth.sys [1219200 2015-06-03] (Ralink Technology, Corp.)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [52904 2016-04-28] (Synaptics Incorporated)
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [165504 2016-09-05] (Samsung Electronics Co., Ltd.)
S3 usbrndis6; C:\Windows\System32\drivers\usb80236.sys [23040 2016-07-16] (Microsoft Corporation)
R1 VfpExt; C:\Windows\System32\drivers\vfpext.sys [988672 2017-05-01] (Microsoft Corporation)
S3 vhdparser; C:\Windows\System32\drivers\vhdparser.sys [26624 2017-05-01] (Microsoft Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
R3 WirelessButtonDriver64; C:\Windows\system32\DRIVERS\WirelessButtonDriver64.sys [31656 2016-04-13] (HP)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVC: hns -> C:\Windows\System32\HostNetSvc.dll (Microsoft Corporation)
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-03-21 17:12 - 2018-03-21 17:13 - 000012492 _____ C:\Users\owner\Desktop\FRST.txt
2018-03-21 17:11 - 2018-03-21 19:05 - 002403328 _____ (Farbar) C:\Users\owner\Desktop\FRST64.exe
2018-03-21 17:11 - 2018-03-21 17:12 - 000000000 ____D C:\FRST
2018-03-12 17:26 - 2018-03-12 17:26 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\42774315.sys
2018-03-12 17:25 - 2018-03-12 17:25 - 000192952 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2018-03-12 17:25 - 2018-03-12 16:52 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2018-03-12 17:24 - 2018-03-12 16:58 - 000000000 ____D C:\Users\owner\Desktop\mbar
2018-03-12 17:23 - 2018-03-12 16:57 - 014178840 _____ (Malwarebytes Corp.) C:\Users\owner\Desktop\mbar-1.10.3.1001.exe
2018-03-12 17:02 - 2018-03-12 19:00 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\owner\Desktop\rkill.exe
2018-03-12 17:02 - 2018-03-12 17:05 - 000003176 _____ C:\Users\owner\Desktop\Rkill.txt
2018-03-12 17:00 - 2018-03-12 17:00 - 000007949 _____ C:\Users\owner\Desktop\malB.txt
2018-03-12 16:49 - 2018-03-12 16:49 - 000004422 _____ C:\Users\owner\Desktop\mbar-log-2018-03-12 (17-26-39).txt
2018-03-12 16:32 - 2018-03-12 16:32 - 000000000 ___HD C:\$GetCurrent
2018-03-12 16:29 - 2018-03-12 16:30 - 000025435 _____ C:\Users\owner\Desktop\MTB.txt
2018-03-12 16:27 - 2018-03-12 16:24 - 000892416 _____ (Farbar) C:\Users\owner\Desktop\MiniToolBox.exe
2018-03-12 16:21 - 2018-03-12 16:21 - 000002938 _____ C:\Users\owner\Desktop\FSS.txt
2018-03-12 16:20 - 2018-03-21 17:08 - 000000000 ____D C:\Windows10Upgrade
2018-03-12 16:20 - 2018-03-21 16:58 - 000000807 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows 10 Update Assistant.lnk
2018-03-12 16:20 - 2018-03-21 16:58 - 000000795 _____ C:\Users\owner\Desktop\Windows 10 Update Assistant.lnk
2018-03-12 16:18 - 2018-03-12 16:16 - 000899584 _____ (Farbar) C:\Users\owner\Desktop\FSS.exe
2018-03-12 15:59 - 2018-03-12 16:10 - 000000948 _____ C:\Users\owner\Desktop\checkup.txt
2018-03-12 15:56 - 2018-03-12 15:45 - 000852798 _____ C:\Users\owner\Desktop\SecurityCheck.exe
2018-03-10 13:02 - 2018-03-10 13:02 - 000000732 _____ C:\Users\owner\Downloads\Downloads - Shortcut.lnk
2018-03-10 01:16 - 2018-03-10 14:23 - 000000000 ____D C:\ProgramData\AVG
2018-03-10 01:12 - 2018-03-10 01:16 - 007371128 _____ (AVG Technologies CZ, s.r.o.) C:\Users\owner\Downloads\avg_antivirus_free_setup.exe
2018-03-10 00:41 - 2018-03-10 00:42 - 000000000 ___HD C:\$WINDOWS.~BT
2018-03-10 00:41 - 2018-03-10 00:42 - 000000000 ____D C:\Program Files\UNP
2018-03-10 00:41 - 2018-03-10 00:41 - 000003378 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2069836725-4032621661-3516960666-1002
2018-03-10 00:41 - 2018-03-10 00:41 - 000000000 ____D C:\Windows\UpdateAssistant
2018-03-10 00:41 - 2018-03-10 00:41 - 000000000 ____D C:\Windows\system32\UNP
2018-03-10 00:40 - 2018-03-10 00:40 - 000000000 ____D C:\Program Files\rempl
2018-03-10 00:35 - 2018-03-12 16:43 - 000253664 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-03-09 21:04 - 2018-02-18 04:00 - 000026408 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2018-03-09 21:04 - 2018-02-18 03:31 - 000023552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2018-03-09 21:04 - 2018-02-18 03:26 - 000557568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\StoreAgent.dll
2018-03-09 21:04 - 2018-02-18 03:26 - 000180224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\InstallAgent.exe
2018-03-09 21:04 - 2018-02-18 03:26 - 000048640 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2018-03-09 21:04 - 2018-02-18 03:26 - 000032768 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2018-03-09 21:04 - 2018-02-18 03:24 - 000223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\InstallAgentUserBroker.exe
2018-03-09 21:04 - 2018-02-18 03:23 - 000033280 _____ (Microsoft Corporation) C:\Windows\system32\wuautoappupdate.dll
2018-03-09 21:04 - 2018-02-18 03:22 - 000165376 _____ (Microsoft Corporation) C:\Windows\system32\storewuauth.dll
2018-03-09 21:04 - 2018-02-18 03:20 - 000211968 _____ (Microsoft Corporation) C:\Windows\system32\InstallAgent.exe
2018-03-09 21:04 - 2018-02-18 03:19 - 000078336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\updatepolicy.dll
2018-03-09 21:04 - 2018-02-18 03:17 - 000711680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2018-03-09 21:04 - 2018-02-18 03:16 - 000748544 _____ (Microsoft Corporation) C:\Windows\system32\StoreAgent.dll
2018-03-09 21:04 - 2018-02-18 03:16 - 000299008 _____ (Microsoft Corporation) C:\Windows\system32\updatehandlers.dll
2018-03-09 21:04 - 2018-02-18 03:16 - 000260608 _____ (Microsoft Corporation) C:\Windows\system32\InstallAgentUserBroker.exe
2018-03-09 21:04 - 2018-02-18 03:15 - 000092672 _____ (Microsoft Corporation) C:\Windows\system32\updatepolicy.dll
2018-03-09 21:04 - 2018-02-18 03:14 - 000558080 _____ (Microsoft Corporation) C:\Windows\system32\usocore.dll
2018-03-09 21:04 - 2018-02-18 03:12 - 000870400 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2018-03-09 21:04 - 2018-02-18 03:11 - 002321920 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2018-03-09 21:04 - 2018-02-18 03:11 - 001224704 _____ (Microsoft Corporation) C:\Windows\system32\dosvc.dll
2018-03-09 21:04 - 2018-02-18 03:11 - 000392192 _____ (Microsoft Corporation) C:\Windows\system32\wuuhext.dll
2018-03-09 21:04 - 2017-12-31 21:51 - 000052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\usoapi.dll
