
Got infected, cleaned it, but it seems to be some spyware left on my system.


  • This topic is locked
11 replies to this topic

#1 yahfz


Posted 07 May 2018 - 12:50 PM

Hi, got infected 4 days ago and Anti-MalwareBytes got rid of most of it, but sometimes I get 2 random apps on my desktop that I have no idea where they're coming from.



BC AdBot (Login to Remove)

 


#2 RayS

  • Malware Study Hall Senior

Posted 08 May 2018 - 12:47 AM

Hello yahfz,

My name is Ray and I'll be assisting you with your issue. Please give me a day to prepare a reply. Since I'm still a trainee, all my posts have to be reviewed by my instructor prior to being posted to make sure that you receive the best assistance possible.

Thank you for your understanding, I'll be with you shortly!

Ray


I don't accept payment for my help, but it would please me if you perform a kindness for your neighbor. You might also contact your local animal shelter. They can always use a bag of kibble or a few cans of pet food. Who knows... you might even find a life-long furry friend there.


#3 yahfz

  • Topic Starter

Posted 08 May 2018 - 02:19 PM

First of all, thank you for assisting me with this issue. No problem, take your time. Btw, I forgot to say, but I'm using Windows 10.


Edited by yahfz, 08 May 2018 - 02:21 PM.


#4 RayS

  • Malware Study Hall Senior

Posted 08 May 2018 - 03:05 PM

Hello again yahfz,

Please call me Ray.

Follow Preparation Guide
Please follow the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help by Lawrence Abrams. Since you have already posted a request for help, you can skip some of the steps in the guide, but you should follow steps 1 and 6 closely.
Note one exception: Please do not attach the Addition.txt file. Instead, copy and paste both FRST.txt and Addition.txt into the body of your reply.

 

If your copy of the Windows operating system is not based on the English language, please add the word English to the name e.g. EnglishFRST.exe or EnglishFRST64.exe when you scan with the Farbar Recovery Scan Tool.


Send Malwarebytes Antimalware (MBAM) log
If it is still available, please send me the latest MBAM log as follows:

  • Please launch your copy of MBAM.
  • Click History.
  • In left pane, click Application Logs.
  • If any logs are available, click the most recent one (listed at the top).
  • In the Daily Protection Log window, click Export (bottom left of window).
  • Select Text file (*.txt).
  • In the Save File window, give the file a name and note the saving location.
  • Click Save.
  • Close MBAM and include the log in your reply to me.


In your next reply...

  • Confirm that you have backed up your important files.
  • Please copy and paste both FRST.txt and Addition.txt into the body of your message.
  • Please copy and paste the latest MBAM log into the body of your message.
  • Tell me the names of the random files you're concerned about.
  • Do you have any other relevant information?

Thank you,

Ray




#5 yahfz

  • Topic Starter

Posted 08 May 2018 - 03:46 PM

Apparently the log is too big to post here. Would you mind if I posted it on Pastebin?



#6 RayS

  • Malware Study Hall Senior

Posted 08 May 2018 - 05:05 PM

Hi yahfz,

 

Apparently the log is too big to post here. Would you mind if I posted it on Pastebin?

Post FRST.txt, addition.txt and the MBAM log in three separate posts. If any one of them is still too large, then use Pastebin.

 

Thank you,

 

Ray




#7 yahfz

  • Topic Starter

Posted 08 May 2018 - 06:57 PM

FRST.txt was too big, so I posted it here like I said: https://pastebin.com/HwW9Q02y

 

Malwarebytes infected log:
 
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 5/5/18
Scan Time: 8:58 AM
Log File: 9721749c-505b-11e8-912e-2cfda16ef62b.json
Administrator: Yes
 
-Software Information-
Version: 3.4.5.2467
Components Version: 1.0.342
Update Package Version: 1.0.4996
License: Trial
 
-System Information-
OS: Windows 10 (Build 16299.402)
CPU: x64
File System: NTFS
User: DESKTOP-UIJPUF7\Yahfz
 
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 274387
Threats Detected: 24
Threats Quarantined: 24
Time Elapsed: 1 min, 11 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 1
Adware.IStartSurf, C:\USERS\YAHFZ\APPDATA\LOCAL\TEMP\IXP000.TMP\SETUPEXE.EXE, Quarantined, [572], [493227],1.0.4996
 
Module: 1
Adware.IStartSurf, C:\USERS\YAHFZ\APPDATA\LOCAL\TEMP\IXP000.TMP\SETUPEXE.EXE, Quarantined, [572], [493227],1.0.4996
 
Registry Key: 1
Trojan.Agent, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\System Table_is1, Quarantined, [382], [492739],1.0.4996
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 6
Trojan.Agent, C:\USERS\YAHFZ\APPDATA\ROAMING\WIDMODULE, Quarantined, [382], [492739],1.0.4996
PUP.Optional.BundleInstaller, C:\USERS\YAHFZ\APPDATA\LOCAL\TEMP\107626953, Quarantined, [392], [463480],1.0.4996
PUP.Optional.SystemTable.Generic, C:\Users\Yahfz\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0\icon, Quarantined, [4628], [509531],1.0.4996
PUP.Optional.SystemTable.Generic, C:\Users\Yahfz\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0\js, Quarantined, [4628], [509531],1.0.4996
PUP.Optional.SystemTable.Generic, C:\Users\Yahfz\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0, Quarantined, [4628], [509531],1.0.4996
PUP.Optional.SystemTable.Generic, C:\USERS\YAHFZ\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\SYSTEMTABLE, Quarantined, [4628], [509531],1.0.4996
 
File: 15
PUP.Optional.Carambis, C:\USERS\YAHFZ\DESKTOP\DRIVER UPDATER.LNK, Quarantined, [781], [351666],1.0.4996
Trojan.Agent, C:\USERS\YAHFZ\APPDATA\ROAMING\WIDMODULE\DATA.TXT, Quarantined, [382], [492739],1.0.4996
Trojan.Agent, C:\Users\Yahfz\AppData\Roaming\WidModule\unins000.dat, Quarantined, [382], [492739],1.0.4996
Trojan.Agent, C:\Users\Yahfz\AppData\Roaming\WidModule\unins000.exe, Quarantined, [382], [492739],1.0.4996
PUP.Optional.BundleInstaller, C:\USERS\YAHFZ\APPDATA\LOCAL\TEMP\107626953\ic-0.5ecd9788af3698.exe, Quarantined, [392], [463480],1.0.4996
PUP.Optional.BundleInstaller, C:\Users\Yahfz\AppData\Local\Temp\107626953\dlreport, Quarantined, [392], [463480],1.0.4996
PUP.Optional.BundleInstaller, C:\Users\Yahfz\AppData\Local\Temp\107626953\ic-0.62823d43b34e5.exe, Quarantined, [392], [463480],1.0.4996
PUP.Optional.BundleInstaller, C:\Users\Yahfz\AppData\Local\Temp\107626953\ic-0.bb8e9145e38f.exe, Quarantined, [392], [463480],1.0.4996
PUP.Optional.SystemTable.Generic, C:\USERS\YAHFZ\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\SYSTEMTABLE\1.2_0\manifest.json, Quarantined, [4628], [509531],1.0.4996
PUP.Optional.SystemTable.Generic, C:\Users\Yahfz\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0\icon\icon128.png, Quarantined, [4628], [509531],1.0.4996
PUP.Optional.SystemTable.Generic, C:\Users\Yahfz\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0\icon\icon16.png, Quarantined, [4628], [509531],1.0.4996
PUP.Optional.SystemTable.Generic, C:\Users\Yahfz\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0\icon\icon24.png, Quarantined, [4628], [509531],1.0.4996
PUP.Optional.SystemTable.Generic, C:\Users\Yahfz\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0\icon\icon32.png, Quarantined, [4628], [509531],1.0.4996
PUP.Optional.SystemTable.Generic, C:\Users\Yahfz\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0\js\background.js, Quarantined, [4628], [509531],1.0.4996
Adware.IStartSurf, C:\USERS\YAHFZ\APPDATA\LOCAL\TEMP\IXP000.TMP\SETUPEXE.EXE, Quarantined, [572], [493227],1.0.4996
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)


Addition: 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 06.05.2018 01
Ran by Yahfz (08-05-2018 20:54:41)
Running from D:\Downloads
Windows 10 Pro Version 1709 16299.402 (X64) (2018-04-23 07:44:37)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1063343458-1627817258-3518694317-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1063343458-1627817258-3518694317-503 - Limited - Disabled)
Guest (S-1-5-21-1063343458-1627817258-3518694317-501 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-1063343458-1627817258-3518694317-504 - Limited - Disabled)
Yahfz (S-1-5-21-1063343458-1627817258-3518694317-1001 - Administrator - Enabled) => C:\Users\Yahfz
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
AmpliTube 4 version 4.0.2 (HKLM\...\{21B0C8E0-7EB7-4832-B764-20A7DAE86E02}_is1) (Version: 4.0.2 - IK Multimedia)
AP Tuner 3.08 (HKLM-x32\...\AP Tuner 3.08) (Version:  - )
AURA (HKLM-x32\...\{5899CD4F-8764-4303-A0D9-C60A62CFC24F}) (Version: 1.06.17 - ASUSTeK Computer Inc.)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Battlefield 3™ (HKLM-x32\...\{64BFBE7A-886C-4CA2-A9B4-0C2B5A5942BC}) (Version: 1.6.0.0 - Electronic Arts)
Battlefield 4™ (HKLM-x32\...\{ABADE36E-EC37-413B-8179-B432AD3FACE7}) (Version: 1.8.2.48475 - Electronic Arts)
Battlefield™ 1 (HKLM-x32\...\{335B50BC-6130-4BAF-9A6A-F1561270587B}) (Version: 1.0.54.357 - Electronic Arts)
Battlelog Web Plugins (HKLM-x32\...\Battlelog Web Plugins) (Version: 2.3.0 - EA Digital Illusions CE AB)
BitTorrent (HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\BitTorrent) (Version: 7.10.3.44397 - BitTorrent Inc.)
BitTorrent (HKU\S-1-5-21-1063343458-1627817258-3518694317-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05082018173614559\...\BitTorrent) (Version: 7.10.3.44397 - BitTorrent Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.42 - Piriform)
Corsair LINK 4 (HKLM-x32\...\{40036d0c-634b-4fc0-be89-13343b4bea96}) (Version: 4.9.7.35 - Corsair Components, Inc.)
Corsair LINK 4 (HKLM-x32\...\{D97F4B31-5A7D-4A07-AC85-16D64FAB93E1}) (Version: 4.9.7.35 - Corsair Components, Inc.) Hidden
Custom Shop version 1.7.0 (HKLM-x32\...\{21BAD046-50EC-49E2-BE7B-F9729704F2C3}_is1) (Version: 1.7.0 - IK Multimedia)
Discord (HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\Discord) (Version: 0.0.301 - Discord Inc.)
Discord (HKU\S-1-5-21-1063343458-1627817258-3518694317-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05082018173614559\...\Discord) (Version: 0.0.301 - Discord Inc.)
DisplayDriverAnalyzer (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_DisplayDriverAnalyzer) (Version: 397.31 - NVIDIA Corporation) Hidden
ESN Sonar (HKLM-x32\...\ESN Sonar-0.70.4) (Version: 0.70.4 - ESN Social Software AB)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 66.0.3359.139 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
IK Multimedia Authorization Manager version 1.0.15 (HKLM\...\{85BC0DCB-69E5-4279-AA25-F108EF896588}_is1) (Version: 1.0.15 - IK Multimedia)
Lightshot-5.4.0.35 (HKLM-x32\...\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1) (Version: 5.4.0.35 - Skillbrains)
Malwarebytes version 3.4.5.2467 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.4.5.2467 - Malwarebytes)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}) (Version: 3.5.92.0 - Microsoft Corporation)
Microsoft Games for Windows Marketplace (HKLM-x32\...\{67F42018-F647-4D3C-BE62-F8CB4FE2FCD5}) (Version: 3.5.67.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.10.25008 (HKLM-x32\...\{f1e7e313-06df-4c56-96a9-99fdfd149c51}) (Version: 14.10.25008.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.10.25008 (HKLM-x32\...\{c239cea1-d49e-4e16-8e87-8c055765f7ec}) (Version: 14.10.25008.0 - Microsoft Corporation)
MPC-HC 1.7.13 (64-bit) (HKLM\...\{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1) (Version: 1.7.13 - MPC-HC Team)
MSI Afterburner 4.4.2 (HKLM-x32\...\Afterburner) (Version: 4.4.2 - MSI Co., LTD)
Notepad++ (64-bit x64) (HKLM\...\Notepad++) (Version: 7.5.6 - Notepad++ Team)
NVIDIA 3D Vision Controller Driver 390.41 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 390.41 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 397.31 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 397.31 - NVIDIA Corporation)
NVIDIA GeForce Experience 3.13.1.30 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 3.13.1.30 - NVIDIA Corporation)
NVIDIA Graphics Driver 397.31 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 397.31 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.37.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.37.1 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.17.0524 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.17.0524 - NVIDIA Corporation)
OBS Studio (HKLM-x32\...\OBS Studio) (Version: 21.1.0 - OBS Project)
Origin (HKLM-x32\...\Origin) (Version: 10.5.17.52805 - Electronic Arts, Inc.)
Overwatch (HKLM-x32\...\Overwatch) (Version:  - Blizzard Entertainment)
paint.net (HKLM\...\{E8FA8815-3817-4128-A814-E2EAC456ADF0}) (Version: 4.0.21 - dotPDN LLC)
PunkBuster Services (HKLM-x32\...\PunkBusterSvc) (Version: 0.991 - Even Balance, Inc.)
RivaTuner Statistics Server 7.0.2 (HKLM-x32\...\RTSS) (Version: 7.0.2 - Unwinder)
Spotify (HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\Spotify) (Version: 1.0.77.338.g758ebd78 - Spotify AB)
Spotify (HKU\S-1-5-21-1063343458-1627817258-3518694317-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05082018173614559\...\Spotify) (Version: 1.0.77.338.g758ebd78 - Spotify AB)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.1.8 - TeamSpeak Systems GmbH)
TunnelBear (HKLM-x32\...\{18bbd477-8e4b-4ee8-a2ae-05c0d756c0f2}) (Version: 3.3.0.3 - TunnelBear)
TunnelBear (HKLM-x32\...\{194D7B5E-8A68-4354-9152-168F21E3D027}) (Version: 3.3.0.3 - TunnelBear) Hidden
VEGAS Pro 15.0 (HKLM\...\{E0F91FB0-7FC4-11E7-B8E9-95BE57594EAC}) (Version: 15.0.177 - VEGAS)
Vulkan Run Time Libraries 1.1.70.0 (HKLM\...\VulkanRT1.1.70.0) (Version: 1.1.70.0 - LunarG, Inc.) Hidden
Windows Driver Package - Corsair Components, Inc. (SIUSBXP) USB  (07/14/2017 3.3) (HKLM\...\A2206C09905C467F30CB24DCBB49F056D7F0A290) (Version: 07/14/2017 3.3 - Corsair Components, Inc.)
WinRAR 5.50 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.50.0 - win.rar GmbH)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-1063343458-1627817258-3518694317-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\Yahfz\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1063343458-1627817258-3518694317-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\Yahfz\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1063343458-1627817258-3518694317-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\Yahfz\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1063343458-1627817258-3518694317-1001_Classes\CLSID\{91A41FCC-BC02-42D8-A36E-0D27FF9BFFC8}\InprocServer32 -> C:\Users\Yahfz\AppData\Local\Google\Update\1.3.33.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1063343458-1627817258-3518694317-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Yahfz\AppData\Local\Google\Update\1.3.33.7\psuser_64.dll => No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files\Notepad++\NppShell_06.dll [2018-03-18] ()
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-27] (Malwarebytes)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2018-04-22] (NVIDIA Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-27] (Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2017-08-11] (Alexander Roshal)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0CB67FC0-8CD0-4C38-86A5-1FCF1FE00803} - System32\Tasks\NvBatteryBoostCheckOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe [2018-04-22] (NVIDIA Corporation)
Task: {212D2271-C96B-4059-9672-97ED26B3AE2A} - System32\Tasks\S-1-5-21-1063343458-1627817258-3518694317-1001\DataSenseLiveTileTask => C:\Windows\System32\DataUsageLiveTileTask.exe [2017-09-29] (Microsoft Corporation)
Task: {2B708ED6-CADC-4232-BEE1-966E6844FB1A} - System32\Tasks\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe [2018-04-22] (NVIDIA Corporation)
Task: {48D46AC6-7E13-47B3-B9D7-B5623204F25B} - System32\Tasks\update-sys => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [2017-04-12] (TODO: <Company name>)
Task: {522258A6-29C6-40A0-8690-0732C100CB7A} - System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [2018-04-22] (NVIDIA Corporation)
Task: {5741A10B-7D86-4870-9A9B-76A28A88F76A} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2018-04-12] (Piriform Ltd)
Task: {5FE1FB51-DDC7-4306-A2B6-3A8D67099368} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: {66F1D335-9489-40BC-839A-BECDAA6CF729} - System32\Tasks\MSIAfterburner => C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe [2017-12-15] ()
Task: {69FC2B03-FEE7-4F86-ABF3-A256227C89B6} - System32\Tasks\qqwoy => C:\Users\Yahfz\AppData\Roaming\owiyq\qqwoy.vbs [2018-05-05] ()
Task: {7B8D71C6-F29E-40DF-A915-B3809201D41D} - System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [2018-04-22] (NVIDIA Corporation)
Task: {7C9CD2A8-6FA8-4126-A95A-BDBC3F5E726B} - System32\Tasks\NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe [2018-04-22] (NVIDIA Corporation)
Task: {8DBFB464-D281-45C7-AEA0-D717EAEE17A5} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1063343458-1627817258-3518694317-1001UA => C:\Users\Yahfz\AppData\Local\Google\Update\GoogleUpdate.exe
Task: {90B28E57-557B-4838-972C-DFE71D4028DD} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2018-04-12] (Piriform Ltd)
Task: {A91D6E7A-6050-4BA1-8A28-9889474A2FD5} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1063343458-1627817258-3518694317-1001Core => C:\Users\Yahfz\AppData\Local\Google\Update\GoogleUpdate.exe
Task: {C56980C4-2467-4B14-BD1F-AB0AF1486B19} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: {CD0A4099-03D6-484C-940E-5568F62272B8} - System32\Tasks\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmMon.exe [2018-04-22] (NVIDIA Corporation)
Task: {D8C47E25-764F-41B9-84CA-A939D399EA0D} - System32\Tasks\update-S-1-5-21-1063343458-1627817258-3518694317-1001 => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [2017-04-12] (TODO: <Company name>)
Task: {DFC21F8B-97AD-4032-A2B2-DEB5A45C7E8A} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2018-04-23] ()
Task: {E2E5F80A-AB97-442A-9556-21A2377A7A89} - System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [2018-04-22] (NVIDIA Corporation)
Task: {E7974538-8686-4867-A936-B89558BFD1A4} - System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NvNode\nvnodejslauncher.exe [2018-04-22] (NVIDIA Corporation)
Task: {EC7343DE-CDC3-4F8F-BB38-4F2A7BBAD66A} - System32\Tasks\ASUS\AsRogAuraGpuDllServer => C:\Program Files (x86)\LightingService\1.00.42\AsRogAuraGpuDllServer.exe [2018-03-29] ()
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\update-S-1-5-21-1063343458-1627817258-3518694317-1001.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: C:\Windows\Tasks\update-sys.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2018-04-23 16:28 - 2018-05-04 11:33 - 000076152 _____ () C:\Windows\SysWOW64\PnkBstrA.exe
2018-04-26 11:09 - 2018-04-22 08:04 - 001267648 _____ () C:\Program Files\NVIDIA Corporation\NvContainer\libprotobuf.dll
2018-04-16 11:57 - 2018-04-16 11:57 - 000116096 _____ () C:\Program Files (x86)\TunnelBear\TunnelBear.Maintenance.exe
2017-09-29 10:41 - 2017-09-29 10:41 - 000184432 _____ () C:\Windows\SYSTEM32\inputhost.dll
2017-12-14 14:51 - 2017-12-14 14:51 - 000438376 _____ () C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooks64.dll
2018-05-04 03:03 - 2018-03-29 08:14 - 000280536 _____ () C:\Program Files (x86)\LightingService\1.00.42\AsRogAuraGpuDllServer.exe
2017-12-15 06:04 - 2017-12-15 06:04 - 000725288 _____ () C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
2018-04-23 05:29 - 2018-02-21 21:26 - 011044864 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2018-04-23 05:29 - 2018-02-21 21:21 - 001804288 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-12-14 14:51 - 2017-12-14 14:51 - 000252008 _____ () C:\Program Files (x86)\RivaTuner Statistics Server\RTSS.exe
2017-12-14 14:51 - 2017-12-14 14:51 - 000035432 _____ () C:\Program Files (x86)\RivaTuner Statistics Server\EncoderServer.exe
2017-12-14 14:51 - 2017-12-14 14:51 - 000061032 _____ () C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooksLoader64.exe
2018-04-27 21:07 - 2018-04-26 00:14 - 004443992 _____ () C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.139\libglesv2.dll
2018-04-27 21:07 - 2018-04-26 00:14 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.139\libegl.dll
2018-04-29 02:31 - 2018-02-06 08:46 - 000081368 _____ () C:\Program Files (x86)\ASUS\AXSP\4.00.01\ATKEX.dll
2018-04-29 02:31 - 2018-02-06 08:46 - 000229848 _____ () C:\Program Files (x86)\ASUS\AXSP\4.00.01\ASUS_WMI.dll
2018-04-29 02:31 - 2018-05-07 21:03 - 000046888 _____ () C:\Program Files (x86)\ASUS\AXSP\4.00.01\PEbiosinterface32.dll
2018-05-04 03:03 - 2018-03-20 07:33 - 000047576 _____ () C:\Program Files (x86)\LightingService\1.00.42\AuraHueWrapper.dll
2018-05-04 03:03 - 2018-03-20 07:33 - 001777664 _____ () C:\Program Files (x86)\LightingService\1.00.42\Vender.dll
2018-05-04 03:03 - 2018-03-20 07:33 - 000073728 _____ () C:\Program Files (x86)\LightingService\1.00.42\ClaymoreProtocol.dll
2018-05-04 03:03 - 2018-03-20 07:33 - 000073728 _____ () C:\Program Files (x86)\LightingService\1.00.42\CharmProtocol.dll
2018-05-04 03:03 - 2018-03-20 07:33 - 000073728 _____ () C:\Program Files (x86)\LightingService\1.00.42\RogNewmouseProtocol.dll
2018-05-04 03:03 - 2018-03-20 07:33 - 001951232 _____ () C:\Program Files (x86)\LightingService\1.00.42\R2Clib.dll
2018-05-04 03:03 - 2018-03-20 07:33 - 000053248 _____ () C:\Program Files (x86)\LightingService\1.00.42\cpuutil.dll
2018-04-16 11:57 - 2018-04-16 11:57 - 000166912 _____ () C:\Program Files (x86)\TunnelBear\TunnelBear.VigilantBear.Wrapper.dll
2018-04-26 11:09 - 2018-04-22 08:04 - 001041344 _____ () C:\Program Files (x86)\NVIDIA Corporation\NvContainer\libprotobuf.dll
2017-12-14 14:51 - 2017-12-14 14:51 - 000407144 _____ () C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooks.dll
2017-12-14 14:56 - 2017-12-14 14:56 - 000232448 _____ () C:\Program Files (x86)\MSI Afterburner\RTCore.dll
2017-12-14 14:56 - 2017-12-14 14:56 - 000071680 _____ () C:\Program Files (x86)\MSI Afterburner\RTMUI.dll
2017-12-14 14:56 - 2017-12-14 14:56 - 000056832 _____ () C:\Program Files (x86)\MSI Afterburner\RTFC.dll
2017-12-14 14:56 - 2017-12-14 14:56 - 000357888 _____ () C:\Program Files (x86)\MSI Afterburner\RTUI.dll
2017-12-14 14:57 - 2017-12-14 14:57 - 000566784 _____ () C:\Program Files (x86)\MSI Afterburner\RTHAL.dll
2018-05-01 18:00 - 2018-04-30 23:01 - 001891672 _____ () C:\Users\Yahfz\AppData\Local\Discord\app-0.0.301\ffmpeg.dll
2017-12-14 14:46 - 2017-12-14 14:46 - 000055808 _____ () C:\Program Files (x86)\RivaTuner Statistics Server\RTFC.dll
2017-12-14 14:46 - 2017-12-14 14:46 - 000071680 _____ () C:\Program Files (x86)\RivaTuner Statistics Server\RTMUI.dll
2017-12-14 14:46 - 2017-12-14 14:46 - 000353792 _____ () C:\Program Files (x86)\RivaTuner Statistics Server\RTUI.dll
2018-05-01 18:00 - 2018-04-30 23:01 - 001937752 _____ () C:\Users\Yahfz\AppData\Local\Discord\app-0.0.301\libglesv2.dll
2018-05-01 18:00 - 2018-04-30 23:01 - 000095576 _____ () C:\Users\Yahfz\AppData\Local\Discord\app-0.0.301\libegl.dll
2018-04-26 11:09 - 2018-04-22 08:04 - 081563584 _____ () C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\libcef.dll
2018-04-26 11:09 - 2018-04-22 08:04 - 002478016 _____ () C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\swiftshader\libglesv2.dll
2018-04-26 11:09 - 2018-04-22 08:04 - 000125376 _____ () C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\swiftshader\libegl.dll
2018-05-01 18:40 - 2018-05-01 18:40 - 001910104 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_spellcheck\node_modules\cld\build\Release\cld.node
2018-05-01 18:40 - 2018-05-01 18:40 - 000422744 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_spellcheck\node_modules\spellchecker\build\Release\spellchecker.node
2018-05-01 18:40 - 2018-05-01 18:40 - 000145240 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_spellcheck\node_modules\keyboard-layout\build\Release\keyboard-layout-manager.node
2018-05-01 18:40 - 2018-05-04 17:21 - 009659736 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_voice\discord_voice.node
2018-05-01 18:40 - 2018-05-01 18:40 - 001530712 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_utils\discord_utils.node
2018-05-01 18:40 - 2018-05-01 18:40 - 000512856 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_erlpack\discord_erlpack.node
2018-05-01 18:40 - 2018-05-02 23:57 - 001578840 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_game_utils\discord_game_utils.node
2018-05-01 18:40 - 2018-05-01 18:40 - 002722648 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_rpc\discord_rpc.node
2018-05-01 18:40 - 2018-05-01 18:40 - 002760536 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_contact_import\discord_contact_import.node
2018-05-01 18:40 - 2018-05-01 18:40 - 001249112 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_vigilante\discord_vigilante.node
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2017-09-29 10:46 - 2018-05-07 21:03 - 000003112 _____ C:\Windows\system32\Drivers\etc\hosts
 
0.0.0.0 a.ads1.msn.com
0.0.0.0 a.ads2.msads.net
0.0.0.0 a.ads2.msn.com
0.0.0.0 a.rad.msn.com
0.0.0.0 a-0001.a-msedge.net
0.0.0.0 a-0002.a-msedge.net
0.0.0.0 a-0003.a-msedge.net
0.0.0.0 a-0004.a-msedge.net
0.0.0.0 a-0005.a-msedge.net
0.0.0.0 a-0006.a-msedge.net
0.0.0.0 a-0007.a-msedge.net
0.0.0.0 a-0008.a-msedge.net
0.0.0.0 a-0009.a-msedge.net
0.0.0.0 ac3.msn.com
0.0.0.0 ad.doubleclick.net
0.0.0.0 adnexus.net
0.0.0.0 adnxs.com
0.0.0.0 ads.msn.com
0.0.0.0 ads1.msads.net
0.0.0.0 ads1.msn.com
0.0.0.0 aidps.atdmt.com
0.0.0.0 aka-cdn-ns.adtech.de
0.0.0.0 a-msedge.net
0.0.0.0 apps.skype.com
0.0.0.0 az361816.vo.msecnd.net
0.0.0.0 az512334.vo.msecnd.net
0.0.0.0 b.ads1.msn.com
0.0.0.0 b.ads2.msads.net
0.0.0.0 b.rad.msn.com
0.0.0.0 bs.serving-sys.com
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05082018173614536\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Windows\img0.jpg
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Yahfz\AppData\Roaming\Microsoft\Windows Photo Viewer\Windows Photo Viewer Wallpaper.jpg
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05082018173614559\Control Panel\Desktop\\Wallpaper -> C:\Users\Yahfz\AppData\Roaming\Microsoft\Windows Photo Viewer\Windows Photo Viewer Wallpaper.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run: => "SecurityHealth"
HKLM\...\StartupApproved\Run32: => "Lightshot"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\StartupApproved\Run: => "Google Update"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\StartupApproved\Run: => "Gyazo"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\StartupApproved\Run: => "Spotify"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\StartupApproved\Run: => "Spotify Web Helper"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\StartupApproved\Run: => "CorsairLink4"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05082018173614559\...\StartupApproved\Run: => "Google Update"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05082018173614559\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05082018173614559\...\StartupApproved\Run: => "Gyazo"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05082018173614559\...\StartupApproved\Run: => "Spotify"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05082018173614559\...\StartupApproved\Run: => "Spotify Web Helper"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-05082018173614559\...\StartupApproved\Run: => "CorsairLink4"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{9E36F2AB-E8AB-4427-955E-27EA737F7FF6}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{69B5DFBF-92EB-4875-AED3-2DC924275A2F}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{C3F676DF-2DF8-4CBE-8068-291B477A3ECF}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{0F3A3009-D77B-4CD0-8039-BA1531CE2148}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{91BDE8E0-A2E2-4212-ACDA-65D376C38E63}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exe
FirewallRules: [{16DE119C-5D61-42A7-990F-74D0C294A778}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exe
FirewallRules: [{4F46D3B0-231D-4CBD-BFA7-F9F934ADEB65}] => (Allow) C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\SonarHost.exe
FirewallRules: [{0F4090D5-1668-43DA-B21F-A0AE09A22553}] => (Allow) C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\SonarHost.exe
FirewallRules: [{8C4B4C01-96D7-46F5-9D12-B2180628F2E2}] => (Allow) D:\Games\Battlefield 4\BFLauncher.exe
FirewallRules: [{B190C498-8B9D-48F9-8552-8CC80F7DB372}] => (Allow) D:\Games\Battlefield 4\BFLauncher.exe
FirewallRules: [{017A074F-35A1-43F7-B7B2-198EAE7D603E}] => (Allow) D:\Games\Battlefield 4\BFLauncher_x86.exe
FirewallRules: [{DBAE80B7-66AF-49ED-AE52-0FD9306C61E2}] => (Allow) D:\Games\Battlefield 4\BFLauncher_x86.exe
FirewallRules: [TCP Query User{2D3ECCBC-0909-459F-B555-4188C0E01D3D}C:\users\yahfz\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\yahfz\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{E04481E9-7438-4021-98DB-F00FAACB5D1F}C:\users\yahfz\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\yahfz\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{4F26A444-7A01-41FA-B91E-84CEC8AEE0FC}C:\program files (x86)\steam\steamapps\common\pubg\tslgame\binaries\win64\tslgame.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\pubg\tslgame\binaries\win64\tslgame.exe
FirewallRules: [UDP Query User{B7A4437C-29E9-4D3A-9689-AD4F3EF2DF93}C:\program files (x86)\steam\steamapps\common\pubg\tslgame\binaries\win64\tslgame.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\pubg\tslgame\binaries\win64\tslgame.exe
FirewallRules: [{A59F8F4D-9EEE-486A-B37D-4E1FF727A93E}] => (Allow) D:\Games\Battlefield 1\bf1Trial.exe
FirewallRules: [{95F4C67A-7FAC-4298-A656-7323AEB658DD}] => (Allow) D:\Games\Battlefield 1\bf1Trial.exe
FirewallRules: [{089887D7-33B1-4731-BE89-2732DE0320A9}] => (Allow) D:\Games\Battlefield 1\bf1.exe
FirewallRules: [{B4CE05AF-F0CE-4AC7-ADA1-EAE70978440F}] => (Allow) D:\Games\Battlefield 1\bf1.exe
FirewallRules: [{A9049EA1-E8A6-46E1-87A3-ABB2C18B097D}] => (Allow) D:\Games\Steam Games\steamapps\common\Grand Theft Auto IV\GTAIV\LaunchGTAIV.exe
FirewallRules: [{18AAE70F-799F-4AFA-9A30-A20D044F4DC9}] => (Allow) D:\Games\Steam Games\steamapps\common\Grand Theft Auto IV\GTAIV\LaunchGTAIV.exe
FirewallRules: [TCP Query User{EA1BF4D9-EC61-4011-BFD0-75BB66938C98}D:\games\overwatch\overwatch.exe] => (Allow) D:\games\overwatch\overwatch.exe
FirewallRules: [UDP Query User{68782DE1-1844-482D-B0AB-963D5084A466}D:\games\overwatch\overwatch.exe] => (Allow) D:\games\overwatch\overwatch.exe
FirewallRules: [{327F0ED6-12D4-4C03-8D94-6D9E067C0BB7}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
FirewallRules: [{8FD367F3-EDBC-4A9A-8FE1-C25A3A17944E}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
FirewallRules: [{88EAA3A3-C7D3-45B3-8F53-23515AFE203C}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
FirewallRules: [{6A1C3F32-4244-4150-B33E-B640B6943472}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
FirewallRules: [{94DEF0FA-DE74-46BE-9723-C05FC2A1B537}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{0B051E3A-3075-4E9E-9A6D-B1D4EB171640}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [TCP Query User{28DA22C5-B397-448D-9C8F-71A308071E5A}D:\emulation\rpcs3\rpcs3.exe] => (Allow) D:\emulation\rpcs3\rpcs3.exe
FirewallRules: [UDP Query User{2B62CC1C-CCE6-4028-88B8-955177F72840}D:\emulation\rpcs3\rpcs3.exe] => (Allow) D:\emulation\rpcs3\rpcs3.exe
FirewallRules: [TCP Query User{75049051-49FF-46BF-9629-22C8B4AEB264}D:\games\battlefield 4\bf4.exe] => (Allow) D:\games\battlefield 4\bf4.exe
FirewallRules: [UDP Query User{699DF92B-7D71-46A3-91EA-D4389DA145D7}D:\games\battlefield 4\bf4.exe] => (Allow) D:\games\battlefield 4\bf4.exe
FirewallRules: [{E1A833F9-8197-4BD9-956A-C34823AEEDD5}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [TCP Query User{E3B7B3E5-CBED-4C08-96EC-7A827401C352}D:\games\steam games\steamapps\common\grand theft auto iv\gtaiv\gtaiv.exe] => (Allow) D:\games\steam games\steamapps\common\grand theft auto iv\gtaiv\gtaiv.exe
FirewallRules: [UDP Query User{FB1E88BA-5233-400D-BCDB-AE0527B71D04}D:\games\steam games\steamapps\common\grand theft auto iv\gtaiv\gtaiv.exe] => (Allow) D:\games\steam games\steamapps\common\grand theft auto iv\gtaiv\gtaiv.exe
FirewallRules: [{8BE4708A-A9AC-44EA-B9E1-3CF65AD93B94}] => (Allow) D:\Games\Steam Games\steamapps\common\Call of Duty Black Ops III\BlackOps3.exe
FirewallRules: [{B0950DB4-15D3-42EC-A629-0240D75C8A71}] => (Allow) D:\Games\Steam Games\steamapps\common\Call of Duty Black Ops III\BlackOps3.exe
FirewallRules: [{D4E9C4F9-FE06-4E3E-9D5A-B1E96DDD91CC}] => (Allow) C:\Users\Yahfz\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{1CBCFA53-13F9-4D15-BEE0-80BD2D1535B9}] => (Allow) C:\Users\Yahfz\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{9F56BBCF-374C-427E-AFA6-DD5A83ED9547}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{62D759A7-5755-4FEB-B284-B1879B8DAFAF}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{BDBC86CB-20F1-4C52-9873-9070FF108D2E}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{4F1C8604-10EC-4A26-A089-7CEF5504A324}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{32946FF4-9562-4B5E-988C-55CCB4D3CE9B}] => (Allow) C:\Program Files (x86)\Origin Games\Battlefield 3\bf3.exe
FirewallRules: [{B702F159-0A9D-4BA9-B42B-CEC8C85EA2C0}] => (Allow) C:\Program Files (x86)\Origin Games\Battlefield 3\bf3.exe
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
 
==================== Faulty Device Manager Devices =============
 
Name: TunnelBear Adapter V9
Description: TunnelBear Adapter V9
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: TunnelBear Provider V9
Service: tap-tb-0901
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (05/08/2018 08:06:18 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: rpcs3.exe, version: 0.0.0.0, time stamp: 0x5aeede17
Faulting module name: nvoglv64.dll_unloaded, version: 24.21.13.9731, time stamp: 0x5adc2ef1
Exception code: 0xc0000005
Fault offset: 0x00000000009be84a
Faulting process id: 0x2fa8
Faulting application start time: 0x01d3e7212bb51d7f
Faulting application path: D:\Emulation\RPCS3\rpcs3.exe
Faulting module path: nvoglv64.dll
Report Id: 7b18d505-a474-434f-9bf0-41cb68241d62
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (05/08/2018 08:06:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: rpcs3.exe, version: 0.0.0.0, time stamp: 0x5aeede17
Faulting module name: nvoglv64.dll, version: 24.21.13.9731, time stamp: 0x5adc2ef1
Exception code: 0xc0000005
Fault offset: 0x0000000000a75220
Faulting process id: 0x2fa8
Faulting application start time: 0x01d3e7212bb51d7f
Faulting application path: D:\Emulation\RPCS3\rpcs3.exe
Faulting module path: C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_2a800e6ebddb7f48\nvoglv64.dll
Report Id: 98ccbada-f3a1-4213-b5d4-0d754ad703c8
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (05/08/2018 08:02:35 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program rpcs3.exe version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 
Process ID: 1b08
 
Start Time: 01d3e7208442c592
 
Termination Time: 4
 
Application Path: D:\Emulation\RPCS3\rpcs3.exe
 
Report Id: 02228002-8684-4abf-8c1f-674045c7f763
 
Faulting package full name: 
 
Faulting package-relative application ID:
 
Error: (05/08/2018 06:09:50 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: rpcs3.exe, version: 0.0.0.0, time stamp: 0x5af1f5a8
Faulting module name: ucrtbase.dll, version: 10.0.16299.248, time stamp: 0xe71e5dfe
Exception code: 0xc0000409
Fault offset: 0x000000000006b79e
Faulting process id: 0x313c
Faulting application start time: 0x01d3e710c5fbc620
Faulting application path: D:\Emulation\Rpcs3\rpcs3.exe
Faulting module path: C:\Windows\System32\ucrtbase.dll
Report Id: 971dbd24-9985-4675-be15-62d608bcf433
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (05/08/2018 06:08:54 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program rpcs3.exe version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 
Process ID: 2788
 
Start Time: 01d3e710a9f35747
 
Termination Time: 3
 
Application Path: D:\Emulation\RPCS3\rpcs3.exe
 
Report Id: f7ddad25-ec06-4a1c-9fdd-3c18d8959adf
 
Faulting package full name: 
 
Faulting package-relative application ID:
 
Error: (05/08/2018 06:08:05 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: rpcs3.exe, version: 0.0.0.0, time stamp: 0x5af1f5a8
Faulting module name: KERNELBASE.dll, version: 10.0.16299.402, time stamp: 0xde35406a
Exception code: 0xe06d7363
Fault offset: 0x0000000000014008
Faulting process id: 0x3348
Faulting application start time: 0x01d3e710a3bc6e4b
Faulting application path: D:\Emulation\Rpcs3\rpcs3.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: 3de04a3b-4d1e-432a-bb24-133da8baa046
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (05/08/2018 06:07:55 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program rpcs3.exe version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 
Process ID: 2c4
 
Start Time: 01d3e70fbc3555b3
 
Termination Time: 3
 
Application Path: D:\Emulation\RPCS3\rpcs3.exe
 
Report Id: 7a42b862-d9cd-4118-b6a0-f1797f6b22fa
 
Faulting package full name: 
 
Faulting package-relative application ID:
 
Error: (05/08/2018 06:01:25 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: rpcs3.exe, version: 0.0.0.0, time stamp: 0x5af1f5a8
Faulting module name: ucrtbase.dll, version: 10.0.16299.248, time stamp: 0xe71e5dfe
Exception code: 0xc0000409
Fault offset: 0x000000000006b79e
Faulting process id: 0xc38
Faulting application start time: 0x01d3e70f7e56f1b8
Faulting application path: D:\Emulation\Rpcs3\rpcs3.exe
Faulting module path: C:\Windows\System32\ucrtbase.dll
Report Id: 467b8b67-cdaa-4a85-bdb5-a39089c850ad
Faulting package full name: 
Faulting package-relative application ID:
 
 
System errors:
=============
Error: (05/08/2018 08:09:03 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-UIJPUF7)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-UIJPUF7\Yahfz SID (S-1-5-21-1063343458-1627817258-3518694317-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (05/08/2018 08:08:31 PM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-UIJPUF7)
Description: The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.
 
Error: (05/08/2018 07:24:52 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-UIJPUF7)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-UIJPUF7\Yahfz SID (S-1-5-21-1063343458-1627817258-3518694317-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (05/08/2018 06:37:10 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-UIJPUF7)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-UIJPUF7\Yahfz SID (S-1-5-21-1063343458-1627817258-3518694317-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (05/08/2018 06:28:11 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-UIJPUF7)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-UIJPUF7\Yahfz SID (S-1-5-21-1063343458-1627817258-3518694317-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (05/08/2018 05:56:45 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-UIJPUF7)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-UIJPUF7\Yahfz SID (S-1-5-21-1063343458-1627817258-3518694317-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (05/08/2018 04:17:11 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-UIJPUF7)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-UIJPUF7\Yahfz SID (S-1-5-21-1063343458-1627817258-3518694317-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (05/08/2018 03:47:54 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-UIJPUF7)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-UIJPUF7\Yahfz SID (S-1-5-21-1063343458-1627817258-3518694317-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
 
CodeIntegrity:
===================================
 
Date: 2018-05-08 17:35:01.777
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-07 18:48:58.852
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-07 00:45:42.543
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-06 15:00:51.923
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-05 14:51:16.994
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-05 09:06:00.752
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-04-30 19:12:53.292
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-04-30 19:12:36.907
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-8700K CPU @ 3.70GHz
Percentage of memory in use: 19%
Total physical RAM: 16313.12 MB
Available physical RAM: 13193.71 MB
Total Virtual: 18745.12 MB
Available Virtual: 14543.93 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:111.19 GB) (Free:21.84 GB) NTFS
Drive d: (Local Disk) (Fixed) (Total:931.51 GB) (Free:150.7 GB) NTFS
Drive e: (Local Disk) (Fixed) (Total:465.76 GB) (Free:57.85 GB) NTFS
 
\\?\Volume{c15c6e24-22de-4389-849d-de9c4cf998fc}\ (Recovery) (Fixed) (Total:0.49 GB) (Free:0.13 GB) NTFS
\\?\Volume{327ae61b-94d6-423b-8c1d-13c85fb61742}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 111.8 GB) (Disk ID: B44B43FA)
 
Partition: GPT.
 
========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 931.5 GB) (Disk ID: 409E783D)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (MBR Code: Windows 7/8/10) (Size: 465.8 GB) (Disk ID: 2130F05F)
Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================

Edited by yahfz, 08 May 2018 - 06:58 PM.


#8 yahfz

yahfz
  • Topic Starter

  • Members
  • 44 posts
  • Local time:01:53 AM

Posted 10 May 2018 - 08:54 PM

Anything suspicious? 



#9 RayS

RayS

  • Malware Study Hall Senior
  • 2,336 posts
  • Gender:Male
  • Location:USA
  • Local time:11:53 PM

Posted 10 May 2018 - 11:36 PM

Hi yahfz,

 

I submitted a post for approval by my instructor. I will send that to you after I see her reply.

 

Thank you for your patience.

 

Ray


I don't accept payment for my help, but it would please me if you perform a kindness for your neighbor. You might also contact your local animal shelter. They can always use a bag of kibble or a few cans of pet food. Who knows... you might even find a life-long furry friend there.


#10 RayS

RayS

  • Malware Study Hall Senior
  • 2,336 posts
  • Gender:Male
  • Location:USA
  • Local time:11:53 PM

Posted 11 May 2018 - 02:11 AM

Hello again yahfz, and welcome to Bleeping Computer.

Please call me "Ray".

I will be helping you with your computer problem.
 

  • Please do not attach any log files to your replies unless specifically requested. Instead, please copy and paste the entire text of the logs into the body of your reply. Use separate consecutive posts if that's easier for you.
  • Please do not make any further changes to your computer (such as Install/Uninstall programs, use special fix tools, delete files, edit the registry, etc...) and don't perform any actions without being advised to do so. If you are unsure, please stop and describe the current state of your PC and ask your question.
  • Always read my entire message before you begin to follow my instructions.
  • It may be helpful for you to print my instructions for easy reference.
  • Perform my instructions in the order as given.
  • Click More Reply Options and then Preview Post before you post a reply. Be sure your message addresses all the issues I raise.
  • Any fixes I provide are for this specific problem on this machine only.
  • Removing malware is hazardous. I will not knowingly advise actions that will damage your computer, but it is impossible to guarantee the safety of your system. It may even become necessary to re-format and re-install your operating system. Before we proceed, you should back up all your data -- preferably to a different computer or to off-line storage.

 

Thank you for the logs. I end all my instructions with a summary of required items. Please be sure to address all the items in your replies. Here are the open items (repeated here for your convenience) from my previous post: 

  • Confirm that you have backed up your important files.
  • Tell me the names of the random files you're concerned about.
  • Do you have any other relevant information?

 

 

Illegal Software
Unfortunately, there is evidence of illegal software on your computer. I am requesting that you completely uninstall any and all products for which you do not have a valid Product Key, including all "cracked" software and hacking tools. If you are willing to do that, please rerun a FRST scan after removal. Then copy/paste both reports into your reply.

 

 

 

Peer-to-Peer File Sharing Warning
Going over your logs, I noticed that you have BitTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and trojans spread across P2P file sharing networks, gaming, and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

See quietman7's warning about P2P here.

It is pretty much certain that if you continue to use P2P programs, you will get re-infected.
I strongly recommend that you uninstall all peer-to-peer file sharing programs; however, that choice is up to you. To remove these programs, see the Uninstall programs instructions below.

If you wish to keep it, please do not use it until your computer is cleaned.

Please let me know whether you will refrain from using BitTorrent or will uninstall it.

 

 

 

Continue with this topic
If you decide to remove the illegal program(s) and will refrain from using peer-to-peer file sharing, please scan with CKScanner after removal. Be aware, however, that the tools we will be using in a later fix are likely to break any cracked software which you might retain on your PC.


Scan with CKScanner
Download CKScanner by askey127.

Important: save it to your desktop. 

  • Right-click CKScanner.exe and select Run as Administrator to start the tool.
  • Click Search For Files.
  • When finished, click Save List To File.
  • Run this tool only one time.

Please attach CKFiles.txt to your next reply. (don't copy/paste)



Re-scan with Farbar Recovery Scan Tool
Do this after you remove the illegal program(s). 

  • Right-click FRST64.exe then click Run as administrator.
  • When the tool opens, click Yes to disclaimer.
  • When the tool is done updating itself, it will show "This tool is ready to use." near the upper left corner of the tool's window.
  • Under Optional Scan, be sure a checkmark is placed next to Addition.txt.
  • Click Scan.
  • When finished, it will produce logs called FRST.txt and Addition.txt in the same directory where the tool was run from.
  • Please copy and paste both logs into your next reply.



In your next reply...

  • Please address pending items from my previous post.
  • Confirm that you have removed all illegal programs.
  • Confirm that you will not use peer-to-peer file sharing while we are working together.
  • Please attach CKFiles.txt to your next reply. (don't copy/paste)
  • Copy and paste FRST.txt and Addition.txt into the body of your message.
  • Please give me any other relevant information about persistent random files or other symptoms of malware.

Thank you,

Ray


I don't accept payment for my help, but it would please me if you perform a kindness for your neighbor. You might also contact your local animal shelter. They can always use a bag of kibble or a few cans of pet food. Who knows... you might even find a life-long furry friend there.


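Once the FRST logs come back, most of the work is reading Addition.txt for weak security posture and for persistence that does not belong. The script below is an added example, not part of Ray's instructions and not a component of FRST or CKScanner: a small Python triage pass over a constructed Addition.txt-style sample (the task names, task GUIDs, paths and user name are invented). It flags Security Center products reported as Disabled, scheduled tasks whose binary shows no publisher in its version info or a placeholder company name, tasks that launch from a user-writable profile path, a UAC policy that lets administrators elevate without any prompt, SmartScreen turned off, and System Restore disabled. The regular expressions are written against the line layout FRST produced in this thread, not against any published FRST grammar, so treat them as an assumption to be checked against the FRST version you are reading.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the layout FRST uses for Addition.txt. Task GUIDs,
# task names, paths and the user name are invented for this example.
SAMPLE_ADDITION = r"""
==================== Security Center ========================

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Scheduled Tasks (Whitelisted) =============

Task: {11111111-1111-1111-1111-111111111111} - System32\Tasks\VendorUpdater => C:\Program Files\Vendor\Updater64.exe [2018-05-07] (Vendor Inc.)
Task: {22222222-2222-2222-2222-222222222222} - System32\Tasks\update-sys => C:\Program Files (x86)\Example\Updater\Updater.exe [2017-04-12] (TODO: <Company name>)
Task: {33333333-3333-3333-3333-333333333333} - System32\Tasks\Overlay => C:\Program Files (x86)\Overlay\Overlay.exe [2017-12-15] ()
Task: {44444444-4444-4444-4444-444444444444} - System32\Tasks\UserUpdateCore => C:\Users\alice\AppData\Local\Example\Update\Update.exe

==================== Other Areas ============================

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
Windows Firewall is enabled.

==================== Restore Points =========================

ATTENTION: System Restore is disabled
"""

# Patterns modelled on the FRST line layout seen in this thread (an assumption).
SECURITY_RE = re.compile(
    r"^(?P<kind>AV|AS|FW): (?P<name>.+?) \((?P<state>Enabled|Disabled) - [^)]+\)"
)
TASK_RE = re.compile(
    r"^Task: \{[^}]+\} - (?P<task>.+?) => (?P<path>.+?\.(?:exe|dll|bat|cmd|vbs|js|ps1))"
    r"(?: \[[^\]]*\])?(?: \((?P<publisher>[^)]*)\))?\s*$",
    re.IGNORECASE,
)
POLICY_RE = re.compile(r"\((?P<key>[A-Za-z]+): (?P<val>[^)]+)\)")
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "review"
    item: str
    detail: str


def triage(addition_txt: str) -> list[Finding]:
    """Walk an Addition.txt and return the lines that deserve a second look."""
    findings: list[Finding] = []
    for raw in addition_txt.splitlines():
        line = raw.strip()
        m = SECURITY_RE.match(line)
        if m:
            if m["state"] == "Disabled":
                findings.append(Finding("high", f"{m['kind']}: {m['name']}",
                                        "registered with Security Center but disabled"))
            continue
        m = TASK_RE.match(line)
        if m:
            pub = m["publisher"]
            if not pub:  # "()" or no version block at all
                findings.append(Finding("review", m["task"],
                                        f"{m['path']} shows no publisher in its version info"))
            elif "TODO" in pub:
                findings.append(Finding("review", m["task"],
                                        f"{m['path']} carries placeholder company name {pub!r}"))
            if USER_PROFILE_RE.search(m["path"]):
                findings.append(Finding("review", m["task"],
                                        "launches a binary from a user-writable profile path"))
            continue
        if "\\Policies\\System =>" in line:
            policy = dict(POLICY_RE.findall(line))
            if policy.get("EnableLUA") == "0":
                findings.append(Finding("high", "UAC", "EnableLUA is 0: UAC is switched off"))
            elif policy.get("ConsentPromptBehaviorAdmin") == "0":
                findings.append(Finding("medium", "UAC",
                                        "ConsentPromptBehaviorAdmin is 0: admins elevate with no prompt"))
        elif "SmartScreenEnabled: Off" in line:
            findings.append(Finding("medium", "SmartScreen", "SmartScreen is off"))
        elif line.startswith("ATTENTION: System Restore is disabled"):
            findings.append(Finding("medium", "System Restore",
                                    "disabled: nothing to roll back to if cleanup goes wrong"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so the reader sees the shape of the log at a glance."""
    counts = {"high": 0, "medium": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_ADDITION):
        print(f"[{f.severity:6}] {f.item}: {f.detail}")
    print(summarize(triage(SAMPLE_ADDITION)))
```

Everything tagged "review" is a prompt to look, not a verdict: a per-user updater under AppData or a binary with an empty company name is how plenty of legitimate software ships, which is why a helper asks for the full log rather than a list of hits. The "high" and "medium" items are posture problems worth fixing regardless of what the scan finds: both security products disabled, ConsentPromptBehaviorAdmin at 0 (an elevation with no prompt at all), SmartScreen off and no restore point to fall back on.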
#11 yahfz (Topic Starter)

Posted 11 May 2018 - 03:04 AM

I understand that you want me to remove the 'cracked/hacking tools', and I will completely understand if you drop this case after hearing what I just said, but unfortunately I need to refuse because I know exactly what caused the malware/trojans and all. If it helps, it was a keygen thing that happens to be malicious and was supposed to 'crack' the AmpliTube software. Anywho, I posted the logs, just in case you wanna keep helping me for some reason.

FRST.txt: https://pastebin.com/gFcRBC25

Addition:
 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 10.05.2018
Ran by Yahfz (11-05-2018 05:01:36)
Running from D:\Downloads
Windows 10 Pro Version 1709 16299.431 (X64) (2018-04-23 07:44:37)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1063343458-1627817258-3518694317-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1063343458-1627817258-3518694317-503 - Limited - Disabled)
Guest (S-1-5-21-1063343458-1627817258-3518694317-501 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-1063343458-1627817258-3518694317-504 - Limited - Disabled)
Yahfz (S-1-5-21-1063343458-1627817258-3518694317-1001 - Administrator - Enabled) => C:\Users\Yahfz
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Malwarebytes (Disabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Disabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
AmpliTube 4 version 4.0.2 (HKLM\...\{21B0C8E0-7EB7-4832-B764-20A7DAE86E02}_is1) (Version: 4.0.2 - IK Multimedia)
AP Tuner 3.08 (HKLM-x32\...\AP Tuner 3.08) (Version:  - )
AURA (HKLM-x32\...\{5899CD4F-8764-4303-A0D9-C60A62CFC24F}) (Version: 1.06.17 - ASUSTeK Computer Inc.)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Battlefield 3™ (HKLM-x32\...\{64BFBE7A-886C-4CA2-A9B4-0C2B5A5942BC}) (Version: 1.6.0.0 - Electronic Arts)
Battlefield 4™ (HKLM-x32\...\{ABADE36E-EC37-413B-8179-B432AD3FACE7}) (Version: 1.8.2.48475 - Electronic Arts)
Battlefield™ 1 (HKLM-x32\...\{335B50BC-6130-4BAF-9A6A-F1561270587B}) (Version: 1.0.54.357 - Electronic Arts)
Battlelog Web Plugins (HKLM-x32\...\Battlelog Web Plugins) (Version: 2.3.0 - EA Digital Illusions CE AB)
BitTorrent (HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\BitTorrent) (Version: 7.10.3.44397 - BitTorrent Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.42 - Piriform)
Corsair LINK 4 (HKLM-x32\...\{40036d0c-634b-4fc0-be89-13343b4bea96}) (Version: 4.9.7.35 - Corsair Components, Inc.)
Corsair LINK 4 (HKLM-x32\...\{D97F4B31-5A7D-4A07-AC85-16D64FAB93E1}) (Version: 4.9.7.35 - Corsair Components, Inc.) Hidden
Custom Shop version 1.7.0 (HKLM-x32\...\{21BAD046-50EC-49E2-BE7B-F9729704F2C3}_is1) (Version: 1.7.0 - IK Multimedia)
Discord (HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\Discord) (Version: 0.0.301 - Discord Inc.)
DisplayDriverAnalyzer (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_DisplayDriverAnalyzer) (Version: 397.64 - NVIDIA Corporation) Hidden
ESN Sonar (HKLM-x32\...\ESN Sonar-0.70.4) (Version: 0.70.4 - ESN Social Software AB)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 66.0.3359.170 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
IK Multimedia Authorization Manager version 1.0.15 (HKLM\...\{85BC0DCB-69E5-4279-AA25-F108EF896588}_is1) (Version: 1.0.15 - IK Multimedia)
Lightshot-5.4.0.35 (HKLM-x32\...\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1) (Version: 5.4.0.35 - Skillbrains)
Malwarebytes version 3.4.5.2467 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.4.5.2467 - Malwarebytes)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}) (Version: 3.5.92.0 - Microsoft Corporation)
Microsoft Games for Windows Marketplace (HKLM-x32\...\{67F42018-F647-4D3C-BE62-F8CB4FE2FCD5}) (Version: 3.5.67.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.10.25008 (HKLM-x32\...\{f1e7e313-06df-4c56-96a9-99fdfd149c51}) (Version: 14.10.25008.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.10.25008 (HKLM-x32\...\{c239cea1-d49e-4e16-8e87-8c055765f7ec}) (Version: 14.10.25008.0 - Microsoft Corporation)
MPC-HC 1.7.13 (64-bit) (HKLM\...\{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1) (Version: 1.7.13 - MPC-HC Team)
MSI Afterburner 4.4.2 (HKLM-x32\...\Afterburner) (Version: 4.4.2 - MSI Co., LTD)
Notepad++ (64-bit x64) (HKLM\...\Notepad++) (Version: 7.5.6 - Notepad++ Team)
NVIDIA 3D Vision Controller Driver 390.41 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 390.41 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 397.64 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 397.64 - NVIDIA Corporation)
NVIDIA GeForce Experience 3.13.1.30 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 3.13.1.30 - NVIDIA Corporation)
NVIDIA Graphics Driver 397.64 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 397.64 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.37.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.37.1 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.17.0524 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.17.0524 - NVIDIA Corporation)
OBS Studio (HKLM-x32\...\OBS Studio) (Version: 21.1.0 - OBS Project)
Origin (HKLM-x32\...\Origin) (Version: 10.5.18.58059 - Electronic Arts, Inc.)
Overwatch (HKLM-x32\...\Overwatch) (Version:  - Blizzard Entertainment)
paint.net (HKLM\...\{E8FA8815-3817-4128-A814-E2EAC456ADF0}) (Version: 4.0.21 - dotPDN LLC)
PunkBuster Services (HKLM-x32\...\PunkBusterSvc) (Version: 0.991 - Even Balance, Inc.)
RivaTuner Statistics Server 7.0.2 (HKLM-x32\...\RTSS) (Version: 7.0.2 - Unwinder)
Spotify (HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\Spotify) (Version: 1.0.77.338.g758ebd78 - Spotify AB)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.1.8 - TeamSpeak Systems GmbH)
TunnelBear (HKLM-x32\...\{18bbd477-8e4b-4ee8-a2ae-05c0d756c0f2}) (Version: 3.3.0.3 - TunnelBear)
TunnelBear (HKLM-x32\...\{194D7B5E-8A68-4354-9152-168F21E3D027}) (Version: 3.3.0.3 - TunnelBear) Hidden
VEGAS Pro 15.0 (HKLM\...\{E0F91FB0-7FC4-11E7-B8E9-95BE57594EAC}) (Version: 15.0.177 - VEGAS)
Vulkan Run Time Libraries 1.1.70.0 (HKLM\...\VulkanRT1.1.70.0) (Version: 1.1.70.0 - LunarG, Inc.) Hidden
Windows Driver Package - Corsair Components, Inc. (SIUSBXP) USB  (07/14/2017 3.3) (HKLM\...\A2206C09905C467F30CB24DCBB49F056D7F0A290) (Version: 07/14/2017 3.3 - Corsair Components, Inc.)
WinRAR 5.50 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.50.0 - win.rar GmbH)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-1063343458-1627817258-3518694317-1001_Classes\CLSID\{91A41FCC-BC02-42D8-A36E-0D27FF9BFFC8}\InprocServer32 -> C:\Users\Yahfz\AppData\Local\Google\Update\1.3.33.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1063343458-1627817258-3518694317-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Yahfz\AppData\Local\Google\Update\1.3.33.7\psuser_64.dll => No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files\Notepad++\NppShell_06.dll [2018-03-18] ()
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-27] (Malwarebytes)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2018-05-07] (NVIDIA Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-27] (Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2017-08-11] (Alexander Roshal)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {10AC4E26-0700-431C-B6E3-0A009D9E50FB} - System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [2018-05-07] (NVIDIA Corporation)
Task: {14BDAF45-9872-49B7-8BA3-2DBE8C092378} - System32\Tasks\NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe [2018-05-07] (NVIDIA Corporation)
Task: {1D2FF44B-4889-4EC2-928A-3D28DB3F4587} - System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [2018-05-07] (NVIDIA Corporation)
Task: {212D2271-C96B-4059-9672-97ED26B3AE2A} - System32\Tasks\S-1-5-21-1063343458-1627817258-3518694317-1001\DataSenseLiveTileTask => C:\Windows\System32\DataUsageLiveTileTask.exe [2017-09-29] (Microsoft Corporation)
Task: {360E6237-1579-40D6-90E8-91889D0C194A} - System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [2018-05-07] (NVIDIA Corporation)
Task: {48D46AC6-7E13-47B3-B9D7-B5623204F25B} - System32\Tasks\update-sys => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [2017-04-12] (TODO: <Company name>)
Task: {4FF62BA4-F9B6-4EC1-9789-D1D33896BB1B} - System32\Tasks\NvBatteryBoostCheckOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe [2018-05-07] (NVIDIA Corporation)
Task: {5741A10B-7D86-4870-9A9B-76A28A88F76A} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2018-04-12] (Piriform Ltd)
Task: {5FE1FB51-DDC7-4306-A2B6-3A8D67099368} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-05-11] (Google Inc.)
Task: {61054D1C-A318-4E09-8A0F-992732B3B036} - System32\Tasks\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmMon.exe [2018-05-07] (NVIDIA Corporation)
Task: {703BC9D0-8CD2-4D69-A1B7-66451A606988} - System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NvNode\nvnodejslauncher.exe [2018-05-07] (NVIDIA Corporation)
Task: {8DBFB464-D281-45C7-AEA0-D717EAEE17A5} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1063343458-1627817258-3518694317-1001UA => C:\Users\Yahfz\AppData\Local\Google\Update\GoogleUpdate.exe
Task: {90B28E57-557B-4838-972C-DFE71D4028DD} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2018-04-12] (Piriform Ltd)
Task: {A07BCB25-6712-4A13-BC1A-8FFB7C25668D} - System32\Tasks\MSIAfterburner => C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe [2017-12-15] ()
Task: {A91D6E7A-6050-4BA1-8A28-9889474A2FD5} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1063343458-1627817258-3518694317-1001Core => C:\Users\Yahfz\AppData\Local\Google\Update\GoogleUpdate.exe
Task: {C56980C4-2467-4B14-BD1F-AB0AF1486B19} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-05-11] (Google Inc.)
Task: {D8C47E25-764F-41B9-84CA-A939D399EA0D} - System32\Tasks\update-S-1-5-21-1063343458-1627817258-3518694317-1001 => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [2017-04-12] (TODO: <Company name>)
Task: {EC7343DE-CDC3-4F8F-BB38-4F2A7BBAD66A} - System32\Tasks\ASUS\AsRogAuraGpuDllServer => C:\Program Files (x86)\LightingService\1.00.42\AsRogAuraGpuDllServer.exe [2018-03-29] ()
Task: {F573505D-CAFD-4FA6-A8DE-5D80AC29C26B} - System32\Tasks\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe [2018-05-07] (NVIDIA Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\update-S-1-5-21-1063343458-1627817258-3518694317-1001.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: C:\Windows\Tasks\update-sys.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-09-29 10:41 - 2017-09-29 10:41 - 000184432 _____ () C:\Windows\SYSTEM32\inputhost.dll
2018-04-23 16:28 - 2018-05-04 11:33 - 000076152 _____ () C:\Windows\SysWOW64\PnkBstrA.exe
2018-04-16 11:57 - 2018-04-16 11:57 - 000116096 _____ () C:\Program Files (x86)\TunnelBear\TunnelBear.Maintenance.exe
2017-12-14 14:51 - 2017-12-14 14:51 - 000438376 _____ () C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooks64.dll
2017-12-15 06:04 - 2017-12-15 06:04 - 000725288 _____ () C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
2018-05-04 03:03 - 2018-03-29 08:14 - 000280536 _____ () C:\Program Files (x86)\LightingService\1.00.42\AsRogAuraGpuDllServer.exe
2018-04-23 05:29 - 2018-02-21 21:26 - 011044864 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2018-04-23 05:29 - 2018-02-21 21:21 - 001804288 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-12-14 14:51 - 2017-12-14 14:51 - 000252008 _____ () C:\Program Files (x86)\RivaTuner Statistics Server\RTSS.exe
2017-12-14 14:51 - 2017-12-14 14:51 - 000035432 _____ () C:\Program Files (x86)\RivaTuner Statistics Server\EncoderServer.exe
2017-12-14 14:51 - 2017-12-14 14:51 - 000061032 _____ () C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooksLoader64.exe
2018-05-11 02:31 - 2018-05-09 19:05 - 004443992 _____ () C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.170\libglesv2.dll
2018-05-11 02:31 - 2018-05-09 19:05 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.170\libegl.dll
2018-05-09 13:44 - 2018-05-09 13:44 - 000084992 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsStore_11804.1001.8.0_x64__8wekyb3d8bbwe\WinStore.Preview.dll
2018-05-08 11:48 - 2018-05-08 11:48 - 001873120 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsStore_11804.1001.8.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.dll
2018-05-03 12:57 - 2018-05-03 12:57 - 004165632 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1804.911.0_x64__8wekyb3d8bbwe\Calculator.exe
2018-05-03 12:57 - 2018-05-03 12:57 - 000634880 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1804.911.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.dll
2018-04-29 02:31 - 2018-02-06 08:46 - 000081368 _____ () C:\Program Files (x86)\ASUS\AXSP\4.00.01\ATKEX.dll
2018-04-29 02:31 - 2018-02-06 08:46 - 000229848 _____ () C:\Program Files (x86)\ASUS\AXSP\4.00.01\ASUS_WMI.dll
2018-04-29 02:31 - 2018-05-11 00:51 - 000046888 _____ () C:\Program Files (x86)\ASUS\AXSP\4.00.01\PEbiosinterface32.dll
2018-05-04 03:03 - 2018-03-20 07:33 - 000047576 _____ () C:\Program Files (x86)\LightingService\1.00.42\AuraHueWrapper.dll
2018-05-04 03:03 - 2018-03-20 07:33 - 001777664 _____ () C:\Program Files (x86)\LightingService\1.00.42\Vender.dll
2018-05-04 03:03 - 2018-03-20 07:33 - 000073728 _____ () C:\Program Files (x86)\LightingService\1.00.42\ClaymoreProtocol.dll
2018-05-04 03:03 - 2018-03-20 07:33 - 000073728 _____ () C:\Program Files (x86)\LightingService\1.00.42\CharmProtocol.dll
2018-05-04 03:03 - 2018-03-20 07:33 - 000073728 _____ () C:\Program Files (x86)\LightingService\1.00.42\RogNewmouseProtocol.dll
2018-05-04 03:03 - 2018-03-20 07:33 - 001951232 _____ () C:\Program Files (x86)\LightingService\1.00.42\R2Clib.dll
2018-05-04 03:03 - 2018-03-20 07:33 - 000053248 _____ () C:\Program Files (x86)\LightingService\1.00.42\cpuutil.dll
2018-04-16 11:57 - 2018-04-16 11:57 - 000166912 _____ () C:\Program Files (x86)\TunnelBear\TunnelBear.VigilantBear.Wrapper.dll
2017-12-14 14:56 - 2017-12-14 14:56 - 000232448 _____ () C:\Program Files (x86)\MSI Afterburner\RTCore.dll
2017-12-14 14:56 - 2017-12-14 14:56 - 000071680 _____ () C:\Program Files (x86)\MSI Afterburner\RTMUI.dll
2017-12-14 14:56 - 2017-12-14 14:56 - 000056832 _____ () C:\Program Files (x86)\MSI Afterburner\RTFC.dll
2017-12-14 14:56 - 2017-12-14 14:56 - 000357888 _____ () C:\Program Files (x86)\MSI Afterburner\RTUI.dll
2017-12-14 14:57 - 2017-12-14 14:57 - 000566784 _____ () C:\Program Files (x86)\MSI Afterburner\RTHAL.dll
2017-12-14 14:51 - 2017-12-14 14:51 - 000407144 _____ () C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooks.dll
2017-12-14 14:46 - 2017-12-14 14:46 - 000071680 _____ () C:\Program Files (x86)\RivaTuner Statistics Server\RTMUI.dll
2017-12-14 14:46 - 2017-12-14 14:46 - 000055808 _____ () C:\Program Files (x86)\RivaTuner Statistics Server\RTFC.dll
2017-12-14 14:46 - 2017-12-14 14:46 - 000353792 _____ () C:\Program Files (x86)\RivaTuner Statistics Server\RTUI.dll
2018-04-23 04:58 - 2018-04-02 20:34 - 002631968 _____ () C:\Program Files (x86)\Steam\video.dll
2018-04-23 04:58 - 2018-01-10 23:05 - 000784672 _____ () C:\Program Files (x86)\Steam\SDL2.dll
2018-04-23 04:57 - 2016-08-31 22:02 - 004969248 _____ () C:\Program Files (x86)\Steam\v8.dll
2018-04-23 04:57 - 2017-12-19 22:43 - 000695584 _____ () C:\Program Files (x86)\Steam\libavformat-57.dll
2018-04-23 04:57 - 2017-12-19 22:43 - 000351520 _____ () C:\Program Files (x86)\Steam\libavresample-3.dll
2018-04-23 04:57 - 2017-12-19 22:43 - 005137696 _____ () C:\Program Files (x86)\Steam\libavcodec-57.dll
2018-04-23 04:57 - 2017-12-19 22:43 - 000783648 _____ () C:\Program Files (x86)\Steam\libswscale-4.dll
2018-04-23 04:57 - 2016-08-31 22:02 - 001563936 _____ () C:\Program Files (x86)\Steam\icui18n.dll
2018-04-23 04:57 - 2016-08-31 22:02 - 001195296 _____ () C:\Program Files (x86)\Steam\icuuc.dll
2018-04-23 04:57 - 2017-12-19 22:43 - 000847136 _____ () C:\Program Files (x86)\Steam\libavutil-55.dll
2018-04-23 04:58 - 2018-04-02 20:34 - 000977184 _____ () C:\Program Files (x86)\Steam\bin\chromehtml.DLL
2018-04-23 04:57 - 2016-07-04 19:17 - 000266560 _____ () C:\Program Files (x86)\Steam\openvr_api.dll
2018-05-01 18:00 - 2018-04-30 23:01 - 001891672 _____ () C:\Users\Yahfz\AppData\Local\Discord\app-0.0.301\ffmpeg.dll
2018-05-01 18:00 - 2018-04-30 23:01 - 001937752 _____ () C:\Users\Yahfz\AppData\Local\Discord\app-0.0.301\libglesv2.dll
2018-05-01 18:00 - 2018-04-30 23:01 - 000095576 _____ () C:\Users\Yahfz\AppData\Local\Discord\app-0.0.301\libegl.dll
2018-04-23 04:58 - 2017-12-13 18:16 - 071471392 _____ () C:\Program Files (x86)\Steam\bin\cef\cef.win7\libcef.dll
2018-04-23 04:58 - 2017-09-06 23:04 - 000678400 _____ () C:\Program Files (x86)\Steam\bin\cef\cef.win7\SDL2.dll
2018-04-23 04:57 - 2015-09-24 20:52 - 000119208 _____ () C:\Program Files (x86)\Steam\winh264.dll
2018-05-01 18:40 - 2018-05-01 18:40 - 001910104 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_spellcheck\node_modules\cld\build\Release\cld.node
2018-05-01 18:40 - 2018-05-01 18:40 - 000422744 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_spellcheck\node_modules\spellchecker\build\Release\spellchecker.node
2018-05-01 18:40 - 2018-05-01 18:40 - 000145240 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_spellcheck\node_modules\keyboard-layout\build\Release\keyboard-layout-manager.node
2018-05-01 18:40 - 2018-05-09 23:41 - 009659736 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_voice\discord_voice.node
2018-05-01 18:40 - 2018-05-01 18:40 - 001530712 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_utils\discord_utils.node
2018-05-01 18:40 - 2018-05-01 18:40 - 000512856 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_erlpack\discord_erlpack.node
2018-05-01 18:40 - 2018-05-02 23:57 - 001578840 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_game_utils\discord_game_utils.node
2018-05-01 18:40 - 2018-05-01 18:40 - 002722648 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_rpc\discord_rpc.node
2018-05-01 18:40 - 2018-05-01 18:40 - 002760536 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_contact_import\discord_contact_import.node
2018-05-01 18:40 - 2018-05-01 18:40 - 001249112 _____ () \\?\C:\Users\Yahfz\AppData\Roaming\discord\0.0.301\modules\discord_vigilante\discord_vigilante.node
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2017-09-29 10:46 - 2018-05-11 00:51 - 000003112 _____ C:\Windows\system32\Drivers\etc\hosts
 
0.0.0.0 a.ads1.msn.com
0.0.0.0 a.ads2.msads.net
0.0.0.0 a.ads2.msn.com
0.0.0.0 a.rad.msn.com
0.0.0.0 a-0001.a-msedge.net
0.0.0.0 a-0002.a-msedge.net
0.0.0.0 a-0003.a-msedge.net
0.0.0.0 a-0004.a-msedge.net
0.0.0.0 a-0005.a-msedge.net
0.0.0.0 a-0006.a-msedge.net
0.0.0.0 a-0007.a-msedge.net
0.0.0.0 a-0008.a-msedge.net
0.0.0.0 a-0009.a-msedge.net
0.0.0.0 ac3.msn.com
0.0.0.0 ad.doubleclick.net
0.0.0.0 adnexus.net
0.0.0.0 adnxs.com
0.0.0.0 ads.msn.com
0.0.0.0 ads1.msads.net
0.0.0.0 ads1.msn.com
0.0.0.0 aidps.atdmt.com
0.0.0.0 aka-cdn-ns.adtech.de
0.0.0.0 a-msedge.net
0.0.0.0 apps.skype.com
0.0.0.0 az361816.vo.msecnd.net
0.0.0.0 az512334.vo.msecnd.net
0.0.0.0 b.ads1.msn.com
0.0.0.0 b.ads2.msads.net
0.0.0.0 b.rad.msn.com
0.0.0.0 bs.serving-sys.com
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Yahfz\AppData\Roaming\Microsoft\Windows Photo Viewer\Windows Photo Viewer Wallpaper.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run: => "SecurityHealth"
HKLM\...\StartupApproved\Run32: => "Lightshot"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\StartupApproved\Run: => "Gyazo"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\StartupApproved\Run: => "Spotify"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\StartupApproved\Run: => "Spotify Web Helper"
HKU\S-1-5-21-1063343458-1627817258-3518694317-1001\...\StartupApproved\Run: => "CorsairLink4"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{9E36F2AB-E8AB-4427-955E-27EA737F7FF6}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{69B5DFBF-92EB-4875-AED3-2DC924275A2F}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{C3F676DF-2DF8-4CBE-8068-291B477A3ECF}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{0F3A3009-D77B-4CD0-8039-BA1531CE2148}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{91BDE8E0-A2E2-4212-ACDA-65D376C38E63}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exe
FirewallRules: [{16DE119C-5D61-42A7-990F-74D0C294A778}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exe
FirewallRules: [{4F46D3B0-231D-4CBD-BFA7-F9F934ADEB65}] => (Allow) C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\SonarHost.exe
FirewallRules: [{0F4090D5-1668-43DA-B21F-A0AE09A22553}] => (Allow) C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\SonarHost.exe
FirewallRules: [{8C4B4C01-96D7-46F5-9D12-B2180628F2E2}] => (Allow) D:\Games\Battlefield 4\BFLauncher.exe
FirewallRules: [{B190C498-8B9D-48F9-8552-8CC80F7DB372}] => (Allow) D:\Games\Battlefield 4\BFLauncher.exe
FirewallRules: [{017A074F-35A1-43F7-B7B2-198EAE7D603E}] => (Allow) D:\Games\Battlefield 4\BFLauncher_x86.exe
FirewallRules: [{DBAE80B7-66AF-49ED-AE52-0FD9306C61E2}] => (Allow) D:\Games\Battlefield 4\BFLauncher_x86.exe
FirewallRules: [TCP Query User{2D3ECCBC-0909-459F-B555-4188C0E01D3D}C:\users\yahfz\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\yahfz\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{E04481E9-7438-4021-98DB-F00FAACB5D1F}C:\users\yahfz\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\yahfz\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{4F26A444-7A01-41FA-B91E-84CEC8AEE0FC}C:\program files (x86)\steam\steamapps\common\pubg\tslgame\binaries\win64\tslgame.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\pubg\tslgame\binaries\win64\tslgame.exe
FirewallRules: [UDP Query User{B7A4437C-29E9-4D3A-9689-AD4F3EF2DF93}C:\program files (x86)\steam\steamapps\common\pubg\tslgame\binaries\win64\tslgame.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\pubg\tslgame\binaries\win64\tslgame.exe
FirewallRules: [{A59F8F4D-9EEE-486A-B37D-4E1FF727A93E}] => (Allow) D:\Games\Battlefield 1\bf1Trial.exe
FirewallRules: [{95F4C67A-7FAC-4298-A656-7323AEB658DD}] => (Allow) D:\Games\Battlefield 1\bf1Trial.exe
FirewallRules: [{089887D7-33B1-4731-BE89-2732DE0320A9}] => (Allow) D:\Games\Battlefield 1\bf1.exe
FirewallRules: [{B4CE05AF-F0CE-4AC7-ADA1-EAE70978440F}] => (Allow) D:\Games\Battlefield 1\bf1.exe
FirewallRules: [{A9049EA1-E8A6-46E1-87A3-ABB2C18B097D}] => (Allow) D:\Games\Steam Games\steamapps\common\Grand Theft Auto IV\GTAIV\LaunchGTAIV.exe
FirewallRules: [{18AAE70F-799F-4AFA-9A30-A20D044F4DC9}] => (Allow) D:\Games\Steam Games\steamapps\common\Grand Theft Auto IV\GTAIV\LaunchGTAIV.exe
FirewallRules: [TCP Query User{EA1BF4D9-EC61-4011-BFD0-75BB66938C98}D:\games\overwatch\overwatch.exe] => (Allow) D:\games\overwatch\overwatch.exe
FirewallRules: [UDP Query User{68782DE1-1844-482D-B0AB-963D5084A466}D:\games\overwatch\overwatch.exe] => (Allow) D:\games\overwatch\overwatch.exe
FirewallRules: [TCP Query User{28DA22C5-B397-448D-9C8F-71A308071E5A}D:\emulation\rpcs3\rpcs3.exe] => (Allow) D:\emulation\rpcs3\rpcs3.exe
FirewallRules: [UDP Query User{2B62CC1C-CCE6-4028-88B8-955177F72840}D:\emulation\rpcs3\rpcs3.exe] => (Allow) D:\emulation\rpcs3\rpcs3.exe
FirewallRules: [TCP Query User{75049051-49FF-46BF-9629-22C8B4AEB264}D:\games\battlefield 4\bf4.exe] => (Allow) D:\games\battlefield 4\bf4.exe
FirewallRules: [UDP Query User{699DF92B-7D71-46A3-91EA-D4389DA145D7}D:\games\battlefield 4\bf4.exe] => (Allow) D:\games\battlefield 4\bf4.exe
FirewallRules: [TCP Query User{E3B7B3E5-CBED-4C08-96EC-7A827401C352}D:\games\steam games\steamapps\common\grand theft auto iv\gtaiv\gtaiv.exe] => (Allow) D:\games\steam games\steamapps\common\grand theft auto iv\gtaiv\gtaiv.exe
FirewallRules: [UDP Query User{FB1E88BA-5233-400D-BCDB-AE0527B71D04}D:\games\steam games\steamapps\common\grand theft auto iv\gtaiv\gtaiv.exe] => (Allow) D:\games\steam games\steamapps\common\grand theft auto iv\gtaiv\gtaiv.exe
FirewallRules: [{8BE4708A-A9AC-44EA-B9E1-3CF65AD93B94}] => (Allow) D:\Games\Steam Games\steamapps\common\Call of Duty Black Ops III\BlackOps3.exe
FirewallRules: [{B0950DB4-15D3-42EC-A629-0240D75C8A71}] => (Allow) D:\Games\Steam Games\steamapps\common\Call of Duty Black Ops III\BlackOps3.exe
FirewallRules: [{D4E9C4F9-FE06-4E3E-9D5A-B1E96DDD91CC}] => (Allow) C:\Users\Yahfz\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{1CBCFA53-13F9-4D15-BEE0-80BD2D1535B9}] => (Allow) C:\Users\Yahfz\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{9F56BBCF-374C-427E-AFA6-DD5A83ED9547}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{62D759A7-5755-4FEB-B284-B1879B8DAFAF}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{BDBC86CB-20F1-4C52-9873-9070FF108D2E}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{4F1C8604-10EC-4A26-A089-7CEF5504A324}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{32946FF4-9562-4B5E-988C-55CCB4D3CE9B}] => (Allow) C:\Program Files (x86)\Origin Games\Battlefield 3\bf3.exe
FirewallRules: [{B702F159-0A9D-4BA9-B42B-CEC8C85EA2C0}] => (Allow) C:\Program Files (x86)\Origin Games\Battlefield 3\bf3.exe
FirewallRules: [{0FDACADE-65BF-4501-9206-8EC958D51E04}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
FirewallRules: [{38D606B3-3F75-45A9-A168-F313271E716B}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
FirewallRules: [{C2E67103-B5E5-4B67-A85B-AC154D61ED25}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
FirewallRules: [{EFFE18B6-0344-4F6A-90D5-6FF998BE165E}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
FirewallRules: [{C17F0FEA-E03A-4B47-B668-AF643849FF91}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{7E5AFFFB-DF29-4858-9CDE-8F02BA5FA838}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{0795C2D4-08CE-48C6-A181-5BDD4248545F}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
 
==================== Faulty Device Manager Devices =============
 
Name: TunnelBear Adapter V9
Description: TunnelBear Adapter V9
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: TunnelBear Provider V9
Service: tap-tb-0901
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (05/11/2018 04:25:05 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "D:\Downloads\esetsmartinstaller_enu.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_15c7d3ee93659e73.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_5d750ac5a7e1c779.manifest.
 
Error: (05/11/2018 02:30:29 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "D:\Downloads\esetsmartinstaller_enu.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_15c7d3ee93659e73.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_5d750ac5a7e1c779.manifest.
 
Error: (05/11/2018 01:52:03 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "D:\Downloads\esetsmartinstaller_enu.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_15c7d3ee93659e73.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_5d750ac5a7e1c779.manifest.
 
Error: (05/11/2018 12:48:01 AM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: Event-ID 5000
 
Error: (05/11/2018 12:48:01 AM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: Event-ID 5000
 
Error: (05/11/2018 12:47:56 AM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: Event-ID 5000
 
Error: (05/11/2018 12:47:56 AM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: Event-ID 5000
 
Error: (05/10/2018 11:41:33 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "D:\Downloads\esetsmartinstaller_enu.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_15c7d3ee93659e73.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_5d750ac5a7e1c779.manifest.
 
 
System errors:
=============
Error: (05/11/2018 02:31:30 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-UIJPUF7)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-UIJPUF7\Yahfz SID (S-1-5-21-1063343458-1627817258-3518694317-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (05/11/2018 02:30:19 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-UIJPUF7)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-UIJPUF7\Yahfz SID (S-1-5-21-1063343458-1627817258-3518694317-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (05/11/2018 12:51:28 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-UIJPUF7)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-UIJPUF7\Yahfz SID (S-1-5-21-1063343458-1627817258-3518694317-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (05/11/2018 12:51:22 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The gupdatem service failed to start due to the following error: 
The system cannot find the file specified.
 
Error: (05/11/2018 12:50:45 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Steam Client Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (05/11/2018 12:50:45 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The TunnelBear Maintenance service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (05/11/2018 12:50:45 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The NVIDIA Display Container LS service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 6000 milliseconds: Restart the service.
 
Error: (05/11/2018 12:50:45 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The NVIDIA Telemetry Container service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.
 
 
CodeIntegrity:
===================================
 
Date: 2018-05-10 22:49:17.478
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-10 14:41:56.824
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-08 20:58:14.087
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-08 17:35:01.777
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-07 18:48:58.852
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-07 00:45:42.543
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-06 15:00:51.923
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-05 14:51:16.994
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Microsoft signing level requirements.
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-8700K CPU @ 3.70GHz
Percentage of memory in use: 19%
Total physical RAM: 16313.12 MB
Available physical RAM: 13118.43 MB
Total Virtual: 18745.12 MB
Available Virtual: 14485.33 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:111.19 GB) (Free:22.14 GB) NTFS
Drive d: (Local Disk) (Fixed) (Total:931.51 GB) (Free:151.47 GB) NTFS
Drive e: (Local Disk) (Fixed) (Total:465.76 GB) (Free:57.85 GB) NTFS
 
\\?\Volume{c15c6e24-22de-4389-849d-de9c4cf998fc}\ (Recovery) (Fixed) (Total:0.49 GB) (Free:0.13 GB) NTFS
\\?\Volume{327ae61b-94d6-423b-8c1d-13c85fb61742}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 111.8 GB) (Disk ID: B44B43FA)
 
Partition: GPT.
 
========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 931.5 GB) (Disk ID: 409E783D)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (MBR Code: Windows 7/8/10) (Size: 465.8 GB) (Disk ID: 2130F05F)
Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================

Edited by yahfz, 11 May 2018 - 03:05 AM.


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,208 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:53 AM

Posted 11 May 2018 - 12:59 PM

but unfortunately I need to refuse because I know exactly what caused the malware/trojans and all. If it helps, it was a keygen thing that happens to be malicious and was supposed to 'crack' the AmpliTube software

 

Let me summarize this topic so far: you've posted multiple topics over the years where it was pointed out to you that using cracked software is not only illegal but generally a bad idea because it might infect your computer. 

 

If I understand your statement, this is exactly what happened here. Despite being warned about this in more than one topic, you chose to ignore this advice. That is your choice, but don't expect any helper to waste their time cleaning a computer that, even if cleaned, will be re-infected in no time because you just opt to ignore any advice on keeping your computer clean. 

 

In conclusion, I suggest you take your computer to a local repair shop and pay to have your computer cleaned. This topic is locked.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft




