
high priority target in the blockchain field: possible rootkits.


  • This topic is locked
17 replies to this topic

#1 kmin

  • Members
  • 9 posts
  • Gender:Male

Posted 24 May 2018 - 10:22 PM

Hello BleepingComputer,

(also attached.)

I am concerned with a hidden service that popped up in GMER once, but then not a second time. Perhaps it was a false flag because Avast was pending restart with an MBR check?

This popped up as a red flag in GMER:

 

---- Services - GMER 2.2 ----

Service   (*** hidden *** )  [MANUAL] aswbdisk   <-- ROOTKIT !!!

I wasn't able to remove it in GMER or in regedit:
 
vcF0zJW.png
 
It is mixed in with other "asw" stuff, so I'm thinking Avast related maybe? Or stealth from within Avast filename styles? I only see "awsbdisk" related to infected computers in Google. That's why I'm not positive this is a legitimate Avast file.

Also this was happening earlier, before I did a bunch of stuff:
 
ziFq9U7.png
 
I was unable to turn them on.

What's the best way for me to secure my computer?

Computer: Alienware Area-51
OS: Windows 10

I work in a space filled with threats that are both persistent and sophisticated. I think I have rootkits in and around my MBR and hard drives.

I also have volumes I can't account for.

All I'm aware of is:

1. C:\ for the OS
2. D:\ where I store files and nothing else.
3. A Windows recovery partition

But there are like 5 or 6. I saw them in MBR debugging tools such as a program on an Ubuntu USB and the Windows repair cmd.exe. I was trying to fix the MBR and boot but getting "access denied" messages. Every time I try to use aswmbr.exe I get a BSOD:
 
nOIOuWX.png
 
Help?

How do I get rid of any potential rootkits and/or hidden services? I have Avast Internet Security with firewall, so I can set firewall rules. What CAN'T I ban from Microsoft and others? I already set Google firewall rules to 80 and 443, but I can see an attacker definitely using those if they were open or something. I think I may have gotten a bad Chrome addon, or worse, a persistent attacker in the blockchain space has targeted my computer because I am an early investor in Bitcoin.

There are 2 possibilities:

1. I am being unnecessarily paranoid, if there is such a thing
2. My computer is infected with sophisticated malware

Also this happened during an Avast/BIOS MBR scan. Something to do with 2 Atom-related binaries. Is someone spreading advanced rootkits through Atom? Probably not, but that would be an interesting attack vector. I've used Atom like 3 times, so I have no idea what I'm talking about, but here's a crappy screenshot:
 
2meznk6.jpg

Attached Files


Edited by kmin, 24 May 2018 - 10:57 PM.
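A read-only check a defender can run on the flagged service name before treating the GMER line as a rootkit; this is an added example, not code from the thread, from GMER, FRST or Avast. It assumes the service name aswbdisk from the GMER output above and an elevated PowerShell prompt on the affected Windows 10 host; it changes nothing on the system.

```powershell
# Added example (not from the thread): inspect a service name GMER reported as
# "hidden" without stopping, deleting or modifying anything. It answers two
# questions worth settling before a fix: is the entry merely invisible to the
# Service Control Manager, and does its ImagePath resolve to a file with a valid
# Authenticode signature from a publisher you recognise?
# Assumption: the service name comes from the GMER line in the post above.
$ServiceName = 'aswbdisk'
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# 1. GMER's "hidden" flag means it found a Services key the SCM did not
#    enumerate. Get-Service only lists user-mode services, so drivers are asked
#    for separately via Win32_SystemDriver. A driver registered by an installer
#    that is still waiting for a reboot (the poster's own pending-Avast-restart
#    theory) can look the same way, so record the answer rather than act on it.
$userMode = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
$driver   = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
Write-Output ("SCM enumerates '{0}': {1}" -f $ServiceName, (($null -ne $userMode) -or ($null -ne $driver)))

if (-not (Test-Path -LiteralPath $key)) {
    Write-Output "No registry key at $key (nothing to inspect)"
    return
}

# 2. Raw registry view. Type 1/2 = kernel or file-system driver, 16/32 =
#    user-mode service; Start 3 is what GMER prints as [MANUAL].
$svc = Get-ItemProperty -LiteralPath $key
Write-Output ("Type={0} Start={1} ImagePath={2}" -f $svc.Type, $svc.Start, $svc.ImagePath)

if (-not $svc.ImagePath) {
    # Legacy driver entries may omit ImagePath; the loader then defaults to
    # system32\drivers\<name>.sys, so that is the file to look at.
    $img = Join-Path $env:SystemRoot "system32\drivers\$ServiceName.sys"
} else {
    # 3. Normalise the usual ImagePath spellings (\??\, \SystemRoot\, bare
    #    system32\, quoted paths, trailing arguments) to a plain Win32 path.
    $img = [string]$svc.ImagePath
    $img = $img -replace '^\\\?\?\\', ''
    $img = $img -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $img = $img -replace '^system32\\', "$env:SystemRoot\system32\"
    if ($img -match '^"([^"]+)"') { $img = $Matches[1] }
    elseif (-not (Test-Path -LiteralPath $img)) { $img = ($img -split ' ')[0] }
}

# 4. Signature and hash of whatever the path points at. A Status other than
#    Valid, or a signer that is not the vendor the name suggests, is the
#    finding worth handing to the malware-removal helper together with the
#    FRST logs; a valid vendor signature is the boring answer the poster hoped for.
if (Test-Path -LiteralPath $img) {
    $sig = Get-AuthenticodeSignature -FilePath $img
    Write-Output ("File:   {0}" -f $img)
    Write-Output ("Status: {0}" -f $sig.Status)
    Write-Output ("Signer: {0}" -f $sig.SignerCertificate.Subject)
    Write-Output ("SHA256: {0}" -f (Get-FileHash -LiteralPath $img -Algorithm SHA256).Hash)
} else {
    # A Services key whose binary is gone is also a normal leftover of an
    # uninstall, so report it instead of drawing a conclusion from it.
    Write-Output "ImagePath does not resolve to a file on disk: $img"
}
```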




#2 kmin

  • Topic Starter
  • Members
  • 9 posts
  • Gender:Male

Posted 24 May 2018 - 10:33 PM

I am unable to list myself as "online", but believe me, my eyes are glued to this thread and I see all of the views coming in. Perhaps search engines, though. It's late.

Any help would be appreciated. Any night owls that don't suck @ Windows security as badly as I do?


Edited by kmin, 24 May 2018 - 10:34 PM.


#3 kmin

  • Topic Starter
  • Members
  • 9 posts
  • Gender:Male

Posted 26 May 2018 - 07:05 PM

Update: the pastebin links have expired, but they are attached to the OP.

Still need help.


Edited by kmin, 26 May 2018 - 07:07 PM.


#4 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,846 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 29 May 2018 - 07:02 AM

kmin:

 
 
Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil. May I address you by your first name?

I will be assisting you with your computer issues. I will endeavor to respond within a reasonable time. Forum policy requires that I post within 48 hours after your last post, but I do endeavor to post within 24 hours of your last post.

When you post multiple times, the malware removal specialists here think that you have already been assisted: they are looking for topics with zero (0) replies. You must understand that this is a busy Forum and the number of available qualified volunteers to assist users like yourself is limited.

I would ask that you please copy and paste the contents of all requested log files directly into your replies. Please do not use "code" or "quote" boxes. Thank you for your anticipated cooperation.

You did not submit the FRST "Addition.txt" file, which I need, per the instructions in Step 6 here. The file should be located in the D:\Downloads folder, with the "FRST.txt" file.

I will need some time to review your FRST logs once I receive the "Addition.txt" file. Please copy and paste it into your next reply. That could take a day or two, but I do hope to respond later today with an initial FRST "fixlist" script, if I receive the file before noon today, my time.

PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues. It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.

Thank you and have a great day.
 
Regards,
-Phil

Graduate of the Bleeping Computer Malware Removal Study Hall


#5 kmin

  • Topic Starter
  • Members
  • 9 posts
  • Gender:Male

Posted 29 May 2018 - 03:14 PM

Phil thank you. For the sake of transparency we will say my name is Josh, but that is actually a former roommate's name. He had a Windows account and I have since removed it. For some reason his name is showing up in GMER and elsewhere.

 

I am also now unable to run GMER without it attempting to connect to the Internet over HTTP to 72.21.91.29 or the .exe crashing, or giving me a BSOD. I can no longer run GMER and rootkits may have planted themselves elsewhere now.

 

That said, here is addition.txt followed by all of your other requests. Note: These are from 4 days ago. I can no longer run GMER. It was hard to run even once. I forgot what I had to do. It was probably a lot. This has been a long battle. Now I'm pretty much blocking all services and monitoring each individual IP with Avast premium's firewall. I also keep breaking Windows and having to restart to see which outgoing connections are necessary by trial and error. It's not been fun.

 

An evil maid attack is very likely to have occurred.

 

ADDITION.TXT

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 16.05.2018 01
Ran by josh (25-05-2018 03:06:55)
Running from d:\downloads
Windows 10 Home Version 1709 16299.15 (X64) (2017-12-18 22:06:11)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2006163460-2297624391-3983604502-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2006163460-2297624391-3983604502-503 - Limited - Disabled)
Guest (S-1-5-21-2006163460-2297624391-3983604502-501 - Limited - Disabled)
josh (S-1-5-21-2006163460-2297624391-3983604502-1001 - Administrator - Enabled) => C:\Users\defen
VUSR_DESKTOP-0FRQ1KG (S-1-5-21-2006163460-2297624391-3983604502-1007 - Limited - Enabled)
WDAGUtilityAccount (S-1-5-21-2006163460-2297624391-3983604502-504 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: COMODO Antivirus (Enabled - Up to date) {08B84BA8-CC77-5A8B-A100-3F522B1B6106}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}
FW: Avast Antivirus (Enabled) {B693136B-F6EE-DD1C-A0EF-229B8B0B29C4}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\uTorrent) (Version: 3.5.3.44396 - BitTorrent Inc.)
Active Directory Authentication Library for SQL Server (HKLM\...\{32C0D7B2-1046-43AC-98AD-B748E1910916}) (Version: 13.0.1601.5 - Microsoft Corporation) Hidden
Active Directory Authentication Library for SQL Server (x86) (HKLM-x32\...\{F40FA676-46B1-4609-85EF-D2F1F79E0C0E}) (Version: 13.0.1601.5 - Microsoft Corporation) Hidden
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.011.20040 - Adobe Systems Incorporated)
Adobe Audition 1.5 (HKLM-x32\...\{86EF9FC4-F209-4520-B7E1-C7FF0EEBDFFF}) (Version: 1.5 - Adobe Systems)
Adobe Bridge CC 2018 (HKLM-x32\...\KBRG_8_0_1) (Version: 8.0.1 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 4.5.0.331 - Adobe Systems Incorporated)
Adobe InDesign CC 2018 (HKLM-x32\...\IDSN_13_0_1) (Version: 13.0.1 - Adobe Systems Incorporated)
Adobe Media Encoder CC 2018 (HKLM-x32\...\AME_12_0_0) (Version: 12.0.0 - Adobe Systems Incorporated)
Adobe Photoshop CC 2018 (HKLM-x32\...\PHSP_19_0_1) (Version: 19.0.1 - Adobe Systems Incorporated)
Adobe Premiere Pro CC 2018 (HKLM-x32\...\PPRO_12_0_0) (Version: 12.0.0 - Adobe Systems Incorporated)
Aphex Audio Driver (HKLM\...\Aphex Audio Driver) (Version: 1.10 - Aphex)
Apple Application Support (32-bit) (HKLM-x32\...\{D4C80B0C-CF67-43A7-90C3-466853543B54}) (Version: 6.3 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{B2A2E8AF-BC48-4191-B2C4-3846A19835CA}) (Version: 6.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{AA7D90D2-2387-4FA5-A3AF-96811BE49BFD}) (Version: 11.0.5.14 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{19589375-5C58-4AFA-842F-8B34744CCEAD}) (Version: 2.5.0.1 - Apple Inc.)
Application Insights Tools for Visual Studio 2015 (HKLM-x32\...\{0E4C791E-B78E-477D-BD5A-CDD0985BA6EC}) (Version: 7.0.20622.1 - Microsoft Corporation)
Atom (HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\atom) (Version: 1.26.1 - GitHub Inc.)
Avast Cleanup Premium (HKLM-x32\...\{075CC190-59EE-499F-828B-0B5C098C8C15}_is1) (Version: 18.1.4888 - AVAST Software)
Avast Internet Security (HKLM-x32\...\Avast Antivirus) (Version: 18.4.2338 - AVAST Software)
AzureTools.Notifications (HKLM-x32\...\{1E5CA362-39B6-4BD0-B9C0-69CF15F0FEA2}) (Version: 2.7.30611.1601 - Microsoft Corporation) Hidden
BitShares 2.0.180402 (only current user) (HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\55efd047-5d18-54f5-be19-affeff8cc8e9) (Version: 2.0.180402 - Sigve Kvalsvik)
Blend for Visual Studio SDK for .NET 4.5 (HKLM-x32\...\{37E53780-3944-4A6A-842F-727128E8616E}) (Version: 3.0.40218.0 - Microsoft Corporation) Hidden
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Click Install if prompted (HKLM-x32\...\{40830C8E-936E-4E08-AE37-240FF3343927}) (Version: 1.0.6.0 - ExpressVpn) Hidden
COMODO Antivirus (HKLM\...\{9A106F13-BA73-4E76-AB5E-D37BAEF94A24}) (Version: 10.2.0.6526 - COMODO Security Solutions Inc.) Hidden
COMODO Antivirus (HKLM\...\COMODO Internet Security) (Version: 10.2.0.6526 - COMODO Security Solutions Inc.)
Composer - Php Dependency Manager (HKLM-x32\...\{7315AF68-E777-496A-A6A2-4763A98ED35A}_is1) (Version:  - getcomposer.org)
CSVed 2.5.2a (HKLM-x32\...\CSVed_is1) (Version: 2.5.2a - Sam Francke)
DB Browser for SQLite (HKLM-x32\...\DB Browser for SQLite) (Version: 3.10.1 - DB Browser for SQLite Team)
Discord (HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\Discord) (Version: 0.0.301 - Discord Inc.)
DriverDoc (HKLM-x32\...\{650580EA-978C-4C04-81B9-BA53BB34BCBE}) (Version: 1.8.0 - Solvusoft Corporation) Hidden
DriverDoc (HKLM-x32\...\DriverDoc) (Version: 1.8.0 - Solvusoft Corporation)
Dropbox (HKLM-x32\...\Dropbox) (Version: 50.4.71 - Dropbox, Inc.)
Dropbox Update Helper (HKLM-x32\...\{099218A5-A723-43DC-8DB5-6173656A1E94}) (Version: 1.3.75.1 - Dropbox, Inc.) Hidden
Elasto Mania (HKLM-x32\...\Elasto Mania) (Version:  - )
ExpressVPN (HKLM-x32\...\{B97E1AC2-1F11-43C0-90A7-22B158337D06}) (Version: 6.5.1.3605 - ExpressVPN) Hidden
ExpressVPN (HKLM-x32\...\{e87d0eca-dc93-4f55-bf74-0d155d8c6f07}) (Version: 6.5.1.3605 - ExpressVPN)
File Shredder 2.5 (HKLM\...\File Shredder_is1) (Version:  - Pow Tools)
FileZilla Client 3.31.0 (HKLM-x32\...\FileZilla Client) (Version: 3.31.0 - Tim Kosse)
Firefox Developer Edition 60.0 (x64 en-US) (HKLM\...\Firefox Developer Edition 60.0 (x64 en-US)) (Version: 60.0 - Mozilla)
Firefox Developer Edition 61.0 (x64 en-US) (HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\Firefox Developer Edition 61.0 (x64 en-US)) (Version: 61.0 - Mozilla)
Git version 2.16.2 (HKLM\...\Git_is1) (Version: 2.16.2 - The Git Development Community)
GitHub Desktop (HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\GitHubDesktop) (Version: 1.1.1 - GitHub, Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 66.0.3359.181 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.17 - Google Inc.) Hidden
HandBrake 1.1.0 (HKLM-x32\...\HandBrake) (Version: 1.1.0 - )
HHD Software Free Network Analyzer 8.05 (HKLM\...\HHD Device Monitoring Studio 5.01) (Version: 8.5.0.8767 - HHD Software, Ltd.)
IIS 10.0 Express (HKLM\...\{13FD7E30-D2F1-498D-ABC2-A4242DB6610E}) (Version: 10.0.1736 - Microsoft Corporation)
IIS Express Application Compatibility Database for x64 (HKLM\...\{08274920-8908-45c2-9258-8ad67ff77b09}.sdb) (Version:  - )
IIS Express Application Compatibility Database for x86 (HKLM\...\{ad846bae-d44b-4722-abad-f7420e08bcd9}.sdb) (Version:  - )
Internet Security Essentials (HKLM-x32\...\ComodoIse) (Version: 1.3.438464.135 - Comodo)
iTunes (HKLM\...\{1D7D1271-5258-4F5A-B8C1-7176BF398782}) (Version: 12.7.3.46 - Apple Inc.)
KakaoTalk (HKLM-x32\...\KakaoTalk) (Version: 2.6.6.1809 - Kakao Corp.)
Kaspersky Free (HKLM-x32\...\InstallWIX_{5AAE61FF-858E-453E-B8F3-944618149975}) (Version: 18.0.0.405 - Kaspersky Lab)
LyX 2.2.3 (HKLM-x32\...\LyX223) (Version: 2.2.3 - LyX Team)
ManyCam 6.3.2 (HKLM-x32\...\ManyCam) (Version: 6.3.2 - Visicom Media Inc.)
Microsoft .NET Framework 4.5 Multi-Targeting Pack (HKLM-x32\...\{56E962F0-4FB0-3C67-88DB-9EAA6EEFC493}) (Version: 4.5.50710 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (ENU) (HKLM-x32\...\{D3517C62-68A5-37CF-92F7-93C029A89681}) (Version: 4.5.50932 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (HKLM-x32\...\{6A0C6700-EA93-372C-8871-DCCF13D160A4}) (Version: 4.5.50932 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 SDK (HKLM-x32\...\{19A5926D-66E1-46FC-854D-163AA10A52D3}) (Version: 4.5.51641 - Microsoft Corporation)
Microsoft .NET Framework 4.6 SDK (HKLM-x32\...\{B5915D37-0637-4A26-A3AA-C5DC9F856370}) (Version: 4.6.00081 - Microsoft Corporation)
Microsoft .NET Framework 4.6 Targeting Pack (HKLM-x32\...\{2CC6A4A7-AAC2-46C9-9DBB-3727B5954F65}) (Version: 4.6.00081 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 SDK (HKLM-x32\...\{2F0ECC80-B9E4-4485-8083-CD32F22ABD92}) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 Targeting Pack (ENU) (HKLM-x32\...\{8EEB28EE-5141-411C-9CF0-9952264FE4AF}) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 Targeting Pack (HKLM-x32\...\{8BC3EEC9-090F-4C53-A8DA-1BEC913040F9}) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft .NET Version Manager (x64) 1.0.0-beta5 (HKLM\...\{c5a4aba3-1aba-3ef8-b2d5-c3fa37f59738}) (Version: 1.0.10609.0 - Microsoft Corporation)
Microsoft Help Viewer 2.2 (HKLM-x32\...\Microsoft Help Viewer 2.2) (Version: 2.2.25420 - Microsoft Corporation)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.9226.2156 - Microsoft Corporation)
Microsoft Office Professional Plus 2016 - en-us (HKLM\...\ProPlusRetail - en-us) (Version: 16.0.9226.2156 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\OneDriveSetup.exe) (Version: 18.065.0329.0002 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20513.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Command Line Utilities  (HKLM\...\{9D573E71-1077-4C7E-B4DB-4E22A5D2B48B}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Native Client  (HKLM\...\{49D665A2-4C2A-476E-9AB8-FCC425F526FC}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2014 Management Objects  (HKLM-x32\...\{2774595F-BC2A-4B12-A25B-0C37A37049B0}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server 2014 Management Objects  (x64) (HKLM\...\{1F9EB3B6-AED7-4AA7-B8F1-8E314B74B2A5}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server 2014 Transact-SQL ScriptDom  (HKLM\...\{020CDFE0-C127-4047-B571-37C82396B662}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server 2014 T-SQL Language Service  (HKLM-x32\...\{47D08E7A-92A1-489B-B0BF-415516497BCE}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server 2016 LocalDB  (HKLM\...\{E359515A-92E6-4FA3-A2C9-E1BA02D8DE6E}) (Version: 13.0.1601.5 - Microsoft Corporation)
Microsoft SQL Server 2016 Management Objects  (HKLM-x32\...\{0F1C8E2F-199A-4946-B3BF-0906DACFD032}) (Version: 13.0.1601.5 - Microsoft Corporation)
Microsoft SQL Server 2016 Management Objects  (x64) (HKLM\...\{20EA85AA-2A1D-4F11-B09F-4BA2BF3C8989}) (Version: 13.0.1601.5 - Microsoft Corporation)
Microsoft SQL Server 2016 T-SQL Language Service  (HKLM-x32\...\{8BFDE775-C5B8-46DB-84EF-43FFC8A2E8AD}) (Version: 13.0.14500.10 - Microsoft Corporation)
Microsoft SQL Server 2016 T-SQL ScriptDom  (HKLM\...\{D091DE8C-EA0F-49AF-8DE3-BD6C79737C6E}) (Version: 13.0.1601.5 - Microsoft Corporation)
Microsoft SQL Server Compact 4.0 SP1 x64 ENU (HKLM\...\{78909610-D229-459C-A936-25D92283D3FD}) (Version: 4.0.8876.1 - Microsoft Corporation)
Microsoft SQL Server Data Tools - enu (14.0.60519.0) (HKLM-x32\...\{4E27B0EF-7BAB-432A-AF3D-3FC8F3F7353F}) (Version: 14.0.60519.0 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2014 (HKLM\...\{FC3BB979-AA54-4B60-BBA3-2C4DA6E08D80}) (Version: 12.0.2402.29 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2014 (HKLM-x32\...\{091CE6AA-2753-4F6E-AD1C-0E875744EB54}) (Version: 12.0.2402.29 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2016 (HKLM\...\{96EB5054-C775-4BEF-B7B9-AA96A295EDCD}) (Version: 13.0.1601.5 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2016 (HKLM-x32\...\{84C23ECA-FE4D-494F-9247-3EBAD57E7F0C}) (Version: 13.0.1601.5 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40649 (HKLM-x32\...\{35b83883-40fa-423c-ae73-2aff7e1ea820}) (Version: 12.0.40649.5 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.12.25810 (HKLM-x32\...\{e2ee15e2-a480-4bc5-bfb7-e9803d1d9823}) (Version: 14.12.25810.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.12.25810 (HKLM-x32\...\{56e11d69-7cc9-40a5-a4f9-8f6190c4d84d}) (Version: 14.12.25810.0 - Microsoft Corporation)
Microsoft Visual Studio Community 2015 with Updates (HKLM-x32\...\{79b486b9-c5f0-4096-a00c-8351f59587c2}) (Version: 14.0.25420.1 - Microsoft Corporation)
Microsoft Web Deploy 3.6 (HKLM\...\{94E1227C-08A9-4962-B388-1F05D89AEA75}) (Version: 3.1238.1962 - Microsoft Corporation)
Microsoft Web Publishing Wizard 1.53 (HKLM-x32\...\WebPost) (Version:  - )
MiKTeX 2.9 (HKLM-x32\...\MiKTeX 2.9) (Version: 2.9 - MiKTeX.org)
Mozilla Firefox 59.0.3 (x64 en-US) (HKLM\...\Mozilla Firefox 59.0.3 (x64 en-US)) (Version: 59.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 59.0.3 - Mozilla)
Multi-Device Hybrid Apps using C# - Templates - ENU (HKLM-x32\...\{12D99739-FFD3-3761-8AA6-F929E0FE407E}) (Version: 14.0.23107 - Microsoft Corporation) Hidden
Nightly 61.0a1 (x64 en-US) (HKLM\...\Nightly 61.0a1 (x64 en-US)) (Version: 61.0a1 - Mozilla)
OBS Studio (HKLM-x32\...\OBS Studio) (Version: 20.1.3 - OBS Project)
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.9226.2156 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.9226.2156 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.9226.2156 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.9226.2156 - Microsoft Corporation) Hidden
Oracle VM VirtualBox 5.2.8 (HKLM\...\{A7F49FA5-9FCA-4936-8652-CD00206D9300}) (Version: 5.2.8 - Oracle Corporation)
Pidgin (HKLM-x32\...\Pidgin) (Version: 2.12.0 - )
pidgin-otr 4.0.2 (HKLM-x32\...\pidgin-otr) (Version: 4.0.2 - Cypherpunks CA)
PreEmptive Analytics Visual Studio Components (HKLM-x32\...\{436A18DD-5F2C-4B3C-985E-AD3C13B0CC25}) (Version: 1.2.5134.1 - PreEmptive Solutions) Hidden
Prerequisites for SSDT  (HKLM-x32\...\{21373064-AD95-48DB-A32E-0D9E08EF7355}) (Version: 12.0.2000.8 - Microsoft Corporation)
Prerequisites for SSDT  (HKLM-x32\...\{B7E94916-7AE6-4F7F-A377-7A410A42BA19}) (Version: 13.0.1601.5 - Microsoft Corporation)
Progress Telerik Fiddler (HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\Fiddler2) (Version: 5.0.20181.14850 - Telerik)
Python 3.6.5 (32-bit) (HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\{3346977b-49da-4095-8f4d-f56f103e52e9}) (Version: 3.6.5150.0 - Python Software Foundation)
Python 3.6.5 Add to Path (32-bit) (HKLM-x32\...\{1D3BE06D-5E44-48FF-8D61-B744808EBE46}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 Core Interpreter (32-bit) (HKLM-x32\...\{58E1C809-82C5-4EDF-B69B-188A6C81F21F}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 Development Libraries (32-bit) (HKLM-x32\...\{21FD2EE0-8D55-49DC-A1B0-771696DDEE98}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 Documentation (32-bit) (HKLM-x32\...\{5C613D87-0AED-48A9-A216-3A3783463D6C}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 Executables (32-bit) (HKLM-x32\...\{9107CF1A-A09C-4035-B29E-E79B4098AB8C}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 pip Bootstrap (32-bit) (HKLM-x32\...\{C024F06C-0E37-4529-945F-7920A9CFFD78}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 Standard Library (32-bit) (HKLM-x32\...\{8C2E8A7D-95CC-491C-AB9C-DE785A137D00}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 Tcl/Tk Support (32-bit) (HKLM-x32\...\{052FD2FB-034D-4CDD-864E-798DE45C742A}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 Test Suite (32-bit) (HKLM-x32\...\{86533809-919A-4858-AFC4-4226B86C5291}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 Utility Scripts (32-bit) (HKLM-x32\...\{5C0C82E9-B580-4EE4-894A-4451A23B0E2C}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python Launcher (HKLM-x32\...\{8A66FEC2-E443-4219-B9AC-F9B10607B57C}) (Version: 3.6.6295.0 - Python Software Foundation)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.15063.31236 - Realtek Semiconductor Corp.)
REAPER (x64) (HKLM\...\REAPER) (Version:  - )
RogueKiller version 12.12.18.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.12.18.0 - Adlice Software)
Roslyn Language Services - x86 (HKLM-x32\...\{6970C7E1-F99D-388D-8903-DF8FCE677FED}) (Version: 14.0.25431 - Microsoft Corporation) Hidden
Roslyn Language Services - x86 (HKLM-x32\...\{6C1985E7-E1C5-3A95-86EF-2C62465F15C3}) (Version: 14.0.23107 - Microsoft Corporation) Hidden
SecondLifeViewer (HKLM\...\SecondLifeViewer) (Version: 5.1.3.513644 - Linden Research, Inc.)
ShareX (HKLM\...\82E6AC09-0FEF-4390-AD9F-0DD3F5561EFC_is1) (Version: 12.1.1 - ShareX Team)
Sophos Virus Removal Tool (HKLM-x32\...\{B829E117-D072-41EA-9606-9826A38D34C1}) (Version: 2.6.1 - Sophos Limited)
Split Tunneling Driver (HKLM-x32\...\{F078B0B5-2F41-42C2-9162-B8C628D5E6FE}) (Version: 1.0.0.0 - ExpressVpn) Hidden
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Team Explorer for Microsoft Visual Studio 2015 Update 3.1 (HKLM-x32\...\{7A95671A-759E-3B83-B763-4289D1D24D73}) (Version: 14.102.25619 - Microsoft) Hidden
TeamViewer 13 (HKLM-x32\...\TeamViewer) (Version: 13.0.6447 - TeamViewer)
Telegram Desktop version 1.2.17 (HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1) (Version: 1.2.17 - Telegram Messenger LLP)
Test Tools for Microsoft Visual Studio 2015 (HKLM-x32\...\{9EABBFE1-7EED-47D9-8FB8-21D7E4808057}) (Version: 14.0.23107 - Microsoft Corporation) Hidden
TypeScript Tools for Microsoft Visual Studio 2015 (HKLM-x32\...\{BA5762C7-D35F-4725-A4BD-525854127018}) (Version: 1.8.36.0 - Microsoft Corporation) Hidden
Universal CRT Extension SDK (HKLM-x32\...\{284FA9A0-CEDD-81D3-5A19-5858E95FD0C4}) (Version: 10.0.10150 - Microsoft Corporation) Hidden
Universal CRT Headers Libraries and Sources (HKLM-x32\...\{ABD37F71-FC3F-F525-C7B3-BDD95F684C51}) (Version: 10.0.10150 - Microsoft Corporation) Hidden
VeraCrypt (HKLM-x32\...\VeraCrypt) (Version: 1.21 - IDRIX)
VLC media player (HKLM-x32\...\VLC media player) (Version: 3.0.2 - VideoLAN)
VMware Player (HKLM\...\{DCA4824C-42E8-4911-9C10-5BB43A315625}) (Version: 12.0.0 - VMware, Inc.)
VNC Viewer 6.17.1113 (HKLM\...\{26DEBF7F-3876-43C3-8365-5A2B4C604DFA}) (Version: 6.17.1113.31799 - RealVNC Ltd)
WCF Data Services 5.6.4 Runtime (HKLM-x32\...\{DB85E7BD-B2DD-43D4-B3C0-23D7B527B597}) (Version: 5.6.62175.4 - Microsoft Corporation) Hidden
WCF Data Services Tools for Microsoft Visual Studio 2015 (HKLM-x32\...\{0A3B508E-5638-4471-BCC9-954E1868CB86}) (Version: 5.6.62175.4 - Microsoft Corporation) Hidden
WebM for Premiere (HKLM\...\{7BCAE84F-ACE9-4089-87BB-75B914551743}) (Version: 1.0.0 - fnord software)
WeOnlyDo! Http DELUXE (HKLM\...\4B98AB24-5FC2-49a9-97B3-5B370FF22EC7_is1) (Version:  - WeOnlyDo! Software)
Windows Driver Package - AMD (amdkmpfd) System  (04/09/2018 18.20.0.0000) (HKLM\...\C1CD9FC495F433FA0B7C0C52A3086C8EF7366062) (Version: 04/09/2018 18.20.0.0000 - AMD)
Windows Driver Package - ELAN SMBus (ETDSMBus) System  (11/09/2016 15.1.2.10) (HKLM\...\77D13CB31BA00EAEA7E651CAE7C67F5894E47A0C) (Version: 11/09/2016 15.1.2.10 - ELAN SMBus)
Windows Driver Package - Intel (MEIx64) System  (11/19/2017 11.7.0.1057) (HKLM\...\8E4301FBE2293C6788FF5829C162E4A2D2044866) (Version: 11/19/2017 11.7.0.1057 - Intel)
Windows Driver Package - Intel Corporation (IaRNVMe) SCSIAdapter  (02/10/2017 4.6.0.2116) (HKLM\...\91150A39F24CC0ED33A67BDA78594DA659BEA280) (Version: 02/10/2017 4.6.0.2116 - Intel Corporation)
Windows Driver Package - Intel Corporation (iaStorA) SCSIAdapter  (04/18/2013 3.7.1.1020) (HKLM\...\7A1F674A8EEC46730D18A6F33A41CD86DDD6FD42) (Version: 04/18/2013 3.7.1.1020 - Intel Corporation)
Windows Driver Package - INTEL System  (08/19/2016 10.1.2.80) (HKLM\...\A000AF9EB26B7A09C8AF960E5B3B8CD0D80205F4) (Version: 08/19/2016 10.1.2.80 - INTEL)
Windows Driver Package - INTEL System  (09/30/2016 10.1.1.36) (HKLM\...\AFEF42D5A46C91C6106153E3E4A4AE6D2FDD4778) (Version: 09/30/2016 10.1.1.36 - INTEL)
Windows Driver Package - INTEL System  (11/11/2017 10.1.1.44) (HKLM\...\7EE42D182C872128F2092A67A73D838811175DBA) (Version: 11/11/2017 10.1.1.44 - INTEL)
Windows Driver Package - INTEL USB  (11/11/2017 10.1.1.44) (HKLM\...\D7DF12BF63B748065748BFB458552E2422CA93F8) (Version: 11/11/2017 10.1.1.44 - INTEL)
Windows Driver Package - IVT Corporation (Btcsrusb) Bluetooth Device  (12/22/2017 6.2.84.276) (HKLM\...\5904AD65D5DEFFD8294BF5DB998020688E567249) (Version: 12/22/2017 6.2.84.276 - IVT Corporation)
Windows Driver Package - Logitech USB  (10/22/2012 13.80.853.0) (HKLM\...\D9F8B4D536F4D3610EF684FB6C8DEA2E08816021) (Version: 10/22/2012 13.80.853.0 - Logitech)
Windows Driver Package - Microsoft (Point64) Mouse  (09/25/2017 9.12.107.0) (HKLM\...\BA63030A628B463137BC48597562245120114C1F) (Version: 09/25/2017 9.12.107.0 - Microsoft)
Windows Driver Package - Microsoft (UMPass) Network Infrastructure Devices  (07/01/2010 1.0.0.3) (HKLM\...\98306A2763CCA4193937CF5A96AED82FF08F40DD) (Version: 07/01/2010 1.0.0.3 - Microsoft)
Windows Driver Package - Microsoft Keyboard  (11/25/2012 9.3.139.0) (HKLM\...\07CB5434317B923B3005D01ECDE4764A33849D26) (Version: 11/25/2012 9.3.139.0 - Microsoft)
Windows Driver Package - NEC Personal Computers, Ltd. (Nececfilter) System  (06/01/2012 1.2.0.7) (HKLM\...\417B030477A4AB5D6690624F900F274C61C3EBB3) (Version: 06/01/2012 1.2.0.7 - NEC Personal Computers, Ltd.)
Windows Driver Package - NVIDIA Corporation (NVHDA) MEDIA  (03/23/2018 1.3.36.6) (HKLM\...\AA025B2D333C6CA1D458D7613DC14AA8A2C09D48) (Version: 03/23/2018 1.3.36.6 - NVIDIA Corporation)
Windows Driver Package - NVIDIA Corporation (NVHDA) MEDIA  (04/03/2018 1.3.37.4) (HKLM\...\7C679E39EC7AB0725A7B73142972E59ABDBC2FFB) (Version: 04/03/2018 1.3.37.4 - NVIDIA Corporation)
Windows Driver Package - Realtek Semiconductor Corp. (RTSUER) USB  (04/18/2018 10.0.17134.31242) (HKLM\...\4767DD5A505F0F3018F11BA006CF15157E4A4293) (Version: 04/18/2018 10.0.17134.31242 - Realtek Semiconductor Corp.)
Windows Driver Package - Render (rdacpi) HIDClass  (07/12/2016 15.58.20.163) (HKLM\...\3AE9FD6A3BBAEC3CB882CDFB24DDC1478E8AF1D8) (Version: 07/12/2016 15.58.20.163 - Render)
Windows Driver Package - Rivet Networks (KillerEth) Net  (09/06/2017 9.0.0.46) (HKLM\...\1EC053559653DD3CC394997AB7A88702877F74C9) (Version: 09/06/2017 9.0.0.46 - Rivet Networks)
Windows Driver Package - Samsung Monitor  (10/17/2013 1.0) (HKLM\...\DA1D7F8386ABBD681E5BAF2942380AE94069FCE2) (Version: 10/17/2013 1.0 - Samsung)
WinRAR 5.50 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.50.0 - win.rar GmbH)
WinSCP 5.13.2 (HKLM-x32\...\winscp3_is1) (Version: 5.13.2 - Martin Prikryl)
XAMPP (HKLM-x32\...\xampp) (Version: 7.2.2-0 - Bitnami)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-2006163460-2297624391-3983604502-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-A41BC47B1D01}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
CustomCLSID: HKU\S-1-5-21-2006163460-2297624391-3983604502-1001_Classes\CLSID\{e8c77137-e224-5791-b6e9-ff0305797a13}\InprocServer32 -> D:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Systems)
ShellIconOverlayIdentifiers: [   AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => D:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-27] ()
ShellIconOverlayIdentifiers: [   AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => D:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-27] ()
ShellIconOverlayIdentifiers: [   AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => D:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-27] ()
ShellIconOverlayIdentifiers: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => D:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-27] ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => D:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-27] ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => D:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-27] ()
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-05-25] (AVAST Software)
ShellIconOverlayIdentifiers-x32: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ContextMenuHandlers1: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => D:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-27] ()
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-05-25] (AVAST Software)
ContextMenuHandlers1: [Comodo Antivirus] -> {4255A182-CAD9-4214-A19B-7BA7FB633BBD} => C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll [2018-03-13] (COMODO)
ContextMenuHandlers1: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ContextMenuHandlers1: [Kaspersky Anti-Virus 18.0.0] -> {FF48AD48-74C7-4260-B385-FAEB80947450} => D:\Program Files (x86)\Kaspersky Lab\Kaspersky Free 18.0.0\x64\ShellEx.dll [2018-05-05] (AO Kaspersky Lab)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => D:\Program Files\WinRAR\rarext.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => D:\Program Files\WinRAR\rarext32.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers2: [Comodo Antivirus] -> {4255A182-CAD9-4214-A19B-7BA7FB633BBD} => C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll [2018-03-13] (COMODO)
ContextMenuHandlers2: [Kaspersky Anti-Virus 18.0.0] -> {FF48AD48-74C7-4260-B385-FAEB80947450} => D:\Program Files (x86)\Kaspersky Lab\Kaspersky Free 18.0.0\x64\ShellEx.dll [2018-05-05] (AO Kaspersky Lab)
ContextMenuHandlers2-x32: [VMDiskMenuHandler] -> {271DC252-6FE1-4D59-9053-E4CF50AB99DE} => D:\Program Files (x86)\VMware\VMware Player\vmdkShellExt.dll [2015-08-14] (VMware, Inc.)
ContextMenuHandlers2-x32: [VMDiskMenuHandler64] -> {E4D28EDC-8C0B-43EE-9E7D-C8A8682334DC} => D:\Program Files (x86)\VMware\VMware Player\x64\vmdkShellExt64.dll [2015-08-14] (VMware, Inc.)
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-05-25] (AVAST Software)
ContextMenuHandlers3: [DeleteFiles] -> {736AF091-C361-49B4-A928-87C586130D33} => D:\Program Files\File Shredder\fsshell.dll [2012-04-01] ()
ContextMenuHandlers4: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ContextMenuHandlers4: [Kaspersky Anti-Virus 18.0.0] -> {FF48AD48-74C7-4260-B385-FAEB80947450} => D:\Program Files (x86)\Kaspersky Lab\Kaspersky Free 18.0.0\x64\ShellEx.dll [2018-05-05] (AO Kaspersky Lab)
ContextMenuHandlers5: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => D:\Program Files (x86)\Dropbox\Client\DropboxExt64.22.0.dll [2018-05-21] (Dropbox, Inc.)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\windows\system32\nvshext.dll [2017-10-27] (NVIDIA Corporation)
ContextMenuHandlers6: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => D:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-27] ()
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-05-25] (AVAST Software)
ContextMenuHandlers6: [Comodo Antivirus] -> {4255A182-CAD9-4214-A19B-7BA7FB633BBD} => C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll [2018-03-13] (COMODO)
ContextMenuHandlers6: [Kaspersky Anti-Virus 18.0.0] -> {FF48AD48-74C7-4260-B385-FAEB80947450} => D:\Program Files (x86)\Kaspersky Lab\Kaspersky Free 18.0.0\x64\ShellEx.dll [2018-05-05] (AO Kaspersky Lab)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => D:\Program Files\WinRAR\rarext.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => D:\Program Files\WinRAR\rarext32.dll [2017-08-11] (Alexander Roshal)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0457BF43-BB06-4B70-8583-282C83386ED2} - System32\Tasks\COMODO\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2018-03-13] (COMODO)
Task: {0739336C-1B08-4374-A9A7-B5FE4B7BA1D1} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => D:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-05-12] (Microsoft Corporation)
Task: {0DE27618-F463-465D-B1AC-3E6507182810} - System32\Tasks\COMODO\COMODO CMC {06A09C0F-DD9C-4191-A670-71115CD78627} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2018-03-13] (COMODO)
Task: {161F3CB9-54A7-45CA-A83B-34D12C47C54C} - System32\Tasks\Microsoft\Windows\Setup\Notifier => C:\windows\system32\Notifier.exe [2018-05-04] (Microsoft Corporation)
Task: {25FA8724-EEB9-46CC-BC71-5E472EBCE355} - System32\Tasks\AdobeGCInvoker-1.0-MicrosoftAccount-defenses@yayo.org => D:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [2018-01-05] (Adobe Systems, Incorporated)
Task: {3255C7F1-5C55-45FB-93C3-6E1379A46958} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => D:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2018-05-18] (Microsoft Corporation)
Task: {40FB3576-20DB-45C5-BD86-1106A199D0E0} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => D:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-05-18] (Microsoft Corporation)
Task: {49977BD1-B760-4A65-A481-21A8EC36E829} - System32\Tasks\Avast TUNEUP Update => D:\Program Files (x86)\AVAST Software\Avast Cleanup\TUNEUpdate.exe [2018-05-21] (AVAST Software)
Task: {50B7D02C-4376-414F-ACC7-6C52135F4497} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => D:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-05-12] (Microsoft Corporation)
Task: {6477FF6B-954A-4E52-8C13-76C884A00010} - System32\Tasks\DropboxUpdateTaskMachineUA => D:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2018-01-02] (Dropbox, Inc.)
Task: {6AC22921-191F-45E7-9862-351A7E233E55} - System32\Tasks\GoogleUpdateTaskMachineCore => D:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-12-18] (Google Inc.)
Task: {6FF29CCD-CA08-41BD-A70A-5D536DB49F01} - System32\Tasks\DropboxUpdateTaskMachineCore => D:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2018-01-02] (Dropbox, Inc.)
Task: {7C80DD20-5A1E-4172-AC89-EB79F7EDAD70} - System32\Tasks\COMODO\COMODO Scan {F140D794-60B6-4F00-9235-D6457AA25B22} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2018-03-13] (COMODO)
Task: {8AB67BBB-3250-47D0-8082-E4DE815516C1} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => D:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-05-18] (Microsoft Corporation)
Task: {8DF608FB-E011-4593-B49B-A53B41107715} - System32\Tasks\COMODO\COMODO Autostart {D5EFF3B3-E126-4AF6-BCE9-852A72129E10} => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [2018-03-13] (COMODO)
Task: {941007A7-38F1-46CF-8923-8469269107C1} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2018-05-25] (AVAST Software)
Task: {A8B05579-D93C-479D-BD60-7CB178728D21} - System32\Tasks\AdobeAAMUpdater-1.0-MicrosoftAccount-defenses@yayo.org => D:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2018-04-11] (Adobe Systems Incorporated)
Task: {AE78ED34-46FC-466A-930B-15334592EE83} - System32\Tasks\COMODO\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2018-03-13] (COMODO)
Task: {BDF9A74E-4C77-47D5-A649-D7ADAA45EDDD} - System32\Tasks\Microsoft\VisualStudio\VSIX Auto Update 14 => D:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\VSIXAutoUpdate.exe
Task: {C913C438-15F6-4E28-8FD9-C7AF83628CAE} - System32\Tasks\COMODO\COMODO Maintenance {947247B5-026A-4437-9371-770782BE839D} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2018-03-13] (COMODO)
Task: {CCCD0021-56CA-4FDC-85E6-836914F56A5A} - System32\Tasks\DriverDoc Auto Start => D:\Program Files (x86)\Solvusoft\DriverDoc\DriverDoc.exe
Task: {D2B82F56-C3D7-44AC-AB1D-ABC9439CFEFA} - System32\Tasks\COMODO\COMODO Telemetry {18AD3DFA-30C0-4B5F-84F7-F1870B1A4921} => C:\Program Files\COMODO\COMODO Internet Security\cis.exe [2018-03-13] (COMODO)
Task: {DDDB4D6B-4A14-4E05-AC52-BF9C82B92944} - System32\Tasks\GoogleUpdateTaskMachineUA => D:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-12-18] (Google Inc.)
Task: {DEA71538-2618-4F66-991C-0C6DF6B71766} - System32\Tasks\{52D7A218-0B65-4892-9A62-F3D8E5C73EAF} => "d:\program files (x86)\google\chrome\application\chrome.exe" hxxps://www.skype.com/go/downloading?source=lightinstaller&ver=7.40.0.104&LastError=404
Task: {DF7F16EB-842A-46CC-9C25-33B5D06F9EFA} - System32\Tasks\Avast Software\Overseer => D:\Program Files\Common Files\AVAST Software\Overseer\overseer.exe [2018-05-25] (AVAST Software)
Task: {E5BB3FFA-8D67-48AB-B147-5E4CDA7F0F8C} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => D:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2018-05-18] (Microsoft Corporation)
Task: {E95B1C01-32AA-42EA-86F1-6925ED8DF825} - System32\Tasks\Adobe Acrobat Update Task => D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-02-09] (Adobe Systems Incorporated)
Task: {FD66B480-ADBE-423C-9029-BC24D2E326B6} - System32\Tasks\Microsoft\Windows\Windows Media Sharing\UpdateLibrary => D:\Program Files\Windows Media Player\wmpnscfg.exe
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\windows\Tasks\DriverDoc Auto Start.job => D:\Program Files (x86)\Solvusoft\DriverDoc\DriverDoc.exe
Task: C:\windows\Tasks\DropboxUpdateTaskMachineCore.job => D:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\windows\Tasks\DropboxUpdateTaskMachineUA.job => D:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox Developer Edition.lnk -> D:\Program Files\Firefox Developer Edition\firefox.exe (Mozilla Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox Nightly.lnk -> D:\Program Files\Firefox Nightly\firefox.exe (Mozilla Corporation)
Shortcut: C:\Users\Public\Desktop\Firefox Developer Edition.lnk -> D:\Program Files\Firefox Developer Edition\firefox.exe (Mozilla Corporation)
Shortcut: C:\Users\Public\Desktop\Firefox Nightly.lnk -> D:\Program Files\Firefox Nightly\firefox.exe (Mozilla Corporation)
 
ShortcutWithArgument: C:\Users\defen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Ledger Wallet Ethereum.lnk -> D:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=hmlhkialjkaldndjnlcdfdphcgeadkkm
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-09-29 09:41 - 2017-09-29 09:41 - 000184432 ____N () C:\windows\SYSTEM32\inputhost.dll
2018-03-13 17:18 - 2018-03-13 17:18 - 000160960 _____ () C:\Program Files\COMODO\COMODO Internet Security\cmdwrhlp.dll
2018-03-13 17:17 - 2018-03-13 17:17 - 000107200 _____ () C:\Program Files\COMODO\COMODO Internet Security\cavwpps.dll
2018-03-13 17:17 - 2018-03-13 17:17 - 000244416 _____ () C:\Program Files\COMODO\COMODO Internet Security\cmdcomps.dll
2018-05-20 13:11 - 2017-09-28 15:49 - 000612352 _____ () C:\windows\System32\openssh\ssh-agent.exe
2018-02-27 20:08 - 2018-02-27 20:08 - 000614856 _____ () D:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll
2017-12-20 18:42 - 2012-04-01 01:06 - 002689536 _____ () D:\Program Files\File Shredder\fsshell.dll
2017-12-20 11:37 - 2017-12-20 11:37 - 000948736 _____ () C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_2.1.18.0_x64__8wekyb3d8bbwe\e_sqlite3.dll
2018-03-13 17:56 - 2018-03-13 17:56 - 002426040 _____ () C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_2.1.18.0_x64__8wekyb3d8bbwe\Microsoft.Applications.Telemetry.Windows.dll
2018-03-20 18:53 - 2018-03-20 18:53 - 000381440 _____ () C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_2.1.18.0_x64__8wekyb3d8bbwe\Microsoft.Notes.Upgrade.dll
2017-12-18 18:24 - 2017-12-18 18:24 - 000843672 _____ () C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.17112.0_x64__8wekyb3d8bbwe\Microsoft.Services.Store.Engagement.dll
2018-03-13 17:56 - 2018-03-13 17:56 - 000631296 _____ () C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_2.1.18.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.dll
2017-09-29 09:41 - 2017-09-29 09:41 - 004069888 _____ () C:\Windows\System32\Windows.UI.Input.Inking.Analysis.dll
2017-09-29 09:42 - 2017-09-29 10:43 - 011044864 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-09-29 09:42 - 2017-09-29 10:43 - 001804288 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2018-05-23 11:27 - 2018-05-23 11:27 - 000086528 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2018-05-23 11:27 - 2018-05-23 11:27 - 000195072 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2018-05-23 11:27 - 2018-05-23 11:27 - 022374400 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2018-05-23 11:27 - 2018-05-23 11:27 - 002610176 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\skypert.dll
2018-05-23 11:27 - 2018-05-23 11:27 - 000654848 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\RtmMvrUap.dll
2018-05-24 21:57 - 2016-12-11 20:16 - 000271280 _____ () D:\killswitch\themes\CCE.THEME
2018-05-25 02:01 - 2018-05-25 02:01 - 000380928 _____ () d:\downloads\yntmiuu7.exe
2018-05-17 15:30 - 2018-05-14 23:13 - 004443992 _____ () D:\Program Files (x86)\Google\Chrome\Application\66.0.3359.181\libglesv2.dll
2018-05-17 15:30 - 2018-05-14 23:13 - 000099672 _____ () D:\Program Files (x86)\Google\Chrome\Application\66.0.3359.181\libegl.dll
2017-09-07 08:39 - 2017-09-07 08:39 - 000073920 _____ () C:\Program Files\COMODO\COMODO Internet Security\scanners\smart.cav
2017-09-29 09:41 - 2017-09-29 09:41 - 000047616 _____ () C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUITelemetry.dll
2017-09-29 09:41 - 2017-09-29 09:41 - 004173824 _____ () C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUIDataModel.dll
2017-09-29 09:41 - 2017-09-29 09:41 - 003634176 _____ () C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUIViewModels.dll
2017-09-29 09:41 - 2017-09-29 09:41 - 000971264 ____N () c:\windows\system32\FaceProcessor.dll
2017-09-29 09:41 - 2017-09-29 09:41 - 000269696 ____N () c:\windows\system32\FaceProcessorCore.dll
2017-09-29 09:41 - 2017-09-29 09:41 - 001357464 ____N () c:\windows\system32\FaceTrackerInternal.dll
2018-05-25 01:56 - 2018-05-25 01:56 - 000482520 _____ () c:\program files\avast software\avast\streamback.dll
2018-05-25 01:56 - 2018-05-25 01:56 - 067126928 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2018-05-25 01:56 - 2018-05-25 01:56 - 000293592 _____ () C:\Program Files\AVAST Software\Avast\gaming_mode_ui.dll
2018-05-24 23:04 - 2016-09-12 15:53 - 048936448 _____ () D:\Program Files (x86)\AVAST Software\Avast Cleanup\libcef.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\20147395.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\20147395.sys => ""="Driver"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2017-12-18 20:57 - 2017-12-18 20:56 - 000000824 _____ C:\windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\defen\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\photo gallery wallpaper.jpg
DNS Servers: 192.168.2.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run: => "AdobeGCInvoker-1.0"
HKLM\...\StartupApproved\Run: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "Adobe Creative Cloud"
HKLM\...\StartupApproved\Run32: => "Dropbox"
HKLM\...\StartupApproved\Run32: => "IseUI"
HKLM\...\StartupApproved\Run32: => "CommonToolkitTray_Solvusoft"
HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\StartupApproved\StartupFolder: => "ShareX.lnk"
HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\StartupApproved\StartupFolder: => "KillSwitch.lnk"
HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\StartupApproved\Run: => "ExpressVPN4"
HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\StartupApproved\Run: => "aphaudcp.exe"
HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\StartupApproved\Run: => "KakaoTalk"
HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\StartupApproved\Run: => "ManyCam"
HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\...\StartupApproved\Run: => "WinSweep"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{E0FB1A21-7732-4224-93D7-2F53A4BAACFC}] => (Allow) C:\Users\defen\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{869866F9-EBEB-4C60-8142-72BE468A2A85}] => (Allow) C:\Users\defen\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{F515E1B9-53DB-457B-9494-DB67BD2D5124}] => (Allow) D:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\devenv.exe
FirewallRules: [{FF2CDA35-9028-4D1C-8224-558F72B17C9A}] => (Allow) D:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{525E9BBB-2FA4-45FD-9F3B-0CD610EC93E5}] => (Allow) D:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{C0C47BE5-AA1E-4E4B-9054-D423B0A9A454}] => (Allow) D:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{2E5DA4F1-5E45-4EAC-8EFC-5B774E9176B2}] => (Allow) D:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [TCP Query User{561C4A80-AC56-4323-8180-928D77E30B25}D:\program files (x86)\steam\steamapps\common\h1z1\h1z1.exe] => (Allow) D:\program files (x86)\steam\steamapps\common\h1z1\h1z1.exe
FirewallRules: [UDP Query User{94DCD5D9-E438-4809-AA0A-4269799D829F}D:\program files (x86)\steam\steamapps\common\h1z1\h1z1.exe] => (Allow) D:\program files (x86)\steam\steamapps\common\h1z1\h1z1.exe
FirewallRules: [{BDB15F90-836C-473B-BBF4-375813A09525}] => (Allow) D:\Program Files (x86)\Steam\steamapps\common\H1Z1\LaunchPad.exe
FirewallRules: [{789F42E1-B998-424B-BA41-E821BE4588AD}] => (Allow) D:\Program Files (x86)\Steam\steamapps\common\H1Z1\LaunchPad.exe
FirewallRules: [{E4B68520-2D1D-46AF-ADFE-FF71FB4A4024}] => (Allow) D:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
FirewallRules: [{97C0499E-718A-42D4-8FE0-BA097F546277}] => (Allow) D:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
FirewallRules: [TCP Query User{A50F6D9A-FB00-4021-96A9-9DE434152B0B}D:\program files (x86)\microsoft visual studio\common\tools\vs-ent98\vanalyzr\varpc.exe] => (Allow) D:\program files (x86)\microsoft visual studio\common\tools\vs-ent98\vanalyzr\varpc.exe
FirewallRules: [UDP Query User{AF0EC7E6-B1F8-44E8-9F8E-30AC5D906139}D:\program files (x86)\microsoft visual studio\common\tools\vs-ent98\vanalyzr\varpc.exe] => (Allow) D:\program files (x86)\microsoft visual studio\common\tools\vs-ent98\vanalyzr\varpc.exe
FirewallRules: [{141BABCA-97B8-4895-B528-01E7A7763161}] => (Allow) D:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{175F2C75-F48B-4B54-A834-BA99BB76337F}] => (Allow) D:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{7FE52073-A5E3-45CF-9FAA-42C177E2257C}] => (Allow) D:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{B1560ECE-D6FC-4313-98E7-078453E2A4CA}] => (Allow) D:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{5C7BF2E4-E9F7-4A56-85BA-5788A56B1C50}] => (Allow) D:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{ED34C2D6-A0A6-48C0-A7A9-E268A3D66801}] => (Allow) D:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{3036ABC8-0D2B-466A-8011-EBABC424278E}] => (Allow) D:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
FirewallRules: [{FE1BF90C-B6D6-4659-B75D-D0284A9EF6FD}] => (Allow) D:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{29694026-54F0-4147-A5F0-CD0AAAE79FF5}] => (Allow) D:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{A979ED4B-6484-4DB6-9F98-2BB1E5775C43}] => (Allow) D:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{27A6FC5E-E95D-4B0A-9B4F-0E01551E8882}] => (Allow) D:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{65BBD10D-7FF8-4DE0-962C-D11433DEC5D8}] => (Allow) D:\Program Files\iTunes\iTunes.exe
FirewallRules: [TCP Query User{74AC4014-26BA-44AE-8E81-901331144DD1}C:\xampp\apache\bin\httpd.exe] => (Allow) C:\xampp\apache\bin\httpd.exe
FirewallRules: [UDP Query User{BDF64678-B6AB-472F-8C9F-911A49535350}C:\xampp\apache\bin\httpd.exe] => (Allow) C:\xampp\apache\bin\httpd.exe
FirewallRules: [{A850A513-98E5-4AA3-B283-8F905642010F}] => (Block) C:\xampp\apache\bin\httpd.exe
FirewallRules: [{970740CE-68DC-47B4-83E3-3BF47686ABE5}] => (Block) C:\xampp\apache\bin\httpd.exe
FirewallRules: [{76843023-E275-4AE3-AAB9-5D7931AD4FD5}] => (Allow) D:\Program Files (x86)\Steam\steamapps\common\Golf With Your Friends\Golf With Your Friends.exe
FirewallRules: [{CC5EE027-AF25-4ED0-A4D9-EC059A51D083}] => (Allow) D:\Program Files (x86)\Steam\steamapps\common\Golf With Your Friends\Golf With Your Friends.exe
FirewallRules: [TCP Query User{9B9D0E77-18FA-441C-B4B5-95AE407F09DE}C:\xampp\mysql\bin\mysqld.exe] => (Allow) C:\xampp\mysql\bin\mysqld.exe
FirewallRules: [UDP Query User{5D87B180-49AC-40FC-9780-68FAD30CDFCA}C:\xampp\mysql\bin\mysqld.exe] => (Allow) C:\xampp\mysql\bin\mysqld.exe
FirewallRules: [{AEFC1F91-D102-46A0-BABF-0BCF1C3E8BC2}] => (Allow) D:\Program Files\Firefox Nightly\firefox.exe
FirewallRules: [{7B64A04C-25D1-49FC-91EC-122106A788F1}] => (Allow) D:\Program Files\Firefox Nightly\firefox.exe
FirewallRules: [{359BD9CD-E51D-4116-B228-15B738D46534}] => (Allow) D:\Program Files\Firefox Developer Edition\firefox.exe
FirewallRules: [TCP Query User{E20E012F-1F43-4B0F-A91F-D5DB8CC5D759}D:\program files (x86)\microsoft visual studio\vb98\vb6.exe] => (Allow) D:\program files (x86)\microsoft visual studio\vb98\vb6.exe
FirewallRules: [UDP Query User{97B60EAA-8C1D-4BE8-8DFF-A810D69567BE}D:\program files (x86)\microsoft visual studio\vb98\vb6.exe] => (Allow) D:\program files (x86)\microsoft visual studio\vb98\vb6.exe
FirewallRules: [{AC041F28-CF7E-41C5-BEB3-CA5A9840154D}] => (Allow) D:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [TCP Query User{6CBA7491-C25A-4CD4-B601-DEEF86341758}D:\program files\secondlifeviewer\slvoice.exe] => (Allow) D:\program files\secondlifeviewer\slvoice.exe
FirewallRules: [UDP Query User{CFB7984D-3878-43DB-996E-6A6957A24544}D:\program files\secondlifeviewer\slvoice.exe] => (Allow) D:\program files\secondlifeviewer\slvoice.exe
FirewallRules: [{0AC2BFFF-CFE6-49C9-AEEB-692178BAA9ED}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.80.474.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{64C8BAA1-7629-4FB3-AD2B-4471A03187E9}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.80.474.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{C397FFE4-A8B6-4BD3-90C0-BF6380B602C4}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.80.474.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{015C697A-8774-4A4B-B018-2BF1B0698DB8}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.80.474.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{1E1CA6F0-172D-4C38-93ED-2A33F606197C}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.80.474.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{31984D35-B80B-416F-9B94-1A9F6A98232E}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.80.474.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{2B91D697-1210-4F88-9D47-26282890A76B}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.80.474.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{8B9E631E-4D94-4241-876A-CA32A0EF81B4}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.80.474.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{DB590C1D-A32E-46C3-968A-2C7E5E6002C1}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.80.474.0_x86__zpdnekdrzrea0\SpotifyWebHelper.exe
FirewallRules: [{283A8D6D-4D4F-4F79-95B4-31FF8589F25A}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.80.474.0_x86__zpdnekdrzrea0\SpotifyWebHelper.exe
FirewallRules: [{D1472A60-6C41-445E-85F4-F84770D10682}] => (Allow) D:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{1FC50B34-5E02-4836-BC71-2FF2E48BDFD8}] => (Allow) D:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{A8B8DB79-19A1-4130-BD3C-075175124AED}] => (Allow) D:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{FEC7ED4E-A096-4AA4-BF52-D3EC305B607C}] => (Allow) D:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{EFF11646-ABF9-4782-B6AA-D5A0C2C555C1}] => (Allow) d:\Program Files\Fiddler\Fiddler.exe
FirewallRules: [TCP Query User{34F92282-8B77-4AF3-AF5F-3444EABC4760}D:\program files (x86)\telegram desktop\telegram.exe] => (Allow) D:\program files (x86)\telegram desktop\telegram.exe
FirewallRules: [UDP Query User{DE8B4963-6375-4030-BD8B-C7B31A8E2AE5}D:\program files (x86)\telegram desktop\telegram.exe] => (Allow) D:\program files (x86)\telegram desktop\telegram.exe
FirewallRules: [{8DDCE17C-8144-4ADF-97DB-34DBFB0C0E2A}] => (Allow) D:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{98661844-28C1-40E5-94FD-EDD551D2B05E}] => (Allow) D:\Program Files (x86)\Dropbox\Client\Dropbox.exe
 
==================== Restore Points =========================
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (05/25/2018 02:49:26 AM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.
 
Details:
The specified object cannot be found. Specify the name of an existing object.  (HRESULT : 0x80040d06) (0x80040d06)
 
Error: (05/25/2018 02:49:26 AM) (Source: Windows Search Service) (EventID: 3058) (User: )
Description: The application cannot be initialized.
 
Context: Windows Application
 
Details:
The specified object cannot be found. Specify the name of an existing object.  (HRESULT : 0x80040d06) (0x80040d06)
 
Error: (05/25/2018 02:49:26 AM) (Source: Windows Search Service) (EventID: 3028) (User: )
Description: The gatherer object cannot be initialized.
 
Context: Windows Application, SystemIndex Catalog
 
Details:
The specified object cannot be found. Specify the name of an existing object.  (HRESULT : 0x80040d06) (0x80040d06)
 
Error: (05/25/2018 02:49:26 AM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <MSSearch.IpsPi> cannot be initialized.
 
Context: Windows Application, SystemIndex Catalog
 
Details:
The specified object cannot be found. Specify the name of an existing object.  (HRESULT : 0x80040d06) (0x80040d06)
 
Error: (05/25/2018 02:49:26 AM) (Source: Windows Search Service) (EventID: 3057) (User: )
Description: The plug-in manager <MSSearch.IpsPi> cannot be initialized.
 
Context: Windows Application
 
Details:
(HRESULT : 0x80040154) (0x80040154)
 
Error: (05/25/2018 02:49:09 AM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.
 
Details:
The specified object cannot be found. Specify the name of an existing object.  (HRESULT : 0x80040d06) (0x80040d06)
 
Error: (05/25/2018 02:49:09 AM) (Source: Windows Search Service) (EventID: 3058) (User: )
Description: The application cannot be initialized.
 
Context: Windows Application
 
Details:
The specified object cannot be found. Specify the name of an existing object.  (HRESULT : 0x80040d06) (0x80040d06)
 
Error: (05/25/2018 02:49:09 AM) (Source: Windows Search Service) (EventID: 3028) (User: )
Description: The gatherer object cannot be initialized.
 
Context: Windows Application, SystemIndex Catalog
 
Details:
The specified object cannot be found. Specify the name of an existing object.  (HRESULT : 0x80040d06) (0x80040d06)
 
 
System errors:
=============
Error: (05/25/2018 03:05:41 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 17 time(s).
 
Error: (05/25/2018 03:05:41 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Windows Search service terminated with the following service-specific error: 
%%2147749126
 
Error: (05/25/2018 03:05:41 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 16 time(s).
 
Error: (05/25/2018 03:05:41 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Windows Search service terminated with the following service-specific error: 
%%2147749126
 
Error: (05/25/2018 02:53:50 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-0FRQ1KG)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-0FRQ1KG\josh SID (S-1-5-21-2006163460-2297624391-3983604502-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (05/25/2018 02:53:43 AM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-0FRQ1KG)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-0FRQ1KG\josh SID (S-1-5-21-2006163460-2297624391-3983604502-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (05/25/2018 02:50:40 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 15 time(s).
 
Error: (05/25/2018 02:50:40 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Windows Search service terminated with the following service-specific error: 
%%2147749126
 
 
Windows Defender:
===================================
Date: 2018-05-24 21:15:12.434
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: HackTool:Win32/Gendows
ID: 2147646077
Severity: High
Category: Tool
Path: file:_D:\downloads\Windows 7 SP1 Ultimate (64 Bit)\Windows 7 ACTIVATION\Windows 7 Activation.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Signature Version: AV: 1.269.58.0, AS: 1.269.58.0, NIS: 119.0.0.0
Engine Version: AM: 1.1.14901.4, NIS: 2.1.14600.4
 
Date: 2018-05-24 21:15:03.943
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: HackTool:Win32/Gendows
ID: 2147646077
Severity: High
Category: Tool
Path: file:_D:\downloads\Windows 7 SP1 Ultimate (64 Bit)\Windows 7 ACTIVATION\Windows 7 Activation.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Signature Version: AV: 1.269.58.0, AS: 1.269.58.0, NIS: 119.0.0.0
Engine Version: AM: 1.1.14901.4, NIS: 2.1.14600.4
 
Date: 2018-05-24 21:14:51.279
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: HackTool:Win32/Gendows
ID: 2147646077
Severity: High
Category: Tool
Path: file:_D:\downloads\Windows 7 SP1 Ultimate (64 Bit)\Windows 7 ACTIVATION\Windows 7 Activation.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Signature Version: AV: 1.269.58.0, AS: 1.269.58.0, NIS: 119.0.0.0
Engine Version: AM: 1.1.14901.4, NIS: 2.1.14600.4
 
Date: 2018-05-14 19:58:52.950
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {AA2D6DCA-666B-4510-B8C5-E4D0A3E75DBF}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2018-05-09 22:41:04.701
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {8591C228-950D-4B64-8457-CE737607EC23}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2018-05-24 23:57:28.544
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.269.58.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.14901.4
Error code: 0x80072efd
Error description: A connection with the server could not be established 
 
Date: 2018-05-24 23:57:28.544
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 119.0.0.0
Update Source: Microsoft Malware Protection Center
Signature Type: Network Inspection System
Update Type: Full
Current Engine Version: 
Previous Engine Version: 2.1.14600.4
Error code: 0x80072efd
Error description: A connection with the server could not be established 
 
Date: 2018-05-24 23:57:28.535
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.269.58.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.14901.4
Error code: 0x80072efd
Error description: A connection with the server could not be established 
 
Date: 2018-05-24 23:57:28.534
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.269.58.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiSpyware
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.14901.4
Error code: 0x80072efd
Error description: A connection with the server could not be established 
 
Date: 2018-05-24 23:57:28.534
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.269.58.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.14901.4
Error code: 0x80072efd
Error description: A connection with the server could not be established 
 
CodeIntegrity:
===================================
 
Date: 2018-05-25 03:05:41.753
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\guard64.dll because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-05-25 03:04:30.143
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume9\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-25 03:04:30.141
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume9\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-25 03:04:29.593
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume9\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-25 03:04:29.590
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume9\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-25 03:02:25.829
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume9\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-25 03:02:25.827
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume9\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-05-25 03:02:23.925
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume9\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-5820K CPU @ 3.30GHz
Percentage of memory in use: 40%
Total physical RAM: 16274.09 MB
Available physical RAM: 9740.66 MB
Total Virtual: 25490.09 MB
Available Virtual: 20245.4 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:109.11 GB) (Free:53.35 GB) NTFS
Drive d: (D) (Fixed) (Total:1862.89 GB) (Free:1633.93 GB) NTFS
Drive e: (ESD-USB) (Fixed) (Total:31.99 GB) (Free:28.5 GB) FAT32 ==>[system with boot components (obtained from drive)]
 
\\?\Volume{62a9d35f-f5ec-4b7c-904d-fb3ef3175306}\ (ESP) (Fixed) (Total:0.48 GB) (Free:0.46 GB) FAT32
\\?\Volume{6684220c-abe8-40c4-867c-b6762d34435d}\ (WINRETOOLS) (Fixed) (Total:0.73 GB) (Free:0.44 GB) NTFS
\\?\Volume{d10680e3-290a-4fad-a643-b8288efff007}\ () (Fixed) (Total:0.44 GB) (Free:0.1 GB) NTFS
\\?\Volume{e4c824d6-b915-4bbc-910f-234733c7eb87}\ (PBR Image) (Fixed) (Total:8.31 GB) (Free:0.39 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 119.2 GB) (Disk ID: 2C48A0BD)
 
Partition: GPT.
 
========================================================
Disk: 1 (Protective MBR) (Size: 1863 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
========================================================
Disk: 2 (MBR Code: Windows 7/8/10) (Size: 1863 GB) (Disk ID: 77C8F349)
Partition 1: (Active) - (Size=32 GB) - (Type=0C)
 
==================== End of Addition.txt ============================
 
 
 
I would like to give you more recent information but I am afraid I am unable to complete scans without BSOD. Then it takes my computer a long time to restart most times (10-15 minutes) because Windows Updates keeps failing to install updates and rolls back. This has been persistent for a very long time. Cumulative Update for Windows 10 Version 1709 for x64-based Systems seems to be the latest. It's been trying to install for a while. Never does.

 

I'm pretty sure I have either SOPHISTICATED malware or it's as simple as my computer being crappy for some other reason. I do have a large target on my back and have managed to piss off big hacker people. I cannot name drop but you have heard of them.

 

As far as not running more AV software, that's all I've been doing since my first post. Have tried to use reputable ones.

 

What do you advise?


Edited by kmin, 29 May 2018 - 03:15 PM.


#6 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,846 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:07:39 AM

Posted 30 May 2018 - 07:26 AM

kmin:

 

Thank you for your post and your "Addition.txt" log.  Let's approach the issues that you are having in a methodical manner.  First off, I would not be trusting what GMER is reporting.  It has not been updated since June 2016, so I consider its compatibility with Windows 10, Build 1709, to be somewhat dubious, at best.

 

I have several other clients, who I started helping and who I obviously have to continue to help.  That said, I will analyze your FRST scan logs today and post back my initial FRST "fixlist" script later this afternoon.

 

I would appreciate your patience and understanding.  I would also ask that you not run any more scans or anti-malware tools.  They could make changes to your computer and complicate my job of trying to identify and remove any malware that might be present.  I understand your frustration and concern, but please accord me the necessary time to fully analyze the FRST scan logs that you have submitted.

 

Thank you and have a great day.

 

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#7 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,846 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:07:39 AM

Posted 30 May 2018 - 12:04 PM

kmin:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask that you take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools. Malware removal can cause unpredictable and unintended issues. Also you should be aware that some of the tools and scripts that will be used, will remove malware detected, without notice.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post(s), unless otherwise instructed. Please do not use code or quote boxes.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.

OK, let's get started ...

First off, let me say that the FRST scan logs show that you have run many, many powerful anti-malware scanners on your computer. That can lead to computer issues because most programs can have "false positives", or not be compatible with Build 1709 of Windows 10 Home, so you are exposing your computer to the possibility of serious operating system file corruption, or even rendering it unbootable. Moreover, some "false positives" can, and do, lead to the deletion of personal data files. I would recommend that if a malware infection is suspected that you seek expert help to minimize the chances of those issues arising.

.

:step1: I see that you have AVAST anti-virus software installed on your computer. You should check out this post by quietman7, one of the foremost computer security experts here at Bleeping Computer, which explains why he no longer recommends that product. It is your computer, so it is your decision. If you do consider another anti-virus solution, you can check out this post, also by quietman7. Personally, I would not have AVAST on my computer.

You also have COMODO anti-virus installed and I am seeing Kaspersky Free as well. It is a very bad idea to have more than one anti-virus program installed and active on your computer. It can cause all kinds of computer issues and seriously impair computer performance. Please see this post for more information.

Multiple running anti-virus programs might well be the cause of all of the computer issues that you are experiencing. Only ONE anti-virus should be running on your computer. If your Comodo product is a paid version, then I would keep it; if not, I would keep the Kaspersky Free product. Please uninstall the other two anti-virus products that you decide not to keep, using the Control Panel, Programs, Uninstall a Program. Reboot your computer after each uninstallation.  The choice is yours as to which anti-virus program you keep.  It is YOUR computer.

.

:step2: Your FRST "Addition.txt" file shows the following program installed:
 

DriverDoc (HKLM-x32\...\{650580EA-978C-4C04-81B9-BA53BB34BCBE}) (Version: 1.8.0 - Solvusoft Corporation) Hidden
DriverDoc (HKLM-x32\...\DriverDoc) (Version: 1.8.0 - Solvusoft Corporation)


This program is listed as a PUP. See this link for more information. If you don't uninstall the program, it is very possible that one of the standard anti-malware tools that I will use later on might remove it from your computer, so you have to reinstall it, if you want to keep it. If you don't want to keep it, please uninstall it via the Control Panel, Programs, Uninstall a Program.

.

:step3: In going over your logs I noticed that you have µTorrent installed. Please consider the following advice to reduce the possibility of being infected when surfing the web.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, your computer will get infected again.
I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

.

:step4: Please run a FRST fix for me.

NOTICE: This FRST "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

Start::
CreateRestorePoint:
CloseProcesses:
File: C:\Windows\System32\OpenSSH\ssh-agent.exe;C:\windows\system32\Notifier.exe
VirusTotal: D:\downloads\yntmiuu7.exe
IFEO\AcroRd32.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\appcertui.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\appvlp.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\devenv.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\dropbox.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\excel.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\expressvpn.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\itunes.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\lync.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\manycam.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\msaccess.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\msoev.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\msotd.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\msoxmled.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\mspub.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\ocpubmgr.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\onenote.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\outlook.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\powerpnt.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\setlang.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\steam.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\teamviewer.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\uninstall.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\vkise.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\vmplayer.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\vslauncher.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\winword.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\wpa.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\wprui.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
GroupPolicy: Restriction ? <==== ATTENTION
S3 WdNisSvc; "%ProgramFiles%\Windows Defender\NisSrv.exe" [X]
R2 WinDefend; "%ProgramFiles%\Windows Defender\MsMpEng.exe" [X]
S3 WMPNetworkSvc; "%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe" [X]
U1 aswbdisk; no ImagePath
S3 BEDaisy; \??\D:\Program Files (x86)\Common Files\BattlEye\BEDaisy.sys [X]
U3 kwadypow; \??\C:\Users\defen\AppData\Local\Temp\kwadypow.sys [X] <==== ATTENTION
End::
  • Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy", which will copy the "fix" script into the Windows clipboard.
  • Right click FRST64.exe, and select "Run as Administrator".
  • Press Fix button once and wait.
  • Please reboot the computer, if requested.
  • A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
  • Please copy and paste the contents of the "fixlog.txt" file into your next reply.

.

Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall
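The fixlist in the post above removes three kinds of entry a responder looks at first: IFEO "Debugger" values (a registry hook that redirects every launch of the named program to another binary), services whose registered binary is missing or that have no ImagePath at all, and a kernel driver registered from a user's Temp folder. The following Python helper is an added example, not FRST's code and not part of the instructions in this thread: it parses lines in the shape FRST prints and ranks them for review without touching the registry. The sample lines are constructed from the fixlist above, and the severity rules and the list of Defender service names treated as critical are my assumptions.

```python
"""Triage FRST-style listing lines (IFEO, services, drivers) for a defender's review.

Added example for this thread; it is not FRST's code and only reads text.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the fixlist above (paths copied from the thread).
SAMPLE = r"""
IFEO\AcroRd32.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\steam.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
GroupPolicy: Restriction ? <==== ATTENTION
S3 WdNisSvc; "%ProgramFiles%\Windows Defender\NisSrv.exe" [X]
R2 WinDefend; "%ProgramFiles%\Windows Defender\MsMpEng.exe" [X]
U1 aswbdisk; no ImagePath
S3 BEDaisy; \??\D:\Program Files (x86)\Common Files\BattlEye\BEDaisy.sys [X]
U3 kwadypow; \??\C:\Users\defen\AppData\Local\Temp\kwadypow.sys [X] <==== ATTENTION
"""

# FRST prints an IFEO hook as: IFEO\<image>: [Debugger] "<debugger path>"
IFEO_RE = re.compile(r'^IFEO\\(?P<image>[^:]+): \[Debugger\] "?(?P<debugger>[^"]+?)"?$')
# Service/driver line: <start type> <name>; <path> [X]   ([X] = binary not found on disk)
SVC_RE = re.compile(
    r'^(?P<start>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?)(?P<missing> \[X\])?(?: <==== ATTENTION)?$')
# A service binary or kernel driver has no business living in a user's Temp folder.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.IGNORECASE)
# Assumed list: if these binaries are gone, the built-in protection is gone too.
DEFENDER_SERVICES = {"WinDefend", "WdNisSvc"}


@dataclass(frozen=True)
class Finding:
    severity: str      # "high" or "medium"
    kind: str
    subject: str       # image name, service name, or policy area
    target: str        # binary the entry points at ("" if none)
    detail: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one FRST-style line; None when the line is not one we rank."""
    line = line.strip()
    m = IFEO_RE.match(line)
    if m:
        dbg = m["debugger"]
        # Any Debugger value hijacks process creation; one in Temp is the worst case.
        sev = "high" if USER_WRITABLE.search(dbg) else "medium"
        return Finding(sev, "ifeo-debugger", m["image"], dbg,
                       f"launches of {m['image']} are redirected to {dbg}")
    if line.startswith("GroupPolicy: Restriction"):
        return Finding("medium", "group-policy", "GroupPolicy", "",
                       "local policy restriction present; confirm it is intended")
    m = SVC_RE.match(line)
    if m:
        name, path = m["name"], m["path"].strip('"')
        if path == "no ImagePath":
            return Finding("high", "service-no-image", name, "",
                           "service has no ImagePath, so there is no binary to inspect")
        if USER_WRITABLE.search(path):
            return Finding("high", "driver-in-temp", name, path,
                           f"loads {path} from a user Temp directory")
        if m["missing"]:
            sev = "high" if name in DEFENDER_SERVICES else "medium"
            return Finding(sev, "service-missing-binary", name, path,
                           f"registered binary {path} is absent from disk")
    return None


def triage(text: str) -> List[Finding]:
    """Parse every line and return findings, highest severity first."""
    found = [f for f in (triage_line(l) for l in text.splitlines()) if f]
    rank = {"high": 0, "medium": 1}
    return sorted(found, key=lambda f: (rank[f.severity], f.kind, f.subject))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def debugger_fanout(findings: List[Finding]) -> Dict[str, int]:
    """How many images each IFEO debugger binary hooks; one binary on many images is one decision."""
    fan: Dict[str, int] = {}
    for f in findings:
        if f.kind == "ifeo-debugger":
            fan[f.target] = fan.get(f.target, 0) + 1
    return fan


if __name__ == "__main__":
    results = triage(SAMPLE)
    for f in results:
        print(f"[{f.severity:6}] {f.kind:24} {f.subject:12} {f.detail}")
    print("totals:", summarize(results))
    print("IFEO fan-out:", debugger_fanout(results))
```

Run it as-is to see the ranked list for the sample; to triage a real FRST listing, pass the file's text to `triage()` instead of `SAMPLE`. The ranking is deliberately conservative: an IFEO Debugger value is only "medium" when it points at a program directory, because legitimate software does install such hooks (the Avast Cleanup entries above are one example), but the fan-out count shows that all of them point at one binary, which is the single question to settle before removing them.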


#8 kmin

kmin
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Local time:06:39 AM

Posted 01 June 2018 - 01:57 AM

Thank you. Here is the file:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 16.05.2018 01
Ran by josh (01-06-2018 02:51:52) Run:1
Running from d:\downloads
Loaded Profiles: josh (Available Profiles: josh)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
File: C:\Windows\System32\OpenSSH\ssh-agent.exe;C:\windows\system32\Notifier.exe
VirusTotal: D:\downloads\yntmiuu7.exe
IFEO\AcroRd32.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\appcertui.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\appvlp.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\devenv.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\dropbox.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\excel.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\expressvpn.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\itunes.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\lync.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\manycam.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\msaccess.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\msoev.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\msotd.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\msoxmled.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\mspub.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\ocpubmgr.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\onenote.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\outlook.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\powerpnt.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\setlang.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\steam.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\teamviewer.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\uninstall.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\vkise.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\vmplayer.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\vslauncher.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\winword.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\wpa.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\wprui.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
GroupPolicy: Restriction ? <==== ATTENTION
S3 WdNisSvc; "%ProgramFiles%\Windows Defender\NisSrv.exe" [X]
R2 WinDefend; "%ProgramFiles%\Windows Defender\MsMpEng.exe" [X]
S3 WMPNetworkSvc; "%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe" [X]
U1 aswbdisk; no ImagePath
S3 BEDaisy; \??\D:\Program Files (x86)\Common Files\BattlEye\BEDaisy.sys [X]
U3 kwadypow; \??\C:\Users\defen\AppData\Local\Temp\kwadypow.sys [X] <==== ATTENTION
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
 
========================= File: C:\Windows\System32\OpenSSH\ssh-agent.exe;C:\windows\system32\Notifier.exe ========================
 
C:\Windows\System32\OpenSSH\ssh-agent.exe
File is digitally signed
MD5: 9CD26F0263AB6CF0C8CADB6E1E40F46A
Creation and modification date: 2018-05-20 13:11 - 2017-09-28 15:49
Size: 000612352
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: OpenSSH for Windows
Description: 
File Version: 0.0.18.0
Product Version: 0.0.18.0
Copyright: 
 
C:\windows\system32\Notifier.exe
File is digitally signed
MD5: 52F71FC6F1F2F999E43D5EE5FD5CC66E
Creation and modification date: 2018-05-15 18:20 - 2018-05-04 05:37
Size: 000278448
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: Notifier
Original Name: Notifier.exe
Product: Microsoft® Windows® Operating System
Description: Notifier
File Version: 10.0.16299.459 (WinBuild.160101.0800)
Product Version: 10.0.16299.459
Copyright: © Microsoft Corporation. All rights reserved.
 
====== End of File: ======
 
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AcroRd32.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\appcertui.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\appvlp.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\devenv.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\dropbox.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\excel.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\expressvpn.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\itunes.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\lync.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\manycam.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msaccess.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msoev.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msotd.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msoxmled.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mspub.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ocpubmgr.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\onenote.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\outlook.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\powerpnt.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\setlang.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\steam.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\teamviewer.exe" => removed successfully
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\uninstall.exe => not found
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\vkise.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\vmplayer.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\vslauncher.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\winword.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wpa.exe" => removed successfully
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wprui.exe" => removed successfully
C:\windows\system32\GroupPolicy\Machine => moved successfully
C:\windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"HKLM\System\CurrentControlSet\Services\WdNisSvc" => removed successfully
WdNisSvc => service removed successfully
WinDefend => Unable to stop service.
"HKLM\System\CurrentControlSet\Services\WinDefend" => removed successfully
WinDefend => service removed successfully
"HKLM\System\CurrentControlSet\Services\WMPNetworkSvc" => removed successfully
WMPNetworkSvc => service removed successfully
"HKLM\System\CurrentControlSet\Services\aswbdisk" => removed successfully
aswbdisk => service removed successfully
"HKLM\System\CurrentControlSet\Services\BEDaisy" => removed successfully
BEDaisy => service removed successfully
kwadypow => service not found.
 
 
The system needed a reboot.
 
==== End of Fixlog 02:52:04 ====
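A triage pass over the fixlist lines in the fixlog above, as an added example (it is not FRST's code and was not posted in the thread). It parses the "IFEO\...: [Debugger]" entries and the service lines and ranks them the way a responder reads them: a Debugger value under Image File Execution Options makes Windows start the named program instead of the target, so each one is an execution redirect whose destination must be verified; a service key with "no ImagePath" has nothing on disk behind it; "[X]" is FRST's marker for a referenced file that is missing from disk; and a driver registered from a user's Temp directory is the entry to examine first. The severity labels and the list of user-writable directories are my own assumptions, not an FRST classification.

```python
"""Triage of FRST fixlist service and IFEO lines.

Added example: not FRST's code and not posted in the thread. The sample lines
are copied from the fixlog above; the severity rules and the list of
user-writable directories are my own assumptions about what to read first.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a subset of the fixlist content shown in the fixlog.
SAMPLE_FIXLIST = r"""
IFEO\AcroRd32.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\steam.exe: [Debugger] "D:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
GroupPolicy: Restriction ? <==== ATTENTION
S3 WdNisSvc; "%ProgramFiles%\Windows Defender\NisSrv.exe" [X]
R2 WinDefend; "%ProgramFiles%\Windows Defender\MsMpEng.exe" [X]
U1 aswbdisk; no ImagePath
S3 BEDaisy; \??\D:\Program Files (x86)\Common Files\BattlEye\BEDaisy.sys [X]
U3 kwadypow; \??\C:\Users\defen\AppData\Local\Temp\kwadypow.sys [X] <==== ATTENTION
"""

IFEO_RE = re.compile(r'^IFEO\\(?P<target>[^:]+):\s*\[Debugger\]\s*"?(?P<debugger>.+?)"?\s*$')
SERVICE_RE = re.compile(r"^(?P<state>[RSU])(?P<stype>\d)\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")
ATTENTION = "<==== ATTENTION"   # FRST's own flag on a line it wants reviewed
MISSING = "[X]"                 # FRST's marker: the referenced file is not on disk
# Assumption: directories an unprivileged user can write to; a driver or service
# registered from one of these is the first thing to examine.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class Finding:
    kind: str       # "ifeo", "policy" or "service"
    name: str
    severity: str   # "high", "medium" or "low"
    reason: str


def triage(fixlist: str) -> list[Finding]:
    """Turn fixlist lines into findings, one per IFEO, policy or service entry."""
    findings: list[Finding] = []
    for raw in fixlist.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IFEO_RE.match(line)
        if m:
            # A Debugger value under Image File Execution Options makes Windows
            # start the named "debugger" instead of the target, so each one is
            # an execution redirect whose destination has to be verified.
            findings.append(Finding("ifeo", m["target"], "medium",
                                    f"every launch of {m['target']} is redirected to {m['debugger']}"))
            continue
        if line.startswith("GroupPolicy:"):
            findings.append(Finding("policy", "GroupPolicy", "medium",
                                    "FRST reports a local Group Policy restriction; review what it restricts"))
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        path = rest.replace(ATTENTION, "").replace(MISSING, "").strip().strip('"')
        lowered = path.lower()
        if lowered == "no imagepath":
            findings.append(Finding("service", m["name"], "medium",
                                    "service key has no ImagePath, so nothing on disk backs it"))
        elif any(d in lowered for d in USER_WRITABLE):
            findings.append(Finding("service", m["name"], "high",
                                    f"loads from a user-writable directory: {path}"))
        elif MISSING in rest:
            findings.append(Finding("service", m["name"], "low",
                                    f"registered binary is no longer on disk: {path}"))
        else:
            findings.append(Finding("service", m["name"], "low", f"binary present: {path}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    found = triage(SAMPLE_FIXLIST)
    for f in sorted(found, key=lambda f: order[f.severity]):
        print(f"[{f.severity:>6}] {f.kind:<7} {f.name}: {f.reason}")
    print(summarize(found))
```

Run against a complete fixlist, the "high" findings are the ones to look at before anything is removed; the medium and low ones are context for the removal decision rather than evidence on their own.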


#9 kmin (Topic Starter, Members, 9 posts)

Posted 01 June 2018 - 02:04 AM

I would also like to point out that explorer.exe has active outgoing connections to these IP addresses.

Edit: which upon further review appear harmless.

Edited by kmin, 01 June 2018 - 02:05 AM.


#10 garioch7 (RCMP Veteran, Malware Response Instructor, 3,846 posts, Port Hood, Nova Scotia, Canada)

Posted 01 June 2018 - 03:42 AM

Kmin:

Thank you for your post and for running the FRST "fixlist" script and posting the contents of the "fixlog.txt" file.  That all looks good to me.

You did not respond to my questions in Steps 1 and 2 of my previous post.  It is imperative that you uninstall two of the three anti-virus applications that you have installed on the computer.  We have to eliminate the conflicts between those applications to proceed further in a logical manner.  Multiple anti-virus programs are well known to cause all kinds of unwanted problems with computers.  Please let me know which anti-virus application you decide to keep and confirm that you have successfully uninstalled the other two anti-virus applications.  The choice of which anti-virus program to keep is your decision, although I have given you my recommendations in that previous post.  Once you have answered my questions and have successfully uninstalled two of three anti-virus programs, we can proceed to run further standard anti-malware scans to determine if your computer is infected.

Today is lawn mowing day in Port Hood, so there goes my day!  I start around 08:30 and can usually finish it all just after 15:00, by which time this old guy (senior citizen) is pretty tuckered out.  :)  I might get back to the computer later this afternoon, but most likely it will be late tomorrow morning or early afternoon before I am back.  I will be available to come back for the next hour or so, but after that, I am offline, probably for the day.

Thank you for your patience and collaboration.  Have a great day.

Regards,

-Phil




#11 kmin (Topic Starter, Members, 9 posts)

Posted 01 June 2018 - 07:29 PM

Yeah, I uninstalled everything except Avast because I paid for it. Shrug. Ready when you are! Thanks again!!


Edited by kmin, 01 June 2018 - 07:30 PM.


#12 garioch7 (RCMP Veteran, Malware Response Instructor, 3,846 posts, Port Hood, Nova Scotia, Canada)

Posted 02 June 2018 - 11:55 AM

kmin:

Thank you for your post.

Step 1: You didn't respond to what you have done with the program DriverDoc.  Since this program is listed as a PUP, it could well be removed by the anti-malware scans we are about to run.  The use of driver updater programs is not recommended.  Please see this link for more information.  You should make sure that you have copied the program installer and licence key to external media before proceeding to run the standard anti-malware scans if you decide you want to keep this program.

Step 2: ESET Online Scanner using Internet Explorer:

Note: You will need to disable your currently installed anti-virus; how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double-click the icon.
  • Check "YES, I accept the Terms of Use".
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Then select "Enable detection of potentially unwanted applications": Yes.
  • Click Advanced settings.
  • Check the following items:
      • Enable detection of potentially unwanted applications
      • Remove found threats
      • Scan archives
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
  • Click Change next to Current scan targets.
  • Place a check mark in any additional drive you wish to scan, then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found, simply click Uninstall application on close and hit Finish.
  • If threats are found, click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were detected. There will be no log if no threats were detected.

Don't forget to re-enable your antivirus when finished!

Step 3: Please run a Malwarebytes Anti-Malware scan for me.

  • Please download Malwarebytes to your Desktop.
  • Double-click mb3-setup-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Next, please go to "Settings", "Protection", and turn on "Scan for rootkits", if it is not "On".
  • Ensure that under "Potential Threat Protection", both switches are set to "Always Detect PUPs/PUMs (recommended)".
  • Then scroll to the bottom of that page and ensure that "Automatic Quarantine" is turned "On".
  • Once the program has fully updated, select Scan Now on the Dashboard, or select the Threat Scan from the Scan menu.
  • If an update of the definitions is available, it will be downloaded and installed before the scan commences.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

The scan log is available through Reports (double-click the appropriate scan log), or you can just double-click the "Last Scan" entry on the Dashboard. Click "Export", and then select "Copy to Clipboard". Next, please paste the contents of the log into your next reply.

Thank you and have a great day.

Regards,
-Phil




#13 kmin (Topic Starter, Members, 9 posts)

Posted 03 June 2018 - 02:26 AM

ESET (Threats were detected but I couldn't find the log. I copied and pasted the 5 issues it dealt with. I'm aware of all of these files.)

D:\downloads\010820.zip a variant of Generik.MLRSXOV trojan deleted
D:\downloads\FileZilla_3.31.0_win64-setup_bundled.exe a variant of Win32/FusionCore.W potentially unwanted application cleaned by deleting
D:\downloads\metasploitframework-latest.msi multiple threats deleted
D:\downloads\010820\winsock1\server\server.exe a variant of Generik.MLRSXOV trojan cleaned by deleting
D:\downloads\Windows 7 SP1 Ultimate (64 Bit)\Windows 7 SP1 Ultimate (64 Bit).iso Win32/HackTool.WinActivator.I potentially unsafe application deleted
 
Malwarebytes (Aware of all of these files as well. I think my computer's clean. Imagine that!)
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 6/3/18
Scan Time: 3:26 AM
Log File: 7f2d5fa8-66ff-11e8-98b7-005056c00001.json
Administrator: Yes
 
-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.365
Update Package Version: 1.0.5340
License: Trial
 
-System Information-
OS: Windows 10 (Build 16299.15)
CPU: x64
File System: NTFS
User: DESKTOP-0FRQ1KG\josh
 
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 338101
Threats Detected: 9
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 2 min, 21 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 4
PUP.Optional.Solvusoft, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\DRIVERDOC AUTO START, No Action By User, [2888], [511235],1.0.5340
PUP.Optional.Solvusoft, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CCCD0021-56CA-4FDC-85E6-836914F56A5A}, No Action By User, [2888], [511235],1.0.5340
PUP.Optional.Solvusoft, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{CCCD0021-56CA-4FDC-85E6-836914F56A5A}, No Action By User, [2888], [511235],1.0.5340
PUP.Optional.WinSweeper, HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\SOFTWARE\WinSweeper2, No Action By User, [2667], [516908],1.0.5340
 
Registry Value: 1
PUP.Optional.Solvusoft, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CCCD0021-56CA-4FDC-85E6-836914F56A5A}|PATH, No Action By User, [2888], [511236],1.0.5340
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 1
PUP.Optional.WinSweeper, C:\USERS\DEFEN\APPDATA\LOCAL\WINSWEEPER, No Action By User, [2667], [516905],1.0.5340
 
File: 3
PUP.Optional.Solvusoft, C:\WINDOWS\TASKS\DRIVERDOC AUTO START.JOB, No Action By User, [2888], [511234],1.0.5340
PUP.Optional.Solvusoft, C:\WINDOWS\SYSTEM32\TASKS\DRIVERDOC AUTO START, No Action By User, [2888], [511235],1.0.5340
PUP.Optional.WinSweeper, D:\PROGRAM FILES (X86)\9322811\WINSWEEPER.EXE, No Action By User, [2667], [516902],1.0.5340
 
Physical Sector: 0
(No malicious items detected)
 
WMI: 0
(No malicious items detected)
 
 
(end)
 
Although there is still the issue of this (sometimes it takes my computer 5 - 10 minutes to reboot because Windows Updates fail, sometimes it doesn't. It's odd.)

[screenshot: 7fNNeqH.png]

Update:

Windows Resource Protection found corrupt files and successfully repaired
them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For
example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not
supported in offline servicing scenarios.

Unable to update Windows or run the latest Windows Update.

I also can't activate Windows Defender even with AV uninstalled.

[screenshot: JeW6NHV.png]

Also, I don't know what many of these partitions really contain. Which are safe to remove?

[screenshot: FmDeaSI.png]

I would like to totally reset Windows but also use something like Partition Wizard to delete potentially problematic partitions.

Want my MBR totally factory reset. Do want to keep my files though. Afraid of viruses for sure though.

While waiting for the Windows 10 Setup tool to install to USB I actually wrote a proof of concept clipboard content stealer virus that passes all detection: https://www.virustotal.com/#/file/e07fc8e318aba655ff348bde7c265d58eb56258c1a9fdcb9434edd5cb0581fc7/detection

So that is also kind of concerning. I would like a very sophisticated firewall setup to block most connections when all is said and done here.

I am also unable to update my BIOS, which is listed as an "Urgent" upgrade.

[screenshot: eGvMhmS.png]

Edited by kmin, 03 June 2018 - 07:31 AM.


#14 garioch7 (RCMP Veteran, Malware Response Instructor, 3,846 posts, Port Hood, Nova Scotia, Canada)

Posted 03 June 2018 - 11:55 AM

kmin:

Thank you for your post and for running the requested scans and posting the results.  I note that you did not remove the threats detected by Malwarebytes.  Thus your computer is still "infected" with PUPs. :(  It is your computer, so it is your decision, but your non-compliance with my instructions leads me to wonder whether you want to continue with this topic?

I suspect that you still have remnants of one or more anti-virus programs that are interfering with Windows Defender activating and possibly interfering as well with the Windows Updates.  I did inform you that running multiple anti-virus programs is a recipe for all kinds of computer issues.  Some anti-virus applications are notoriously difficult to remove completely.  Many anti-virus vendors offer free removal tools for their specific products.

I do not know the make of your computer or what has been previously installed on it or how many times you have reset it.  I am therefore not in a position to offer any advice as to which partitions are safe to remove.  That may be a question that you might want to pose, after your computer is declared "clean", in the Windows 10 Forum here at Bleeping Computer, where the experts knowledgeable about that OS can be found.

If you want to reset your MBR to factory specs, then your computer would need to have a "factory reset/image" partition, which would return the computer to the precise condition it was in when you took it out of the box.  That would entail backing up all of your data, and having to reinstall your programs, so you would need the installer files for your programs and your licence keys stored on external media before undertaking that drastic step.  I am not sure why you would want to do a restoration of the MBR back to factory specs.  How do you know that it is not the same MBR as it was when it shipped?  I am very confident that if there had been a malicious alteration of your MBR that both the FRST and ESET scans would have detected it.

I am seeing evidence in your comments that you are perhaps hyper-vigilant when it comes to computer security.  While it is good to practice safe computing, excessive concern about computer security can often, unfortunately, degenerate into paranoia and really ruin your enjoyment of your computer.

    While waiting for the Windows 10 Setup tool to install to USB I actually wrote a proof of concept clipboard content stealer virus that passes all detection: https://www.virustotal.com/#/file/e07fc8e318aba655ff348bde7c265d58eb56258c1a9fdcb9434edd5cb0581fc7/detection

I can't speak to the veracity of your statement.  One has to remember, though, that with VirusTotal it is strictly signature/MD5/hash-based.  Whether your POC app could successfully function on a computer with robust real-time anti-virus and anti-malware software active is another question, because they rely, to varying degrees, on behavior and heuristics analysis, not just "signatures."

I am not a firewall expert, but there is a Firewall Forum here at Bleeping Computer.  Again, when you have finished here, you could pose a question there, with sufficient information about your computer/network setup so that the pros there can provide you with germane advice.

Your failed BIOS update might also be the result of having had three different and aggressive anti-virus products running on your computer.  We are not sure that two of them were entirely removed.  According to you, you even uninstalled Avast.

    I also can't activate Windows Defender even with AV uninstalled.

We can continue with a couple more standard anti-malware scans; or, you might prefer to conclude your topic.  The other option, although I don't see the point in it since I understand that you want to keep Avast, is to uninstall Avast again, and send me a fresh set of FRST scan logs so that I can see what, if any, remnants of anti-virus products are still active on your computer.  If there are any remnants, we could then remove those remnants and then try to activate Windows Defender, but like I said, if you want to keep Avast, then it is going to block Windows Defender, as do most, if not all, major anti-virus applications.

Please let me know how you want to proceed.  Thank you and have a great day.

Regards,

-Phil

 

 


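The Malwarebytes report posted in #13 shows "Threats Detected: 9" against "Threats Quarantined: 0", which is exactly what the reply above picks up on: every item was left with "No Action By User". Here is an added example that reads such a report and turns that mismatch into a programmatic check (my own code, not Malwarebytes' and not something posted in the thread). The sample report is a trimmed copy of the one posted above; the only field meanings it relies on are the visible "category, object, action, [id], [id], version" layout, and the action string it treats as "not removed" is the one that appears in that log.

```python
"""Summarize a Malwarebytes 3 text report and check that detections were acted on.

Added example: my own code, not Malwarebytes' and not posted in the thread. The
sample report is a trimmed copy of the log above; field meanings beyond the
visible "category, object, action, [id], [id], version" layout are assumptions.
"""
from __future__ import annotations

import re

# Constructed sample input: the summary and detail sections of the posted report.
SAMPLE_REPORT = r"""
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 338101
Threats Detected: 9
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 2 min, 21 sec

-Scan Details-
Process: 0
(No malicious items detected)

Registry Key: 4
PUP.Optional.Solvusoft, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\DRIVERDOC AUTO START, No Action By User, [2888], [511235],1.0.5340
PUP.Optional.Solvusoft, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CCCD0021-56CA-4FDC-85E6-836914F56A5A}, No Action By User, [2888], [511235],1.0.5340
PUP.Optional.Solvusoft, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{CCCD0021-56CA-4FDC-85E6-836914F56A5A}, No Action By User, [2888], [511235],1.0.5340
PUP.Optional.WinSweeper, HKU\S-1-5-21-2006163460-2297624391-3983604502-1001\SOFTWARE\WinSweeper2, No Action By User, [2667], [516908],1.0.5340

Registry Value: 1
PUP.Optional.Solvusoft, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CCCD0021-56CA-4FDC-85E6-836914F56A5A}|PATH, No Action By User, [2888], [511236],1.0.5340

Folder: 1
PUP.Optional.WinSweeper, C:\USERS\DEFEN\APPDATA\LOCAL\WINSWEEPER, No Action By User, [2667], [516905],1.0.5340

File: 3
PUP.Optional.Solvusoft, C:\WINDOWS\TASKS\DRIVERDOC AUTO START.JOB, No Action By User, [2888], [511234],1.0.5340
PUP.Optional.Solvusoft, C:\WINDOWS\SYSTEM32\TASKS\DRIVERDOC AUTO START, No Action By User, [2888], [511235],1.0.5340
PUP.Optional.WinSweeper, D:\PROGRAM FILES (X86)\9322811\WINSWEEPER.EXE, No Action By User, [2667], [516902],1.0.5340

(end)
"""

DETECTION_RE = re.compile(
    r"^(?P<category>[A-Za-z0-9.]+), (?P<obj>.+), (?P<action>[^,\[\]]+), "
    r"\[(?P<id1>\d+)\], \[(?P<id2>\d+)\],(?P<version>[\d.]+)$"
)
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+): (?P<count>\d+)$")
SUMMARY_RE = re.compile(r"^(?P<key>Threats Detected|Threats Quarantined): (?P<n>\d+)$")
UNACTIONED = "No Action By User"   # the action string that appears in the posted log


def parse_report(text: str) -> dict:
    """Parse the summary counters and every detection line of a report."""
    report = {
        "detected": None, "quarantined": None,
        "by_section": {}, "by_category": {}, "by_action": {},
        "unactioned": [],           # (section, category, object) left in place
        "mismatched_sections": [],  # section header count != lines parsed under it
    }
    parsed_per_section: dict[str, int] = {}
    section = None
    in_details = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-Scan Details-":
            in_details = True
            continue
        if not in_details:
            # Only the two threat counters matter from the summary block.
            m = SUMMARY_RE.match(line)
            if m:
                key = "detected" if m["key"] == "Threats Detected" else "quarantined"
                report[key] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            report["by_section"][section] = int(m["count"])
            parsed_per_section[section] = 0
            continue
        m = DETECTION_RE.match(line)
        if m and section is not None:
            parsed_per_section[section] += 1
            category, action = m["category"], m["action"].strip()
            report["by_category"][category] = report["by_category"].get(category, 0) + 1
            report["by_action"][action] = report["by_action"].get(action, 0) + 1
            if action == UNACTIONED:
                report["unactioned"].append((section, category, m["obj"]))
    # A header count that does not match the lines under it means the paste is truncated.
    report["mismatched_sections"] = [
        s for s, n in report["by_section"].items() if parsed_per_section.get(s, 0) != n
    ]
    return report


def needs_followup(report: dict) -> bool:
    """True when the scan found items but did not remove them."""
    detected = report["detected"] or 0
    quarantined = report["quarantined"] or 0
    return bool(report["unactioned"]) or detected > quarantined


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(f"detected={r['detected']} quarantined={r['quarantined']} follow-up={needs_followup(r)}")
    for section, category, obj in r["unactioned"]:
        print(f"  left in place [{section}] {category}: {obj}")
```

The per-section count check matters when a report is pasted into a forum: if a header says "File: 3" and only two lines follow, the paste is truncated and the summary counters are the only reliable numbers.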


#15 kmin (Topic Starter, Members, 9 posts)

Posted 03 June 2018 - 09:41 PM

    I note that you did not remove the threats detected by Malwarebytes. Thus your computer is still "infected" with PUPs. :(  It is your computer, so it is your decision, but your non-compliance with my instructions leads me to wonder whether you want to continue with this topic?

I meant to remove those. If I didn't remove them, it was an unintentional mistake. I saw them, and even though I recognized what they were from (uninstalled questionable but likely benign software), I still wanted them gone. And I appreciate your help very much.

Getting back to it and will post updated information.

Edited by kmin, 03 June 2018 - 09:43 PM.