2018-03-09 21:04 - 2017-12-31 21:49 - 000073728 _____ (Microsoft Corporation) C:\Windows\system32\usoapi.dll
2018-03-09 21:04 - 2017-12-31 21:49 - 000053248 _____ (Microsoft Corporation) C:\Windows\system32\musdialoghandlers.dll
2018-03-09 21:04 - 2017-12-31 21:48 - 000310784 _____ (Microsoft Corporation) C:\Windows\system32\MusNotification.exe
2018-03-09 21:04 - 2017-12-31 21:48 - 000135168 _____ (Microsoft Corporation) C:\Windows\system32\MusNotificationUx.exe
2018-03-09 21:04 - 2017-12-31 21:41 - 000577024 _____ (Microsoft Corporation) C:\Windows\system32\MusUpdateHandlers.dll
2018-03-09 21:04 - 2017-11-01 15:12 - 000032768 _____ (Microsoft Corporation) C:\Windows\system32\UsoClient.exe
2018-03-09 21:04 - 2017-09-17 19:27 - 000326656 _____ (Microsoft Corporation) C:\Windows\system32\domgmt.dll
2018-03-09 21:04 - 2017-08-21 22:08 - 000079872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2018-03-09 21:04 - 2017-08-21 22:06 - 000093696 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2018-03-09 21:04 - 2017-06-20 23:50 - 001054208 _____ (Microsoft Corporation) C:\Windows\system32\qmgr.dll
2018-03-09 21:02 - 2018-01-26 11:16 - 002003288 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2018-03-09 21:02 - 2018-01-26 11:16 - 001577816 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2018-03-09 21:02 - 2018-01-26 11:16 - 000758104 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2018-03-09 21:02 - 2018-01-26 11:16 - 000662872 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2018-03-09 21:02 - 2018-01-26 11:16 - 000613208 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2018-03-09 21:02 - 2018-01-26 11:16 - 000387416 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2018-03-09 21:02 - 2018-01-26 11:16 - 000270680 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2018-03-09 21:02 - 2018-01-26 11:16 - 000245080 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2018-03-09 21:02 - 2018-01-26 11:16 - 000138072 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2018-03-09 21:02 - 2018-01-26 11:16 - 000069976 _____ (Microsoft Corporation) C:\Windows\system32\win32appinventorycsp.dll
2018-03-09 21:02 - 2018-01-26 11:15 - 000460632 _____ (Microsoft Corporation) C:\Windows\system32\dcntel.dll
2018-03-09 21:02 - 2018-01-26 11:15 - 000035160 _____ (Microsoft Corporation) C:\Windows\system32\DeviceCensus.exe
2018-03-09 21:02 - 2018-01-26 11:02 - 000484184 _____ (Microsoft Corporation) C:\Windows\system32\pcasvc.dll
2018-03-09 21:02 - 2018-01-26 10:23 - 000044544 _____ (Microsoft Corporation) C:\Windows\system32\pcadm.dll
2018-03-09 21:02 - 2018-01-26 10:22 - 000029696 _____ (Microsoft Corporation) C:\Windows\system32\pcalua.exe
2018-03-09 21:02 - 2018-01-26 06:40 - 000199000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aepic.dll
2018-03-09 20:35 - 2018-03-09 20:36 - 000365068 _____ C:\Windows\Minidump\030918-39218-01.dmp
2018-03-09 20:35 - 2018-03-09 20:35 - 619682739 _____ C:\Windows\MEMORY.DMP
2018-03-09 20:35 - 2018-03-09 20:35 - 000000000 ____D C:\Windows\Minidump
2018-03-09 20:04 - 2018-03-09 20:28 - 000000258 __RSH C:\ProgramData\ntuser.pol
2018-03-09 20:03 - 2018-03-09 20:03 - 000000000 ____D C:\Program Files (x86)\municipally
2018-03-09 19:54 - 2018-03-10 00:32 - 000001694 _____ C:\Windows\system32\.crusader
2018-03-09 19:39 - 2018-03-09 19:39 - 000000000 ____D C:\Users\owner\AppData\Roaming\Screenshot Pro
2018-03-09 19:36 - 2018-03-09 19:36 - 000247889 _____ C:\Users\owner\Desktop\fixlog.txt
2018-03-09 19:36 - 2018-03-09 19:36 - 000014040 ____N C:\Windows\system32\Drivers\WinmonFS.sys
2018-03-09 19:36 - 2018-03-09 19:36 - 000014040 ____N C:\Windows\system32\Drivers\Winmon.sys
2018-03-09 19:35 - 2018-03-09 19:36 - 007786336 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlmp.exe
2018-03-09 19:35 - 2018-03-09 19:36 - 001172984 _____ (Microsoft Corporation) C:\Windows\system32\osloader.exe
2018-03-09 19:32 - 2018-03-09 19:32 - 000000000 ____D C:\Users\owner\AppData\Roaming\FastDataX
2018-03-09 19:31 - 2018-03-09 19:55 - 000003656 _____ C:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTask
2018-03-09 19:31 - 2018-03-09 19:31 - 000001810 _____ C:\Users\owner\AppData\Roaming\ROZNG9Z.exe.config
2018-03-09 19:30 - 2018-03-09 19:52 - 000704000 _____ C:\Windows\system32\mcicda64.dll
2018-03-09 19:30 - 2018-03-09 19:31 - 000000000 ____D C:\Program Files (x86)\ShutdownTime
2018-03-09 19:30 - 2018-03-09 19:30 - 000003034 _____ C:\Windows\System32\Tasks\WlbBJSMcknvngxNxC2
2018-03-09 19:30 - 2018-03-09 19:30 - 000000000 ____D C:\Program Files\My Program
2018-03-09 19:29 - 2018-03-09 19:30 - 000000000 ____D C:\Users\owner\AppData\LocalLow\HHbsGmflFYCDR
2018-03-09 19:10 - 2018-03-09 19:10 - 000003984 _____ C:\Windows\System32\Tasks\wiederaufbau_faience
2018-03-09 19:10 - 2018-03-09 19:10 - 000003940 _____ C:\Windows\System32\Tasks\strate skated
2018-03-09 19:10 - 2018-03-09 19:10 - 000003880 _____ C:\Windows\System32\Tasks\gawiederaufbau_faiencewiederaufbau_faience
2018-03-09 19:10 - 2018-03-09 19:10 - 000003822 _____ C:\Windows\System32\Tasks\gastrate skatedstrate skated
2018-03-09 19:09 - 2018-03-09 20:03 - 000000000 ____D C:\Program Files (x86)\kneip
2018-03-09 19:09 - 2018-03-09 19:09 - 000004002 _____ C:\Windows\System32\Tasks\preying casazza feeding
2018-03-09 19:09 - 2018-03-09 19:09 - 000004000 _____ C:\Windows\System32\Tasks\makepeace-supervisors
2018-03-09 19:09 - 2018-03-09 19:09 - 000003970 _____ C:\Windows\System32\Tasks\minimized_boisseau
2018-03-09 19:09 - 2018-03-09 19:09 - 000003904 _____ C:\Windows\System32\Tasks\gapreying casazza feedingpreying casazza feeding
2018-03-09 19:09 - 2018-03-09 19:09 - 000003898 _____ C:\Windows\System32\Tasks\gamakepeace-supervisorsmakepeace-supervisors
2018-03-09 19:09 - 2018-03-09 19:09 - 000003892 _____ C:\Windows\System32\Tasks\mor
2018-03-09 19:09 - 2018-03-09 19:09 - 000003862 _____ C:\Windows\System32\Tasks\gaminimized_boisseauminimized_boisseau
2018-03-09 19:09 - 2018-03-09 19:09 - 000003754 _____ C:\Windows\System32\Tasks\gamormor
2018-03-09 19:09 - 2018-03-09 19:09 - 000000000 ___HD C:\Program Files (x86)\basf
2018-03-09 19:08 - 2018-03-10 15:01 - 000000000 ___HD C:\Program Files (x86)\Chert
2018-03-09 19:08 - 2018-03-09 19:08 - 000000000 ____D C:\Program Files (x86)\antagonized
