Rootkit issue, can't kill the problem file


1 reply to this topic

#1 williebuckets
Posted 16 July 2018 - 09:49 PM

My problem is basically identical to the problem described in this thread: https://www.bleepingcomputer.com/forums/t/680214/unkillable-process-spawns-multiple-tcp-sessions-and-uses-50-cpu-miner/

After a (dumb) torrent download, I've ended up with another unkillable folder called sbetzlv which I cannot access at all. I tried running a few programs (standard Malwarebytes, rkill, TDSSKiller, LockHunter) and nothing could kill it. Malwarebytes' anti-rootkit program identified it but wasn't able to kill it when I rebooted. GMER also identified it. I tried running PC Hunter and the program would not run.

I've attached FRST and GMER results here.

Thanks for any help you can give me, I really appreciate it.

FRST

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15.07.2018
Ran by Will (administrator) on DESKTOP-1JHIH6B (16-07-2018 20:14:40)
Running from C:\Users\Will\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads
Loaded Profiles: Will (Available Profiles: Will)
Platform: Windows 10 Pro Version 1803 17134.112 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(TOSHIBA CORPORATION) C:\Windows\System32\mbhxertsvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(@ByELDI) C:\Program Files\KMSpico\Service_KMS.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
() C:\Users\Will\AppData\Local\sbetzlv\sbetzlv.exe
(Microsoft Corporation) C:\Windows\System32\Taskmgr.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
(Microsoft Corporation) C:\Windows\System32\browser_broker.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
() C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe
() C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe
() C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe
() C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe
() C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe
() C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe
(Farbar) C:\Users\Will\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\FRST64 (1).exe
==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [638872 2018-04-11] (Microsoft Corporation)
HKLM\...\Run: [Mahogany] => "C:\Program Files (x86)\Perceive\Trekked.exe" azim
HKLM\...\Run: [Gatekeeping] => "C:\Program Files (x86)\inauthentic\Mailer.exe" azim
HKLM\...\Run: [Beads] => "C:\Program Files (x86)\Byu\Trekked.exe" azim
HKLM-x32\...\Run: [Kabbani] => "C:\Program Files (x86)\Perceive\Trekked.exe" azim
HKLM-x32\...\Run: [Chromed] => "C:\Program Files (x86)\inauthentic\Mailer.exe" azim
HKLM-x32\...\Run: [Reign] => "C:\Program Files (x86)\Byu\Trekked.exe" azim
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3033074897-1585976014-732848827-1001\...\Run: [Notice] => "C:\Program Files (x86)\Perceive\Trekked.exe" azim
HKU\S-1-5-21-3033074897-1585976014-732848827-1001\...\Run: [Fingerhut] => "C:\Program Files (x86)\inauthentic\Mailer.exe" azim
HKU\S-1-5-21-3033074897-1585976014-732848827-1001\...\Run: [Nosedive] => "C:\Program Files (x86)\Byu\Trekked.exe" azim
HKU\S-1-5-21-3033074897-1585976014-732848827-1001\...\Run: [Samplers] => "C:\Program Files (x86)\Perceive\Trekked.exe" azim
HKU\S-1-5-21-3033074897-1585976014-732848827-1001\...\Run: [Ukraine] => "C:\Program Files (x86)\inauthentic\Mailer.exe" azim
HKU\S-1-5-21-3033074897-1585976014-732848827-1001\...\Run: [Noxious] => "C:\Program Files (x86)\Byu\Trekked.exe" azim
HKU\S-1-5-21-3033074897-1585976014-732848827-1001\...\Run: [faldo] => "C:\Program Files (x86)\foreshadow\faldo.exe" azim
HKU\S-1-5-21-3033074897-1585976014-732848827-1001\...\Run: [examinee] => "C:\Program Files (x86)\Perceive\Trekked.exe" azim
Startup: C:\Users\Will\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CXIJ0hoyPTyuTre.lnk [2018-07-16]
ShortcutTarget: CXIJ0hoyPTyuTre.lnk -> C:\Program Files (x86)\I5jPX5vtAZfi41h.exe (No File)
Startup: C:\Users\Will\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pleasures.lnk [2018-07-16]
ShortcutTarget: pleasures.lnk -> C:\Program Files (x86)\Perceive\Trekked.exe (No File)
Startup: C:\Users\Will\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pleasurespleasures.lnk [2018-07-16]
ShortcutTarget: pleasurespleasures.lnk -> C:\Program Files (x86)\inauthentic\Mailer.exe (No File)
Startup: C:\Users\Will\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2018-07-16]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation)
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{3bca72a4-4c65-4891-bb99-8e590e00eb40}: [DhcpNameServer] 192.168.1.1
Internet Explorer:
==================
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2018-07-13] (Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-07-13] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-07-13] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-07-13] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-07-13] (Microsoft Corporation)
FireFox:
========
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2018-07-13] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-07-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-07-13] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=3.0.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-05-29] (VideoLAN)
Chrome:
=======
CHR DefaultSearchKeyword: Default -> lp
CHR Profile: C:\Users\Will\AppData\Local\Google\Chrome\User Data\Default [2018-07-16]
CHR Extension: (Slides) - C:\Users\Will\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-07-13]
CHR Extension: (Docs) - C:\Users\Will\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-07-13]
CHR Extension: (Google Drive) - C:\Users\Will\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-07-13]
CHR Extension: (YouTube) - C:\Users\Will\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-07-13]
CHR Extension: (Sheets) - C:\Users\Will\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-07-13]
CHR Extension: (Google Docs Offline) - C:\Users\Will\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-07-13]
CHR Extension: (AdBlock) - C:\Users\Will\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2018-07-13]
CHR Extension: (LastPass: Free Password Manager) - C:\Users\Will\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2018-07-13]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Will\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-07-13]
CHR Extension: (Gmail) - C:\Users\Will\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-07-13]
CHR Extension: (Chrome Media Router) - C:\Users\Will\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-07-13]
==================== Services (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
HKLM\SYSTEM\CurrentControlSet\Services\xcslaem <==== ATTENTION (Rootkit!)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [8765104 2018-06-20] (Microsoft Corporation)
S2 N2NmZTUxMTFm; C:\Program Files\N2NmZTUxMTFm\NDkxNjEwO.exe [828592 2018-07-15] ()
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [4737448 2018-04-12] (Microsoft Corporation)
R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [745664 2016-01-11] (@ByELDI) [File not signed]
S4 ssh-agent; C:\WINDOWS\System32\OpenSSH\ssh-agent.exe [495616 2018-03-10] ()
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\NisSrv.exe [3925648 2018-07-15] (Microsoft Corporation)
S2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MsMpEng.exe [100080 2018-07-15] (Microsoft Corporation)
S2 MicroService; C:\Users\Will\AppData\Local\XService\XService.dll [X] <==== ATTENTION
R2 MzJkZmNl; rundll32.exe C:\WINDOWS\gijjfgepxydzniib.gij JqcGNRzfgsZBNjcm [X]
S4 windowsmanagementservice; windowsmanagementservice [X] <==== ATTENTION
===================== Drivers (Whitelisted) ======================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 AppleKmdfFilter; C:\WINDOWS\System32\drivers\AppleKmdfFilter.sys [20640 2018-04-26] (Apple Inc.)
S3 AppleLowerFilter; C:\WINDOWS\System32\drivers\AppleLowerFilter.sys [35560 2018-04-26] (Apple Inc.)
S3 DSI_SiUSBXp_3_1; C:\WINDOWS\system32\drivers\DSI_SiUSBXp_3_1.sys [16384 2007-09-06] (Silicon Laboratories)
S3 iaLPSS_GPIO; C:\WINDOWS\System32\drivers\iaLPSS_GPIO.sys [24568 2014-10-25] (Intel Corporation)
S3 iaLPSS_I2C; C:\WINDOWS\System32\drivers\iaLPSS_I2C.sys [99320 2014-10-25] (Intel Corporation)
S3 iaLPSS_SPI; C:\WINDOWS\System32\drivers\iaLPSS_SPI.sys [83960 2015-07-30] (Intel Corporation)
S3 iaLPSS_UART2; C:\WINDOWS\System32\drivers\iaLPSS_UART2.sys [128504 2015-07-30] (Intel Corporation)
R1 MDkxN; C:\WINDOWS\System32\drivers\MDkxN.sys [210568 2018-07-15] ()
R3 MEIx64; C:\WINDOWS\System32\drivers\TeeDriverx64.sys [100312 2014-10-25] (Intel Corporation)
S3 PTSimHid; C:\WINDOWS\System32\drivers\PTSimHid.sys [22912 2017-02-16] (UC-Logic Technology Corp.)
S3 qcusbser; C:\WINDOWS\System32\drivers\qcusbser.sys [254520 2017-03-14] (QUALCOMM Incorporated)
S3 RTSUER; C:\WINDOWS\system32\Drivers\RtsUer.sys [423144 2015-10-14] (Realsil Semiconductor Corporation)
S3 smbdirect; C:\WINDOWS\System32\DRIVERS\smbdirect.sys [152064 2018-04-12] (Microsoft Corporation)
S3 SurfaceTouchCover; C:\WINDOWS\System32\drivers\SurfaceTouchCover.sys [35976 2014-10-25] (Microsoft Corporation)
R3 TrueColor; C:\WINDOWS\system32\DRIVERS\TrueColor.sys [35952 2014-10-25] ()
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [46592 2018-07-15] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [340008 2018-07-15] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [59944 2018-07-15] (Microsoft Corporation)
S3 WirelessKeyboardFilter; C:\WINDOWS\System32\drivers\WirelessKeyboardFilter.sys [49896 2016-07-22] (Microsoft Corporation)
R3 adgjnq; system32\drivers\gjnqtw.sys [X]
S4 bdrpx; System32\drivers\sekpobgr.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2018-07-16 20:14 - 2018-07-16 20:14 - 000000000 ____D C:\FRST
2018-07-16 20:06 - 2018-07-16 20:06 - 000004608 _____ C:\WINDOWS\SECOH-QAD.exe
2018-07-16 19:36 - 2018-07-16 19:36 - 000253664 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2018-07-16 19:36 - 2018-07-16 19:36 - 000191208 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MbamChameleon.sys
2018-07-16 19:36 - 2018-07-16 19:36 - 000114920 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2018-07-16 19:36 - 2018-07-16 19:36 - 000102632 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2018-07-16 19:36 - 2018-07-16 19:36 - 000048360 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2018-07-16 19:36 - 2018-07-16 19:36 - 000001919 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-07-16 19:36 - 2018-07-16 19:36 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-07-16 19:36 - 2018-06-19 14:09 - 000152688 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbae64.sys
2018-07-16 19:35 - 2018-07-16 19:35 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-07-16 19:35 - 2018-07-16 19:35 - 000000000 ____D C:\Program Files\Malwarebytes
2018-07-16 19:29 - 2018-07-16 19:34 - 075581064 _____ (Malwarebytes ) C:\Users\Will\Downloads\mb3-setup-consumer-3.5.1.2522-1.0.391-1.0.5919.exe
2018-07-16 19:28 - 2018-07-16 19:28 - 005659639 _____ (Swearware) C:\Users\Will\Downloads\ComboFix.exe
2018-07-16 19:26 - 2018-07-16 19:27 - 000003444 _____ C:\Users\Will\Desktop\Rkill.txt
2018-07-16 19:26 - 2018-07-16 19:26 - 001802704 _____ (Bleeping Computer, LLC) C:\Users\Will\Downloads\rkill.exe
2018-07-16 19:15 - 2018-07-16 19:15 - 000000000 ____D C:\Users\Will\AppData\Local\CEF
2018-07-16 19:14 - 2018-07-16 20:07 - 000000000 ____D C:\Users\Will\AppData\Local\D3DSCache
2018-07-16 19:13 - 2018-07-16 19:13 - 000145232 ____N C:\WINDOWS\system32\Drivers\nickorux.sys
2018-07-16 19:09 - 2018-07-16 19:10 - 020093968 _____ (Malwarebytes ) C:\Users\Will\Downloads\Unconfirmed 459367.crdownload
2018-07-16 19:01 - 2018-07-16 19:41 - 000000000 ____D C:\Program Files\N2NmZTUxMTFm
2018-07-16 19:01 - 2018-07-16 19:01 - 000167034 _____ C:\Users\Will\Downloads\fileassassin-setup-1.06.exe
2018-07-16 19:01 - 2018-07-16 19:01 - 000001131 _____ C:\Users\Public\Desktop\FileASSASSIN.lnk
2018-07-16 19:01 - 2018-07-16 19:01 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileASSASSIN
2018-07-16 19:01 - 2018-07-16 19:01 - 000000000 ____D C:\Program Files (x86)\FileASSASSIN
2018-07-16 19:00 - 2018-07-16 19:14 - 000000000 ____D C:\Users\Will\AppData\LocalLow\uTorrent
2018-07-16 19:00 - 2018-07-16 18:22 - 000400896 _____ C:\Users\Will\AppData\Local\Trekked.exe
2018-07-16 18:54 - 2018-07-16 18:54 - 000003584 _____ C:\WINDOWS\SECOH-QAD.dll
2018-07-16 18:54 - 2018-07-16 18:54 - 000000000 ____D C:\ProgramData\LHService
2018-07-16 18:51 - 2018-07-16 18:51 - 000000000 ____D C:\ProgramData\LockHunter
2018-07-16 18:50 - 2018-07-16 18:50 - 000000000 ____D C:\Users\Will\AppData\Roaming\LockHunter
2018-07-16 18:49 - 2018-07-16 18:49 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LockHunter
2018-07-16 18:49 - 2018-07-16 18:49 - 000000000 ____D C:\Program Files\LockHunter
2018-07-16 18:48 - 2018-07-16 18:49 - 003133480 _____ (Crystal Rich Ltd ) C:\Users\Will\Downloads\lockhuntersetup_3-2-3.exe
2018-07-16 18:45 - 2018-07-16 20:13 - 000000000 ____D C:\Users\Will\AppData\Local\mscgvtn
2018-07-16 18:38 - 2018-07-16 20:12 - 000000000 ____D C:\Users\Will\AppData\Local\sbetzlv
2018-07-16 18:38 - 2018-07-16 18:38 - 000000000 ____D C:\Users\Will\AppData\Local\scixdnv
2018-07-16 18:36 - 2018-07-16 20:06 - 002912256 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\mbhxertsvc.exe
2018-07-16 18:36 - 2018-07-16 18:54 - 000001544 _____ C:\WINDOWS\Tasks\MEETEETSE.job
2018-07-16 18:36 - 2018-07-16 18:36 - 000013980 _____ C:\WINDOWS\System32\Tasks\MEETEETSE
2018-07-16 18:36 - 2018-07-16 18:36 - 000000000 ____D C:\WINDOWS\SysWOW64\senwmrt
2018-07-16 18:36 - 2018-07-16 18:36 - 000000000 ____D C:\WINDOWS\system32\senwmrt
2018-07-16 18:35 - 2018-07-16 18:35 - 000000000 ____D C:\Users\Will\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
2018-07-16 18:35 - 2018-07-16 18:35 - 000000000 ____D C:\Users\Will\AppData\Roaming\et
2018-07-16 18:32 - 2018-07-16 18:32 - 000000000 ____D C:\Users\Will\AppData\Roaming\Macromedia
2018-07-16 18:31 - 2018-07-16 18:35 - 000000000 ____D C:\Users\Will\AppData\Roaming\AGData
2018-07-16 18:31 - 2018-07-16 18:31 - 000003410 _____ C:\WINDOWS\System32\Tasks\AGProxyCheck
2018-07-16 18:31 - 2018-07-16 18:31 - 000000012 _____ C:\WINDOWS\b73612015
2018-07-16 18:31 - 2018-07-16 18:31 - 000000000 ____D C:\WINDOWS\system32\appmgmt
2018-07-16 18:30 - 2018-07-16 18:30 - 000003842 _____ C:\WINDOWS\System32\Tasks\rumbling-betcha
2018-07-16 18:30 - 2018-07-16 18:30 - 000003832 _____ C:\WINDOWS\System32\Tasks\unbelievably
2018-07-16 18:30 - 2018-07-16 18:30 - 000003832 _____ C:\WINDOWS\System32\Tasks\trad_uneventfully
2018-07-16 18:30 - 2018-07-16 18:30 - 000003828 _____ C:\WINDOWS\System32\Tasks\undreamt_pleats
2018-07-16 18:30 - 2018-07-16 18:30 - 000003824 _____ C:\WINDOWS\System32\Tasks\sno originates
2018-07-16 18:30 - 2018-07-16 18:30 - 000003818 _____ C:\WINDOWS\System32\Tasks\macon
2018-07-16 18:30 - 2018-07-16 18:30 - 000003818 _____ C:\WINDOWS\System32\Tasks\carvalho
2018-07-16 18:30 - 2018-07-16 18:30 - 000003720 _____ C:\WINDOWS\System32\Tasks\rumbling-betcharumbling-betcha
2018-07-16 18:30 - 2018-07-16 18:30 - 000003714 _____ C:\WINDOWS\System32\Tasks\trad_uneventfullytrad_uneventfully
2018-07-16 18:30 - 2018-07-16 18:30 - 000003706 _____ C:\WINDOWS\System32\Tasks\undreamt_pleatsundreamt_pleats
2018-07-16 18:30 - 2018-07-16 18:30 - 000003704 _____ C:\WINDOWS\System32\Tasks\unbelievablyunbelievably
2018-07-16 18:30 - 2018-07-16 18:30 - 000003700 _____ C:\WINDOWS\System32\Tasks\sno originatessno originates
2018-07-16 18:30 - 2018-07-16 18:30 - 000003682 _____ C:\WINDOWS\System32\Tasks\carvalhocarvalho
2018-07-16 18:30 - 2018-07-16 18:30 - 000003676 _____ C:\WINDOWS\System32\Tasks\maconmacon
2018-07-16 18:28 - 2018-07-16 19:42 - 000000000 ____D C:\WINDOWS\SysWOW64\SSL
2018-07-16 18:28 - 2018-07-16 18:28 - 001234432 _____ C:\WINDOWS\gijjfgepxydzniib.gij
2018-07-16 18:28 - 2018-07-16 18:28 - 000000000 ____D C:\Users\Will\Documents\LeaderTask
2018-07-16 18:28 - 2018-07-16 18:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LeaderTask
2018-07-16 18:27 - 2018-07-16 18:27 - 000000000 ____D C:\Users\Will\AppData\Local\Package Cache
2018-07-16 18:20 - 2018-07-16 18:20 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2018-07-16 18:20 - 2018-07-16 18:20 - 000000000 ____D C:\Program Files\7-Zip
2018-07-16 18:10 - 2018-07-16 18:10 - 001438086 _____ (Igor Pavlov) C:\Users\Will\Downloads\7z1805-x64.exe
2018-07-16 17:06 - 2018-07-16 17:30 - 000000000 ____D C:\Users\Will\AppData\Local\PlaceholderTileLogoFolder
2018-07-16 16:57 - 2018-07-16 17:01 - 000003474 _____ C:\WINDOWS\System32\Tasks\AutoPico Daily Restart
2018-07-16 16:55 - 2018-07-16 17:07 - 000000000 ____D C:\Program Files\KMSpico
2018-07-16 16:55 - 2018-07-16 17:01 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico
2018-07-16 16:55 - 2010-12-05 21:16 - 000090112 _____ (Vestris Inc.) C:\WINDOWS\system32\Vestris.ResourceLib.dll
2018-07-16 16:51 - 2018-07-16 16:52 - 007915893 _____ C:\Users\Will\Downloads\Files.fm_LuckySwallow_Install_v10.1.8.2.zip
2018-07-16 16:49 - 2018-07-16 16:49 - 000002062 _____ C:\Users\Will\Downloads\Links.txt
2018-07-16 10:16 - 2018-07-16 10:16 - 000080821 _____ C:\Users\Will\Downloads\EIP-2017-Statistics-for-Web.xlsx
2018-07-16 08:51 - 2018-07-16 08:51 - 012216545 _____ C:\Users\Will\Downloads\Vault Firm Guides.pdf
2018-07-16 08:50 - 2018-07-16 08:51 - 143045146 _____ C:\Users\Will\Downloads\Vault Practice Groups.pdf
2018-07-16 08:28 - 2018-07-16 08:28 - 000647079 _____ C:\Users\Will\Downloads\10-Questions-Presentation-HLS-January-2017.pdf
2018-07-15 18:00 - 2018-07-15 20:06 - 000000000 ____D C:\Users\Will\AppData\Roaming\vlc
2018-07-15 17:39 - 2018-07-15 17:39 - 000210568 _____ C:\WINDOWS\system32\Drivers\MDkxN.sys
2018-07-15 17:39 - 2018-07-15 17:39 - 000108487 _____ C:\WINDOWS\uninstaller.dat
2018-07-15 17:26 - 2018-07-15 17:26 - 000205157 _____ C:\Users\Will\Downloads\Self-Assessment-Exercises.pdf
2018-07-15 17:22 - 2018-07-16 19:42 - 000000000 ____D C:\Users\Will\AppData\Roaming\uTorrent
2018-07-15 17:22 - 2018-07-15 17:22 - 000000882 _____ C:\Users\Will\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2018-07-15 17:21 - 2018-07-15 17:21 - 002971704 _____ (BitTorrent Inc.) C:\Users\Will\Downloads\uTorrent.exe
2018-07-14 23:24 - 2018-07-14 23:24 - 000000000 ____D C:\Users\Will\AppData\Local\PeerDistRepub
2018-07-14 23:02 - 2018-07-14 23:02 - 004982409 _____ C:\Users\Will\Downloads\HLS-Law-Firm-Practice-Summary-012017.pdf
2018-07-14 21:53 - 2018-07-14 21:53 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools
2018-07-14 14:02 - 2018-07-14 14:02 - 000000000 ____D C:\Users\Will\Documents\OneNote Notebooks
2018-07-14 10:38 - 2018-07-14 10:39 - 000003374 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-3033074897-1585976014-732848827-1001
2018-07-14 00:36 - 2018-07-14 00:41 - 000000000 ____D C:\WINDOWS\system32\MRT
2018-07-14 00:36 - 2018-07-14 00:36 - 134675576 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2018-07-14 00:36 - 2018-07-14 00:36 - 000548000 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2018-07-13 16:06 - 2018-07-14 10:39 - 000000000 ___RD C:\Users\Will\OneDrive
2018-07-13 16:05 - 2018-07-13 16:05 - 000000000 ____D C:\ProgramData\Microsoft OneDrive
2018-07-13 16:05 - 2018-07-13 14:06 - 000000000 ____D C:\Users\Will\AppData\Local\MicrosoftEdge
2018-07-13 16:04 - 2018-07-16 17:28 - 000000000 ____D C:\Users\Will\AppData\Local\Publishers
2018-07-13 16:03 - 2018-07-16 17:30 - 000000000 ____D C:\Users\Will\AppData\Local\Packages
2018-07-13 16:03 - 2018-07-14 10:39 - 000002367 _____ C:\Users\Will\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2018-07-13 16:03 - 2018-07-13 16:03 - 000000020 ___SH C:\Users\Will\ntuser.ini
2018-07-13 16:03 - 2018-07-13 16:03 - 000000000 __RHD C:\Users\Public\AccountPictures
2018-07-13 16:03 - 2018-07-13 16:03 - 000000000 ___RD C:\Users\Will\3D Objects
2018-07-13 16:03 - 2018-07-13 16:03 - 000000000 ____D C:\WINDOWS\InfusedApps
2018-07-13 16:03 - 2018-07-13 16:03 - 000000000 ____D C:\Users\Will\AppData\Roaming\Adobe
2018-07-13 16:03 - 2018-07-13 16:03 - 000000000 ____D C:\Users\Will\AppData\Local\VirtualStore
2018-07-13 16:03 - 2018-07-13 15:55 - 000000000 ____D C:\WINDOWS\Panther
2018-07-13 16:03 - 2018-07-13 14:17 - 000000000 ____D C:\Users\Will\AppData\Local\ConnectedDevicesPlatform
2018-07-13 16:03 - 2018-07-13 14:06 - 000000000 ____D C:\Users\Will
2018-07-13 16:02 - 2018-07-13 16:03 - 000000000 ____D C:\WINDOWS\Firmware
2018-07-13 16:02 - 2018-07-13 16:02 - 000000000 ____D C:\WINDOWS\SysWOW64\sda
2018-07-13 16:01 - 2018-07-16 20:12 - 000838560 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2018-07-13 16:01 - 2018-07-13 16:03 - 000000000 ____D C:\WINDOWS\containers
2018-07-13 16:01 - 2018-07-13 16:01 - 000008192 _____ C:\WINDOWS\system32\config\userdiff
2018-07-13 16:01 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\Setup
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\zu-ZA
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\yo-NG
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\xh-ZA
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\wo-SN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\vi-VN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\uz-Latn-UZ
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\ur-PK
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\ug-CN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\tt-RU
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\tn-ZA
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\tk-TM
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\ti-ET
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\tg-Cyrl-TJ
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\te-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\ta-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\sw-KE
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\sr-Cyrl-RS
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\sr-Cyrl-BA
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\sq-AL
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\si-LK
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\sd-Arab-PK
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\rw-RW
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\quz-PE
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\quc-Latn-GT
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\prs-AF
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\pa-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\pa-Arab-PK
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\or-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\nso-ZA
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\nn-NO
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\ne-NP
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\mt-MT
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\mr-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\mn-MN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\ml-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\mk-MK
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\mi-NZ
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\lo-LA
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\lb-LU
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\ky-KG
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\ku-Arab-IQ
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\kok-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\kn-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\km-KH
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\kk-KZ
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\ka-GE
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\is-IS
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\ig-NG
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\id-ID
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\hy-AM
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\ha-Latn-NG
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\gu-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\gd-GB
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\ga-IE
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\fil-PH
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\fa-IR
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\cy-GB
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\chr-CHER-US
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\ca-ES-valencia
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\bs-Latn-BA
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\bn-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\bn-BD
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\be-BY
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\az-Latn-AZ
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\as-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\am-ET
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\af-ZA
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\zu-ZA
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\yo-NG
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\xh-ZA
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\wo-SN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\vi-VN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\uz-Latn-UZ
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\ur-PK
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\ug-CN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\tt-RU
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\tn-ZA
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\tk-TM
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\ti-ET
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\tg-Cyrl-TJ
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\te-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\sw-KE
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\sr-Cyrl-RS
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\sr-Cyrl-BA
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\sq-AL
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\sd-Arab-PK
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\rw-RW
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\quz-PE
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\quc-Latn-GT
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\prs-AF
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\pa-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\pa-Arab-PK
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\or-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\nso-ZA
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\nn-NO
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\ne-NP
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\mt-MT
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\mr-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\mn-MN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\ml-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\mk-MK
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\mi-NZ
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\lo-LA
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\lb-LU
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\ky-KG
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\ku-Arab-IQ
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\kok-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\kn-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\km-KH
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\kk-KZ
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\ka-GE
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\is-IS
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\ig-NG
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\id-ID
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\hy-AM
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\ha-Latn-NG
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\gu-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\gd-GB
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\ga-IE
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\fil-PH
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\fa-IR
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\cy-GB
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\chr-CHER-US
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\ca-ES-valencia
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\bs-Latn-BA
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\bn-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\bn-BD
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\be-BY
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\az-Latn-AZ
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\as-IN
2018-07-13 15:59 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\af-ZA
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\SysWOW64\winrm
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\SysWOW64\WCN
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\SysWOW64\sysprep
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\SysWOW64\slmgr
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\SysWOW64\Printing_Admin_Scripts
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\SysWOW64\MailContactsCalendarSync
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\SysWOW64\hi-IN
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\SysWOW64\gl-ES
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\SysWOW64\eu-ES
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\SysWOW64\ca-ES
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\SysWOW64\0409
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\system32\winrm
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\system32\WCN
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\system32\slmgr
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\system32\Printing_Admin_Scripts
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\system32\OpenSSH
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\system32\MailContactsCalendarSync
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\system32\hi-IN
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\system32\gl-ES
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\system32\eu-ES
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\system32\ca-ES
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\OCR
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\Program Files\Reference Assemblies
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\Program Files\MSBuild
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\Program Files (x86)\Reference Assemblies
2018-07-13 15:59 - 2018-07-13 15:59 - 000000000 ____D C:\Program Files (x86)\MSBuild
2018-07-13 15:58 - 2018-07-13 15:58 - 000000000 ____D C:\WINDOWS\system32\0409
2018-07-13 15:58 - 2018-07-13 15:58 - 000000000 ____D C:\WINDOWS\DigitalLocker
2018-07-13 15:57 - 2018-06-28 20:13 - 000835064 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2018-07-13 15:57 - 2018-06-28 20:13 - 000179704 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2018-07-13 15:57 - 2018-04-11 18:33 - 002752000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PrintConfig.dll
2018-07-13 15:55 - 2018-07-13 15:55 - 000000000 _SHDL C:\Users\Default User
2018-07-13 15:55 - 2018-07-13 15:55 - 000000000 _SHDL C:\Users\All Users
2018-07-13 15:55 - 2018-07-13 15:55 - 000000000 _SHDL C:\Documents and Settings
2018-07-13 15:54 - 2018-07-16 20:06 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2018-07-13 15:54 - 2018-07-16 19:18 - 000000000 ___RD C:\Program Files (x86)
2018-07-13 15:54 - 2018-07-16 19:14 - 000000000 ____D C:\WINDOWS\system32\config\TxR
2018-07-13 15:54 - 2018-07-16 17:35 - 000000000 ____D C:\WINDOWS\AppReadiness
2018-07-13 15:54 - 2018-07-16 17:24 - 000000000 ___HD C:\Program Files\WindowsApps
2018-07-13 15:54 - 2018-07-16 16:25 - 000000000 ____D C:\WINDOWS\system32\FxsTmp
2018-07-13 15:54 - 2018-07-15 20:33 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2018-07-13 15:54 - 2018-07-15 07:06 - 000000000 ___RD C:\Program Files\Windows Defender
2018-07-13 15:54 - 2018-07-14 00:29 - 000000000 ____D C:\WINDOWS\system32\NDF
2018-07-13 15:54 - 2018-07-13 16:03 - 000028672 _____ C:\WINDOWS\system32\config\BCD-Template
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\TextInput
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\setup
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\oobe
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\SysWOW64\Dism
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\WinBioPlugIns
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\ta-in
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\SystemResetPlatform
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\si-lk
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\setup
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\oobe
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\Dism
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\appraiser
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\system32\am-et
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\ShellExperiences
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\Provisioning
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\WINDOWS\bcastdvr
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\Program Files\Windows Photo Viewer
2018-07-13 15:54 - 2018-07-13 16:01 - 000000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2018-07-13 15:54 - 2018-07-13 15:59 - 000000000 ___SD C:\WINDOWS\SysWOW64\F12
2018-07-13 15:54 - 2018-07-13 15:59 - 000000000 ___SD C:\WINDOWS\SysWOW64\DiagSvcs
2018-07-13 15:54 - 2018-07-13 15:59 - 000000000 ___SD C:\WINDOWS\system32\F12
2018-07-13 15:54 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\SysWOW64\MUI
2018-07-13 15:54 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\SysWOW64\com
2018-07-13 15:54 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\system32\Sysprep
2018-07-13 15:54 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\system32\MUI
2018-07-13 15:54 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\system32\migwiz
2018-07-13 15:54 - 2018-07-13 15:59 - 000000000 ____D C:\WINDOWS\PolicyDefinitions
2018-07-13 15:54 - 2018-07-13 15:58 - 000000000 ___SD C:\WINDOWS\system32\dsc
2018-07-13 15:54 - 2018-07-13 15:58 - 000000000 ___SD C:\WINDOWS\system32\DiagSvcs
2018-07-13 15:54 - 2018-07-13 15:58 - 000000000 ____D C:\WINDOWS\system32\com
2018-07-13 15:54 - 2018-07-13 15:58 - 000000000 ____D C:\WINDOWS\IME
2018-07-13 15:54 - 2018-07-13 15:58 - 000000000 ____D C:\WINDOWS\Help
2018-07-13 15:54 - 2018-07-13 15:58 - 000000000 ____D C:\Program Files\Windows Defender Advanced Threat Protection
2018-07-13 15:54 - 2018-07-13 15:58 - 000000000 ____D C:\Program Files\Common Files\system
2018-07-13 15:54 - 2018-07-13 15:58 - 000000000 ____D C:\Program Files (x86)\Windows Defender
2018-07-13 15:54 - 2018-07-13 15:57 - 000000000 ____D C:\WINDOWS\system32\spool
2018-07-13 15:54 - 2018-07-13 15:56 - 000000000 ____D C:\WINDOWS\system32\WinBioDatabase
2018-07-13 15:54 - 2018-07-13 15:55 - 000000000 ____D C:\WINDOWS\CSC
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 __SHD C:\WINDOWS\BitLockerDiscoveryVolumeContents
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 __SHD C:\Program Files\Windows Sidebar
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 __SHD C:\Program Files (x86)\Windows Sidebar
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 __RSD C:\WINDOWS\media
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 __RHD C:\Users\Public\Libraries
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ___SD C:\WINDOWS\SysWOW64\Nui
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ___SD C:\WINDOWS\SysWOW64\Configuration
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ___SD C:\WINDOWS\system32\UNP
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ___SD C:\WINDOWS\system32\Nui
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ___SD C:\WINDOWS\system32\Configuration
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ___SD C:\WINDOWS\system32\AppV
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ___SD C:\WINDOWS\Downloaded Program Files
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ___RD C:\WINDOWS\Offline Web Pages
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ___HD C:\WINDOWS\LanguageOverlayCache
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ___HD C:\WINDOWS\ELAMBKUP
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\Web
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\WaaS
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\Vss
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\tracing
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\TAPI
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\WinMetadata
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\SMI
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\ras
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\NDF
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\Msdtc
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\migwiz
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\Macromed
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\Ipmi
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\InputMethod
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\inetsrv
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\IME
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\icsxml
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\GroupPolicyUsers
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\GroupPolicy
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\FxsTmp
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\downlevel
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\Bthprops
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\AppLocker
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SysWOW64\AdvancedInstallers
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SystemResources
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SystemApps
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\WinMetadata
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\winevt
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\ta-lk
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\ShellExperiences
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\SecureBootUpdates
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\ras
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\ProximityToast
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\PointOfService
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\my-mm
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\MsDtc
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\Macromed
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\Ipmi
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\InputMethod
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\inetsrv
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\IME
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\icsxml
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\ias
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\hydrogen
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\GroupPolicyUsers
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\GroupPolicy
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\DriverState
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\Drivers\DriverData
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\downlevel
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\DDFs
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\config\systemprofile
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\config\Journal
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\Bthprops
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\AppLocker
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\AdvancedInstallers
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\System
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SKB
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\ShellComponents
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\ServiceState
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\security
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\schemas
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\SchCache
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\Resources
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\rescache
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\RemotePackages
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\Registration
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\PLA
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\Performance
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\ModemLogs
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\L2Schemas
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\InputMethod
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\IdentityCRL
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\Globalization
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\GameBarPresenceWriter
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\Cursors
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\Branding
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\appcompat
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\addins
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\ProgramData\WindowsHolographicDevices
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\ProgramData\USOShared
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\ProgramData\USOPrivate
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\Program Files\Windows Security
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\Program Files\Windows Portable Devices
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\Program Files\windows nt
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\Program Files\Windows Multimedia Platform
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\Program Files\Common Files\Services
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\Program Files (x86)\Windows Portable Devices
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\Program Files (x86)\windows nt
2018-07-13 15:54 - 2018-07-13 15:54 - 000000000 ____D C:\Program Files (x86)\Windows Multimedia Platform
2018-07-13 15:54 - 2018-07-13 15:53 - 000229376 _____ (Microsoft Corporation) C:\WINDOWS\system32\msclmd.dll
2018-07-13 15:54 - 2018-07-13 15:53 - 000215943 _____ C:\WINDOWS\SysWOW64\dssec.dat
2018-07-13 15:54 - 2018-07-13 15:53 - 000215943 _____ C:\WINDOWS\system32\dssec.dat
2018-07-13 15:54 - 2018-07-13 15:53 - 000208384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msclmd.dll
2018-07-13 15:54 - 2018-07-13 15:53 - 000017635 _____ C:\WINDOWS\system32\Drivers\etc\services
2018-07-13 15:54 - 2018-07-13 15:53 - 000017346 _____ C:\WINDOWS\system32\OEMDefaultAssociations.xml
2018-07-13 15:54 - 2018-07-13 15:53 - 000003683 _____ C:\WINDOWS\system32\Drivers\etc\lmhosts.sam
2018-07-13 15:54 - 2018-07-13 15:53 - 000001358 _____ C:\WINDOWS\system32\Drivers\etc\protocol
2018-07-13 15:54 - 2018-07-13 15:53 - 000000858 _____ C:\WINDOWS\system32\DefaultQuestions.json
2018-07-13 15:54 - 2018-07-13 15:53 - 000000741 _____ C:\WINDOWS\SysWOW64\NOISE.DAT
2018-07-13 15:54 - 2018-07-13 15:53 - 000000741 _____ C:\WINDOWS\system32\NOISE.DAT
2018-07-13 15:54 - 2018-07-13 15:53 - 000000407 _____ C:\WINDOWS\system32\Drivers\etc\networks
2018-07-13 15:54 - 2018-07-13 15:53 - 000000219 _____ C:\WINDOWS\system.ini
2018-07-13 15:54 - 2018-07-13 15:53 - 000000092 _____ C:\WINDOWS\win.ini
2018-07-13 15:54 - 2018-07-13 15:53 - 000000000 ___RD C:\WINDOWS\PrintDialog
2018-07-13 15:54 - 2018-07-13 15:53 - 000000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2018-07-13 15:54 - 2018-07-13 15:52 - 000000000 ____D C:\WINDOWS\system32\config\RegBack
2018-07-13 15:54 - 2018-07-13 14:25 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2018-07-13 15:54 - 2017-01-09 09:59 - 000103936 _____ (Khronos Group) C:\WINDOWS\SysWOW64\opencl.dll
2018-07-13 15:53 - 2018-07-16 20:12 - 000000000 ____D C:\WINDOWS\INF
2018-07-13 15:53 - 2018-07-13 15:53 - 000000000 ____H C:\WINDOWS\system32\Drivers\Msft_Kernel_TrueColor_01011.Wdf
2018-07-13 15:53 - 2018-07-13 15:53 - 000000000 ____H C:\WINDOWS\system32\Drivers\Msft_Kernel_SurfacePenDriver_01011.Wdf
2018-07-13 15:53 - 2018-07-13 15:53 - 000000000 ____H C:\ProgramData\DP45977C.lfl
2018-07-13 15:53 - 2018-07-13 15:53 - 000000000 ____D C:\WINDOWS\SysWOW64\TrueColor5.2
2018-07-13 15:53 - 2018-07-13 15:53 - 000000000 ____D C:\WINDOWS\system32\TrueColor5.2
2018-07-13 15:53 - 2017-01-09 09:59 - 000099848 _____ (Khronos Group) C:\WINDOWS\system32\OpenCL.DLL
2018-07-13 15:52 - 2018-07-16 20:06 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2018-07-13 15:52 - 2018-07-16 20:06 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2018-07-13 15:52 - 2018-07-16 17:05 - 000428944 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2018-07-13 15:52 - 2018-07-15 07:06 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2018-07-13 15:52 - 2018-07-13 15:52 - 000000000 ____H C:\WINDOWS\system32\Drivers\Msft_Kernel_TeeDriverx64_01011.Wdf
2018-07-13 15:52 - 2018-07-13 15:52 - 000000000 ____D C:\WINDOWS\ServiceProfiles
2018-07-13 15:52 - 2018-07-13 15:52 - 000000000 ____D C:\Program Files\Intel
2018-07-13 15:52 - 2018-07-13 15:52 - 000000000 ____D C:\Intel
2018-07-13 15:52 - 2018-07-13 15:52 - 000000000 _____ C:\WINDOWS\system32\GfxValDisplayLog.bin
2018-07-13 15:50 - 2018-07-14 19:56 - 000000000 ____D C:\WINDOWS\CbsTemp
2018-07-13 15:49 - 2018-07-16 20:06 - 017301504 ____N C:\WINDOWS\system32\config\SYSTEM
2018-07-13 15:49 - 2018-07-16 19:14 - 017301504 _____ C:\WINDOWS\system32\config\HARDWARE
2018-07-13 15:49 - 2018-07-16 19:13 - 091226112 _____ C:\WINDOWS\system32\config\SOFTWARE
2018-07-13 15:49 - 2018-07-16 19:13 - 000786432 _____ C:\WINDOWS\system32\config\DEFAULT
2018-07-13 15:49 - 2018-07-16 19:13 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2018-07-13 15:49 - 2018-07-16 19:13 - 000065536 _____ C:\WINDOWS\system32\config\SAM
2018-07-13 15:49 - 2018-07-16 19:13 - 000032768 _____ C:\WINDOWS\system32\config\SECURITY
2018-07-13 15:49 - 2018-07-13 15:58 - 000000000 ____D C:\WINDOWS\servicing
2018-07-13 15:49 - 2018-07-13 15:54 - 000000000 ____D C:\WINDOWS\system32\SMI
2018-07-13 15:49 - 2018-07-13 15:52 - 000032768 _____ C:\WINDOWS\system32\config\ELAM
2018-07-13 15:48 - 2018-07-13 16:51 - 000000000 ___HD C:\$SysReset
2018-07-13 14:35 - 2018-07-13 14:35 - 000000000 ____D C:\Users\Will\AppData\Roaming\Skype
2018-07-13 14:33 - 2018-07-14 21:53 - 000002500 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk
2018-07-13 14:33 - 2018-07-14 21:53 - 000002499 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk
2018-07-13 14:33 - 2018-07-14 21:53 - 000002463 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access.lnk
2018-07-13 14:33 - 2018-07-14 21:53 - 000002462 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk
2018-07-13 14:33 - 2018-07-14 21:53 - 000002456 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook.lnk
2018-07-13 14:33 - 2018-07-14 21:53 - 000002450 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publisher.lnk
2018-07-13 14:33 - 2018-07-14 21:53 - 000002442 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk
2018-07-13 14:27 - 2018-07-13 14:27 - 000001146 _____ C:\Users\Public\Desktop\VLC media player.lnk
2018-07-13 14:27 - 2018-07-13 14:27 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2018-07-13 14:26 - 2018-07-13 14:26 - 000000000 ____D C:\Program Files (x86)\VideoLAN
2018-07-13 14:25 - 2018-07-14 21:52 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2018-07-13 14:25 - 2018-07-13 14:26 - 040184976 _____ C:\Users\Will\Downloads\vlc-3.0.3-win32.exe
2018-07-13 14:25 - 2018-07-13 14:25 - 000000000 ____D C:\Program Files\Microsoft Office 15
2018-07-13 14:24 - 2018-07-13 14:25 - 004751648 _____ (Microsoft Corporation) C:\Users\Will\Downloads\Setup.X86.en-US_O365HomePremRetail_0bd9f247-dd3d-48ab-94ed-3de235fdf69e_TX_PR_.exe
2018-07-13 14:22 - 2018-07-13 14:22 - 000002276 _____ C:\Users\Will\Desktop\SERVER 1 INTERNAL.rdp
2018-07-13 14:21 - 2018-07-13 14:22 - 000000000 ____D C:\ProgramData\Packages
2018-07-13 14:21 - 2018-07-13 14:21 - 000002276 _____ C:\Users\Will\Downloads\SERVER 1 INTERNAL.rdp
2018-07-13 14:18 - 2018-07-13 14:18 - 000000000 ____D C:\Users\Will\AppData\Local\DBG
2018-07-13 14:12 - 2018-07-13 14:12 - 000002276 _____ C:\Users\Will\Downloads\PUBLIC SERVER 5.RDP
2018-07-13 14:10 - 2018-07-13 14:10 - 000000000 ____D C:\Users\Will\AppData\Roaming\Google
2018-07-13 14:08 - 2018-07-16 19:32 - 000002416 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-07-13 14:08 - 2018-07-16 19:32 - 000002369 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-07-13 14:08 - 2018-07-13 14:08 - 000000000 ____D C:\Users\Will\AppData\Local\Comms
2018-07-13 14:07 - 2018-07-13 14:16 - 000000000 ____D C:\Users\Will\AppData\Local\Google
2018-07-13 14:07 - 2018-07-13 14:08 - 000000000 ____D C:\Program Files (x86)\Google
2018-07-13 14:07 - 2018-07-13 14:07 - 000003418 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2018-07-13 14:07 - 2018-07-13 14:07 - 000003294 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2018-07-13 14:06 - 2018-07-13 14:06 - 000000000 ___HD C:\Users\Will\MicrosoftEdgeBackups
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)

==================== Files in the root of some directories =======
2018-07-16 19:00 - 2018-07-16 18:22 - 000400896 _____ () C:\Users\Will\AppData\Local\Trekked.exe
Some files in TEMP:
====================
2018-07-15 21:53 - 2018-07-15 21:53 - 017510684 _____ () C:\Users\Will\AppData\Local\Temp\setup.dll
==================== Bamital & volsnap ======================
(There is no automatic fix for files that do not pass verification.)
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\WINDOWS\system32\drivers\nickorux.sys -> Access Denied <======= ATTENTION
LastRegBack: 2018-07-13 15:52
==================== End of FRST.txt ============================

Addition

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15.07.2018
Ran by Will (16-07-2018 20:15:37)
Running from C:\Users\Will\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads
Windows 10 Pro Version 1803 17134.112 (X64) (2018-07-13 20:55:38)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================
Administrator (S-1-5-21-3033074897-1585976014-732848827-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3033074897-1585976014-732848827-503 - Limited - Disabled)
Guest (S-1-5-21-3033074897-1585976014-732848827-501 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-3033074897-1585976014-732848827-504 - Limited - Disabled)
Will (S-1-5-21-3033074897-1585976014-732848827-1001 - Administrator - Enabled) => C:\Users\Will
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Malwarebytes (Disabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Disabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
µTorrent (HKU\S-1-5-21-3033074897-1585976014-732848827-1001\...\uTorrent) (Version: 3.5.4.44498 - BitTorrent Inc.)
7-Zip 18.05 (x64) (HKLM\...\7-Zip) (Version: 18.05 - Igor Pavlov)
AnonymizerGadget (HKU\S-1-5-21-3033074897-1585976014-732848827-1001\...\AnonymizerGadget) (Version: 1 - Jetico lim) <==== ATTENTION
FileASSASSIN (HKLM-x32\...\FileASSASSIN) (Version: 1.06 - Malwarebytes)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 67.0.3396.99 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.17 - Google Inc.) Hidden
Impaq Speed (HKU\S-1-5-21-3033074897-1585976014-732848827-1001\...\{5b0c3e0d-0e9b-4ebd-a5de-222a48f16015}) (Version: 0.0.0.0 - Melasys LLC) Hidden
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version:  - )
LeaderTask version v2 (HKLM-x32\...\{B4DBF7E4-3DBD-4618-84B9-91A845BA3427}_is1) (Version: v2 - Organizer LeaderTask, LLC)
LockHunter 3.2, 32/64 bit (HKLM\...\LockHunter_is1) (Version:  - Crystal Rich Ltd)
Malwarebytes version 3.5.1.2522 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.5.1.2522 - Malwarebytes)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.10228.20080 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-3033074897-1585976014-732848827-1001\...\OneDriveSetup.exe) (Version: 18.111.0603.0006 - Microsoft Corporation)
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.10228.20080 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.10228.20080 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.10228.20080 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.10228.20080 - Microsoft Corporation) Hidden
VLC media player (HKLM-x32\...\VLC media player) (Version: 3.0.3 - VideoLAN)
==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2018-04-30] (Igor Pavlov)
ContextMenuHandlers1: [LockHunterShellExt] -> {0BB27CDA-7029-4C0E-9C56-D922B229F0EB} => C:\Program Files\LockHunter\LHShellExt64.dll [2017-07-20] (Crystal Rich Ltd)
ContextMenuHandlers2: [LockHunterShellExt] -> {0BB27CDA-7029-4C0E-9C56-D922B229F0EB} => C:\Program Files\LockHunter\LHShellExt64.dll [2017-07-20] (Crystal Rich Ltd)
ContextMenuHandlers3-x32: [FAExt] -> {05672D66-9736-42F5-8BEB-FA1DD3CA51C4} => C:\Program Files (x86)\FileASSASSIN\FileASSASSINExt.dll [2007-03-30] (Malwarebytes)
ContextMenuHandlers3-x32: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-05-09] (Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2018-04-30] (Igor Pavlov)
ContextMenuHandlers4: [LockHunterShellExt] -> {0BB27CDA-7029-4C0E-9C56-D922B229F0EB} => C:\Program Files\LockHunter\LHShellExt64.dll [2017-07-20] (Crystal Rich Ltd)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2018-04-30] (Igor Pavlov)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-05-09] (Malwarebytes)
==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {05F652A5-07AA-470C-A436-E411DC9298ED} - System32\Tasks\unbelievablyunbelievably => C:\Program Files (x86)\Perceive\Trekked.exe
Task: {0D2C5C78-268C-4114-ACF2-A397FE75FB37} - System32\Tasks\trad_uneventfully => C:\Users\Will\AppData\Local\Mailer.exe
Task: {107C922A-2F19-4416-9E31-5687E3BBD0EB} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MpCmdRun.exe [2018-07-15] (Microsoft Corporation)
Task: {10A256ED-6A9E-4270-90A9-84CEEE2D29CF} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MpCmdRun.exe [2018-07-15] (Microsoft Corporation)
Task: {1385F356-522D-421A-809B-3871B7125039} - System32\Tasks\macon => C:\Program Files (x86)\Borgman\rabelais.exe
Task: {16B3A8DB-E572-44D6-9E54-0BF2F28E5B8B} - System32\Tasks\sno originates => C:\Program Files (x86)\Byu\Mailer.exe
Task: {223E9AD8-305A-4278-A8D9-DAD85AE1A474} - System32\Tasks\undreamt_pleatsundreamt_pleats => C:\Program Files (x86)\Byu\Trekked.exe
Task: {25F2E040-EA66-40E4-9443-0C2747891E20} - System32\Tasks\unbelievably => C:\Program Files (x86)\Perceive\Trekked.exe
Task: {2EEC1584-F4AF-4276-AEE4-70B6C20EFFF1} - System32\Tasks\trad_uneventfullytrad_uneventfully => C:\Users\Will\AppData\Local\Mailer.exe
Task: {2F08AE9D-A7A3-409B-98AD-489E0F5799C6} - System32\Tasks\rumbling-betcha => C:\Program Files (x86)\inauthentic\Mailer.exe
Task: {412613BA-E125-43FE-9A9E-C3CEC274D17D} - System32\Tasks\Microsoft\Windows\HelloFace\FODCleanupTask => C:\WINDOWS\System32\WinBioPlugIns\FaceFodUninstaller.exe [2018-04-11] ()
Task: {4B1F39A1-0547-4DA9-A2E4-F806E8E86E44} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-06-20] (Microsoft Corporation)
Task: {51E80157-D77B-4E05-98F0-F9F9DD512F45} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-07-13] (Microsoft Corporation)
Task: {7619939D-5151-4FDC-B4A4-0BCD21982218} - System32\Tasks\undreamt_pleats => C:\Program Files (x86)\Byu\Trekked.exe
Task: {76E35ABB-6E77-4F8F-B7C1-B89669060CED} - System32\Tasks\MEETEETSE => C:\Program Files\MEETEETSE\MEETEETSE.exe
Task: {79C4B805-0AB5-4FBF-ACF0-2937D25BE741} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-06-20] (Microsoft Corporation)
Task: {87729AF9-E437-4B65-8BFD-1C672BCAD9A5} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [2016-01-11] (@ByELDI)
Task: {A5DD2319-E622-4C10-BBEE-CD0B668D2966} - System32\Tasks\sno originatessno originates => C:\Program Files (x86)\Byu\Mailer.exe
Task: {AC0B068C-85DF-412D-82B1-016F4C15BD59} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MpCmdRun.exe [2018-07-15] (Microsoft Corporation)
Task: {B3F5F740-22FC-409D-97ED-FB4C55C3233F} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MpCmdRun.exe [2018-07-15] (Microsoft Corporation)
Task: {B95BDAE9-071B-40C8-B408-32FF2D0C83CA} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-07-13] (Google Inc.)
Task: {BEEDDBA2-0D7C-4D38-80AB-C8795EC038D0} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-07-13] (Google Inc.)
Task: {D1E36035-CF39-4E92-B45F-6BE78BC5D341} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-07-13] (Microsoft Corporation)
Task: {D99E7506-098D-49C6-9D12-2625C2FA1E0A} - System32\Tasks\Microsoft\Office\OfficeOsfInstaller => C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\osfinstaller.exe [2018-07-13] (Microsoft Corporation)
Task: {DEFE6C05-8567-47CB-8ABC-72FA8CAFC421} - System32\Tasks\carvalhocarvalho => C:\Program Files (x86)\wattle\wattle.exe
Task: {E0321A30-149A-4968-A160-A83F1F72B9C5} - System32\Tasks\carvalho => C:\Program Files (x86)\wattle\wattle.exe
Task: {E2F8D7B9-CD63-4978-B209-B8CFDABD2B26} - System32\Tasks\maconmacon => C:\Program Files (x86)\Borgman\rabelais.exe
Task: {EADFD22F-B92A-4BD1-A481-99AB66239028} - System32\Tasks\AGProxyCheck => C:\Program [Argument = Files (x86)\AnonymizerGadget\AGService.exe /recove]
Task: {F1D8E6F4-6852-4015-85B1-48950FD635CE} - System32\Tasks\rumbling-betcharumbling-betcha => C:\Program Files (x86)\inauthentic\Mailer.exe
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\WINDOWS\Tasks\MEETEETSE.job => C:\Program Files\MEETEETSE\MEETEETSE.exe
==================== Shortcuts & WMI ========================
(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============
2018-04-11 18:34 - 2018-04-11 18:34 - 000491744 ____N () C:\Windows\System32\InputHost.dll
2018-04-11 18:34 - 2018-04-11 18:34 - 000472064 ____N () C:\Windows\ShellExperiences\TileControl.dll
2018-04-11 18:34 - 2018-04-11 18:34 - 002759168 ____N () C:\Windows\ShellComponents\TaskFlowUI.dll
2018-06-13 09:19 - 2018-06-08 03:56 - 002185216 ____N () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2018-07-13 16:24 - 2018-07-13 16:24 - 000086528 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2018-07-13 16:24 - 2018-07-13 16:24 - 000195072 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2018-07-13 16:24 - 2018-07-13 16:24 - 022374400 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2018-07-13 16:24 - 2018-07-13 16:24 - 002610176 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\skypert.dll
2018-07-16 18:28 - 2018-07-16 18:28 - 001234432 _____ () C:\WINDOWS\gijjfgepxydzniib.gij
==================== Alternate Data Streams (Whitelisted) =========
(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2018-07-13 15:54 - 2018-07-16 19:41 - 000000850 _____ C:\WINDOWS\system32\Drivers\etc\hosts

==================== Other Areas ============================
(Currently there is no automatic fix for this section.)
HKU\S-1-5-21-3033074897-1585976014-732848827-1001\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
Windows Firewall is enabled.
==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
FirewallRules: [{EB7DB594-2F3D-4288-AA2C-B11243364BC5}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{75FD5F64-CA99-4BE9-8694-3EE5455E26BF}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{AA0D0ABD-C2C2-4E28-AB52-3FF8B1CC03C4}] => (Allow) C:\Users\Will\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{F54EA1D4-1D09-4DD0-A60F-1C441B614FD5}] => (Allow) C:\Users\Will\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{43539B5A-53BC-4885-AFE7-4E2ED89A2D50}] => (Allow) C:\Program Files (x86)\Perceive\Trekked.exe
FirewallRules: [{CEAEBD72-B22B-4FD9-8A3B-58B83919A8BE}] => (Allow) C:\Program Files (x86)\Byu\Trekked.exe
FirewallRules: [{A1AE28A7-717C-4D31-83E3-6805BF9EB81E}] => (Allow) C:\Program Files (x86)\inauthentic\Mailer.exe
FirewallRules: [{D72BB64D-9B70-486C-AFD0-F750084D69C0}] => (Allow) C:\Program Files (x86)\Byu\Mailer.exe
==================== Restore Points =========================
ATTENTION: System Restore is disabled
==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================
Application errors:
==================
Error: (07/16/2018 08:06:38 PM) (Source: Software Protection Platform Service) (EventID: 1017) (User: )
Description: Installation of the Proof of Purchase failed. 0xC004E016
Partial Pkey=WFFWR
ACID=?
Detailed Error[?]
Error: (07/16/2018 07:24:28 PM) (Source: Software Protection Platform Service) (EventID: 1017) (User: )
Description: Installation of the Proof of Purchase failed. 0xC004E016
Partial Pkey=WFFWR
ACID=?
Detailed Error[?]
Error: (07/16/2018 07:16:03 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program WhatsNew.Store.exe version 6.13.1806.7001 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
Process ID: 180c
Start Time: 01d41d632b5535b1
Termination Time: 4294967295
Application Path: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe
Report Id: aa6e0f78-4e87-4436-8887-84256be6cdf2
Faulting package full name: Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe
Faulting package-relative application ID: App
Error: (07/16/2018 07:15:56 PM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-1JHIH6B$ via https://IFX-KeyId-c2ef641c329cb0a9f2eae04bfb10c99b89c34614.microsoftaik.azure.net/templates/Aik/scep failed:
GetCACaps
Method: GET(32ms)
Stage: GetCACaps
The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
Error: (07/16/2018 07:15:19 PM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-1JHIH6B$ via https://IFX-KeyId-c2ef641c329cb0a9f2eae04bfb10c99b89c34614.microsoftaik.azure.net/templates/Aik/scep failed:
GetCACaps
Method: GET(63ms)
Stage: GetCACaps
The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
Error: (07/16/2018 07:14:33 PM) (Source: Software Protection Platform Service) (EventID: 1017) (User: )
Description: Installation of the Proof of Purchase failed. 0xC004E016
Partial Pkey=WFFWR
ACID=?
Detailed Error[?]
Error: (07/16/2018 07:10:12 PM) (Source: Software Protection Platform Service) (EventID: 1017) (User: )
Description: Installation of the Proof of Purchase failed. 0xC004E016
Partial Pkey=WFFWR
ACID=?
Detailed Error[?]
Error: (07/16/2018 07:01:01 PM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-1JHIH6B$ via https://IFX-KeyId-c2ef641c329cb0a9f2eae04bfb10c99b89c34614.microsoftaik.azure.net/templates/Aik/scep failed:
GetCACaps
Method: GET(47ms)
Stage: GetCACaps
The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)

System errors:
=============
Error: (07/16/2018 08:15:01 PM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-1JHIH6B)
Description: The server {9E175B6D-F52A-11D8-B9A5-505054503030} did not register with DCOM within the required timeout.
Error: (07/16/2018 08:13:14 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Error: (07/16/2018 08:13:00 PM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-1JHIH6B)
Description: The server {9E175B6D-F52A-11D8-B9A5-505054503030} did not register with DCOM within the required timeout.
Error: (07/16/2018 08:11:00 PM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-1JHIH6B)
Description: The server {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39} did not register with DCOM within the required timeout.
Error: (07/16/2018 08:09:00 PM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-1JHIH6B)
Description: The server {E48EDA45-43C6-48E0-9323-A7B2067D9CD5} did not register with DCOM within the required timeout.
Error: (07/16/2018 08:08:32 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
Windows.SecurityCenter.WscBrokerManager
 and APPID
Unavailable
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Error: (07/16/2018 08:08:03 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Error: (07/16/2018 08:06:57 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The N2NmZTUxMTFm service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Windows Defender:
===================================
Date: 2018-07-16 18:42:40.243
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Skeeyah.A!rfn&threatid=2147694182&enterprise=0
Name: Trojan:Win32/Skeeyah.A!rfn
ID: 2147694182
Severity: Severe
Category: Trojan
Path: chromeinstall:_HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GOOGLE CHROME;file:_C:\Program Files (x86)\Google\Chrome\Application\winhttp.dll
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Program Files (x86)\Google\Chrome\Application\chromeAnatomists.exe
Signature Version: AV: 1.271.1074.0, AS: 1.271.1074.0, NIS: 1.271.1074.0
Engine Version: AM: 1.1.15100.1, NIS: 1.1.15100.1
Date: 2018-07-16 18:38:54.261
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Skeeyah.A!rfn&threatid=2147694182&enterprise=0
Name: Trojan:Win32/Skeeyah.A!rfn
ID: 2147694182
Severity: Severe
Category: Trojan
Path: file:_C:\Program Files (x86)\Google\Chrome\Application\winhttp.dll
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Program Files (x86)\Google\Chrome\Application\chromeAnatomists.exe
Signature Version: AV: 1.271.1074.0, AS: 1.271.1074.0, NIS: 1.271.1074.0
Engine Version: AM: 1.1.15100.1, NIS: 1.1.15100.1
Date: 2018-07-16 18:38:06.444
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Occamy.C&threatid=2147726780&enterprise=0
Name: Trojan:Win32/Occamy.C
ID: 2147726780
Severity: Severe
Category: Trojan
Path: file:_C:\Users\Will\AppData\Local\Temp\1531784148\setup0904.exe;process:_pid:7896,ProcessStart:131762577968563691
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: System
Process Name: C:\Users\Will\AppData\Local\Temp\1531784148\setup0904.exe
Signature Version: AV: 1.271.1074.0, AS: 1.271.1074.0, NIS: 1.271.1074.0
Engine Version: AM: 1.1.15100.1, NIS: 1.1.15100.1
Date: 2018-07-16 18:36:54.284
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Fuerboos.C!cl&threatid=2147723654&enterprise=0
Name: Trojan:Win32/Fuerboos.C!cl
ID: 2147723654
Severity: Severe
Category: Trojan
Path: file:_C:\Users\Will\AppData\Local\Temp\4870531\ic-0.491de87dc5455.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Users\Will\AppData\Local\Temp\nsw33BB.tmp\cpSetup.exe
Signature Version: AV: 1.271.1074.0, AS: 1.271.1074.0, NIS: 0.0.0.0
Engine Version: AM: 1.1.15100.1, NIS: 0.0.0.0
Date: 2018-07-16 18:35:42.562
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Fuerboos.C!cl&threatid=2147723654&enterprise=0
Name: Trojan:Win32/Fuerboos.C!cl
ID: 2147723654
Severity: Severe
Category: Trojan
Path: file:_C:\Users\Will\AppData\Local\Temp\4870531\ic-0.491de87dc5455.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Users\Will\AppData\Local\Temp\nsw33BB.tmp\cpSetup.exe
Signature Version: AV: 1.271.1074.0, AS: 1.271.1074.0, NIS: 1.271.1074.0
Engine Version: AM: 1.1.15100.1, NIS: 1.1.15100.1
CodeIntegrity:
===================================
Date: 2018-07-16 20:06:36.902
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\mbhxertsvc.exe that did not meet the Unchecked signing level requirements.
Date: 2018-07-16 20:06:36.888
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\mbhxertsvc.exe that did not meet the Unchecked signing level requirements.
Date: 2018-07-16 20:06:36.866
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\mbhxertsvc.exe that did not meet the Unchecked signing level requirements.
Date: 2018-07-16 19:14:30.694
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\mbhxertsvc.exe that did not meet the Unchecked signing level requirements.
Date: 2018-07-16 19:14:30.597
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\mbhxertsvc.exe that did not meet the Unchecked signing level requirements.
Date: 2018-07-16 19:14:30.459
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\mbhxertsvc.exe that did not meet the Unchecked signing level requirements.
Date: 2018-07-16 19:00:11.120
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\mbhxertsvc.exe that did not meet the Unchecked signing level requirements.
Date: 2018-07-16 19:00:11.087
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\mbhxertsvc.exe that did not meet the Unchecked signing level requirements.
==================== Memory info ===========================
Processor: Intel® Core™ i5-4300U CPU @ 1.90GHz
Percentage of memory in use: 68%
Total physical RAM: 4001.06 MB
Available physical RAM: 1269.02 MB
Total Virtual: 5409.06 MB
Available Virtual: 2545.06 MB
==================== Drives ================================
Drive c: (Windows) (Fixed) (Total:112.38 GB) (Free:89.68 GB) NTFS
\\?\Volume{3b15d0a2-b1dc-413b-9e43-5ee8ee1a937f}\ (Windows RE tools) (Fixed) (Total:0.34 GB) (Free:0.08 GB) NTFS
\\?\Volume{8c2c8672-f5f1-464f-95da-150911f9ead0}\ () (Fixed) (Total:0.83 GB) (Free:0.45 GB) NTFS
\\?\Volume{ed380435-0698-43fd-80a0-80567e8b5641}\ () (Fixed) (Total:0 GB) (Free:0 GB)
\\?\Volume{d607f336-bd96-4b4c-bb90-f9e480f275f7}\ (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.17 GB) FAT32
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 119.2 GB) (Disk ID: BBDF435A)
Partition: GPT.
==================== End of Addition.txt ============================
GMER 1 (this is what appeared after I first opened the program)
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2018-07-16 20:35:03
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000033 SAMSUNG_MZMTE128HMGR-000MV rev.EXT41M0Q 119.24GB
Running: m4wbfncy (1).exe; Driver: C:\Users\Will\AppData\Local\Temp\awndraod.sys

---- Disk sectors - GMER 2.2 ----
Disk     \Device\Harddisk0\DR0                                                                                                                  unknown MBR code
---- Threads - GMER 2.2 ----
Thread   C:\WINDOWS\system32\csrss.exe [708:780]                                                                                                ffffdd69899a6840
---- Processes - GMER 2.2 ----
Library  C:\Users\Will\AppData\Local\sbetzlv\sbetzlv.exe (*** suspicious ***) @ C:\Users\Will\AppData\Local\sbetzlv\sbetzlv.exe [7548]          0000000000ce0000
Library  C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe (*** suspicious ***) @ C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe [5336]          0000000000d40000
Library  C:\Users\Will\AppData\Local\sbetzlv\libcef.dll (*** suspicious ***) @ C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe [5336]           0000000066990000
Library  C:\Users\Will\AppData\Local\sbetzlv\chrome_elf.dll (*** suspicious ***) @ C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe [5336]       000000006b7e0000
Library  C:\Users\Will\AppData\Local\sbetzlv\ipc_service.dll (*** suspicious ***) @ C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe [5336]      000000006b6d0000
Library  C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe (*** suspicious ***) @ C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe [12256]         0000000000d40000
Library  C:\Users\Will\AppData\Local\sbetzlv\libcef.dll (*** suspicious ***) @ C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe [12256]          0000000066990000
Library  C:\Users\Will\AppData\Local\sbetzlv\ipc_service.dll (*** suspicious ***) @ C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe [12256]     000000006b6d0000
Library  C:\Users\Will\AppData\Local\sbetzlv\chrome_elf.dll (*** suspicious ***) @ C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe [12256]      000000006b7e0000
Library  C:\Users\Will\AppData\Local\sbetzlv\D3DCompiler_47.dll (*** suspicious ***) @ C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe [12256]  0000000065d00000
Library  C:\Users\Will\AppData\Local\sbetzlv\libglesv2.dll (*** suspicious ***) @ C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe [12256]       0000000065ae0000
Library  C:\Users\Will\AppData\Local\sbetzlv\libegl.dll (*** suspicious ***) @ C:\Users\Will\AppData\Local\sbetzlv\cwanrgv.exe [12256]          0000000065a90000
---- EOF - GMER 2.2 ----
GMER 2 (what appeared after I pressed the scan button)
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2018-07-16 20:43:58
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000033 SAMSUNG_MZMTE128HMGR-000MV rev.EXT41M0Q 119.24GB
Running: m4wbfncy (1).exe; Driver: C:\Users\Will\AppData\Local\Temp\awndraod.sys

---- Kernel code sections - GMER 2.2 ----
.text  C:\WINDOWS\system32\hal.dll!HalAdjustResourceList + 723                                   fffff80081622393 2 bytes [00, EE]
---- User code sections - GMER 2.2 ----
?      C:\WINDOWS\SYSTEM32\iertutil.dll [8196] entry point in ".rdata" section                   0000000070bba200
?      C:\WINDOWS\SYSTEM32\NTASN1.dll [8196] entry point in ".rdata" section                     0000000070648250
?      C:\WINDOWS\SYSTEM32\dbgcore.DLL [8196] entry point in ".rdata" section                    000000007044c5a0
?      C:\Windows\System32\OneCoreUAPCommonProxyStub.dll [8196] entry point in ".rdata" section  0000000070315ac0
?      C:\Windows\System32\WinTypes.dll [8196] entry point in ".rdata" section                   000000006fcd72b0
?      C:\WINDOWS\SYSTEM32\atlthunk.dll [8196] entry point in ".data" section                    000000006f8d6bb0
?      C:\WINDOWS\SYSTEM32\srpapi.dll [8196] entry point in ".rdata" section                     000000006c6d6400
?      C:\Windows\System32\OneCoreCommonProxyStub.dll [8196] entry point in ".rdata" section     000000006c75a490
?      C:\WINDOWS\SYSTEM32\dbgcore.DLL [7548] entry point in ".rdata" section                    000000007044c5a0
---- Disk sectors - GMER 2.2 ----
Disk   \Device\Harddisk0\DR0                                                                     unknown MBR code
---- EOF - GMER 2.2 ----
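The FRST output above already contains the evidence that matters: scheduled tasks with random names pointing at binaries FRST recorded no date or publisher for, the same task name registered twice (once as `macon`, once as `maconmacon`), the same `Mailer.exe`/`Trekked.exe` file names scheduled from several unrelated directories, the `AGProxyCheck` task whose unquoted path FRST split at the first space, and firewall Allow rules for exactly those targets. The script below is an added example (it is not part of the original post and not a FRST feature) that runs those checks over a handful of lines copied from the log above. The function names `parse` and `triage` and the heuristics themselves are this example's own choices, not anything FRST or Malwarebytes ship.

```python
"""Triage helper for FRST Addition.txt 'Task:' and 'FirewallRules:' lines.

Added example: not code from the original post, from FRST, or from Malwarebytes.
The heuristics encode the patterns visible in the log posted above.
"""
import ntpath
import re
from collections import defaultdict

# Sample input: lines copied from the FRST log in the post, plus three benign
# tasks (Windows Defender, Google Update, AutoPico) kept for contrast.
SAMPLE = r"""
Task: {05F652A5-07AA-470C-A436-E411DC9298ED} - System32\Tasks\unbelievablyunbelievably => C:\Program Files (x86)\Perceive\Trekked.exe
Task: {0D2C5C78-268C-4114-ACF2-A397FE75FB37} - System32\Tasks\trad_uneventfully => C:\Users\Will\AppData\Local\Mailer.exe
Task: {107C922A-2F19-4416-9E31-5687E3BBD0EB} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MpCmdRun.exe [2018-07-15] (Microsoft Corporation)
Task: {1385F356-522D-421A-809B-3871B7125039} - System32\Tasks\macon => C:\Program Files (x86)\Borgman\rabelais.exe
Task: {16B3A8DB-E572-44D6-9E54-0BF2F28E5B8B} - System32\Tasks\sno originates => C:\Program Files (x86)\Byu\Mailer.exe
Task: {223E9AD8-305A-4278-A8D9-DAD85AE1A474} - System32\Tasks\undreamt_pleatsundreamt_pleats => C:\Program Files (x86)\Byu\Trekked.exe
Task: {25F2E040-EA66-40E4-9443-0C2747891E20} - System32\Tasks\unbelievably => C:\Program Files (x86)\Perceive\Trekked.exe
Task: {2EEC1584-F4AF-4276-AEE4-70B6C20EFFF1} - System32\Tasks\trad_uneventfullytrad_uneventfully => C:\Users\Will\AppData\Local\Mailer.exe
Task: {2F08AE9D-A7A3-409B-98AD-489E0F5799C6} - System32\Tasks\rumbling-betcha => C:\Program Files (x86)\inauthentic\Mailer.exe
Task: {87729AF9-E437-4B65-8BFD-1C672BCAD9A5} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [2016-01-11] (@ByELDI)
Task: {B95BDAE9-071B-40C8-B408-32FF2D0C83CA} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-07-13] (Google Inc.)
Task: {E2F8D7B9-CD63-4978-B209-B8CFDABD2B26} - System32\Tasks\maconmacon => C:\Program Files (x86)\Borgman\rabelais.exe
Task: {EADFD22F-B92A-4BD1-A481-99AB66239028} - System32\Tasks\AGProxyCheck => C:\Program [Argument = Files (x86)\AnonymizerGadget\AGService.exe /recove]
FirewallRules: [{EB7DB594-2F3D-4288-AA2C-B11243364BC5}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{43539B5A-53BC-4885-AFE7-4E2ED89A2D50}] => (Allow) C:\Program Files (x86)\Perceive\Trekked.exe
FirewallRules: [{A1AE28A7-717C-4D31-83E3-6805BF9EB81E}] => (Allow) C:\Program Files (x86)\inauthentic\Mailer.exe
FirewallRules: [{D72BB64D-9B70-486C-AFD0-F750084D69C0}] => (Allow) C:\Program Files (x86)\Byu\Mailer.exe
"""

# FRST appends "[YYYY-MM-DD] (Publisher)" only when it could read the target file.
TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - System32\\Tasks\\(?P<name>.+?) => "
    r"(?P<target>.+?)(?: \[(?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\))?$"
)
FW_RE = re.compile(
    r"^FirewallRules: \[\{(?P<guid>[0-9A-Fa-f-]+)\}\] => \((?P<action>\w+)\) (?P<program>.+)$"
)


def parse(text):
    """Return (tasks, rules): one dict of regex groups per matching line."""
    tasks, rules = [], []
    for line in text.splitlines():
        line = line.strip()
        m = TASK_RE.match(line)
        if m:
            tasks.append(m.groupdict())
            continue
        m = FW_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return tasks, rules


def _norm(path):
    """Lower-case the path and drop the '[Argument = ...]' tail FRST prints
    when a task action was stored without quotes around a path with spaces."""
    return path.split(" [Argument =")[0].strip().lower()


def triage(text):
    """Return ({task name: [reasons]}, [firewall Allow programs for flagged targets])."""
    tasks, rules = parse(text)
    names = {t["name"] for t in tasks}
    dirs_by_basename = defaultdict(set)
    for t in tasks:
        tgt = _norm(t["target"])
        dirs_by_basename[ntpath.basename(tgt)].add(ntpath.dirname(tgt))

    reasons = defaultdict(list)
    for t in tasks:
        name, target = t["name"], t["target"]
        tgt = _norm(target)
        if t["date"] is None:
            reasons[name].append("no file date/publisher recorded for target")
        if "\\users\\" in tgt:
            reasons[name].append("target lives under a user profile")
        if "[Argument =" in target:
            reasons[name].append("unquoted path: FRST split it at the first space")
        half = len(name) // 2
        if len(name) % 2 == 0 and name[:half] == name[half:] and name[:half] in names:
            reasons[name].append("name is task %r doubled" % name[:half])
        if len(dirs_by_basename[ntpath.basename(tgt)]) > 1:
            reasons[name].append("same binary name scheduled from several directories")

    # Correlate: an Allow rule for a flagged task target is the C2/mailer path.
    flagged_targets = {_norm(t["target"]) for t in tasks if t["name"] in reasons}
    fw_hits = [r["program"] for r in rules
               if r["action"] == "Allow" and r["program"].lower() in flagged_targets]
    return dict(reasons), fw_hits


if __name__ == "__main__":
    found, hits = triage(SAMPLE)
    for task, why in sorted(found.items()):
        print(task, "->", "; ".join(why))
    print("firewall Allow rules for flagged targets:", hits)
```

Run it against a full Addition.txt by passing the file contents to `triage` instead of `SAMPLE`. Note what the checks do not catch: the `AutoPico Daily Restart` task passes every test because FRST recorded a date and a publisher string for it; these heuristics flag shape (missing metadata, doubled names, reused file names, unquoted paths), not intent, so a clean result is a reason to look closer at the remaining entries, not a clean bill of health.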
#2 williebuckets (Topic Starter)

Posted 18 July 2018 - 09:01 PM

Alright, I got a bit tired of waiting and just reinstalled Windows. No help needed anymore, thanks.