All radio 4.27 infection


  • This topic is locked
34 replies to this topic

#1 cablecon

  • Members
  • 19 posts

Posted 11 July 2018 - 02:24 PM

Hello,

I have the 4.27 radio infection on a laptop. I did some removal with Malwarebytes and Defender, but I am still having issues. Defender keeps finding viruses, and they keep coming back after removal. I had to go into the registry to turn Defender back on. I am unable to update Windows.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20.06.2018
Ran by Karen (administrator) on DESKTOP-J76698K (11-07-2018 14:51:51)
Running from C:\Users\Karen\Desktop
Loaded Profiles: Karen (Available Profiles: Karen & DefaultAppPool)
Platform: Windows 10 Pro Version 1709 16299.371 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(TOSHIBA CORPORATION) C:\Windows\System32\vsncdigsvc.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\HidMonitorSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1806.18062-0\MsMpEng.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1806.18062-0\NisSrv.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.WindowsStore_11805.1001.42.0_x64__8wekyb3d8bbwe\WinStore.App.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2096424 2010-05-28] (Synaptics Incorporated)
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [745288 2015-06-25] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Nowicki] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKLM\...\Run: [Conked] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [37232 2008-06-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [640376 2008-06-11] (Adobe Systems Inc.)
HKLM-x32\...\Run: [Permanent] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKLM-x32\...\Run: [Foreclosure] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
Winlogon\Notify\igfxcui: igfxdev.dll [X]
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Paiute] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Smite] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Businesspeople] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Absentia] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [sinatra] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\MountPoints2: {117b24e4-df89-11e7-a919-806e6f6e6963} - "D:\SETUP.EXE" /adminfile IU.MSP
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\MountPoints2: {37240579-3ceb-11e8-a91f-ecf4bb03df43} - "E:\LaunchU3.exe" -a
AppInit_DLLs-x32: acaptuser32.dll => C:\Windows\SysWOW64\acaptuser32.dll [111992 2008-06-11] (Adobe Systems, Inc.)
Startup: C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\saal.lnk [2018-06-28]
ShortcutTarget: saal.lnk -> C:\Program Files (x86)\Anchovies\Snowboards.exe (No File)
Startup: C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\saalsaal.lnk [2018-06-28]
ShortcutTarget: saalsaal.lnk -> C:\Program Files (x86)\commodious\Dobb.exe (No File)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{bf7d2dc1-1efd-4670-b506-186d9b768cae}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{ee701c51-f0ff-42be-82f9-b69c86450ccd}: [DhcpNameServer] 192.168.4.1
 
Internet Explorer:
==================
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11] (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11] (Adobe Systems Incorporated)
 
FireFox:
========
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-18] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-18] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default [2018-07-11]
CHR Extension: (Slides) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-04-10]
CHR Extension: (Docs) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-04-10]
CHR Extension: (Google Drive) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-04-10]
CHR Extension: (YouTube) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-04-10]
CHR Extension: (Sheets) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-04-10]
CHR Extension: (Google Docs Offline) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-04-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-04-10]
CHR Extension: (Gmail) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-04-10]
CHR Extension: (Chrome Media Router) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-06-28]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
HKLM\SYSTEM\CurrentControlSet\Services\ovdgmtkp <==== ATTENTION (Rootkit!)
 
R2 ApHidMonitorService; C:\Program Files\DellTPad\HidMonitorSvc.exe [96120 2015-06-25] (Alps Electric Co., Ltd.)
S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [651720 2018-04-10] (Macrovision Europe Ltd.) [File not signed]
R2 igfxCUIService1.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [329192 2016-06-02] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6541008 2018-05-09] (Malwarebytes)
R2 osrss; C:\WINDOWS\system32\osrss.dll [131288 2018-06-27] (Microsoft Corporation)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [4329952 2017-12-13] (Microsoft Corporation)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\NisSrv.exe [3925648 2018-06-28] (Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MsMpEng.exe [100080 2018-06-28] (Microsoft Corporation)
S4 windowsmanagementservice; windowsmanagementservice [X] <==== ATTENTION
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 DellRbtn; C:\WINDOWS\System32\drivers\DellRbtn.sys [19440 2016-03-31] (OSR Open Systems Resources, Inc.)
R3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [253664 2018-07-11] (Malwarebytes)
S3 rismcx64; C:\WINDOWS\system32\DRIVERS\rismcx64.sys [59008 2009-07-20] (RICOH Company, Ltd.)
S3 smbdirect; C:\WINDOWS\System32\DRIVERS\smbdirect.sys [151552 2017-09-29] (Microsoft Corporation)
R3 ST_Accel; C:\WINDOWS\system32\DRIVERS\ST_Accel.sys [154280 2016-10-12] (STMicroelectronics)
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [46592 2018-06-28] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [340008 2018-06-28] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [59944 2018-06-28] (Microsoft Corporation)
S3 pswzcc; system32\drivers\vzcfim.sys [X]
R3 wzcfjm; system32\drivers\cfjmps.sys [X]
S4 zpxwc; System32\drivers\pcrltuze.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-07-11 14:51 - 2018-07-11 14:52 - 000013771 _____ C:\Users\Karen\Desktop\FRST.txt
2018-07-11 14:51 - 2018-07-11 14:51 - 000000000 ____D C:\FRST
2018-07-11 14:51 - 2018-07-11 14:49 - 002412544 _____ (Farbar) C:\Users\Karen\Desktop\FRST64.exe
2018-07-11 14:09 - 2018-07-11 14:09 - 001802704 _____ (Bleeping Computer, LLC) C:\Users\Karen\Downloads\rkill.exe
2018-07-11 14:05 - 2018-07-11 14:05 - 000000000 ____D C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TouchPad
2018-07-11 10:53 - 2018-07-11 14:05 - 000253664 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2018-07-11 06:56 - 2018-07-11 14:06 - 000000000 ____D C:\Users\Karen\AppData\Local\upcgwxk
2018-07-02 02:56 - 2018-07-02 02:56 - 000000000 ____D C:\WINDOWS\%ALLUSERSPROFILE%
2018-06-29 15:17 - 2018-06-29 15:17 - 011599632 _____ (SurfRight B.V.) C:\Users\Karen\Downloads\HitmanPro_x64.exe
2018-06-29 15:15 - 2018-06-29 15:15 - 007372496 _____ (Malwarebytes) C:\Users\Karen\Downloads\AdwCleaner.exe
2018-06-29 14:54 - 2018-06-29 14:54 - 000145232 ____N C:\WINDOWS\system32\Drivers\sbrruxbe.sys
2018-06-29 14:52 - 2018-06-29 14:52 - 006625600 _____ (Zemana Ltd. ) C:\Users\Karen\Downloads\Zemana.AntiMalware.Setup (1).exe
2018-06-29 14:51 - 2018-06-29 14:51 - 006625600 _____ (Zemana Ltd. ) C:\Users\Karen\Downloads\Zemana.AntiMalware.Setup.exe
2018-06-29 14:23 - 2018-06-29 14:24 - 006625600 _____ (Zemana Ltd. ) C:\Users\Karen\Desktop\Zemana.AntiMalware.Setup.exe
2018-06-29 13:41 - 2018-06-29 13:41 - 000000000 ____D C:\$WINDOWS.~LS
2018-06-29 13:39 - 2018-06-29 13:39 - 000000000 ____D C:\$WINDOWS.~BT
2018-06-29 13:32 - 2018-06-29 13:32 - 000001804 _____ C:\Users\Karen\Desktop\Windows Compatibility Report.htm
2018-06-28 22:51 - 2018-06-28 22:51 - 000000000 ____D C:\Users\Karen\AppData\Local\ElevatedDiagnostics
2018-06-28 22:07 - 2018-06-28 22:07 - 001130840 _____ (Google Inc.) C:\Users\Karen\Downloads\ChromeSetup (1).exe
2018-06-28 21:15 - 2018-06-28 21:17 - 000015162 _____ C:\TDSSKiller.3.1.0.7_28.06.2018_21.15.07_log.txt
2018-06-28 16:14 - 2018-07-11 10:53 - 000152688 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbae64.sys
2018-06-28 16:14 - 2018-06-28 20:04 - 000000000 ____D C:\ProgramData\AutoKMS
2018-06-28 16:14 - 2018-06-28 16:14 - 000001919 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-06-28 16:14 - 2018-06-28 16:14 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-06-28 10:51 - 2018-07-10 22:02 - 000030768 _____ C:\Users\Karen\Desktop\Rkill.txt
2018-06-28 10:50 - 2018-06-28 10:51 - 000000000 ____D C:\Users\Karen\Desktop\Spyware, virus removal tools
2018-06-28 10:50 - 2018-06-28 10:50 - 000000364 _____ C:\TDSSKiller.3.1.0.7_28.06.2018_10.50.09_log.txt
2018-06-28 10:44 - 2018-06-28 10:44 - 000000020 ___SH C:\Users\DefaultAppPool\ntuser.ini
2018-06-28 10:44 - 2018-06-28 10:44 - 000000000 ____D C:\Users\DefaultAppPool
2018-06-28 10:44 - 2018-04-10 14:32 - 000000000 ____D C:\Users\DefaultAppPool\AppData\Local\Microsoft Help
2018-06-28 10:43 - 2018-06-28 10:43 - 000000364 _____ C:\TDSSKiller.3.1.0.7_28.06.2018_10.43.45_log.txt
2018-06-28 10:29 - 2018-06-28 10:29 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\edudnspz.sys
2018-06-28 10:27 - 2018-06-28 10:27 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dozqccoy.sys
2018-06-28 10:10 - 2018-06-28 10:30 - 000000001 _____ C:\g5j5qyh98fefujt
2018-06-28 09:54 - 2018-07-11 09:14 - 000000000 ____D C:\Users\Karen\AppData\Local\dsswnag
2018-06-28 09:54 - 2018-06-28 09:54 - 000000000 ____D C:\Users\Karen\AppData\Local\CEF
2018-06-28 09:51 - 2018-06-28 09:51 - 000000000 ____D C:\Users\Karen\AppData\Local\wmitlcb
2018-06-28 09:49 - 2018-07-11 14:04 - 002912256 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\vsncdigsvc.exe
2018-06-28 09:49 - 2018-06-28 09:49 - 000000000 ____D C:\WINDOWS\SysWOW64\avelbxz
2018-06-28 09:49 - 2018-06-28 09:49 - 000000000 ____D C:\WINDOWS\system32\avelbxz
2018-06-28 09:49 - 2018-06-28 09:49 - 000000000 ____D C:\Users\Karen\AppData\Roaming\et
2018-06-28 09:48 - 2018-07-11 09:53 - 000000000 ___HD C:\Program Files (x86)\nightclubs
2018-06-28 09:48 - 2018-06-28 09:48 - 000003844 _____ C:\WINDOWS\System32\Tasks\bleakness-jewelers
2018-06-28 09:48 - 2018-06-28 09:48 - 000003836 _____ C:\WINDOWS\System32\Tasks\tiptop
2018-06-28 09:48 - 2018-06-28 09:48 - 000003836 _____ C:\WINDOWS\System32\Tasks\nouvelles
2018-06-28 09:48 - 2018-06-28 09:48 - 000003824 _____ C:\WINDOWS\System32\Tasks\hazed
2018-06-28 09:48 - 2018-06-28 09:48 - 000003730 _____ C:\WINDOWS\System32\Tasks\bleakness-jewelersbleakness-jewelers
2018-06-28 09:48 - 2018-06-28 09:48 - 000003704 _____ C:\WINDOWS\System32\Tasks\nouvellesnouvelles
2018-06-28 09:48 - 2018-06-28 09:48 - 000003698 _____ C:\WINDOWS\System32\Tasks\tiptoptiptop
2018-06-28 09:48 - 2018-06-28 09:48 - 000003684 _____ C:\WINDOWS\System32\Tasks\hazedhazed
2018-06-28 09:48 - 2018-06-28 09:48 - 000000012 _____ C:\WINDOWS\b7478122
2018-06-28 09:48 - 2018-06-28 09:48 - 000000000 ___HD C:\Program Files (x86)\Elliman
2018-06-28 09:48 - 2018-06-28 09:48 - 000000000 ____D C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
2018-06-28 09:47 - 2018-06-28 09:50 - 000000000 ____D C:\Users\Karen\AppData\Roaming\AGData
2018-06-28 09:44 - 2018-07-11 09:53 - 000000000 ____D C:\Program Files (x86)\Microsoft Toolkit Final
2018-06-28 09:43 - 2018-06-28 09:43 - 000000000 ____D C:\Users\Karen\AppData\Roaming\WinRAR
2018-06-28 09:43 - 2018-06-28 09:43 - 000000000 ____D C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2018-06-28 09:43 - 2018-06-28 09:43 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2018-06-28 09:43 - 2018-06-28 09:43 - 000000000 ____D C:\Program Files (x86)\WinRAR
2018-06-28 09:42 - 2018-06-28 09:42 - 002894824 _____ (Alexander Roshal) C:\Users\Karen\Downloads\wrar560.exe
2018-06-28 09:40 - 2018-06-28 09:40 - 003699972 _____ C:\Users\Karen\Downloads\Microsoft Toolkit Final pass 123456.rar
2018-06-28 09:03 - 2018-06-28 09:44 - 000000000 ____D C:\Users\Karen\Desktop\Office 2010 Toolkit
2018-06-28 03:19 - 2018-06-28 03:19 - 000031744 _____ C:\WINDOWS\osteen.exe
2018-06-28 03:19 - 2018-06-28 03:19 - 000031744 _____ C:\Users\Karen\AppData\Local\Snowboards.exe
2018-06-28 03:19 - 2018-06-28 03:19 - 000031744 _____ C:\Users\Karen\AppData\Local\Dobb.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-07-11 14:51 - 2018-04-10 17:33 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2018-07-11 14:47 - 2017-09-29 09:37 - 000000000 ____D C:\WINDOWS\CbsTemp
2018-07-11 14:05 - 2018-04-10 11:27 - 000000000 __SHD C:\Users\Karen\IntelGraphicsProfiles
2018-07-11 14:04 - 2018-04-10 17:54 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2018-07-11 13:09 - 2017-09-29 04:45 - 013369344 _____ C:\WINDOWS\system32\config\HARDWARE
2018-07-11 09:55 - 2018-04-10 17:42 - 000000000 ____D C:\Users\Karen
2018-07-11 09:30 - 2017-09-29 09:46 - 000000000 ____D C:\WINDOWS\DeliveryOptimization
2018-07-10 08:30 - 2017-09-29 09:46 - 000000000 ___HD C:\Program Files\WindowsApps
2018-07-10 08:30 - 2017-09-29 09:46 - 000000000 ____D C:\WINDOWS\AppReadiness
2018-06-29 16:07 - 2017-08-14 20:59 - 000000000 ____D C:\WINDOWS\system32\MRT
2018-06-29 16:04 - 2018-04-10 14:59 - 133315992 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2018-06-29 16:03 - 2017-08-14 20:59 - 133315992 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2018-06-29 15:01 - 2017-08-14 19:50 - 001077422 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2018-06-29 14:54 - 2017-09-29 04:45 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2018-06-29 13:48 - 2018-04-10 17:53 - 000002207 _____ C:\WINDOWS\diagwrn.xml
2018-06-29 13:48 - 2018-04-10 17:53 - 000001908 _____ C:\WINDOWS\diagerr.xml
2018-06-28 22:56 - 2017-09-29 09:46 - 000000000 ____D C:\WINDOWS\system32\NDF
2018-06-28 22:49 - 2017-09-29 09:44 - 000000000 ____D C:\WINDOWS\INF
2018-06-28 22:11 - 2018-04-10 12:29 - 000002380 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-06-28 22:11 - 2018-04-10 12:29 - 000002339 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-06-28 20:00 - 2018-04-10 17:54 - 000003376 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1862989718-165141890-1895766380-1001
2018-06-28 20:00 - 2018-04-10 11:30 - 000002370 _____ C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2018-06-28 20:00 - 2018-04-10 11:30 - 000000000 ___RD C:\Users\Karen\OneDrive
2018-06-28 19:53 - 2017-09-29 09:46 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2018-06-28 16:08 - 2018-04-10 17:33 - 000411616 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2018-06-28 09:27 - 2018-04-10 18:42 - 000446258 _____ C:\WINDOWS\AutoKMS.exe
2018-06-28 09:27 - 2018-04-10 18:42 - 000003142 _____ C:\WINDOWS\System32\Tasks\AutoKMS
2018-06-28 09:09 - 2018-04-10 19:06 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2018-06-27 12:10 - 2018-04-10 11:25 - 000131288 _____ (Microsoft Corporation) C:\WINDOWS\system32\osrss.dll
 
==================== Files in the root of some directories =======
 
2018-06-28 03:19 - 2018-06-28 03:19 - 000031744 _____ () C:\Users\Karen\AppData\Local\Dobb.exe
2018-06-28 03:19 - 2018-06-28 03:19 - 000031744 _____ () C:\Users\Karen\AppData\Local\Snowboards.exe
 
Some zero byte size files/folders:
==========================
C:\Windows\System32\igfxDILib.dll
C:\Windows\System32\igfxDILibv2_0.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\WINDOWS\system32\drivers\sbrruxbe.sys -> Access Denied <======= ATTENTION
 
LastRegBack: 2018-07-08 22:55
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20.06.2018
Ran by Karen (11-07-2018 14:53:33)
Running from C:\Users\Karen\Desktop
Windows 10 Pro Version 1709 16299.371 (X64) (2018-04-10 21:56:41)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1862989718-165141890-1895766380-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1862989718-165141890-1895766380-503 - Limited - Disabled)
Guest (S-1-5-21-1862989718-165141890-1895766380-501 - Limited - Disabled)
Karen (S-1-5-21-1862989718-165141890-1895766380-1001 - Administrator - Enabled) => C:\Users\Karen
WDAGUtilityAccount (S-1-5-21-1862989718-165141890-1895766380-504 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7761-000000000004}{AC76BA86-1033-F400-7761-000000000004}) (Version: 9.0.0 - Adobe Systems)
Canon MX870 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX870_series) (Version:  - )
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 10.1207.101.103 - ALPS ELECTRIC CO., LTD.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 67.0.3396.99 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.17 - Google Inc.) Hidden
Malwarebytes version 3.5.1.2522 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.5.1.2522 - Malwarebytes)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\OneDriveSetup.exe) (Version: 18.091.0506.0007 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
osrss (HKLM-x32\...\{1BA1133B-1C7A-41A0-8CBF-9B993E63D296}) (Version: 1.0.0 - Microsoft Corporation) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.0.17.4 - Synaptics Incorporated)
Update for Windows 10 for x64-based Systems (KB4023057) (HKLM\...\{AAB396C1-4338-4825-BFA1-A085F3C55781}) (Version: 2.19.0.0 - Microsoft Corporation)
UpdateAssistant (HKLM\...\{F3874F6F-EA00-487D-BEAD-5FAA010E78F2}) (Version: 1.15.0.0 - Microsoft Corporation) Hidden
Windows 10 Update Assistant (HKLM-x32\...\{D5C69738-B486-402E-85AC-2456D98A64E4}) (Version: 1.4.9200.22402 - Microsoft Corporation)
Windows Setup Remediations (x64) (KB4023057) (HKLM\...\{5534e02f-0f5d-40dd-ba92-bea38d22384d}.sdb) (Version:  - )
WinRAR 5.60 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.60.0 - win.rar GmbH)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-1862989718-165141890-1895766380-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\WINDOWS\system32\igfxEM.exe (Intel Corporation)
ContextMenuHandlers1: [Adobe.Acrobat.ContextMenu] -> {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\..\Acrobat Elements\ContextMenu64.dll [2008-06-11] (Adobe Systems Inc.)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2018-06-24] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext.dll [2018-06-24] (Alexander Roshal)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-05-09] (Malwarebytes)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\WINDOWS\system32\igfxDTCM.dll [2016-06-02] (Intel Corporation)
ContextMenuHandlers6: [Adobe.Acrobat.ContextMenu] -> {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\..\Acrobat Elements\ContextMenu64.dll [2008-06-11] (Adobe Systems Inc.)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-05-09] (Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2018-06-24] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext.dll [2018-06-24] (Alexander Roshal)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {2374AA84-E2F8-4A52-BF84-58D4BD10F16D} - System32\Tasks\nouvelles => C:\Program Files (x86)\Anchovies\Snowboards.exe
Task: {2A5243BE-D463-4C60-882B-9D301C026A8C} - System32\Tasks\tiptop => C:\Program Files (x86)\differences\differences.exe
Task: {2C2B4153-543E-4CDA-B4DA-6F54D5DC3E31} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MpCmdRun.exe [2018-06-28] (Microsoft Corporation)
Task: {3DFD35CF-5948-4028-B031-8AAAE4F440E6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-04-10] (Google Inc.)
Task: {462CA106-4B96-47C4-9F7E-9224E170E2BE} - System32\Tasks\hazed => C:\Program Files (x86)\Careering\explicit.exe
Task: {4BB55FEE-35BC-4D74-BA02-A11162A70146} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {522253EA-0274-4DF4-83C8-2E3AEBFDB5AA} - System32\Tasks\bleakness-jewelersbleakness-jewelers => C:\Program Files (x86)\commodious\Dobb.exe
Task: {5660E116-3562-43A8-A8C8-01034497163E} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MpCmdRun.exe [2018-06-28] (Microsoft Corporation)
Task: {76F1B57F-43F9-40B4-9183-2CCB14451B40} - System32\Tasks\tiptoptiptop => C:\Program Files (x86)\differences\differences.exe
Task: {963D0D1C-BEA3-48E9-9F18-7CC6F6673122} - System32\Tasks\nouvellesnouvelles => C:\Program Files (x86)\Anchovies\Snowboards.exe
Task: {A2BA9F5A-A0D8-4B55-A58E-C6C469376D13} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MpCmdRun.exe [2018-06-28] (Microsoft Corporation)
Task: {B4287672-F100-46DD-9ED9-6618B770F1EC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-04-10] (Google Inc.)
Task: {CA58DF6C-AB00-4CB6-8009-464BFDDCEFD3} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MpCmdRun.exe [2018-06-28] (Microsoft Corporation)
Task: {CF05F9AE-927C-4CD5-BC14-1EFB5D652A81} - System32\Tasks\bleakness-jewelers => C:\Program Files (x86)\commodious\Dobb.exe
Task: {FADEE08E-8922-403B-BF5A-0EEF01827513} - System32\Tasks\Microsoft\Windows\Setup\EOSNotify => C:\WINDOWS\system32\EOSNotify.exe
Task: {FBC70573-38B7-4154-94B7-03F3DB7A0036} - System32\Tasks\hazedhazed => C:\Program Files (x86)\Careering\explicit.exe
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-09-29 09:41 - 2017-09-29 09:41 - 000184432 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2018-06-28 16:14 - 2018-07-11 10:53 - 002433744 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2013-09-05 00:17 - 2013-09-05 00:17 - 004300456 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:23 - 2010-10-20 15:23 - 008801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2018-04-10 18:37 - 2018-02-21 20:26 - 011044864 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2018-04-10 18:38 - 2018-02-21 20:21 - 001804288 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2018-06-29 19:19 - 2018-06-29 19:19 - 000086528 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2018-06-29 19:19 - 2018-06-29 19:19 - 000195072 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2018-06-29 19:19 - 2018-06-29 19:19 - 022374400 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2018-06-29 19:19 - 2018-06-29 19:19 - 002610176 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\skypert.dll
2018-06-28 09:13 - 2018-06-22 15:15 - 004608856 _____ () C:\Program Files (x86)\Google\Chrome\Application\67.0.3396.99\libglesv2.dll
2018-06-28 09:13 - 2018-06-22 15:15 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\67.0.3396.99\libegl.dll
2018-06-29 19:19 - 2018-06-29 19:19 - 000093696 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsStore_11805.1001.42.0_x64__8wekyb3d8bbwe\WinStore.Preview.dll
2018-06-29 19:19 - 2018-06-29 19:19 - 002447072 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsStore_11805.1001.42.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.dll
2018-06-29 19:19 - 2018-06-29 19:19 - 007813632 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsStore_11805.1001.42.0_x64__8wekyb3d8bbwe\WinStore.Entertainment.Mobile.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\WINDOWS\system32\test_keyboard.exe:xdg.origin.url [129]
AlternateDataStreams: C:\WINDOWS\system32\test_keyboard.exe:xdg.referrer.url [97]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\dozqccoy.sys:changelist [2574]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\edudnspz.sys:changelist [1146]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2015-10-30 03:24 - 2018-06-28 21:41 - 000000850 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Karen\Desktop\Karens phone pictures\Camera\_20150426_181517.JPG
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run: => "Conked"
HKLM\...\StartupApproved\Run32: => "Foreclosure"
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\StartupApproved\Run: => "Absentia"
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\StartupApproved\Run: => "Smite"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [TCP Query User{4AF746BD-6E82-40A0-B1F5-FFE10284FA7F}C:\users\karen\appdata\local\temp\keygen.exe] => (Allow) C:\users\karen\appdata\local\temp\keygen.exe
FirewallRules: [UDP Query User{19CD59C3-7B1A-41E7-9937-04DDEA2E9A51}C:\users\karen\appdata\local\temp\keygen.exe] => (Allow) C:\users\karen\appdata\local\temp\keygen.exe
FirewallRules: [{C987400B-D22C-429B-B455-34ADFE754992}] => (Allow) C:\Program Files (x86)\Anchovies\Snowboards.exe
FirewallRules: [{3BD03343-1FB5-4B83-9F31-E7CCDB5680AB}] => (Allow) C:\Program Files (x86)\Elliman\Snowboards.exe
FirewallRules: [{3FF23900-81DF-4A7E-9C94-9A661916DCAA}] => (Allow) C:\Program Files (x86)\commodious\Dobb.exe
FirewallRules: [{6274F12C-6E26-4E18-A227-594E1DFAF7B1}] => (Allow) C:\Program Files (x86)\Elliman\Dobb.exe
FirewallRules: [{0BA7F87E-48CA-407F-87B0-2273B92056BE}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/02/2018 02:56:44 PM) (Source: Microsoft-Windows-CertificateServicesClient) (EventID: 1003) (User: DESKTOP-J76698K)
Description: Certificate Services Client  failed to invoke the Providers in response to event 512. Error code 2147943855.
 
Error: (07/02/2018 02:56:44 PM) (Source: Microsoft-Windows-CertificateServicesClient) (EventID: 1001) (User: DESKTOP-J76698K)
Description: Certificate Services Client failed to load Provider pautoenr.dll. Error code 1455.
 
Error: (07/02/2018 02:55:50 PM) (Source: Microsoft-Windows-CertificateServicesClient) (EventID: 1003) (User: NT AUTHORITY)
Description: Certificate Services Client  failed to invoke the Providers in response to event 256. Error code 2147943855.
 
Error: (07/02/2018 02:55:50 PM) (Source: Microsoft-Windows-CertificateServicesClient) (EventID: 1001) (User: NT AUTHORITY)
Description: Certificate Services Client failed to load Provider pautoenr.dll. Error code 1455.
 
Error: (07/02/2018 06:55:43 AM) (Source: Microsoft-Windows-CertificateServicesClient) (EventID: 1003) (User: DESKTOP-J76698K)
Description: Certificate Services Client  failed to invoke the Providers in response to event 512. Error code 2147943855.
 
Error: (07/02/2018 06:55:43 AM) (Source: Microsoft-Windows-CertificateServicesClient) (EventID: 1001) (User: DESKTOP-J76698K)
Description: Certificate Services Client failed to load Provider pautoenr.dll. Error code 1455.
 
Error: (07/02/2018 02:57:40 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine GetProviderMgmtInterface.  hr = 0x8004230f.
 
Error: (07/02/2018 02:57:40 AM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x800705aa, Insufficient system resources exist to complete the requested service.
].
 
 
Operation:
   Obtain a callable interface for this provider
   Obtaining provider management interface
 
Context:
   Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Class ID: {00000000-0000-0000-0000-000000000000}
   Snapshot Context: -1
   Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
 
 
System errors:
=============
Error: (07/11/2018 02:49:37 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (07/11/2018 02:49:37 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (07/11/2018 02:49:37 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (07/11/2018 02:49:37 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (07/11/2018 02:49:37 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (07/11/2018 02:38:26 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (07/11/2018 02:38:26 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (07/11/2018 02:38:26 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
 
Windows Defender:
===================================
Date: 2018-07-11 14:35:39.428
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win32/Detrahere!reg
ID: 2147727777
Severity: Severe
Category: Trojan
Path: regkeyvalue:_HKLM\SYSTEM\CurrentControlSet\Control\Network\\set_pt
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Signature Version: AV: 1.271.798.0, AS: 1.271.798.0, NIS: 1.271.798.0
Engine Version: AM: 1.1.15000.2, NIS: 1.1.15000.2
 
Date: 2018-07-11 14:11:18.490
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win32/SquareNet.Q
ID: 2147727751
Severity: Severe
Category: Trojan
Path: file:_C:\Users\Karen\AppData\Local\upcgwxk\dsivuer.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Users\Karen\AppData\Local\upcgwxk\upcgwxk.exe
Signature Version: AV: 1.271.798.0, AS: 1.271.798.0, NIS: 1.271.798.0
Engine Version: AM: 1.1.15000.2, NIS: 1.1.15000.2
 
Date: 2018-07-11 14:10:26.553
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win32/SquareNet.Q
ID: 2147727751
Severity: Severe
Category: Trojan
Path: file:_C:\Users\Karen\AppData\Local\upcgwxk\dsivuer.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Users\Karen\AppData\Local\upcgwxk\dsivuer.exe
Signature Version: AV: 1.271.798.0, AS: 1.271.798.0, NIS: 1.271.798.0
Engine Version: AM: 1.1.15000.2, NIS: 1.1.15000.2
 
Date: 2018-07-11 14:10:15.237
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win32/SquareNet.Q
ID: 2147727751
Severity: Severe
Category: Trojan
Path: file:_C:\Users\Karen\AppData\Local\upcgwxk\dsivuer.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Users\Karen\AppData\Local\upcgwxk\dsivuer.exe
Signature Version: AV: 1.271.798.0, AS: 1.271.798.0, NIS: 1.271.798.0
Engine Version: AM: 1.1.15000.2, NIS: 1.1.15000.2
 
Date: 2018-07-11 14:09:40.540
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win32/SquareNet.Q
ID: 2147727751
Severity: Severe
Category: Trojan
Path: file:_C:\Users\Karen\AppData\Local\upcgwxk\dsivuer.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Users\Karen\AppData\Local\upcgwxk\dsivuer.exe
Signature Version: AV: 1.271.798.0, AS: 1.271.798.0, NIS: 1.271.798.0
Engine Version: AM: 1.1.15000.2, NIS: 1.1.15000.2
 
Date: 2018-07-11 14:18:04.329
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.271.798.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.15000.2
Error code: 0x80070422
Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. 
 
Date: 2018-07-11 13:26:00.805
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.271.798.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.15000.2
Error code: 0x80070422
Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. 
 
Date: 2018-07-11 12:36:29.443
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.271.798.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.15000.2
Error code: 0x80070422
Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. 
 
Date: 2018-07-11 11:48:24.211
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.271.798.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.15000.2
Error code: 0x80070422
Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. 
 
Date: 2018-07-11 10:59:10.066
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.271.798.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.15000.2
Error code: 0x80070422
Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. 
 
CodeIntegrity:
===================================
 
Date: 2018-06-28 22:31:11.919
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.18.1806.18062-0\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-06-28 22:29:35.587
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.18.1806.18062-0\NisSrv.exe that did not meet the Custom 3 / Antimalware signing level requirements.
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-3340M CPU @ 2.70GHz
Percentage of memory in use: 51%
Total physical RAM: 3969.02 MB
Available physical RAM: 1905.44 MB
Total Virtual: 5441.02 MB
Available Virtual: 2917.47 MB
 
==================== Drives ================================
 
Drive c: (Windows) (Fixed) (Total:297.25 GB) (Free:245.59 GB) NTFS
Drive d: (Office 2010 Prof) (CDROM) (Total:0.73 GB) (Free:0 GB) CDFS
Drive e: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
Drive f: (SANDISC) (Removable) (Total:1.91 GB) (Free:0.82 GB) FAT
 
\\?\Volume{ed327dcc-0000-0000-0000-100000000000}\ (System) (Fixed) (Total:0.34 GB) (Free:0.31 GB) NTFS
\\?\Volume{ed327dcc-0000-0000-0000-10664a000000}\ () (Fixed) (Total:0.49 GB) (Free:0.08 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 298.1 GB) (Disk ID: ED327DCC)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=297.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=506 MB) - (Type=27)
 
========================================================
Disk: 1 (Size: 1.9 GB) (Disk ID: 003E2B83)
Partition 1: (Active) - (Size=1.9 GB) - (Type=06)
 
==================== End of Addition.txt ============================
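
The Addition.txt above is mostly read by eye; the following is an added example for this thread, not FRST's own code and not part of Gary's procedure. It is a small Python 3 script that parses the Task:, ...\Run: and FirewallRules: lines in the shape FRST prints them, groups every reference by the executable it points at, and flags the patterns visible in this log: a target printed with no "[date] (Signer)" suffix, a target under a temp directory, a task whose file is gone, a firewall Allow rule for an unverified binary, and one binary wired into several autostart locations at once. The flag names and the heuristics are the example's own, and the sample log is constructed from lines in this thread. Caveat: a missing signer suffix is a reading-order hint, not a verdict; FRST prints none for EOSNotify.exe above either, and that is a stock Windows component.

```python
# Added example: triage of FRST persistence lines. Not FRST's code and not
# the helper's procedure; flag names and heuristics are this example's own.
import re
from collections import defaultdict

# Constructed sample in the shape FRST prints, built from lines in this thread.
SAMPLE_LOG = r"""
Task: {2374AA84-E2F8-4A52-BF84-58D4BD10F16D} - System32\Tasks\nouvelles => C:\Program Files (x86)\Anchovies\Snowboards.exe
Task: {2C2B4153-543E-4CDA-B4DA-6F54D5DC3E31} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MpCmdRun.exe [2018-06-28] (Microsoft Corporation)
Task: {4BB55FEE-35BC-4D74-BA02-A11162A70146} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {CF05F9AE-927C-4CD5-BC14-1EFB5D652A81} - System32\Tasks\bleakness-jewelers => C:\Program Files (x86)\commodious\Dobb.exe
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM\...\Run: [Conked] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Paiute] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
FirewallRules: [TCP Query User{4AF746BD-6E82-40A0-B1F5-FFE10284FA7F}C:\users\karen\appdata\local\temp\keygen.exe] => (Allow) C:\users\karen\appdata\local\temp\keygen.exe
FirewallRules: [{C987400B-D22C-429B-B455-34ADFE754992}] => (Allow) C:\Program Files (x86)\Anchovies\Snowboards.exe
FirewallRules: [{3FF23900-81DF-4A7E-9C94-9A661916DCAA}] => (Allow) C:\Program Files (x86)\commodious\Dobb.exe
FirewallRules: [{0BA7F87E-48CA-407F-87B0-2273B92056BE}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
"""

TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (\S.*?) (?:=> (.+)|-> No File.*)$")
RUN_RE = re.compile(r"^(HK\S*?)\\\.\.\.\\Run(?:32)?: \[([^\]]*)\] => (.+)$")
FW_RE = re.compile(r"^FirewallRules: \[(.+?)\] => \((Allow|Block)\) (.+)$")
SUFFIX_RE = re.compile(r" \[[^\]]*\] \(([^)]*)\)$")   # FRST's "[size date] (Signer)"
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)


def split_target(raw):
    """Return (path, signer): signer is None when FRST printed no "[...] (Signer)"
    suffix (file missing or not examined), "" when the suffix is there but empty."""
    raw, signer = raw.strip(), None
    m = SUFFIX_RE.search(raw)
    if m:
        signer, raw = m.group(1).strip(), raw[: m.start()]
    path = raw[1 : raw.index('"', 1)] if raw.startswith('"') else raw
    return path, signer


def parse(log_text):
    """Yield (kind, name, path, signer, extra) for Task/Run/FirewallRules lines."""
    for line in log_text.splitlines():
        m = TASK_RE.match(line)
        if m:
            task, target = m.groups()
            if target is None:
                yield "task", task, None, None, "No File"
            else:
                yield ("task", task, *split_target(target), None)
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, target = m.groups()
            yield ("run", f"{hive} [{name}]", *split_target(target), None)
            continue
        m = FW_RE.match(line)
        if m:
            rule, action, target = m.groups()
            yield ("firewall", rule, *split_target(target), action)


def triage(log_text):
    """Group every reference by target path (case-folded) and attach flags."""
    by_path = defaultdict(lambda: {"refs": [], "flags": set()})
    missing = []                                   # tasks whose file is gone
    for kind, name, path, signer, extra in parse(log_text):
        if path is None:
            missing.append(name)
            continue
        e = by_path[path.lower()]
        e["refs"].append((kind, name))
        # FRST never prints a signer on FirewallRules lines, so only judge Task/Run.
        if kind != "firewall" and signer is None:
            e["flags"].add("no-signer-info")
        elif kind != "firewall" and signer == "":
            e["flags"].add("unsigned")
        if TEMP_RE.search(path):
            e["flags"].add("temp-path")
        if kind == "firewall" and extra == "Allow":
            e["flags"].add("firewall-allow")
    for e in by_path.values():
        if sum(k != "firewall" for k, _ in e["refs"]) >= 2:
            e["flags"].add("multi-persistence")    # same binary, several autostarts
        if "firewall-allow" in e["flags"] and e["flags"] & {"no-signer-info", "unsigned", "temp-path"}:
            e["flags"].add("allow-for-suspect")    # firewall hole for an unverified binary
    return by_path, missing


def suspects(log_text):
    """Return ([(path, sorted_flags, ref_count), ...], missing_tasks). A bare
    firewall-allow on an otherwise clean binary (chrome.exe) is not reported."""
    by_path, missing = triage(log_text)
    out = [(p, sorted(e["flags"] - {"firewall-allow"}), len(e["refs"]))
           for p, e in by_path.items() if e["flags"] - {"firewall-allow"}]
    return sorted(out), missing


if __name__ == "__main__":
    for path, flags, n in suspects(SAMPLE_LOG)[0]:
        print(f"{path}  refs={n}  {', '.join(flags)}")
```

Run it against a real Addition.txt with suspects(open("Addition.txt", encoding="utf-8").read()); on the constructed sample it reports Snowboards.exe and Dobb.exe (no signer, two autostarts each, firewall exception) and keygen.exe (temp path with a firewall exception), and stays silent on the signed Defender and Chrome entries.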

 



#2 Oh My! (Malware Response Instructor)

Posted 11 July 2018 - 09:24 PM

Greetings cablecon and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please do this.

===================================================

GMER

--------------------
  • Please download GMER and save it to your desktop
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO
  • Select Quick scan button
  • Uncheck the following:

Devices
IAT/EAT
Show All <<< Important

  • Click Scan
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
  • Note: If you encounter any problems, try running GMER in Safe Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • GMER report

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 cablecon (Topic Starter)

Posted 13 July 2018 - 10:23 AM

Hi Gary,

I am unable to install or run apps outside the app store. I've tried to change the setting to allow any app but it won't allow it. I restarted in safe mode and ran GMER and the scan begins and then the computer runs into issues and restarts. It happened all 3 times so far. What next?

Thank you



#4 Oh My! (Malware Response Instructor)

Posted 13 July 2018 - 10:35 AM

Greetings.

Did GMER give you any warnings when you attempted to run it? Please attempt to run it again in Normal Boot with only the Services box checked. If you can't, try it in Safe Mode.
Gary
 

#5 cablecon (Topic Starter)

Posted 13 July 2018 - 10:55 AM

I can't get it to run in normal boot. I keep getting the "your PC's settings only let it install verified apps from the store". I open settings and select "allow apps from anywhere" and try and run GMER and the warning "your PC's settings only let it install verified apps from the store" comes back.

It did give me the warning about rootkit activity when running in safe mode. But I get a BSOD before it finishes in safe mode.



#6 Oh My! (Malware Response Instructor)

Posted 13 July 2018 - 10:59 AM

OK, thank you.

First we must deal with this.

Unfortunately there is evidence of illegal software on your computer. I am going to request you completely uninstall Microsoft Office Professional Plus 2010 and any other products for which you do not have a valid Product Key, including all "cracked" software. If you are willing to do that please rerun a FRST scan after removal and copy/paste both reports in your reply. If you prefer to leave the program(s) on your computer let me know that and I will be closing the Topic.

If you decide to remove the program(s) please run this after removal.

===================================================

CKScanner

--------------------
  • Download CKScanner and save it to your Desktop
  • Double click CKScanner
  • Select Search For Files
  • Once completed select Save List to File
  • A ckfiles.txt document will be placed on your Desktop
  • Copy and paste the results of that report in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • CKScanner report
  • FRST report
  • Addition report

Gary
 

#7 cablecon (Topic Starter)

Posted 13 July 2018 - 11:05 AM

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2018-07-13 11:59:34
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000032 ST9320325AS rev.0005HPM1 298.09GB
Running: rf1g4f9o.exe; Driver: C:\Users\Karen\AppData\Local\Temp\awddyaob.sys
 
 
---- Services - GMER 2.2 ----
 
Service  system32\drivers\sbrkorux.sys (*** hidden *** )  [BOOT] ovdgmtkp   <-- ROOTKIT !!!
 
---- EOF - GMER 2.2 ----


#8 cablecon (Topic Starter)

Posted 13 July 2018 - 11:27 AM

Office removed. CKScanner will not run. I keep getting the "your PC's settings only let it install verified apps from the store". I open settings and select "allow apps from anywhere" and try and run CKScanner and the warning "your PC's settings only let it install verified apps from the store" comes back.
 
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20.06.2018
Ran by Karen (administrator) on DESKTOP-J76698K (13-07-2018 12:19:54)
Running from C:\Users\Karen\Desktop
Loaded Profiles: Karen (Available Profiles: Karen & DefaultAppPool)
Platform: Windows 10 Pro Version 1709 16299.371 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(TOSHIBA CORPORATION) C:\Windows\System32\vsncdigsvc.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\HidMonitorSvc.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2096424 2010-05-28] (Synaptics Incorporated)
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [745288 2015-06-25] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Nowicki] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKLM\...\Run: [Conked] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [37232 2008-06-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [640376 2008-06-11] (Adobe Systems Inc.)
HKLM-x32\...\Run: [Permanent] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKLM-x32\...\Run: [Foreclosure] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
Winlogon\Notify\igfxcui: igfxdev.dll [X]
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Paiute] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Smite] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Businesspeople] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Absentia] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [sinatra] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\MountPoints2: {117b24e4-df89-11e7-a919-806e6f6e6963} - "D:\SETUP.EXE" /adminfile IU.MSP
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\MountPoints2: {37240579-3ceb-11e8-a91f-ecf4bb03df43} - "E:\LaunchU3.exe" -a
AppInit_DLLs-x32: acaptuser32.dll => C:\Windows\SysWOW64\acaptuser32.dll [111992 2008-06-11] (Adobe Systems, Inc.)
Startup: C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\saal.lnk [2018-06-28]
ShortcutTarget: saal.lnk -> C:\Program Files (x86)\Anchovies\Snowboards.exe (No File)
Startup: C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\saalsaal.lnk [2018-06-28]
ShortcutTarget: saalsaal.lnk -> C:\Program Files (x86)\commodious\Dobb.exe (No File)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{bf7d2dc1-1efd-4670-b506-186d9b768cae}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{ee701c51-f0ff-42be-82f9-b69c86450ccd}: [DhcpNameServer] 192.168.4.1
 
Internet Explorer:
==================
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11] (Adobe Systems Incorporated)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11] (Adobe Systems Incorporated)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11] (Adobe Systems Incorporated)
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-18] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-18] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default [2018-07-13]
CHR Extension: (Slides) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-04-10]
CHR Extension: (Docs) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-04-10]
CHR Extension: (Google Drive) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-04-10]
CHR Extension: (YouTube) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-04-10]
CHR Extension: (Sheets) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-04-10]
CHR Extension: (Google Docs Offline) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-04-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-04-10]
CHR Extension: (Gmail) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-04-10]
CHR Extension: (Chrome Media Router) - C:\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-06-28]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
HKLM\SYSTEM\CurrentControlSet\Services\ovdgmtkp <==== ATTENTION (Rootkit!)
 
R2 ApHidMonitorService; C:\Program Files\DellTPad\HidMonitorSvc.exe [96120 2015-06-25] (Alps Electric Co., Ltd.)
S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [651720 2018-04-10] (Macrovision Europe Ltd.) [File not signed]
R2 igfxCUIService1.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [329192 2016-06-02] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6541008 2018-05-09] (Malwarebytes)
R2 osrss; C:\WINDOWS\system32\osrss.dll [131288 2018-06-27] (Microsoft Corporation)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [4329952 2017-12-13] (Microsoft Corporation)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\NisSrv.exe [3925648 2018-06-28] (Microsoft Corporation)
S2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MsMpEng.exe [100080 2018-06-28] (Microsoft Corporation)
S4 windowsmanagementservice; windowsmanagementservice [X] <==== ATTENTION
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 DellRbtn; C:\WINDOWS\System32\drivers\DellRbtn.sys [19440 2016-03-31] (OSR Open Systems Resources, Inc.)
R3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [253664 2018-07-13] (Malwarebytes)
S3 rismcx64; C:\WINDOWS\system32\DRIVERS\rismcx64.sys [59008 2009-07-20] (RICOH Company, Ltd.)
S3 smbdirect; C:\WINDOWS\System32\DRIVERS\smbdirect.sys [151552 2017-09-29] (Microsoft Corporation)
R3 ST_Accel; C:\WINDOWS\system32\DRIVERS\ST_Accel.sys [154280 2016-10-12] (STMicroelectronics)
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [46592 2018-06-28] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [340008 2018-06-28] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [59944 2018-06-28] (Microsoft Corporation)
R3 nqtxad; system32\drivers\twadgj.sys [X]
S3 pswzcc; system32\drivers\vzcfim.sys [X]
S4 zpxwc; System32\drivers\pcrltuze.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-07-13 12:19 - 2018-07-13 12:20 - 000012157 _____ C:\Users\Karen\Desktop\FRST.txt
2018-07-13 12:18 - 2018-07-13 12:18 - 000468480 _____ () C:\Users\Karen\Desktop\CKScanner.exe
2018-07-13 12:16 - 2018-07-13 12:16 - 000000000 ____D C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TouchPad
2018-07-13 12:14 - 2018-07-13 12:14 - 000145232 ____N C:\WINDOWS\system32\Drivers\sbroruxb.sys
2018-07-13 11:20 - 2018-07-13 11:22 - 000458684 _____ C:\WINDOWS\Minidump\071318-31265-01.dmp
2018-07-13 11:12 - 2018-07-13 11:14 - 000436004 _____ C:\WINDOWS\Minidump\071318-30187-01.dmp
2018-07-13 11:06 - 2018-07-13 11:08 - 000458940 _____ C:\WINDOWS\Minidump\071318-32109-01.dmp
2018-07-13 11:00 - 2018-07-13 11:56 - 000000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2018-07-13 10:56 - 2018-07-13 10:56 - 000000000 ____D C:\WINDOWS\pss
2018-07-13 10:46 - 2018-07-13 10:46 - 000380928 _____ C:\Users\Karen\Desktop\rf1g4f9o.exe
2018-07-12 21:53 - 2018-07-13 11:20 - 427506899 _____ C:\WINDOWS\MEMORY.DMP
2018-07-12 21:53 - 2018-07-13 11:20 - 000000000 ____D C:\WINDOWS\Minidump
2018-07-12 21:53 - 2018-07-12 21:58 - 000429420 _____ C:\WINDOWS\Minidump\071218-35125-01.dmp
2018-07-11 14:51 - 2018-07-13 12:19 - 000000000 ____D C:\FRST
2018-07-11 14:51 - 2018-07-11 14:49 - 002412544 _____ (Farbar) C:\Users\Karen\Desktop\FRST64.exe
2018-07-11 14:09 - 2018-07-11 14:09 - 001802704 _____ (Bleeping Computer, LLC) C:\Users\Karen\Downloads\rkill.exe
2018-07-11 10:53 - 2018-07-13 12:15 - 000253664 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2018-07-11 06:56 - 2018-07-11 20:42 - 000000000 ____D C:\Users\Karen\AppData\Local\upcgwxk
2018-07-02 02:56 - 2018-07-02 02:56 - 000000000 ____D C:\WINDOWS\%ALLUSERSPROFILE%
2018-06-29 15:17 - 2018-06-29 15:17 - 011599632 _____ (SurfRight B.V.) C:\Users\Karen\Downloads\HitmanPro_x64.exe
2018-06-29 15:15 - 2018-06-29 15:15 - 007372496 _____ (Malwarebytes) C:\Users\Karen\Downloads\AdwCleaner.exe
2018-06-29 14:52 - 2018-06-29 14:52 - 006625600 _____ (Zemana Ltd. ) C:\Users\Karen\Downloads\Zemana.AntiMalware.Setup (1).exe
2018-06-29 14:51 - 2018-06-29 14:51 - 006625600 _____ (Zemana Ltd. ) C:\Users\Karen\Downloads\Zemana.AntiMalware.Setup.exe
2018-06-29 14:23 - 2018-06-29 14:24 - 006625600 _____ (Zemana Ltd. ) C:\Users\Karen\Desktop\Zemana.AntiMalware.Setup.exe
2018-06-29 13:41 - 2018-06-29 13:41 - 000000000 ____D C:\$WINDOWS.~LS
2018-06-29 13:39 - 2018-06-29 13:39 - 000000000 ____D C:\$WINDOWS.~BT
2018-06-29 13:32 - 2018-06-29 13:32 - 000001804 _____ C:\Users\Karen\Desktop\Windows Compatibility Report.htm
2018-06-28 22:51 - 2018-06-28 22:51 - 000000000 ____D C:\Users\Karen\AppData\Local\ElevatedDiagnostics
2018-06-28 22:07 - 2018-06-28 22:07 - 001130840 _____ (Google Inc.) C:\Users\Karen\Downloads\ChromeSetup (1).exe
2018-06-28 21:15 - 2018-06-28 21:17 - 000015162 _____ C:\TDSSKiller.3.1.0.7_28.06.2018_21.15.07_log.txt
2018-06-28 16:14 - 2018-07-11 10:53 - 000152688 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbae64.sys
2018-06-28 16:14 - 2018-06-28 20:04 - 000000000 ____D C:\ProgramData\AutoKMS
2018-06-28 16:14 - 2018-06-28 16:14 - 000001919 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-06-28 16:14 - 2018-06-28 16:14 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-06-28 10:51 - 2018-07-10 22:02 - 000030768 _____ C:\Users\Karen\Desktop\Rkill.txt
2018-06-28 10:50 - 2018-06-28 10:51 - 000000000 ____D C:\Users\Karen\Desktop\Spyware, virus removal tools
2018-06-28 10:50 - 2018-06-28 10:50 - 000000364 _____ C:\TDSSKiller.3.1.0.7_28.06.2018_10.50.09_log.txt
2018-06-28 10:44 - 2018-06-28 10:44 - 000000020 ___SH C:\Users\DefaultAppPool\ntuser.ini
2018-06-28 10:44 - 2018-06-28 10:44 - 000000000 ____D C:\Users\DefaultAppPool
2018-06-28 10:44 - 2018-04-10 14:32 - 000000000 ____D C:\Users\DefaultAppPool\AppData\Local\Microsoft Help
2018-06-28 10:43 - 2018-06-28 10:43 - 000000364 _____ C:\TDSSKiller.3.1.0.7_28.06.2018_10.43.45_log.txt
2018-06-28 10:29 - 2018-06-28 10:29 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\edudnspz.sys
2018-06-28 10:27 - 2018-06-28 10:27 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dozqccoy.sys
2018-06-28 10:10 - 2018-06-28 10:30 - 000000001 _____ C:\g5j5qyh98fefujt
2018-06-28 09:54 - 2018-07-11 19:19 - 000000000 ____D C:\Users\Karen\AppData\Local\dsswnag
2018-06-28 09:54 - 2018-06-28 09:54 - 000000000 ____D C:\Users\Karen\AppData\Local\CEF
2018-06-28 09:51 - 2018-06-28 09:51 - 000000000 ____D C:\Users\Karen\AppData\Local\wmitlcb
2018-06-28 09:49 - 2018-07-13 12:14 - 002912256 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\vsncdigsvc.exe
2018-06-28 09:49 - 2018-06-28 09:49 - 000000000 ____D C:\WINDOWS\SysWOW64\avelbxz
2018-06-28 09:49 - 2018-06-28 09:49 - 000000000 ____D C:\WINDOWS\system32\avelbxz
2018-06-28 09:49 - 2018-06-28 09:49 - 000000000 ____D C:\Users\Karen\AppData\Roaming\et
2018-06-28 09:48 - 2018-07-11 09:53 - 000000000 ___HD C:\Program Files (x86)\nightclubs
2018-06-28 09:48 - 2018-06-28 09:48 - 000003844 _____ C:\WINDOWS\System32\Tasks\bleakness-jewelers
2018-06-28 09:48 - 2018-06-28 09:48 - 000003836 _____ C:\WINDOWS\System32\Tasks\tiptop
2018-06-28 09:48 - 2018-06-28 09:48 - 000003836 _____ C:\WINDOWS\System32\Tasks\nouvelles
2018-06-28 09:48 - 2018-06-28 09:48 - 000003824 _____ C:\WINDOWS\System32\Tasks\hazed
2018-06-28 09:48 - 2018-06-28 09:48 - 000003730 _____ C:\WINDOWS\System32\Tasks\bleakness-jewelersbleakness-jewelers
2018-06-28 09:48 - 2018-06-28 09:48 - 000003704 _____ C:\WINDOWS\System32\Tasks\nouvellesnouvelles
2018-06-28 09:48 - 2018-06-28 09:48 - 000003698 _____ C:\WINDOWS\System32\Tasks\tiptoptiptop
2018-06-28 09:48 - 2018-06-28 09:48 - 000003684 _____ C:\WINDOWS\System32\Tasks\hazedhazed
2018-06-28 09:48 - 2018-06-28 09:48 - 000000012 _____ C:\WINDOWS\b7478122
2018-06-28 09:48 - 2018-06-28 09:48 - 000000000 ___HD C:\Program Files (x86)\Elliman
2018-06-28 09:48 - 2018-06-28 09:48 - 000000000 ____D C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
2018-06-28 09:47 - 2018-06-28 09:50 - 000000000 ____D C:\Users\Karen\AppData\Roaming\AGData
2018-06-28 09:44 - 2018-07-11 09:53 - 000000000 ____D C:\Program Files (x86)\Microsoft Toolkit Final
2018-06-28 09:43 - 2018-06-28 09:43 - 000000000 ____D C:\Users\Karen\AppData\Roaming\WinRAR
2018-06-28 09:43 - 2018-06-28 09:43 - 000000000 ____D C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2018-06-28 09:43 - 2018-06-28 09:43 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2018-06-28 09:43 - 2018-06-28 09:43 - 000000000 ____D C:\Program Files (x86)\WinRAR
2018-06-28 09:42 - 2018-06-28 09:42 - 002894824 _____ (Alexander Roshal) C:\Users\Karen\Downloads\wrar560.exe
2018-06-28 09:40 - 2018-06-28 09:40 - 003699972 _____ C:\Users\Karen\Downloads\Microsoft Toolkit Final pass 123456.rar
2018-06-28 09:03 - 2018-06-28 09:44 - 000000000 ____D C:\Users\Karen\Desktop\Office 2010 Toolkit
2018-06-28 03:19 - 2018-06-28 03:19 - 000031744 _____ C:\WINDOWS\osteen.exe
2018-06-28 03:19 - 2018-06-28 03:19 - 000031744 _____ C:\Users\Karen\AppData\Local\Snowboards.exe
2018-06-28 03:19 - 2018-06-28 03:19 - 000031744 _____ C:\Users\Karen\AppData\Local\Dobb.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-07-13 12:16 - 2018-04-10 17:33 - 000401264 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2018-07-13 12:16 - 2018-04-10 11:27 - 000000000 __SHD C:\Users\Karen\IntelGraphicsProfiles
2018-07-13 12:15 - 2018-04-10 17:54 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2018-07-13 12:14 - 2017-09-29 04:45 - 013107200 _____ C:\WINDOWS\system32\config\HARDWARE
2018-07-13 12:14 - 2017-09-29 04:45 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2018-07-13 12:12 - 2018-04-10 16:26 - 000000000 ____D C:\Program Files (x86)\MSBuild
2018-07-13 12:10 - 2015-10-30 03:24 - 000000076 _____ C:\WINDOWS\win.ini
2018-07-13 12:09 - 2017-09-29 09:46 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2018-07-13 12:05 - 2017-08-14 19:50 - 001328528 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2018-07-13 11:44 - 2018-04-10 17:33 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2018-07-13 11:07 - 2018-04-10 17:42 - 000000000 ____D C:\Users\Karen
2018-07-13 10:54 - 2017-09-29 09:37 - 000000000 ____D C:\WINDOWS\CbsTemp
2018-07-13 08:30 - 2017-09-29 09:46 - 000000000 ____D C:\WINDOWS\DeliveryOptimization
2018-07-12 21:59 - 2017-09-29 09:44 - 000000000 ____D C:\WINDOWS\INF
2018-07-12 17:26 - 2017-09-29 09:46 - 000000000 ____D C:\WINDOWS\AppReadiness
2018-07-11 21:06 - 2017-09-29 09:46 - 000000000 ___HD C:\Program Files\WindowsApps
2018-06-29 16:07 - 2017-08-14 20:59 - 000000000 ____D C:\WINDOWS\system32\MRT
2018-06-29 16:04 - 2018-04-10 14:59 - 133315992 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2018-06-29 16:03 - 2017-08-14 20:59 - 133315992 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2018-06-29 13:48 - 2018-04-10 17:53 - 000002207 _____ C:\WINDOWS\diagwrn.xml
2018-06-29 13:48 - 2018-04-10 17:53 - 000001908 _____ C:\WINDOWS\diagerr.xml
2018-06-28 22:56 - 2017-09-29 09:46 - 000000000 ____D C:\WINDOWS\system32\NDF
2018-06-28 22:11 - 2018-04-10 12:29 - 000002380 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-06-28 22:11 - 2018-04-10 12:29 - 000002339 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-06-28 20:00 - 2018-04-10 17:54 - 000003376 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1862989718-165141890-1895766380-1001
2018-06-28 20:00 - 2018-04-10 11:30 - 000002370 _____ C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2018-06-28 20:00 - 2018-04-10 11:30 - 000000000 ___RD C:\Users\Karen\OneDrive
2018-06-28 19:53 - 2017-09-29 09:46 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2018-06-28 09:27 - 2018-04-10 18:42 - 000446258 _____ C:\WINDOWS\AutoKMS.exe
2018-06-28 09:09 - 2018-04-10 19:06 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2018-06-27 12:10 - 2018-04-10 11:25 - 000131288 _____ (Microsoft Corporation) C:\WINDOWS\system32\osrss.dll
 
==================== Files in the root of some directories =======
 
2018-06-28 03:19 - 2018-06-28 03:19 - 000031744 _____ () C:\Users\Karen\AppData\Local\Dobb.exe
2018-06-28 03:19 - 2018-06-28 03:19 - 000031744 _____ () C:\Users\Karen\AppData\Local\Snowboards.exe
 
Some zero byte size files/folders:
==========================
C:\Windows\System32\igfxDILib.dll
C:\Windows\System32\igfxDILibv2_0.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\WINDOWS\system32\drivers\sbroruxb.sys -> Access Denied <======= ATTENTION
 
LastRegBack: 2018-07-08 22:55
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20.06.2018
Ran by Karen (13-07-2018 12:21:30)
Running from C:\Users\Karen\Desktop
Windows 10 Pro Version 1709 16299.371 (X64) (2018-04-10 21:56:41)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1862989718-165141890-1895766380-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1862989718-165141890-1895766380-503 - Limited - Disabled)
Guest (S-1-5-21-1862989718-165141890-1895766380-501 - Limited - Disabled)
Karen (S-1-5-21-1862989718-165141890-1895766380-1001 - Administrator - Enabled) => C:\Users\Karen
WDAGUtilityAccount (S-1-5-21-1862989718-165141890-1895766380-504 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7761-000000000004}{AC76BA86-1033-F400-7761-000000000004}) (Version: 9.0.0 - Adobe Systems)
Canon MX870 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX870_series) (Version:  - )
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 10.1207.101.103 - ALPS ELECTRIC CO., LTD.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 67.0.3396.99 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.17 - Google Inc.) Hidden
Malwarebytes version 3.5.1.2522 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.5.1.2522 - Malwarebytes)
Microsoft OneDrive (HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\OneDriveSetup.exe) (Version: 18.091.0506.0007 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
osrss (HKLM-x32\...\{1BA1133B-1C7A-41A0-8CBF-9B993E63D296}) (Version: 1.0.0 - Microsoft Corporation) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.0.17.4 - Synaptics Incorporated)
Update for Windows 10 for x64-based Systems (KB4023057) (HKLM\...\{AAB396C1-4338-4825-BFA1-A085F3C55781}) (Version: 2.19.0.0 - Microsoft Corporation)
UpdateAssistant (HKLM\...\{F3874F6F-EA00-487D-BEAD-5FAA010E78F2}) (Version: 1.15.0.0 - Microsoft Corporation) Hidden
Windows 10 Update Assistant (HKLM-x32\...\{D5C69738-B486-402E-85AC-2456D98A64E4}) (Version: 1.4.9200.22402 - Microsoft Corporation)
Windows Setup Remediations (x64) (KB4023057) (HKLM\...\{5534e02f-0f5d-40dd-ba92-bea38d22384d}.sdb) (Version:  - )
WinRAR 5.60 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.60.0 - win.rar GmbH)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-1862989718-165141890-1895766380-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\WINDOWS\system32\igfxEM.exe (Intel Corporation)
ContextMenuHandlers1: [Adobe.Acrobat.ContextMenu] -> {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\..\Acrobat Elements\ContextMenu64.dll [2008-06-11] (Adobe Systems Inc.)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2018-06-24] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext.dll [2018-06-24] (Alexander Roshal)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-05-09] (Malwarebytes)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\WINDOWS\system32\igfxDTCM.dll [2016-06-02] (Intel Corporation)
ContextMenuHandlers6: [Adobe.Acrobat.ContextMenu] -> {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\..\Acrobat Elements\ContextMenu64.dll [2008-06-11] (Adobe Systems Inc.)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-05-09] (Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2018-06-24] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext.dll [2018-06-24] (Alexander Roshal)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {2374AA84-E2F8-4A52-BF84-58D4BD10F16D} - System32\Tasks\nouvelles => C:\Program Files (x86)\Anchovies\Snowboards.exe
Task: {2A5243BE-D463-4C60-882B-9D301C026A8C} - System32\Tasks\tiptop => C:\Program Files (x86)\differences\differences.exe
Task: {2C2B4153-543E-4CDA-B4DA-6F54D5DC3E31} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MpCmdRun.exe [2018-06-28] (Microsoft Corporation)
Task: {3DFD35CF-5948-4028-B031-8AAAE4F440E6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-04-10] (Google Inc.)
Task: {462CA106-4B96-47C4-9F7E-9224E170E2BE} - System32\Tasks\hazed => C:\Program Files (x86)\Careering\explicit.exe
Task: {4BB55FEE-35BC-4D74-BA02-A11162A70146} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {522253EA-0274-4DF4-83C8-2E3AEBFDB5AA} - System32\Tasks\bleakness-jewelersbleakness-jewelers => C:\Program Files (x86)\commodious\Dobb.exe
Task: {5660E116-3562-43A8-A8C8-01034497163E} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MpCmdRun.exe [2018-06-28] (Microsoft Corporation)
Task: {76F1B57F-43F9-40B4-9183-2CCB14451B40} - System32\Tasks\tiptoptiptop => C:\Program Files (x86)\differences\differences.exe
Task: {963D0D1C-BEA3-48E9-9F18-7CC6F6673122} - System32\Tasks\nouvellesnouvelles => C:\Program Files (x86)\Anchovies\Snowboards.exe
Task: {A2BA9F5A-A0D8-4B55-A58E-C6C469376D13} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MpCmdRun.exe [2018-06-28] (Microsoft Corporation)
Task: {B4287672-F100-46DD-9ED9-6618B770F1EC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-04-10] (Google Inc.)
Task: {CA58DF6C-AB00-4CB6-8009-464BFDDCEFD3} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MpCmdRun.exe [2018-06-28] (Microsoft Corporation)
Task: {CF05F9AE-927C-4CD5-BC14-1EFB5D652A81} - System32\Tasks\bleakness-jewelers => C:\Program Files (x86)\commodious\Dobb.exe
Task: {FADEE08E-8922-403B-BF5A-0EEF01827513} - System32\Tasks\Microsoft\Windows\Setup\EOSNotify => C:\WINDOWS\system32\EOSNotify.exe
Task: {FBC70573-38B7-4154-94B7-03F3DB7A0036} - System32\Tasks\hazedhazed => C:\Program Files (x86)\Careering\explicit.exe
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-09-29 09:41 - 2017-09-29 09:41 - 000184432 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2018-06-28 16:14 - 2018-07-11 10:53 - 002433744 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2018-04-10 18:37 - 2018-02-21 20:26 - 011044864 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2018-04-10 18:38 - 2018-02-21 20:21 - 001804288 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2018-06-28 09:13 - 2018-06-22 15:15 - 004608856 _____ () C:\Program Files (x86)\Google\Chrome\Application\67.0.3396.99\libglesv2.dll
2018-06-28 09:13 - 2018-06-22 15:15 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\67.0.3396.99\libegl.dll
2017-12-13 21:38 - 2017-12-13 21:38 - 000975872 _____ () c:\windows\system32\FaceProcessor.dll
2017-12-13 21:38 - 2017-12-13 21:38 - 000269696 _____ () c:\windows\system32\FaceProcessorCore.dll
2017-09-29 09:41 - 2017-09-29 09:41 - 001357464 _____ () c:\windows\system32\FaceTrackerInternal.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\WINDOWS\system32\test_keyboard.exe:xdg.origin.url [129]
AlternateDataStreams: C:\WINDOWS\system32\test_keyboard.exe:xdg.referrer.url [97]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\dozqccoy.sys:changelist [2574]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\edudnspz.sys:changelist [1146]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2015-10-30 03:24 - 2018-06-28 21:41 - 000000850 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Karen\Desktop\Karens phone pictures\Camera\_20150426_181517.JPG
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run: => "Conked"
HKLM\...\StartupApproved\Run32: => "Foreclosure"
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\StartupApproved\Run: => "Absentia"
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\StartupApproved\Run: => "Smite"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [TCP Query User{4AF746BD-6E82-40A0-B1F5-FFE10284FA7F}C:\users\karen\appdata\local\temp\keygen.exe] => (Allow) C:\users\karen\appdata\local\temp\keygen.exe
FirewallRules: [UDP Query User{19CD59C3-7B1A-41E7-9937-04DDEA2E9A51}C:\users\karen\appdata\local\temp\keygen.exe] => (Allow) C:\users\karen\appdata\local\temp\keygen.exe
FirewallRules: [{C987400B-D22C-429B-B455-34ADFE754992}] => (Allow) C:\Program Files (x86)\Anchovies\Snowboards.exe
FirewallRules: [{3BD03343-1FB5-4B83-9F31-E7CCDB5680AB}] => (Allow) C:\Program Files (x86)\Elliman\Snowboards.exe
FirewallRules: [{3FF23900-81DF-4A7E-9C94-9A661916DCAA}] => (Allow) C:\Program Files (x86)\commodious\Dobb.exe
FirewallRules: [{6274F12C-6E26-4E18-A227-594E1DFAF7B1}] => (Allow) C:\Program Files (x86)\Elliman\Dobb.exe
FirewallRules: [{0BA7F87E-48CA-407F-87B0-2273B92056BE}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/13/2018 12:09:02 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine QueryFullProcessImageNameW.  hr = 0x80070006, The handle is invalid.
.
 
 
Operation:
   Executing Asynchronous Operation
 
Context:
   Current State: DoSnapshotSet
 
Error: (07/13/2018 11:24:39 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3001) (User: NT AUTHORITY)
Description: The performance counter name string value in the registry is not formatted correctly. The malformed string is 12676. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.
 
Error: (07/13/2018 11:15:14 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: DESKTOP-J76698K)
Description: Package Microsoft.Windows.Cortana_1.9.6.16299_neutral_neutral_cw5n1h2txyewy+CortanaUI was terminated because it took too long to suspend.
 
Error: (07/13/2018 10:59:27 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 512) (User: )
Description: The Cryptographic Services service failed to initialize the VSS backup "System Writer" object.
 
Details:
Could not query the status of the EventSystem service.
 
System Error:
A system shutdown is in progress.
.
 
Error: (07/02/2018 02:56:44 PM) (Source: Microsoft-Windows-CertificateServicesClient) (EventID: 1003) (User: DESKTOP-J76698K)
Description: Certificate Services Client  failed to invoke the Providers in response to event 512. Error code 2147943855.
 
Error: (07/02/2018 02:56:44 PM) (Source: Microsoft-Windows-CertificateServicesClient) (EventID: 1001) (User: DESKTOP-J76698K)
Description: Certificate Services Client failed to load Provider pautoenr.dll. Error code 1455.
 
Error: (07/02/2018 02:55:50 PM) (Source: Microsoft-Windows-CertificateServicesClient) (EventID: 1003) (User: NT AUTHORITY)
Description: Certificate Services Client  failed to invoke the Providers in response to event 256. Error code 2147943855.
 
Error: (07/02/2018 02:55:50 PM) (Source: Microsoft-Windows-CertificateServicesClient) (EventID: 1001) (User: NT AUTHORITY)
Description: Certificate Services Client failed to load Provider pautoenr.dll. Error code 1455.
 
 
System errors:
=============
Error: (07/13/2018 12:19:19 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-J76698K)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{8BC3F05E-D86B-11D0-A075-00C04FB68820}
 and APPID 
{8BC3F05E-D86B-11D0-A075-00C04FB68820}
 to the user DESKTOP-J76698K\Karen SID (S-1-5-21-1862989718-165141890-1895766380-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ContentDeliveryManager_10.0.16299.15_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-350187224-1905355452-1037786396-3028148496-2624191407-3283318427-1255436723). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/13/2018 12:18:25 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-J76698K)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-J76698K\Karen SID (S-1-5-21-1862989718-165141890-1895766380-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/13/2018 12:16:13 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/13/2018 12:16:13 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/13/2018 12:15:29 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The WinDefend service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.
 
Error: (07/13/2018 12:15:29 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the WinDefend service to connect.
 
Error: (07/13/2018 12:02:16 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-J76698K)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-J76698K\Karen SID (S-1-5-21-1862989718-165141890-1895766380-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/13/2018 12:01:24 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-J76698K)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID 
{7022A3B3-D004-4F52-AF11-E9E987FEE25F}
 and APPID 
{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}
 to the user DESKTOP-J76698K\Karen SID (S-1-5-21-1862989718-165141890-1895766380-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
 
Windows Defender:
===================================
Date: 2018-07-13 10:05:39.506
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: HackTool:Win32/Keygen
ID: 2147593794
Severity: High
Category: Tool
Path: file:_C:\WINDOWS\AutoKMS.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: System
Process Name: Unknown
Signature Version: AV: 1.271.907.0, AS: 1.271.907.0, NIS: 1.271.907.0
Engine Version: AM: 1.1.15000.2, NIS: 1.1.15000.2
 
Date: 2018-07-13 10:05:39.504
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win32/Detrahere!reg
ID: 2147727777
Severity: Severe
Category: Trojan
Path: regkeyvalue:_HKLM\SYSTEM\CurrentControlSet\Control\Network\\set_pt
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Signature Version: AV: 1.271.907.0, AS: 1.271.907.0, NIS: 1.271.907.0
Engine Version: AM: 1.1.15000.2, NIS: 1.1.15000.2
 
Date: 2018-07-13 09:12:40.128
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: HackTool:Win32/Keygen
ID: 2147593794
Severity: High
Category: Tool
Path: file:_C:\WINDOWS\AutoKMS.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: System
Process Name: Unknown
Signature Version: AV: 1.271.907.0, AS: 1.271.907.0, NIS: 1.271.907.0
Engine Version: AM: 1.1.15000.2, NIS: 1.1.15000.2
 
Date: 2018-07-13 09:12:40.125
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: Trojan:Win32/Detrahere!reg
ID: 2147727777
Severity: Severe
Category: Trojan
Path: regkeyvalue:_HKLM\SYSTEM\CurrentControlSet\Control\Network\\set_pt
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Signature Version: AV: 1.271.907.0, AS: 1.271.907.0, NIS: 1.271.907.0
Engine Version: AM: 1.1.15000.2, NIS: 1.1.15000.2
 
Date: 2018-07-13 08:19:16.504
Description: 
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Name: HackTool:Win32/Keygen
ID: 2147593794
Severity: High
Category: Tool
Path: file:_C:\WINDOWS\AutoKMS.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: System
Process Name: Unknown
Signature Version: AV: 1.271.907.0, AS: 1.271.907.0, NIS: 1.271.907.0
Engine Version: AM: 1.1.15000.2, NIS: 1.1.15000.2
 
Date: 2018-07-13 10:44:14.541
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.271.907.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.15000.2
Error code: 0x80070422
Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. 
 
Date: 2018-07-13 09:51:10.205
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.271.907.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.15000.2
Error code: 0x80070422
Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. 
 
Date: 2018-07-13 08:57:37.435
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.271.907.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.15000.2
Error code: 0x80070422
Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. 
 
Date: 2018-07-13 08:04:22.214
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.271.907.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.15000.2
Error code: 0x80070422
Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. 
 
Date: 2018-07-13 07:11:19.437
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.271.907.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.15000.2
Error code: 0x80070422
Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. 
 
CodeIntegrity:
===================================
 
Date: 2018-06-28 22:31:11.919
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.18.1806.18062-0\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-06-28 22:29:35.587
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.18.1806.18062-0\NisSrv.exe that did not meet the Custom 3 / Antimalware signing level requirements.
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-3340M CPU @ 2.70GHz
Percentage of memory in use: 54%
Total physical RAM: 3969.02 MB
Available physical RAM: 1815.04 MB
Total Virtual: 5441.02 MB
Available Virtual: 3316.75 MB
 
==================== Drives ================================
 
Drive c: (Windows) (Fixed) (Total:297.25 GB) (Free:249.11 GB) NTFS
Drive d: (Office 2010 Prof) (CDROM) (Total:0.73 GB) (Free:0 GB) CDFS
Drive e: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
Drive f: (SANDISC) (Removable) (Total:1.91 GB) (Free:0.82 GB) FAT
 
\\?\Volume{ed327dcc-0000-0000-0000-100000000000}\ (System) (Fixed) (Total:0.34 GB) (Free:0.31 GB) NTFS
\\?\Volume{ed327dcc-0000-0000-0000-10664a000000}\ () (Fixed) (Total:0.49 GB) (Free:0.08 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 298.1 GB) (Disk ID: ED327DCC)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=297.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=506 MB) - (Type=27)
 
========================================================
Disk: 1 (Size: 1.9 GB) (Disk ID: 003E2B83)
Partition 1: (Active) - (Size=1.9 GB) - (Type=06)
 
==================== End of Addition.txt ============================


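The Addition.txt log above shows the same two detections (HackTool:Win32/Keygen at C:\WINDOWS\AutoKMS.exe and Trojan:Win32/Detrahere!reg at the set_pt value) recurring roughly hourly, alongside signature-update failures with 0x80070422 (WinDefend disabled), WinDefend start timeouts, and Code Integrity rejecting the Defender platform binaries. The following PowerShell script is an added example of pulling that same picture straight from the host without FRST; it is not part of this thread, FRST, or Windows. It assumes an elevated session on the affected Windows 10 machine, that the Defender cmdlets (Get-MpComputerStatus, Get-MpPreference) ship with the OS, that Defender event 1116 carries a detection, 2001 a signature-update failure and 5001 real-time protection being turned off, that Service Control Manager 7000/7009 and Code Integrity 3004/3033 carry the start-failure and image-verification messages quoted above, and that the 1116 EventData fields are named "Threat Name" and "Path". The function names are this example's own.

```powershell
# Added triage script, not part of the thread or of FRST. Assumptions: run elevated on
# the affected Windows 10 host; the Defender cmdlets ship with the OS; the event IDs are
# the ones that carry the messages quoted in the log (Defender 1116 detection, 2001
# update failure, 5001 real-time protection off; SCM 7000/7009 start failures; Code
# Integrity 3004/3033 image checks); EventData field names follow the 1116 schema.

function Get-EventsSafe([hashtable]$Filter) {
    # Get-WinEvent throws "No events were found" when a filter matches nothing.
    try { Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop } catch { @() }
}

function Get-RecurringDetections([datetime]$Since = (Get-Date).AddDays(-30)) {
    # One row per (threat, path) with a hit count. AutoKMS.exe and the set_pt value are
    # reported again every hour in the log, which means something Defender is not seeing
    # re-creates them; that re-creator, not the detected file, is what has to go.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116; StartTime = $Since }
    Get-EventsSafe $filter | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
        [pscustomobject]@{ Time = $_.TimeCreated; Threat = $data['Threat Name']; Path = $data['Path'] }
    } | Group-Object Threat, Path | ForEach-Object {
        $hits = $_.Group | Sort-Object Time
        [pscustomobject]@{ Count = $_.Count; First = $hits[0].Time; Last = $hits[-1].Time
                           Threat = $hits[0].Threat; Path = $hits[0].Path }
    } | Sort-Object Count -Descending
}

function Get-DefenderHealthEvents([datetime]$Since = (Get-Date).AddDays(-30)) {
    # Why the engine cannot keep up: update failures, protection switched off, the
    # WinDefend service timing out, and Code Integrity refusing the Defender binaries.
    $def = Get-EventsSafe @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 2001, 5001; StartTime = $Since }
    $scm = Get-EventsSafe @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7009; StartTime = $Since } |
           Where-Object { $_.Message -match 'WinDefend' }
    $ci  = Get-EventsSafe @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3004, 3033; StartTime = $Since }
    @($def) + @($scm) + @($ci) | Sort-Object TimeCreated |
        Select-Object TimeCreated, ProviderName, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Get-DefenderState {
    # Current state including exclusions: whoever can write the Defender policy key
    # can just as easily exclude its own directories and processes from scanning.
    try { $s = Get-MpComputerStatus -ErrorAction Stop } catch { $s = $null }   # fails when the service is down
    try { $p = Get-MpPreference -ErrorAction Stop }     catch { $p = $null }
    [pscustomobject]@{
        ServiceEnabled     = if ($s) { $s.AMServiceEnabled } else { 'unavailable (service not running?)' }
        RealTimeProtection = if ($s) { $s.RealTimeProtectionEnabled } else { $null }
        SignatureVersion   = if ($s) { $s.AntivirusSignatureVersion } else { $null }
        SignatureUpdated   = if ($s) { $s.AntivirusSignatureLastUpdated } else { $null }
        DisableRealtime    = if ($p) { $p.DisableRealtimeMonitoring } else { $null }
        ExclusionPaths     = if ($p) { $p.ExclusionPath -join '; ' } else { $null }
        ExclusionProcesses = if ($p) { $p.ExclusionProcess -join '; ' } else { $null }
    }
}

Get-DefenderState        | Format-List
Get-RecurringDetections  | Format-Table -AutoSize -Wrap
Get-DefenderHealthEvents | Format-Table -AutoSize -Wrap
```

The value of grouping the 1116 events is the Count column: a detection that Defender reports once and then never again was cleaned, while one that comes back on a schedule has a live re-dropper (in this thread the scheduled tasks, Run keys and the unsigned driver the fix below removes). Read the Defender state first; if the service is down, the event history is the only view you get until it is restored.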
#9 cablecon (Topic Starter)

Posted 13 July 2018 - 11:41 AM

Ran CKScanner in safe mode

 

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\windows\autokms.exe
scanner sequence 3.AP.11.RUNAJZ
 ----- EOF ----- 


#10 Oh My! (Malware Response Instructor)

Posted 13 July 2018 - 12:47 PM

Thank you for doing that.

Your computer is quite infected. We are going to start with these things.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time
  • The information will be copied invisibly and will be "pasted" into FRST automatically when you click Fix as instructed below
Start::
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [Nowicki] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKLM\...\Run: [Conked] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
HKLM-x32\...\Run: [Permanent] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKLM-x32\...\Run: [Foreclosure] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Paiute] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Smite] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Businesspeople] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Absentia] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [sinatra] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
Startup: C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\saal.lnk [2018-06-28]
ShortcutTarget: saal.lnk -> C:\Program Files (x86)\Anchovies\Snowboards.exe (No File)
Startup: C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\saalsaal.lnk [2018-06-28]
ShortcutTarget: saalsaal.lnk -> C:\Program Files (x86)\commodious\Dobb.exe (No File)
S4 windowsmanagementservice; windowsmanagementservice [X] <==== ATTENTION
S3 pswzcc; system32\drivers\vzcfim.sys [X]
R3 wzcfjm; system32\drivers\cfjmps.sys [X]
S4 zpxwc; System32\drivers\pcrltuze.sys [X]
2018-07-11 06:56 - 2018-07-11 14:06 - 000000000 ____D C:\Users\Karen\AppData\Local\upcgwxk
2018-07-02 02:56 - 2018-07-02 02:56 - 000000000 ____D C:\WINDOWS\%ALLUSERSPROFILE%
2018-06-29 14:54 - 2018-06-29 14:54 - 000145232 ____N C:\WINDOWS\system32\Drivers\sbrruxbe.sys
2018-06-28 16:14 - 2018-06-28 20:04 - 000000000 ____D C:\ProgramData\AutoKMS
2018-06-28 10:29 - 2018-06-28 10:29 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\edudnspz.sys
2018-06-28 10:27 - 2018-06-28 10:27 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dozqccoy.sys
2018-06-28 10:10 - 2018-06-28 10:30 - 000000001 _____ C:\g5j5qyh98fefujt
2018-06-28 09:54 - 2018-07-11 09:14 - 000000000 ____D C:\Users\Karen\AppData\Local\dsswnag
2018-06-28 09:54 - 2018-06-28 09:54 - 000000000 ____D C:\Users\Karen\AppData\Local\CEF
2018-06-28 09:51 - 2018-06-28 09:51 - 000000000 ____D C:\Users\Karen\AppData\Local\wmitlcb
2018-06-28 09:49 - 2018-07-11 14:04 - 002912256 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\vsncdigsvc.exe
2018-06-28 09:49 - 2018-06-28 09:49 - 000000000 ____D C:\WINDOWS\SysWOW64\avelbxz
2018-06-28 09:49 - 2018-06-28 09:49 - 000000000 ____D C:\WINDOWS\system32\avelbxz
2018-06-28 09:49 - 2018-06-28 09:49 - 000000000 ____D C:\Users\Karen\AppData\Roaming\et
2018-06-28 09:48 - 2018-07-11 09:53 - 000000000 ___HD C:\Program Files (x86)\nightclubs
2018-06-28 09:48 - 2018-06-28 09:48 - 000003844 _____ C:\WINDOWS\System32\Tasks\bleakness-jewelers
2018-06-28 09:48 - 2018-06-28 09:48 - 000003836 _____ C:\WINDOWS\System32\Tasks\tiptop
2018-06-28 09:48 - 2018-06-28 09:48 - 000003836 _____ C:\WINDOWS\System32\Tasks\nouvelles
2018-06-28 09:48 - 2018-06-28 09:48 - 000003824 _____ C:\WINDOWS\System32\Tasks\hazed
2018-06-28 09:48 - 2018-06-28 09:48 - 000003730 _____ C:\WINDOWS\System32\Tasks\bleakness-jewelersbleakness-jewelers
2018-06-28 09:48 - 2018-06-28 09:48 - 000003704 _____ C:\WINDOWS\System32\Tasks\nouvellesnouvelles
2018-06-28 09:48 - 2018-06-28 09:48 - 000003698 _____ C:\WINDOWS\System32\Tasks\tiptoptiptop
2018-06-28 09:48 - 2018-06-28 09:48 - 000003684 _____ C:\WINDOWS\System32\Tasks\hazedhazed
2018-06-28 09:48 - 2018-06-28 09:48 - 000000012 _____ C:\WINDOWS\b7478122
2018-06-28 09:48 - 2018-06-28 09:48 - 000000000 ___HD C:\Program Files (x86)\Elliman
2018-06-28 09:48 - 2018-06-28 09:48 - 000000000 ____D C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
2018-06-28 09:47 - 2018-06-28 09:50 - 000000000 ____D C:\Users\Karen\AppData\Roaming\AGData
2018-06-28 09:44 - 2018-07-11 09:53 - 000000000 ____D C:\Program Files (x86)\Microsoft Toolkit Final
2018-06-28 09:40 - 2018-06-28 09:40 - 003699972 _____ C:\Users\Karen\Downloads\Microsoft Toolkit Final pass 123456.rar
2018-06-28 09:03 - 2018-06-28 09:44 - 000000000 ____D C:\Users\Karen\Desktop\Office 2010 Toolkit
2018-06-28 03:19 - 2018-06-28 03:19 - 000031744 _____ C:\WINDOWS\osteen.exe
2018-06-28 03:19 - 2018-06-28 03:19 - 000031744 _____ C:\Users\Karen\AppData\Local\Snowboards.exe
2018-06-28 03:19 - 2018-06-28 03:19 - 000031744 _____ C:\Users\Karen\AppData\Local\Dobb.exe
2018-06-28 09:27 - 2018-04-10 18:42 - 000446258 _____ C:\WINDOWS\AutoKMS.exe
2018-06-28 09:27 - 2018-04-10 18:42 - 000003142 _____ C:\WINDOWS\System32\Tasks\AutoKMS
C:\Windows\System32\igfxDILib.dll
C:\Windows\System32\igfxDILibv2_0.dll
Task: {2374AA84-E2F8-4A52-BF84-58D4BD10F16D} - System32\Tasks\nouvelles => C:\Program Files (x86)\Anchovies\Snowboards.exe
Task: {2A5243BE-D463-4C60-882B-9D301C026A8C} - System32\Tasks\tiptop => C:\Program Files (x86)\differences\differences.exe
Task: {462CA106-4B96-47C4-9F7E-9224E170E2BE} - System32\Tasks\hazed => C:\Program Files (x86)\Careering\explicit.exe
Task: {522253EA-0274-4DF4-83C8-2E3AEBFDB5AA} - System32\Tasks\bleakness-jewelersbleakness-jewelers => C:\Program Files (x86)\commodious\Dobb.exe
Task: {76F1B57F-43F9-40B4-9183-2CCB14451B40} - System32\Tasks\tiptoptiptop => C:\Program Files (x86)\differences\differences.exe
Task: {963D0D1C-BEA3-48E9-9F18-7CC6F6673122} - System32\Tasks\nouvellesnouvelles => C:\Program Files (x86)\Anchovies\Snowboards.exe
Task: {CF05F9AE-927C-4CD5-BC14-1EFB5D652A81} - System32\Tasks\bleakness-jewelers => C:\Program Files (x86)\commodious\Dobb.exe
AlternateDataStreams: C:\WINDOWS\system32\test_keyboard.exe:xdg.origin.url [129]
AlternateDataStreams: C:\WINDOWS\system32\test_keyboard.exe:xdg.referrer.url [97]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\dozqccoy.sys:changelist [2574]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\edudnspz.sys:changelist [1146]
HKLM\...\StartupApproved\Run: => "Conked"
HKLM\...\StartupApproved\Run32: => "Foreclosure"
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\StartupApproved\Run: => "Absentia"
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\StartupApproved\Run: => "Smite"
C:\Program Files (x86)\Anchovies
C:\Program Files (x86)\commodious
C:\Program Files (x86)\Careering
C:\Program Files (x86)\differences
HKLM\SYSTEM\CurrentControlSet\Services\ovdgmtkp <==== ATTENTION (Rootkit!)
C:\WINDOWS\system32\drivers\sbrruxbe.sys -> Access Denied <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
C:\Users\Karen\AppData\Local\upcgwxk
cmd: netsh winsock reset catalog
cmd: netsh int ip reset C:\resettcpip.txt
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state ON
cmd: Bitsadmin /Reset /Allusers
cmd: ipconfig /flushdns
Removeproxy:
emptytemp:
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • Note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program agree to the request.
===================================================

Farbar's MiniRegTool

--------------------
  • Please download MiniRegTool64.zip (for 64 bit systems) and save it to your desktop
  • Unzip the folder and double click the icon
  • Copy and paste the following into the white box:

HKLM\SYSTEM\CurrentControlSet\Control\Network

  • Check the Export keys radio button.
  • Press the Go button and a Result.txt file will open on your Desktop
  • Copy and paste the contents of the report in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • MiniRegTool report

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
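
The fixlist in the post above removes persistence from six distinct places at once: Run values in HKLM, the WOW6432Node Run key (what FRST labels HKLM-x32) and the user's hive; Startup-folder .lnk files; paired scheduled tasks (tiptop/tiptoptiptop and so on) that relaunch the droppers; orphaned service and driver entries marked [X]; firewall Allow rules for the droppers and for keygen.exe in %TEMP%; and a policy restriction under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender. The PowerShell below is an added example, not part of this thread and not FRST's logic, that enumerates the same six locations on a host and flags the entries a responder should look at. It assumes an elevated session on the affected Windows 10 machine, that the ScheduledTasks and NetSecurity modules ship with the OS, and that anything under AppData, Temp or ProgramData counts as user-writable; the Suspicious heuristic (binary missing, in a user-writable path, or without a Valid Authenticode signature) and every function name are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added triage script, not part of the thread and not FRST's own logic. Assumptions: run
# elevated on the affected Windows 10 host; the ScheduledTasks and NetSecurity modules
# ship with the OS; AppData, Temp and ProgramData count as user-writable. Function
# names and the Suspicious heuristic are this example's own, not FRST's.

$UserWritable = '\\(AppData|Temp|ProgramData)\\'
$RegMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider noise on Get-ItemProperty

function Resolve-ImagePath([string]$CommandLine) {
    # Pull the executable out of a Run value, task action, service ImagePath or firewall
    # Program: strips quotes and the \??\ prefix, expands %SystemRoot%, and makes
    # "system32\drivers\x.sys"-style relative paths absolute.
    if ($CommandLine -match '^\s*"([^"]+)"') { $p = $Matches[1] }
    elseif ($CommandLine -match '^\s*(.+?\.(?:exe|sys|dll|com|bat|cmd))(?:\s|$)') { $p = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)') { $p = $Matches[1] }
    else { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($p) -replace '^\\\?\?\\', ''
    if ($p -match '^\\SystemRoot\\') { $p = $p -replace '^\\SystemRoot', $env:SystemRoot }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function New-Finding([string]$Source, [string]$Name, [string]$Command) {
    # Suspicious = binary missing, user-writable location, or signature not Valid
    # (catalog-signed OS files report Valid, so the noise stays manageable).
    $img = Resolve-ImagePath $Command
    $bad = $false
    if ($img) {
        if ($img -match $UserWritable -or -not (Test-Path -LiteralPath $img)) { $bad = $true }
        else { $bad = (Get-AuthenticodeSignature -LiteralPath $img).Status -ne 'Valid' }
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command; Image = $img; Suspicious = $bad }
}

function Get-RunKeyFindings {
    # 64-bit HKLM, WOW6432Node (FRST's "HKLM-x32") and the current user's hive (FRST's HKU\<SID>).
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -notin $RegMeta) { New-Finding "Run:$k" $p.Name $p.Value }
        }
    }
}

function Get-StartupLinkFindings {
    # Startup-folder shortcuts (saal.lnk / saalsaal.lnk above), resolved to their targets.
    $shell = New-Object -ComObject WScript.Shell
    $dirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
            "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    foreach ($d in $dirs) {
        Get-ChildItem -Path $d -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            New-Finding 'StartupFolder' $_.Name ('"{0}"' -f $shell.CreateShortcut($_.FullName).TargetPath)
        }
    }
}

function Get-TaskFindings {
    # Every scheduled-task action that launches a program.
    Get-ScheduledTask | ForEach-Object {
        $t = $_
        foreach ($a in $t.Actions) {
            if ($a.Execute) { New-Finding 'Task' ($t.TaskPath + $t.TaskName) ('"{0}" {1}' -f $a.Execute, $a.Arguments) }
        }
    }
}

function Get-ServiceFindings {
    # Services/drivers whose ImagePath no longer resolves to a file: FRST's "[X]" entries
    # (pswzcc, zpxwc above). Only orphans are returned; the rest is noise here.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $ip = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($ip) {
            $f = New-Finding 'Service' $_.PSChildName $ip
            if ($f.Image -and -not (Test-Path -LiteralPath $f.Image)) { $f }
        }
    }
}

function Get-FirewallAllowFindings {
    # Enabled Allow rules bound to a program (keygen.exe in %TEMP%, Snowboards.exe, Dobb.exe above).
    Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        if ($prog -and $prog -notin 'Any', 'System') { New-Finding 'FirewallRule' $_.DisplayName ('"{0}"' -f $prog) }
    }
}

function Get-DefenderPolicyFindings {
    # On a stand-alone PC no GPO writes this key, so every value in it or its subkeys is
    # tampering (FRST reports the key as "Restriction"). List them all; do not guess names.
    $k = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    if (-not (Test-Path $k)) { return }
    foreach ($key in @(Get-Item $k) + @(Get-ChildItem -Path $k -Recurse)) {
        foreach ($p in (Get-ItemProperty -Path $key.PSPath).PSObject.Properties) {
            if ($p.Name -notin $RegMeta) {
                [pscustomobject]@{ Source = 'DefenderPolicy'; Name = "$($key.PSChildName)\$($p.Name)"
                                   Command = "$($p.Value)"; Image = $null; Suspicious = $true }
            }
        }
    }
}

# Collect everything and show only what needs a human decision.
$findings = @(Get-RunKeyFindings) + @(Get-StartupLinkFindings) + @(Get-TaskFindings) +
            @(Get-ServiceFindings) + @(Get-FirewallAllowFindings) + @(Get-DefenderPolicyFindings)
$findings | Where-Object Suspicious | Sort-Object Source, Name | Format-Table Source, Name, Image -AutoSize -Wrap
```

Drop the Where-Object filter to see the full inventory, or pipe $findings to Export-Csv and diff it against a clean build of the same image. The script deliberately does not delete anything: on this machine the driver sbrruxbe.sys returned Access Denied and a service was flagged as a rootkit, so removal belongs to a tool that can act at boot (which is what the FRST fix above does), and a listing like this is for confirming afterwards that nothing re-appeared.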

#11 cablecon (Topic Starter)

Posted 13 July 2018 - 01:19 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 20.06.2018
Ran by Karen (13-07-2018 14:05:03) Run:1
Running from C:\Users\Karen\Desktop
Loaded Profiles: Karen (Available Profiles: Karen & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [Nowicki] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKLM\...\Run: [Conked] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
HKLM-x32\...\Run: [Permanent] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKLM-x32\...\Run: [Foreclosure] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Paiute] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Smite] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Businesspeople] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [Absentia] => "C:\Program Files (x86)\commodious\Dobb.exe" ahnqb
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\Run: [sinatra] => "C:\Program Files (x86)\Anchovies\Snowboards.exe" ahnqb
Startup: C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\saal.lnk [2018-06-28]
ShortcutTarget: saal.lnk -> C:\Program Files (x86)\Anchovies\Snowboards.exe (No File)
Startup: C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\saalsaal.lnk [2018-06-28]
ShortcutTarget: saalsaal.lnk -> C:\Program Files (x86)\commodious\Dobb.exe (No File)
S4 windowsmanagementservice; windowsmanagementservice [X] <==== ATTENTION
S3 pswzcc; system32\drivers\vzcfim.sys [X]
R3 wzcfjm; system32\drivers\cfjmps.sys [X]
S4 zpxwc; System32\drivers\pcrltuze.sys [X]
2018-07-11 06:56 - 2018-07-11 14:06 - 000000000 ____D C:\Users\Karen\AppData\Local\upcgwxk
2018-07-02 02:56 - 2018-07-02 02:56 - 000000000 ____D C:\WINDOWS\%ALLUSERSPROFILE%
2018-06-29 14:54 - 2018-06-29 14:54 - 000145232 ____N C:\WINDOWS\system32\Drivers\sbrruxbe.sys
2018-06-28 16:14 - 2018-06-28 20:04 - 000000000 ____D C:\ProgramData\AutoKMS
2018-06-28 10:29 - 2018-06-28 10:29 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\edudnspz.sys
2018-06-28 10:27 - 2018-06-28 10:27 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dozqccoy.sys
2018-06-28 10:10 - 2018-06-28 10:30 - 000000001 _____ C:\g5j5qyh98fefujt
2018-06-28 09:54 - 2018-07-11 09:14 - 000000000 ____D C:\Users\Karen\AppData\Local\dsswnag
2018-06-28 09:54 - 2018-06-28 09:54 - 000000000 ____D C:\Users\Karen\AppData\Local\CEF
2018-06-28 09:51 - 2018-06-28 09:51 - 000000000 ____D C:\Users\Karen\AppData\Local\wmitlcb
2018-06-28 09:49 - 2018-07-11 14:04 - 002912256 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\vsncdigsvc.exe
2018-06-28 09:49 - 2018-06-28 09:49 - 000000000 ____D C:\WINDOWS\SysWOW64\avelbxz
2018-06-28 09:49 - 2018-06-28 09:49 - 000000000 ____D C:\WINDOWS\system32\avelbxz
2018-06-28 09:49 - 2018-06-28 09:49 - 000000000 ____D C:\Users\Karen\AppData\Roaming\et
2018-06-28 09:48 - 2018-07-11 09:53 - 000000000 ___HD C:\Program Files (x86)\nightclubs
2018-06-28 09:48 - 2018-06-28 09:48 - 000003844 _____ C:\WINDOWS\System32\Tasks\bleakness-jewelers
2018-06-28 09:48 - 2018-06-28 09:48 - 000003836 _____ C:\WINDOWS\System32\Tasks\tiptop
2018-06-28 09:48 - 2018-06-28 09:48 - 000003836 _____ C:\WINDOWS\System32\Tasks\nouvelles
2018-06-28 09:48 - 2018-06-28 09:48 - 000003824 _____ C:\WINDOWS\System32\Tasks\hazed
2018-06-28 09:48 - 2018-06-28 09:48 - 000003730 _____ C:\WINDOWS\System32\Tasks\bleakness-jewelersbleakness-jewelers
2018-06-28 09:48 - 2018-06-28 09:48 - 000003704 _____ C:\WINDOWS\System32\Tasks\nouvellesnouvelles
2018-06-28 09:48 - 2018-06-28 09:48 - 000003698 _____ C:\WINDOWS\System32\Tasks\tiptoptiptop
2018-06-28 09:48 - 2018-06-28 09:48 - 000003684 _____ C:\WINDOWS\System32\Tasks\hazedhazed
2018-06-28 09:48 - 2018-06-28 09:48 - 000000012 _____ C:\WINDOWS\b7478122
2018-06-28 09:48 - 2018-06-28 09:48 - 000000000 ___HD C:\Program Files (x86)\Elliman
2018-06-28 09:48 - 2018-06-28 09:48 - 000000000 ____D C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
2018-06-28 09:47 - 2018-06-28 09:50 - 000000000 ____D C:\Users\Karen\AppData\Roaming\AGData
2018-06-28 09:44 - 2018-07-11 09:53 - 000000000 ____D C:\Program Files (x86)\Microsoft Toolkit Final
2018-06-28 09:40 - 2018-06-28 09:40 - 003699972 _____ C:\Users\Karen\Downloads\Microsoft Toolkit Final pass 123456.rar
2018-06-28 09:03 - 2018-06-28 09:44 - 000000000 ____D C:\Users\Karen\Desktop\Office 2010 Toolkit
2018-06-28 03:19 - 2018-06-28 03:19 - 000031744 _____ C:\WINDOWS\osteen.exe
2018-06-28 03:19 - 2018-06-28 03:19 - 000031744 _____ C:\Users\Karen\AppData\Local\Snowboards.exe
2018-06-28 03:19 - 2018-06-28 03:19 - 000031744 _____ C:\Users\Karen\AppData\Local\Dobb.exe
2018-06-28 09:27 - 2018-04-10 18:42 - 000446258 _____ C:\WINDOWS\AutoKMS.exe
2018-06-28 09:27 - 2018-04-10 18:42 - 000003142 _____ C:\WINDOWS\System32\Tasks\AutoKMS
C:\Windows\System32\igfxDILib.dll
C:\Windows\System32\igfxDILibv2_0.dll
Task: {2374AA84-E2F8-4A52-BF84-58D4BD10F16D} - System32\Tasks\nouvelles => C:\Program Files (x86)\Anchovies\Snowboards.exe
Task: {2A5243BE-D463-4C60-882B-9D301C026A8C} - System32\Tasks\tiptop => C:\Program Files (x86)\differences\differences.exe
Task: {462CA106-4B96-47C4-9F7E-9224E170E2BE} - System32\Tasks\hazed => C:\Program Files (x86)\Careering\explicit.exe
Task: {522253EA-0274-4DF4-83C8-2E3AEBFDB5AA} - System32\Tasks\bleakness-jewelersbleakness-jewelers => C:\Program Files (x86)\commodious\Dobb.exe
Task: {76F1B57F-43F9-40B4-9183-2CCB14451B40} - System32\Tasks\tiptoptiptop => C:\Program Files (x86)\differences\differences.exe
Task: {963D0D1C-BEA3-48E9-9F18-7CC6F6673122} - System32\Tasks\nouvellesnouvelles => C:\Program Files (x86)\Anchovies\Snowboards.exe
Task: {CF05F9AE-927C-4CD5-BC14-1EFB5D652A81} - System32\Tasks\bleakness-jewelers => C:\Program Files (x86)\commodious\Dobb.exe
AlternateDataStreams: C:\WINDOWS\system32\test_keyboard.exe:xdg.origin.url [129]
AlternateDataStreams: C:\WINDOWS\system32\test_keyboard.exe:xdg.referrer.url [97]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\dozqccoy.sys:changelist [2574]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\edudnspz.sys:changelist [1146]
HKLM\...\StartupApproved\Run: => "Conked"
HKLM\...\StartupApproved\Run32: => "Foreclosure"
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\StartupApproved\Run: => "Absentia"
HKU\S-1-5-21-1862989718-165141890-1895766380-1001\...\StartupApproved\Run: => "Smite"
C:\Program Files (x86)\Anchovies
C:\Program Files (x86)\commodious
C:\Program Files (x86)\Careering
C:\Program Files (x86)\differences
HKLM\SYSTEM\CurrentControlSet\Services\ovdgmtkp <==== ATTENTION (Rootkit!)
C:\WINDOWS\system32\drivers\sbrruxbe.sys -> Access Denied <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
C:\Users\Karen\AppData\Local\upcgwxk
cmd: netsh winsock reset catalog
cmd: netsh int ip reset C:\resettcpip.txt
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state ON
cmd: Bitsadmin /Reset /Allusers
cmd: ipconfig /flushdns
Removeproxy:
emptytemp:
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Nowicki" => removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Conked" => removed successfully
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Permanent" => removed successfully
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Foreclosure" => removed successfully
"HKU\S-1-5-21-1862989718-165141890-1895766380-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Paiute" => removed successfully
"HKU\S-1-5-21-1862989718-165141890-1895766380-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Smite" => removed successfully
"HKU\S-1-5-21-1862989718-165141890-1895766380-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Businesspeople" => removed successfully
"HKU\S-1-5-21-1862989718-165141890-1895766380-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Absentia" => removed successfully
"HKU\S-1-5-21-1862989718-165141890-1895766380-1001\Software\Microsoft\Windows\CurrentVersion\Run\\sinatra" => removed successfully
C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\saal.lnk => moved successfully
"C:\Program Files (x86)\Anchovies\Snowboards.exe" => not found
C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\saalsaal.lnk => moved successfully
"C:\Program Files (x86)\commodious\Dobb.exe" => not found
"HKLM\System\CurrentControlSet\Services\windowsmanagementservice" => removed successfully
windowsmanagementservice => service removed successfully
"HKLM\System\CurrentControlSet\Services\pswzcc" => removed successfully
pswzcc => service removed successfully
wzcfjm => service not found.
"HKLM\System\CurrentControlSet\Services\zpxwc" => removed successfully
zpxwc => service removed successfully
 
"C:\Users\Karen\AppData\Local\upcgwxk" folder move:
 
Could not move "C:\Users\Karen\AppData\Local\upcgwxk" => Scheduled to move on reboot.
 
C:\WINDOWS\%ALLUSERSPROFILE% => moved successfully
"C:\WINDOWS\system32\Drivers\sbrruxbe.sys" => not found
C:\ProgramData\AutoKMS => moved successfully
C:\WINDOWS\system32\Drivers\edudnspz.sys => moved successfully
C:\WINDOWS\system32\Drivers\dozqccoy.sys => moved successfully
C:\g5j5qyh98fefujt => moved successfully
 
"C:\Users\Karen\AppData\Local\dsswnag" folder move:
 
Could not move "C:\Users\Karen\AppData\Local\dsswnag" => Scheduled to move on reboot.
 
C:\Users\Karen\AppData\Local\CEF => moved successfully
 
"C:\Users\Karen\AppData\Local\wmitlcb" folder move:
 
Could not move "C:\Users\Karen\AppData\Local\wmitlcb" => Scheduled to move on reboot.
 
C:\WINDOWS\system32\vsncdigsvc.exe => moved successfully
C:\WINDOWS\SysWOW64\avelbxz => moved successfully
 
"C:\WINDOWS\system32\avelbxz" folder move:
 
Could not move "C:\WINDOWS\system32\avelbxz" => Scheduled to move on reboot.
 
C:\Users\Karen\AppData\Roaming\et => moved successfully
C:\Program Files (x86)\nightclubs => moved successfully
C:\WINDOWS\System32\Tasks\bleakness-jewelers => moved successfully
C:\WINDOWS\System32\Tasks\tiptop => moved successfully
C:\WINDOWS\System32\Tasks\nouvelles => moved successfully
C:\WINDOWS\System32\Tasks\hazed => moved successfully
C:\WINDOWS\System32\Tasks\bleakness-jewelersbleakness-jewelers => moved successfully
C:\WINDOWS\System32\Tasks\nouvellesnouvelles => moved successfully
C:\WINDOWS\System32\Tasks\tiptoptiptop => moved successfully
C:\WINDOWS\System32\Tasks\hazedhazed => moved successfully
C:\WINDOWS\b7478122 => moved successfully
C:\Program Files (x86)\Elliman => moved successfully
C:\Users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget => moved successfully
C:\Users\Karen\AppData\Roaming\AGData => moved successfully
C:\Program Files (x86)\Microsoft Toolkit Final => moved successfully
C:\Users\Karen\Downloads\Microsoft Toolkit Final pass 123456.rar => moved successfully
C:\Users\Karen\Desktop\Office 2010 Toolkit => moved successfully
C:\WINDOWS\osteen.exe => moved successfully
C:\Users\Karen\AppData\Local\Snowboards.exe => moved successfully
C:\Users\Karen\AppData\Local\Dobb.exe => moved successfully
C:\WINDOWS\AutoKMS.exe => moved successfully
"C:\WINDOWS\System32\Tasks\AutoKMS" => not found
C:\Windows\System32\igfxDILib.dll => moved successfully
C:\Windows\System32\igfxDILibv2_0.dll => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{2374AA84-E2F8-4A52-BF84-58D4BD10F16D}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2374AA84-E2F8-4A52-BF84-58D4BD10F16D}" => removed successfully
"C:\WINDOWS\System32\Tasks\nouvelles" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\nouvelles" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{2A5243BE-D463-4C60-882B-9D301C026A8C}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2A5243BE-D463-4C60-882B-9D301C026A8C}" => removed successfully
"C:\WINDOWS\System32\Tasks\tiptop" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\tiptop" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{462CA106-4B96-47C4-9F7E-9224E170E2BE}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{462CA106-4B96-47C4-9F7E-9224E170E2BE}" => removed successfully
"C:\WINDOWS\System32\Tasks\hazed" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\hazed" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{522253EA-0274-4DF4-83C8-2E3AEBFDB5AA}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{522253EA-0274-4DF4-83C8-2E3AEBFDB5AA}" => removed successfully
"C:\WINDOWS\System32\Tasks\bleakness-jewelersbleakness-jewelers" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bleakness-jewelersbleakness-jewelers" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{76F1B57F-43F9-40B4-9183-2CCB14451B40}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{76F1B57F-43F9-40B4-9183-2CCB14451B40}" => removed successfully
"C:\WINDOWS\System32\Tasks\tiptoptiptop" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\tiptoptiptop" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{963D0D1C-BEA3-48E9-9F18-7CC6F6673122}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{963D0D1C-BEA3-48E9-9F18-7CC6F6673122}" => removed successfully
"C:\WINDOWS\System32\Tasks\nouvellesnouvelles" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\nouvellesnouvelles" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{CF05F9AE-927C-4CD5-BC14-1EFB5D652A81}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CF05F9AE-927C-4CD5-BC14-1EFB5D652A81}" => removed successfully
"C:\WINDOWS\System32\Tasks\bleakness-jewelers" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bleakness-jewelers" => removed successfully
C:\WINDOWS\system32\test_keyboard.exe => ":xdg.origin.url" ADS removed successfully
C:\WINDOWS\system32\test_keyboard.exe => ":xdg.referrer.url" ADS removed successfully
"C:\WINDOWS\system32\Drivers\dozqccoy.sys" => ":changelist" ADS not found.
"C:\WINDOWS\system32\Drivers\edudnspz.sys" => ":changelist" ADS not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\Conked" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Conked" => not found
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32\\Foreclosure" => removed successfully
"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Foreclosure" => not found
"HKU\S-1-5-21-1862989718-165141890-1895766380-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\Absentia" => removed successfully
"HKU\S-1-5-21-1862989718-165141890-1895766380-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Absentia" => not found
"HKU\S-1-5-21-1862989718-165141890-1895766380-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\Smite" => removed successfully
"HKU\S-1-5-21-1862989718-165141890-1895766380-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Smite" => not found
"C:\Program Files (x86)\Anchovies" => not found
"C:\Program Files (x86)\commodious" => not found
"C:\Program Files (x86)\Careering" => not found
"C:\Program Files (x86)\differences" => not found
HKLM\SYSTEM\CurrentControlSet\Services\ovdgmtkp <==== ATTENTION (Rootkit!) => Error: No automatic fix found for this entry.
"C:\WINDOWS\system32\drivers\sbrruxbe.sys -> Access Denied <======= ATTENTION" => not found
"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" => removed successfully
 
"C:\Users\Karen\AppData\Local\upcgwxk" folder move:
 
Could not move "C:\Users\Karen\AppData\Local\upcgwxk" => Scheduled to move on reboot.
 
 
========= netsh winsock reset catalog =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
========= netsh int ip reset C:\resettcpip.txt =========
 
Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
========= netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= netsh advfirewall set allprofiles state ON =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= Bitsadmin /Reset /Allusers =========
 
 
BITSADMIN version 3.0
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
0 out of 0 jobs canceled.
 
========= End of CMD: =========
 
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
========= RemoveProxy: =========
 
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\S-1-5-21-1862989718-165141890-1895766380-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\S-1-5-21-1862989718-165141890-1895766380-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
 
 
========= End of RemoveProxy: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 7888896 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 32997457 B
Java, Flash, Steam htmlcache => 2239 B
Windows/system/drivers => 527172 B
Edge => 775075 B
Chrome => 583716687 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 23584 B
NetworkService => 12222022 B
Karen => 15365590 B
DefaultAppPool => 0 B
 
RecycleBin => 85643 B
EmptyTemp: => 623.3 MB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 13-07-2018 14:09:44)
 
C:\Users\Karen\AppData\Local\upcgwxk => Could not move
C:\Users\Karen\AppData\Local\dsswnag => Could not move
C:\Users\Karen\AppData\Local\wmitlcb => Could not move
C:\WINDOWS\system32\avelbxz => Could not move
C:\Users\Karen\AppData\Local\upcgwxk => Could not move
 
==== End of Fixlog 14:09:44 ====
 
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network]
"FilterClasses"=hex(7):6d,00,73,00,5f,00,66,00,69,00,72,00,65,00,77,00,61,00,\
  6c,00,6c,00,5f,00,75,00,70,00,70,00,65,00,72,00,00,00,73,00,63,00,68,00,65,\
  00,64,00,75,00,6c,00,65,00,72,00,00,00,65,00,6e,00,63,00,72,00,79,00,70,00,\
  74,00,69,00,6f,00,6e,00,00,00,63,00,6f,00,6d,00,70,00,72,00,65,00,73,00,73,\
  00,69,00,6f,00,6e,00,00,00,76,00,70,00,6e,00,00,00,6c,00,6f,00,61,00,64,00,\
  62,00,61,00,6c,00,61,00,6e,00,63,00,65,00,00,00,66,00,61,00,69,00,6c,00,6f,\
  00,76,00,65,00,72,00,00,00,64,00,69,00,61,00,67,00,6e,00,6f,00,73,00,74,00,\
  69,00,63,00,00,00,63,00,75,00,73,00,74,00,6f,00,6d,00,00,00,70,00,72,00,6f,\
  00,76,00,69,00,64,00,65,00,72,00,5f,00,61,00,64,00,64,00,72,00,65,00,73,00,\
  73,00,00,00,6d,00,73,00,5f,00,69,00,6d,00,70,00,6c,00,61,00,74,00,66,00,6f,\
  00,72,00,6d,00,00,00,6d,00,73,00,5f,00,73,00,77,00,69,00,74,00,63,00,68,00,\
  5f,00,63,00,61,00,70,00,74,00,75,00,72,00,65,00,00,00,6d,00,73,00,5f,00,73,\
  00,77,00,69,00,74,00,63,00,68,00,5f,00,66,00,69,00,6c,00,74,00,65,00,72,00,\
  00,00,6d,00,73,00,5f,00,73,00,77,00,69,00,74,00,63,00,68,00,5f,00,72,00,65,\
  00,73,00,65,00,72,00,76,00,65,00,64,00,00,00,6d,00,73,00,5f,00,73,00,77,00,\
  69,00,74,00,63,00,68,00,5f,00,66,00,6f,00,72,00,77,00,61,00,72,00,64,00,00,\
  00,00,00
"set_pt"="z#sq\\eo86o\\MT68g\\3nniTvT\\G1RTy\\VnR-WAm#VnR-WAm.8A8#poIdV86.8A8|P#sq\\eo86o\\MT68g\\3nniTvT\\G1RTy\\pooWgT-|E#sq\\eo86o\\MT68g\\3nniTvT\\G1RTy\\WlIvyR4#gIRmd8-.8A8"
"atimode"="O|Y|N|j|u|PP|PN|Pu|rP|rr|rE|rO|rY|rN|rL|rj|ru|Ez|EP|Er|EE|EO|EY|OP|Or|OL|OY|Oj|YP|Yr|YE|YO|YN|Yj|Yu|Nz|NP|Nr|NE|NO|NY|EN|P|E|L|rz"
"shield_count"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\Connections]
"ClassManagers"=hex(7):7b,00,42,00,34,00,43,00,38,00,44,00,46,00,35,00,39,00,\
  2d,00,44,00,31,00,36,00,46,00,2d,00,34,00,30,00,34,00,32,00,2d,00,38,00,30,\
  00,42,00,37,00,2d,00,33,00,35,00,35,00,37,00,41,00,32,00,35,00,34,00,42,00,\
  37,00,43,00,35,00,7d,00,00,00,7b,00,42,00,41,00,31,00,32,00,36,00,41,00,44,\
  00,33,00,2d,00,32,00,31,00,36,00,36,00,2d,00,31,00,31,00,44,00,31,00,2d,00,\
  42,00,31,00,44,00,30,00,2d,00,30,00,30,00,38,00,30,00,35,00,46,00,43,00,31,\
  00,32,00,37,00,30,00,45,00,7d,00,00,00,7b,00,42,00,41,00,31,00,32,00,36,00,\
  41,00,44,00,35,00,2d,00,32,00,31,00,36,00,36,00,2d,00,31,00,31,00,44,00,31,\
  00,2d,00,42,00,31,00,44,00,30,00,2d,00,30,00,30,00,38,00,30,00,35,00,46,00,\
  43,00,31,00,32,00,37,00,30,00,45,00,7d,00,00,00,7b,00,42,00,41,00,31,00,32,\
  00,36,00,41,00,44,00,44,00,2d,00,32,00,31,00,36,00,36,00,2d,00,31,00,31,00,\
  44,00,31,00,2d,00,42,00,31,00,44,00,30,00,2d,00,30,00,30,00,38,00,30,00,35,\
  00,46,00,43,00,31,00,32,00,37,00,30,00,45,00,7d,00,00,00,00,00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\LightweightCallHandlers]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\LightweightCallHandlers\NETMAN]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\LightweightCallHandlers\PNIDUI]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\LightweightCallHandlers\PNIDUI\OnPrivateNetworkAvailable]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\LightweightCallHandlers\PNIDUI\OnPrivateNetworkAvailable\WMP_OnPrivateNetworkAvailable]
"Cardinality"=dword:00000000
"ExeName"=hex(2):22,00,25,00,70,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
  69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
  00,20,00,4d,00,65,00,64,00,69,00,61,00,20,00,50,00,6c,00,61,00,79,00,65,00,\
  72,00,5c,00,77,00,6d,00,70,00,6e,00,73,00,63,00,66,00,67,00,2e,00,65,00,78,\
  00,65,00,22,00,00,00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\LightweightCallHandlers\PNIDUI\Startup]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\LightweightCallHandlers\PNIDUI\Startup\NCSI_TrayIconStartup]
"Cardinality"=dword:00000001
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6e,\
  00,63,00,73,00,69,00,2e,00,64,00,6c,00,6c,00,00,00
"FunctionEntryName"="NcsiIdentifyUserSpecificProxies"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\NetworkLocationWizard]
"HideWizard"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\SharedAccessConnection]
"EnableControl"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"Broadcom 802.11n Network Adapter"=hex(7):31,00,00,00,00,00
"Broadcom NetXtreme 57xx Gigabit Controller"=hex(7):31,00,00,00,00,00
"Microsoft Kernel Debug Network Adapter"=hex(7):31,00,00,00,00,00
"Microsoft Wi-Fi Direct Virtual Adapter"=hex(7):31,00,00,00,00,00
"WAN Miniport (IKEv2)"=hex(7):31,00,00,00,00,00
"WAN Miniport (IP)"=hex(7):31,00,00,00,00,00
"WAN Miniport (IPv6)"=hex(7):31,00,00,00,00,00
"WAN Miniport (L2TP)"=hex(7):31,00,00,00,00,00
"WAN Miniport (Network Monitor)"=hex(7):31,00,00,00,00,00
"WAN Miniport (PPPOE)"=hex(7):31,00,00,00,00,00
"WAN Miniport (PPTP)"=hex(7):31,00,00,00,00,00
"WAN Miniport (SSTP)"=hex(7):31,00,00,00,00,00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{11992C50-925C-433F-BBC9-9245D655DD35}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{11992C50-925C-433F-BBC9-9245D655DD35}\Connection]
"Name"="Local Area Connection* 8"
"PnPInstanceId"="SWD\\MSRRAS\\MS_PPPOEMINIPORT"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{302D366A-2C19-4EBE-A5D0-0EBF19489D0B}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{302D366A-2C19-4EBE-A5D0-0EBF19489D0B}\Connection]
"Name"="Local Area Connection* 9"
"PnPInstanceId"="SWD\\MSRRAS\\MS_NDISWANIP"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{4D754296-19CD-4C2E-A59A-FE968E533DAE}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{4D754296-19CD-4C2E-A59A-FE968E533DAE}\Connection]
"Name"="Local Area Connection* 5"
"PnPInstanceId"="SWD\\MSRRAS\\MS_AGILEVPNMINIPORT"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{72AEC54C-03E3-47C0-A2A6-9159588CD979}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{72AEC54C-03E3-47C0-A2A6-9159588CD979}\Connection]
"Name"="Local Area Connection* 7"
"PnPInstanceId"="SWD\\MSRRAS\\MS_PPTPMINIPORT"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{7BE43317-A0AA-40A1-ADE5-BCE808EA0153}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{7BE43317-A0AA-40A1-ADE5-BCE808EA0153}\Connection]
"Name"="Local Area Connection* 1"
"PnPInstanceId"="ROOT\\KDNIC\\0000"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{884F3952-129C-42A7-9817-6B9A224B33FE}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{884F3952-129C-42A7-9817-6B9A224B33FE}\Connection]
"Name"="Local Area Connection* 6"
"PnPInstanceId"="SWD\\MSRRAS\\MS_L2TPMINIPORT"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{BF7D2DC1-1EFD-4670-B506-186D9B768CAE}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{BF7D2DC1-1EFD-4670-B506-186D9B768CAE}\Connection]
"Name"="Wi-Fi"
"PnPInstanceId"="PCI\\VEN_14E4&DEV_4359&SUBSYS_00141028&REV_00\\4&67996f5&0&00E1"
"MediaSubType"=dword:00000002
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{C7848876-BB33-428C-A924-170F59AFD374}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{C7848876-BB33-428C-A924-170F59AFD374}\Connection]
"Name"="Local Area Connection* 2"
"PnPInstanceId"="{5d624f94-8850-40c3-a3fa-a4fd2080baf3}\\vwifimp_wfd\\5&1503fcb5&0&11"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{C8649089-2A6A-472D-BA71-888CAC70E287}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{C8649089-2A6A-472D-BA71-888CAC70E287}\Connection]
"Name"="Local Area Connection* 10"
"PnPInstanceId"="SWD\\MSRRAS\\MS_NDISWANIPV6"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{EE701C51-F0FF-42BE-82F9-B69C86450CCD}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{EE701C51-F0FF-42BE-82F9-B69C86450CCD}\Connection]
"Name"="Ethernet"
"PnPInstanceId"="PCI\\VEN_14E4&DEV_1681&SUBSYS_053C1028&REV_10\\4&4568920&0&00E6"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{F0E50123-6ADD-42D7-BC65-4C087FC8C309}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{F0E50123-6ADD-42D7-BC65-4C087FC8C309}\Connection]
"Name"="Local Area Connection* 11"
"PnPInstanceId"="SWD\\MSRRAS\\MS_NDISWANBH"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{F8528E9E-139A-47DF-BEA3-B32587283EEE}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{F8528E9E-139A-47DF-BEA3-B32587283EEE}\Connection]
"Name"="Local Area Connection* 4"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{FC0F7626-47C2-428C-B5E7-3C5369EECBF1}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{FC0F7626-47C2-428C-B5E7-3C5369EECBF1}\Connection]
"Name"="Local Area Connection* 3"
"PnPInstanceId"="SWD\\MSRRAS\\MS_SSTPMINIPORT"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e973-e325-11ce-bfc1-08002be10318}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e973-e325-11ce-bfc1-08002be10318}\{54494F4E-5441-4B53-CCB9-061A6EC4BF6E}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Characteristics"=dword:00000080
"ComponentId"="ms_msclient"
"Description"="@%systemroot%\\system32\\wkssvc.dll,-1010"
"InfPath"="Netmscli.inf"
"InfSection"="MSClient.ndi"
"LocDescription"="@%systemroot%\\system32\\wkssvc.dll,-1010"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e973-e325-11ce-bfc1-08002be10318}\{54494F4E-5441-4B53-CCB9-061A6EC4BF6E}\Ndi]
"HelpText"="@%systemroot%\\system32\\wkssvc.dll,-1011"
"Service"="LanmanWorkstation"
"BindForm"="LanmanWorkstation"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e973-e325-11ce-bfc1-08002be10318}\{54494F4E-5441-4B53-CCB9-061A6EC4BF6E}\Ndi\Interfaces]
"LowerRange"="netbios,netbios_smb,tdi"
"UpperRange"="winnet5"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{171C5016-3D19-4CB2-9556-63E586EE5010}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"ComponentId"="ms_bridge"
"Description"="@%SystemRoot%\\system32\\bridgeres.dll,-2"
"InfPath"="netbrdg.inf"
"InfSection"="Install"
"LocDescription"="@%SystemRoot%\\system32\\bridgeres.dll,-2"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{171C5016-3D19-4CB2-9556-63E586EE5010}\Ndi]
"TimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"HelpText"="@%SystemRoot%\\system32\\bridgeres.dll,-2"
"Service"="MsBridge"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{171C5016-3D19-4CB2-9556-63E586EE5010}\Ndi\Interfaces]
"LowerRange"="nolower"
"UpperRange"="noupper"
"FilterMediaTypes"="ms_implatform"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{3BFD7820-D65C-4C1B-9FEA-983A019639EA}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Characteristics"=dword:00040028
"ComponentId"="ms_wfplwf_lower"
"Description"="@%windir%\\System32\\drivers\\wfplwfs.sys,-6006"
"InfPath"="wfplwfs.inf"
"InfSection"="WfpLwf_Lower_Install"
"LocDescription"="@%windir%\\System32\\drivers\\wfplwfs.sys,-6006"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{3BFD7820-D65C-4C1B-9FEA-983A019639EA}\Ndi]
"TimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"HelpText"="@%windir%\\System32\\drivers\\wfplwfs.sys,-6003"
"Service"="WfpLwfs"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{3BFD7820-D65C-4C1B-9FEA-983A019639EA}\Ndi\Interfaces]
"LowerRange"="nolower"
"UpperRange"="noupper"
"FilterMediaTypes"="ethernet,wlan,ppip,wan"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{42494F53-4554-004E-6E89-7EF9DE2570E3}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"ComponentId"="ms_netbios"
"Description"="@%windir%\\system32\\drivers\\netbios.sys,-501"
"InfPath"="netnb.inf"
"InfSection"="NetBIOS.ndi"
"LocDescription"="@%windir%\\system32\\drivers\\netbios.sys,-501"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{42494F53-4554-004E-6E89-7EF9DE2570E3}\Ndi]
"HelpText"="@%windir%\\system32\\drivers\\netbios.sys,-500"
"Service"="NetBIOS"
"BindForm"="NetBIOS"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{42494F53-4554-004E-6E89-7EF9DE2570E3}\Ndi\Interfaces]
"LowerRange"="netbios"
"UpperRange"="winnet5"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{52564552-5345-414E-2DD4-CF8F7555A888}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"ComponentId"="ms_server"
"Description"="@%systemroot%\\system32\\srvsvc.dll,-109"
"InfPath"="Netserv.inf"
"InfSection"="Install.ndi"
"LocDescription"="@%systemroot%\\system32\\srvsvc.dll,-109"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{52564552-5345-414E-2DD4-CF8F7555A888}\Ndi]
"HelpText"="@%systemroot%\\system32\\srvsvc.dll,-110"
"BindForm"="LanmanServer"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{52564552-5345-414E-2DD4-CF8F7555A888}\Ndi\Interfaces]
"LowerRange"="tdi,netbios,ipx,netbios_smb"
"UpperRange"="winnet5"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{5CBF81BF-5055-47CD-9055-A76B2B4E3698}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Characteristics"=dword:00040028
"ComponentId"="ms_vwifi"
"Description"="@%windir%\\System32\\drivers\\vwififlt.sys,-105"
"InfPath"="netvwififlt.inf"
"InfSection"="Install"
"LocDescription"="@%windir%\\System32\\drivers\\vwififlt.sys,-105"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{5CBF81BF-5055-47CD-9055-A76B2B4E3698}\Ndi]
"TimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"HelpText"="@%windir%\\System32\\drivers\\vwififlt.sys,-106"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{5CBF81BF-5055-47CD-9055-A76B2B4E3698}\Ndi\Interfaces]
"LowerRange"="nolower"
"UpperRange"="noupper"
"FilterMediaTypes"="vwifi,vchannel"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Characteristics"=dword:00040000
"ComponentId"="ms_pacer"
"Description"="@%windir%\\System32\\drivers\\pacer.sys,-101"
"InfPath"="netpacer.inf"
"InfSection"="Install"
"LocDescription"="@%windir%\\System32\\drivers\\pacer.sys,-101"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}\Ndi]
"TimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"HelpText"="@%windir%\\System32\\drivers\\pacer.sys,-100"
"Service"="Psched"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}\Ndi\Interfaces]
"LowerRange"="nolower"
"UpperRange"="noupper"
"FilterMediaTypes"="cp_tunnel,ethernet,wan"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{B70D6460-3635-4D42-B866-B8AB1A24454C}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Characteristics"=dword:00040028
"ComponentId"="ms_wfplwf_upper"
"Description"="@%windir%\\System32\\drivers\\wfplwfs.sys,-6005"
"InfPath"="wfplwfs.inf"
"InfSection"="WfpLwf_Upper_Install"
"LocDescription"="@%windir%\\System32\\drivers\\wfplwfs.sys,-6005"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{B70D6460-3635-4D42-B866-B8AB1A24454C}\Ndi]
"TimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"HelpText"="@%windir%\\System32\\drivers\\wfplwfs.sys,-6002"
"Service"="WfpLwfs"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{B70D6460-3635-4D42-B866-B8AB1A24454C}\Ndi\Interfaces]
"LowerRange"="nolower"
"UpperRange"="noupper"
"FilterMediaTypes"="ethernet"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{E475CF9A-60CD-4439-A75F-0079CE0E18A1}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Characteristics"=dword:00040028
"ComponentId"="ms_nativewifip"
"Description"="@%windir%\\System32\\drivers\\nwifi.sys,-101"
"InfPath"="netnwifi.inf"
"InfSection"="MS_NWIFI.Install"
"LocDescription"="@%windir%\\System32\\drivers\\nwifi.sys,-101"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{E475CF9A-60CD-4439-A75F-0079CE0E18A1}\Ndi]
"TimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Service"="NativeWifiP"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{E475CF9A-60CD-4439-A75F-0079CE0E18A1}\Ndi\Interfaces]
"LowerRange"="nolower"
"UpperRange"="noupper"
"FilterMediaTypes"="wlan"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{E7C3B2F0-F3C5-48DF-AF2B-10FED6D72E7A}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Characteristics"=dword:00040000
"ComponentId"="ms_wfplwf_vswitch"
"Description"="@%windir%\\System32\\drivers\\wfplwfs.sys,-6004"
"InfPath"="wfplwfs.inf"
"InfSection"="WfpLwf_vSwitch_Install"
"LocDescription"="@%windir%\\System32\\drivers\\wfplwfs.sys,-6004"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{E7C3B2F0-F3C5-48DF-AF2B-10FED6D72E7A}\Ndi]
"TimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"HelpText"="@%windir%\\System32\\drivers\\wfplwfs.sys,-6001"
"Service"="WfpLwfs"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{E7C3B2F0-F3C5-48DF-AF2B-10FED6D72E7A}\Ndi\Interfaces]
"LowerRange"="nolower"
"UpperRange"="noupper"
"FilterMediaTypes"="vmnetextension"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{EA24CD6C-D17A-4348-9190-09F0D5BE83DD}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Characteristics"=dword:00040038
"ComponentId"="ms_ndiscap"
"Description"="@%windir%\\System32\\drivers\\ndiscap.sys,-5000"
"InfPath"="ndiscap.inf"
"InfSection"="Install"
"LocDescription"="@%windir%\\System32\\drivers\\ndiscap.sys,-5000"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{EA24CD6C-D17A-4348-9190-09F0D5BE83DD}\Ndi]
"TimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"HelpText"="@%windir%\\System32\\drivers\\ndiscap.sys,-5001"
"Service"="NdisCap"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{EA24CD6C-D17A-4348-9190-09F0D5BE83DD}\Ndi\Interfaces]
"LowerRange"="nolower"
"UpperRange"="noupper"
"FilterMediaTypes"="ethernet,wlan,ppip,vmnetextension"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{414E444B-444D-0052-A0C8-EE4678CF4C97}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Characteristics"=dword:00000028
"ComponentId"="ms_rdma_ndk"
"Description"="@%SystemRoot%\\system32\\drivers\\tcpip.sys,-10108"
"InfPath"="nettcpip.inf"
"InfSection"="MS_RDMA.NDK.PrimaryInstall"
"LocDescription"="@%SystemRoot%\\system32\\drivers\\tcpip.sys,-10108"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{414E444B-444D-0052-A0C8-EE4678CF4C97}\Ndi]
"BindForm"="RDMANDK"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{414E444B-444D-0052-A0C8-EE4678CF4C97}\Ndi\Interfaces]
"LowerRange"="ndis5"
"UpperRange"="noupper"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{43504950-0054-0000-4396-F76B563A898A}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Characteristics"=dword:000000a0
"ComponentId"="ms_tcpip"
"Description"="@%SystemRoot%\\system32\\drivers\\tcpip.sys,-10100"
"InfPath"="nettcpip.inf"
"InfSection"="MS_TCPIP.PrimaryInstall"
"LocDescription"="@%SystemRoot%\\system32\\drivers\\tcpip.sys,-10100"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{43504950-0054-0000-4396-F76B563A898A}\Ndi]
"HelpText"="@%SystemRoot%\\system32\\drivers\\tcpip.sys,-10101"
"Service"="Tcpip"
"ClsId"="{A907657F-6FDF-11D0-8EFB-00C04FD912B2}"
"BindForm"="Tcpip"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{43504950-0054-0000-4396-F76B563A898A}\Ndi\Interfaces]
"LowerRange"="ndis5,ndis5_ip,flpp4"
"UpperRange"="tdi"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{45544254-004E-0000-E5E8-E867C26A2D4B}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Characteristics"=dword:00000028
"ComponentId"="ms_netbt"
"Description"="@%windir%\\system32\\drivers\\netbt.sys,-3"
"InfPath"="nettcpip.inf"
"InfSection"="MS_WINS.PrimaryInstall"
"LocDescription"="@%windir%\\system32\\drivers\\netbt.sys,-3"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{45544254-004E-0000-E5E8-E867C26A2D4B}\Ndi]
"Service"="NetBT"
"BindForm"="NetBT"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{45544254-004E-0000-E5E8-E867C26A2D4B}\Ndi\Interfaces]
"LowerRange"="tdi"
"UpperRange"="netbios"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{464F524D-4154-504C-A0A2-41BDC48EF8E9}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"ComponentId"="ms_implat"
"Description"="@%SystemRoot%\\System32\\drivers\\ndisimplatform.sys,-501"
"InfPath"="NdisImPlatform.inf"
"InfSection"="NdisImPlatform.ndi"
"LocDescription"="@%SystemRoot%\\System32\\drivers\\ndisimplatform.sys,-501"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{464F524D-4154-504C-A0A2-41BDC48EF8E9}\Ndi]
"HelpText"="@%SystemRoot%\\System32\\drivers\\ndisimplatform.sys,-500"
"Service"="NdisImPlatform"
"BindForm"="NdisImPlatform"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{464F524D-4154-504C-A0A2-41BDC48EF8E9}\Ndi\Interfaces]
"LowerRange"="ndis5"
"UpperRange"="noupper"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{47414359-4C45-414E-7468-D029FA65984D}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"ComponentId"="ms_ndiswanlegacy"
"Description"="@%windir%\\system32\\mprmsg.dll,-32014"
"InfPath"="netrast.inf"
"InfSection"="Ndi-NdisWanLegacy"
"LocDescription"="@%windir%\\system32\\mprmsg.dll,-32014"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{47414359-4C45-414E-7468-D029FA65984D}\Ndi]
"Service"="ndiswanlegacy"
"BindForm"="ndiswanlegacy"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{47414359-4C45-414E-7468-D029FA65984D}\Ndi\Interfaces]
"LowerRange"="ndiswan"
"UpperRange"="noupper"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{49524441-0000-0000-1D88-9D0178AC79BF}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Characteristics"=dword:00000028
"ComponentId"="ms_irda"
"Description"="@netirda.inf,%irda.displayname%;IrDA Protocol"
"InfPath"="netirda.inf"
"InfSection"="IrDA.Install"
"LocDescription"="@netirda.inf,%irda.displayname%;IrDA Protocol"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{49524441-0000-0000-1D88-9D0178AC79BF}\Ndi]
"HelpText"="@netirda.inf,%irda.helptext%;Infrared Data Association Protocol. Easy to use self configuring point-to-point connectivity without wires"
"Service"="irda"
"BindForm"="IrDA"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{49524441-0000-0000-1D88-9D0178AC79BF}\Ndi\Interfaces]
"LowerRange"="ndisirda"
"UpperRange"="noupper"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{4C4C4450-4D53-0000-223C-9A85482F4393}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"ComponentId"="ms_lldp"
"Description"="@%SystemRoot%\\system32\\drivers\\mslldp.sys,-211"
"InfPath"="netlldp.inf"
"InfSection"="Install"
"LocDescription"="@%SystemRoot%\\system32\\drivers\\mslldp.sys,-211"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{4C4C4450-4D53-0000-223C-9A85482F4393}\Ndi]
"HelpText"="@%SystemRoot%\\system32\\drivers\\mslldp.sys,-210"
"Service"="MsLldp"
"BindForm"="MsLldp"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{4C4C4450-4D53-0000-223C-9A85482F4393}\Ndi\Interfaces]
"LowerRange"="ndis5"
"UpperRange"="noupper"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{4E415250-5741-0000-4F47-6E7DD56A104E}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"ComponentId"="ms_wanarp"
"Description"="@%windir%\\system32\\mprmsg.dll,-32011"
"InfPath"="netrast.inf"
"InfSection"="Ndi-Wanarp"
"LocDescription"="@%windir%\\system32\\mprmsg.dll,-32011"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{4E415250-5741-0000-4F47-6E7DD56A104E}\Ndi]
"Service"="wanarp"
"BindForm"="wanarp"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{4E415250-5741-0000-4F47-6E7DD56A104E}\Ndi\Interfaces]
"LowerRange"="ndiswanip"
"UpperRange"="noupper"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{4E4E454C-5455-4950-4357-8542DC463EC5}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Characteristics"=dword:00000028
"ComponentId"="ms_tcpip_tunnel"
"Description"="@%SystemRoot%\\system32\\drivers\\tcpip.sys,-10104"
"InfPath"="nettcpip.inf"
"InfSection"="MS_TCPIP.Tunnel.PrimaryInstall"
"LocDescription"="@%SystemRoot%\\system32\\drivers\\tcpip.sys,-10104"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{4E4E454C-5455-4950-4357-8542DC463EC5}\Ndi]
"BindForm"="TCPIPTUNNEL"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{4E4E454C-5455-4950-4357-8542DC463EC5}\Ndi\Interfaces]
"LowerRange"="ndis5_tunnel"
"UpperRange"="noupper"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{4E4E454C-5455-5036-4166-270ABA793D96}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Characteristics"=dword:00000028
"ComponentId"="ms_tcpip6_tunnel"
"Description"="@%SystemRoot%\\system32\\drivers\\tcpip.sys,-10106"
"InfPath"="netip6.inf"
"InfSection"="MS_TCPIP6.Tunnel.Install"
"LocDescription"="@%SystemRoot%\\system32\\drivers\\tcpip.sys,-10106"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{4E4E454C-5455-5036-4166-270ABA793D96}\Ndi]
"BindForm"="TCPIP6TUNNEL"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{4E4E454C-5455-5036-4166-270ABA793D96}\Ndi\Interfaces]
"LowerRange"="ndis5_tunnel,ndis5_ip6_tunnel"
"UpperRange"="noupper"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{50495036-5443-0000-C278-68FD7DFB2873}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Characteristics"=dword:000000a0
"ComponentId"="ms_tcpip6"
"Description"="@%SystemRoot%\\system32\\drivers\\tcpip.sys,-10102"
"InfPath"="netip6.inf"
"InfSection"="MS_TCPIP6.Install"
"LocDescription"="@%SystemRoot%\\system32\\drivers\\tcpip.sys,-10102"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{50495036-5443-0000-C278-68FD7DFB2873}\Ndi]
"HelpText"="@%SystemRoot%\\system32\\drivers\\tcpip.sys,-10103"
"Service"="Tcpip6"
"ClsId"="{0C41D1E6-9D16-41ED-9CDD-D0665039857B}"
"BindForm"="Tcpip6"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{50495036-5443-0000-C278-68FD7DFB2873}\Ndi\Interfaces]
"LowerRange"="ndis5,ndis5_tunnel,ndis5_ip6_tunnel,flpp6"
"UpperRange"="tdi"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{504E4452-5253-0000-B220-5E7AD36F7B3A}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"ComponentId"="ms_rspndr"
"Description"="@%SystemRoot%\\system32\\lltdres.dll,-5"
"InfPath"="rspndr.inf"
"InfSection"="Install"
"LocDescription"="@%SystemRoot%\\system32\\lltdres.dll,-5"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{504E4452-5253-0000-B220-5E7AD36F7B3A}\Ndi]
"HelpText"="@%SystemRoot%\\system32\\lltdres.dll,-3"
"Service"="rspndr"
"BindForm"="rspndr"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{504E4452-5253-0000-B220-5E7AD36F7B3A}\Ndi\Interfaces]
"LowerRange"="ndis5"
"UpperRange"="noupper"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{50504F45-5350-5241-55EF-06B36EF6E4C7}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"ComponentId"="ms_pppoe"
"Description"="@%windir%\\system32\\mprmsg.dll,-32015"
"InfPath"="netrast.inf"
"InfSection"="Ndi-PppoeProtocol"
"LocDescription"="@%windir%\\system32\\mprmsg.dll,-32015"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{50504F45-5350-5241-55EF-06B36EF6E4C7}\Ndi]
"HelpText"="@%windir%\\system32\\mprmsg.dll,-32015"
"Service"="RasPppoe"
"BindForm"="RasPppoe"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{50504F45-5350-5241-55EF-06B36EF6E4C7}\Ndi\Interfaces]
"LowerRange"="ndis4,ndis5"
"UpperRange"="noupper"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{52505636-4E41-5741-78B8-9CA6E2AF3B73}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"ComponentId"="ms_wanarpv6"
"Description"="@%windir%\\system32\\mprmsg.dll,-32012"
"InfPath"="netrast.inf"
"InfSection"="Ndi-Wanarpv6"
"LocDescription"="@%windir%\\system32\\mprmsg.dll,-32012"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{52505636-4E41-5741-78B8-9CA6E2AF3B73}\Ndi]
"Service"="wanarpv6"
"BindForm"="wanarpv6"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{52505636-4E41-5741-78B8-9CA6E2AF3B73}\Ndi\Interfaces]
"LowerRange"="ndiswanipv6"
"UpperRange"="noupper"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{53534D42-494F-5442-CC18-B25667ED6E1E}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"Characteristics"=dword:00000038
"ComponentId"="ms_netbt_smb"
"Description"="@%windir%\\system32\\drivers\\netbt.sys,-4"
"InfPath"="nettcpip.inf"
"InfSection"="MS_NETBT_SMB.PrimaryInstall"
"LocDescription"="@%windir%\\system32\\drivers\\netbt.sys,-4"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{53534D42-494F-5442-CC18-B25667ED6E1E}\Ndi]
"BindForm"="NetbiosSmb"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{53534D42-494F-5442-CC18-B25667ED6E1E}\Ndi\Interfaces]
"LowerRange"="nolower"
"UpperRange"="netbios_smb"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{5355494F-4449-004E-4AA3-6271CE351349}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"ComponentId"="ms_ndisuio"
"Description"="@%windir%\\system32\\drivers\\ndisuio.sys,-501"
"InfPath"="ndisuio.inf"
"InfSection"="Install"
"LocDescription"="@%windir%\\system32\\drivers\\ndisuio.sys,-501"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{5355494F-4449-004E-4AA3-6271CE351349}\Ndi]
"HelpText"="@%windir%\\system32\\drivers\\ndisuio.sys,-500"
"Service"="Ndisuio"
"BindForm"="Ndisuio"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{5355494F-4449-004E-4AA3-6271CE351349}\Ndi\Interfaces]
"LowerRange"="ndis5,ndis4,ndis5_uio,flpp4,flpp6"
"UpperRange"="noupper"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{5357414E-4449-004E-7CF1-D431BBD4B8EB}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"ComponentId"="ms_ndiswan"
"Description"="@%windir%\\system32\\mprmsg.dll,-32002"
"InfPath"="netrast.inf"
"InfSection"="Ndi-NdisWan"
"LocDescription"="@%windir%\\system32\\mprmsg.dll,-32002"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{5357414E-4449-004E-7CF1-D431BBD4B8EB}\Ndi]
"Service"="NdisWan"
"BindForm"="NdisWan"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{5357414E-4449-004E-7CF1-D431BBD4B8EB}\Ndi\Interfaces]
"LowerRange"="ndisatm,ndiscowan,ndiswanasync"
"UpperRange"="noupper"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{5444494F-4C4C-0000-B6DF-CDB5E038E33A}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"ComponentId"="ms_lltdio"
"Description"="@%SystemRoot%\\system32\\lltdres.dll,-6"
"InfPath"="lltdio.inf"
"InfSection"="Install"
"LocDescription"="@%SystemRoot%\\system32\\lltdres.dll,-6"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{5444494F-4C4C-0000-B6DF-CDB5E038E33A}\Ndi]
"HelpText"="@%SystemRoot%\\system32\\lltdres.dll,-4"
"Service"="lltdio"
"BindForm"="lltdio"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{5444494F-4C4C-0000-B6DF-CDB5E038E33A}\Ndi\Interfaces]
"LowerRange"="ndis5"
"UpperRange"="noupper"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{56465050-5343-5456-47F9-EC637C282991}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"ComponentId"="netvsc_vfpp"
"Description"="Microsoft NetVsc Failover VF Protocol"
"InfPath"="wnetvsc_vfpp.inf"
"InfSection"="netvscvfpp.ndi"
"LocDescription"="Microsoft NetVsc Failover VF Protocol"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{56465050-5343-5456-47F9-EC637C282991}\Ndi]
"HelpText"="NetVsc Failover VF Protocol"
"Service"="netvscvfpp"
"BindForm"="netvscvfpp"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{56465050-5343-5456-47F9-EC637C282991}\Ndi\Interfaces]
"LowerRange"="ndisvf"
"UpperRange"="noupper"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{58474950-424F-0058-CFE8-ABA2187557F2}]
"InstallTimeStamp"=hex:dd,07,0c,00,04,00,05,00,00,00,00,00,00,00,00,00
"ComponentId"="ms_xboxgip"
"Description"="Xbox Game Input Protocol Driver"
"LocDescription"="Xbox Game Input Protocol Driver"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{58474950-424F-0058-CFE8-ABA2187557F2}\Ndi]
"HelpText"="A driver to support communication with Xbox Gaming devices"
"Service"="Xboxgip"
"BindForm"="xboxgip"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{58474950-424F-0058-CFE8-ABA2187557F2}\Ndi\Interfaces]
"LowerRange"="ndisgip"
"UpperRange"="noupper"
 


#12 Oh My!


    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,058 posts
  • Gender:Male
  • Location:California

Posted 13 July 2018 - 01:53 PM

Thank you.

While we are cleaning your computer you may want to review information about the All Radio infection here.

Please do this now.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time
  • The information will be copied invisibly and will be "pasted" into FRST automatically when you click Fix as instructed below
Start::
StartRegedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network
"set_pt"=-
"atimode"=-
"shield_count"=-
EndRegedit:
cmd: bcdedit
End::
  • Click Fix
  • When completed, the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#13 cablecon

  • Topic Starter

  • Members
  • 19 posts

Posted 13 July 2018 - 02:01 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 20.06.2018
Ran by Karen (13-07-2018 15:01:21) Run:2
Running from C:\Users\Karen\Desktop
Loaded Profiles: Karen (Available Profiles: Karen & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
StartRegedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network
"set_pt"=-
"atimode"=-
"shield_count"=-
EndRegedit:
cmd: bcdedit
 
*****************
 
 
====> Registry
 
========= bcdedit =========


#14 Oh My!


    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,058 posts
  • Gender:Male
  • Location:California

Posted 13 July 2018 - 02:16 PM

Is that the entire report? We are missing the bcdedit information.
Gary
 

#15 cablecon

  • Topic Starter

  • Members
  • 19 posts

Posted 13 July 2018 - 02:20 PM

Sorry about that

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 20.06.2018
Ran by Karen (13-07-2018 15:19:34) Run:3
Running from C:\Users\Karen\Desktop
Loaded Profiles: Karen (Available Profiles: Karen & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
StartRegedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network
"set_pt"=-
"atimode"=-
"shield_count"=-
EndRegedit:
cmd: bcdedit
 
*****************
 
 
====> Registry
 
========= bcdedit =========
 
 
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {00242bb0-df89-11e7-90e0-ecf4bb03df43}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
 
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.exe
description             Windows 10
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {21ae34c1-3d28-11e8-bbdb-df33072c818d}
displaymessageoverride  Recovery
recoveryenabled         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \WINDOWS
resumeobject            {00242bb0-df89-11e7-90e0-ecf4bb03df43}
nx                      OptIn
bootmenupolicy          Standard
 
========= End of CMD: =========
 
 
==== End of Fixlog 15:19:35 ====