2018-03-09 19:06 - 2018-03-09 19:06 - 000140800 _____ C:\Users\owner\AppData\Local\installer.dat
2018-03-09 19:04 - 2018-03-09 20:33 - 000000000 ____D C:\Users\owner\AppData\Local\26ab3df7d6e843549769d43c80c526a7
2018-03-09 19:04 - 2018-03-09 20:00 - 000000000 ____D C:\Program Files (x86)\Driver Updater Plus
2018-03-09 19:03 - 2018-03-09 20:04 - 000000000 ____D C:\Program Files (x86)\driverupdaterplus
2018-03-09 19:03 - 2018-03-09 19:54 - 000000000 ____D C:\Users\owner\AppData\Local\fc9cd60d2f804394b480c78a9a7dc1ba
2018-03-09 18:55 - 2018-03-09 18:55 - 000000022 _____ C:\Users\owner\Desktop\ESETPoweliksCleaner.exe_20180309.175536.7220.zip
2018-03-09 18:51 - 2018-03-12 17:26 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-03-09 18:51 - 2018-03-12 16:52 - 000002091 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-03-09 18:51 - 2018-03-09 18:51 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-03-09 18:51 - 2018-03-09 18:51 - 000000000 ____D C:\Program Files\Malwarebytes
2018-03-09 18:51 - 2018-01-18 09:03 - 000076200 _____ C:\Windows\system32\Drivers\mbae64.sys
2018-03-09 14:27 - 2018-03-09 20:33 - 000000000 ____D C:\Users\owner\AppData\Local\IisBetta
2018-03-09 14:05 - 2018-03-09 14:05 - 000139776 _____ C:\Windows\evangelization.exe
2018-03-09 14:05 - 2018-03-09 14:05 - 000139776 _____ C:\Users\owner\AppData\Local\macht.exe
2018-03-09 14:05 - 2018-03-09 14:05 - 000139776 _____ C:\Users\owner\AppData\Local\chevys.exe
2018-03-09 12:52 - 2018-03-09 12:52 - 000000022 _____ C:\Users\owner\Desktop\ESETPoweliksCleaner.exe_20180309.115258.9336.zip
2018-03-09 03:41 - 2018-03-09 03:41 - 000539136 _____ C:\Windows\2ded469b0c7b6d2401aa54ba6d6743c1.exe
2018-03-09 03:41 - 2018-03-09 03:41 - 000047249 _____ C:\Windows\uninstaller.dat
2018-03-09 03:41 - 2018-03-09 03:41 - 000014040 _____ C:\Windows\system32\Drivers\c0dbb67a79765d890ffbba1806880907.sys
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-03-21 17:08 - 2017-05-01 18:09 - 000000000 ____D C:\Windows\AppReadiness
2018-03-21 17:08 - 2016-07-16 04:47 - 000000000 ___HD C:\Program Files\WindowsApps
2018-03-21 17:08 - 2016-07-16 04:45 - 000000000 ____D C:\Windows\INF
2018-03-21 16:59 - 2016-08-27 20:54 - 000000000 ____D C:\Windows\system32\SleepStudy
2018-03-12 17:56 - 2016-07-16 04:36 - 000000000 ____D C:\Windows\CbsTemp
2018-03-12 17:23 - 2017-03-22 13:48 - 000000000 ____D C:\Users\owner\AppData\Local\Packages
2018-03-12 17:17 - 2016-07-16 04:47 - 000000000 ____D C:\Windows\rescache
2018-03-12 17:16 - 2016-07-15 23:04 - 000524288 _____ C:\Windows\system32\config\BBI
2018-03-12 17:01 - 2017-03-22 13:43 - 000000000 ____D C:\Users\owner
2018-03-12 16:58 - 2017-05-01 13:26 - 000000000 ____D C:\Users\owner\AppData\Local\ufldq
2018-03-12 16:55 - 2017-03-22 13:43 - 002257620 _____ C:\Windows\system32\PerfStringBackup.INI
2018-03-12 16:52 - 2017-07-26 00:33 - 000001960 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2018-03-12 16:52 - 2017-04-13 16:16 - 000001275 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Studio One 3.lnk
2018-03-12 16:52 - 2017-04-13 16:16 - 000001257 _____ C:\Users\Public\Desktop\Studio One 3.lnk
2018-03-12 16:52 - 2017-04-12 15:51 - 000001330 _____ C:\Users\Public\Desktop\CyberLink YouCam.lnk
2018-03-12 16:52 - 2017-03-22 13:50 - 000002365 _____ C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2018-03-12 16:51 - 2016-08-27 20:54 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-03-10 14:25 - 2016-07-16 04:47 - 000000000 ____D C:\Windows\system32\appraiser
2018-03-10 14:24 - 2016-07-16 04:47 - 000000000 ____D C:\Windows\PolicyDefinitions
2018-03-10 00:53 - 2017-04-03 16:03 - 000003416 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2018-03-10 00:53 - 2017-04-03 16:03 - 000003292 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2018-03-10 00:53 - 2017-04-03 16:03 - 000000000 ____D C:\Program Files (x86)\Google
2018-03-10 00:44 - 2016-08-27 21:53 - 000000000 ____D C:\Windows\Panther
2018-03-10 00:41 - 2017-04-03 17:32 - 000002772 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task v2
2018-03-10 00:41 - 2017-03-22 13:50 - 000000000 ___RD C:\Users\owner\OneDrive
2018-03-10 00:33 - 2017-03-22 13:39 - 000000000 ____D C:\Users\defaultuser0.DESKTOP-QUDIBUB
2018-03-10 00:33 - 2016-08-27 20:55 - 000000000 ____D C:\Users\defaultuser0
2018-03-09 20:40 - 2017-05-01 13:27 - 000000000 ____D C:\Users\owner\AppData\Roaming\AGData
2018-03-09 20:33 - 2017-05-01 13:56 - 000000000 ____D C:\Users\Default\WindowsUpdate
2018-03-09 20:11 - 2017-07-26 00:33 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2018-03-09 19:55 - 2017-07-26 00:29 - 000000000 ____D C:\ProgramData\HitmanPro
2018-03-09 19:54 - 2017-07-26 00:18 - 000000000 ____D C:\Windows\src_srv_2
2018-03-09 19:54 - 2017-05-01 13:27 - 000000000 ____D C:\Program Files (x86)\AdBlocker
2018-03-09 19:54 - 2016-07-15 23:04 - 000000000 ____D C:\Program Files\Alamic Guitar Voice Maker
2018-03-09 19:34 - 2017-05-01 13:29 - 000000000 ____D C:\Program Files (x86)\archaic
2018-03-09 19:34 - 2017-05-01 13:28 - 000000000 ____D C:\Program Files\SH8KEUW16P
2018-03-09 19:34 - 2017-05-01 13:28 - 000000000 ____D C:\Program Files\O13TUPG9L7
2018-03-09 19:34 - 2017-05-01 13:27 - 000000000 ____D C:\Program Files\X1ZQMR3OXW
2018-03-09 19:34 - 2017-05-01 13:27 - 000000000 ____D C:\Program Files\V79K4WC8AO
2018-03-09 19:34 - 2017-05-01 13:27 - 000000000 ____D C:\Program Files\GYEG9P791Z
2018-03-09 19:34 - 2017-05-01 13:27 - 000000000 ____D C:\Program Files (x86)\AnonymizerGadget
2018-03-09 19:33 - 2017-07-25 23:54 - 000000000 ____D C:\Users\owner\AppData\Local\llssoft
2018-03-09 19:27 - 2016-07-16 04:47 - 000000000 ___HD C:\Windows\system32\GroupPolicy
2018-03-09 19:20 - 2017-05-01 13:28 - 000000000 ____D C:\Users\owner\AppData\Roaming\801494
2018-03-09 19:20 - 2017-05-01 13:27 - 000000000 ____D C:\Users\owner\AppData\Roaming\761523
2018-03-09 19:20 - 2017-05-01 13:27 - 000000000 ____D C:\Users\owner\AppData\Roaming\368498
2018-03-09 19:20 - 2017-05-01 13:26 - 000000000 ____D C:\ProgramData\VideoMemoryDiagnostic
2018-03-09 19:18 - 2017-05-01 13:30 - 000000000 ____D C:\Program Files (x86)\ProxyGate
2018-03-09 19:02 - 2016-08-27 20:55 - 000000000 ____D C:\Program Files\MSBuild
2018-03-09 19:01 - 2016-07-16 04:47 - 000000000 __SHD C:\Program Files\Windows Sidebar
 
