Computer Acting Strange After Clean Install & A Hardened Control Over It



#1 evilcatdogx


Posted 22 October 2018 - 05:26 AM

Hi guys,

 

I had a virus problem not too long back which was almost undetectable. It had been there for some time and when I eventually found & noticed its actual presence - it noticed me too. At that point, it went on an offensive against me and I pulled the plug. I ended up reinstalling at that time. (I was on Win10 but have since upgraded to Win8.1). :)

 

As you could imagine, I spent a good few weeks being careful in what was installed, and didn't let the family use the PC until I was sure I had full control.

I did the following things:

  • Installed Emsisoft Anti-Malware, after trying a few other AV suites.
  • Used the Windows Firewall and blocked most things in or out.
  • Disabled any service I didn't need or didn't know what it was for, as long as that didn't stop me doing what I needed.
  • Installed a backup suite, and made regular use of System Restore along the way.
  • Added a few hundred hosts to the hosts file to prevent access to certain sites.

 

There was always a feeling of "cleanliness" with no strange behaviours or processes running etc until a few weeks back.

At that time, I installed quite a few AV and malware scanners etc., and in the process found this site.

In the end, most of the tools reported nothing serious, however, there remains a feeling that this is not correct.

I did allow the family to use the PC again around that time, and it is possible they have once again tried to download and install hacked/cracked programs (which is what I believe created the problem originally).

But when I reviewed it, I could only see the apps I installed, or free programs etc.

 

I noticed a few specific issues, that seem to only occur at certain times, and then not again for a while.

  • Explorer.exe seems to have a few instances running, which I close, and it stays that way for a while until I check back and they are there again. I disabled the 'open in separate process' option, so there shouldn't be? One of these always seems to be utilising most of the CPU...
  • I have noticed copies of many Windows files, e.g. DLLs, EXEs etc., in the Windows folder with extra extensions, e.g. Explorer.Exe.Mui. Not sure if this is an issue.
  • There are some files in the Windows folder with no extension, but with a string of letters as the filename; when opened in Notepad they contain a short unintelligible string of characters.
  • I noticed a few messages in some of the scans I completed: HijackThis said I have DLL libraries being installed on Windows services or something like that... (sorry) it was a while ago. SUPERAntiSpyware flagged some files as unknown, which had user ratings of mostly bad; I deleted those at the time. (It seems they were from DRM removal software that one of the kids installed.) I would say this would have been the likely cause (and might still be one, as they installed about 6 of them on the same day), but the issues were present prior to this. I have left these installed for the time being as I am not sure if this will assist you guys?
  • My antimalware program is set to very strict controls; however, if one of the kids has clicked allow, this really doesn't help.
  • I noticed that some of the files removed by the antispyware were installed as part of the DRM removal programs, but also had the exact same filenames as some of the AV files. My thought is maybe they were trying to skirt the AV by replacing certain files?
  • I also noticed that there was a set of theming software installed, e.g. Windows Glass or custom themes. These things have been left also. (My son is definitely the culprit as he loves those types of things, despite his adamant denials.) Nevertheless, I explored each one, and while they seem to be from reputable places, there really is no way to be sure.

I would have simply used System Restore; however, it was disabled when I tried.

I have since enabled it again, and the old restore points were still present.

But all the signs point towards some type of infection, and after the original problem I had before this reinstall, I found the restore points had been tampered with.

 

So - I have decided to stop trying anything and everything in the hopes that someone infinitely smarter can help me out.

I also have a concern that perhaps the original issue has been lurking all along (perhaps on a hidden drive or the MBR or something like that which I don't understand).

 

Please help me out, and thanks in advance!

James

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 10.10.2018
Ran by EVILCATDOG (administrator) on BIGPC (22-10-2018 20:31:31)
Running from C:\Users\EVILCATDOG\Downloads
Loaded Profiles: EVILCATDOG (Available Profiles: EVILCATDOG)
Platform: Windows 8.1 Pro (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2service.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(CHENGDU YIWO Tech Development Co., Ltd) C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe
(Microsoft Corporation) C:\Windows\System32\snmptrap.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
() C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2guard.exe
(Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IDMan.exe
(Internet Download Manager, Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2start.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(WebMinds, Inc.) C:\Program Files\Duplicate Photo Cleaner\DuplicatePhotoCleaner.exe
(Microsoft Corporation) C:\Windows\Camera\Camera.exe
(Apple Inc.) C:\Program Files\iTunes\iTunes.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [163640 2017-08-13] (IvoSoft)
HKLM\...\Run: [Emsisoft Anti-Malware] => C:\Program Files\Emsisoft Anti-Malware\a2guard.exe [8888624 2018-10-19] (Emsisoft Ltd)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [301880 2018-08-23] (Apple Inc.)
HKLM-x32\...\Run: [UXTheme Launcher] => C:\Program Files (x86)\UXTheme Multi-Patcher\themeengine.exe [292756 2016-09-20] (Windows X)
HKLM\...\Policies\Explorer: [NoRecentDocsNetHood] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\...\Policies\Explorer: [NoInstrumentation] 1
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <==== ATTENTION
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Run: [IDMan] => C:\Program Files (x86)\Internet Download Manager\IDMan.exe [3966064 2018-09-28] (Tonec Inc.)
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Run: [UWT] => C:\Program Files (x86)\Ultimate Windows Tweaker 3.1.2.0\Ultimate Windows Tweaker 3.exe [598528 2014-06-28] (The Windows Club)
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [8893360 2018-09-21] (SUPERAntiSpyware)
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\system: [NoDispAppearancePage] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [NoPreviewPane] 1
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [NoTrayContextMenu] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [NoWinkeys] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [HideSCANetwork] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [HideSCAVolume] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\MountPoints2: {c1246252-b50c-11e8-8258-3085a99b99e6} - "F:\LaunchU3.exe" -a
AppInit_DLLs: C:\AEROGL~1\ModernFrame.dll => No File
Startup: C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TWC Program Blocker.lnk [2018-10-19]
ShortcutTarget: TWC Program Blocker.lnk -> C:\Users\EVILCATDOG\Downloads\Compressed\PROGBLOC\Program Blocker v1\TWC Program Blocker.exe (No File)
BootExecute: autocheck autochk *  
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{44480D7B-1892-484E-9CBC-82A54417C99A}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{44480D7B-1892-484E-9CBC-82A54417C99A}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = 
HKU\S-1-5-21-657599590-845682314-92439975-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.windowsxlive.net
HKU\S-1-5-21-657599590-845682314-92439975-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/en-au/?ocid=iehp
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll [2018-06-20] (Internet Download Manager, Tonec Inc.)
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll [2018-06-20] (Internet Download Manager, Tonec Inc.)
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll [2018-04-17] (Belarc, Inc.)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-09-11] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-09-11] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-09-11] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-09-11] (Microsoft Corporation)
 
FireFox:
========
FF HKU\S-1-5-21-657599590-845682314-92439975-1001\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\EVILCATDOG\AppData\Roaming\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Users\EVILCATDOG\AppData\Roaming\IDM\idmmzcc5 [2018-10-17] [Legacy] [not signed]
FF HKU\S-1-5-21-657599590-845682314-92439975-1001\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi
FF Extension: (IDM integration) - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi [2017-12-21] [Legacy]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2018-09-13] (Adobe Systems)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [No File]
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2018-09-13] (Adobe Systems)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com
CHR StartupUrls: Default -> "hxxps://www.google.com.au/?gfe_rd=cr&ei=XoOlVvg7rszyB7PYhMAJ&gws_rd=ssl"
CHR Profile: C:\Users\EVILCATDOG\AppData\Local\Google\Chrome\User Data\DEFAULT [2018-10-22]
CHR Extension: (AdGuard AdBlocker) - C:\Users\EVILCATDOG\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\bgnkhhnnamicmpeenaelnjfhikgbkllg [2018-10-17]
CHR Extension: (ColorZilla) - C:\Users\EVILCATDOG\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\bhlhnicpbhignbdhedgjhgdocnmhomnp [2018-10-17]
CHR Extension: (Adblock Plus) - C:\Users\EVILCATDOG\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2018-10-17]
CHR Extension: (Tampermonkey) - C:\Users\EVILCATDOG\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2018-10-17]
CHR Extension: (Copy All Urls) - C:\Users\EVILCATDOG\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\djdmadneanknadilpjiknlnanaolmbfk [2018-10-18]
CHR Extension: (Dark Reader) - C:\Users\EVILCATDOG\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\eimadpbcbfnmbkopoojfekhnkhdbieeh [2018-10-17]
CHR Extension: (AdBlock) - C:\Users\EVILCATDOG\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2018-10-17]
CHR Extension: (No Coin - Block miners on the web!) - C:\Users\EVILCATDOG\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\gojamcfopckidlocpkbelmpjcgmbgjcl [2018-10-17]
CHR Extension: (WhatFont) - C:\Users\EVILCATDOG\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\jabopobgcpjmedljpbcaablpmlmfcogm [2018-10-17]
CHR Extension: (The Great Suspender) - C:\Users\EVILCATDOG\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\klbibkeccnjlkjkiokjodocebajanakg [2018-10-17]
CHR Extension: (Chrome Ibis RED (Aero)) - C:\Users\EVILCATDOG\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\mdoiinnojnjojfklkbddmjlhghcncpan [2018-10-20]
CHR Extension: (LikePwner) - C:\Users\EVILCATDOG\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\olbblpoiaiamgladfgagkdodjiahlbbd [2018-10-17]
CHR Extension: (Data Saver) - C:\Users\EVILCATDOG\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\pfmgfdlgomnbgkofeojodiodmgpgmkac [2018-10-17]
CHR Extension: (Chrome Media Router) - C:\Users\EVILCATDOG\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-10-17]
CHR Profile: C:\Users\EVILCATDOG\AppData\Local\Google\Chrome\User Data\SYSTEM PROFILE [2018-10-17]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2018-09-28]
CHR HKLM-x32\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2018-09-28]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-01-31] (SUPERAntiSpyware.com)
R2 a2AntiMalware; C:\Program Files\Emsisoft Anti-Malware\a2service.exe [9446096 2018-10-19] (Emsisoft Ltd)
S4 AdobeUpdateService; C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe [818136 2018-09-13] (Adobe Inc.)
S4 AGMService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGMService.exe [2321384 2018-05-11] (Adobe Systems, Incorporated)
S4 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2128872 2018-05-11] (Adobe Systems, Incorporated)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [7962800 2018-02-22] (Microsoft Corporation)
R2 EaseUS Agent; C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe [40080 2018-08-14] (CHENGDU YIWO Tech Development Co., Ltd)
S4 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S4 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
S4 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-16] (Intel Corporation)
S2 UnsignedThemes; C:\Windows\unsignedthemes.exe [13824 2013-09-23] (The Within Network, LLC) [File not signed]
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-13] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-13] (Microsoft Corporation)
S2 Apple Mobile Device Service; "C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" [X]
R2 NVDisplay.ContainerLocalSystem; "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem" -r -p 30000
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 asstor64; C:\Windows\System32\drivers\asstor64.sys [84816 2014-01-27] (Asmedia Technology)
R3 dtsoftbus01; C:\Windows\System32\drivers\dtsoftbus01.sys [283064 2018-09-11] (Disc Soft Ltd)
R1 epp; C:\Program Files\Emsisoft Anti-Malware\epp.sys [142952 2018-05-17] (Emsisoft Ltd)
R0 eppdisk; C:\Windows\System32\drivers\eppdisk.sys [37064 2018-04-02] (Emsisoft Ltd)
R1 eppwfp; C:\Program Files\Emsisoft Anti-Malware\eppwfp.sys [106608 2018-10-04] (Emsisoft Ltd)
R0 EUBKMON; C:\Windows\System32\drivers\EUBKMON.sys [54216 2018-08-14] ()
R3 FocusriteUSB; C:\Windows\System32\drivers\FocusriteUSB.sys [87056 2018-01-09] (Focusrite Audio Engineering Ltd.)
R3 FocusriteUSBAudio; C:\Windows\system32\drivers\FocusriteUSBAudio.sys [45072 2018-01-09] (Focusrite Audio Engineering Ltd.)
R3 FocusriteUSBSwRoot; C:\Windows\System32\drivers\FocusriteUSBSwRoot.sys [88592 2018-01-09] (Focusrite Audio Engineering Ltd.)
R1 GUBootStartup; C:\Windows\System32\drivers\GUBootStartup.sys [28936 2018-09-11] (Glarysoft Ltd)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-16] (Intel Corporation)
S3 rspLLL; C:\Windows\System32\DRIVERS\rspLLL64.sys [26368 2015-07-13] (Resplendence Software Projects Sp.)
S3 rspMmFs; C:\Windows\System32\DRIVERS\rspMmFs64.sys [20224 2016-12-08] (Resplendence Software Projects Sp.)
S3 rspMon; C:\Windows\System32\DRIVERS\rspMon64.sys [27392 2016-12-08] (Resplendence Software Projects Sp.)
S3 rspRegMon; C:\Windows\System32\DRIVERS\rspRegMon64.sys [27392 2016-04-12] (Resplendence Software Projects Sp.)
S3 rspSanity; C:\Windows\System32\DRIVERS\rspSanity64.sys [31328 2012-10-29] (Resplendence Software Projects Sp.)
S3 rspWhySoSlow; C:\Windows\System32\DRIVERS\rspWhy64.sys [28928 2016-12-17] (Resplendence Software Projects Sp.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-23] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 teVirtualMIDI64; C:\Windows\system32\DRIVERS\teVirtualMIDI64.sys [41016 2015-07-12] (Tobias Erichsen)
R2 uxstyle; C:\Windows\system32\Drivers\uxstyle.sys [31440 2013-09-23] (The Within Network, LLC)
S3 VBoxNetAdp; C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys [213080 2018-08-14] (Oracle Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [46600 2017-02-11] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [274776 2017-01-13] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [117592 2017-01-13] (Microsoft Corporation)
S4 NVHDA; \SystemRoot\system32\drivers\nvhda64v.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-10-22 20:31 - 2018-10-22 20:31 - 000020571 _____ C:\Users\EVILCATDOG\Downloads\FRST.txt
2018-10-22 20:30 - 2018-10-22 20:31 - 000000000 ____D C:\FRST
2018-10-22 20:29 - 2018-10-22 20:29 - 002414592 _____ (Farbar) C:\Users\EVILCATDOG\Downloads\FRST64.exe
2018-10-22 20:12 - 2018-10-22 20:12 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\Brice_Lambson
2018-10-21 23:49 - 2018-10-21 23:49 - 000003340 _____ C:\Users\EVILCATDOG\DESKTOP\quarantine.txt
2018-10-21 23:13 - 2018-10-21 23:13 - 000000000 ____D C:\SUPERDelete
2018-10-21 22:44 - 2018-10-21 22:44 - 000006530 _____ C:\Users\EVILCATDOG\AppData\Local\Temp20.html
2018-10-21 22:31 - 2018-10-21 22:31 - 000062448 _____ C:\Users\EVILCATDOG\DESKTOP\startuplist.txt
2018-10-21 21:30 - 2018-10-21 21:33 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\TunesKit Audio Converter
2018-10-21 21:30 - 2018-10-21 21:30 - 000001212 _____ C:\Users\EVILCATDOG\DESKTOP\TunesKit Audio Converter.lnk
2018-10-21 21:30 - 2018-10-21 21:30 - 000000775 _____ C:\Users\Public\DESKTOP\Duplicate Photo Cleaner.lnk
2018-10-21 21:30 - 2018-10-21 21:30 - 000000000 ____D C:\Users\EVILCATDOG\Documents\TunesKit Audio Converter
2018-10-21 21:30 - 2018-10-21 21:30 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\DuplicatePhotoCleaner
2018-10-21 21:30 - 2018-10-21 21:30 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TunesKit Audio Converter
2018-10-21 21:30 - 2018-10-21 21:30 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Duplicate Photo Cleaner
2018-10-21 21:30 - 2018-10-21 21:30 - 000000000 ____D C:\ProgramData\Duplicate Photo Cleaner
2018-10-21 21:30 - 2018-10-21 21:30 - 000000000 ____D C:\Program Files\Duplicate Photo Cleaner
2018-10-21 21:30 - 2018-10-21 21:30 - 000000000 ____D C:\Program Files (x86)\TunesKit Audio Converter
2018-10-21 21:29 - 2018-10-21 21:30 - 017203200 _____ (TunesKit, Inc. ) C:\Users\EVILCATDOG\Downloads\AudioConverter.exe
2018-10-21 21:27 - 2018-10-21 21:27 - 000001426 _____ C:\Users\EVILCATDOG\DESKTOP\TuneFab Apple Music Converter.lnk
2018-10-21 21:27 - 2018-10-21 21:27 - 000000000 ____D C:\Users\EVILCATDOG\TuneFab Apple Music Converter
2018-10-21 21:27 - 2018-10-21 21:27 - 000000000 ____D C:\Users\EVILCATDOG\TuneFab
2018-10-21 21:27 - 2018-10-21 21:27 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\PROGRAMS\TuneFab
2018-10-21 21:27 - 2018-10-21 21:27 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\TuneFab
2018-10-21 21:24 - 2018-10-21 21:26 - 023182080 _____ (TuneFab, Inc. ) C:\Users\EVILCATDOG\Downloads\apple-music-converter.exe
2018-10-21 20:56 - 2018-10-21 21:28 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\Sidify Apple Music Converter
2018-10-21 20:56 - 2018-10-21 20:56 - 000002498 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidify Apple Music Converter.lnk
2018-10-21 20:56 - 2018-10-21 20:56 - 000002486 _____ C:\Users\Public\DESKTOP\Sidify Apple Music Converter.lnk
2018-10-21 20:56 - 2018-10-21 20:56 - 000000000 ____D C:\Users\EVILCATDOG\Documents\Sidify Apple Music Converter
2018-10-21 20:56 - 2018-10-21 20:56 - 000000000 ____D C:\Program Files (x86)\Sidify Apple Music Converter
2018-10-21 20:34 - 2018-10-21 20:34 - 027577704 _____ (WebMinds, Inc. ) C:\Users\EVILCATDOG\Downloads\duplicatephotocleanersetup.exe
2018-10-21 20:05 - 2018-10-21 20:12 - 069688104 _____ (Sidify) C:\Users\EVILCATDOG\Downloads\sidify-amc.exe
2018-10-21 02:38 - 2018-10-21 02:38 - 000000000 ____D C:\Program Files (x86)\NoteBurner iTunes DRM Audio Converter
2018-10-21 02:35 - 2018-10-21 02:38 - 069638256 _____ (Noteburner) C:\Users\EVILCATDOG\Downloads\noteburner-itunes-drm-audio-converter.exe
2018-10-21 02:35 - 2018-10-21 02:35 - 000001471 _____ C:\Users\EVILCATDOG\DESKTOP\NoteBurner M4V Converter Plus.lnk
2018-10-21 02:34 - 2018-10-21 02:34 - 000001407 _____ C:\Users\EVILCATDOG\DESKTOP\Ondesoft iTunes Converter.lnk
2018-10-21 02:34 - 2018-10-21 02:34 - 000000000 ____D C:\Users\EVILCATDOG\Ondesoft iTunes Converter
2018-10-21 02:34 - 2018-10-21 02:34 - 000000000 ____D C:\Users\EVILCATDOG\Ondesoft
2018-10-21 02:34 - 2018-10-21 02:34 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\PROGRAMS\Ondesoft
2018-10-21 02:34 - 2018-10-21 02:34 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\Ondesoft
2018-10-21 02:34 - 2018-10-21 02:34 - 000000000 ____D C:\Program Files (x86)\NoteBurner
2018-10-21 02:33 - 2018-10-21 02:34 - 014688920 _____ C:\Users\EVILCATDOG\Downloads\noteburner-m4v-converter-plus.exe
2018-10-21 01:09 - 2018-10-21 01:09 - 000001470 _____ C:\Users\EVILCATDOG\DESKTOP\Easy DRM Converter for Windows.lnk
2018-10-21 01:09 - 2018-10-21 01:09 - 000000000 ____D C:\Users\EVILCATDOG\Easy DRM Converter for Windows
2018-10-21 01:09 - 2018-10-21 01:09 - 000000000 ____D C:\Users\EVILCATDOG\AppleMacSoft
2018-10-21 01:09 - 2018-10-21 01:09 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\PROGRAMS\ApplemacSoft
2018-10-21 01:09 - 2018-10-21 01:09 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\ApplemacSoft
2018-10-21 01:07 - 2018-10-21 01:09 - 023268544 _____ (ApplemacSoft, Inc. ) C:\Users\EVILCATDOG\Downloads\EasyDRMConverter (1).exe
2018-10-21 00:45 - 2018-10-21 00:45 - 000001481 _____ C:\Users\EVILCATDOG\DESKTOP\HD Video Converter Factory Pro.lnk
2018-10-20 20:08 - 2018-10-20 20:08 - 000973980 _____ C:\Users\EVILCATDOG\GHOST.pdn
2018-10-20 19:55 - 2018-10-20 19:55 - 000643754 _____ C:\Users\EVILCATDOG\LOSDT.pdn
2018-10-20 17:54 - 2018-10-20 17:54 - 001247056 _____ C:\Users\EVILCATDOG\LOST.pdn
2018-10-20 09:48 - 2018-10-21 00:45 - 000000000 ____D C:\Users\EVILCATDOG\Documents\WonderFox Soft
2018-10-20 09:47 - 2018-10-21 00:45 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\PROGRAMS\WonderFox Soft
2018-10-20 09:47 - 2018-10-21 00:45 - 000000000 ____D C:\Program Files (x86)\WonderFox Soft
2018-10-20 09:47 - 2018-10-20 09:47 - 000001438 _____ C:\Users\EVILCATDOG\DESKTOP\HD Video Converter Factory.lnk
2018-10-20 09:44 - 2018-10-20 09:47 - 079723936 _____ (WonderFox Soft, Inc.) C:\Users\EVILCATDOG\Downloads\hd-video-converter.exe
2018-10-20 09:43 - 2018-10-20 09:43 - 023268544 _____ (ApplemacSoft, Inc. ) C:\Users\EVILCATDOG\Downloads\EasyDRMConverter.exe
2018-10-20 09:38 - 2018-10-20 09:38 - 022089728 _____ (Ondesoft, Inc. ) C:\Users\EVILCATDOG\Downloads\oditunesconverter.exe
2018-10-20 02:08 - 2018-10-20 02:08 - 000001165 _____ C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\PROGRAMS\Emsisoft Anti-Malware Guard.lnk
2018-10-19 14:57 - 2018-10-19 14:57 - 000000000 ____D C:\Users\EVILCATDOG\Documents\Celemony
2018-10-19 14:53 - 2018-10-19 15:01 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\Celemony Software GmbH
2018-10-19 14:53 - 2018-10-19 14:53 - 000000000 ____D C:\ProgramData\Celemony Software GmbH
2018-10-19 14:52 - 2018-10-19 14:52 - 000001219 _____ C:\Users\EVILCATDOG\DESKTOP\Melodyne 4 (x86).lnk
2018-10-19 14:52 - 2018-10-19 14:52 - 000001028 _____ C:\Users\EVILCATDOG\DESKTOP\Melodyne 4 (x64).lnk
2018-10-19 14:52 - 2018-10-19 14:52 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Celemony
2018-10-19 14:52 - 2018-10-19 14:52 - 000000000 ____D C:\Program Files\Common Files\Celemony
2018-10-19 14:52 - 2018-10-19 14:52 - 000000000 ____D C:\Program Files\Celemony
2018-10-19 14:52 - 2018-10-19 14:52 - 000000000 ____D C:\Program Files (x86)\Celemony
2018-10-19 13:29 - 2018-10-19 13:29 - 000041810 _____ C:\Users\EVILCATDOG\Downloads\ABBA_-_The_Winner_Take_It_All.mid
2018-10-19 12:14 - 2018-10-19 12:14 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\{ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ}
2018-10-19 12:12 - 2018-10-19 12:13 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\[REMOTE CONNECTIONS]
2018-10-19 11:24 - 2018-10-19 11:24 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\[AUDIO & MEDIA PLAYBACK]
2018-10-19 11:16 - 2018-10-19 11:45 - 000000000 ____D C:\Users\EVILCATDOG\Documents\MY HTML PROJECTS
2018-10-19 11:09 - 2018-10-19 11:10 - 000001786 _____ C:\RestorePoint.vbs
2018-10-19 10:59 - 2018-10-19 10:59 - 000001949 _____ C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\Ultimate Windows Tweaker 3.exe - Shortcut.lnk
2018-10-19 10:54 - 2018-10-19 10:54 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\PROGRAMS\BetaBugs
2018-10-19 10:54 - 2018-10-19 10:54 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BetaBugs
2018-10-19 05:59 - 2018-10-21 21:37 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\NoteBurner iTunes DRM Audio Converter
2018-10-19 05:59 - 2018-10-19 05:59 - 000000000 ____D C:\Users\EVILCATDOG\Documents\NoteBurner iTunes DRM Audio Converter
2018-10-18 19:56 - 2018-10-21 02:38 - 000002650 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NoteBurner iTunes DRM Audio Converter.lnk
2018-10-18 19:56 - 2018-10-21 02:38 - 000002638 _____ C:\Users\Public\DESKTOP\NoteBurner iTunes DRM Audio Converter.lnk
2018-10-17 16:11 - 2018-10-19 10:37 - 000000000 ____D C:\Users\EVILCATDOG\Documents\ALTEREGO VOICES
2018-10-17 06:10 - 2018-10-17 06:10 - 000000000 ____D C:\Program Files (x86)\UXTheme Multi-Patcher
2018-10-17 00:53 - 2018-10-17 01:20 - 000003092 _____ C:\Windows\System32\Tasks\Aero Glass
2018-10-17 00:52 - 2018-10-17 08:41 - 000000000 ____D C:\AeroGlass
2018-10-17 00:10 - 2018-10-17 00:10 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2018-10-17 00:09 - 2018-10-17 00:09 - 000000000 ____D C:\Program Files\Bonjour
2018-10-16 23:57 - 2018-10-17 00:06 - 269990216 _____ (Apple Inc.) C:\Users\EVILCATDOG\DESKTOP\ITUNES64SETUP.EXE
2018-10-16 22:25 - 2018-10-17 07:30 - 000000000 ____D C:\Users\EVILCATDOG\DESKTOP\DISPLAYRECEIPT_FILES
2018-10-16 22:25 - 2018-10-16 22:25 - 000026087 _____ C:\Users\EVILCATDOG\DESKTOP\DISPLAYRECEIPT.HTM
2018-10-16 21:42 - 2018-10-16 21:42 - 000211436 ____H C:\Windows\system32\mlfcache.dat
2018-10-16 14:36 - 2018-10-17 07:30 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\XFER
2018-10-16 14:31 - 2018-10-17 07:31 - 000000000 ____D C:\Users\EVILCATDOG\Documents\XFER
2018-10-16 13:49 - 2018-10-16 13:49 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sylenth1
2018-10-16 13:11 - 2018-10-21 20:59 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\AIMP
2018-10-16 13:10 - 2018-10-16 13:10 - 000000958 _____ C:\Users\Public\DESKTOP\AIMP.lnk
2018-10-16 13:10 - 2018-10-16 13:10 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AIMP
2018-10-16 13:10 - 2018-10-16 13:10 - 000000000 ____D C:\Program Files (x86)\AIMP
2018-10-16 12:41 - 2018-10-17 07:30 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\TAGTRAUM INDUSTRIES
2018-10-16 12:39 - 2018-10-16 12:39 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\beaTunes5
2018-10-16 12:38 - 2018-10-16 12:39 - 000000000 ____D C:\Program Files\beaTunes5
2018-10-16 11:56 - 2018-10-16 11:56 - 000000230 _____ C:\Users\EVILCATDOG\Documents\PICARD INSTR.TXT
2018-10-16 11:17 - 2018-10-19 11:23 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\MUSICBRAINZ
2018-10-16 11:17 - 2018-10-17 07:29 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\MUSICBRAINZ
2018-10-16 09:29 - 2018-10-16 09:29 - 000001027 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MusicBrainz Picard.lnk
2018-10-16 09:29 - 2018-10-16 09:29 - 000000000 ____D C:\Program Files\MusicBrainz Picard
2018-10-15 22:09 - 2018-10-21 21:48 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\MP3TAG
2018-10-15 19:56 - 2018-10-15 19:56 - 000001042 _____ C:\Users\Public\DESKTOP\Mp3tag.lnk
2018-10-15 19:56 - 2018-10-15 19:56 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mp3tag
2018-10-15 19:56 - 2018-10-15 19:56 - 000000000 ____D C:\Program Files (x86)\Mp3tag
2018-10-15 14:32 - 2018-10-15 14:32 - 000000237 _____ C:\Users\EVILCATDOG\Documents\TO DO.TXT
2018-10-15 14:28 - 2018-10-15 14:28 - 000001528 _____ C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\AUTORUNS64.EXE - SHORTCUT.LNK
2018-10-15 14:28 - 2018-10-15 14:28 - 000001499 _____ C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\TCPVIEW.EXE - SHORTCUT.LNK
2018-10-15 14:28 - 2018-10-15 14:28 - 000001499 _____ C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\PROCMON.EXE - SHORTCUT.LNK
2018-10-15 14:27 - 2018-10-15 14:28 - 000000000 ____D C:\Program Files\SYS INTERNALS
2018-10-15 13:06 - 2018-10-15 13:06 - 000001154 _____ C:\Users\EVILCATDOG\DESKTOP\FILEXILE.LNK
2018-10-15 13:06 - 2018-10-15 13:06 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\FilExile
2018-10-15 13:06 - 2018-10-15 13:06 - 000000000 ____D C:\Program Files (x86)\FilExile
2018-10-15 13:06 - 2017-02-05 20:55 - 000125952 _____ (FilExile) C:\Windows\SysWOW64\FilExileExt.dll
2018-10-15 13:06 - 2017-02-05 20:55 - 000069120 _____ (FilExile) C:\Windows\system32\FilExileExt.dll
2018-10-11 16:32 - 2018-10-11 16:32 - 000721616 _____ C:\Windows\is-2BVHI.exe
2018-10-11 16:32 - 2018-10-11 16:32 - 000011401 _____ C:\Windows\is-2BVHI.msg
2018-10-11 16:32 - 2018-10-11 16:32 - 000000352 _____ C:\Windows\is-2BVHI.lst
2018-10-11 16:32 - 2018-10-11 16:32 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Focusrite Audio Engineering Ltd
2018-10-11 16:32 - 2018-10-11 16:32 - 000000000 ____D C:\Program Files\FocusriteUSB
2018-10-11 16:32 - 2018-01-09 14:48 - 000088592 _____ (Focusrite Audio Engineering Ltd.) C:\Windows\system32\Drivers\FocusriteUSBSwRoot.sys
2018-10-11 16:32 - 2018-01-09 14:48 - 000087056 _____ (Focusrite Audio Engineering Ltd.) C:\Windows\system32\Drivers\FocusriteUSB.sys
2018-10-11 16:32 - 2018-01-09 14:48 - 000045072 _____ (Focusrite Audio Engineering Ltd.) C:\Windows\system32\Drivers\FocusriteUSBAudio.sys
2018-10-11 15:45 - 2018-10-16 18:38 - 001474934 _____ C:\Windows\ZAM_Guard.krnl.trace
2018-10-11 15:45 - 2018-10-11 16:25 - 000054989 _____ C:\Windows\ZAM.krnl.trace
2018-10-11 15:42 - 2018-10-17 07:30 - 000000000 ____D C:\Users\EVILCATDOG\DESKTOP\RKILL
2018-10-11 15:42 - 2018-10-11 15:42 - 000003776 _____ C:\Users\EVILCATDOG\DESKTOP\RKILL.TXT
2018-10-11 15:40 - 2018-10-21 21:48 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\CRASHDUMPS
2018-10-11 15:33 - 2018-10-11 15:33 - 000000000 ____D C:\ProgramData\HitmanPro
2018-10-11 15:33 - 2018-10-11 15:33 - 000000000 ____D C:\Program Files\HitmanPro
2018-10-11 15:27 - 2018-10-17 07:26 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\MBAM
2018-10-11 15:25 - 2018-10-17 07:26 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\MBAMTRAY
2018-10-11 15:25 - 2018-10-11 15:25 - 000001938 _____ C:\Users\Public\DESKTOP\Malwarebytes.lnk
2018-10-11 15:25 - 2018-10-11 15:25 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-10-11 15:25 - 2018-09-11 13:18 - 000152688 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae64.sys
2018-10-11 15:24 - 2018-10-11 15:24 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-10-11 15:24 - 2018-10-11 15:24 - 000000000 ____D C:\Program Files\Malwarebytes
2018-10-11 15:20 - 2018-10-11 15:32 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2018-10-11 15:19 - 2018-10-11 15:19 - 000000000 ____D C:\ProgramData\RogueKiller
2018-10-11 15:08 - 2018-10-11 15:08 - 000006529 _____ C:\Users\EVILCATDOG\AppData\Local\TEMP34.HTML
2018-10-11 14:58 - 2018-10-11 14:58 - 000000560 _____ C:\Users\EVILCATDOG\DESKTOP\JRT.TXT
2018-10-11 14:55 - 2018-10-17 07:30 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\ZEMANA
2018-10-11 14:54 - 2018-10-11 14:54 - 000000000 ____D C:\ProgramData\TEMP
2018-10-11 12:45 - 2018-10-17 07:30 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\VOXENGO
2018-10-11 11:51 - 2018-10-11 11:52 - 008192044 _____ C:\Users\EVILCATDOG\DESKTOP\UNTITLED2.WAV
2018-10-11 11:22 - 2018-10-11 11:22 - 046791724 _____ C:\Users\EVILCATDOG\DESKTOP\UNTITLED.WAV
2018-10-11 11:15 - 2018-10-11 11:15 - 036249644 _____ C:\Users\EVILCATDOG\DESKTOP\JIMMY STAY.WAV
2018-10-10 12:28 - 2018-10-10 12:28 - 000000000 ____D C:\Users\EVILCATDOG\Documents\BIGASOFT ITUNES VIDEO CONVERTER
2018-10-08 16:58 - 2018-10-08 16:58 - 000000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_11_00.Wdf
2018-10-07 04:02 - 2018-10-07 04:02 - 000005134 _____ C:\Users\EVILCATDOG\DESKTOP\DOWNLOAD (1).HTM
2018-10-06 17:17 - 2018-10-19 07:00 - 000000000 ____D C:\Users\EVILCATDOG\ZEBRA2.DATA
2018-10-06 17:16 - 2018-10-06 17:16 - 000000424 _____ C:\Users\EVILCATDOG\THIS PC - SHORTCUT.LNK
2018-10-06 17:05 - 2018-10-06 17:05 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Camel Audio
2018-10-06 17:05 - 2018-10-06 17:05 - 000000000 ____D C:\ProgramData\Camel Audio
2018-10-06 17:05 - 2018-10-06 17:05 - 000000000 ____D C:\Program Files\Camel Audio
2018-10-06 16:24 - 2018-10-06 16:58 - 000000000 ____D C:\ProgramData\Spectrasonics
2018-10-06 13:31 - 2018-10-17 07:26 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\ISOLATEDSTORAGE
2018-10-06 13:27 - 2018-10-06 13:27 - 000001497 _____ C:\Users\EVILCATDOG\DESKTOP\AUTORUNS.EXE - SHORTCUT.LNK
2018-10-06 13:20 - 2018-10-06 13:20 - 000002649 _____ C:\Users\Public\DESKTOP\Microsoft Research AutoCollage 2008.lnk
2018-10-06 13:20 - 2018-10-06 13:20 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Research AutoCollage 2008
2018-10-06 13:18 - 2018-10-06 13:18 - 000001581 _____ C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\FOLDER2MYPC.EXE - SHORTCUT.LNK
2018-10-06 13:18 - 2018-10-06 13:18 - 000000000 ____D C:\Program Files (x86)\Folder2MyPC
2018-10-06 13:16 - 2018-10-06 13:16 - 000001661 _____ C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\DAMN NFO VIEWER.EXE - SHORTCUT.LNK
2018-10-06 13:16 - 2018-10-06 13:16 - 000000000 ____D C:\Program Files (x86)\DAMN NFO Viewer
2018-10-06 13:12 - 2018-10-06 13:12 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Febooti fileTweak Case
2018-10-06 13:12 - 2018-10-06 13:12 - 000000000 ____D C:\Program Files\Febooti fileTweak Case
2018-10-06 13:10 - 2018-10-06 13:10 - 000002601 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SyncToy 2.1(x64).lnk
2018-10-06 13:10 - 2018-10-06 13:10 - 000000000 ____D C:\Program Files\SyncToy 2.1
2018-10-06 13:10 - 2018-10-06 13:10 - 000000000 ____D C:\Program Files\Microsoft Sync Framework
2018-10-06 13:09 - 2018-10-06 13:09 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Image Resizer for Windows
2018-10-06 13:09 - 2018-10-06 13:09 - 000000000 ____D C:\Program Files\Image Resizer for Windows
2018-10-06 13:09 - 2018-10-06 13:09 - 000000000 ____D C:\Program Files (x86)\Image Resizer for Windows
2018-10-06 08:25 - 2018-10-06 08:25 - 060545774 _____ C:\Users\EVILCATDOG\DESKTOP\16 ANOTHER BRICK IN THE WALL (1980)2.WAV
2018-10-06 04:32 - 2018-10-06 04:32 - 090818030 _____ C:\Users\EVILCATDOG\DESKTOP\16 ANOTHER BRICK IN THE WALL (1980).WAV
2018-10-06 03:54 - 2018-10-17 07:30 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\PROGRAMS\BIGASOFT
2018-10-06 03:54 - 2018-10-06 03:54 - 000000000 ____D C:\Program Files (x86)\Bigasoft
2018-10-06 03:14 - 2018-10-06 03:14 - 000000000 ____D C:\Users\EVILCATDOG\Documents\OUTLOOK FILES
2018-10-06 02:42 - 2018-10-06 02:42 - 016607276 _____ C:\Users\EVILCATDOG\DESKTOP\PINK FLOYD PART 1.WAV
2018-10-06 00:18 - 2018-10-21 22:00 - 000000000 ____D C:\Users\EVILCATDOG\Documents\SESSION DATA IZOTOPE RX6
2018-10-05 23:44 - 2018-10-19 12:11 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\[AUDIO PRODUCTION]
2018-10-05 09:56 - 2018-10-05 09:56 - 000000000 ____D C:\Program Files\Steinberg
2018-10-05 09:56 - 2018-10-05 09:56 - 000000000 ____D C:\Program Files (x86)\Steinberg
2018-10-05 08:49 - 2018-10-05 08:49 - 000000487 _____ C:\Users\EVILCATDOG\DESKTOP\IZOTOPE_NEUTRINO.IZOTOPELICENSE
2018-10-05 08:44 - 2018-10-21 00:25 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\IZOTOPE
2018-10-05 08:44 - 2018-10-17 07:31 - 000000000 ____D C:\Users\EVILCATDOG\Documents\IZOTOPE
2018-10-05 08:41 - 2018-10-06 17:10 - 000000000 ____D C:\Program Files (x86)\iZotope
2018-10-05 08:41 - 2018-10-05 13:05 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iZotope
2018-10-05 03:33 - 2018-10-17 07:30 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\WIZTREE3
2018-10-05 03:33 - 2018-10-05 03:33 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WizTree
2018-10-05 03:33 - 2018-10-05 03:33 - 000000000 ____D C:\Program Files\WizTree
2018-10-05 02:31 - 2018-10-19 05:49 - 003059910 _____ C:\Users\EVILCATDOG\Documents\album cover.pptx
2018-10-03 22:52 - 2018-10-03 22:55 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Voxengo
2018-10-03 22:52 - 2018-10-03 22:55 - 000000000 ____D C:\Program Files\Voxengo
2018-10-03 13:03 - 2018-10-03 13:04 - 020746490 _____ C:\Users\EVILCATDOG\DESKTOP\CINEMATIC ORCHESTRAL TRAILER - POP SONG [ANOTHER BRICK IN THE WALL].bleep
2018-10-03 03:31 - 2018-10-19 14:52 - 000000000 ____D C:\Program Files\Common Files\VST3
2018-10-03 03:31 - 2018-10-03 03:31 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HoRNet
2018-10-03 03:31 - 2018-10-03 03:31 - 000000000 ____D C:\Program Files\HoRNet
2018-10-02 20:41 - 2018-10-02 20:41 - 000000000 ____D C:\Program Files (x86)\neeviaPDF.com
2018-10-02 20:22 - 2018-10-17 07:30 - 000000000 ____D C:\Users\EVILCATDOG\DESKTOP\BANKRUPTCY FORMS
2018-09-28 20:31 - 2018-03-02 01:36 - 000226032 _____ (Tonec Inc.) C:\Windows\system32\Drivers\idmwfp.sys
2018-09-27 22:34 - 2018-09-27 22:34 - 000000000 ____D C:\ProgramData\Google
2018-09-27 20:32 - 2018-10-17 07:30 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\TEAMVIEWER
2018-09-27 17:33 - 2018-09-27 17:46 - 000001636 _____ C:\Users\EVILCATDOG\Documents\LOVE IS ALL AROUND.TXT
2018-09-27 15:13 - 2018-09-27 15:13 - 000000308 _____ C:\Users\EVILCATDOG\Documents\SONG.TXT
2018-09-27 01:32 - 2018-10-17 07:30 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\PLOGUE ART ET TECHNOLOGIE, INC
2018-09-27 01:32 - 2018-10-17 07:30 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\PLOGUE
2018-09-27 01:32 - 2018-09-27 01:32 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Plogue
2018-09-27 01:31 - 2018-09-27 01:31 - 000000000 ____D C:\Program Files\Plogue
2018-09-27 01:31 - 2018-09-27 01:31 - 000000000 ____D C:\Program Files\Common Files\Avid
2018-09-26 14:18 - 2018-10-17 07:31 - 000000000 ____D C:\Users\EVILCATDOG\Documents\JHUDSTUDIO
2018-09-26 09:17 - 2018-09-26 09:17 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\SPLICE
2018-09-26 09:09 - 2018-10-17 07:30 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\SQUIRRELTEMP
2018-09-24 05:07 - 2018-09-24 05:07 - 000001255 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\paint.net.lnk
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-10-22 20:28 - 2018-09-09 04:38 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\CLASSICSHELL
2018-10-22 20:21 - 2018-09-14 13:02 - 000000000 ____D C:\Program Files\Emsisoft Anti-Malware
2018-10-22 20:15 - 2018-09-09 01:00 - 000007694 _____ C:\Users\EVILCATDOG\AppData\Local\RESMON.RESMONCFG
2018-10-22 20:13 - 2018-09-08 20:52 - 000000000 ____D C:\Users\EVILCATDOG
2018-10-21 22:44 - 2018-09-16 05:55 - 000001293 _____ C:\Users\EVILCATDOG\AppData\Local\Temp1.html
2018-10-21 22:27 - 2018-09-08 20:52 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\VIRTUALSTORE
2018-10-21 22:00 - 2018-09-12 03:24 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\AUDACITY
2018-10-21 21:43 - 2018-09-12 02:48 - 000002238 ____H C:\Users\EVILCATDOG\Documents\DEFAULT.RDP
2018-10-21 20:18 - 2018-09-21 10:33 - 000000000 ____D C:\Users\EVILCATDOG\Documents\MY DOCS
2018-10-21 05:48 - 2014-11-21 19:43 - 000998084 _____ C:\Windows\system32\PerfStringBackup.INI
2018-10-21 05:48 - 2013-08-23 00:36 - 000000000 ____D C:\Windows\Inf
2018-10-21 02:46 - 2018-09-12 19:15 - 000003592 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-657599590-845682314-92439975-1001
2018-10-21 00:50 - 2018-09-16 08:11 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\DMCACHE
2018-10-20 02:58 - 2018-09-08 21:11 - 000000000 __RDO C:\Users\EVILCATDOG\ONEDRIVE
2018-10-20 02:52 - 2018-09-10 01:34 - 000000000 ____D C:\ProgramData\NVIDIA
2018-10-20 02:52 - 2013-08-23 01:45 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-10-20 02:27 - 2018-09-10 05:08 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\ElevatedDiagnostics
2018-10-20 02:06 - 2018-09-16 08:11 - 000000000 ____D C:\Program Files (x86)\Internet Download Manager
2018-10-19 16:58 - 2018-09-09 05:56 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\APPLE COMPUTER
2018-10-19 12:24 - 2018-09-11 01:34 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\[SYSTEM UTILITIES]
2018-10-19 12:14 - 2018-09-11 12:11 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\[PERSONALISATION]
2018-10-19 12:13 - 2018-09-21 10:41 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\[INTERNET & DOWNLOADING]
2018-10-19 12:13 - 2018-09-21 10:30 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\[VIEWERS & READERS]
2018-10-19 12:12 - 2018-09-11 01:34 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\[ANTI-MALWARE]
2018-10-19 12:07 - 2018-09-11 20:14 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\{PRODUCTIVITY}
2018-10-19 11:53 - 2018-09-15 13:37 - 000000000 ____D C:\Program Files\VstPlugins64
2018-10-19 11:39 - 2018-09-15 18:45 - 000000000 ___HD C:\Users\EVILCATDOG\Documents\NATIVE INSTRUMENTS
2018-10-19 11:39 - 2018-09-15 18:45 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\NATIVE INSTRUMENTS
2018-10-19 11:31 - 2018-09-15 18:07 - 000000000 ____D C:\Program Files\Native Instruments
2018-10-19 11:30 - 2018-09-15 18:07 - 000000000 ____D C:\Program Files\Common Files\Native Instruments
2018-10-19 10:55 - 2018-09-15 13:37 - 000000000 ____D C:\Program Files (x86)\VstPlugins32
2018-10-18 19:06 - 2018-09-16 08:11 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\IDM
2018-10-17 07:37 - 2018-09-10 04:53 - 000000000 ____D C:\Windows\Minidump
2018-10-17 07:36 - 2018-09-17 05:54 - 000000000 ____D C:\Users\Public\Documents\ADOBE
2018-10-17 07:36 - 2018-09-16 06:45 - 000000000 ____D C:\Users\Public\Documents\NI RESOURCES
2018-10-17 07:36 - 2018-09-11 15:20 - 000000000 ____D C:\Users\Public\Documents\STARDOCK
2018-10-17 07:36 - 2018-09-08 21:12 - 000000000 __RHD C:\Users\Public\ACCOUNTPICTURES
2018-10-17 07:36 - 2013-08-23 02:36 - 000000000 __RHD C:\Users\Public\LIBRARIES
2018-10-17 07:34 - 2018-09-21 10:42 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\[VPN]
2018-10-17 07:34 - 2018-09-21 10:42 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\[VIRTUAL DISKS]
2018-10-17 07:34 - 2018-09-16 05:54 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\{AUDIO & MUSIC PRODUCTION}
2018-10-17 07:34 - 2018-09-12 03:22 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\{SETTINGS & CONFIG FILES}
2018-10-17 07:34 - 2018-09-11 18:14 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\{PERSONALISATION}
2018-10-17 07:34 - 2018-09-11 18:13 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\[PROGRAMMING]
2018-10-17 07:34 - 2018-09-11 12:12 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\[VIRTUAL MACHINES]
2018-10-17 07:34 - 2018-09-11 03:08 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\{SYSTEM UTILITIES}
2018-10-17 07:34 - 2018-09-11 01:34 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\[PRODUCTIVITY]
2018-10-17 07:34 - 2018-09-09 02:03 - 000000000 ____D C:\Users\EVILCATDOG\INTEL
2018-10-17 07:33 - 2018-09-11 01:38 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\[MULTIMEDIA]
2018-10-17 07:33 - 2018-09-11 01:33 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\[FILE SYSTEM & HDD]
2018-10-17 07:33 - 2018-09-11 01:33 - 000000000 ____D C:\Users\EVILCATDOG\Downloads\[DRIVERS]
2018-10-17 07:31 - 2018-09-19 12:32 - 000000000 ____D C:\Users\EVILCATDOG\Documents\SOULSEEK DOWNLOADS
2018-10-17 07:31 - 2018-09-17 15:04 - 000000000 ____D C:\Users\EVILCATDOG\Documents\PAINT.NET USER FILES
2018-10-17 07:31 - 2018-09-16 06:05 - 000000000 ____D C:\Users\EVILCATDOG\Documents\WINDOWS SHORTCUTS
2018-10-17 07:31 - 2018-09-15 13:36 - 000000000 ___HD C:\Users\EVILCATDOG\Documents\IMAGE-LINE
2018-10-17 07:30 - 2018-09-20 05:36 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\ACD SYSTEMS
2018-10-17 07:30 - 2018-09-19 13:31 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\SOULSEEKQT
2018-10-17 07:30 - 2018-09-18 12:38 - 000000000 ____D C:\Users\EVILCATDOG\Documents\AUDACITY
2018-10-17 07:30 - 2018-09-18 03:21 - 000000000 ____D C:\Users\EVILCATDOG\CALIBRE LIBRARY
2018-10-17 07:30 - 2018-09-18 03:21 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\CALIBRE
2018-10-17 07:30 - 2018-09-17 09:50 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\MOBIRISE
2018-10-17 07:30 - 2018-09-17 06:09 - 000000000 ___RD C:\Users\EVILCATDOG\CREATIVE CLOUD FILES
2018-10-17 07:30 - 2018-09-17 06:09 - 000000000 ____D C:\Users\EVILCATDOG\AppData\LocalLow\ADOBE
2018-10-17 07:30 - 2018-09-16 08:11 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\PROGRAMS\INTERNET DOWNLOAD MANAGER
2018-10-17 07:30 - 2018-09-16 05:55 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\ANTI-MALWARE
2018-10-17 07:30 - 2018-09-15 16:32 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\NVIDIA
2018-10-17 07:30 - 2018-09-15 16:31 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\VALHALLA DSP, LLC
2018-10-17 07:30 - 2018-09-15 16:30 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\VALHALLAROOMPREFERENCES
2018-10-17 07:30 - 2018-09-15 16:30 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\VALHALLAROOM
2018-10-17 07:30 - 2018-09-15 16:29 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\FLUX
2018-10-17 07:30 - 2018-09-15 16:29 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\D16 GROUP
2018-10-17 07:30 - 2018-09-15 15:32 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\DIRECTAP
2018-10-17 07:30 - 2018-09-15 13:51 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\TAKEOWNERSHIPEX
2018-10-17 07:30 - 2018-09-15 13:38 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\PROGRAMS\ASIO4ALL V2
2018-10-17 07:30 - 2018-09-15 13:36 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\PROGRAMS\IMAGE-LINE
2018-10-17 07:30 - 2018-09-15 13:36 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\IMAGE-LINE
2018-10-17 07:30 - 2018-09-15 08:34 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\FILE & DISK MANAGEMENT
2018-10-17 07:30 - 2018-09-15 08:32 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\SYSTEM SECURITY
2018-10-17 07:30 - 2018-09-14 05:41 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\UNINSTALL A PROGRAM
2018-10-17 07:30 - 2018-09-12 06:26 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\HANDBRAKE
2018-10-17 07:30 - 2018-09-12 03:24 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\SUMATRAPDF
2018-10-17 07:30 - 2018-09-12 01:57 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\READING & VIEWING
2018-10-17 07:30 - 2018-09-12 01:56 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\REMOTE ACCESS
2018-10-17 07:30 - 2018-09-12 01:56 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\INTERNET & DOWNLOADING
2018-10-17 07:30 - 2018-09-12 01:56 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\GRAPHIC DESIGN
2018-10-17 07:30 - 2018-09-12 01:56 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\CODING & DEVELOPMENT
2018-10-17 07:30 - 2018-09-12 01:56 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\AUDIO & PRODUCTION
2018-10-17 07:30 - 2018-09-12 01:55 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\OFFICE & PRODUCTIVITY
2018-10-17 07:30 - 2018-09-12 01:49 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\VIRTUAL MACHINES
2018-10-17 07:30 - 2018-09-12 01:49 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\VIRTUAL DRIVES
2018-10-17 07:30 - 2018-09-12 01:49 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\TWEAKS & CUSTOMIZATION
2018-10-17 07:30 - 2018-09-12 01:48 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\SYSTEM MANAGEMENT
2018-10-17 07:30 - 2018-09-12 01:48 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\SYSTEM INFORMATION
2018-10-17 07:30 - 2018-09-12 01:48 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\MEDIA CONVERSION
2018-10-17 07:30 - 2018-09-12 01:48 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\MEDIA CODECS
2018-10-17 07:30 - 2018-09-12 01:47 - 000000000 ___RD C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Start Menu\BACKUP & RESTORE
2018-10-17 07:30 - 2018-09-11 19:51 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\TWEAKNOW FILERENAMER
2018-10-17 07:30 - 2018-09-11 18:13 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\DESKTOP BACKGROUND TUNER
2018-10-17 07:30 - 2018-09-11 16:14 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\QBITTORRENT
2018-10-17 07:30 - 2018-09-11 16:14 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\QBITTORRENT
2018-10-17 07:30 - 2018-09-11 15:58 - 000000000 __SHD C:\Users\EVILCATDOG\AppData\Roaming\COMMON
2018-10-17 07:30 - 2018-09-11 14:36 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\STARDOCK
2018-10-17 07:30 - 2018-09-11 11:43 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\SUPERANTISPYWARE.COM
2018-10-17 07:30 - 2018-09-11 10:42 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\CLASSICSHELL
2018-10-17 07:30 - 2018-09-10 04:04 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\GOOGLE
2018-10-17 07:30 - 2018-09-10 01:18 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\SAMSUNG
2018-10-17 07:30 - 2018-09-10 00:23 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\MPC-HC
2018-10-17 07:30 - 2018-09-09 13:25 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\PAINT.NET
2018-10-17 07:30 - 2018-09-09 12:09 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\TERACOPY
2018-10-17 07:30 - 2018-09-09 09:41 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\SKYPE
2018-10-17 07:30 - 2018-09-09 04:39 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\TEAMVIEWER
2018-10-17 07:30 - 2018-09-09 04:17 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\GLARYSOFT
2018-10-17 07:30 - 2018-09-09 03:59 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\NOTEPAD++
2018-10-17 07:30 - 2018-09-09 03:31 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\SUN
2018-10-17 07:30 - 2018-09-09 03:31 - 000000000 ____D C:\Users\EVILCATDOG\AppData\LocalLow\SUN
2018-10-17 07:30 - 2018-09-09 02:07 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\DAEMON TOOLS PRO
2018-10-17 07:30 - 2018-09-09 02:03 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\INTEL CORPORATION
2018-10-17 07:30 - 2018-09-09 01:46 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\INSTALLSHIELD
2018-10-17 07:30 - 2018-09-08 21:34 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\MACROMEDIA
2018-10-17 07:30 - 2018-09-08 21:15 - 000000000 __SHD C:\Users\EVILCATDOG\AppData\LocalLow\EMIEBROWSERMODELIST
2018-10-17 07:30 - 2018-09-08 20:52 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Roaming\ADOBE
2018-10-17 07:30 - 2018-09-08 20:52 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\PACKAGES
2018-10-17 07:28 - 2018-09-17 09:50 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\MOBIRISE.COM
2018-10-17 07:26 - 2018-09-09 12:19 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\GOOGLE
2018-10-17 07:25 - 2018-09-20 05:30 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\ACD SYSTEMS
2018-10-17 07:25 - 2018-09-18 03:22 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\CALIBRE-CACHE
2018-10-17 07:25 - 2018-09-17 06:09 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\CEF
2018-10-17 07:25 - 2018-09-17 06:09 - 000000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2018-10-17 07:25 - 2018-09-12 03:24 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\AUDACITY
2018-10-17 07:25 - 2018-09-11 18:19 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\APPLE COMPUTER
2018-10-17 07:25 - 2018-09-11 15:58 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\DISPLAYFUSION
2018-10-17 07:25 - 2018-09-11 14:57 - 000000000 ____D C:\ProgramData\Stardock
2018-10-17 07:25 - 2018-09-11 10:15 - 000000000 ____D C:\ProgramData\BROTHER
2018-10-17 07:25 - 2018-09-10 02:27 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\Apps\2.0
2018-10-17 07:25 - 2018-09-09 12:09 - 000000000 ___HD C:\Users\EVILCATDOG\.OBS32
2018-10-17 07:25 - 2018-09-09 06:20 - 000000000 ____D C:\ProgramData\SUPERANTISPYWARE.COM
2018-10-17 07:25 - 2018-09-09 05:56 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\APPLE
2018-10-17 07:25 - 2018-09-09 03:16 - 000000000 ____D C:\Users\EVILCATDOG\AppData\Local\ADOBE
2018-10-17 07:25 - 2018-09-09 03:16 - 000000000 ____D C:\ProgramData\Adobe
2018-10-17 07:25 - 2018-09-09 02:03 - 000000000 ____D C:\ProgramData\DAEMON Tools Pro
2018-10-17 07:25 - 2018-09-08 21:32 - 000000000 ____D C:\ProgramData\NVIDIA CORPORATION
2018-10-17 07:25 - 2018-09-08 21:17 - 000000000 ____D C:\ProgramData\Samsung
2018-10-17 07:25 - 2018-09-08 20:56 - 000000000 __SHD C:\Users\EVILCATDOG\AppData\Local\EMIEBROWSERMODELIST
2018-10-17 06:10 - 2018-09-09 13:13 - 000000000 ____D C:\ProgramData\Package Cache
2018-10-17 00:10 - 2018-09-09 05:56 - 000000000 ____D C:\Program Files\iTunes
2018-10-17 00:10 - 2018-09-09 05:56 - 000000000 ____D C:\Program Files\iPod
2018-10-17 00:09 - 2018-09-09 05:56 - 000000000 ____D C:\Program Files (x86)\Bonjour
2018-10-16 19:44 - 2013-08-23 00:25 - 000262144 ___SH C:\Windows\system32\config\BBI
2018-10-16 18:45 - 2018-09-11 21:26 - 000000032 _____ C:\Windows\SysWOW64\Eu(12-20180814).OD
2018-10-16 18:44 - 2018-09-11 14:57 - 000000000 ____D C:\Program Files (x86)\Stardock
2018-10-15 13:56 - 2013-08-23 02:20 - 000000000 ____D C:\Windows\CbsTemp
2018-10-11 14:55 - 2013-08-23 02:36 - 000000000 ____D C:\Windows\SysWOW64\GroupPolicy
2018-10-10 10:06 - 2013-08-23 02:36 - 000000000 ____D C:\Windows\system32\NDF
2018-10-06 13:26 - 2017-09-05 10:32 - 000000000 ____D C:\Program Files (x86)\AUTORUNS
2018-10-06 11:49 - 2018-09-09 04:13 - 000000000 ____D C:\Program Files\Classic Shell
2018-10-06 11:44 - 2018-09-08 21:15 - 000000000 __SHD C:\Users\EVILCATDOG\AppData\LocalLow\EMIEUSERLIST
2018-10-06 11:44 - 2018-09-08 20:55 - 000000000 __SHD C:\Users\EVILCATDOG\AppData\LocalLow\EMIESITELIST
2018-09-28 20:59 - 2018-09-09 04:17 - 000000000 ____D C:\Program Files (x86)\Glary Utilities 5
2018-09-28 20:52 - 2013-08-23 01:44 - 000485608 _____ C:\Windows\system32\FNTCACHE.DAT
2018-09-28 20:19 - 2018-09-14 07:26 - 000003934 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{68E52C56-9112-4BB7-9EDE-7DE20F6FA4FF}
2018-09-27 22:33 - 2018-09-09 03:15 - 000000000 ____D C:\Program Files (x86)\Google
2018-09-26 22:53 - 2018-09-11 01:15 - 000007146 _____ C:\Users\EVILCATDOG\Documents\INSTALL WIN 8.1 PRO 2018.TXT
2018-09-25 11:57 - 2018-09-10 01:35 - 001003022 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2018-09-24 05:07 - 2018-09-09 13:25 - 000000000 ____D C:\Program Files\paint.net
 
==================== Files in the root of some directories =======
 
2018-09-09 01:00 - 2018-10-22 20:15 - 000007694 _____ () C:\Users\EVILCATDOG\AppData\Local\RESMON.RESMONCFG
2018-09-16 05:55 - 2018-10-21 22:44 - 000001293 _____ () C:\Users\EVILCATDOG\AppData\Local\Temp1.html
2018-10-21 22:44 - 2018-10-21 22:44 - 000006530 _____ () C:\Users\EVILCATDOG\AppData\Local\Temp20.html
2018-10-11 15:08 - 2018-10-11 15:08 - 000006529 _____ () C:\Users\EVILCATDOG\AppData\Local\TEMP34.HTML
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2018-10-19 02:47
 
==================== End of FRST.txt ============================
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 10.10.2018
Ran by EVILCATDOG (22-10-2018 20:31:54)
Running from C:\Users\EVILCATDOG\Downloads
Windows 8.1 Pro (Update) (X64) (2018-09-08 09:52:03)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-657599590-845682314-92439975-500 - Administrator - Enabled)
EVILCATDOG (S-1-5-21-657599590-845682314-92439975-1001 - Administrator - Enabled) => C:\Users\EVILCATDOG
Guest (S-1-5-21-657599590-845682314-92439975-501 - Limited - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Emsisoft Anti-Malware (Enabled - Up to date) {67773CDD-EA83-AD98-A2ED-386463EB3B0D}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Emsisoft Anti-Malware (Enabled - Up to date) {DC16DD39-CCB9-A216-985D-0316186C71B0}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 18.05 (x64) (HKLM\...\7-Zip) (Version: 18.05 - Igor Pavlov)
ACDSee Photo Studio Ultimate 2018 (HKLM\...\{35035ABF-4733-478B-88AC-CB25FF451926}) (Version: 11.1.0.1272 - ACD Systems International Inc.)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 4.7.0.400 - Adobe Systems Incorporated)
Adobe Dreamweaver CC 2018 (HKLM-x32\...\DRWV_18_2) (Version: 18.2 - Adobe Systems Incorporated)
Aero Glass for Win8.1+ (HKLM\...\{277BA0F1-D0BB-4D73-A2DF-6B60C91E1533}_is1) (Version: 1.4.6 - Big Muscle)
AIMP (HKLM-x32\...\AIMP) (Version: v4.51.2080, 07.07.2018 - AIMP DevTeam)
Apple Application Support (32-bit) (HKLM-x32\...\{308F2F8C-9D33-4B22-8A6C-D9C13DBEF8C6}) (Version: 7.0.2 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{0CB84A7D-9697-4526-A819-60FB050E8F05}) (Version: 7.0.2 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{77F8C879-88CD-4145-945A-541C35285285}) (Version: 12.0.0.1039 - Apple Inc.)
ARIA Engine v1.9.1.6 (HKLM\...\ARIA Engine_is1) (Version: v1.9.1.6 - Plogue Art et Technologie, Inc)
ASIO4ALL (HKLM-x32\...\ASIO4ALL) (Version: 2.14 - Michael Tippach)
Asmedia ASM104x USB 3.0 Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.16.12.0 - Asmedia Technology)
Asmedia ASM106x SATA Host Controller Driver (HKLM-x32\...\{61942EF5-2CD8-47D4-869C-2E9A8BB085F1}) (Version: 2.0.8.0000 - Asmedia Technology)
Audacity 2.2.2 (HKLM-x32\...\Audacity_is1) (Version: 2.2.2 - Audacity Team)
beaTunes 5.1.10 (HKLM-x32\...\beaTunes5) (Version: 5.1.10 - tagtraum industries incorporated)
Belarc Advisor 8.6b (HKLM-x32\...\Belarc Advisor) (Version: 8.6.2.0 - Belarc Inc.)
Beta Bugs BugPack1 VST (HKLM-x32\...\BugPack1) (Version: "1.0.0" - "BetaBugs")
Bigasoft iTunes Video Converter 3.7.50.5067 (HKLM-x32\...\{83340D90-BB65-4969-8C4E7FABC6319CDA}_is1) (Version:  - Bigasoft Corporation)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
calibre 64bit (HKLM\...\{7A345D03-2C46-4483-855B-01C7C320600F}) (Version: 3.31.0 - Kovid Goyal)
Camel Audio CamelCrusher64 (HKLM-x32\...\Camel Audio CamelCrusher64) (Version: 1.01.0 - Camel Audio)
Celemony Melodyne 4 (HKLM\...\Melodyne 4_is1) (Version: 4.2.0.020 - Celemony)
Classic Shell (HKLM\...\{CABCE573-0A86-42FA-A52A-C7EA61D5BE08}) (Version: 4.3.1 - IvoSoft)
DAEMON Tools Pro (HKLM-x32\...\DAEMON Tools Pro) (Version: 5.4.0.0377 - Disc Soft Ltd)
Duplicate Photo Cleaner (HKLM\...\Duplicate Photo Cleaner_is1) (Version:  - WebMinds, Inc.)
EaseUS Todo Backup Home 11.5 Trial (HKLM-x32\...\EaseUS Todo Backup_is1) (Version: 11.5 - CHENGDU YIWO Tech Development Co., Ltd)
Easy DRM Converter for Windows version 5.6.1 (HKU\S-1-5-21-657599590-845682314-92439975-1001\...\{36065dd8-1211-4827-aed4-0c6676c5a906}_is1) (Version: 5.6.1 - ApplemacSoft, Inc.)
Emsisoft Anti-Malware (HKLM\...\{CA975286-D816-410C-B6C9-F7213CA84695}) (Version: 18.8.1.8923 - Emsisoft Ltd.)
Febooti fileTweak Case (HKLM\...\{5FC2BE90-A810-4170-B12F-2F3FFC6524A5}) (Version: 3.0.0 - Febooti Software)
FilExile (HKLM-x32\...\{37D0B08A-2D0E-4A2E-8C8D-B2CB52BA81AC}_is1) (Version: 3.00 - Bryan Carey)
FL Studio 20 (HKLM-x32\...\FL Studio 20) (Version:  - Image-Line)
FL Studio ASIO (HKLM-x32\...\FL Studio ASIO) (Version:  - Image-Line)
Focusrite USB 4.36.5.0 (HKLM\...\Focusrite USB_is1) (Version: 4.36.5.0 - Focusrite Audio Engineering Ltd.)
Glary Utilities 5.105 (HKLM-x32\...\Glary Utilities 5) (Version: 5.105.0.129 - Glarysoft Ltd)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 69.0.3497.81 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.17 - Google Inc.) Hidden
HandBrake 1.1.2 (HKLM-x32\...\HandBrake) (Version: 1.1.2 - )
HD Video Converter Factory 14.3 (HKLM-x32\...\HD Video Converter Factory) (Version: 14.3 - WonderFox Soft, Inc.)
HD Video Converter Factory Pro 16.3 (HKLM-x32\...\HD Video Converter Factory Pro) (Version: 16.3 - WonderFox Soft, Inc.)
HoRNet SongKey MKII (HKLM\...\SongKey MKII_is1) (Version: 2.0.2 - HoRNet)
Image Resizer for Windows (64 bit) (HKLM\...\{617CA6E9-D5FB-4017-8130-82E68C56C34D}) (Version: 3.0.4802.35565 - Brice Lambson) Hidden
Image Resizer for Windows (HKLM-x32\...\{69d72156-6582-4556-8637-06f40aa7f85b}) (Version: 3.0.4802.35565 - Brice Lambson)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.15.1730 - Intel Corporation)
Internet Download Manager (HKLM-x32\...\Internet Download Manager) (Version:  - Tonec Inc.)
iTunes (HKLM\...\{D18613A9-9399-477C-A299-BFBDAA0DEE2E}) (Version: 12.9.0.167 - Apple Inc.)
iZotope Nectar 3 Elements (HKLM\...\Nectar 3 Elements_is1) (Version: 3.00 - iZotope & Team V.R)
K-Lite Codec Pack 14.4.0 Standard (HKLM-x32\...\KLiteCodecPack_is1) (Version: 14.4.0 - KLCP)
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version:  - )
LatencyMon 6.70 (HKLM\...\LatencyMon_is1) (Version:  - Resplendence Software Projects Sp.)
Malwarebytes version 3.6.1.2711 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.6.1.2711 - Malwarebytes)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.9029.2167 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-657599590-845682314-92439975-1001\...\OneDriveSetup.exe) (Version: 17.3.6743.1212 - Microsoft Corporation)
Microsoft Research AutoCollage 2008 Academic Edition (HKLM-x32\...\{423D8FBE-EC52-40FD-B2A0-8C9C8F973FD7}) (Version: 1.01.2008 - Microsoft Research)
Microsoft Sync Framework 2.0 Core Components (x64) ENU  (HKLM\...\{8CCBEC22-D2DB-4DC9-A58A-E1A1F3A38C8A}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Provider Services (x64) ENU  (HKLM\...\{03AC245F-4C64-425C-89CF-7783C1D3AB2C}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.12.25810 (HKLM-x32\...\{e2ee15e2-a480-4bc5-bfb7-e9803d1d9823}) (Version: 14.12.25810.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.12.25810 (HKLM-x32\...\{56e11d69-7cc9-40a5-a4f9-8f6190c4d84d}) (Version: 14.12.25810.0 - Microsoft Corporation)
Mobirise4 (HKLM-x32\...\Mobirise4_is1) (Version:  - Mobirise.com)
Mp3tag v2.90a (HKLM-x32\...\Mp3tag) (Version: 2.90a - Florian Heidenreich)
MultiMon 3.00 (HKLM\...\MultiMon_is1) (Version:  - Resplendence Software Projects Sp.)
MusicBrainz Picard (HKLM-x32\...\MusicBrainz Picard) (Version: 2.0.4 - MusicBrainz)
Native Instruments Kontakt 5 (HKLM-x32\...\Native Instruments Kontakt 5) (Version: 5.8.1.43 - Native Instruments)
Neutron 2 Advanced (HKLM-x32\...\Neutron 2) (Version: 2.00 - iZotope, Inc.)
NoteBurner iTunes DRM Audio Converter 3.1.3 (HKLM-x32\...\ef58365b-3b59-546e-8130-a7df132c5009) (Version: 3.1.3 - Noteburner)
NoteBurner M4V Converter Plus 5.4.8 (HKLM-x32\...\NoteBurner M4V Converter Plus) (Version: 5.4.8 - NoteBurner)
Notepad++ (32-bit x86) (HKLM-x32\...\Notepad++) (Version: 7.5.8 - Notepad++ Team)
NVIDIA 3D Vision Driver 391.35 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 391.35 - NVIDIA Corporation)
NVIDIA Graphics Driver 391.35 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 391.35 - NVIDIA Corporation)
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.9029.2167 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.9029.2167 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.9029.2167 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.9029.2167 - Microsoft Corporation) Hidden
Ondesoft iTunes Converter version 5.6.1 (HKU\S-1-5-21-657599590-845682314-92439975-1001\...\{938C66A7-BF2F-4BFE-95ED-F8550A1BD01D}_is1) (Version: 5.6.1 - Ondesoft, Inc.)
OneClickFirewall (HKLM\...\OneClickFirewall) (Version: 1.0.0.2 - hxxp://winaero.com)
Ozone 8 Advanced (HKLM-x32\...\Ozone 8) (Version: 8.00 - iZotope, Inc.)
paint.net (HKLM\...\{36C264F3-0458-42D9-A091-807B5CEB0FA8}) (Version: 4.1.1 - dotPDN LLC)
ParkControl (HKLM-x32\...\ParkControl) (Version: 1.2.8.4 - Bitsum)
PDFCreator (HKLM\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 3.2.2 - pdfforge GmbH)
Plogue AlterEgo v1.516 (HKLM\...\__ARIA_1019___is1) (Version: v1.516 - Plogue)
Python Launcher (HKLM-x32\...\{D6BDDB48-938A-4384-A7BE-2B4E4931B111}) (Version: 3.7.6386.0 - Python Software Foundation)
qBittorrent 4.1.2 (HKLM-x32\...\qBittorrent) (Version: 4.1.2 - The qBittorrent project)
Registrar Registry Manager 8.04 (HKLM\...\RegistrarHome_is1) (Version:  - Resplendence Software Projects Sp.)
Revo Uninstaller 2.0.5 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.0.5 - VS Revo Group, Ltd.)
RX 6 Audio Editor Advanced (HKLM-x32\...\RX 6 Audio Editor Advanced) (Version: 6.10 - iZotope, Inc.)
Samsung Magician (HKLM-x32\...\{29AE3F9F-7158-4ca7-B1ED-28A73ECDB215}_is1) (Version: 5.2.1.1780 - Samsung Electronics)
SanityCheck 3.51 (HKLM\...\SanityCheck_is1) (Version:  - Resplendence Software Projects Sp.)
Sidify Apple Music Converter 3.0.4 (HKLM-x32\...\088959b6-3237-59c7-b0b2-e65561a6acf5) (Version: 3.0.4 - Sidify)
SoulseekQt version 2017.2.20 (HKLM-x32\...\{8A4E1646-488C-4E5B-AC31-F784400E8D2D}_is1) (Version: 2017.2.20 - Soulseek LLC)
SumatraPDF (HKLM\...\SumatraPDF) (Version: 3.1.2 - Krzysztof Kowalczyk)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1262 - SUPERAntiSpyware.com)
Sylenth1 v2.21 (HKLM\...\Sylenth1_is1) (Version:  - )
SyncToy 2.1 (x64) (HKLM\...\{88DAAF05-5A72-46D2-A7C5-C3759697E943}) (Version: 2.1.0 - Microsoft)
TuneFab Apple Music Converter version 5.6.1 (HKU\S-1-5-21-657599590-845682314-92439975-1001\...\{ce745ba1-2bbc-4dd1-8ee4-0c67366accd0}_is1) (Version: 5.6.1 - TuneFab, Inc.)
TunesKit Audio Converter 2.1.9.30 (HKLM-x32\...\TunesKit Audio Converter_is1) (Version:  - TunesKit, Inc.)
TweakNow FileRenamer (HKLM-x32\...\TweakNow FileRenamer_is1) (Version: 1.0.1 - TweakNow.com)
UxStyle (HKLM\...\{86D24646-DAF6-4F5E-BCAD-CF7EF8E362E1}) (Version: 0.2.3.0 - The Within Network, LLC) Hidden
UxStyle (HKLM-x32\...\{05560347-3a9b-4644-a8ed-8b64cc947189}) (Version: 0.2.3.0 - The Within Network, LLC)
Voxengo AnSpec (HKLM\...\Voxengo AnSpec_is1) (Version: 1.2 - Voxengo)
Voxengo Boogex (HKLM\...\Voxengo Boogex_is1) (Version: 2.3 - Voxengo)
Voxengo Marvel GEQ (HKLM\...\Voxengo Marvel GEQ_is1) (Version: 1.4 - Voxengo)
Voxengo MSED (HKLM\...\Voxengo MSED_is1) (Version: 3.0 - Voxengo)
Voxengo OldSkoolVerb (HKLM\...\Voxengo OldSkoolVerb_is1) (Version: 2.4.1 - Voxengo)
Voxengo Overtone GEQ (HKLM\...\Voxengo Overtone GEQ_is1) (Version: 1.11 - Voxengo)
Voxengo Sound Delay (HKLM\...\Voxengo Sound Delay_is1) (Version: 1.7 - Voxengo)
Voxengo SPAN (HKLM\...\Voxengo SPAN_is1) (Version: 3.1 - Voxengo)
Voxengo Stereo Touch (HKLM\...\Voxengo Stereo Touch_is1) (Version: 2.9 - Voxengo)
Voxengo Tempo Delay (HKLM\...\Voxengo Tempo Delay_is1) (Version: 2.1 - Voxengo)
Voxengo Tube Amp (HKLM\...\Voxengo Tube Amp_is1) (Version: 2.5 - Voxengo)
WhoCrashed 6.01 (HKLM\...\WhoCrashed_is1) (Version:  - Resplendence Software Projects Sp.)
WhySoSlow 1.50 (HKLM\...\WhySoSlowHome_is1) (Version:  - Resplendence Software Projects Sp.)
Winaero Tweaker (HKLM\...\Winaero Tweaker_is1) (Version: 0.11.2.0 - Winaero)
WizTree v3.25 (HKLM\...\WizTree_is1) (Version: 3.25 - Antibody Software)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-657599590-845682314-92439975-1001_Classes\CLSID\{e8c77137-e224-5791-b6e9-ff0305797a13}\InprocServer32 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Systems)
ShellIconOverlayIdentifiers: [ IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll [2018-05-12] (Tonec Inc.)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2018-04-30] (Igor Pavlov)
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files (x86)\Notepad++\NppShell_06.dll [2018-07-23] ()
ContextMenuHandlers1: [FilExileShlExt] -> {37D0B08A-2D0E-4A2E-8C8D-B2CB52BA81AC} => C:\Windows\system32\FilExileExt.dll [2017-02-05] (FilExile)
ContextMenuHandlers1: [Image Resizer] -> {51B4D7E5-7568-4234-B4BB-47FB3C016A69} => C:\Program Files\Image Resizer for Windows\ShellExtensions.dll [2013-02-23] (Brice Lambson)
ContextMenuHandlers1: [Mp3tagShell] -> {6351E20C-35FA-4BE3-98FB-4CABF1363E12} => C:\Program Files (x86)\Mp3tag\Mp3tagShell64.dll [2018-09-23] (Florian Heidenreich)
ContextMenuHandlers1: [SimpleShlExt] -> {45203D3B-3D73-4497-8AFE-D29950AC6C55} => C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\ImageSh.dll [2018-08-14] (CHENGDU YIWO Tech Development Co.,Ltd)
ContextMenuHandlers2-x32: [Emsisoft Shell Extension] -> {AB77609F-2178-4E6F-9C4B-44AC179D937A} => C:\Program Files\Emsisoft Anti-Malware\A2CONTMENU.DLL [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers2-x32: [Emsisoft Shell Extension x64] -> {E3F21FC7-6D65-48E7-B62B-E9ED8200C764} => C:\Program Files\Emsisoft Anti-Malware\A2CONTMENU64.DLL [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers2-x32: [Mp3tagShell] -> {6351E20C-35FA-4BE3-98FB-4CABF1363E12} => C:\Program Files (x86)\Mp3tag\Mp3tagShell64.dll [2018-09-23] (Florian Heidenreich)
ContextMenuHandlers2-x32: [SimpleShlExt] -> {45203D3B-3D73-4497-8AFE-D29950AC6C55} => C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\ImageSh.dll [2018-08-14] (CHENGDU YIWO Tech Development Co.,Ltd)
ContextMenuHandlers3-x32: [Emsisoft Shell Extension] -> {AB77609F-2178-4E6F-9C4B-44AC179D937A} => C:\Program Files\Emsisoft Anti-Malware\A2CONTMENU.DLL [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers3-x32: [Emsisoft Shell Extension x64] -> {E3F21FC7-6D65-48E7-B62B-E9ED8200C764} => C:\Program Files\Emsisoft Anti-Malware\A2CONTMENU64.DLL [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2018-04-30] (Igor Pavlov)
ContextMenuHandlers4: [FilExileShlExt] -> {37D0B08A-2D0E-4A2E-8C8D-B2CB52BA81AC} => C:\Windows\system32\FilExileExt.dll [2017-02-05] (FilExile)
ContextMenuHandlers4: [Mp3tagShell] -> {6351E20C-35FA-4BE3-98FB-4CABF1363E12} => C:\Program Files (x86)\Mp3tag\Mp3tagShell64.dll [2018-09-23] (Florian Heidenreich)
ContextMenuHandlers4: [SimpleShlExt] -> {45203D3B-3D73-4497-8AFE-D29950AC6C55} => C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\ImageSh.dll [2018-08-14] (CHENGDU YIWO Tech Development Co.,Ltd)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2018-03-24] (NVIDIA Corporation)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2018-04-30] (Igor Pavlov)
ContextMenuHandlers6-x32: [Emsisoft Shell Extension] -> {AB77609F-2178-4E6F-9C4B-44AC179D937A} => C:\Program Files\Emsisoft Anti-Malware\A2CONTMENU.DLL [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers6-x32: [Emsisoft Shell Extension x64] -> {E3F21FC7-6D65-48E7-B62B-E9ED8200C764} => C:\Program Files\Emsisoft Anti-Malware\A2CONTMENU64.DLL [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers6-x32: [FilExileShlExt] -> {37D0B08A-2D0E-4A2E-8C8D-B2CB52BA81AC} => C:\Windows\system32\FilExileExt.dll [2017-02-05] (FilExile)
ContextMenuHandlers6-x32: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B} => C:\Windows\system32\StartMenuHelper64.dll [2017-08-13] (IvoSoft)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0BB47ACB-3129-4AF7-B6B9-FF88FF4D1F57} - System32\Tasks\Aero Glass => C:\AeroGlass\aerohost.exe [2016-09-20] (Big Muscle)
Task: {1947BBA6-D015-4453-B527-688E2523C38C} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-02-22] (Microsoft Corporation)
Task: {ABBF04BE-F304-4F2B-87DA-EB0DE0AE1E71} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-09-11] (Microsoft Corporation)
Task: {D4422BBD-FD2A-4D76-8983-06BF67B24DC6} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-09-11] (Microsoft Corporation)
Task: {F04A24BF-C48A-4D43-959E-C70170012B4F} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-02-22] (Microsoft Corporation)
Task: {FAD3010F-5020-4E0C-BA74-0C19B198D9F5} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonx86\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2018-09-11] (Microsoft Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2018-09-11 21:23 - 2018-08-14 10:41 - 000270480 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe
2018-07-23 11:14 - 2018-07-23 11:14 - 000230064 _____ () C:\Program Files (x86)\Notepad++\NppShell_06.dll
2018-08-28 10:46 - 2018-08-28 10:46 - 000088888 _____ () C:\Program Files\iTunes\zlib1.dll
2018-08-28 10:46 - 2018-08-28 10:46 - 001356088 _____ () C:\Program Files\iTunes\libxml2.dll
2018-08-28 10:44 - 2018-08-28 10:44 - 000235832 _____ () C:\Program Files\iTunes\libxslt.dll
2018-09-10 02:31 - 2018-09-04 08:04 - 002677592 _____ () C:\Program Files (x86)\Google\Chrome\Application\69.0.3497.81\swiftshader\libglesv2.dll
2018-09-10 02:31 - 2018-09-04 08:04 - 000148824 _____ () C:\Program Files (x86)\Google\Chrome\Application\69.0.3497.81\swiftshader\libegl.dll
2018-09-11 21:24 - 2017-02-21 18:19 - 000083136 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CodeLog.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000019600 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CompressFile.dll
2018-09-11 21:24 - 2016-03-07 19:08 - 001291264 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\libxml2.dll
2018-09-11 21:24 - 2004-10-05 04:08 - 000055808 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\zlib1.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000024720 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CmcTbProxy.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000188560 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CMCPipeCenter.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000195728 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CMCAdapt.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000163472 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CMCAdapt_RTTO.dll
2018-09-11 21:23 - 2018-08-14 10:40 - 000055952 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\TBInfo.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000018064 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CMCNetTokenProxy.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000058000 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\ActivationOnline.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000704144 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\EuActiveOnline.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000487568 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\EULicenseDLL.DLL
2018-09-11 21:23 - 2018-08-14 10:39 - 000021648 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\fsclog.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000264336 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\AuthorizedMng.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000112272 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CalcScheduleTime.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000085648 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\logsys.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000032912 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\DiskSearchImg.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000070800 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\MountImg.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000169616 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\ImgFile.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000539280 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\DsImgFile.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000078480 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\FatLib.dll
2018-09-11 21:23 - 2018-08-14 10:40 - 000318608 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\NTFSUtil.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000211088 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\NTFSLib.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000026256 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CallbackOperator.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000074384 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CheckImg.dll
2018-09-11 21:23 - 2018-08-14 10:40 - 000141968 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\vhdvmdk.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000089232 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\BootDriver.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 002458768 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\ExImage.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000266384 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\EmailBackupSize.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000162960 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\EnumDisk.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000029328 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\DeviceAdapter.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000131216 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\FileStorage.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000026768 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\GetDriverInfo.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000024720 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CorrectMbr.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000034448 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\EnumTapeDevice.dll
2018-09-11 21:23 - 2018-08-14 10:40 - 000054416 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\TbTapeBrowse.dll
2018-09-11 21:23 - 2018-08-14 10:40 - 000066192 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\RegLib.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000026768 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\AccountManager.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000072848 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\NasOperator.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000292496 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\EmailBrowser.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000078992 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\CloudOperator.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000021648 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\ActiveOnline.dll
2018-09-11 21:23 - 2018-08-14 10:40 - 000138384 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\VMConfig.dll
2018-09-11 21:23 - 2018-08-14 10:40 - 000075408 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\SqlExBrowser.dll
2018-09-11 21:23 - 2018-08-14 10:40 - 000585872 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\SqlSMOCPlusPlus.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000119952 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\FileSearch.dll
2018-09-11 21:23 - 2018-08-14 10:40 - 000045200 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\TbDataSwap.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000367760 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\DeviceManager.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000142992 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\Device.dll
2018-09-11 21:23 - 2018-08-14 10:40 - 000149136 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\Partition.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000052368 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\FileSystemAnalyser.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000064144 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\FATFileSystemAnalyser.dll
2018-09-11 21:23 - 2018-08-14 10:38 - 000091792 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\Common.dll
2018-09-11 21:23 - 2018-08-14 10:39 - 000058512 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\NTFSFileSystemAnalyser.dll
2018-09-11 21:23 - 2018-08-14 10:40 - 000220304 _____ () C:\Program Files (x86)\EaseUS\Todo Backup\bin\SmartBackup.dll
2018-09-11 16:31 - 2018-09-11 16:32 - 001452728 _____ () C:\Program Files (x86)\Microsoft Office\root\Office16\ClientTelemetry.dll
2018-09-11 16:31 - 2018-09-11 16:32 - 001079984 _____ () C:\Program Files (x86)\Microsoft Office\root\Office16\msosvg.dll
2018-09-11 16:31 - 2018-09-11 16:32 - 000294056 _____ () C:\Program Files (x86)\Microsoft Office\root\Office16\IEAWSDC.DLL
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\ProgramData:Duplicate$Photo$Cleaner [154]
AlternateDataStreams: C:\Users\All Users:Duplicate$Photo$Cleaner [154]
AlternateDataStreams: C:\ProgramData\Application Data:Duplicate$Photo$Cleaner [154]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UnsignedThemes => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UnsignedThemes => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2018-09-11 09:47 - 2018-09-20 05:39 - 000407860 _____ C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
255.255.255.255 broadcasthost
127.0.0.1 local
 
There are 13753 more lines.
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-657599590-845682314-92439975-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\EVILCATDOG\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 8.8.8.8 - 8.8.4.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
If an entry is included in the fixlist, it will be removed.
 
MSCONFIG\Services: AdobeUpdateService => 2
MSCONFIG\Services: AGMService => 2
MSCONFIG\Services: AGSService => 2
MSCONFIG\Services: Apple Mobile Device Service => 3
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\Services: gupdate => 3
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: iPod Service => 3
HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "DSATray"
HKLM\...\StartupApproved\Run32: => "UXTheme Launcher"
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\StartupApproved\StartupFolder: => "TWC Program Blocker.lnk"
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\StartupApproved\Run: => "GUDelayStartup"
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\StartupApproved\Run: => "UWT"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [TPMVSCMGR-Server-Out-TCP-NoScope] => (Block) %SystemRoot%\system32\RmtTpmVscMgrSvr.exe
FirewallRules: [TPMVSCMGR-Server-Out-TCP] => (Block) %SystemRoot%\system32\RmtTpmVscMgrSvr.exe
FirewallRules: [WFDPRINT-DAFWSD-Out-Active] => (Block) %SystemRoot%\system32\dashost.exe
FirewallRules: [WFDPRINT-SPOOL-Out-Active] => (Block) %SystemRoot%\system32\spoolsv.exe
FirewallRules: [WFDPRINT-SCAN-Out-Active] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [NetPres-Out-TCP-NoScope] => (Block) %SystemRoot%\system32\netproj.exe
FirewallRules: [NetPres-WSD-Out-UDP] => (Block) %SystemRoot%\system32\netproj.exe
FirewallRules: [NetPres-Out-TCP] => (Block) %SystemRoot%\system32\netproj.exe
FirewallRules: [{218C928C-1339-4012-8884-EF8EA42BD53D}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{0F87EA51-B93A-4240-B2A4-EDB6CEAF192C}] => (Allow) C:\Program Files\qBittorrent\qbittorrent.exe
FirewallRules: [{B047F077-BB29-4205-B11C-599771163E6C}] => (Allow) C:\Program Files\qBittorrent\qbittorrent.exe
FirewallRules: [{61D78939-2D2E-4FD2-A3AC-32319E21E4DA}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
FirewallRules: [{0A92871E-AA15-46CC-9CDF-43129AD19487}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{2C43902B-2400-4A36-9554-7AB90F5597DA}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{E77B0CB0-DF7C-4282-B8F2-6E105BCE9F46}] => (Allow) C:\Program Files (x86)\EaseUS\Todo Backup\bin\TbService.exe
FirewallRules: [{C0E55A40-8D63-4C2F-9B80-3515E3325F24}] => (Allow) C:\Program Files (x86)\EaseUS\Todo Backup\bin\TbService.exe
FirewallRules: [{1B9D89EB-ADFD-4725-80B9-6B218CC96227}] => (Allow) C:\Program Files (x86)\EaseUS\Todo Backup\bin\TBConsoleUI.exe
FirewallRules: [{F4DCB0EF-96CC-4153-9D12-180FBF521B99}] => (Allow) C:\Program Files (x86)\EaseUS\Todo Backup\bin\TBConsoleUI.exe
FirewallRules: [{8B54C820-7BA8-4D0B-B3BD-843B3F57CDBC}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
FirewallRules: [{DB7CC8E8-7B0C-4848-8B24-D236E2ACA3E1}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
FirewallRules: [{B3D59978-41C9-434D-AB5F-BAE6A85E0E3D}] => (Allow) C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe
FirewallRules: [{6372D7AB-9D91-4D30-BF21-CED9670DDBC6}] => (Allow) C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe
FirewallRules: [{BB3693DE-B1B3-4986-BE48-873FC60C25E5}] => (Allow) C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe
FirewallRules: [{93323469-8098-4D04-A292-70A9974D826F}] => (Allow) C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe
FirewallRules: [{8A0D37D0-12A0-4F8F-A63D-9BF8D900123F}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\bridge\64bit\ilbridge.exe
FirewallRules: [{E6665760-8C86-4BF3-8918-2E71666E13A2}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\bridge\32bit\ilbridge.exe
FirewallRules: [{0B36039B-D2E1-424A-8ED4-864C701B15ED}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\lilypond\bin\lilypond-windows.exe
FirewallRules: [{FDCB7D2F-60FC-4C97-B2A9-FE0E7106D3B0}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\beatslicer\zx_bs_d.exe
FirewallRules: [{89A2BEED-AD4D-4114-99C9-80164EE9F716}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\lilypond\bin\gs.exe
FirewallRules: [{2992F2DE-8E3E-4197-A2C0-796184477DA0}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\lilypond\bin\python-windows.exe
FirewallRules: [{62770355-55E5-472B-981B-2377EAF5E069}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\lilypond\bin\guile.exe
FirewallRules: [{08CD0D9A-C98D-4D85-892E-D319D7FAD835}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\lilypond\bin\gspawn-win32-helper.exe
FirewallRules: [{E15AC4F4-B022-42D9-8227-C6997EE6D385}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\lilypond\bin\test-lily.exe
FirewallRules: [{601052B5-97B4-449D-A129-936A5C7228EC}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\lilypond\bin\test-licoli.exe
FirewallRules: [{20E83D90-A7DB-4F86-A96F-6F711F712B6D}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\lilypond\bin\test-midi.exe
FirewallRules: [{CF5DBA95-4B85-4616-93EC-362814B650D8}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\lilypond\bin\python.exe
FirewallRules: [{11ADA45F-98DA-4067-A26C-11859DD7F35B}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\lilypond\bin\test-ps.exe
FirewallRules: [{17EBA883-2D7F-474D-B54C-F39752630B3F}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\lilypond\bin\test.exe
FirewallRules: [{C7D9AAB9-5943-4ABA-8DCD-0A877895C52E}] => (Block) c:\program files (x86)\image-line\fl studio 20\fl (compatible memory).exe
FirewallRules: [{4C068F2F-9F51-42A6-B831-55C057495C5F}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\diagnostics\fldiagnostic.exe
FirewallRules: [{9A19A3A8-9DCE-48BB-99DC-F639032FFEA3}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\lilypond\bin\test-pdf.exe
FirewallRules: [{6687D0BB-0EF1-4B4F-AD9E-13F55F5AA416}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\plugin manager\pluginmanager.exe
FirewallRules: [{A310748A-CFD3-413A-BC9D-8F6C4E97ADCF}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\installers\vorbisacm\codec\codecinstaller.exe
FirewallRules: [{0FD106C6-7D1E-45CE-A6DD-582AC954313A}] => (Block) c:\program files (x86)\image-line\fl studio 20\uninstall.exe
FirewallRules: [{84F691EA-20D0-47DC-82D2-8978D419ACF9}] => (Block) c:\program files (x86)\image-line\fl studio 20\fl64.exe
FirewallRules: [{F29682C1-B447-4F39-8353-4F2DF28BD756}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\installers\vorbisacm_x64\codec\codecinstaller.exe
FirewallRules: [{352A2898-D037-4601-B85D-8A2298EFA081}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\lilypond\bin\test-preview.exe
FirewallRules: [{E3ECDDA3-E1DE-4B15-89EA-56C6412AD000}] => (Block) c:\program files (x86)\image-line\fl studio 20\fl64 (scaled).exe
FirewallRules: [{13A88B52-310C-4111-8254-26352E87061D}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\control creator\controlcreator.exe
FirewallRules: [{F9990FDE-2083-4757-A4EE-A29316E61994}] => (Block) c:\program files (x86)\image-line\fl studio 20\fl (scaled).exe
FirewallRules: [{F40AF008-AB60-4977-8525-BF6C0C3AC447}] => (Block) c:\program files (x86)\image-line\fl studio 20\fl.exe
FirewallRules: [{44C3E89E-F9E8-400A-9765-90066CA5F9E8}] => (Block) c:\program files (x86)\image-line\fl studio 20\system\tools\lilypond\bin\test-ps.exe
FirewallRules: [{C168DBAA-DD42-4059-815B-F34A8C32BD0D}] => (Block) c:\program files\native instruments\kontakt 5.exe
FirewallRules: [TCP Query User{57E9A60A-146C-4882-A577-0A821FA9E799}C:\program files\adobe\adobe dreamweaver cc 2018\node\node.exe] => (Allow) C:\program files\adobe\adobe dreamweaver cc 2018\node\node.exe
FirewallRules: [UDP Query User{D45E3545-6B1A-42E3-8189-33E191D7DAD0}C:\program files\adobe\adobe dreamweaver cc 2018\node\node.exe] => (Allow) C:\program files\adobe\adobe dreamweaver cc 2018\node\node.exe
FirewallRules: [TCP Query User{0C6B8723-4C45-4238-871F-3B8669558B85}C:\program files (x86)\soulseekqt\soulseekqt.exe] => (Allow) C:\program files (x86)\soulseekqt\soulseekqt.exe
FirewallRules: [UDP Query User{846F9D97-6214-4057-B1E4-30D47E895D06}C:\program files (x86)\soulseekqt\soulseekqt.exe] => (Allow) C:\program files (x86)\soulseekqt\soulseekqt.exe
FirewallRules: [{45FBFACF-ADE5-4FAE-A70D-E7A17BF1801E}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\acdseecommanderultimate11.exe
FirewallRules: [{E451025A-11EA-4BCD-8F8B-11B0A96E26F7}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\acdseeindexerultimate11.exe
FirewallRules: [{C71C4886-FAD0-41A2-BB4F-D19BE4BAF1B7}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\acdseeindexerultimate11.exe
FirewallRules: [{98518E02-3B2A-4E0E-9C01-45A0CABAA124}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\acdseeqvultimate11.exe
FirewallRules: [{38E7918D-CCBB-466B-8D67-A3362F529A55}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\acdseesrultimate.exe
FirewallRules: [{2014F9AB-BCF4-407D-B506-8EA4A421D683}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\acdseetoastscheduler.exe
FirewallRules: [{24B1D417-C5E8-472C-BA2D-95B9D6F1351D}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\acdseeultimate2018.exe
FirewallRules: [{B3BBC180-A168-4F86-90B7-1485F5B126AE}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\d3dbaseslideshow.exe
FirewallRules: [{7FD93E27-5E1D-4AB6-AA73-FFE511DC4D7D}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\directx9\dxsetup.exe
FirewallRules: [{F8310879-C899-452E-A852-20EE1CA7839D}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\d3dbaseslideshow.exe
FirewallRules: [{A6ABDA77-7A5E-4BC5-B5BC-4228FF861813}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\acdseetoastscheduler.exe
FirewallRules: [{6064308D-047D-438C-B4D9-651521B67CD2}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\acdseesrultimate.exe
FirewallRules: [{71AE6AE7-6909-4EC8-B3E0-491CA777A014}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\acdseeqvultimate11.exe
FirewallRules: [{334400EE-AFB1-4330-9448-DB2509D1F1D1}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\acdidwriter.exe
FirewallRules: [{DAB63BC7-CBB6-4072-ABC5-42C68FF41594}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\acdidintouch2.exe
FirewallRules: [{3B10DDAB-4FEC-43D2-A99E-426EB7E2948E}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\acdseeindexerultimate11.exe
FirewallRules: [{F176CDD5-41CF-4678-B0A4-555DB986F855}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\acdseecommanderultimate11.exe
FirewallRules: [{C4C4CB07-8E7A-4E9C-B02D-C69B9DD77A16}] => (Block) c:\program files\acd systems\acdsee ultimate\11.0\acdseeultimate2018.exe
FirewallRules: [{A1C63CEF-16A3-43D0-A283-928F6B522DED}] => (Block) c:\program files (x86)\izotope\ozone 8\win64\izotope ozone 8.exe
FirewallRules: [{6F89F64D-61E1-46FB-81EF-8C6699ABF87B}] => (Block) c:\program files (x86)\izotope\ozone 8\win64\neuron plugin scanner.exe
FirewallRules: [{511852F5-A0C9-4B73-9F11-CEFCCA021B86}] => (Block) c:\program files (x86)\izotope\ozone 8\uninstall ozone 8.exe
FirewallRules: [{8B750B4F-740D-436C-9029-FBA3C3FAEC64}] => (Block) c:\program files (x86)\izotope\ozone 8\win32\izotope ozone 8.exe
FirewallRules: [{0E018CF1-009F-4A04-8DCE-62306D5C8D16}] => (Block) c:\program files (x86)\izotope\ozone 8\win32\neuron plugin scanner.exe
FirewallRules: [{4F1780FB-6DD2-4AC9-AA7D-2937F8E94B82}] => (Block) c:\program files (x86)\izotope\ozone 8\.internals\uninstall ozone 8 dynamic eq plug-in.exe
FirewallRules: [{E075A626-673F-44F6-B9C4-83339D5D046F}] => (Block) c:\program files (x86)\izotope\ozone 8\.internals\uninstall ozone 8 dynamics plug-in.exe
FirewallRules: [{4D6CBE4F-4845-4001-AC07-9911D2CFE055}] => (Block) c:\program files (x86)\izotope\ozone 8\.internals\uninstall ozone 8 equalizer plug-in.exe
FirewallRules: [{B2B6FBBD-AB1A-4793-882F-FC2F72F9E351}] => (Block) c:\program files (x86)\izotope\ozone 8\.internals\uninstall ozone 8 exciter plug-in.exe
FirewallRules: [{B3405BB4-DAD7-401E-A016-FF048EB818E2}] => (Block) c:\program files (x86)\izotope\ozone 8\.internals\uninstall ozone 8 imager plug-in.exe
FirewallRules: [{15D2FF4F-80AD-476A-8AE9-4E3B36CC13EE}] => (Block) c:\program files (x86)\izotope\ozone 8\.internals\uninstall ozone 8 maximizer plug-in.exe
FirewallRules: [{B289A8BF-84FD-49B1-81B9-7EE5B81AD7AA}] => (Block) c:\program files (x86)\izotope\ozone 8\.internals\uninstall ozone 8 plug-in.exe
FirewallRules: [{B20C35BB-F162-4D74-A2D8-877626CA89BD}] => (Block) c:\program files (x86)\izotope\ozone 8\.internals\uninstall ozone 8 spectral shaper plug-in.exe
FirewallRules: [{C656C5CA-A543-40E9-B0FD-22FED34FED99}] => (Block) c:\program files (x86)\izotope\ozone 8\.internals\uninstall ozone 8 vintage compressor plug-in.exe
FirewallRules: [{6447B0B8-CD2F-4C5B-ABB8-090B7BBD4291}] => (Block) c:\program files (x86)\izotope\ozone 8\.internals\uninstall ozone 8 vintage eq plug-in.exe
FirewallRules: [{932AF8DE-D5AC-4E0B-959A-9B4E33A8F760}] => (Block) c:\program files (x86)\izotope\ozone 8\.internals\uninstall ozone 8 vintage limiter plug-in.exe
FirewallRules: [{5424D7C5-4D60-4CF1-AE74-A47ECA17C08C}] => (Block) c:\program files (x86)\izotope\ozone 8\.internals\uninstall ozone 8 vintage tape plug-in.exe
FirewallRules: [{FAC0279C-31CC-4A0C-B0A2-51203A5879B9}] => (Block) c:\program files (x86)\izotope\ozone 8\.internals\uninstall izotope ozone 8 app.exe
FirewallRules: [{B53EBCE2-C34A-4A93-9F94-80C78E237CD5}] => (Block) c:\program files (x86)\izotope\tonal balance control\uninstall tonal balance control.exe
FirewallRules: [{55C2CAB7-4BFF-4B04-B5F7-7D7F36EC0737}] => (Block) c:\program files (x86)\izotope\neutrino\uninstall neutrino.exe
FirewallRules: [{F7FFDB65-F53F-4B24-87BF-52616B919B9C}] => (Block) c:\program files (x86)\izotope\updater\izotope updater.exe
FirewallRules: [{9BFB3991-21C8-45FD-9172-29B93B9C3F7C}] => (Block) c:\program files (x86)\izotope\crash reporter\izotope crash reporter.exe
FirewallRules: [{353CCB0F-9EE6-40DD-B385-D1DFA047BEAC}] => (Block) c:\program files (x86)\neeviapdf.com\pdftoolboxapps\pdfencrypt.exe
FirewallRules: [{51FF1A16-383D-45F9-B005-1B0FD985836A}] => (Block) c:\program files (x86)\neeviapdf.com\pdftoolboxapps\pdfmerge.exe
FirewallRules: [{9380C046-6C46-4EC2-B247-F424451A4836}] => (Block) c:\program files (x86)\neeviapdf.com\pdftoolboxapps\pdfresize.exe
FirewallRules: [{29F41BF7-D6F7-48F2-8ABC-0A8976FA9098}] => (Block) c:\program files (x86)\neeviapdf.com\pdftoolboxapps\pdfsign.exe
FirewallRules: [{D736998B-7A48-4FEA-AD42-59CB7C16E98A}] => (Block) c:\program files (x86)\neeviapdf.com\pdftoolboxapps\pdfsplit.exe
FirewallRules: [{A6A857DE-B228-4911-901E-3F6ABA0B339C}] => (Block) c:\program files (x86)\neeviapdf.com\pdftoolboxapps\pdfstamp.exe
FirewallRules: [{FAF84991-61CC-4F7A-B5D6-42FC2A8E4571}] => (Block) c:\program files (x86)\neeviapdf.com\pdftoolboxapps\pdfunstamp.exe
FirewallRules: [{F8B3D3F2-0B81-45F3-B12C-CE5CB8EC6CA8}] => (Block) c:\program files (x86)\neeviapdf.com\pdftoolboxapps\pdfcompress.exe
FirewallRules: [{B4149CEE-CE0F-4269-9252-0A3AEFF15675}] => (Block) c:\program files (x86)\image-line\downloader\ildownloadmanager.exe
FirewallRules: [{E577F77B-D44A-4DAC-BD19-887D974D3F22}] => (Block) c:\program files (x86)\image-line\downloader\uninstall.exe
FirewallRules: [{DF144C77-94D8-46B2-8616-200643E7C6B5}] => (Block) c:\program files (x86)\image-line\downloader\update\updater.exe
FirewallRules: [{27F8D542-2841-4608-B89B-B7C93E106F33}] => (Block) c:\program files (x86)\izotope\neutron 2\uninstall tonal balance control.exe
FirewallRules: [{B3187EBB-2940-409F-B7AA-84C6FBC84A69}] => (Block) c:\program files (x86)\izotope\neutron 2\uninstall neutron 2.exe
FirewallRules: [{96576903-73F3-443A-BEE2-0E094F015475}] => (Block) c:\program files (x86)\izotope\crash reporter\izotope crash reporter.exe
FirewallRules: [{80B4E405-D94B-438B-8587-DC0CE222B645}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\win64\izotope rx 6 audio editor.exe
FirewallRules: [{2D747A2D-064C-4F86-A430-23A3309C2221}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\win64\neuron plugin scanner.exe
FirewallRules: [{F57BBA4D-0DBF-48A8-AB3B-C18FD2063446}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\win32\neuron plugin scanner.exe
FirewallRules: [{10EC2BD2-6C25-4D04-B028-8814555D4012}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\win32\izotope rx 6 audio editor.exe
FirewallRules: [{C6A058A5-9813-46D7-84A8-91C88D982D5F}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\uninstall rx 6.exe
FirewallRules: [{9533B3D2-2FE5-4B35-ADC5-8A3BF171DAA9}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\.internals\uninstall izotope rx 6 audio editor.exe
FirewallRules: [{79FC098A-C3F3-45C6-846A-9AB69872C79B}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\.internals\uninstall rx 6 ambience match.exe
FirewallRules: [{175137EC-8975-4247-A6C3-32CB91D19BC5}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\.internals\uninstall rx 6 connect.exe
FirewallRules: [{4F631382-793B-4439-A1B9-E8610F8A8A93}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\.internals\uninstall rx 6 de-click.exe
FirewallRules: [{3D1F8941-8544-43E3-A1B1-089FF4DC3BB0}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\.internals\uninstall rx 6 de-clip.exe
FirewallRules: [{29A6AB5F-22A5-4CED-9CB6-B26D8AAD57CF}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\.internals\uninstall rx 6 de-crackle.exe
FirewallRules: [{C3DE6890-ABC5-4AFE-81B0-30E29E49E20B}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\.internals\uninstall rx 6 de-ess.exe
FirewallRules: [{004CED8B-D06C-46DE-8802-DB46FFD11C62}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\.internals\uninstall rx 6 de-hum.exe
FirewallRules: [{4EC1378C-0B53-49D3-8A37-AD3A2094DB89}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\.internals\uninstall rx 6 de-plosive.exe
FirewallRules: [{9059B83F-C5F4-4582-8390-D217C57C4077}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\.internals\uninstall rx 6 de-reverb.exe
FirewallRules: [{0A98F117-80E1-4BD2-9A7E-3A17415FA4E5}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\.internals\uninstall rx 6 monitor.exe
FirewallRules: [{DA94841F-A745-445C-97A5-C758AC2B8FD3}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\.internals\uninstall rx 6 mouth de-click.exe
FirewallRules: [{E6791F91-666F-42D5-8DCA-1F145F82CA01}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\.internals\uninstall rx 6 spectral de-noise.exe
FirewallRules: [{4E388167-2B20-44AE-BEB4-D6DEC057935D}] => (Block) c:\program files (x86)\izotope\rx 6 audio editor\.internals\uninstall rx 6 voice de-noise.exe
FirewallRules: [{8D99DE72-A3B8-4CCF-A5A5-CB9BD1DC76DB}] => (Block) c:\windows\system32\printisolationhost.exe
FirewallRules: [{47AE27C2-17E2-49C6-BC18-688D0748A166}] => (Block) c:\program files (x86)\unlocker\unlocker.exe
FirewallRules: [{D1312B78-6724-497A-B73A-D3FBCC112EB8}] => (Block) c:\program files (x86)\unlocker\unlockerinject32.exe
FirewallRules: [{1C5F0757-4ADB-431F-966D-9B5AABE22B39}] => (Block) c:\program files (x86)\unlocker\unlockerportable.exe
FirewallRules: [{4DBA8205-5D13-46B0-98BA-1A78D249BFE8}] => (Block) c:\program files (x86)\unlocker\unlockerassistant.exe
FirewallRules: [{AEBED277-E7DB-4417-B85D-E252989E0B0C}] => (Block) c:\program files (x86)\unlocker\uninst.exe
FirewallRules: [{CE1BF6B6-A581-41C8-90E3-37C30FAF07F0}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{736001CB-30A8-4848-A8BD-522F778C2A4E}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{D08B6564-F007-4726-84B1-47D3991D1420}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [63b28d39-4672-4569-8bfa-d6c085a426a5] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [567b5ed9-093a-43a8-b3a0-1a0f086f8215] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{B227A1A2-576C-4B37-BDE1-F963AA1D1BC6}] => (Allow) %ProgramFiles% (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
FirewallRules: [{6B7A8736-3889-48E2-BC24-206F77D0F4F2}] => (Allow) %SystemRoot%\System32\mstsc.exe
FirewallRules: [{B4DF82BF-F8C3-46A5-8B99-94CD44123CA4}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{840956AD-7924-49FB-8088-EF21612C16DB}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{B0BBC573-8104-4677-960E-AA7DB5A0912C}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{5D8E8A0F-28F8-4BE4-B4F0-AE9D4A4C3241}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{16647C49-F952-40AC-9783-1C59A8A87A47}] => (Allow) %ProgramFiles%\iTunes\iTunes.exe
FirewallRules: [{ACAB4BB0-DF97-4F33-913C-134F0EC5A24C}] => (Allow) C:\Program Files (x86)\Internet Download Manager\IDMan.exe
FirewallRules: [{B264371C-A0E6-4F17-ADE6-7B7A1BD4B454}] => (Allow) C:\Program Files (x86)\Internet Download Manager\IDMan.exe
FirewallRules: [{5FC08DC0-006D-4ADB-805C-EDA027B03BEF}] => (Allow) C:\Program Files (x86)\Internet Download Manager\IDMan.exe
FirewallRules: [{DCAABAED-6F6F-4A22-ACD3-2E80E021C6B6}] => (Allow) C:\Program Files (x86)\Internet Download Manager\IDMan.exe
FirewallRules: [{12C9B00C-D473-44F4-9587-84306A4425FC}] => (Allow) %ProgramFiles% (x86)\Internet Download Manager\IDMan.exe
FirewallRules: [{283608B4-A23B-4991-9E08-91D3C313E48F}] => (Allow) %USERPROFILE%\Downloads\hitmanpro_x64.exe
FirewallRules: [{EFB53759-A9DE-4BFC-95C6-4E734CFE23A3}] => (Block) c:\program files (x86)\common files\apple\mobile device support\applemobiledevicehelper.exe
FirewallRules: [{FDDDC95C-5158-445B-AF11-E1367EDCE454}] => (Allow) %ProgramFiles%\Emsisoft Anti-Malware\a2service.exe
FirewallRules: [{26304C11-3D99-437F-A886-2E1B1DC196DE}] => (Allow) %ProgramFiles% (x86)\SoulseekQt\SoulseekQt.exe
FirewallRules: [{F39880A6-A052-49E7-A42B-553810EB086B}] => (Allow) %SystemRoot%\System32\cmd.exe
FirewallRules: [{B0E1F6C7-A5C3-40AC-8746-848571F648BA}] => (Allow) %SystemRoot%\System32\Dism.exe
FirewallRules: [{DE95BE32-14D5-4F65-BF57-560D027298BE}] => (Allow) C:\Users\EVILCATDOG\AppData\Local\Temp\A375CFD0-1A3D-415D-B621-89DF50EF046E\dismhost.exe
FirewallRules: [{E22980E7-65D6-47D8-9518-C6D98D5B0696}] => (Allow) C:\Program Files (x86)\Mp3tag\Mp3tag.exe
FirewallRules: [{C0FE1D75-A46A-47FC-B378-09DB1E99D7C9}] => (Allow) %ProgramFiles% (x86)\Microsoft Office\root\Office16\EXCEL.EXE
FirewallRules: [{6D8009EC-E82F-44D2-8E1D-25CF5DA872CE}] => (Allow) %ProgramFiles%\MusicBrainz Picard\picard.exe
FirewallRules: [TCP Query User{F3EA750D-7400-41F7-A991-57BF481C89C5}C:\program files\beatunes5\beatunes5.exe] => (Allow) C:\program files\beatunes5\beatunes5.exe
FirewallRules: [UDP Query User{80C264A0-7818-43BF-81B9-505C1E015E06}C:\program files\beatunes5\beatunes5.exe] => (Allow) C:\program files\beatunes5\beatunes5.exe
FirewallRules: [{F3FB7A43-9B72-476D-A647-C064E760F07D}] => (Allow) %ProgramFiles%\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
FirewallRules: [{F1ED8482-3475-44D8-A1FC-20235170B1BD}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{9308C663-BA31-47E7-A71D-F136A8190C27}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{6149D058-9C72-4021-864F-808DBA234346}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{4004571C-528D-40D5-8BBB-2FFF1578B409}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
 
==================== Restore Points =========================
 
28-09-2018 20:55:58 Removed Chrome Remote Desktop Host
05-10-2018 07:26:08 BEFORE IZOTOPE ALL SEEMS OK HERE
06-10-2018 13:09:03 Image Resizer for Windows
06-10-2018 16:15:10 prior to omnisphere
11-10-2018 14:56:20 JRT Pre-Junkware Removal
19-10-2018 11:19:26 UWT Restore Point
 
==================== Faulty Device Manager Devices =============
 
Name: TAP-Windows Adapter V9
Description: TAP-Windows Adapter V9
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: TAP-Windows Provider V9
Service: tap0901
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: High Definition Audio Controller
Description: High Definition Audio Controller
Class Guid: {4d36e97d-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: HDAudBus
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: High Definition Audio Controller
Description: High Definition Audio Controller
Class Guid: {4d36e97d-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: HDAudBus
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (10/22/2018 05:13:33 PM) (Source: Office 2016 Licensing Service) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (10/22/2018 05:13:33 PM) (Source: Microsoft Office 16) (EventID: 2011) (User: )
Description: Office Subscription licensing exception: Error Code: 0x803D0010; CorrelationId: {5E467BEF-94BC-4628-8BBB-495B381DF811}
 
Error: (10/22/2018 02:52:29 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007232B
Command-line arguments:
RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=TimerEvent
 
Error: (10/21/2018 09:48:51 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: AudioConverter.exe, version: 2.1.9.30, time stamp: 0x5af54008
Faulting module name: QtCore4.dll, version: 4.8.4.0, time stamp: 0x50b29fa2
Exception code: 0xc0000005
Fault offset: 0x00106ae8
Faulting process ID: 0x644
Faulting application start time: 0x01d4692925232576
Faulting application path: C:\Program Files (x86)\TunesKit Audio Converter\AudioConverter.exe
Faulting module path: C:\Program Files (x86)\TunesKit Audio Converter\QtCore4.dll
Report ID: e4eb7845-d51e-11e8-8273-3085a99b99e6
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (10/21/2018 05:13:34 PM) (Source: Office 2016 Licensing Service) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (10/21/2018 05:13:34 PM) (Source: Microsoft Office 16) (EventID: 2011) (User: )
Description: Office Subscription licensing exception: Error Code: 0x803D0010; CorrelationId: {9689BCF5-020B-45DC-B35D-4737E3CEC2B6}
 
 
System errors:
=============
Error: (10/21/2018 08:18:22 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The iPod Service service terminated unexpectedly. It has done this 1 time(s).
 
Error: (10/21/2018 08:15:11 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
 
Error: (10/21/2018 08:12:45 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Apple Mobile Device Service service failed to start due to the following error: 
The system cannot find the file specified.
 
Error: (10/21/2018 08:11:45 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Apple Mobile Device Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
 
Error: (10/21/2018 08:10:03 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Apple Mobile Device Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
 
Error: (10/20/2018 01:52:45 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
 
Error: (10/20/2018 01:51:38 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Unsigned Themes service terminated unexpectedly. It has done this 1 time(s).
 
Error: (10/20/2018 09:32:33 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
 
 
Windows Defender:
===================================
Date: 2018-09-10 03:53:19.758
Description: 
Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
Signatures Attempted: Current
Error Code: 0x80508007
Error description: Your computer is low on memory. Close some programs and try again, or search Help and Support for information about preventing low memory problems. 
Signature version: 1.275.981.0;1.275.981.0
Engine version: 1.1.15200.1
 
Date: 2018-09-10 03:49:58.691
Description: 
Windows Defender Real-Time Protection feature has encountered an error and failed.
Feature: Network Inspection System
Error Code: 0x80070002
Error description: The system cannot find the file specified. 
Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
 
Date: 2018-09-10 03:47:04.668
Description: 
Windows Defender has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.155.266.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.9700.0
Error code: 0x80240016
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
 
Date: 2018-09-10 03:47:04.668
Description: 
Windows Defender has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.155.266.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.9700.0
Error code: 0x80240016
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
 
Date: 2018-09-10 03:47:04.668
Description: 
Windows Defender has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.155.266.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.9700.0
Error code: 0x80240016
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
 
CodeIntegrity:
===================================
 
Date: 2018-10-06 16:33:46.378
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume9\Program Files (x86)\Unlocker\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-10-06 16:33:46.222
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume9\Program Files (x86)\Unlocker\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-10-06 16:30:46.444
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume9\Program Files (x86)\Unlocker\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-10-06 16:30:46.288
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume9\Program Files (x86)\Unlocker\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-10-06 16:26:39.909
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume9\Program Files (x86)\Unlocker\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-10-06 16:26:39.752
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume9\Program Files (x86)\Unlocker\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-10-06 16:26:39.596
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume9\Program Files (x86)\Unlocker\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-10-06 16:26:39.440
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume9\Program Files (x86)\Unlocker\UnlockerDriver5.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-3970X CPU @ 3.50GHz
Percentage of memory in use: 11%
Total physical RAM: 65474.39 MB
Available physical RAM: 58191.88 MB
Total Virtual: 65474.39 MB
Available Virtual: 57416.34 MB
 
==================== Drives ================================
 
Drive c: (*SYSTEM DISK*) (Fixed) (Total:698.12 GB) (Free:371.17 GB) NTFS
Drive d: (DOWNLOADING & TEMP FILES) (Fixed) (Total:1863.01 GB) (Free:1610.22 GB) NTFS
Drive e: (BACKUP) (Fixed) (Total:3725.9 GB) (Free:2229.31 GB) NTFS
Drive f: (MUSIC PRODUCTION) (Fixed) (Total:5588.9 GB) (Free:3694.35 GB) NTFS
Drive h: (FL PROJECTS DRIVE) (Fixed) (Total:465.42 GB) (Free:78.54 GB) NTFS
 
\\?\Volume{6569dfdc-b34c-11e8-824e-806e6f6e6963}\ (SYSTEM RECOVERY) (Fixed) (Total:0.34 GB) (Free:0.04 GB) NTFS
\\?\Volume{4cce08ca-f047-4e45-88c0-7c998697d352}\ (Recovery) (Fixed) (Total:0.29 GB) (Free:0.28 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 465.8 GB) (Disk ID: 9E351CDC)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.4 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 698.6 GB) (Disk ID: 04A89201)
 
Partition: GPT.
 
========================================================
Disk: 2 (Protective MBR) (Size: 5589 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
========================================================
Disk: 3 (MBR Code: Windows 7 or Vista) (Size: 1863 GB) (Disk ID: 3FF4DA6C)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)
 
========================================================
Disk: 4 (Size: 3726 GB) (Disk ID: 7F63F992)
 
Partition: GPT.
 
==================== End of Addition.txt ============================
 

 

 



#2 softwaremaniac

softwaremaniac

  • Malware Study Hall Senior
  • 1,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Croatia
  • Local time:04:58 AM

Posted 26 October 2018 - 08:58 PM

Hi evilcatdogx,
I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.



#3 softwaremaniac

softwaremaniac

  • Malware Study Hall Senior
  • 1,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Croatia
  • Local time:04:58 AM

Posted 27 October 2018 - 03:36 PM

Hello and  :welcome:  to BleepingComputer. My name is softwaremaniac and I'll be helping you with your issues.

 

First and foremost, read my instructions top to bottom and let me know if you're unsure about something or something is unclear before you start following instructions. If possible, print my instructions out, and keep them handy.

 

  • Please copy and paste all the logs I request you to provide instead of attaching them.
  • Please understand that I'm a student and therefore I have obligations to my faculty as well as a job, so I might not reply immediately. Another factor to count in is that these logs can be quite lengthy and take a bit of time to review.
  • Please try to reply within 24 hours of my post because this will ensure that we quickly and efficiently remove any infections from your system. If I receive no response within 3 days, I'll bump the thread, and if there's no response after 5 days, your thread will be closed.
  • All fixes that I provide you with are to be used only on this particular machine and not any other as that can lead to severe issues.
  • After we have started, please do not make any changes to your machine before consulting with me as I have to be aware of the changes in order to be able to assist you.
  • You should stick with me until the end; the absence of symptoms does not mean that your machine is clean. Please wait for me to confirm that all is clean.
  • If you see that I have not replied to your thread within 48 hours, please send me a Personal message and include the link to your thread.

 

All the best,

softwaremaniac :thumbup2:

 

 

Step#1 - P2P Warning

The Dangers of P2P Programs
IMPORTANT: I noticed that you have a P2P (Peer to Peer) file sharing program on your computer. I cannot stress highly enough the danger in using these types of programs. P2P programs are one of the major avenues of infection these days. The files downloaded with these programs are more than likely infected with trojans, malware, rootkits, etc.
You run the risk of getting an infection that can compromise your sensitive data, such as financial records, personal information, etc. That is just the infection aspect of using P2P programs. You also run the risk of possible arrest, fines, or in severe cases, jail time for illegal downloading of copyrighted material.
 
Here are some information sources about the dangers of P2P programs:

USA Today Article on P2P Programs
File Sharing Infects 500,000 Computers
 
 
It is, of course, your choice as to whether or not you disable it or even completely remove the program from your machine. It is my duty though, to point out how dangerous it is to use these programs. However, I must request that you do not use it while we are cleaning your machine.
 
Please disable the following Peer-to-Peer program(s): QBittorrent

 

Step#2 - Glary Utilities Warning
I see that you have Glary Utilities installed. This is indeed a good product but I wanted to caution you on running the registry cleaning functionality of the tool. Please avoid this as it can do more harm than good.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2853053
http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners/tools due to the following facts:

  • registry tools can cause irreparable damage to your Operating System
  • registry tools can, as a result of the above, render your PC inoperable.

For more information about why you should avoid using such programs, one of the malware experts, miekiemoes, has an excellent write-up here

Another from quietman7 here

 

Before we start fixing the machine, can you tell me if these modifications were made intentionally?

HKLM\...\Policies\Explorer: [NoRecentDocsNetHood] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\...\Policies\Explorer: [NoInstrumentation] 1
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <==== ATTENTION
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\system: [NoDispAppearancePage] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [NoPreviewPane] 1
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [NoTrayContextMenu] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [NoWinkeys] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [HideSCANetwork] 0
HKU\S-1-5-21-657599590-845682314-92439975-1001\...\Policies\Explorer: [HideSCAVolume] 0

Thank you.
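The policy values listed above, read straight from the registry as an added example (my own PowerShell, not code from the thread or from FRST): it assumes the standard full key paths behind FRST's "..." shorthand, checks every loaded user hive rather than only the one SID in the log, and is run from an elevated prompt on the machine itself.

```powershell
# Added example (not from the thread or FRST): list the Explorer/System policy values and the
# System Restore policy that the helper asked about, so the owner can see which are really set.
# Assumes an elevated PowerShell 5.1 prompt on the machine; the paths below are the standard
# policy keys that FRST abbreviates with "...".

$machineChecks = @(
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = @('NoRecentDocsNetHood', 'NoChangeStartMenu', 'NoInstrumentation') }
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
       Names = @('DisableSR', 'DisableConfig') }   # flagged ATTENTION: turns System Restore off
)

# Per-user values from the log, checked in every loaded user hive rather than one SID.
$userChecks = @{
    'Policies\System'   = @('NoDispAppearancePage')
    'Policies\Explorer' = @('NoPreviewPane', 'NoTrayContextMenu', 'NoSetTaskbar',
                            'NoViewContextMenu', 'TaskbarNoNotification', 'NoWinkeys',
                            'NoTrayItemsDisplay', 'HideClock', 'HideSCANetwork', 'HideSCAVolume')
}

function Get-PolicyValue {
    # Returns the stored DWORD, or $null when the key or value is absent (no restriction set).
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PolicyReport {
    $rows = @(foreach ($check in $machineChecks) {
        foreach ($name in $check.Names) {
            [pscustomobject]@{ Scope = 'HKLM'; Name = $name; Key = $check.Path
                               Value = Get-PolicyValue -Path $check.Path -Name $name }
        }
    })

    # Real user hives are S-1-5-21-...; service SIDs and the _Classes aliases are skipped.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

    $rows += @(foreach ($hive in $hives) {
        foreach ($subkey in $userChecks.Keys) {
            $path = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\$subkey"
            foreach ($name in $userChecks[$subkey]) {
                [pscustomobject]@{ Scope = $hive.PSChildName; Name = $name; Key = $path
                                   Value = Get-PolicyValue -Path $path -Name $name }
            }
        }
    })
    return $rows
}

# A value of 1 is an active restriction; 0 is explicitly set but not restricting (as most of
# the log's entries are); a value that is absent from the registry is not printed at all.
Get-PolicyReport | Where-Object { $null -ne $_.Value } |
    Sort-Object Scope, Name | Format-Table Scope, Name, Value, Key -AutoSize -Wrap
```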



#4 evilcatdogx

evilcatdogx
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Melbourne, Australia
  • Local time:01:58 PM

Posted 30 October 2018 - 02:57 PM

G'day SoftwareManiac!

 

I'll start off by apologizing for taking so long to respond, as well as for responding at such length, and by thanking you for the time you have already invested in assisting me.

 

Unfortunately, the day after posting this log, Windows alerted me to the presence of 2 Trojans (1 of them was worm:orbinata); I cannot recall the other one, as I was stupid and clicked "fix" thereafter.

At first it all seemed well....but MS quickly told me to restart in order to complete removal. I had that PC booting up again in no time.

 

On login, I checked for the symptoms I was experiencing or thought I was, only to notice quite a few new things running. Not what I was expecting, but I wasn't surprised.

I quickly began to delete them like some crazy game of whack-a-mole, as I simultaneously tried to kill processes in both task manager and CMD, while also hitting about 80 anti-malware apps from behind.

I soon discovered it was services where the action was, and then realised it was incredibly likely someone had been logging into my PC based on what was running (I literally had most of them turned off prior).

The real clue was that my Remote Desktop was open, linked into one of my other PCs - this was right after a restart and I hadn't done that for a few days... as soon as I tried to do anything, I was logged off.

 

So into safe mode... NO..... NO.... not working either....

Ok.. recovery disk > yeah as if...

Ummm, another disk? 

Success!

 

Soon I was calmly trying to xcopy what few personal files I wanted, but then just as soon, the bizarre things began to happen in Win PE too...

So, in case I forgot to say (I did), I had already disconnected the LAN, so my only guess is that the evilness wormed its way onto my USB, which I hadn't used in a live session, or in a long while. OR

It was somehow activating from the already infected HDD without me doing anything to make it, other than looking at it.

(It's like that scientist's possibly dead cat: until you look, it's there and it's also not....)

Either way, it soon became a challenge for me...

 

About 16 hours later, I was forced to give up my efforts at restoring access to those windows, as sleep beckoned with its promise of firewalled dreams.

But this time I just knew I was so close....

4 hours later, as I dug out the J key from my forehead, I noticed that I had somehow sleep-hacked my way to the login screen.

With much trepidation and excitement I entered my password, wondering with each stroke how many accounts had already been compromised.

My cursing of the bloody NUM lock key distracted me for a few moments, until I realised that the black screen wasn't going anywhere.... 

An infinite void - the opposite of windows. Cold and Dark, it flowed towards me as the hallucinations & paranoia enveloped me and I almost gave up. 

But there was a shimmer of light in the distance!! CTRL-ALT-DEL!!

Hope would bring me back the trusty Task Thing, so I could explore this dark place - but - sure enough it chose the other team.

I never was very religious anyway.

 

So, like putting down an incredibly loved pet, or a grandma, I had a moment of silence before I turned the machine off - but not too long.

The silence increased my other perceptions and I noticed it was a different season and I hadn't actually fed my dog in a few days... (just kidding, she kept hassling me every time I took too long to get up).

So I made my way into my cold bed, and felt like a stranger. I was lucky to have made it under the sheets when I did, as the rays of light were seeping in between the cracks of the blinds.

Luckily for me I was almost dead anyway. 

 

While I nodded, nearly napping, suddenly there came a tapping,

As of some one gently rapping, rapping at my chamber door—
"‘Tis some visitor," I muttered, “tapping at my chamber door—
Only this and nothing more.”

 

But it wasn't a raven.... the universe decided now would be the perfect time to have a possum move into the walls above my bedroom.

Never more.... I yelled - which is Latin for words I can't use here, and I got up again.

But it was rather fortuitous that i did as I soon discovered that the PC in my lounge room had become active..

What could it be I wondered, whilst knowing full well the truth.

 

After I woke up the neighborhood a little earlier than usual, I found the remote, and soon switched to HDMI-404.

I don't think the roosters dared make a noise afterwards.

And sure enough, as my eyes adjusted to the unusually bright settings I have on my big TV, I could see remote activity...

 

Now I don't care too much about identity or bank accounts - I mean, if someone wants to impersonate me, I'd take it as a compliment.

And the worst they could do is pay off some of my debt, before they were able to withdraw money.

But I was concerned about my other PC - the holy torrent from the flooded days of MiniNoah. I mean Mininova...

 

The last thing I needed was for that pirate ship to come into these waters, but the smoke was rising before I got past the c:\

As I took a moment to strateg...............   |wyutieytywtywttiw

......

......

As I dusted the broken pieces of my router up off the floor, so my dog wouldn't eat those, I felt a little better.

The only problem was I didn't know how to contact you and there was no way I was gonna type all of this into a phone.

So I now re-downgraded back up to Windows 10, because that was the first USB installer i could find without smashing something else.

 

 

Now I believe that I have done the right thing by keeping the LAN off and unplugged from my nice new router, as well as removing all HDD other than the system disk as I believe they have been compromised.

I'm not sure how, or how to know though. So at this point, I have a freshly installed, manually upgraded, shining but MS-infested Windows 10 Pro 1803. I have installed AV stuff and checked multiple times, to confirm there is nothing dodgy going on. There isn't - barring the aforementioned "services". I mean - if they want to change to a "service" model - then shouldn't they be fixing this? haha... I know, right.

 

Anyway, I believe that totally reformatting the entire disk and all partitions from scratch before install has somehow helped??

Am I paranoid - or is it actually possible that if I connect my backup/other drives to the PC I can get reinfected just because?

 

As for my other (4x by the way) PCs around the house, they are all showing the same signs and symptoms as the original.

At this point I am wondering if you are still even able to help, or would it be simpler if I just install another little box between my modem and the wall and redirect all the hackers' mining results to my own accounts? I mean - I might be able to buy new computers in the time it would take me to fix all these... but then again, they will probably get infected just the same as soon as I connect them to one of my other PC HDDs (and the main library has 300 TB of data alone...)

 

On the other hand, they are likely to be all the same process to clean or not?

So I guess my questions to you are:

 

Do you still wish to help?

Do you have any suggestions I could follow regardless?

Would I be correct that if the HDDs are somehow secretly infected, and I have confirmed that most in the other PC have been, that it's likely they all have been?

Also, after Dr Google (just for research) I read that maybe there is an alternate stream or MBR infection....

I don't know what they are, but I guess... anyway - would I be correct that I would have to do what my instinct says and reformat each of them before they would be safe again?

And lastly, I noticed the virus, right before D-day, was copying itself to almost every Windows service running, as well as any installed app. Is it possible that a virus could have infected non-exe files, i.e. MP3/WAV/MKV/AVI/PDF/DOC/XLX etc...?

 

So at this point, I am trying to decide whether I'm better off asking for forgiveness or selling my soul.

But that's probably already been infected too....

 

Cheers - James



#5 softwaremaniac

softwaremaniac

  • Malware Study Hall Senior
  • 1,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Croatia
  • Local time:04:58 AM

Posted 01 November 2018 - 12:22 PM

Hi, James!

 

I'll review this and reply today.

 

Thank you for your patience.



#6 softwaremaniac

softwaremaniac

  • Malware Study Hall Senior
  • 1,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Croatia
  • Local time:04:58 AM

Posted 02 November 2018 - 11:53 AM

Hi, James!

 

Yes, I do wish to help. Based on what I'm seeing, the computer in question does not seem infected anymore. What I would like you to do now is run an additional check just to be on the safe side.

 

ESET Online Scanner

  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Review the list of entries and if there are any you want to keep stop and copy/paste the ESET.txt report in your reply for my review
  • If you do not wish to keep any of the entries check Uninstall application on close and Delete quarantined files
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply


#7 softwaremaniac

softwaremaniac

  • Malware Study Hall Senior
  • 1,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Croatia
  • Local time:04:58 AM

Posted 03 November 2018 - 12:53 PM

Hello again, James!

 

You said before that you saw someone login using RDP. Did you use a proper, strong RDP password?

 

Thank you.



#8 softwaremaniac

softwaremaniac

  • Malware Study Hall Senior
  • 1,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Croatia
  • Local time:04:58 AM

Posted 06 November 2018 - 12:24 PM

Hello, James!

 

It has been three days since last contact, please confirm that you still require assistance.

 

Thank you!



#9 evilcatdogx

evilcatdogx
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Melbourne, Australia
  • Local time:01:58 PM

Posted 09 November 2018 - 01:39 AM

Hi Software Maniac,

 

I am sorry for the delays - I have had a whirlwind of a time just trying to get back onto a computer in order to respond.

 

Long story short - I decided to reformat everything. 

Only it turns out that I was infected with a particularly nasty malware which I have yet to identify.

It appears to be some sort of rootkit that infected the HDD, and even a reinstall of the OS was not enough to destroy it.

It also turns out the USB install I was using also became infected, as did every other USB device I attempted to use.

And every single HDD of every PC was infected by this method - i.e. if I connect any other HDD to my system, it then becomes reinfected.

 

So I was forced to remove all network drives and other HDDs in the system, then boot into WinPE to destroy the existing system drive partitions, and then use a Windows CD-ROM to install from as this was read-only.

This appears to have worked. (I eventually figured all this out after about 20 times trying to reinstall.... yay!!!)

 

(There was a moment where this didn't work too, until I discovered that my router too had been taken over - alas, I now have yet another new router and a new install of Windows.)

 

To date i have no signs of the infection...

I have completed your last steps and attached the logs here. (It did find some things; not sure what the first 2 were, but the IObit Unlocker app I only just installed for the first time ever, and now I guess it never will be again...)

 

In regards to the RDP question: No, I did not have a very strong password for this - at the time, the only way I used RDP was on the local network, and I naively believed the local network was secure enough that it never occurred to me someone would ever be able to access this - let alone use it themselves.

 

So it seems I now have to find a way to reinstall every one of the other PCs on this network in the same manner.

Then - I need to determine how to reconnect other HDD one by one, while disinfecting them of the malware.

 

At this point, I now have a totally new LAN setup on a new router, with 2 PCs reinstalled - following the new method that appears to be keeping the virus at bay.

I will attempt to follow this method for the other 6 PCs on the network, then reflash all devices, e.g. phones, iPads etc... (not sure how far to go - but this does not seem that crazy after what I have seen)

Same for TVs, Blu-rays, receivers, remotes etc... basically anything on the network previously.

 

Then I still need to figure out a way to reconnect old HDD to the PCs without reinfection.... any ideas?

 

(And YES - I have made backups / images of the clean setups this time....) although those I made previously were likely corrupted anyway.

 

Thanks for the assistance thus far - although it was unconventional, it has helped me remain sane throughout this process.

 

{addendum}

FYI: if you are curious

I managed to extract the files from an infected HDD the virus was utilising, and during the many attempts at reinstalling, I had monitoring software running to try to catch it out.

In short - believe it or not, it deleted these documents off my HDD, despite naming them as alternative files and zipping them.

It appears it works by installing itself into the boot sector - as soon as it detects it is online, it uses a corrupt dllhost to download copies of almost every Windows DLL, which are not genuine at all. It then replaces these.

Basically, once this is achieved there is no way to undo it.

You can remove the rootkit, but one of the hundred or so affected services will reinstall it.

It then activates the "defaultuser0" profile, and through this, changes policy and starts/disables Windows services as required.

It gives itself remote access privileges, and then goes about doing whatever it was it wanted to do.

It does its extreme best to remain hidden - and then if you find it and try to remove it (a pointless task anyway) it goes on the offensive!!

(I already mentioned it affects every HDD on the system; it also scans the LAN for any other PC to infect - which it does - and then infects the router itself. It also gets every USB media plugged in.)

First it tries to block access to tools you would require to destroy it, and if you manage to win here and get a certain level of progress, it simply disables all your rights and forces your PC to either freeze or restart.

After this time, you will be unable to login, as there are no active users or login screen, and taskmgr has been disabled.

Safe mode, sys restore, and WinRE are all tampered with and corrupted, so no help there either.

It's either let it be, or face its wrath.

 

I also noticed it affects any anti-malware software installed:

It got Defender first by tricking it into installing "updates" via files it placed into the folder.

Then it blocked Windows Update, and the program would appear to be functional and up to date but was far from it.

It got Emsisoft Anti-Malware by replacing signature files, and somehow altering all the settings.

It turned off certain options, added itself to exclusions, and removed me as a user, while giving itself full access.

And so on and so on...

Obviously it would not allow downloads of certain tools unless renamed prior to download, same for running them.....

But in every instance, these tools would then appear to run normally.

 

(it also destroyed 2 of my storage HDD in what i can describe only as a payback/warning to leave it alone)

 

Crazy stuff.

James

 

ESET REPORT:

C:\Users\Slave-PC\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\3\Purchase80921489620[317].pdf PDF/Phishing.A.Gen trojan cleaned by deleting
C:\Users\Slave-PC\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\3\Unlocked-AppleID[529].pdf PDF/Phishing.A.Gen trojan cleaned by deleting
C:\Users\Slave-PC\Downloads\winrs_x64_1.5.9.zip Win32/IObit.D potentially unwanted application deleted
C:\Users\Slave-PC\Downloads\[FILES] [DELETE] IOBIT UNLOCKER\unlocker-setup.exe Win32/IObit.D potentially unwanted application cleaned by deleting
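The addendum above describes replaced system DLLs, an activated defaultuser0 profile and tampered anti-malware updates and exclusions. As an added example (my own PowerShell, not code from the thread), these read-only checks gather evidence on those three points plus the Code Integrity events seen in the Addition.txt log; they assume an elevated PowerShell 5.1 prompt on Windows 10, where Get-LocalUser and the Defender Mp* cmdlets exist, and the DLL names are the ones James lists later in the thread.

```powershell
# Added example, not code from the thread: read-only triage of things James describes in his
# addendum. Nothing here modifies the machine; it only collects evidence to review.
# Assumes an elevated PowerShell 5.1 prompt on Windows 10 (Get-LocalUser and the Defender
# cmdlets are missing on older versions).

function Test-SystemDllSignatures {
    # Core DLLs named later in the thread; on a clean install each is Microsoft-signed,
    # usually through a catalog, which Get-AuthenticodeSignature checks on Windows 8 and later.
    param([string[]]$Names = @('kernel32.dll', 'user32.dll', 'advapi32.dll', 'oleaut32.dll'))
    foreach ($name in $Names) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            File       = $path
            Status     = $sig.Status              # 'Valid' expected
            OSBinary   = $sig.IsOSBinary          # $true expected for Windows' own files
            Signer     = $sig.SignerCertificate.Subject
            Suspicious = ($sig.Status -ne 'Valid') -or (-not $sig.IsOSBinary)
        }
    }
}

function Test-DefaultUser0 {
    # defaultuser0 is a normal leftover of Windows 10 setup and is disabled once setup ends.
    # What matters is whether it is enabled, has logged on, owns a profile or is an admin.
    $user    = Get-LocalUser -Name 'defaultuser0' -ErrorAction SilentlyContinue
    $admins  = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $enabled = if ($user) { $user.Enabled } else { $false }
    $logon   = if ($user) { $user.LastLogon } else { $null }
    [pscustomobject]@{
        Exists        = ($null -ne $user)
        Enabled       = $enabled
        LastLogon     = $logon
        ProfileFolder = Test-Path -Path (Join-Path $env:SystemDrive 'Users\defaultuser0')
        IsAdmin       = [bool]($admins | Where-Object { $_.Name -like '*\defaultuser0' })
    }
}

function Get-DefenderState {
    # Exclusions, disabled real-time protection and stale signatures are the Defender
    # equivalents of what James saw done to his other anti-malware product.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureUpdated   = $status.AntivirusSignatureLastUpdated
        ExclusionPaths     = @($pref.ExclusionPath)
        ExclusionProcesses = @($pref.ExclusionProcess)
    }
}

function Get-CodeIntegrityErrors {
    # The Addition.txt log above shows Code Integrity rejecting UnlockerDriver5.sys; the same
    # events are written to this log, so a newly loaded unsigned driver shows up here.
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Level = 2 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Test-SystemDllSignatures | Format-Table -AutoSize
Test-DefaultUser0 | Format-List
Get-DefenderState | Format-List
Get-CodeIntegrityErrors | Format-List
```

A Suspicious = True row, an enabled defaultuser0 with a profile, or an exclusion nobody added are leads to follow up, not proof on their own; a clean result for all four is consistent with the helper's reading that this install is no longer infected.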


#10 softwaremaniac

softwaremaniac

  • Malware Study Hall Senior
  • 1,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Croatia
  • Local time:04:58 AM

Posted 11 November 2018 - 01:58 PM

Hello again!

 

If your HDD was infected the way you think it is, then you shouldn't connect it unless you boot from a Linux live CD.

 

You should then connect the HDD and copy the data off it (the files you know are clean).

 

A couple of tips:

 

It was a pleasure assisting you and getting your machine back to working order!

 

softwaremaniac



#11 evilcatdogx

evilcatdogx
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Melbourne, Australia
  • Local time:01:58 PM

Posted 13 November 2018 - 01:50 PM

Hi mate,

 

I am at a loss of what to do next.

 

To summarize so far;

  • Initial detection of virus on main user PC - unsure what I did exactly back then, but tried to detect and clean myself using tools/manual and it detected me and started removing permissions and access to tools / windows.
  • I attempted re-install of windows - this appeared well until a week or so into it, I noticed the symptoms again.
  • Repeated above a couple more times, until this thing destroyed one of my HDD by beginning to delete its content. I unplugged and removed said drive.
  • Reinstalled - this time to WIN8 instead of 10 - again appeared well, until same issues again.
  • At this time, I noticed similar symptoms appear on two other machines in my lounge rooms. (they may have been affected earlier as, although always on, I hadn't used them physically for some time and even then mightn't have noticed anything unusual)
  • Upon discovering this, I did basic Google searches and read something about routers etc... so I checked and mine had many changed settings.
  • I checked 4 other PCs on my network to discover they also have been infected. I turned off the entire network (PC, router, switch, modem, phone, cameras, lights, amps, bluray, ipad, phones etc....) basically anything connectable.
  • I then connected the new router to my wall socket and turned off wifi. I didn't connect a LAN cable to any PC yet (and didn't get the chance later)
  • I turned off the affected main PC, attempted to reinstall Windows - same issue immediately.
  • I then Googled some more, and read you need a CD-ROM as USB can get infected too, so I found an old WIN 7 disc and tried to install. Also infected immediately.
  • I then took out the system HDD and all the ones from all other PCs and then used a laptop never connected to the previous network. I checked the laptop for similar issues, which I could not find. I then installed Panda USB Vaccine to safeguard (hopefully) and used a SATA > USB converter to connect all HDDs.
  • I then completely erased all volumes and partitions on all disks, until raw format. I then created new partitions for each and created a new MBR for each disk. I then scanned each disk with MBR checked (which previously showed unknown MBR code) and now it said WIN 7 code > ok.
  • I then used a DVD to load the Windows install with no HDD in the system - when asked where to install I connected the HDD by USB - and Windows wouldn't let me, so I had to put it back into the PC and reboot. Before installing, I went into cmd and again ran fixmbr to make sure.
  • After install, I still had the virus!! This is not possible??
  • I then learned about the BIOS/UEFI possibility and so I again cleaned the HDD like before, and this time I flashed the motherboard before attempting the Windows install again.
  • Once again still have the virus. HOW?????????
  • I then used a different Windows 7 disc (both were original MS) and a NEW DVD ROM device, NEW graphics card, removed and disabled all other devices (and onboard ones), a brand new SSD HDD and tried again. (by this I mean, reflash BIOS and reinstall) Still have the virus. I must be going insane by this time because I don't see how it's possible.
  • It now seems the laptop I used is infected, which I expected to happen by connecting the affected HDD to it.
  • But I also had two other old laptops I never used in about 5 years - so I plugged in and checked.... I couldn't see any symptom of infection.
  • I then connected to the new router directly, which NO device was ever connected to previously.
  • I watched carefully for any signs and didn't see any. So I downloaded all the tools from this site, and burned them to CD as I don't think any other PC was clean. I then ran the tools on the same PC and they appeared to work differently than how they were functioning on my other PCs.. this included all the main tools suggested here (aswmbr, gmer, adwcleaner, malwarebytes, tdsskiller, combofix, rkill, sophos, emsisoft, etc)
  • I thought I was in luck, but then the PC began to act odd, and I checked and straight away I could see the same sign of infection.
  • The next day, both PCs are fully infected with the same virus found on all other PCs, but these were isolated and turned off. I used a new virgin router and no wifi. I didn't use any USB sticks which may cause cross infection.
  • How can this be possible?

 

The symptoms I can see on all affected PCs are:

  • mysterious temp files, in various places; some of these replace registry entries for kernel32, user32, advapi32 and oleaut32 (DLLs)
  • mysterious devices are installed into the system
  • the default user account seems to be being used by someone
  • taskmgr shows multiple (up to 8x) (dllhost, rundll, SearchUI, HelpPane, fontdrvhost, backgroundTaskHost, sgrmbroker, browser host, Cortana, SearchIndexer, SearchProtocolHost, SearchFilterHost, taskhost, taskhostw, lsass, csrss, services). I know these are all legit - but there shouldn't be so many. I tried to kill them and they keep returning. I disabled all services except basic essentials; still they run.
  • In services, I find certain entries suspicious, with some critical security services (e.g. Defender guard) enabled, but if failed no actions, and don't reset the fail counter for 41975 days or something like that. Some services immediately re-enable when I disable them, e.g. Remote Assistance. Some services (too many to list) have different logon accounts in their settings.
  • I have found logs, in various places, can't really remember where as too many places, too many times, too many different PCs in the middle of panics.... but these have shown me things such as:
  • records of my actions
  • records of the virus' actions - e.g. it trying to sabotage Defender, changing settings of system files to point to different locations for updates, help files, etc.
  • I have found logs of this thing searching for every antivirus in existence and then, upon finding it, killing it.
  • I have found logs of this thing monitoring for special keywords and the like to kill processes and other stuff.
  • This thing appears to be visible if I corrupt the system and log in via untraditional means. But if I log in normally everything is hidden. This includes files from Windows Explorer, Task Manager, Autoruns, all virus and removal tools, DOS, and so on.
  • It appears to be using alternate streams - not sure how/where exactly.
  • It hooks into all running processes at the time of infection and then any new ones afterwards. NTDLL is coming up a lot in infection reports when they do show problems, although I believe that it isn't the issue but what has infiltrated it.

 

I now have no other PC left that I can call clean.

I don't have any explanation as to how the 2 laptops became infected unless it is from the wall.

(But then I read that Bluetooth, and even speakers, can transfer a virus???) (Could this be true?)

I don't know what to do anymore?

 

You mention to try a Linux live CD?

I read that once but don't know too much about it. Also some other people who seem to be in my situation say it doesn't work.

I am willing to try your suggestion, but are you able to provide further information - e.g. which one? What do I do exactly with it?

 

Other people have said they needed to buy new equipment completely.

But although what they describe sounds similar to me, I can't be sure. But as more time goes by and more attempts to fix this fail, I begin to doubt this.

It also seems that their new equipment then becomes infected too, so everyone is left unsure what to do.

Some people are demanding Microsoft and card manufacturers, e.g. Nvidia, refund them as they are not making secure products, allowing others to utilise their devices. I don't want to step into conspiracy territory, but it does appear this virus can exist in the air itself and possibly infect more than the HDD via the MBR and hidden sectors. I used a tool called RWEverything after reading about it somewhere and it shows many of my devices on just one PC, e.g. chips on the MB etc, have scripts in them. I'm not sure if this is legit or not.

 

If it was just one PC, I would go buy a new one, but I can't replace 8 plus all devices, plus all tablets, phones etc...

It also appears to be on my work PC, and knowing how it works at home, I assume it's on the entire company's systems (or it came from there).

I checked a friend's laptop who used it here a few months ago and it is also infected.

At this point I wonder if I am already insane.

Please help me recover from this or admit to me if it is not possible....

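As an added defender-side check, not code from this thread or from any of the tools named in it, the PowerShell below lists the kinds of things described in the post above (services running under non-built-in logon accounts or with binaries outside the usual system folders, and files carrying alternate data streams) so that those observations can be verified against concrete output rather than guessed at. The scan root path is an assumption; adjust it to the folder holding the "mysterious temp files".

```powershell
# Added triage script (not from the thread). Run from an elevated
# Windows PowerShell 5.1 prompt. $ScanRoot is an assumed example path.
param(
    [string]$ScanRoot = "$env:TEMP"
)

# Built-in accounts a Windows service normally runs under.
$knownAccounts = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

Write-Host "== Services running under non-built-in accounts =="
Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -and
        ($knownAccounts -notcontains $_.StartName) -and
        ($_.StartName -notlike 'NT SERVICE\*')   # per-service virtual accounts are normal
    } |
    Select-Object Name, StartName, State, StartMode, PathName |
    Format-Table -AutoSize

Write-Host "== Services whose binary lives outside Windows or Program Files =="
Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $p = $_.PathName
        $p -and ($p -notmatch '^"?[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\')
    } |
    Select-Object Name, PathName |
    Format-Table -AutoSize

Write-Host "== Files with alternate data streams under $ScanRoot =="
Get-ChildItem -Path $ScanRoot -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-Item -Stream * returns one record per NTFS stream of the file.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    # ':$DATA' is the file's main content; Zone.Identifier is the benign
    # mark-of-the-web written by browsers, so only other streams are shown.
    Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
    Select-Object FileName, Stream, Length |
    Format-Table -AutoSize
```

An empty third table and a second table containing only third-party software you recognise is the normal result on a clean machine; anything else is worth uploading to VirusTotal as the next reply asks.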


#12 softwaremaniac

softwaremaniac

  • Malware Study Hall Senior
  • 1,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Croatia
  • Local time:04:58 AM

Posted 17 November 2018 - 10:37 AM

Hello again, James!

 

Please upload a few samples of the files you believe to be infected to VirusTotal and provide us with links to them. https://www.virustotal.com/

 

A lot of the information you have found online is simply incorrect. For example, the fact that malware can destroy an HDD. What could have provided an attacker with access is you leaving your RDP vulnerable, as that would have allowed the attacker to modify whatever he wanted.