==================== Files in the root of some directories =======
 
2017-05-01 18:13 - 2017-05-01 18:13 - 000000824 _____ () C:\Program Files\hosts.txt
2017-05-01 13:28 - 2017-05-01 13:28 - 000140288 _____ () C:\Users\owner\AppData\Roaming\Installer.dat
2018-03-09 19:31 - 2018-03-09 19:31 - 000001810 _____ () C:\Users\owner\AppData\Roaming\ROZNG9Z.exe.config
2018-03-09 14:05 - 2018-03-09 14:05 - 000139776 _____ () C:\Users\owner\AppData\Local\chevys.exe
2018-03-09 19:06 - 2018-03-09 19:06 - 000140800 _____ () C:\Users\owner\AppData\Local\installer.dat
2018-03-09 14:05 - 2018-03-09 14:05 - 000139776 _____ () C:\Users\owner\AppData\Local\macht.exe
2017-05-01 13:28 - 2017-05-01 13:28 - 000000000 _____ () C:\Users\owner\AppData\Local\run.txt
2017-05-01 13:30 - 2017-05-01 13:30 - 000000001 _____ () C:\Users\owner\AppData\Local\setupsuccessful.txt
 
Some files in TEMP:
====================
2017-05-01 13:27 - 2017-05-01 13:27 - 000931704 _____ () C:\Users\owner\AppData\Local\Temp\AnonymizerGadgetSetup.1.000.1680.exe
2018-03-09 19:35 - 2018-03-09 19:35 - 001527488 _____ (Microsoft Corporation) C:\Users\owner\AppData\Local\Temp\dbghelp.dll
2017-03-31 20:32 - 2017-03-31 20:32 - 000744080 _____ () C:\Users\owner\AppData\Local\Temp\InstallHelper.exe
2018-03-09 19:35 - 2018-03-09 19:35 - 000167616 _____ (Microsoft Corporation) C:\Users\owner\AppData\Local\Temp\symsrv.dll
2018-03-09 13:29 - 2018-03-09 13:29 - 000046924 _____ () C:\Users\owner\AppData\Local\Temp\tu17p84.exe
2017-05-01 13:26 - 2017-05-01 13:26 - 001199825 _____ () C:\Users\owner\AppData\Local\Temp\unins000.exe
2017-01-09 08:36 - 2017-01-09 08:36 - 014157672 _____ (Microsoft Corporation) C:\Users\owner\AppData\Local\Temp\vcredist_x86.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
nointegritychecks: ==> "IntegrityChecks" is disabled. <==== ATTENTION
 
BCD (recoveryenabled=No -> recoveryenabled=Yes) <==== restored successfully
 
LastRegBack: 2018-03-06 07:45
 
==================== End of FRST.txt ============================
 
Additional.txt
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by owner (21-03-2018 17:13:39)
Running from C:\Users\owner\Desktop
Windows 10 Pro Version 1607 14393.1066 (X64) (2017-03-22 20:43:07)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2069836725-4032621661-3516960666-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2069836725-4032621661-3516960666-503 - Limited - Disabled)
defaultuser0 (S-1-5-21-2069836725-4032621661-3516960666-1001 - Limited - Disabled) => C:\Users\defaultuser0.DESKTOP-QUDIBUB
Guest (S-1-5-21-2069836725-4032621661-3516960666-501 - Limited - Disabled)
owner (S-1-5-21-2069836725-4032621661-3516960666-1002 - Administrator - Enabled) => C:\Users\owner
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Antares Auto-Tune 8 VST (32-bit) (HKLM-x32\...\{29CF765D-061F-4026-B6A8-87A1BF481676}) (Version: 8.00.0005 - Antares Audio Technologies)
Antares Auto-Tune 8 VST (64+32-bit) (HKLM\...\{7F01057D-215F-4637-83EA-199793F4898B}) (Version: 8.00.0005 - Antares Audio Technologies)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 4.0.0820 - CyberLink Corp.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 65.0.3325.146 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.20.286 - SurfRight B.V.)
HitmanPro 3.8 (HKLM\...\HitmanPro38) (Version: 3.8.0.292 - SurfRight B.V.)
Malwarebytes version 3.4.4.2398 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.4.4.2398 - Malwarebytes)
Microsoft OneDrive (HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\OneDriveSetup.exe) (Version: 18.025.0204.0009 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
PreSonus Studio One 3 (HKLM-x32\...\PreSonus Studio One 3) (Version: 3.3.4.41933 - PreSonus Audio Electronics)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 19.0.12.98 - Synaptics Incorporated)
Update for Windows 10 for x64-based Systems (KB4023057) (HKLM\...\{BF492E7F-BD3F-4F33-932A-1DD0891968B0}) (Version: 2.13.0.0 - Microsoft Corporation)
UpdateAssistant (HKLM\...\{E1D7CB46-BAE9-4D58-99C4-582332B1755A}) (Version: 1.13.0.0 - Microsoft Corporation) Hidden
Windows 10 Update and Privacy Settings (HKLM\...\{4DFCD818-036A-4229-A67D-CF17DC461D92}) (Version: 1.0.14.0 - Microsoft Corporation)
Windows 10 Update Assistant (HKLM-x32\...\{D5C69738-B486-402E-85AC-2456D98A64E4}) (Version: 1.4.9200.22395 - Microsoft Corporation)
Windows Setup Remediations (x64) (KB4023057) (HKLM\...\{5534e02f-0f5d-40dd-ba92-bea38d22384d}.sdb) (Version:  - )
WinRAR 5.40 beta 4 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.4 - win.rar GmbH)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-07-21] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-07-21] (Alexander Roshal)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-03] (Malwarebytes)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2017-03-09] (Intel Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-03] (Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-07-21] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-07-21] (Alexander Roshal)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0481DC26-636F-4F8C-B63B-A2520908EF7C} - System32\Tasks\AGProxyCheck => C:\Program [Argument = Files (x86)\AnonymizerGadget\AGService.exe /recove]
Task: {05E13C59-0374-46B3-B14D-A1AE6624C0C0} - System32\Tasks\CreateExplorerShellUnelevatedTask => C:\Windows\explorer.exe /NOUACCHECK
Task: {0B3F080C-913F-45DA-B72E-795BE8B3A92D} - System32\Tasks\gawiederaufbau_faiencewiederaufbau_faience => C:\Program Files (x86)\Chert\chevys.exe
Task: {0F033D57-FBB7-4768-884F-654EF45753CE} - System32\Tasks\gaminimized_boisseauminimized_boisseau => C:\Users\owner\AppData\Local\macht.exe [2018-03-09] ()
Task: {1301B9D7-01A1-44B7-9C93-1457C7F7984E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-03-10] (Google Inc.)
Task: {3150DE5C-B643-4999-9619-42850FDB398A} - System32\Tasks\gamakepeace-supervisorsmakepeace-supervisors => C:\Program Files (x86)\antagonized\macht.exe [2018-03-09] ()
Task: {40293D3C-3537-44C1-825D-C8A97D01AD8D} - System32\Tasks\R@1n-KMS\Windows64Professional => wmic [Argument = path SoftwareLicensingProduct where (ID="2de67392-b7a7-462a-b1ca-108dd189f588") call Activate]
Task: {59682C49-1A3A-465D-BA61-C6E2BD056FE3} - System32\Tasks\makepeace-supervisors => C:\Program Files (x86)\antagonized\macht.exe [2018-03-09] ()
Task: {6873E1A1-736B-48BD-8A72-193DD0E5FF56} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-03-10] (Google Inc.)
Task: {6ADB37E7-CA60-41EE-8C73-C768A96E62F1} - System32\Tasks\preying casazza feeding => C:\Users\owner\AppData\Local\chevys.exe [2018-03-09] ()
Task: {8CBE4B2A-3F58-4143-9DC5-1F889FAFF59D} - System32\Tasks\gastrate skatedstrate skated => C:\Program Files (x86)\Chert\macht.exe
Task: {B3091785-5563-48C9-9193-C9538251DF9C} - System32\Tasks\wiederaufbau_faience => C:\Program Files (x86)\Chert\chevys.exe
Task: {B7A70567-5D2C-4EEB-A2DA-B65D6AC6FCD9} - System32\Tasks\gamormor => C:\Program Files (x86)\Throwbacks\chevys.exe
Task: {D015DBFD-5718-4FB6-B7C0-D973CF472672} - System32\Tasks\Microsoft\Windows\Windows Subsystem for Linux\AptPackageIndexUpdate => %comspec% [Argument = /c start "AptPackageIndexUpdate" /min %windir%\System32\LxRun.exe /update]
Task: {D0439390-7553-4DEC-A7AD-854729D6D417} - System32\Tasks\minimized_boisseau => C:\Users\owner\AppData\Local\macht.exe [2018-03-09] ()
Task: {EC397406-1049-4934-8267-97E9EA3F28B1} - System32\Tasks\gapreying casazza feedingpreying casazza feeding => C:\Users\owner\AppData\Local\chevys.exe [2018-03-09] ()
Task: {EEC02823-634C-47F0-AEAE-EB9A40E31457} - System32\Tasks\mor => C:\Program Files (x86)\Throwbacks\chevys.exe
Task: {EEEE817F-A4FE-48FA-ABA0-33138141C816} - System32\Tasks\strate skated => C:\Program Files (x86)\Chert\macht.exe
Task: {F4F272C2-5A0E-47A5-BB32-0FC940D0FBEB} - System32\Tasks\WlbBJSMcknvngxNxC2 => rundll32 "C:\Program Files (x86)\mAUzXDPkZrvZtXzyunR\zxmShtI.dll",#1
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2018-03-09 18:51 - 2018-02-05 15:44 - 002299168 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2016-07-16 04:42 - 2016-07-16 04:42 - 000231424 _____ () C:\Windows\SYSTEM32\ism32k.dll
2017-04-12 18:54 - 2017-03-27 23:22 - 002681200 _____ () C:\Windows\System32\CoreUIComponents.dll
2018-03-09 14:05 - 2018-03-09 14:05 - 000139776 _____ () C:\Program Files (x86)\antagonized\macht.exe
2018-03-09 14:05 - 2018-03-09 14:05 - 000139776 _____ () C:\Users\owner\AppData\Local\chevys.exe
2018-03-09 14:05 - 2018-03-09 14:05 - 000139776 _____ () C:\Users\owner\AppData\Local\macht.exe
2016-09-19 15:54 - 2016-09-19 15:54 - 000134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2017-04-03 18:02 - 2017-03-03 23:31 - 000474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2017-04-03 18:03 - 2017-03-03 23:12 - 009760768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-04-03 18:03 - 2017-03-03 23:05 - 001401856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-04-03 18:02 - 2017-03-03 23:05 - 000757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2017-04-12 18:54 - 2017-03-27 22:07 - 001033216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2017-04-12 18:54 - 2017-03-27 22:08 - 002424320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2017-04-12 18:54 - 2017-03-27 22:11 - 004853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2017-05-01 11:41 - 2017-05-01 11:42 - 000077312 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.14.675.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2017-05-01 11:41 - 2017-05-01 11:42 - 000190464 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.14.675.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2017-05-01 11:41 - 2017-05-01 11:42 - 043012096 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.14.675.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2017-05-01 11:41 - 2017-05-01 11:42 - 002451456 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.14.675.0_x64__kzf8qxf38zg5c\skypert.dll
2017-03-09 01:16 - 2017-03-09 01:16 - 000112264 _____ () C:\Windows\System32\IccLibDll_x64.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2016-07-16 04:47 - 2018-03-09 20:01 - 000001111 _____ C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1 mydownloaddomain.com
127.0.0.1 plugpackdownload.net
127.0.0.1 texttotalk.org
127.0.0.1 gambling577.xyz
127.0.0.1 htagdownload.space
127.0.0.1 mybcnmonetize.com
127.0.0.1 360devtraking.website
127.0.0.1 dscdn.pw
127.0.0.1 bcnmonetize.go2affise.com
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Prompt)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\Services: lfsvc => 3
HKLM\...\StartupApproved\Run: => "mtnmtn"
HKLM\...\StartupApproved\Run: => "mtn"
HKLM\...\StartupApproved\Run: => "mtnafterword"
HKLM\...\StartupApproved\Run32: => "chamomilechamomile"
HKLM\...\StartupApproved\Run32: => "chamomile"
HKLM\...\StartupApproved\Run32: => "chamomilekulp"
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\StartupApproved\StartupFolder: => "mestre.lnk"
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\StartupApproved\StartupFolder: => "mestremestre.lnk"
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\StartupApproved\Run: => "TUGX8P0GN6MIS7E"
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\StartupApproved\Run: => "govern"
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\StartupApproved\Run: => "afterwordafterword"
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\StartupApproved\Run: => "afterword"
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\StartupApproved\Run: => "kulpkulp"
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\StartupApproved\Run: => "kulp"
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\StartupApproved\Run: => "dixons"
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\StartupApproved\Run: => "eyewear"
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\StartupApproved\Run: => "afterwordmtn"
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\StartupApproved\Run: => "kulpchamomile"
HKU\S-1-5-21-2069836725-4032621661-3516960666-1002\...\StartupApproved\Run: => "riverbanks"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{F82A3F7C-3268-42F6-8B59-67D554B16053}] => (Allow) C:\Windows\KMS-R@1n.exe
FirewallRules: [{ECD299FD-559C-4A3A-A9AE-EB1932A53B88}] => (Allow) C:\Windows\KMS-R@1n.exe
FirewallRules: [{313F662C-477C-4DA8-A315-9197017D8E82}] => (Allow) C:\Program Files (x86)\PreSonus\Studio One 3\Studio One.exe
FirewallRules: [{7F2C96B5-F264-4279-BD72-1A3A379C35B3}] => (Allow) C:\Windows\system32\rundll32.exe
FirewallRules: [{E18AF4FF-4D0C-4BF2-A0D7-328ED637F9DC}] => (Allow) C:\Users\owner\AppData\Local\ddnowyes.exe
FirewallRules: [{337EC424-FBA4-4975-9377-8C915F555674}] => (Allow) C:\Users\owner\AppData\Local\Temp\dca21450441947ea89a4747e31d200c8\setup.exe
FirewallRules: [{BF8A0DF4-FB1D-4EAD-AAB9-6FC3C9030818}] => (Allow) C:\Users\owner\AppData\Local\84929882.exe
FirewallRules: [{0418F1A9-D63E-46E2-979D-5E1D5969A06B}] => (Allow) C:\Users\owner\AppData\Local\tinstall.exe
FirewallRules: [{E1D84ECA-2E40-4697-8403-B57825520EE8}] => (Allow) C:\Users\owner\AppData\Local\sc64564310.exe
FirewallRules: [{BE1EFA30-4A5B-4877-9035-E0A8E931B9B3}] => (Allow) C:\Windows\system32\rundll32.exe
FirewallRules: [{16E4DD8B-A355-41D9-8928-50E3B89C62C2}] => (Allow) C:\Users\owner\AppData\Local\ddnow.exe
FirewallRules: [{5E937E9E-04A5-4575-8DC9-4184E3F6054D}] => (Allow) C:\Program Files (x86)\municipally\tickler.exe
FirewallRules: [{92925CE1-CEE8-4A44-AEA4-C5F6E2E191BD}] => (Allow) C:\Program Files (x86)\municipally\theoretical.exe
FirewallRules: [{75E368A1-0774-49D7-ACCA-5021C62DCEE1}] => (Allow) C:\Program Files (x86)\archaic\humbling.exe
FirewallRules: [{AF8D894E-22FC-4890-81D8-244461977527}] => (Allow) C:\Program Files (x86)\Dumfries\lactase.exe
FirewallRules: [{72A1487D-2143-4250-A696-4D591EED664D}] => (Allow) C:\Windows\corriere.exe
FirewallRules: [{27F3A040-B1FB-493A-9F11-BA026EE3FBE8}] => (Allow) C:\Program Files (x86)\Spoutly\Phone\Spoutly.exe
FirewallRules: [{5244DD8F-912A-4AD1-A72B-1394AEF8C4C0}] => (Allow) C:\Program Files (x86)\Spoutly\Phone\Spoutly.exe
FirewallRules: [{787D3923-7491-4626-86A6-642444050821}] => (Allow) C:\Program Files (x86)\Spoutly\NoPhone\Spoutly.exe
FirewallRules: [{A1988359-E773-47BC-A739-3AF449AA3DCF}] => (Allow) C:\Program Files (x86)\Spoutly\NoPhone\Spoutly.exe
FirewallRules: [TCP Query User{48551030-65B3-4DB6-88FF-FFD61D2900AD}C:\program files (x86)\google\chrome\application\chrome334.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [UDP Query User{B32BBC8A-C228-47EB-97B5-72BE8370C013}C:\program files (x86)\google\chrome\application\chrome334.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [VIRT-MIGL-In-TCP-NoScope] => (Allow) %systemroot%\system32\vmms.exe
FirewallRules: [VIRT-REMOTEDESKTOP-In-TCP-NoScope] => (Allow) %systemroot%\system32\vmms.exe
FirewallRules: [{25AB03AF-FA8E-4A96-9490-3BAA0146FDA0}] => (Allow) C:\Windows\System32\rundll32.exe
FirewallRules: [{056069F5-90F5-47C4-9942-D3F6EE61218B}] => (Allow) C:\Windows\System32\rundll32.exe
FirewallRules: [{65D3BC54-ED3C-4AC3-A3DD-94E19CF244B6}] => (Allow) C:\Program Files (x86)\Throwbacks\chevys.exe
FirewallRules: [{52FFA9AA-89D4-4726-A430-3D1C53B44266}] => (Allow) C:\Program Files (x86)\Chert\chevys.exe
FirewallRules: [{A34DAC29-3662-4F9D-8E15-EB328EC3950B}] => (Allow) C:\Program Files (x86)\antagonized\macht.exe
FirewallRules: [{04A63D96-A433-4197-A6E0-F64BD581F7DD}] => (Allow) C:\Program Files (x86)\Chert\macht.exe
FirewallRules: [{B006A165-5614-4EBF-B5B0-FE9F6474EB64}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
01-05-2017 18:37:17 Windows Modules Installer
 
==================== Faulty Device Manager Devices =============
 
Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/21/2018 05:09:49 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (03/21/2018 04:59:52 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-QUDIBUB)
Description: Activation of app Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (03/21/2018 04:59:02 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
 
Error: (03/21/2018 04:58:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MicrosoftEdge.exe, version: 11.0.14393.1066, time stamp: 0x58d9f0a2
Faulting module name: eModel.dll, version: 11.0.14393.1066, time stamp: 0x58d9f20b
Exception code: 0xc0000409
Fault offset: 0x00000000000d4800
Faulting process id: 0x1a44
Faulting application start time: 0x01d3c17088b0c6c5
Faulting application path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
Faulting module path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eModel.dll
Report Id: f1107981-1b07-4ee2-9710-7fd6f9948cdd
Faulting package full name: Microsoft.MicrosoftEdge_38.14393.1066.0_neutral__8wekyb3d8bbwe
Faulting package-relative application ID: MicrosoftEdge
 
Error: (03/12/2018 05:06:08 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-QUDIBUB)
Description: Activation of app king.com.CandyCrushSodaSaga_kgqvnymyfvs32!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (03/12/2018 04:02:53 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-QUDIBUB)
Description: Activation of app Microsoft.WindowsStore_8wekyb3d8bbwe!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (03/10/2018 02:04:02 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-QUDIBUB)
Description: Activation of app Microsoft.SkypeApp_kzf8qxf38zg5c!ppleae38af2e007f4358a809ac99a64a67c1 failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (03/10/2018 02:04:02 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-QUDIBUB)
Description: Activation of app microsoft.windowscommunicationsapps_8wekyb3d8bbwe!ppleae38af2e007f4358a809ac99a64a67c1 failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
 
System errors:
=============
Error: (03/21/2018 05:07:56 PM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.
 
Error: (03/21/2018 04:59:51 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (03/21/2018 04:58:10 PM) (Source: Tcpip) (EventID: 4199) (User: )
Description: The system detected an address conflict for IP address 2600:100d:b010:963f:a188:a2b0:ee10:8df2 with the system
having network hardware address 04-1B-6D-F3-C9-01. Network operations on this system may
be disrupted as a result.
 
Error: (03/21/2018 04:57:35 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (03/21/2018 04:57:35 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (03/21/2018 04:57:34 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID 
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (03/12/2018 09:31:55 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (03/12/2018 09:29:04 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
 
Windows Defender:
===================================
Date: 2017-05-01 13:33:09.333
Description: 
Windows Defender scan has been stopped before completion.
Scan ID: {E50CF125-23E8-4240-9A32-28CD0A902F8D}
Scan Type: Antimalware
Scan Parameters: Full Scan
 
Date: 2017-05-01 13:31:43.760
Description: 
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
Name: TrojanDownloader:Win32/Nitedrem.F!bit
ID: 2147712467
Severity: Severe
Category: Trojan Downloader
Path: process:_pid:4236,ProcessStart:131381441374948231
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
Process Name: C:\Users\owner\AppData\Local\Temp\lez9EU2Wg\lez9EU2Wg.exe
Signature Version: AV: 1.241.890.0, AS: 1.241.890.0, NIS: 116.88.0.0
Engine Version: AM: 1.1.13701.0, NIS: 2.1.12706.0
 
Date: 2017-05-01 13:27:52.508
Description: 
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win32/Skeeyah.A!rfn
ID: 2147694182
Severity: Severe
Category: Trojan
Path: file:_C:\Users\owner\AppData\Local\tinstall.exe;file:_C:\Users\owner\AppData\Local\tinstall4.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Users\owner\AppData\Local\Temp\dca21450441947ea89a4747e31d200c8\setup.exe
Signature Version: AV: 1.241.890.0, AS: 1.241.890.0, NIS: 116.88.0.0
Engine Version: AM: 1.1.13701.0, NIS: 2.1.12706.0
 
Date: 2017-05-01 13:27:52.270
Description: 
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win32/Skeeyah.A!rfn
ID: 2147694182
Severity: Severe
Category: Trojan
Path: file:_C:\Users\owner\AppData\Local\tinstall.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Users\owner\AppData\Local\Temp\dca21450441947ea89a4747e31d200c8\setup.exe
Signature Version: AV: 1.241.890.0, AS: 1.241.890.0, NIS: 116.88.0.0
Engine Version: AM: 1.1.13701.0, NIS: 2.1.12706.0
 
Date: 2017-05-01 13:26:41.758
Description: 
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win32/Selfdel.B
ID: 2147697018
Severity: Severe
Category: Trojan
Path: process:_pid:7048,ProcessStart:131381439770130045
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
Process Name: C:\Users\owner\AppData\Local\Temp\component.exe
Signature Version: AV: 1.241.890.0, AS: 1.241.890.0, NIS: 116.88.0.0
Engine Version: AM: 1.1.13701.0, NIS: 2.1.12706.0
 
Date: 2017-05-01 13:31:34.130
Description: 
Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win32/Skeeyah.A!rfn
ID: 2147694182
Severity: Severe
Category: Trojan
Path: file:_C:\Users\owner\AppData\Local\tinstall.exe;file:_C:\Users\owner\AppData\Local\tinstall4.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Users\owner\AppData\Local\Temp\dca21450441947ea89a4747e31d200c8\setup.exe
Action: Quarantine
Action Status:  No additional actions required
Error Code: 0x80070490
Error description: Element not found. 
Signature Version: AV: 1.241.890.0, AS: 1.241.890.0, NIS: 116.88.0.0
Engine Version: AM: 1.1.13701.0, NIS: 2.1.12706.0
 
Date: 2017-04-29 02:44:05.440
Description: 
Windows Defender has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 116.88.0.0
Update Source: Microsoft Malware Protection Center
Signature Type: Network Inspection System
Update Type: Full
Current Engine Version: 
Previous Engine Version: 2.1.12706.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved 
 
Date: 2017-04-29 02:44:05.434
Description: 
Windows Defender has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.241.547.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiSpyware
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.13701.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved 
 
Date: 2017-04-29 02:44:05.433
Description: 
Windows Defender has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.241.547.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.13701.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved 
 
Date: 2017-04-29 02:44:05.368
Description: 
Windows Defender has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.241.547.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.13701.0
Error code: 0x8024402c
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i3-2370M CPU @ 2.40GHz
Percentage of memory in use: 31%
Total physical RAM: 6040.36 MB
Available physical RAM: 4116.84 MB
Total Virtual: 7000.36 MB
Available Virtual: 4962.03 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:698.15 GB) (Free:660.1 GB) NTFS
Drive d: () (Removable) (Total:14.41 GB) (Free:14.41 GB) FAT32
Drive f: (LAZESOFT) (Removable) (Total:14.44 GB) (Free:14.11 GB) FAT32
 
\\?\Volume{6fd81186-0000-0000-0000-100000000000}\ (System Reserved) (Fixed) (Total:0.49 GB) (Free:0.13 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 698.6 GB) (Disk ID: 6FD81186)
Partition 1: (Active) - (Size=500 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=698.1 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 14.4 GB) (Disk ID: 2C75329D)
Partition 1: (Not Active) - (Size=14.4 GB) - (Type=0C)
 
========================================================
Disk: 2 (MBR Code: Windows 7/8/10) (Size: 14.5 GB) (Disk ID: 41701A04)
Partition 1: (Active) - (Size=14.5 GB) - (Type=0C)
 
==================== End of Addition.txt ============================
 



#2 Aura
Bleepin' Special Ops | Malware Response Team | 19,670 posts | Gender: Male

Posted 22 March 2018 - 08:08 AM

Hi cknowlan :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name; it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me not to reply right after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you not to seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system: I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here; better safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of my posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me whether you indeed had some or not; I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like formatting and reinstalling Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate it if you stayed with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full-time job, so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Can you provide me with the Malwarebytes log showing the 1183 detections?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Aura
Bleepin' Special Ops | Malware Response Team | 19,670 posts | Gender: Male

Posted 26 March 2018 - 07:18 AM

Hi cknowlan,

Are you still with me?



#4 Aura
Bleepin' Special Ops | Malware Response Team | 19,670 posts | Gender: Male

Posted 28 March 2018 - 07:07 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





